
Email:

So one day an email gets caught in my filter. There's nothing fancy about it, but for the lulz I just follow the links to see where they go. The one thing that DID stick out was that this email tried to use my filter as a relay, which makes it easy to spot.

It ends up leading to a malicious APK file, an installer package for Android.


Subject:  Shelly Taylor

overcomingthefearofbeingfabulous.com /xjvnsqk /fbktojkxbxp.php

That was it, just a link in the body of the email, nothing else.


Header Examples:

The envelope header spoofed one of the people inside my network. So they were trying to use my filter like an open relay.

Received: from mycomputer [197.0.184.153]  <-- that ip is NOT in my network.
  X-Envelope-From: [someone in my domain]
  From: "Shelly Taylor" <shelly1smr @yahoo.com>
  To: .... [ like a hundred people ]
  Subject: Shelly Taylor
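Here is an added example of the check the headers above suggest (my code, not part of the original post): flag any message whose envelope sender claims the filter's own domain while the host that connected is outside the internal address ranges. INTERNAL_DOMAIN, INTERNAL_NETS, the header name X-Envelope-From as shown above, and the local addresses in the constructed sample headers are all assumptions; the external IP is the one from the post.

```python
# Added example (not from the original post): flag a message whose envelope sender
# claims the filter's own domain while the connecting host is outside that network.
import ipaddress
import re

INTERNAL_DOMAIN = "example.com"            # assumption: the domain the filter protects
INTERNAL_NETS = [                          # assumption: address ranges the filter trusts
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed header block modelled on the one in the post; the external IP is the
# one the post shows, the local addresses are placeholders.
SPOOFED_MSG = """\
Received: from mycomputer [197.0.184.153]
X-Envelope-From: alice@example.com
From: "Shelly Taylor" <shelly1smr@yahoo.com>
To: bob@example.com, carol@example.com
Subject: Shelly Taylor
"""

LEGIT_MSG = """\
Received: from workstation [192.168.5.20]
X-Envelope-From: alice@example.com
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: lunch
"""

# The topmost Received line is the one the filter itself wrote, i.e. the host that
# connected to it (assumption: the filter records the peer address in brackets).
RECEIVED_IP = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)
ENVELOPE_FROM = re.compile(r"^X-Envelope-From:\s*<?([^\s<>]+)>?", re.M)


def parse_headers(raw):
    """Return (connecting IP, envelope sender); a missing field comes back as None."""
    ip = RECEIVED_IP.search(raw)
    env = ENVELOPE_FROM.search(raw)
    return (ip.group(1) if ip else None, env.group(1).lower() if env else None)


def is_internal_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def relay_abuse(raw):
    """True when an outside host presents an envelope sender from the internal domain."""
    ip, env = parse_headers(raw)
    if ip is None or env is None:
        return False
    sender_domain = env.rpartition("@")[2]
    return sender_domain == INTERNAL_DOMAIN and not is_internal_ip(ip)


if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, "-> relay abuse" if relay_abuse(msg) else "-> ok")
```

Only the first Received header is inspected on purpose: earlier hops in the chain are written by whoever handed the mail over and can say anything, while the topmost one is the filter's own record of who connected.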

Link Samples:

The first link:

overcomingthefearofbeingfabulous.com /xjvnsqk /fbktojkxbxp.php

didn't really do much in urlquery.net, so I decided to try curl with a few different user-agent strings. I noticed that the Android user-agent strings resulted in a different reply:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http:// mobile.downloadadobecentral.ru /FLVupdate.php">here</a>.</p>
</body></html>

ORLY? So I put THAT URL in urlquery.net but still don't get much. So I curl it through some other user-agent strings and find that the next hop is using javascript trickery!

<html><head><script type="text/javascript">
window.top.location=document.URL.replace("FLVupdate.php","FLVupdate2.php");
</script></head><body></body></html>

Well played, good sir! So I curl the FLVupdate2.php URL with an Android user-agent string and I get:

VirusTotal report 

AVG Android_dc.AILJ
Ad-Aware Android.Trojan.NioServ.B
AntiVir Android/NoComA.D.2
Avast Android:NotCom-C [PUP]
Baidu-International Trojan.AndroidOS.NioServ.AeCJ
BitDefender Android.Trojan.NioServ.B
Commtouch AndroidOS/NoCom.A
Comodo UnclassifiedMalware
ESET-NOD32 a variant of Android/NoComA.D
Emsisoft Android.Trojan.NioServ.B (B)
F-Prot AndroidOS/NoCom.A
F-Secure Trojan:Android/NotCompatible.31e20f58!gen
GData Android.Trojan.NioServ.B
Ikarus AndroidOS.NoComA
K7GW Trojan ( 0048d68d1 )
Kaspersky HEUR:Trojan.AndroidOS.NioServ.a
Kingsoft Android.Troj.at_Nisev.a.(kcloud)
McAfee Artemis!02874F8CDA35
McAfee-GW-Edition Artemis!02874F8CDA35
MicroWorld-eScan Android.Trojan.NioServ.B
Sophos Andr/Notcom-A
TrendMicro-HouseCall TROJ_GEN.F47V0805
VIPRE Trojan.AndroidOS.Generic.A

Joe Sandbox's APK-Analyzer.net report

Malware-Traffic-Analysis.net explains much more about this Android malware.
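The whole chain above (different replies per user-agent, a 302 to the second hop, the document.URL.replace() script, then the APK) can be walked without a browser. Below is an added example of my own, not code from the post: a small resolver that takes a fetch function and a user-agent string, pulls the next hop out of either a Location header or that exact JS pattern, and stops when a hop has nothing further to follow. The hostnames are placeholders standing in for the ones defanged above, the two user-agent strings are assumed, and fake_fetch is a constructed stand-in for the servers so it runs offline.

```python
# Added example (not from the original post): walk a user-agent-dependent redirect
# chain offline, handling a 302 Location header and the document.URL.replace() trick.
import re
from urllib.parse import urljoin

# Hostnames are placeholders standing in for the ones the post defanged.
FIRST = "http://compromised.example.net/xjvnsqk/fbktojkxbxp.php"
HOP2 = "http://mobile.example.org/FLVupdate.php"
HOP3 = "http://mobile.example.org/FLVupdate2.php"
APK_TYPE = "application/vnd.android.package-archive"

ANDROID_UA = "Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KTU84P) AppleWebKit/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"

# Second hop's body, copied from the post (the one part of the chain served to every UA).
JS_HOP = ('<html><head><script type="text/javascript">'
          'window.top.location=document.URL.replace("FLVupdate.php","FLVupdate2.php");'
          '</script></head><body></body></html>')
BLANK = "<html><body></body></html>"

# Constructed stand-in for the servers: (url, android?) -> (status, headers, body).
FAKE_SERVER = {
    (FIRST, True): (302, {"Location": HOP2}, "<h1>Found</h1>"),
    (FIRST, False): (200, {}, BLANK),
    (HOP2, True): (200, {}, JS_HOP),
    (HOP2, False): (200, {}, JS_HOP),
    (HOP3, True): (200, {"Content-Type": APK_TYPE}, "PK\x03\x04<constructed apk bytes>"),
    (HOP3, False): (200, {}, BLANK),
}


def fake_fetch(url, user_agent):
    """Stands in for a real probe such as: curl -s -D - -A "$UA" "$URL"."""
    return FAKE_SERVER.get((url, "Android" in user_agent), (404, {}, ""))


JS_REPLACE = re.compile(
    r'window\.top\.location\s*=\s*document\.URL\.replace\('
    r'\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def next_hop(current_url, status, headers, body):
    """Return the URL a browser would go to next, or None if this is the final hop."""
    if status in (301, 302, 303, 307, 308) and headers.get("Location"):
        return urljoin(current_url, headers["Location"])
    m = JS_REPLACE.search(body)
    if m:
        # JS String.replace with a string pattern swaps only the first occurrence.
        return current_url.replace(m.group(1), m.group(2), 1)
    return None


def resolve_chain(start, fetch, user_agent, max_hops=10):
    """Follow hops from start; return (urls visited, Content-Type of the last one)."""
    chain, url = [start], start
    for _ in range(max_hops):
        status, headers, body = fetch(url, user_agent)
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in chain:          # final page, or a redirect loop
            return chain, headers.get("Content-Type", "")
        chain.append(nxt)
        url = nxt
    return chain, ""                             # gave up: too many hops


if __name__ == "__main__":
    for label, ua in (("android", ANDROID_UA), ("desktop", DESKTOP_UA)):
        urls, ctype = resolve_chain(FIRST, fake_fetch, ua)
        print(label, "->", " -> ".join(urls), "|", ctype or "n/a")
```

Swap fake_fetch for a real HTTP client when working a live chain and the rest stays the same; the point of keeping the resolver separate from the fetch is that the same logic can be run against captured responses after the fact, which is usually what you have once a hosting provider has pulled the server.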

Something evil... (Dynamoo does this part much better):

Now, when I said that urlquery.net didn't show much on the first URL, that isn't exactly true. Urlquery.net showed me similar URLs on the same IP.

74.50.122.8 raviinternational.com /ynuydft/yxhsgqzegzvtbjn.html
74.50.122.8 vlssecurities.com /rpk/sytilyjbazgwk.php
74.50.122.8 banchharam.com /no/plauyexaqer.php

These URLs also provided a path to malware. So I go check the IP with VirusTotal.com and bigger than shit:

74.50.122.8 smartsglobal.com /abzvwp /dklhbsgwwnyryaxzujztq.php
74.50.122.8 maitreya.co.in /uduld /kawabanga.php
74.50.122.8 ronniesindia.com /ppy /vuivhngsqqd.vgfhdubrbueqynljn
74.50.122.8 sunvanoverseas.net /cpec /xbukymgnfjkolsepjzcpzhaufczpwv.awyqpyvwbapmfoepfklkxnf
74.50.122.8 judithandjim.com /lettinglovelead /pocketinfo.php
74.50.122.8 pearllighting.in /ftyalj /ukuhefrjgqtlntilld.ahovwpnafgvzn
74.50.122.8 praguebusinesscorporation.com /pz /btwnow.php

Several of those lead to Android malware, and depending on the user agent, some lead to junky copypasta clickbait sites like:

naturalhealthxcare.com  <-- rip off of Good Housekeeping
com-qj61.net /indexer.php ?a=269321&c=skin&s=h57s <-- Rachel Ray copycat?
topzfxs.com/?s=662 <-- fake Fox News site

And like I said earlier, Dynamoo's Blog would do some real digging on this, so check THIS out!

Epilogue

I notified HiVelocity hosting about the IP address, which seems to be pretty well compromised. HiVelocity responded by disabling it for cleanup and investigation. Mad props to them for taking action! Email excerpt:

Picture of hivelocity email about taking down malware site.

This junked-up server is of course NOT mission-critical to the malware spammers, but sometimes one bad email can get a server taken down. Then, look at all the attention Conrad at Dynamoo's Blog put on them and the next-higher group. The malware spammers were better off before they sent that one oddball email.

If this was at least a little helpful, how about a +1, Like, or Tweet?