[Xylitol]

A fresh landing targeting France, as spotted by malekal https://twitter.com/malekal_morte/statu ... 6680811521 asking for itunes gift cards.
There is an anti 'noscript' to redirect people on a 404 page if javascript is disabled:

Code: Select all

<noscript><meta http-equiv="refresh" content="0; URL=../google.com/index.html"></noscript>

Full screen:

Code: Select all

 //eval if (key == 'jwsf72efuju2') {function toggleFullScreen() {  if (!document.fullscreenElement &&  !document.mozFullScreenElement && !document.webkitFullscreenElement) {  if (document.documentElement.requestFullscreen) {  document.documentElement.requestFullscreen();  } else if (document.documentElement.mozRequestFullScreen) {  document.documentElement.mozRequestFullScreen();  } else if (document.documentElement.webkitRequestFullscreen) {  document.documentElement.webkitRequestFullscreen(Element.ALLOW_KEYBOARD_INPUT);}}}} 

Full screen if escape key (VK_ESCAPE = 27) is pressed:

Code: Select all

 //eval document.addEventListener('keyup', function(es) {  if (es.keyCode == 27) {   toggleFullScreen();   document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";   }}, false); 

More keys event:
VK_F11 = 122
VK_CONTROL = 17
VK_ALT = 18
VK_RETURN = 13

Code: Select all

 //eval document.addEventListener('keyup', function(e) {  if (e.keyCode == 122 || e.keyCode == 17 || e.keyCode == 18 || e.keyCode == 13) {   toggleFullScreen();   document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";   }}, false); 

Code: Select all

http://namemdk.review/fritunes1/

URL scan: https://www.virustotal.com/en/url/e5eba ... 501322170/ (3/65)
File scan: https://www.virustotal.com/en/file/185b ... 501319076/ (3/59)

[Xylitol]

Trojan.JS.Cryxos targeting france, trying to fool/scare user to phone 0186264266
https://www.f-secure.com/v-descs/trojan_js_cryxos.shtml
continuing here because similar to my previous post, who's now also detected as Cryxos.

Code: Select all

htxp://www.support.microsoft9023yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/?cid={conversion}&pid={pubfeed}_{subid}&bid={bid}&ip={ip}&city={city}&network=yfrmsrbcls&cid=Iv1vt5Wy31M&pid=76535_68475&bid=0.006&ip=88.88.88.88&city=Gotham&network=yfrmsrbcls

https://www.virustotal.com/en/file/3182 ... 503778932/

The page have a poor french grammar and also audio speech.

Code: Select all

htxp://www.support.microsoft9023yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/assests/french.mp3

ID3 from file:
Artist: TextAloud: IVONA Mathieu22 (French)
Title: 19577024.mp3
Album: Created: 1/6/2017 8:43:22 AM
Year: 2017
Comment: http://www.nextup.com
Genre: Speech

disable right click, attempt to get in full screen, block also some keyCode, display alert() and 'lock' the browser by inserting an iframe who redirect on a http auth.

Code: Select all

htxps://security-error-reported.in/2/chrome/auth.php
www-authenticate=Basic realm="Microsoft has detected suspicious activity from your IP address.Contact microsoft Engineers at 1-800-431-228(Toll Free Australia) or 0-800-069-8527( Toll Free UK) for Technical Assistance for network and secuirty support"

edit:
some others hostile landing:

Code: Select all

hxtp://www.support.microsoft9024yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/
hxtps://we-mn-72.s3.amazonaws.com/gfhre/ts-ie-frgauth/index.htm?n=09-75-18-92-61&red=y&error=

[Xylitol]

Got one with sound, just a siren sound of 3 seconds, triggered each time the user try to interact with the landing (click on page, press a key, etc...)

Code: Select all

 //eval document.addEventListener('keyup', function(es) {  if (es.keyCode == 27) {   toggleFullScreen();   document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";   }}, false); 

And inline images with data urls:


They seem to always use the same structure with a directory named 'fritunes' for french landings and 'deitunes' for german landings.
Some examples from urlquery:

German:
http://urlquery.net/report/f85e9577-985 ... a869dda4ec
http://urlquery.net/report/3b247b95-7ee ... 80a0074c33
http://urlquery.net/report/5872aefb-300 ... 27ed8d8def
https://urlquery.net/report/284b6de0-fe ... 0259f42b25
https://urlquery.net/report/9e057a27-63 ... b1aa589ff0

French:
https://urlquery.net/report/5fa93541-d1 ... 7e3a3441da
https://urlquery.net/report/193e42e3-08 ... 08c077affb
https://urlquery.net/report/e6fa93f6-98 ... 6322386515
http://urlquery.net/report/15ef1b49-957 ... acc06e3dab

Russian:
https://urlquery.net/report/bdf64aa5-32 ... 1def42cf0b
https://urlquery.net/report/89802663-e8 ... bc6b7e2417
https://urlquery.net/report/fb3a76a3-f5 ... 71534f5485

[Xylitol]

thread split from http://www.kernelmode.info/forum/viewto ... =16&t=2904 as Browlock ≠ Cryxos

Trojan.JS.Cryxos.A ~ http://telussecuritylabs.com/threats/sh ... 0170726-02
Sample attached https://www.virustotal.com/en/file/8031 ... 512903612/

[Xylitol]

Code: Select all

http://propelle.stream/fritunesstars/

url scan: https://www.virustotal.com/en/url/9d158 ... 514077045/ (0/66)
html file: https://www.virustotal.com/en/file/fed1 ... 514076650/ (0/60)

propelle.stream ⚙ 5.8.18.5
-> propelle.review https://www.virustotal.com/en/url/e4897 ... 514106241/ (0/66)
-> propelle.bid https://www.virustotal.com/en/url/52491 ... 514106219/ (0/66)
-> propelle.download https://www.virustotal.com/en/url/59ed2 ... 514106198/ (0/66)
-> nepreller.stream https://www.virustotal.com/en/url/87f13 ... 514106181/ (0/66)
-> nepreller.win https://www.virustotal.com/en/url/8aa9e ... 514106158/ (0/66)
-> neteller.space https://www.virustotal.com/en/url/1c3ab ... 514106136/ (0/66)
-> neteller.pw https://www.virustotal.com/en/url/f95d2 ... 514106118/ (0/66)
-> moneynakarmane.stream https://www.virustotal.com/en/url/679ff ... 514106081/ (1/66)
-> moneynakarmane.bid https://www.virustotal.com/en/url/7ab5f ... 514106007/ (1/66)
-> moneynakarmane.win https://www.virustotal.com/en/url/1e7ad ... 514106044/ (2/66)

[Xylitol]

Code: Select all

tds: http://erotiznet.com/THfQ4b
http://propelle.stream/fritunesexo/

[Xylitol]

Code: Select all

http://188.166.26.60/fr/?t=09%2070%2073%2038%2070&bk=673d079e

https://www.virustotal.com/en/file/6cf5 ... 514638450/
full screen, hide cursor, alert dialog, mp3 playing, inline images, want you to call 09 70 73 38 70 (skype number)

[Xylitol]

redirector: game6666666.com - https://www.virustotal.com/en/url/93f0a ... 515166721/ (0/66)
cryxos: support.microsoft990207afrmscomborbclf8415.com.s3-website.eu-central-1.amazonaws.com - https://www.virustotal.com/en/url/23285 ... 515166632/ (0/66)
win-help-alert.site - https://www.virustotal.com/en/url/696cc ... 515166958/ (2/66)
https://www.virustotal.com/en/ip-addres ... formation/
skype number: 0970731054




Also, erotiznet.com still active

Redirecting on zakonvzakone.bid (5.8.18.5) https://www.virustotal.com/en/url/ff0b8 ... 515155349/ (1/66) you need french IP and firefox as browser to get redirected on usual fake french police nationale warning.

Talked with AWS (ec2-abuse[@]amazonaws.com) they finally took some initiative against cryxos proliferation.