A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #30657  by Xylitol
 Sat Jul 29, 2017 9:59 am
A fresh landing targeting France, as spotted by malekal https://twitter.com/malekal_morte/statu ... 6680811521 asking for itunes gift cards.
There is an anti 'noscript' to redirect people on a 404 page if javascript is disabled:
Code: Select all
<noscript><meta http-equiv="refresh" content="0; URL=../google.com/index.html"></noscript>
Full screen:
Code: Select all
 //eval if (key == 'jwsf72efuju2') {function toggleFullScreen() {  if (!document.fullscreenElement &&  !document.mozFullScreenElement && !document.webkitFullscreenElement) {  if (document.documentElement.requestFullscreen) {  document.documentElement.requestFullscreen();  } else if (document.documentElement.mozRequestFullScreen) {  document.documentElement.mozRequestFullScreen();  } else if (document.documentElement.webkitRequestFullscreen) {  document.documentElement.webkitRequestFullscreen(Element.ALLOW_KEYBOARD_INPUT);}}}} 
Full screen if escape key (VK_ESCAPE = 27) is pressed:
Code: Select all
 //eval document.addEventListener('keyup', function(es) {  if (es.keyCode == 27) {   toggleFullScreen();   document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";   }}, false); 
More keys event:
VK_F11 = 122
VK_CONTROL = 17
VK_ALT = 18
VK_RETURN = 13
Code: Select all
 //eval document.addEventListener('keyup', function(e) {  if (e.keyCode == 122 || e.keyCode == 17 || e.keyCode == 18 || e.keyCode == 13) {   toggleFullScreen();   document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";   }}, false); 
Image
Code: Select all
http://namemdk.review/fritunes1/
URL scan: https://www.virustotal.com/en/url/e5eba ... 501322170/ (3/65)
File scan: https://www.virustotal.com/en/file/185b ... 501319076/ (3/59)
Attachments
infected
(192.58 KiB) Downloaded 50 times
 #30784  by Xylitol
 Sat Aug 26, 2017 7:55 pm
Trojan.JS.Cryxos targeting france, trying to fool/scare user to phone 0186264266
https://www.f-secure.com/v-descs/trojan_js_cryxos.shtml
continuing here because similar to my previous post, who's now also detected as Cryxos.
Code: Select all
htxp://www.support.microsoft9023yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/?cid={conversion}&pid={pubfeed}_{subid}&bid={bid}&ip={ip}&city={city}&network=yfrmsrbcls&cid=Iv1vt5Wy31M&pid=76535_68475&bid=0.006&ip=88.88.88.88&city=Gotham&network=yfrmsrbcls
Image
https://www.virustotal.com/en/file/3182 ... 503778932/

The page have a poor french grammar and also audio speech.
Code: Select all
htxp://www.support.microsoft9023yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/assests/french.mp3

ID3 from file:
Artist: TextAloud: IVONA Mathieu22 (French)
Title: 19577024.mp3
Album: Created: 1/6/2017 8:43:22 AM
Year: 2017
Comment: http://www.nextup.com
Genre: Speech
disable right click, attempt to get in full screen, block also some keyCode, display alert() and 'lock' the browser by inserting an iframe who redirect on a http auth.
Code: Select all
htxps://security-error-reported.in/2/chrome/auth.php
www-authenticate=Basic realm="Microsoft has detected suspicious activity from your IP address.Contact microsoft Engineers at 1-800-431-228(Toll Free Australia) or 0-800-069-8527( Toll Free UK) for Technical Assistance for network and secuirty support"
edit:
some others hostile landing:
Code: Select all
hxtp://www.support.microsoft9024yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/
hxtps://we-mn-72.s3.amazonaws.com/gfhre/ts-ie-frgauth/index.htm?n=09-75-18-92-61&red=y&error=
Image
Attachments
infected
(323.53 KiB) Downloaded 37 times
 #31108  by Xylitol
 Sun Dec 10, 2017 1:38 am
Got one with sound, just a siren sound of 3 seconds, triggered each time the user try to interact with the landing (click on page, press a key, etc...)
Code: Select all
 //eval document.addEventListener('keyup', function(es) {  if (es.keyCode == 27) {   toggleFullScreen();   document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";   }}, false); 
And inline images with data urls:
Image

They seem to always use the same structure with a directory named 'fritunes' for french landings and 'deitunes' for german landings.
Some examples from urlquery:

German:
http://urlquery.net/report/f85e9577-985 ... a869dda4ec
http://urlquery.net/report/3b247b95-7ee ... 80a0074c33
http://urlquery.net/report/5872aefb-300 ... 27ed8d8def
https://urlquery.net/report/284b6de0-fe ... 0259f42b25
https://urlquery.net/report/9e057a27-63 ... b1aa589ff0

French:
https://urlquery.net/report/5fa93541-d1 ... 7e3a3441da
https://urlquery.net/report/193e42e3-08 ... 08c077affb
https://urlquery.net/report/e6fa93f6-98 ... 6322386515
http://urlquery.net/report/15ef1b49-957 ... acc06e3dab

Russian:
https://urlquery.net/report/bdf64aa5-32 ... 1def42cf0b
https://urlquery.net/report/89802663-e8 ... bc6b7e2417
https://urlquery.net/report/fb3a76a3-f5 ... 71534f5485

Image
Attachments
infected
(18.64 KiB) Downloaded 23 times
 #31109  by Xylitol
 Sun Dec 10, 2017 10:42 am
Attachments
infected
(3.06 KiB) Downloaded 35 times
 #31150  by Xylitol
 Sun Dec 24, 2017 12:54 am
Attachments
infected
(328.97 KiB) Downloaded 23 times
 #31163  by Xylitol
 Sat Dec 30, 2017 1:11 pm
Image
Code: Select all
http://188.166.26.60/fr/?t=09%2070%2073%2038%2070&bk=673d079e
https://www.virustotal.com/en/file/6cf5 ... 514638450/
full screen, hide cursor, alert dialog, mp3 playing, inline images, want you to call 09 70 73 38 70 (skype number)
Attachments
infected
(367.14 KiB) Downloaded 23 times
 #31175  by Xylitol
 Fri Jan 05, 2018 2:43 pm
Image
redirector: game6666666.com - https://www.virustotal.com/en/url/93f0a ... 515166721/ (0/66)
cryxos: support.microsoft990207afrmscomborbclf8415.com.s3-website.eu-central-1.amazonaws.com - https://www.virustotal.com/en/url/23285 ... 515166632/ (0/66)
win-help-alert.site - https://www.virustotal.com/en/url/696cc ... 515166958/ (2/66)
https://www.virustotal.com/en/ip-addres ... formation/
skype number: 0970731054

Image


Also, erotiznet.com still active
Image
Redirecting on zakonvzakone.bid (5.8.18.5) https://www.virustotal.com/en/url/ff0b8 ... 515155349/ (1/66) you need french IP and firefox as browser to get redirected on usual fake french police nationale warning.

Talked with AWS (ec2-abuse[@]amazonaws.com) they finally took some initiative against cryxos proliferation.
Attachments
infected
(259.43 KiB) Downloaded 23 times