[en] Adf.ly and Linkbucks malvertising leads to the Gamarue Trojan

After a pause in the adf.ly malvertising campaign (the Gema ransomware seems to have disappeared: http://www.malekal.com/2012/03/13/malvertising-adf-ly-ransomware-sacem-police-nationale/ ).

A new campaign has started.

http://abi.fm/news.php (72.167.232.75, GO-DADDY-COM-LLC) performs the redirections to the exploit kit:

http://marioneses.info/pics/site.php?articles=313&blogs=276&reports=898&problems=477&demo=46&skin=664 (66.225.241.35 – NET-66-225-192-0-1)
http://marioneses.info/pics/UPCYURJ
http://www.facebook.com/plugins/like.php?api_key=&locale=en_US&sdk=joey&channel_url=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D18%23cb%3Df8f8d72465282%26origin%3Dhttp%253A%252F%252Fabi.fm%252Ff552b0abf08c14%26domain%3Dabi.fm%26relation%3Dparent.parent&href=http%3A%2F%2Fwww.facebook.com%2FAbiAnnMusic&node_type=link&width=450&layout=button_count&colorscheme=light&show_faces=false&send=true&extended_social_context=false
http://marioneses.info/pics/mEoBGU
http://marioneses.info/pics/dmiFd
http://static.ak.fbcdn.net/rsrc.php/v2/y4/r/sIl0tzs2AD6.js
http://marioneses.info/pics/dmiFd
http://marioneses.info/pics/mEoBGU
http://marioneses.info/usage.php?shim=668&promotion=13&image=437&london=1261&redir=103&comp=349&title=630&left=545&my1up=6&arts=921

The dropper: https://www.virustotal.com/file/321637379782a5fcef8b64ed68d6717c84011625dbd80a71c3d05268c9506b85/analysis/1359975931/

SHA256: 321637379782a5fcef8b64ed68d6717c84011625dbd80a71c3d05268c9506b85
File name: build.exe
Detection ratio: 2 / 45
Analysis date: 2013-02-04 11:05:31 UTC ( 2 minutes ago )

DrWeb BackDoor.Tordev.8 20130204
ESET-NOD32 a variant of MSIL/Injector.BBG 20130204

It then loads %SYSTEM%/wuauctl.exe and creates the following Run key:

O4 – HKLM\..\Policies\Explorer\Run: [46733] C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msomkovc.com
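Triage for entries like the O4 line above, as an added example (not code from this post): a HijackThis O4 registry-run line is parsed into hive, key, value name and image path, then scored on four heuristics taken from this entry, namely the Policies\Explorer\Run key, an image stored under a Temp directory, a .com/.scr/.pif-style extension, and an all-digit value name. The Java, HKCU and Global Startup sample lines are constructed, and the heuristics and their equal weighting are assumptions.

```python
"""Score HijackThis O4 (registry Run) entries like the one quoted above.

Added example, not code from malekal.com.  The second, third and fourth sample
lines are constructed; the heuristics are assumptions based on the quoted entry.
"""
import ntpath
import re

# O4 - HKLM\..\Policies\Explorer\Run: [46733] C:\...\msomkovc.com   (hyphen or en dash)
O4_RE = re.compile(
    r"^O4 [-\u2013] (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>.+?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

RISKY_EXT = {".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

SAMPLE_O4 = [
    r"O4 - HKLM\..\Policies\Explorer\Run: [46733] C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msomkovc.com",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    r"O4 - HKCU\..\Run: [updater] C:\Users\bob\AppData\Local\Temp\svc.exe /silent",
    r"O4 - Global Startup: desktop.ini",
]


def parse_o4(line):
    """Return hive/key/name/image/cmd for a registry O4 line, None for other O4 forms."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                    # quoted image path, possibly followed by args
        image = cmd[1:cmd.index('"', 1)]
    else:                                      # unquoted: the first token is the image
        image = cmd.split(" ", 1)[0]
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "image": image, "cmd": cmd}


def triage_o4(line):
    """Attach a list of reasons and a score (their count) to a parsed O4 entry."""
    rec = parse_o4(line)
    if rec is None:
        return None
    reasons = []
    low = rec["image"].lower()
    if rec["key"].lower().endswith("policies\\explorer\\run"):
        reasons.append("policies-run-key")      # rarely used by legitimate installers
    if "\\temp\\" in low or "\\tmp\\" in low:
        reasons.append("image-in-temp")         # autostart from a scratch directory
    if ntpath.splitext(low)[1] in RISKY_EXT:
        reasons.append("unusual-extension")     # .com/.scr/... instead of .exe
    if rec["name"].isdigit():
        reasons.append("numeric-value-name")    # [46733]: generated, not a product name
    rec["reasons"] = reasons
    rec["score"] = len(reasons)
    return rec


if __name__ == "__main__":
    for line in SAMPLE_O4:
        rec = triage_o4(line)
        if rec is None:
            print("skip   ", line)
        else:
            print("%d %-40s %s" % (rec["score"], ",".join(rec["reasons"]) or "-", rec["image"]))
```

The quoted entry scores on all four heuristics; a stock Java updater entry scores zero. ntpath is used so the Windows paths split correctly on a Linux analysis box.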

The malware then makes a POST to oppnetspeed.co.ua/forum/images/image.php (181.191.255.181); the netblock is registered in Panama:

inetnum: 181.191.255/24
status: reallocated
owner: Panamaserver.com VPS
ownerid: PA-PAVP-LACNIC
responsible: Ch Group Corp
address: Bella Vista, 1, 1
address: 000000 – Panama – PA
country: PA
phone: +507 8322443 []
owner-c: MAC30
tech-c: MAC30
abuse-c: MAC30
created: 20120825
changed: 20120825
inetnum-up: 181.191/16

This looks like the Gamarue Trojan (a stealer): http://www.malekal.com/2012/01/12/wormwin32gamarue-stealer/

EDIT 9 February

There is also a malvertising campaign on linkbucks.com.

Detection: build.exe is at 0 on VirusTotal.

The second file is the Gimeno ransomware, which is making a comeback.

EDIT – February 21

Still active:

http://adf.ly/1market.php?cb=3m&sc=1&t=7c5c36636c80cf58498ebdf6f7abe32c&d=454693&n=715336
http://newyouevent.com/ (88.198.48.189)
http://newyouevent.com/facebook.html
http://img.newyouevent.com/new/wp-login/t/speeches.php?rsscss=599&photoshop=160&people=65&sitemap=97&docs=862&phoenix=299
http://img.newyouevent.com/new/wp-login/t/AnoBIL
http://img.newyouevent.com/new/wp-login/t/ZOyNoeZQ
http://img.newyouevent.com/new/wp-login/t/byHTH
http://img.newyouevent.com/new/wp-login/t/ZOyNoeZQ
http://img.newyouevent.com/new/wp-login/t/byHTH
http://img.newyouevent.com/promotion.php?view=401&howto=350&siteindex=13&diary=154&incest=1261&radio=533&docs=247&ipod=33&star=522&pets=463


Still the same malware:
http://malwaredb.malekal.com/index.php?hash=dba5f3454d1051b71a07bc037f9616b0
https://www.virustotal.com/fr/file/32adf61456138e72bc190e7b79c5ac29b0e9ed7b681f3cbe46c1210e590e08e9/analysis/1361483429/

SHA256: 32adf61456138e72bc190e7b79c5ac29b0e9ed7b681f3cbe46c1210e590e08e9
File name: jwlse.exe
Detection ratio: 1 / 46
Analysis date: 2013-02-21 21:50:29 UTC (0 minutes ago)

McAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious-PKR.G 20130221

Still the same URL (the IP has changed):

POST http://oppnetspeed.co.ua/forum/images/image.php – DIRECT/5.9.181.106 application/octet-stream
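As an added example (not code from this post), the following Python scans proxy logs in Squid's native format for the traffic shown in both redirect chains above and in this POST line: the gate/landing URLs whose query strings consist only of word=integer pairs (site.php?articles=313&blogs=276..., usage.php?..., speeches.php?..., promotion.php?...), the extensionless short-token fetches that follow them from the same host (/pics/UPCYURJ, /pics/dmiFd, /t/AnoBIL), and the POST to a .php script answered with application/octet-stream. The log lines are constructed from the URLs quoted on this page; the Squid field layout is the standard one, but the five-parameter threshold, the 60-second correlation window, the client addresses and the alert names are assumptions.

```python
"""Squid access-log scanner for the traffic described in the post above.

Added example, not code from malekal.com.  The SAMPLE_LOG lines are
constructed from the URLs quoted in the post; the thresholds are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Squid native log: ts elapsed client code/status bytes method url ident hierarchy/peer ctype
SQUID_FIELDS = ("ts", "elapsed", "client", "result", "bytes",
                "method", "url", "ident", "hierarchy", "ctype")

# Constructed sample traffic: one client following the abi.fm -> marioneses.info chain,
# then the C2 POST, plus two lines (an intranet upload, the adf.ly link) that must not fire.
SAMPLE_LOG = """\
1359975800.101 312 10.0.0.5 TCP_MISS/200 5120 GET http://abi.fm/news.php - DIRECT/72.167.232.75 text/html
1359975801.220 201 10.0.0.5 TCP_MISS/200 3344 GET http://marioneses.info/pics/site.php?articles=313&blogs=276&reports=898&problems=477&demo=46&skin=664 - DIRECT/66.225.241.35 text/html
1359975801.900 180 10.0.0.5 TCP_MISS/200 20480 GET http://marioneses.info/pics/UPCYURJ - DIRECT/66.225.241.35 application/x-java-archive
1359975802.050 150 10.0.0.5 TCP_MISS/200 2210 GET http://www.facebook.com/plugins/like.php?api_key=&locale=en_US&sdk=joey&href=http%3A%2F%2Fwww.facebook.com%2FAbiAnnMusic&width=450 - DIRECT/31.13.64.1 text/html
1359975803.400 190 10.0.0.5 TCP_MISS/200 98304 GET http://marioneses.info/pics/dmiFd - DIRECT/66.225.241.35 application/octet-stream
1359975804.000 170 10.0.0.5 TCP_MISS/200 1800 GET http://marioneses.info/usage.php?shim=668&promotion=13&image=437&london=1261&redir=103&comp=349&title=630&left=545&my1up=6&arts=921 - DIRECT/66.225.241.35 text/html
1359975830.500 250 10.0.0.5 TCP_MISS/200 412 POST http://oppnetspeed.co.ua/forum/images/image.php - DIRECT/181.191.255.181 application/octet-stream
1359975831.000 120 10.0.0.7 TCP_MISS/200 912 POST http://intranet.example/api/upload.php - DIRECT/10.1.1.1 application/json
1359975832.000 130 10.0.0.7 TCP_MISS/200 640 GET http://adf.ly/1market.php?cb=3m&sc=1&t=7c5c36636c80cf58498ebdf6f7abe32c&d=454693&n=715336 - DIRECT/88.198.48.189 text/html
"""

KEY_WORD = re.compile(r"^[a-z][a-z0-9]*$")    # articles, my1up ... but not api_key
INT_VALUE = re.compile(r"^[0-9]+$")           # 313, 1261 ... but not 3m or en_US
TOKEN_PATH = re.compile(r"^[A-Za-z]{4,10}$")  # UPCYURJ, dmiFd, AnoBIL


def parse_squid_line(line):
    """Split one native-format line into a dict, or return None if it is not 10 fields."""
    parts = line.split()
    if len(parts) != len(SQUID_FIELDS):
        return None
    rec = dict(zip(SQUID_FIELDS, parts))
    rec["ts"] = float(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_kit_landing(url, min_params=5):
    """Gate/landing URL: a .php with at least min_params word=integer pairs and nothing else."""
    u = urlsplit(url)
    if not u.path.endswith(".php") or not u.query:
        return False
    params = parse_qsl(u.query, keep_blank_values=True)
    return len(params) >= min_params and all(
        KEY_WORD.match(k) and INT_VALUE.match(v) for k, v in params)


def is_token_path(url):
    """Follow-up fetch: last path segment is letters only, with no extension (/pics/UPCYURJ)."""
    return bool(TOKEN_PATH.match(urlsplit(url).path.rsplit("/", 1)[-1]))


def is_binary_post(rec):
    """POST to a .php script answered with application/octet-stream (the image.php beacon)."""
    return (rec["method"] == "POST"
            and urlsplit(rec["url"]).path.endswith(".php")
            and rec["ctype"] == "application/octet-stream")


def scan(log_text, window=60.0):
    """Return (alert, client, url) tuples.  Token fetches only count within `window`
    seconds of a landing hit from the same client to the same host."""
    alerts = []
    last_landing = {}  # (client, host) -> timestamp of the most recent landing hit
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        key = (rec["client"], urlsplit(rec["url"]).hostname)
        if is_kit_landing(rec["url"]):
            last_landing[key] = rec["ts"]
            alerts.append(("kit-landing", rec["client"], rec["url"]))
        elif (key in last_landing and rec["ts"] - last_landing[key] <= window
              and is_token_path(rec["url"])):
            alerts.append(("kit-payload", rec["client"], rec["url"]))
        if is_binary_post(rec):
            alerts.append(("binary-post", rec["client"], rec["url"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("%-12s %-10s %s" % alert)
```

The Facebook like.php and the adf.ly 1market.php requests do not match the landing pattern because they carry non-numeric values (api_key=, cb=3m), which is what separates the kit's generated query strings from ordinary ones. A binary POST to a .php script also occurs with legitimate uploads, so treat that alert as a hunting lead to pivot on (destination host, client, volume) rather than a verdict.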
