[en] Adf.ly and Linkbucks malvertising leads to the Gamarue Trojan

After a break in the adf.ly malvertising campaign (the Gema ransomware seems to have disappeared: https://www.malekal.com/malvertising-adf-ly-ransomware-sacem-police-nationale/ ), a new one has appeared.

The redirection to the exploit kit goes through http://abi.fm/news.php (72.167.232.75 - GO-DADDY-COM-LLC).


The dropper: https://www.virustotal.com/file/321637379782a5fcef8b64ed68d6717c84011625dbd80a71c3d05268c9506b85/analysis/1359975931/

SHA256: 321637379782a5fcef8b64ed68d6717c84011625dbd80a71c3d05268c9506b85
File name: build.exe
Detection ratio: 2 / 45
Analysis date: 2013-02-04 11:05:31 UTC

DrWeb BackDoor.Tordev.8 20130204
ESET-NOD32 a variant of MSIL/Injector.BBG 20130204

The dropper then loads %SYSTEM%/wuauctl.exe and creates the following Run key (HijackThis O4 line):
O4 - HKLM\..\Policies\Explorer\Run: [46733] C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msomkovc.com

The malware then makes a POST to oppnetspeed.co.ua/forum/images/image.php (181.191.255.181, a netblock allocated to Panamaserver.com VPS according to the whois record).


This looks like the Gamarue Trojan (a stealer): https://www.malekal.com/wormwin32gamarue-stealer/

EDIT 9 February

Malvertising is also present on linkbucks.com.


Detection: build.exe has 0 detections on VirusTotal.

The second file is the Gimeno ransomware, which is making a comeback.


EDIT - February 21

The campaign is still active.



Still the same malware:
http://malwaredb.malekal.com/index.php?hash=dba5f3454d1051b71a07bc037f9616b0
https://www.virustotal.com/fr/file/32adf61456138e72bc190e7b79c5ac29b0e9ed7b681f3cbe46c1210e590e08e9/analysis/1361483429/

SHA256: 32adf61456138e72bc190e7b79c5ac29b0e9ed7b681f3cbe46c1210e590e08e9
Nom du fichier : jwlse.exe
Ratio de détection : 1 / 46
Date d'analyse : 2013-02-21 21:50:29 UTC

McAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious-PKR.G 20130221

Still the same URL (the IP has changed):

POST http://oppnetspeed.co.ua/forum/images/image.php - DIRECT/5.9.181.106 application/octet-stream
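As an added detection example (not part of the original post), the Python below flags the two host-side and network-side artefacts described above: the Policies\Explorer\Run autostart entry from the HijackThis O4 line, and the binary POST to image.php recorded in the proxy log. The Squid access.log layout and the sample lines are constructed assumptions; only the C2 host, the O4 entry and the fbcdn URL come from the post.

```python
import re
from urllib.parse import urlsplit

# C2 host recorded in the write-up; the IP behind it changed between captures.
KNOWN_C2_HOSTS = {"oppnetspeed.co.ua"}

# Tail of a Squid native access.log line (assumed layout): "METHOD URL ident peerstatus/peerhost type"
SQUID_TAIL = re.compile(
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+(?P<ctype>\S+)$")

def suspicious_post(line):
    """True for a POST to a known C2 host, or for the beacon shape seen here:
    a binary (application/octet-stream) POST to a .php script under an /images/ path."""
    m = SQUID_TAIL.search(line.strip())
    if not m or m.group("method") != "POST":
        return False
    url = urlsplit(m.group("url"))
    if url.hostname in KNOWN_C2_HOSTS:
        return True
    return (m.group("ctype") == "application/octet-stream"
            and url.path.endswith(".php") and "/images/" in url.path)

# HijackThis O4 autostart line, e.g. "O4 - HKLM\..\Policies\Explorer\Run: [46733] C:\...\Temp\x.com"
O4_RUN = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\(?P<key>[^:]+): \[[^\]]*\] (?P<cmd>.+)$")

def suspicious_run_entry(line):
    """True for Policies\\Explorer\\Run entries (rarely used by legitimate software)
    whose target sits in a Temp directory or carries the unusual .com extension (heuristic)."""
    m = O4_RUN.match(line.strip())
    if not m or "policies\\explorer\\run" not in m.group("key").lower():
        return False
    cmd = m.group("cmd").lower()
    return "\\temp\\" in cmd or cmd.split()[0].endswith(".com")

# Constructed sample data: the beacon shape from the post plus benign traffic and a benign Run entry.
SAMPLE_LOG = [
    "1361483429.101 245 10.0.0.5 TCP_MISS/200 312 POST http://oppnetspeed.co.ua/forum/images/image.php - DIRECT/5.9.181.106 application/octet-stream",
    "1361483430.220 80 10.0.0.5 TCP_HIT/200 5120 GET http://static.ak.fbcdn.net/rsrc.php/v2/y4/r/sIl0tzs2AD6.js - NONE/- application/x-javascript",
    "1361483431.005 130 10.0.0.7 TCP_MISS/200 200 POST http://example.com/upload.php - DIRECT/198.51.100.9 application/octet-stream",
]
SAMPLE_O4 = [
    r"O4 - HKLM\..\Policies\Explorer\Run: [46733] C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msomkovc.com",
    r"O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr",
]

def scan(log_lines=SAMPLE_LOG, o4_lines=SAMPLE_O4):
    """Return the indices of flagged proxy log lines and of flagged O4 entries."""
    return ([i for i, l in enumerate(log_lines) if suspicious_post(l)],
            [i for i, l in enumerate(o4_lines) if suspicious_run_entry(l)])
```

The path-shape rule is deliberately broader than the one host named in the post, so it also catches the same beacon pattern if the C2 domain changes.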
