Sometimes ago, i wrote an entry for a SEO poisoning campaign for the Browlock ransomware using hacked websites.
Another campaign leading to PUPs.
The links are similar to the Browlock Campaign, they are probably using the same tools.
Words Spam :
The redirections.
http://s0ftpedia.pw/files/t%C3%A9l%C3%A9charger%20latis%20bio%20gratuit&id=my – https://www.virustotal.com/fr/ip-address/5.199.171.242/information/
http://s0ftpedia.pw/files/t%C3%A9l%C3%A9charger%20latis%20bio%20gratuit&id=my
http://pushtraffic.net/TDS/?wmid=99939&uid=967&q=T%C3%A9l%C3%A9charger_Latis_Bio_Gratuit – https://www.virustotal.com/fr/ip-address/91.205.156.86/information/
http://pushtraffic.net/TDS/?wmid=99939&uid=967&q=T%C3%A9l%C3%A9charger_Latis_Bio_Gratuit
http://j.theadsnet.com/j5GR9KvcCpJl3KxNbd2jHELdoS5hn5sieZuaPXu8lDpq6pYiQLmNZh%2Ft1GwT%2FoUaXrnIQUPSxB%2F1TZGsk4tpEkyLYAUdnGgPL4dSHSOXTuQ8nWHyO3Q%2F%2FyU5LLtrOxOrazoVrg%3D%3D
http://j.theadsnet.com/static/jquery-1.11.3.min.js
http://lss799.filedatabase.biz/j5GREkGD7Ho/2Oh8OZ2Qem3UtDV1pasUWqWpJmmXozpxk6IlQ6ScMlLymSwX6cVSHe7NUgTQzk1FkZ8GXtU4SgffPFEykXsPKJF/ICOcLLBoiGfmNGZw6AlwZP8/NRm1PWBM9AktGL0ScF7AAndC11NoXcITRErFE1ATzBVFZ8caXxrU7UUnz/RNcPnYHiOm71AKpP4pOqDJKjLyqm4Vt+0TDKefaFr1l2VZ8ZJrX9KablOS0z8RisUMQNyLWOPB2liwxaZHvc3wQ7jJ/0H1Mv5KpjW35aA95eL4Ka/pnFWYqslw3/XHPZbmwnuf+8V8h/iIFdTS2EWSmYkWzJrnR8PF – https://www.virustotal.com/fr/ip-address/109.200.202.121/information/
As you can see they are using a TDS at pushtraffic.net :
The TDS rise at ~22k at Alexa
Example of the final installer with a lot of commons PUPs : Adanak (Adware.BrowseFox), Vuu PC, Webssearches (Hijacker), Boxore etc.
to be continued to : https://www.malekal.com/2015/03/27/en-pups-by-crackskeygen/
(Visité 57 fois, 1 visites ce jour)
