What drew my attention to it at first was the .IT TLD, as well as the fact that this traffic seemed out of place in the context of this person's web browsing patterns. Furthermore, the two requests to gallipolicountryandsea[.]it were resolving to different IPs. I decided to toss the first request into VirusTotal, which showed it had a detection ratio of 6/66.
That is a relatively high detection rate for a URL, which piqued my interest even more. I then took the URL and plugged it into URLQuery to see if I could find specific HTTP transactions. This is what I found:
The first and second requests go to the same domain but at different IP addresses, just as they did in our customer's traffic. Then we get a 302 that redirects to a different domain at zoxxv[.]com (our customer traffic showed dutbbc[.]com). Apart from the domains being different, the URIs are identical. The final redirect of interest is to help-save-wildlife[.]org, a domain that was registered only days prior and is located in Switzerland. Suspicious.
I then reversed the base64-encoded data and decoded it, which gave me this:
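One way to hunt for this pattern in proxy logs, as an added example (not code from the original investigation): it flags hosts contacted at more than one IP and redirect URIs that reappear under different domains. The record layout, function names and `.example` hosts are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy records: (dest_ip, status, url, location_header).
# Hosts use the reserved .example TLD; IPs are RFC 5737 documentation ranges.
RECORDS = [
    ("192.0.2.10", 200, "http://landing.example/index.php", ""),
    ("198.51.100.7", 302, "http://landing.example/index.php?r=1",
     "http://redir-a.example/track/click?id=42"),
    ("203.0.113.4", 302, "http://redir-a.example/track/click?id=42",
     "http://final.example/"),
    ("198.51.100.7", 302, "http://landing.example/index.php?r=1",
     "http://redir-b.example/track/click?id=42"),
    ("203.0.113.4", 302, "http://redir-b.example/track/click?id=42",
     "http://final.example/"),
    ("192.0.2.55", 200, "http://intranet.example/home", ""),
]

def hosts_with_multiple_ips(records):
    """Return {host: [ips]} for hosts that were reached at more than one IP."""
    ips = defaultdict(set)
    for dest_ip, _status, url, _location in records:
        ips[urlsplit(url).hostname].add(dest_ip)
    return {host: sorted(seen) for host, seen in ips.items() if len(seen) > 1}

def rotating_redirect_targets(records):
    """Return {uri: [hosts]} where one cross-domain 302 target URI
    (path plus query) shows up under more than one domain."""
    by_uri = defaultdict(set)
    for _ip, status, url, location in records:
        if status != 302 or not location:
            continue
        src, dst = urlsplit(url), urlsplit(location)
        if dst.hostname and dst.hostname != src.hostname:
            uri = dst.path + ("?" + dst.query if dst.query else "")
            by_uri[uri].add(dst.hostname)
    return {uri: sorted(hosts) for uri, hosts in by_uri.items() if len(hosts) > 1}

if __name__ == "__main__":
    for host, ips in hosts_with_multiple_ips(RECORDS).items():
        print(f"multi-IP host: {host} -> {', '.join(ips)}")
    for uri, hosts in rotating_redirect_targets(RECORDS).items():
        print(f"shared redirect URI {uri} on: {', '.join(hosts)}")
```

Multiple IPs for one host is common with CDNs, so the first check is a pivot for triage and the second is the stronger signal when both fire on the same chain.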
I took the decoded script and deobfuscated it until I ended up with the following [Thanks to my coworker Julian for helping me find a good tool for deobfuscation]:
This is only a small list. There are at least 1,907 of these spam pages ranging from 100 all the way to 999. The end of this report contains all the IPs, domains, and sub-domains.
Continuing my investigation… If the value is false it sends the host to various domains, many of which are hosted at 220.127.116.11 and 18.104.22.168:
Trying to reach many of those domains returns this template:
Or they resolve to what appears to be the SAVE Wildlife Conservation Fund:
There is also evidence that this campaign was at one time sending people to unicef.org.
To see what would happen, I took the URL from the true value in the deobfuscated JS and pasted it into the browser:
No luck. I then tried the referer URL from my research (zoxxv[.]com) and got this spam page:
The spam page is fake, as every link points to “go.php” (884-health.zoxxv[.]com/uswcpg/d3/pure-natural-forskolin/go[.]php). Running that URI through Hybrid-analysis shows it as “no specific threat”.
There were, however, some malicious artifacts seen on the spam page in the context of contacted hosts:
This is unrelated to my investigation but these sub-domains at googlecode[.]com are dropping a lot of bad stuff… Google Code is Google’s official open source site meant for developers to host their program’s source code and related files. However, threat actors are using the Google Code repository to host Trojans, backdoors and password stealing keyloggers.
Moving on… Clicking on any of the links on the spam page redirects you to a couple different domains hosting the product page. This time I landed on hxxps://mysecura-gateway[.]com/forskolin/:
Once you have given your name, address, and phone number you click “Rush My Order” and are taken to the “Final Step” page where you are instructed to select a package and then enter in credit card information.
Hybrid-analysis didn’t find any malicious files being dropped on either the spam page or the product pages. Instead, both these pages are advertising Forskolin, a chemical found in the roots of plants, as a means to weight loss.
Doing a quick Google search for “Forskolin scams” returns results for these spam pages. According to Barracudalabs, users pay for the pills via credit cards but never receive their product. I haven’t tested this theory out for myself.
It would seem that this company is violating numerous Anti SPAM Acts.
In total, there were 3,351 unique domains and sub-domains found to be resolving to the IP addresses listed above.