Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for the Sundown and RIG exploit kits. It was at this point that I began to track the TDS and its registrant.

[Image: Keitaro TDS login panel]

The first infection I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a Keitaro TDS and anythingtds.com appeared to be acting as a gate to numerous exploit kits (Sundown and RIG). Unfortunately, I didn’t have access to packet data, so I was unable to locate the initial referer (the compromised website) for the infection chain. However, the domains anyfucks[.]biz and anythingtds.com proved to be a valuable pivot point for my investigation.

Looking through the Whois information, I located my best pivot point, the registrant email address goodmandilaltain@gmail.com. Pivoting from this point led me to 17 domains using goodmandilaltain@gmail.com. Below is a list of those domains:

Domain                   Registered   Expires
perfectgirlss[.]org      2/22/2017    2/22/2018
jokertube[.]org          1/20/2017    1/20/2018
datsonsdaughter[.]com    1/17/2017    1/17/2018
hurtmehard[.]net         12/2/2016    12/2/2017
lifuntersnum1.net.in     11/12/2016   11/12/2017
anyfucks[.]biz           11/11/2016   11/11/2017
kachapaka.net.in         11/8/2016    11/8/2017
anythingtds.com          8/15/2016    8/15/2017
wetpusy.org              4/10/2016    4/10/2017
poranoxxx.com            4/3/2016     4/3/2017
pornstarl33t[.]org       3/28/2016    3/28/2017
badboys.net.in           3/1/2016     3/1/2017
goodmandilaltain.cc      3/1/2016     3/1/2017
cpro[.]pw                7/1/2015     7/1/2017
develporinline.info      5/31/2015    5/31/2016
sixer.info               7/29/2014    7/29/2015
verifiedppservice.net    6/23/2014    6/23/2015
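The registrant-email pivot above is the backbone of this investigation, so here is an added Python illustration of it (my own example, not the author's tooling). It takes a constructed set of Whois records copied from this post, expands transitively only across the strong attribute (registrant email), and reports weaker shared attributes such as a hosting provider's nameservers separately, because a shared host like qhoster.net is used by many unrelated tenants; the domain example-shop.test is a constructed unrelated tenant.

```python
from collections import defaultdict, deque

# Constructed Whois records, copied from the registration data in this post.
# example-shop.test is a made-up, unrelated tenant on the same shared host.
WHOIS = {
    "anyfucks[.]biz":        {"email": "goodmandilaltain@gmail.com", "name": "good man",   "ns": "qhoster.net"},
    "anythingtds.com":       {"email": "goodmandilaltain@gmail.com", "name": "good man",   "ns": "qhoster.net"},
    "hurtmehard[.]net":      {"email": "goodmandilaltain@gmail.com", "name": "good man",   "ns": "qhoster.net"},
    "cpro[.]pw":             {"email": "goodmandilaltain@gmail.com", "name": "good man",   "ns": "qhoster.net"},
    "verifiedppservice.net": {"email": "goodmandilaltain@gmail.com", "name": "jnnnnn man", "ns": "carbon2u.com"},
    "sixer.info":            {"email": "goodmandilaltain@gmail.com", "name": "jnnnnn man", "ns": "zolaris.net"},
    "develporinline.info":   {"email": "goodmandilaltain@gmail.com", "name": "Ali Hassan", "ns": "domaincontrol.com"},
    "example-shop.test":     {"email": "owner@example.test",         "name": "Jane Doe",   "ns": "qhoster.net"},
}

# Attributes strong enough to assert common control, versus attributes that
# are only hints (a shared-hosting nameserver is shared by thousands of sites).
STRONG = ("email",)
WEAK = ("name", "ns")

def pivot(seed, whois=WHOIS):
    """Expand from `seed` across STRONG attributes only.

    Returns (linked_domains, weak_hints): weak_hints maps each shared weak
    attribute value to domains outside the cluster that also carry it, so an
    analyst can review them without treating them as confirmed links."""
    index = defaultdict(set)            # (attribute, value) -> domains
    for dom, rec in whois.items():
        for attr in STRONG + WEAK:
            index[(attr, rec[attr])].add(dom)

    linked, queue = {seed}, deque([seed])
    while queue:                        # breadth-first over strong links
        cur = queue.popleft()
        for attr in STRONG:
            for dom in index[(attr, whois[cur][attr])]:
                if dom not in linked:
                    linked.add(dom)
                    queue.append(dom)

    hints = defaultdict(set)
    for dom in linked:
        for attr in WEAK:
            for other in index[(attr, whois[dom][attr])] - linked:
                hints[(attr, whois[dom][attr])].add(other)
    return linked, dict(hints)

if __name__ == "__main__":
    cluster, hints = pivot("anyfucks[.]biz")
    print("linked:", sorted(cluster))
    for key, doms in hints.items():
        print("weak link only:", key, "->", sorted(doms))
```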

Some domains in this list will immediately stand out to you if you’re following EK researchers. For instance, the domain hurtmehard[.]net has recently been documented by numerous researchers like Brad at @malware_traffic. This domain is being used as a gate for various exploit kits. While researching this domain I even found instances of onclkds.com redirecting users to hurtmehard[.]net. This means there was likely malvertising that led users to this gate.

Additionally, my Twitter friend @nao_sec found multiple compromised websites on 03/09/17 that contained similar scripts pointing to another gate registered to “good man,” datsonsdaughter[.]com. These compromised websites were:

  • teacherprintables[.]net
  • myprioritydate[.]com
  • bearcat1[.]com

You can view the injected script by following this link https://gist.github.com/anonymous/a2a4a5deb8fa50c0687f44b84a3d2ec0 and looking at the entries that say “N/A.”

Users visit these compromised sites and are redirected to a gate like hurtmehard[.]net. The gate would then redirect the host to an exploit kit, etc. For example, here is the script that I found on 03/03/17 when visiting hurtmehard[.]net:

[Image: hurtmehard iframe]

And here is a script that I found on 03/07/17 when visiting the gate datsonsdaughter[.]com:

[Image: datsonsdaughter.com original source]

You can see that in this instance the second iframe was cut off and didn’t contain a URL. The same thing can be seen in one of Brad’s most recent postings, which can be found here: http://www.malware-traffic-analysis.net/2017/03/09/index.html .

I decided to call this campaign and its gates “Good Man,” since the compromised sites all have similar injected scripts and the gates being used are registered to “good man.”

History Behind The Domains:

The first domain that I could find using goodmandilaltain@gmail.com was verifiedppservice.net. The name used during registration was “jnnnnn man.” The nameservers were ns1.carbon2u.com and ns2.carbon2u.com. The registrant country was Malaysia. I can’t find any malicious history associated with this domain and it is no longer resolving. The name of the domain makes it look like it could have been used for phishing, possibly of PayPal users.

The next domain on the list is sixer.info. Again, this domain is no longer resolving and I can’t find any malicious history associated with it. Also, the registrant name was “jnnnnn man” and the registrant country was Malaysia. The nameservers used were ns1.zolaris.net and ns2.zolaris.net. Keep the name “sixer” in mind as it will come up later on in my investigation.

The next domain is develporinline.info. The Whois information for this domain is quite different from the first two. For example, the registrant name was “Ali Hassan” and the registrant country was Pakistan. The nameservers being used were ns07.domaincontrol.com and ns08.domaincontrol.com.

An important thing to point out is that I couldn’t find any malicious history associated with verifiedppservice.net, sixer.info, and develporinline.info. However, that doesn’t mean they were on the up-and-up.

Moving on to cpro[.]pw. This domain is actually an underground carding forum. Carding is a cybercrime term for the trafficking of stolen credit cards, bank accounts and other personal information online. This was also the first domain to use the registrant name “good man.” Moreover, I found a post on the forum from a vendor called “sixer” who is soliciting other users for compromised cPanels:

[Image: vendor post]

This user is also selling dumps of stolen credit card numbers. Why is this important? Well, for starters, the gates that are registered to “good man” are hosted on cPanel servers:

Domain                   cPanel host
perfectgirlss[.]org      cphost04.qhoster.net
datsonsdaughter[.]com    cphost06.qhoster.net
hurtmehard[.]net         cphost11.qhoster.net
anyfucks[.]biz           cphost08.qhoster.net
anythingtds.com          cphost09.qhoster.net
pornstarl33t[.]org       cphost07.qhoster.net
cpro[.]pw                cphost06.qhoster.net

Also, do you remember the domain called sixer.info? This could just be my conspiratorial mind but what if the user sixer and the domain sixer.info are related? What if sixer is actually “jnnnnn man,” “Ali Hassan,” and “good man”?

[Image: tinfoil hats]

Of course I can’t prove any of this but it seems like more than a coincidence. Doing some light Googling I was able to find only a couple references online from usernames matching “jnnnnn man” and “GoodMan DiLaltain,” however, there wasn’t anything conclusive. Moving on…

The nameservers being used by cpro[.]pw are ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net. The registrant country for cpro[.]pw is Pakistan.

The next domain on the list is goodmandilaltain.cc, with .cc being the ccTLD for Cocos (Keeling) Islands, an Australian territory. The registrant name for this domain is “jnnnnn man,” the registrant country is Malaysia, and the nameservers are ns1.carbon2u.com and ns2.carbon2u.com (these were also the nameservers for verifiedppservice.net).

Badboys.net.in is the next domain on the list. The registrant name was “good man” and the nameservers it used were ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net. Additionally, I captured malware traffic from this domain on January 20th, 2017, as it was being used as a distribution site for Dreambot:

[Image: traffic capture]

As you can see I went to anythingtds.com which contained an iframe pointing to the Keitaro TDS at anyfucks[.]biz/1:

[Image: anythingtds.com contains an iframe for anyfucks[.]biz and references to rarshare.com]

Along with the iframe pointing to anyfucks[.]biz/1 are a lot of references to rarshare.com. It almost looks as if the page was mirrored from there (more on that in a bit).

The response from anyfucks[.]biz/1 was a “302 Moved Temporarily” to badboys.net[.]in/land_flash/index.html:

[Image: anythingtds.com 302 to badboys.net.in request/response]

This is what I found on that page:

[Image: index.html redirects to executable]

The first thing that you see is that the page is mirrored from update-flash-player.com (sounds like a phishing site). Then, at the very bottom you see a location.href pointing to the relative path /download/FlashPlayer.exe. This prompts my host to download the file FlashPlayer.exe:

[Image: FlashPlayer.exe download from anythingtds.com]

Notice that this page looks like a mirror of rarshare.com yet the URL is still anythingtds.com.

I accept the download:

[Image: malware payload]

The malware was dropped in a newly created folder in %Temp%:

[Image: dropped executable]

Post-infection traffic shows that it is likely Dreambot. Click the link below to get the IOCs and to read more about the infections from January 2017:

https://malwarebreakdown.com/2017/01/23/keitaro-tds-used-to-redirect-hosts-to-sundown-ek-and-rig-v-ek/
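The chain above (page with an iframe, TDS, 302 to a fake Flash landing page, location.href to an .exe) is the kind of thing a defender can reconstruct from proxy logs. The following Python is an added example of mine, not the author's code: it parses a constructed transaction log (not a real capture, hosts left defanged as in the post), rebuilds each download's redirect chain by walking Location headers and Referers backwards, and flags executables that were reached through a cross-host 3xx and carry an updater-style name. The log format and the "lure" word list are assumptions for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Hit:
    ts: str
    host: str
    path: str
    status: int
    referer: str   # "-" when absent
    location: str  # Location header on a 3xx, "-" otherwise
    ctype: str

# Constructed proxy log (not a real capture) mirroring the chain described above:
# anythingtds.com -> iframe -> anyfucks[.]biz/1 -> 302 -> badboys.net[.]in/land_flash/index.html
# -> location.href -> /download/FlashPlayer.exe. The last line is benign noise.
LOG = """\
10:00:01 anythingtds.com / 200 - - text/html
10:00:02 anyfucks[.]biz /1 302 http://anythingtds.com/ http://badboys.net[.]in/land_flash/index.html text/html
10:00:03 badboys.net[.]in /land_flash/index.html 200 http://anythingtds.com/ - text/html
10:00:04 badboys.net[.]in /download/FlashPlayer.exe 200 http://badboys.net[.]in/land_flash/index.html - application/x-msdownload
10:00:05 cdn.example.test /setup.exe 200 http://cdn.example.test/ - application/x-msdownload
"""

def parse(log):
    hits = []
    for line in log.splitlines():
        f = line.split()
        hits.append(Hit(f[0], f[1], f[2], int(f[3]), f[4], f[5], f[6]))
    return hits

def url(h):
    return f"http://{h.host}{h.path}"

def host_of(u):
    m = re.match(r"https?://([^/]+)", u)
    return m.group(1) if m else None

def chain_to(target, hits):
    """Rebuild the redirect chain that led to `target`: at each step prefer a 3xx
    whose Location named the current URL (a 302 keeps the original Referer, so
    the Referer alone would skip the redirector), else fall back to the Referer."""
    by_url = {url(h): h for h in hits}
    redirectors = {h.location: h for h in hits if 300 <= h.status < 400 and h.location != "-"}
    chain, cur = [target], target
    while True:
        prev = redirectors.get(url(cur)) or by_url.get(cur.referer)
        if prev is None or prev in chain:
            break
        chain.append(prev)
        cur = prev
    return list(reversed(chain))

LURE = re.compile(r"flash|update|player|install", re.I)   # assumed updater-style names

def suspicious_downloads(hits):
    """Flag .exe downloads reached through a cross-host 3xx redirect whose file
    name imitates a software updater. Returns [(chain_string, final_url)]."""
    found = []
    for h in hits:
        if not h.path.lower().endswith(".exe"):
            continue
        chain = chain_to(h, hits)
        crossed = any(300 <= c.status < 400 and host_of(c.location) != c.host for c in chain)
        if crossed and LURE.search(h.path):
            found.append((" -> ".join(url(c) for c in chain), url(h)))
    return found

if __name__ == "__main__":
    for chain, final in suspicious_downloads(parse(LOG)):
        print("suspicious download:", chain)
```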

The next domain is pornstarl33t[.]org. The registrant name is “good man,” the registrant country is Pakistan, and the nameservers are ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net. This domain stood out to me as it was being used for multiple purposes. For example, examining the source code on 01/27/17 showed the following iframes:

[Image: instabooter iframes]

Why is this significant? Well, instabooter.com is a well-known booter and IP stressor. A booter is “a service offered by cyber criminals that provides paying customers with distributed denial of service (DDoS) attack capabilities on demand.”

Fast forward to 03/09/17 and this domain is being blacklisted by ZeuS Tracker:

ZeuS C&C: pornstarl33t.org
Malware: VMZeuS
IP address: 93.115.38.30
Host status: online
Uptime: 59:01:50
Hostname: cphost07.qhoster.net
SBL: Not listed
AS number: 44901
AS name: BELCLOUD , BG
Country: - Bulgaria (BG)
Level: 4 (Unknown / not categorized)
Sponsoring registrar: Namesilo, LLC
Nameserver(s): ns1.qhoster.net | ns2.qhoster.net | ns3.qhoster.net | ns4.qhoster.net
Date added: 2017-03-09
Last checked: 2017-03-11
Last updated: never
BL status: This host is being published on the ZeuS Blocklist!

ZeuS ConfigURLs on this C&C:

Date added ZeuS ConfigURL Status V Builder Filesize MD5 hash HTTP Status File
2017-03-09 pornstarl33t[.]org/zz/config.jpg offline 2 n/a 101’065 5e3cdecf082535809d1aca6ba06d9b5d 501 - download

ZeuS DropURLs (Dropzones) on this C&C

Date added DropURL Status HTTP Status
2017-03-09 pornstarl33t[.]org/zz/gate.php offline 501

ZeuS login panel at pornstarl33t[.]org:

[Image: panel for pornstarl33t[.]org, Good Man campaign]

Obviously this domain is being used for criminal activities.

Poranoxxx.com is the next domain on the list. The domain was registered by “good man,” the registrant country is Pakistan, and it used the following nameservers: dns1.securefastserver.com, dns2.securefastserver.com, dns3.securefastserver.com, dns4.securefastserver.com, ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net. I was unable to locate evidence of malicious activity associated with this domain.

Wetpusy.org is the next domain. It was registered by “by Ali Mana.” The registrant country is Pakistan and the nameservers were ns1.qhost.org and ns2.qhost.org. I was unable to locate evidence of malicious activity associated with this domain.

The next domain is anythingtds.com, which was acting as a gate for exploit kits. I have documented numerous cases of this since January 2017. One such case has been documented in great detail here:

https://malwarebreakdown.com/2017/02/08/keitaro-tds-leads-to-rig-v-ek-at-188-225-36-231/

Below is some history with anythingtds.com. It shows how hosts ended up at anythingtds.com (parent), what sites hosts were redirected to after landing on anythingtds.com (child), as well as sites that were seen communicating with it.

Hostname First Seen Last Seen Direction Cause
google.com 2/9/2017 2:34 2/9/2017 11:06 child redirect
anyfucks[.]biz 12/15/2016 17:35 2/9/2017 11:06 parent redirect
vdv.southpadremarketing.com 2/9/2017 2:34 2/9/2017 2:34 child unknown
vdv.southpadremarketing.com 2/9/2017 2:34 2/9/2017 2:34 child iframe.src
bev.southpadrejetskis.com 2/9/2017 1:47 2/9/2017 1:47 child unknown
bev.southpadrejetskis.com 2/9/2017 1:47 2/9/2017 1:47 child iframe.src
retro.southpadreislandnorth.com 2/8/2017 20:52 2/8/2017 20:52 child unknown
retro.southpadreislandnorth.com 2/8/2017 20:52 2/8/2017 20:52 child iframe.src
more.walkforwomen.com 2/8/2017 6:48 2/8/2017 6:48 child unknown
more.walkforwomen.com 2/8/2017 6:48 2/8/2017 6:48 child iframe.src
self.super8spi.com 2/8/2017 3:41 2/8/2017 3:41 child unknown
self.super8spi.com 2/8/2017 3:41 2/8/2017 3:41 child iframe.src
rarshare.com 1/20/2017 0:36 1/20/2017 3:41 child img.src
rarshare.com 1/20/2017 0:36 1/20/2017 3:41 child link.href
bing.com 1/20/2017 0:36 1/20/2017 3:41 child unknown
rarshare.com 1/20/2017 0:36 1/20/2017 3:41 child script.src
new.collectionhomesgroup.com 1/7/2017 10:54 1/7/2017 10:54 child unknown
new.collectionhomesgroup.com 1/7/2017 10:54 1/7/2017 10:54 child iframe.src
art.viralauthors.com 1/7/2017 3:35 1/7/2017 3:35 child unknown
art.viralauthors.com 1/7/2017 3:35 1/7/2017 3:35 child iframe.src
wer.tufirearms.com 1/2/2017 6:37 1/2/2017 6:37 child iframe.src
anyfucks[.]biz 1/2/2017 6:37 1/2/2017 6:37 parent location.refresh
dadadeo[.]com 8/21/2016 10:17 8/21/2016 10:23 child location.refresh
vetschooldiary.com 8/21/2016 10:17 8/21/2016 10:23 parent iframe.src

Everything in red was a subdomain hosting the exploit kit landing pages. Everything in green shows a benign site that the host was redirected to. Everything in blue is a compromised website. The site dadadeo[.]com appears to be associated with IOCs from RIG exploit kit campaigns back in July 2016. Read about that here https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016/07/a-look-into-some-rig-exploit-kit-campaigns/.

Lastly, the registrant name for anythingtds.com is “good man,” the registrant country is Pakistan, and the nameservers are ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net.

Kachapaka.net.in is the next domain on the list. The domain was registered by “good man” and it used the following nameservers: dns1.securefastserver.com, dns2.securefastserver.com, dns3.securefastserver.com, dns4.securefastserver.com (just like Poranoxxx.com). The domain shows up in an article by arbornetworks.com for being associated with Flokibot. Read more about that here https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/.

The next domain that was using the registrant email goodmandilaltain@gmail.com was anyfucks[.]biz. Obviously, we know this is a malicious Keitaro TDS used in different malware campaigns. The registrant name is “good man,” the registrant country is Pakistan, and it’s using the same qhoster.net nameservers as the other domains.

Here is some history involving this TDS:

Hostname First Seen Last Seen Direction Cause
hurtmehard[.]net 2/19/2017 13:34 2/19/2017 13:34 child redirect
dinarmultikarya[.]id 12/3/2016 21:27 2/19/2017 13:34 parent iframe.src
anythingtds.com 12/15/2016 17:35 2/9/2017 11:06 child redirect
sunnysideconcierge[.]com 12/9/2016 22:24 2/9/2017 11:06 parent unknown
cpro[.]pw 11/28/2016 6:58 2/7/2017 9:53 child redirect
horsepowersalesflorida[.]com 2/4/2017 22:32 2/4/2017 22:32 parent iframe.src
iqgreat[.]com 1/2/2017 6:37 2/1/2017 8:10 parent iframe.src
error in token or ident 1/23/2017 22:12 1/25/2017 0:23 child redirect
fredomasearchdsd.top 1/21/2017 23:47 1/22/2017 0:36 child redirect
psg.jai.mobi 1/21/2017 7:31 1/21/2017 7:31 child redirect
badboys.net.in 1/15/2017 13:26 1/21/2017 5:19 child redirect
rugbyusss[.]com 1/19/2017 7:22 1/19/2017 7:22 parent iframe.src
rarshare.com 1/18/2017 15:43 1/18/2017 15:43 child redirect
your subscription has expired please contact support 12/29/2016 20:20 1/18/2017 8:53 child redirect
horsepowersalesflorida[.]com 1/13/2017 13:35 1/13/2017 13:35 parent iframe.src
we.karenmelbourne.com 1/9/2017 8:38 1/10/2017 19:24 child location.refresh
see.colocation.news 1/9/2017 17:28 1/9/2017 17:28 child redirect
out of date 1/7/2017 22:21 1/9/2017 15:26 child redirect
rarshare.com 1/7/2017 22:21 1/9/2017 8:40 parent iframe.src
eya.3074.mobi 1/6/2017 11:43 1/6/2017 11:43 child redirect
cercaroma[.]net 1/6/2017 7:07 1/6/2017 7:07 parent iframe.src
portlandmidwife.com 1/4/2017 11:18 1/5/2017 16:31 child redirect
cwo.2504.mobi 1/3/2017 20:49 1/3/2017 20:49 child redirect
anythingtds.com 1/2/2017 6:37 1/2/2017 6:37 child location.refresh
95.128.182.166 1/1/2017 2:41 1/1/2017 15:38 child location.refresh
palmistry-astrology[.]com 12/30/2016 7:22 12/30/2016 7:22 parent iframe.src
ho.0474.mobi 12/29/2016 2:50 12/29/2016 2:50 child redirect
fhe.0498.mobi 12/29/2016 1:33 12/29/2016 1:33 child redirect
ebc.0648.mobi 12/28/2016 21:04 12/28/2016 21:04 child redirect
kvd.0346.mobi 12/28/2016 10:23 12/28/2016 10:23 child redirect
zi.0487.mobi 12/28/2016 4:29 12/28/2016 4:29 child redirect
cfm.0384.mobi 12/27/2016 23:41 12/27/2016 23:41 child redirect
try.tanews.net 12/27/2016 10:31 12/27/2016 10:31 child redirect
dessign[.]net 12/25/2016 23:31 12/27/2016 10:31 parent iframe.src
top.talink.co 12/27/2016 9:48 12/27/2016 9:48 child redirect
sun.icta.io 12/27/2016 6:17 12/27/2016 6:17 child redirect
kcd.g47.biz 12/12/2016 13:03 12/12/2016 13:03 child redirect
mv.g42.biz 12/12/2016 12:32 12/12/2016 12:32 child redirect
rolandmartinreports[.]com 12/3/2016 14:27 12/12/2016 12:32 parent iframe.src
ae.g14.biz 12/12/2016 11:05 12/12/2016 11:05 child redirect
pu.g45.biz 12/12/2016 10:20 12/12/2016 10:20 child redirect
go.g14.biz 12/12/2016 7:55 12/12/2016 7:55 child redirect
jndglobalsecurity[.]com 12/8/2016 7:55 12/12/2016 7:55 parent iframe.src
db.g30.biz 12/12/2016 4:33 12/12/2016 4:33 child redirect
cs.f34.biz 12/10/2016 13:02 12/10/2016 13:02 child redirect
biw.f34.biz 12/10/2016 13:01 12/10/2016 13:01 child redirect
hi.f34.biz 12/10/2016 13:00 12/10/2016 13:00 child redirect
don.16a.biz 12/10/2016 10:55 12/10/2016 10:55 child redirect
fn.e43.biz 12/10/2016 6:51 12/10/2016 6:51 child redirect
dc.e43.biz 12/10/2016 6:50 12/10/2016 6:51 child redirect
ekp.e43.biz 12/10/2016 6:49 12/10/2016 6:49 child redirect
ahm.e43.biz 12/10/2016 6:48 12/10/2016 6:49 child redirect
eys.e44.biz 12/10/2016 6:05 12/10/2016 6:05 child redirect
gz.e43.biz 12/10/2016 5:37 12/10/2016 5:37 child redirect
ao.e42.biz 12/10/2016 1:19 12/10/2016 1:19 child redirect
esm.09r.biz 12/7/2016 17:18 12/7/2016 17:18 child redirect
afm.p54.biz 12/7/2016 9:32 12/7/2016 9:32 child redirect
zoboutique[.]com 12/6/2016 3:35 12/7/2016 9:31 parent iframe.src
hk.06q.biz 12/6/2016 10:30 12/6/2016 10:30 child redirect
kc.06k.biz 12/6/2016 7:04 12/6/2016 7:04 child redirect
aup.06r.biz 12/6/2016 7:02 12/6/2016 7:03 child redirect
bo.05a.biz 12/6/2016 3:52 12/6/2016 3:52 child redirect
on.07a.biz 12/6/2016 3:35 12/6/2016 3:35 child redirect
cga.06c.biz 12/5/2016 12:59 12/5/2016 12:59 child redirect
dh.san-mateo.info 12/4/2016 9:37 12/4/2016 9:37 child redirect
fay.san-bernardino.info 12/3/2016 21:27 12/3/2016 21:27 child redirect
ay.o17.biz 12/3/2016 19:05 12/3/2016 19:07 child redirect
evb.o17.biz 12/3/2016 19:03 12/3/2016 19:03 child redirect

Everything in pink is associated with “good man” and goodmandilaltain@gmail.com. Everything in red is a subdomain or domain used by RIG or Sundown exploit kits. One of those domains, fredomasearchdsd.top, was actually involved in an infection chain that dropped Spora ransomware. Read about that here https://malwarebreakdown.com/2017/01/21/iframe-points-to-rig-v-ek-at-93-158-215-169-ek-drops-spora-ransomware/.

Also, dinarmultikarya[.]id is a compromised website (and it’s currently defaced) that is redirecting to the Keitaro TDS. It resulted in an infection of Dreambot. Read about that here https://malwarebreakdown.com/2017/03/06/tds-redirecting-users-to-rig-exploit-kit-and-other-stuff/.

You can also see that there were times when “good man” forgot to pay their subscription to the TDS vendor. Everything in blue was compromised and redirected the hosts to the malicious TDS.

The next domain on the list is lifuntersnum1.net.in. The registrant for this domain was “good man” and it was using the same qhoster.net nameservers that I’ve discussed before. This domain, like kachapaka.net.in, has a malicious history that is associated with a bot network. For example, VirusTotal is showing the following submitted URLs:

5/68 – 2016-12-06 15:57:33: hxxp://lifuntersnum1.net[.]in/folder/bot.exe
7/69 – 2016-11-18 10:08:40: hxxp://lifuntersnum1.net[.]in/folder/gate.php
2/68 – 2016-11-15 04:05:34: hxxp://lifuntersnum1.net[.]in/folder/config.jpg

This shows the detection ratio, the date submitted to VT, and the URL that was analyzed. Clearly this domain has a history of doing bad stuff.

The next domain on the list is one we are already familiar with, hurtmehard[.]net. This is an active gate being used by exploit kits. Here is some history associated with this domain:

Hostname First Seen Last Seen Direction Cause
add.kidsonthestreet.com 3/5/2017 4:53 3/5/2017 6:22 child iframe.src
1fds.eastcoastpallets.com 3/4/2017 20:03 3/4/2017 20:03 child iframe.src
1qwe.yanaimark.com 3/4/2017 7:41 3/4/2017 7:41 child iframe.src
1qwe.yanaimark.com 3/4/2017 5:13 3/4/2017 5:14 child iframe.src
qwe.youniquebyvera77.com 2/28/2017 20:36 2/28/2017 20:38 child iframe.src
onclkds.com 2/10/2017 18:21 2/28/2017 20:38 parent location.refresh
2ewq.lmbtechservices.us 2/28/2017 5:18 2/28/2017 5:18 child iframe.src
go.deliverymodo.com 2/28/2017 5:18 2/28/2017 5:18 parent redirect
anyfucks[.]biz 2/19/2017 13:34 2/19/2017 13:34 parent redirect

You can see the exploit kit subdomains in red and the TDS in purple. The ones left black are possible malvertising incidents. There are a ton of different infection chains right now involving hurtmehard[.]net and they are well documented by EK researchers. This domain is registered to “good man” and is using the same qhoster.net nameservers.

The next domain is datsonsdaughter[.]com. Similar to hurtmehard[.]net, this site is acting as a gate for exploit kits. I won’t go into much more detail about it because it has already been covered. The Whois information is the same as others, with “good man” being the registrant name.

The last website that was registered to “good man” was perfectgirlss[.]org. This domain is still active and could be the next gate used by this campaign. The Whois information is the same as the others.

I hope this information was helpful. I apologize if I made any mistakes and if I did please let me know via Twitter! Thank you for your ongoing support and I will see you next time!
