Finding a Good Man: Part 2

Read Finding a Good Man (Part 1):
https://malwarebreakdown.com/2017/03/10/finding-a-good-man/

Read the last update on Good Man:
https://malwarebreakdown.com/2017/04/26/update-on-goodman/

It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. Furthermore, one of the registrant names used during this operation was “good man”.

Goodmandilaltain, possibly written as “good man di laltain” (I’m really not sure), was a fable (mainly from North-West India or East Pakistan) during British rule, known as the “good man’s lantern”. The fable was about a blind man who carried a lantern (“laltain” or “laaltain” in Hindi) as he walked through the forest. “People looked at him bemused as he’d walk by every night, realizing he couldn’t benefit from the light he was carrying. When approached and asked why, the blind man responded: ‘The lantern is for others to see in darkness. It is for those who, otherwise, would be lost.’”

The first domain ever to be registered to goodmandilaltain@gmail.com was verifiedppservice.net. This domain was registered back on January 28th, 2014, and it is no longer active. I am not sure what it was used for, but “verifiedppservice.net” almost sounds like some sort of PayPal phishing site. The registrant name of that domain was “jnnnnn man”, not “good man”. I couldn’t locate any cached images for verifiedppservice.net.

The second domain registered to goodmandilaltain@gmail.com was sixer.info. It was registered on January 30th, 2014, two days after they registered verifiedppservice.net. It too was registered under the name “jnnnnn man”. Archived pages from sixer.info were inconclusive.

The third domain registered to goodmandilaltain@gmail.com was develporinline.info (registered on February 3rd, 2016). It was during this domain registration that one of the actors behind the Good Man campaign used their real information (OPSEC fail). Here is the public Whois information for develporinline.info:

Registrar:    GoDaddy.com, LLC (R171-LRMS)
Email:        goodmandilaltain@gmail.com
Name:         Ali Hassan
Street:       Okara|07714435691
City:         Okara
State:        Punjab
Postal:       54000
Country:      Pakistan
Phone:        927714435691
Name servers: NS07.DOMAINCONTROL.COM, NS08.DOMAINCONTROL.COM

We can see from the public Whois information that an “Ali Hassan” from Pakistan is the registrant. We also have a phone number from Pakistan: 92 + 7714435691. Develporinline.info was the only domain found to be using that phone number. I couldn’t find any archived pages for this domain either.

The fourth domain registered to goodmandilaltain@gmail.com was an illegal carding forum called cpro.pw (no longer resolving). Below is the Whois information for cpro.pw:

WHOIS server: whois.PublicDomainRegistry.com
Registrar:    PDR Ltd. d/b/a PublicDomainRegistry.com
Email:        goodmandilaltain@gmail.com
Name:         good man
Organization: non
Street:       343 Sharwood Drive,,Naples,FL
City:         Naples
State:        FL
Postal:       34110
Country:      PAKISTAN
Phone:        92923467486896
Name servers: ns4.qhoster.net, ns3.qhoster.net, ns2.qhoster.net, ns1.qhoster.net

We can see from this Whois information that the name being used is “good man” and the email is goodmandilaltain@gmail.com. The phone number used for this registration was 92 + 923467486896.

Looking at archived images for this site shows that there was a moderator called “sixer”:

[Image: archived page from cpro.pw]

Image taken from cpro.pw on October 24th, 2016, showing Sixer and RajuRockett selling dumps of stolen data, including credit card information.

Below is an image of Sixer actively looking to buy “shells cpanel’s with high traffic”.

[Image: vendor post by Sixer]

This isn’t just a coincidence. The user Sixer (on cpro.pw) is more than likely the owner of goodmandilaltain@gmail.com and the registrant behind the Good Man domains, including the aptly named sixer.info. It could be Ali Hassan or it could be one of his partners.

Also, the author of Terror EK (AKA Neptune EK and Blaze EK) has informed me that sixer@exploit.im might have been the person who purchased his EK:

[Image: message naming sixer@exploit.im]

Terror EK was then rebranded by the new owner as Eris EK.

Checking Facebook for any accounts tied to goodmandilaltain@gmail.com returns an account called “Sixer SA”:

[Image: Facebook search result for goodmandilaltain@gmail.com]

This establishes a clear link between Sixer on cpro.pw, the domain sixer.info and the email address goodmandilaltain@gmail.com.

Something else to consider… Sixer is the name of a popular cricket team in Sydney, Australia. Maybe “Sixer SA” stands for Sixer Sydney Australia? I do know that cricket is a very popular sport in Pakistan and India. Also, I have reason to believe that one of his friends on Facebook is from Pakistan and is currently going to college in Australia.

Additionally, one of the Good Man domains is called goodmandilaltain.cc (registered on 10/10/16). For those of you that don’t know, .CC is the TLD for Cocos (Keeling) Islands, an Australian territory.

Further examination of Sixer SA’s Facebook profile shows that they are Pakistani and friends with a “Ali Hassan Maneka” (Remember that “Ali Hassan” is the name used to register some of the Good Man domains):

[Image: Sixer SA Facebook account]

Sixer SA’s Facebook profile from May 1st, 2017.

Sixer SA only had one photo on their Facebook account. That photo is of a family member with the last name “Maneka”.

[Image: Ali Hassan Maneka Facebook profile]

Ali Hassan Maneka’s Facebook profile from May 1st, 2017. He lives in Lahore, Pakistan, and went to DPS College Okara.

Ali briefly deactivated his Facebook account during the weeks when all the Good Man domains were taken offline. He has since reactivated his Facebook account, which you can find HERE.

Sixer SA’s Facebook profile also shows that he is following a couple of people:

[Image: Sixer SA’s following list]

Checking other popular social media sites, I was also able to locate his Twitter account at @AliHasanManeka:

[Image: Twitter profile @AliHasanManeka]

Ali Hassan Maneka’s Twitter profile from May 1st, 2017.

His Twitter account is using the email address goodmandilaltain@gmail.com and a phone number ending in “96”:

[Image: Twitter account settings]

The phone number registered to many of the Good Man domains also ends with a “96” (92923467486896).

Domains registered to that phone number include:

Domain                    Email                         Registered
t00lz.biz                 goodmandilaltain@gmail.com    4/18/2017
vicals.pw                 goodmandilaltain@gmail.com    4/3/2017
vicals.net.in             goodmandilaltain@gmail.com    4/3/2017
vicals.ind.in             goodmandilaltain@gmail.com    4/3/2017
vicals.gen.in             goodmandilaltain@gmail.com    4/3/2017
vicals.co.in              goodmandilaltain@gmail.com    4/3/2017
vicals.in                 goodmandilaltain@gmail.com    4/3/2017
n1shop.net.in             goodmandilaltain@gmail.com    3/31/2017
adobeflashpayer.net.in    goodmandilaltain@gmail.com    3/29/2017
sipasalar.net.in          goodmandilaltain@gmail.com    3/24/2017
perfectgirlss.org         goodmandilaltain@gmail.com    2/22/2017
jokertube.org             goodmandilaltain@gmail.com    1/20/2017
datsonsdaughter.com       goodmandilaltain@gmail.com    1/17/2017
hurtmehard.net            goodmandilaltain@gmail.com    12/2/2016
lifuntersnum1.net.in      goodmandilaltain@gmail.com    11/12/2016
anyfucks.biz              goodmandilaltain@gmail.com    11/11/2016
kachapaka.net.in          goodmandilaltain@gmail.com    11/8/2016
anythingtds.com           goodmandilaltain@gmail.com    8/15/2016
poranoxxx.com             goodmandilaltain@gmail.com    4/3/2016
pornstarl33t.org          goodmandilaltain@gmail.com    3/28/2016
cpro.pw                   goodmandilaltain@gmail.com    7/1/2015
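The pivot used throughout this post (start from one domain, pull in every registration sharing the same email or phone, then look for the one record whose details differ) is mechanical enough to script. The following is an added example, not code from the original post: the Whois records in it are constructed by hand and only mirror values reported above (the registrant email, the two phone numbers, the registration dates), plus one unrelated `example.org` record as a negative. Parsing real Whois output is not shown; a practitioner would feed in records from a registrar or a historical Whois service.

```python
"""Pivoting Whois records on shared registrant attributes.

Added example for this write-up; it is not code from the original post. The
records below are constructed and only mirror values the post reports.
"""
from collections import Counter


def normalize_phone(phone):
    """Keep digits only, so '92 + 7714435691' and '927714435691' compare equal."""
    if not phone:
        return None
    digits = "".join(ch for ch in phone if ch.isdigit())
    return digits or None


# Constructed records (see the module docstring). 'example.org' is a deliberate
# non-member, to show that the pivot does not pull in unrelated domains.
RECORDS = [
    {"domain": "verifiedppservice.net", "email": "goodmandilaltain@gmail.com",
     "name": "jnnnnn man", "phone": None, "registered": "2014-01-28"},
    {"domain": "sixer.info", "email": "goodmandilaltain@gmail.com",
     "name": "jnnnnn man", "phone": None, "registered": "2014-01-30"},
    {"domain": "cpro.pw", "email": "goodmandilaltain@gmail.com",
     "name": "good man", "phone": "92 923467486896", "registered": "2015-07-01"},
    {"domain": "develporinline.info", "email": "goodmandilaltain@gmail.com",
     "name": "Ali Hassan", "phone": "927714435691", "registered": "2016-02-03"},
    {"domain": "anyfucks.biz", "email": "GoodManDiLaltain@gmail.com",
     "name": "good man", "phone": "92923467486896", "registered": "2016-11-11"},
    {"domain": "t00lz.biz", "email": "goodmandilaltain@gmail.com",
     "name": "good man", "phone": "92923467486896", "registered": "2017-04-18"},
    {"domain": "example.org", "email": "hostmaster@example.org",
     "name": "Example Registrant", "phone": "15555550100", "registered": "2015-06-01"},
]


def selectors(record):
    """Attributes worth pivoting on: email (case-folded) and phone (digits only).
    The registrant name is left out on purpose: 'good man' is a handle, and a
    common real name would link unrelated registrations."""
    found = set()
    if record.get("email"):
        found.add(("email", record["email"].lower()))
    phone = normalize_phone(record.get("phone"))
    if phone:
        found.add(("phone", phone))
    return found


def cluster(records, seed_domain):
    """Expand transitively from one domain to every record that shares an email
    or phone with the growing set. Returns the members in registration order,
    so the first entry is the earliest domain tied to the cluster."""
    by_domain = {r["domain"]: r for r in records}
    members = {seed_domain}
    known = set(selectors(by_domain[seed_domain]))
    changed = True
    while changed:
        changed = False
        for rec in records:
            if rec["domain"] in members:
                continue
            if selectors(rec) & known:
                members.add(rec["domain"])
                known |= selectors(rec)
                changed = True
    # ISO dates sort correctly as plain strings.
    return sorted(members, key=lambda d: by_domain[d]["registered"])


def phone_outliers(records, domains):
    """Cluster members whose phone differs from the cluster's most common one.
    A one-off value like this is where a registrant's real details tend to leak."""
    by_domain = {r["domain"]: r for r in records}
    phones = {d: normalize_phone(by_domain[d].get("phone")) for d in domains}
    counts = Counter(p for p in phones.values() if p)
    if not counts:
        return []
    majority = counts.most_common(1)[0][0]
    return sorted(d for d, p in phones.items() if p and p != majority)


if __name__ == "__main__":
    members = cluster(RECORDS, "cpro.pw")
    print("cluster from cpro.pw:", members)
    print("phone outliers:", phone_outliers(RECORDS, members))
```

Seeding from cpro.pw returns all six goodmandilaltain@gmail.com domains in registration order (verifiedppservice.net first) and leaves example.org out; the phone check then singles out develporinline.info, which is exactly the record where the real registrant details appeared. Names are deliberately not used as a pivot, since a shared handle or common name links far more than it should.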

His first tweet was on October 30th, 2016:

[Image: first tweet]

Below are some more images taken from his Twitter account:

[Images: further tweets from the account]

Doing some digging into his Twitter acquaintances shows an interesting account called @BanjoDon3.

[Image: followers list]

Looking at @BanjoDon3’s Twitter feed we can see they have posted a total of 19 times, all on November 28th, 2016, and all about anyfucks[.]biz/1:

[Image: @BanjoDon3 Twitter feed]

Anyfucks.biz is registered to goodmandilaltain@gmail.com and the registrant name is “good man”. It was also being used to host their Keitaro TDS server (among other things) and was responsible for redirecting victims to exploit kits. Another important thing to note is that both Ali’s and @BanjoDon3’s Twitter accounts were created in November 2016.

Further research shows a user “GoodMan DiLaltain” on a very old social network called orkut.com. The group that “GoodMan DiLaltain” belonged to on orkut.google.com was called “Scorpion-Dagger”. The group description is as follows:

[Image: Scorpion-Dagger group description]

You can see many names given in the group description:

  • “Me” (AKA GoodMan DiLaltain)
  • Shehraam Bhai (AKA Shehraam Nawaz)
  • Mansoor (AKA Mansoor Khagga and Mansoor Sahab)
  • Muneeb Hasan (AKA Waisay Muneeb Bhai and Muneeb Bhai)

This group of friends and classmates called themselves “Pantagon”. They liked to think of themselves as “real gangsters”. Also, looking through the various posts on their forum, I could identify a couple more names:

  • Salahuddin Khagga
  • “Haider”

Searching through the forum shows that the user GoodMan DiLaltain is the person who wrote part of the description for this group:

[Image: group description discussion]

It looks like they’ve since deleted this group page; however, you can view the archived pages HERE. Names on these forums can be used to further correlate the link between GoodMan DiLaltain and Ali Hassan Maneka.

I want to mention that I don’t believe Ali Hassan Maneka is acting alone. He just happened to be the one with horrible OPSEC. It is likely that there were multiple individuals involved in the Good Man campaign.

Below is a list of verified Good Man domains:

adobeflashpayer.net.in
anyfucks.biz
anythingtds.com
badboys.net.in
cpro.pw
datsonsdaughter.com
goodmandilaltain.cc
hurtmehard.net
jokertube.org
kachapaka.net.in
lifuntersnum1.net.in
londaybaz.pro
n1shop.net.in
perfectgirlss.org
pinktube.pro
poranoxxx.com
pornstarl33t.org
sipasalar.net.in
sixer.info
t00lz.biz
traffic-one.us
verifiedppservice.net
vicals.co.in
vicals.gen.in
vicals.in
vicals.ind.in
vicals.net.in
vicals.pw
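For defenders, the verified list above is most useful as a watchlist. The following is an added example, not code from the original post, that checks proxy-log hostnames against that list, matching on label boundaries (so a subdomain of a listed domain hits but a lookalike such as `notcpro.pw` does not) and undoing the defanging conventions used in this post (`anyfucks[.]biz`, `cpro dot pw`, `hxxp://`). The log format, the log lines, and the addresses and timestamps in them are constructed for the example.

```python
"""Checking proxy-log hostnames against the write-up's verified domain list.

Added example; not code from the original post. The domain list is the one the
post gives as verified Good Man domains. The log format and log lines are
constructed, with invented timestamps and client addresses.
"""
import re

GOOD_MAN_DOMAINS = """
adobeflashpayer.net.in anyfucks.biz anythingtds.com badboys.net.in cpro.pw
datsonsdaughter.com goodmandilaltain.cc hurtmehard.net jokertube.org
kachapaka.net.in lifuntersnum1.net.in londaybaz.pro n1shop.net.in
perfectgirlss.org pinktube.pro poranoxxx.com pornstarl33t.org sipasalar.net.in
sixer.info t00lz.biz traffic-one.us verifiedppservice.net vicals.co.in
vicals.gen.in vicals.in vicals.ind.in vicals.net.in vicals.pw
""".split()

# Longest entry first, so vicals.ind.in is reported as itself rather than as a
# subdomain of vicals.in (harmless here, but it matters with overlapping lists).
WATCHLIST = sorted(GOOD_MAN_DOMAINS, key=len, reverse=True)


def refang(indicator):
    """Undo the defanging used in reports: anyfucks[.]biz, cpro dot pw, hxxp://."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]", " dot "):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s)


def hostname_of(value):
    """Bare hostname from a URL, host:port, or defanged indicator."""
    s = refang(value)
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0]        # drop the path
    s = s.rsplit("@", 1)[-1]      # drop userinfo if present
    return s.split(":", 1)[0].rstrip(".")


def matching_domain(value, watchlist=WATCHLIST):
    """Watchlisted domain that the host equals or is a subdomain of, else None.
    Matching on a label boundary keeps notcpro.pw from matching cpro.pw."""
    host = hostname_of(value)
    for dom in watchlist:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


# Constructed log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
SAMPLE_LOG = """\
2017-04-05T10:14:02Z 10.0.0.12 GET http://anyfucks.biz/1 302
2017-04-05T10:14:03Z 10.0.0.12 GET http://cdn.vicals.pw/index.php 200
2017-04-05T10:15:17Z 10.0.0.40 GET https://www.example.com/ 200
2017-04-05T10:16:00Z 10.0.0.55 GET http://notcpro.pw/login 200
2017-04-05T10:17:41Z 10.0.0.12 GET http://anythingtds.com:8080/go 200
"""


def scan(log_text, watchlist=WATCHLIST):
    """Return (timestamp, client, host, matched_domain) for every log line whose
    requested host falls under a watchlisted domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dom = matching_domain(m.group("url"), watchlist)
        if dom:
            hits.append((m.group("ts"), m.group("src"), hostname_of(m.group("url")), dom))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

On the constructed log the scan reports three lines (anyfucks.biz, cdn.vicals.pw under vicals.pw, and anythingtds.com on a non-standard port) and ignores both the benign request and the notcpro.pw lookalike. The same `matching_domain` check can be pointed at DNS query logs or at indicators copied out of a report in defanged form.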

Here are some additional domains that I believe were under the control of the Good Man actors:

Domain              First Seen          Last Seen
pinktube.org        6/7/2017 5:01       6/7/2017 5:01
neutrino-waves.biz  4/2/2017 0:00       4/9/2017 2:35
ddobnajanu.club     4/5/2017 21:30      4/8/2017 9:59

The only difference with these domains is that their Whois information was protected. Of note, ddobnajanu.club was being used as a CnC server for ZeuSVM:

https://zeustracker.abuse.ch/monitor.php?search=ddobnajanu.club

Also, the domain “neutrino-waves.biz” is a direct reference to a blog post written by Kafeine called “RIG evolves, Neutrino waves goodbye, Empire Pack appears”:

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

That is all I have for now. Thanks for reading!

Documented Good Man cases:
