While chasing down this exploit kit yesterday, I noticed an awful lot of related IP addresses and domains that also seemed to be hosting malware.
The characteristics of these malicious landing pages are that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE:
ooshuchahxe.co.vu
ahjoneeshae.co.vu
phamiephim.co.vu
kaemahchuum.co.vu
pahsiefoono.co.vu
kaghaingai.co.vu
buengaiyei.co.vu
ohmiajusoo.co.vu
oodeerahshe.co.vu
paotuchepha.co.vu
aedeequeekou.co.vu
eikoosiexa.co.vu
phielaingi.co.vu
thohbeekee.co.vu
A typical exploit landing page looks like this [URLquery report] which appears to be the Nuclear EK.
These are hosted on the following Choopa LLC / Gamservers.com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.175.125
108.61.177.107
108.61.177.89
All these malicious domains use the following nameservers:
ns1.thallsbe.com
ns1.yotelepa.com
ns1.zenteep.com
ns1.neverflouwks.com
ns1.daxpyorgilgere.com
ns1.irkoblik.com
ns2.thallsbe.com
ns2.yotelepa.com
ns2.zenteep.com
ns2.neverflouwks.com
ns2.daxpyorgilgere.com
ns2.irkoblik.com
Nameservers are mostly (but not all) hosted on Choopa LLC IPs:
64.187.225.245
104.224.147.220
108.61.123.219
108.61.172.145
108.61.198.148
108.61.211.121
As I said, these domains seem to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google (long list, sorry, scroll past it if you like):
offearfactory.cf
ukforsavectory.cf
ukforshivaflow.cf
soundchecker.cf
tobiahsebastiani.cf
crazystuff.ga
atproserafic.ga
soundchecker.ga
terriblelow.ml
stumbleupons.ml
ukforprimeebook.cf
greendriver.ga
ukforsavectory.ga
yellowcheck.ml
misterybook.cf
sporterafic.cf
thorteutsch.cf
imainconfig.ga
materofteck.ga
sporterafic.ga
pleskinebook.ga
lowensineflow.ga
warriordriver.ga
materofteck.ml
sporterafic.ml
lowensineflow.ml
mipkohoophw.cf
mipkoewushohn.cf
mipkoeerrw.ml
mipkohiocoh.ml
qdujbffg.cf
floraperf.cf
floreamva.cf
sintroota.cf
akcyvwkudu.cf
jepeugcpaq.cf
kzjzbbezgt.cf
rittfpynit.cf
unitedbeer.cf
vuktrontas.cf
wchiekohya.cf
wingasheng.cf
nikelnstate.cf
quitambient.cf
xotadddance.cf
xoteaddrack.cf
bloxianoiaba.cf
boyconroewom.cf
myfreenomapi.cf
walltaddates.cf
walltaddonce.cf
walltaddrave.cf
xoteaddotion.cf
trohqueenexai.cf
trotesaiheohu.cf
truechiekitha.cf
trueitheipoag.cf
vukontasixtas.cf
vuvatyisedron.cf
wallddforbake.cf
walltadddabit.cf
walltadddance.cf
walltadddsims.cf
wallteaddrack.cf
oproquanterbot.cf
veterloshamerr.cf
vuflowdeadcrow.cf
wallaerkinderr.cf
wallteaddotion.cf
wicomertulatti.cf
walltadddoppler.cf
amixionifyredhedi.cf
shamidgewoodpiste.cf
shoeufflorthrudis.cf
shoppaycleagoncad.cf
sosanasisernitive.cf
sourustieronixtur.cf
sparetediapletecu.cf
stekoneyredecklan.cf
subspironimitells.cf
sultintemicrearti.cf
coolmember.ga
krogralind.ga
rzanygngis.ga
unitedbeer.ga
wchiekohya.ga
weisewieku.ga
xotaddates.ga
xotaddrave.ga
junoreactor.ga
quitambient.ga
xoteaddrack.ga
dealerstrike.ga
trudahsheeso.ga
vumalworrest.ga
walltaddates.ga
walltaddonce.ga
walltaddrave.ga
wamipkoleoxw.ga
xoteaddotion.ga
proquantterms.ga
tritaeneiquoh.ga
trohqueenexai.ga
trotesaiheohu.ga
troyeachahgie.ga
truechiekitha.ga
truexauphudei.ga
victorysecret.ga
vuxeersktrace.ga
wallddforbake.ga
walltadddabit.ga
walltadddance.ga
walltadddsims.ga
wallteaddrack.ga
xotadddoppler.ga
veterloshamerr.ga
victoaddroplen.ga
vuflowdeadcrow.ga
vuvtrassktrace.ga
wallaerkinderr.ga
wallteaddotion.ga
wheallstechaxa.ga
wolscelipartin.ga
wolvestreyrmst.ga
walltadddoppler.ga
serckinvenaftovan.ga
shamidgewoodpiste.ga
shoppaycleagoncad.ga
sosanasisernitive.ga
sourustieronixtur.ga
sparetediapletecu.ga
stekoneyredecklan.ga
subspironimitells.ga
sultintemicrearti.ga
facilygda.ml
iqmhaslyzd.ml
kriendbasi.ml
queezerbot.ml
rittfpynit.ml
xotaddrave.ml
contermance.ml
crazyworlds.ml
junoreactor.ml
loborrowave.ml
quitambient.ml
vuxtronrace.ml
xoteaddrack.ml
bloxianoiaba.ml
trudahsheeso.ml
vumalworrest.ml
vumullefloor.ml
walltaddates.ml
walltaddonce.ml
walltaddrave.ml
xoteaddotion.ml
lodborrowpler.ml
proquantterms.ml
triceebicicha.ml
triilequadaev.ml
tritaeneiquoh.ml
troshiechooph.ml
trotesaiheohu.ml
victorysecret.ml
vuxeersktrace.ml
wallddforbake.ml
walltadddabit.ml
walltadddance.ml
walltadddsims.ml
wallteaddrack.ml
wamipkoicjnew.ml
oproquantables.ml
veterloshamerr.ml
victoaddroplen.ml
wallteaddotion.ml
wickleyoregene.ml
wolscelipartin.ml
walltadddoppler.ml
serckinvenaftovan.ml
shamidgewoodpiste.ml
shoeufflorthrudis.ml
shoppaycleagoncad.ml
sosanasisernitive.ml
sourustieronixtur.ml
sparetediapletecu.ml
stekoneyredecklan.ml
subspironimitells.ml
sultintemicrearti.ml
sintroota.tk
sionixire.tk
bugleryambur.tk
zarauphudei.cf
zaraachwahgie.cf
zaragietheeghe.cf
zarabixampw.ga
zaradhoophw.ga
zarasicjnew.ga
zarauphudei.ga
zaraachwahgie.ga
zaraeqwuadaev.ga
zaraheeteghoh.ga
zaraohgeegheis.ga
zaratiihuw.ml
zarabixampw.ml
zarasicjnew.ml
zarasorsarw.ml
zaraulleoxw.ml
zaraachwahgie.ml
zaraeqwuadaev.ml
zaraewneiquoh.ml
uzaraeserexwai.ml
zaragietheeghe.ml
zaraweethiocoh.ml
In addition, these domains are tagged as malicious by SURBL:
xoteaddrack.cf
wallddforbake.cf
xoteaddrack.ga
walltadddsims.ga
walltaddates.ml
walltadddabit.ml
wallteaddrack.ml
siewaxiesha.co.vu
fourkopoll.co.vu
kurramithompartherd.co.vu
These are the TLDs and SLDs being abused, operated by Freenom (cf, ga, gq, ml, tk) or CoDotVu (co.vu). It looks like perhaps Freenom cleaned up their space, but you can make up your own mind about whether to block traffic to these as a precaution:
co.vu
cf
ga
gq
ml
tk
A full list of all the domains that I can find associated with these servers can be found here [pastebin].
Recommended minimum blocklist (Choopa LLC IPs are highlighted):
108.61.123.219
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.172.145
108.61.175.125
108.61.177.107
108.61.177.89
108.61.198.148
108.61.211.121
64.187.225.245
104.224.147.220
UPDATE:
Choopa LLC say they have terminated those IPs. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised.
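The following Python is an added example, not part of the original post, showing one way to do the log review suggested above: it sweeps proxy log lines against the recommended blocklist and the shared nameservers listed earlier, and picks out the internal clients that actually reached a blocklisted IP. The log format, the sample log lines and the nameserver records in it are constructed for the example (real proxy formats differ, so the regex is the part to adapt); the indicator values themselves are the ones given in this post.

```python
"""Sweep proxy logs and passive-DNS NS records against the indicators in the post.

The log line format, the SAMPLE_LOG lines and the SAMPLE_NS pairs are constructed
for this example. The IPs, nameserver names and TLD list come from the post itself.
"""
import re
from urllib.parse import urlsplit

# Recommended minimum blocklist from the post.
BLOCKLIST_IPS = frozenset({
    "108.61.123.219", "108.61.165.69", "108.61.165.70", "108.61.165.96",
    "108.61.167.160", "108.61.172.139", "108.61.172.145", "108.61.175.125",
    "108.61.177.107", "108.61.177.89", "108.61.198.148", "108.61.211.121",
    "64.187.225.245", "104.224.147.220",
})

# Second-level names of the nameservers shared by the malicious domains.
BAD_NS_DOMAINS = frozenset({
    "thallsbe.com", "yotelepa.com", "zenteep.com",
    "neverflouwks.com", "daxpyorgilgere.com", "irkoblik.com",
})

# Free TLDs / SLDs the post says are being abused. A hit here is a weaker signal
# (plenty of legitimate sites use them), so treat it as "review", not "block".
ABUSED_SUFFIXES = ("co.vu", "cf", "ga", "gq", "ml", "tk")

# Constructed proxy log format: timestamp client method url server_ip status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<server>\d{1,3}(?:\.\d{1,3}){3}|-)\s+(?P<status>\d{3})$"
)


def under_suffix(host, suffix):
    """True if host equals suffix or is a subdomain of it (label-aware, not a substring test)."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def classify_host(host):
    """'bad_ns' for one of the shared nameservers (or a name under them),
    'free_tld' for a name under an abused free TLD/SLD, otherwise None."""
    for ns in BAD_NS_DOMAINS:
        if under_suffix(host, ns):
            return "bad_ns"
    for sfx in ABUSED_SUFFIXES:
        if under_suffix(host, sfx):
            return "free_tld"
    return None


def host_from_url(url):
    """Extract the hostname; CONNECT targets have no scheme, so prefix '//' first."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def scan_proxy_log(lines):
    """Return one finding per suspicious line with the reasons it matched."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        host = host_from_url(m["url"])
        reasons = []
        if m["server"] in BLOCKLIST_IPS:
            reasons.append("blocklisted_ip")
        kind = classify_host(host)
        if kind:
            reasons.append(kind)
        if reasons:
            findings.append({"client": m["client"], "host": host,
                             "server": m["server"], "reasons": reasons})
    return findings


def clients_to_triage(findings):
    """Internal clients that reached a blocklisted IP: the machines worth checking for compromise."""
    return sorted({f["client"] for f in findings if "blocklisted_ip" in f["reasons"]})


def domains_on_bad_nameservers(ns_records):
    """Pivot on the shared nameservers: ns_records is (domain, nameserver) pairs,
    e.g. from passive DNS; returns domains delegated to any of the bad nameservers."""
    return sorted({d for d, ns in ns_records if classify_host(ns) == "bad_ns"})


# Constructed sample data for a stand-alone run.
SAMPLE_LOG = [
    "2015-03-02T10:14:03Z 10.0.0.21 GET http://ooshuchahxe.co.vu/index.php 108.61.165.69 200",
    "2015-03-02T10:14:05Z 10.0.0.21 GET http://ooshuchahxe.co.vu/flash.swf 108.61.165.69 200",
    "2015-03-02T10:15:11Z 10.0.0.34 GET http://www.example.com/ 93.184.216.34 200",
    "2015-03-02T10:16:40Z 10.0.0.57 GET http://soundchecker.cf/track.php 203.0.113.9 404",
    "2015-03-02T10:17:02Z 10.0.0.88 CONNECT mail.example.net:443 198.51.100.7 200",
    "garbage line that does not match the format",
]
SAMPLE_NS = [
    ("phamiephim.co.vu", "ns1.thallsbe.com"),
    ("phamiephim.co.vu", "ns2.thallsbe.com"),
    ("soundchecker.cf", "ns1.irkoblik.com"),
    ("example.com", "a.iana-servers.net"),
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("clients to triage:", clients_to_triage(hits))
    print("domains on bad nameservers:", domains_on_bad_nameservers(SAMPLE_NS))
```

The two signal strengths are kept apart on purpose: a connection to one of the blocklisted IPs is what the update says may identify a compromised machine, while a free-TLD hostname on its own only earns a review, since those TLDs also carry legitimate traffic.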