This attack (assuming it is an attack) revolves around a bunch of domains hosted in 38.84.134.0/24 (HostZealot, UK). It starts when a visitor lands on the website click-and-trip.com, hosted on 38.84.134.46, which purports to be some sort of hotel reservation system. However, this URLquery report also shows a suspected Fiesta EK pattern and/or a TDS (Traffic Distribution System) URL. In the case of the report, the landing page is [donotclick]asasas.eu/yo416f8/counter.php?id=5 on 38.84.134.171, but this is one of those cases where the landing page seems to change quickly.
Both the "gateway" domain and the "payload" domain share similarities in their WHOIS details. For click-and-trip.com it is:
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: DE
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: HANSBRUSE@YAHOO.COM
Well, Barcelona isn't in DE (Germany), so these contact details look awfully suspect. If we look at the WHOIS details for asasas.eu we see:
Name Hans Bruse
Organisation hans inc
Language German
Address Am Forsthaus 9
18209 Glashagen
Germany
Phone +49.382037295
Email hansbruse@yahoo.com
Both records use the "hansbruse@yahoo.com" email address, and the German contact details for "Hans Bruse" are more convincing than those for "Bernardo Mines".
The click-and-trip.com domain has been around since January and, interestingly, a look back at the historical WHOIS from six months ago turns up slightly different contact details:
Registry Registrant ID:
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: ES
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: GEFEST@ZMAIL.RU
Registry Admin ID:
See the Russian email address? That gets some positive matches on Google linking it to a person called Aleksandr Filippovskiy (or Filippovskiy Aleksandr) who has been connected with malware sites before. So on balance, this thing looks rather suspicious... even though those details could also be a smokescreen.
Reverse DNS on 38.84.134.171 shows three suspect domains with a similar naming pattern:
aaqaaq.eu
asasas.eu
ooaooa.eu
We can also check the IP's reputation at VirusTotal, and it doesn't look great. However, if we extend the look to neighbouring servers, we can see a similar pattern of domains all the way from 38.84.134.162 to 38.84.134.171.
Domain | IP
ioooiiio.eu | 38.84.134.162
oieaa.com | 38.84.134.162
dcfvfr.com | 38.84.134.162
eiieei.com | 38.84.134.162
ijueee.com | 38.84.134.162
aoooaooa.com | 38.84.134.162
acccaacccaaaa.pw | 38.84.134.163
aaeeaae.com | 38.84.134.163
ooioooii.com | 38.84.134.163
azzaaazz.pw | 38.84.134.164
axxaaaxxx.pw | 38.84.134.164
aaooaaoaoaaa.pw | 38.84.134.164
advantagefilm.pw | 38.84.134.164
gthyuuuy.com | 38.84.134.164
kujeikdkd.com | 38.84.134.164
mijkuiiid.com | 38.84.134.164
rfttyhuui.com | 38.84.134.164
uyueueuee.com | 38.84.134.164
oooiiiio.us | 38.84.134.165
iiiiiiioooooooooo.us | 38.84.134.165
hyujuuy.com | 38.84.134.165
hyujyttr.com | 38.84.134.165
nefdefeettyt.com | 38.84.134.165
gthuueeed.us | 38.84.134.166
eeeeaeeeea.us | 38.84.134.166
aaeeeaaaeee.us | 38.84.134.166
gtyuyyuuj.com | 38.84.134.166
eedeeeedddd.eu | 38.84.134.167
iyiiyyyiiiyy.eu | 38.84.134.167
uoooouuuoo.pw | 38.84.134.167
efefefeeeeee.pw | 38.84.134.167
eaeaaaaaaeeeeee.pw | 38.84.134.167
aaaaaaooooo.us | 38.84.134.167
ioiiio.eu | 38.84.134.168
aeaaeee.eu | 38.84.134.168
aoaoooao.eu | 38.84.134.168
oiioooiiii.pw | 38.84.134.168
iaiaiaiaia.eu | 38.84.134.169
axxazazaza.eu | 38.84.134.170
jjjjajjiiiooo.eu | 38.84.134.170
aaqaaq.eu | 38.84.134.171
asasas.eu | 38.84.134.171
ooaooa.eu | 38.84.134.171
Older domains seem to sit on the lower IP addresses. The pattern appears to be that domains are hosted in the range for a short time, then parked on what appear to be Namecheap parking IPs; once the reputation of an IP is tarnished, the next batch of domains moves on to the next IP address.
The IPs in question roughly correspond to 38.84.134.160/28, but looking at the sites hosted in that range there is a gap of unused IPs all the way to 38.84.134.196.
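The naming pattern in the table above (labels built from a couple of repeated letters) and the clustering by hosting IP are both things a defender can score mechanically. The following is an added example, not code from the original post: it re-keys the post's domain/IP listing as a constructed inline table, flags labels that are repetitive by three simple heuristics (few distinct characters, a long run of one character, or vowels only; the thresholds are assumptions), groups the domains by IP, and computes the smallest CIDR that covers every hosting address seen.

```python
"""Flag repetitive domain labels and pivot them by hosting IP.

Added example, not code from the original post. TABLE is the post's
domain/IP listing re-keyed by hand; the scoring thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from itertools import groupby

# Constructed from the listing in the post: alternating "domain ip" tokens.
TABLE = """
ioooiiio.eu 38.84.134.162  oieaa.com 38.84.134.162  dcfvfr.com 38.84.134.162
eiieei.com 38.84.134.162  ijueee.com 38.84.134.162  aoooaooa.com 38.84.134.162
acccaacccaaaa.pw 38.84.134.163  aaeeaae.com 38.84.134.163  ooioooii.com 38.84.134.163
azzaaazz.pw 38.84.134.164  axxaaaxxx.pw 38.84.134.164  aaooaaoaoaaa.pw 38.84.134.164
advantagefilm.pw 38.84.134.164  gthyuuuy.com 38.84.134.164  kujeikdkd.com 38.84.134.164
mijkuiiid.com 38.84.134.164  rfttyhuui.com 38.84.134.164  uyueueuee.com 38.84.134.164
oooiiiio.us 38.84.134.165  iiiiiiioooooooooo.us 38.84.134.165  hyujuuy.com 38.84.134.165
hyujyttr.com 38.84.134.165  nefdefeettyt.com 38.84.134.165  gthuueeed.us 38.84.134.166
eeeeaeeeea.us 38.84.134.166  aaeeeaaaeee.us 38.84.134.166  gtyuyyuuj.com 38.84.134.166
eedeeeedddd.eu 38.84.134.167  iyiiyyyiiiyy.eu 38.84.134.167  uoooouuuoo.pw 38.84.134.167
efefefeeeeee.pw 38.84.134.167  eaeaaaaaaeeeeee.pw 38.84.134.167  aaaaaaooooo.us 38.84.134.167
ioiiio.eu 38.84.134.168  aeaaeee.eu 38.84.134.168  aoaoooao.eu 38.84.134.168
oiioooiiii.pw 38.84.134.168  iaiaiaiaia.eu 38.84.134.169  axxazazaza.eu 38.84.134.170
jjjjajjiiiooo.eu 38.84.134.170  aaqaaq.eu 38.84.134.171  asasas.eu 38.84.134.171
ooaooa.eu 38.84.134.171
"""


def label_features(domain):
    """Return (distinct_ratio, longest_run, vowels_only) for the leftmost label."""
    label = domain.split(".")[0].lower()
    distinct_ratio = len(set(label)) / len(label)
    longest_run = max(len(list(run)) for _, run in groupby(label))
    vowels_only = set(label) <= set("aeiou")
    return distinct_ratio, longest_run, vowels_only


def is_repetitive(domain, ratio_max=0.5, run_min=3):
    """Heuristic: few distinct characters, a long run, or vowels only (thresholds assumed)."""
    ratio, run, vowels_only = label_features(domain)
    return ratio <= ratio_max or run >= run_min or vowels_only


def parse_table(text):
    """Pair up the whitespace-separated tokens into (domain, ip_string) rows."""
    tokens = text.split()
    return [(tokens[i], tokens[i + 1]) for i in range(0, len(tokens), 2)]


def covering_network(ip_strings):
    """Smallest CIDR that contains every address (grow the prefix until max fits)."""
    addrs = [ipaddress.ip_address(s) for s in ip_strings]
    lo, hi = min(addrs), max(addrs)
    net = ipaddress.ip_network(str(lo))  # starts as a /32
    while hi not in net:
        net = net.supernet()
    return net


def analyse(rows):
    """Return (flagged domains, {ip: [domains]}, covering CIDR)."""
    by_ip = defaultdict(list)
    flagged = []
    for domain, ip in rows:
        by_ip[ip].append(domain)
        if is_repetitive(domain):
            flagged.append(domain)
    return flagged, dict(by_ip), covering_network(by_ip)


if __name__ == "__main__":
    flagged, by_ip, net = analyse(parse_table(TABLE))
    for ip in sorted(by_ip, key=ipaddress.ip_address):
        print(ip, len(by_ip[ip]), "domains;", sum(d in flagged for d in by_ip[ip]), "flagged")
    print("covering prefix:", net)
```

The label heuristics catch the vowel-soup names (asasas.eu, iiiiiiioooooooooo.us) but deliberately let a dictionary-looking label such as advantagefilm.pw through, and keyboard-mash labels like dcfvfr.com also pass; that is exactly why the IP pivot matters more than any single name, and why the covering prefix (38.84.134.160/28 for this listing) is the more useful output.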
Where these domains have identifiable WHOIS details, they conform to variants of the "Bernardo Mines" persona, for example acccaacccaaaa.pw:
Registrant ID:SVXABVV3KWVMGEKW
Registrant Name:Bernardo Mines
Registrant Organization:La Sagrada
Registrant Street1:Carrer de Mallorca, 401
Registrant City:Barcelona
Registrant State/Province:non
Registrant Postal Code:08013
Registrant Country:ES
Registrant Phone:+34.932073031
Registrant Fax:+1.5555555555
Registrant Email:ilokios@gmail.com
But we know that "Bernardo Mines" also operates other IPs in this range, including techno6.com on 38.84.134.47, and a further examination of sites in the range shows aws-wireless.com on 38.84.134.14, which is registered to:
Registry Registrant ID:
Registrant Name: FILIPPOVSKIY ALEKSANDR
Registrant Organization: DOM
Registrant Street: YLICA BAYMANA. DOM 9.KORPYS A. KVARTIRA 106
Registrant Street: KVARTIRA 106
Registrant City: YOSHKAR OLA
Registrant State/Province: YOSHKAR OLA
Registrant Postal Code: 42400
Registrant Country: RU
Registrant Phone: +7.79276827596
Registrant Phone Ext:
Registrant Fax: +7.79276827596
Registrant Fax Ext:
Registrant Email: AWSWIRELESS@MAIL.COM
So we have Filippovskiy Aleksandr again.
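The WHOIS comparisons above (the click-and-trip.com record that places Barcelona in DE, the shared hansbruse@yahoo.com address, the repeated Bernardo Mines persona and the Filippovskiy Aleksandr record) can be reduced to two mechanical steps: sanity checks inside each record and pivots on fields shared across records. The following is an added example, not code from the original post: the registrant fields quoted in the post are re-keyed by hand into one constructed "Key: Value" layout (the asasas.eu entry converted from the registry's label/value form, with its country written as the code DE), and the dialing-code table and the checks are assumptions for illustration.

```python
"""Consistency checks and cross-record pivots on WHOIS registrant data.

Added example, not code from the original post. RECORDS are the registrant
fields quoted in the post, re-keyed by hand; the asasas.eu entry was
converted from the registry's label/value layout. DIAL_CODES and the checks
are assumptions.
"""
import re
from collections import defaultdict

RECORDS = {
    "click-and-trip.com (current)": """
Registrant Name: BERNARDO MINES
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant Country: DE
Registrant Phone: +34.932073031
Registrant Fax: +1.5555555555
Registrant Email: HANSBRUSE@YAHOO.COM
""",
    "click-and-trip.com (six months earlier)": """
Registrant Name: BERNARDO MINES
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant Country: ES
Registrant Phone: +34.932073031
Registrant Fax: +1.5555555555
Registrant Email: GEFEST@ZMAIL.RU
""",
    "asasas.eu": """
Registrant Name: Hans Bruse
Registrant Street: Am Forsthaus 9
Registrant City: Glashagen
Registrant Country: DE
Registrant Phone: +49.382037295
Registrant Email: hansbruse@yahoo.com
""",
    "acccaacccaaaa.pw": """
Registrant Name:Bernardo Mines
Registrant Street1:Carrer de Mallorca, 401
Registrant City:Barcelona
Registrant Country:ES
Registrant Phone:+34.932073031
Registrant Fax:+1.5555555555
Registrant Email:ilokios@gmail.com
""",
    "aws-wireless.com": """
Registrant Name: FILIPPOVSKIY ALEKSANDR
Registrant Street: YLICA BAYMANA. DOM 9.KORPYS A. KVARTIRA 106
Registrant City: YOSHKAR OLA
Registrant Country: RU
Registrant Phone: +7.79276827596
Registrant Fax: +7.79276827596
Registrant Email: AWSWIRELESS@MAIL.COM
""",
}

# Only the dialing codes that occur above (assumption; +1 also covers Canada etc.).
DIAL_CODES = {"1": "US", "7": "RU", "34": "ES", "49": "DE"}
PIVOT_FIELDS = ("name", "email", "phone", "street")


def parse_record(text):
    """Parse 'Registrant Key: Value' lines into {key: value}; 'Street1' folds into 'street'."""
    rec = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = re.sub(r"\d+$", "", key.strip().lower().replace("registrant ", ""))
        value = value.strip()
        if value:
            rec[key] = value
    return rec


def check_record(label, rec):
    """Flag a phone prefix that contradicts the country, and a filler fax number."""
    findings = []
    country = rec.get("country", "").upper()
    m = re.match(r"\+(\d+)\.", rec.get("phone", ""))
    if m and country:
        implied = DIAL_CODES.get(m.group(1))
        if implied and implied != country:
            findings.append(f"{label}: phone +{m.group(1)} implies {implied}, record says {country}")
    fax = rec.get("fax", "")
    if re.fullmatch(r"\+1\.5{10}", fax):
        findings.append(f"{label}: fax {fax} is a filler number")
    return findings


def pivot(parsed):
    """Map (field, normalised value) -> sorted labels, keeping only values seen in 2+ records."""
    index = defaultdict(set)
    for label, rec in parsed.items():
        for field in PIVOT_FIELDS:
            if field in rec:
                index[(field, rec[field].lower())].add(label)
    return {key: sorted(labels) for key, labels in index.items() if len(labels) > 1}


def analyse(records):
    parsed = {label: parse_record(text) for label, text in records.items()}
    findings = [f for label, rec in parsed.items() for f in check_record(label, rec)]
    return findings, pivot(parsed)


if __name__ == "__main__":
    findings, links = analyse(RECORDS)
    for f in findings:
        print("finding:", f)
    for (field, value), labels in sorted(links.items()):
        print(f"shared {field} {value!r}: {', '.join(labels)}")
```

Run on these records it reports the +34 phone against the DE country code and the +1.5555555555 filler fax, and the pivots tie the three Bernardo Mines records together on phone, street and name while the shared email links click-and-trip.com to asasas.eu; the aws-wireless.com record is internally consistent and only connects through the email address discussed in the post, which is why that link is better kept as a manual finding than a scripted one.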
A look at all the hosts I can find in this range [csv] shows nothing of value, and a load of cybersquatting and spam sites. On balance, I think that blocking the entire 38.84.134.0/24 range may be prudent, even if it is hard to tell exactly what is going on here.