DhiaLite

New malicious campaign on 62.122.73.200-254 - Nov 1, 2013

Nov 2nd, 2013
Sat, Nov 1 2013
#DhiaLite - On shady AS49236 "Leksim": New malicious campaign delivered so far from 8 IPs in the range 62.122.73.200 to 254.

Example VT report of payload
https://www.virustotal.com/en/file/626a40dce7f19428a4a3fc5cd6e561f32b90d989f16bf19105c7152cf6dc142c/analysis/

-> Prediction with proof: all IPs in the 62.122.73.200-254 range are currently hosting the malware payload and will start hosting domains to pursue the ongoing malicious campaign.

Read on for details:

Currently 62.122.73.206 to 209 and 62.122.73.211 to 214 are hosting malware domains, all under 62.122.72.0/23 of AS49236 "Leksim".
The ASN announces a single CIDR, which has been used exclusively for malicious purposes.

Reported for example in the past in:

http://www.welivesecurity.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection/
http://blog.dynamoo.com/2011/04/evil-network-leksim-ltd-relnet-net.html

TWO CURRENT INTERESTING FACTS:

1) All IPs in the range 62.122.73.200 to 254 are currently hosting an identical malware payload, encrypt_html_pro_crack.exe (and possibly other payloads), but only 8 of these IPs are hosting domains:
62.122.73.214
62.122.73.213
62.122.73.212
62.122.73.208
62.122.73.211
62.122.73.209
62.122.73.207
62.122.73.206

2) Within the same /23, another IP range, 62.122.72.200 to 254, already showed this pattern of hosting a common payload across all IPs with hosted domains:
agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe
Below are the dates of the first and last time each IP hosted a malware domain, with the number of days it has been used.

IP            first seen  last seen   days
62.122.72.254 2013-10-29 2013-10-31 2
62.122.72.253 2013-10-29 2013-10-31 2
62.122.72.252 2013-10-29 2013-10-30 1
62.122.72.251 2013-10-28 2013-10-30 2
62.122.72.250 2013-10-28 2013-10-30 2
62.122.72.247 2013-10-27 2013-10-31 4
62.122.72.249 2013-10-27 2013-10-30 3
62.122.72.248 2013-10-27 2013-10-30 3
62.122.72.244 2013-10-26 2013-11-01 6
62.122.72.246 2013-10-26 2013-10-31 5
62.122.72.245 2013-10-26 2013-10-28 2
62.122.72.243 2013-10-26 2013-10-28 2
62.122.72.242 2013-10-25 2013-10-26 1
62.122.72.241 2013-10-25 2013-10-26 1
62.122.72.240 2013-10-25 2013-10-26 1
62.122.72.237 2013-10-24 2013-11-01 8
62.122.72.239 2013-10-24 2013-10-31 7
62.122.72.238 2013-10-24 2013-10-26 2
62.122.72.236 2013-10-23 2013-10-27 4
62.122.72.235 2013-10-22 2013-11-01 10
62.122.72.225 2013-10-22 2013-10-22 0
62.122.72.234 2013-10-21 2013-11-01 11
62.122.72.233 2013-10-21 2013-11-01 11
62.122.72.232 2013-10-20 2013-10-31 11
62.122.72.231 2013-10-20 2013-10-24 4
62.122.72.230 2013-10-19 2013-11-01 13
62.122.72.229 2013-10-19 2013-11-01 13
62.122.72.228 2013-10-19 2013-10-31 12
62.122.72.221 2013-10-19 2013-10-19 0
62.122.72.227 2013-10-18 2013-11-01 14
62.122.72.226 2013-10-18 2013-11-01 14
62.122.72.224 2013-10-18 2013-10-30 12
62.122.72.223 2013-10-17 2013-10-31 14
62.122.72.220 2013-10-16 2013-10-21 5
62.122.72.219 2013-10-16 2013-10-16 0
62.122.72.218 2013-10-15 2013-10-31 16
62.122.72.217 2013-10-14 2013-11-01 18
62.122.72.215 2013-10-14 2013-11-01 18
62.122.72.216 2013-10-14 2013-10-31 17
62.122.72.214 2013-10-13 2013-11-01 19
62.122.72.212 2013-10-13 2013-11-01 19
62.122.72.213 2013-10-13 2013-10-31 18
62.122.72.211 2013-10-12 2013-11-01 20
62.122.72.209 2013-10-12 2013-11-01 20
62.122.72.210 2013-10-12 2013-10-29 17
62.122.72.208 2013-10-12 2013-10-28 16
62.122.72.207 2013-10-11 2013-11-01 21
62.122.72.206 2013-10-11 2013-11-01 21
62.122.72.205 2013-10-10 2013-11-01 22
62.122.72.204 2013-10-10 2013-11-01 22
62.122.72.201 2013-10-10 2013-10-29 19
62.122.72.203 2013-10-09 2013-11-01 23
62.122.72.202 2013-10-09 2013-11-01 23
62.122.72.200 2013-10-08 2013-10-31 23

Prediction: the remaining IPs in the 62.122.73.200-254 range are currently dormant but will start hosting new malware domains to serve the ongoing campaign.

Very likely the entire /23 is used for the same or other malicious campaigns.
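The reasoning behind the prediction can be reproduced from the data above. The following added example (not part of the original paste) parses an excerpt of the 62.122.72.x first-seen/last-seen table, verifies the "days" column, counts how many addresses came online per day, and enumerates which addresses in 62.122.73.200-254 have not yet been seen hosting a domain. The excerpt rows and the eight active addresses are copied from the paste; the function names are this example's own.

```python
import ipaddress
from collections import Counter
from datetime import date

# Excerpt of the 62.122.72.x table above: IP, first seen, last seen, days used
TABLE_72 = """\
62.122.72.254 2013-10-29 2013-10-31 2
62.122.72.247 2013-10-27 2013-10-31 4
62.122.72.244 2013-10-26 2013-11-01 6
62.122.72.235 2013-10-22 2013-11-01 10
62.122.72.225 2013-10-22 2013-10-22 0
62.122.72.200 2013-10-08 2013-10-31 23
"""

# The eight 62.122.73.x addresses the paste reports as already hosting domains
ACTIVE_73 = {"62.122.73.206", "62.122.73.207", "62.122.73.208", "62.122.73.209",
             "62.122.73.211", "62.122.73.212", "62.122.73.213", "62.122.73.214"}


def parse_table(text):
    """Parse 'ip first last days' rows into (ip, first, last, days) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed rows
        ip, first, last, days = parts
        rows.append((ipaddress.ip_address(ip), date.fromisoformat(first),
                     date.fromisoformat(last), int(days)))
    return rows


def check_days(rows):
    """Addresses whose 'days' column disagrees with last seen minus first seen."""
    return [str(r[0]) for r in rows if (r[2] - r[1]).days != r[3]]


def activations_per_day(rows):
    """How many addresses came online (first seen) on each day."""
    return Counter(r[1].isoformat() for r in rows)


def dormant(start, end, active):
    """Addresses in the inclusive range start..end not yet seen hosting a domain."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    seen = {int(ipaddress.ip_address(a)) for a in active}
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1) if i not in seen]
```

Running dormant() over the full range yields the 47 addresses that have hosted the payload but no domain so far, which is the set the prediction is about.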

#Dates when the 8 IPs started hosting malware domains in the past 2 days:
62.122.73.214 2013-11-01
62.122.73.213 2013-11-01
62.122.73.212 2013-11-01
62.122.73.208 2013-11-01
62.122.73.211 2013-10-31
62.122.73.209 2013-10-31
62.122.73.207 2013-10-31
62.122.73.206 2013-10-30

#VirusTotal reports
https://www.virustotal.com/en/ip-address/62.122.73.206/information/
https://www.virustotal.com/en/ip-address/62.122.73.207/information/
https://www.virustotal.com/en/ip-address/62.122.73.208/information/
https://www.virustotal.com/en/ip-address/62.122.73.209/information/
https://www.virustotal.com/en/ip-address/62.122.73.211/information/
https://www.virustotal.com/en/ip-address/62.122.73.212/information/
https://www.virustotal.com/en/ip-address/62.122.73.213/information/

#Sample domains on each IP:
dlc.sumsungstock.ru 62.122.73.206
sumsungstock.ru 62.122.73.206
dlc.downloads-msk.ru 62.122.73.207
downloads-msk.ru 62.122.73.207
dlc.sumsungphone.ru 62.122.73.208
dlc.download-russia.ru 62.122.73.209
download-russia.ru 62.122.73.209
dlc.hot-file.ru 62.122.73.211
hot-file.ru 62.122.73.211
dlc.moisumsung.ru 62.122.73.212
dlc.sumsungsearch.ru 62.122.73.213
dlc.freshfiles.ru 62.122.73.214
dlc.volga-files.ru 62.122.73.214

#Example check for payloads on IPs 62.122.72.200 to 254

bash-3.2$ curl -A 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)' "http://62.122.72.206/download/203c3c387267672f27242c2b2d263c3a2d663a3d672f2d3c1730252477/25243a2c212c757b7f707a7d7b7d78716e2e21242d17212c75/06d4e448/torrent/agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe" > agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 129k 100 129k 0 0 83084 0 0:00:01 0:00:01 --:--:-- 97106

bash-3.2$ file agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe
agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

https://www.virustotal.com/en/file/0d054d0c2aa50cb8fc30256784bf9df48f47d964b8d0c9e5a8d130f447543a86/analysis/1383424746/


#Example check for payloads on IPs 62.122.73.200 to 254

bash-3.2$ curl -A 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)' "http://62.122.73.246/download/302c2c2862777735212b2d352b2d363f762a2d773f3d2c0720353467/35342a2b2c3a656b7e3c313c656b616c6c6d61696d687e3e31343d07313c65/0736a358/setup3/encrypt_html_pro_crack.exe" > encrypt_html_pro_crack.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 129k 100 129k 0 0 85561 0 0:00:01 0:00:01 --:--:-- 99570

bash-3.2$ file encrypt_html_pro_crack.exe
encrypt_html_pro_crack.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

https://malwr.com/analysis/NDk3ZmZiZTdjMzNiNGFkZGE5ZTQ5MzA5ZDFkNTRhY2Q/
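For a defender, the useful takeaway from the two checks above is the shape of the download URLs and the fact that the whole 62.122.72.0/23 serves the payload, not just the 8 addresses with domains. The following added example (not part of the original paste) scans constructed proxy log lines and flags any request to that /23 or to one of the listed domains, and separately any URL that matches the /download/<hex>/<hex>/<8 hex>/<dir>/<name>.exe layout seen in the curl commands. The regex is an assumption generalised from those two URLs, the log format and client addresses are constructed, and KNOWN_DOMAINS is a subset of the domains listed above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Network from the paste, and a few of the listed domains (registrable part only)
LEKSIM_NET = ipaddress.ip_network("62.122.72.0/23")
KNOWN_DOMAINS = {"sumsungstock.ru", "downloads-msk.ru", "hot-file.ru", "freshfiles.ru"}
# Assumed shape of the download URLs shown above: /download/<hex>/<hex>/<8 hex>/<dir>/<name>.exe
PAYLOAD_PATH = re.compile(r"^/download/[0-9a-f]+/[0-9a-f]+/[0-9a-f]{8}/[^/]+/[^/]+\.exe$", re.I)

# Constructed proxy log lines: epoch, client, method, url, status (hex segments shortened)
SAMPLE_LOG = """\
1383424700 10.0.0.15 GET http://62.122.73.246/download/302c2c28/35342a2b/0736a358/setup3/encrypt_html_pro_crack.exe 200
1383424701 10.0.0.15 GET http://www.example.com/index.html 200
1383424702 10.0.0.22 GET http://62.122.72.206/download/203c3c38/25243a2c/06d4e448/torrent/agricultural_simulator_2013.exe 200
1383424703 10.0.0.22 GET http://62.122.73.206/ 200
1383424704 10.0.0.30 GET http://198.51.100.7/download/aaaa/bbbb/0123abcd/setup/tool.exe 200
1383424705 10.0.0.40 GET http://dlc.hot-file.ru/download/ab12/cd34/0abcdef1/setup/update.exe 200
"""


def classify(url):
    """Return a verdict string for one URL, or None when nothing matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        infra = ipaddress.ip_address(host) in LEKSIM_NET
    except ValueError:  # a hostname rather than an IP literal
        infra = host in KNOWN_DOMAINS or host.endswith(tuple("." + d for d in KNOWN_DOMAINS))
    path_hit = PAYLOAD_PATH.match(parts.path) is not None
    if infra and path_hit:
        return "payload-download"
    if infra:
        return "infrastructure-contact"
    if path_hit:
        return "payload-url-shape"  # same URL layout from an unlisted host: worth a look
    return None


def scan(log_text):
    """Return (client, verdict, url) for every log line that triggers a verdict."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client, url = fields[1], fields[3]
        verdict = classify(url)
        if verdict:
            alerts.append((client, verdict, url))
    return alerts
```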