Rogue AV, ZeuS and Spear Phishing
Brian Krebs just posted a great article about avprofit.com, an affiliate program for malware distributors, who get $1 per install. But they don’t just spread rogue (fake) anti-virus software, they also spread ZeuS:

Distributors or “affiliates” who sign up with avprofit.com, for example, are given access to an installer program that downloads not only rogue anti-virus but also ZeuS, a stealthy piece of malware that specializes in mining online banking credentials from infected PCs.

There are some very interesting things about this development:
1. The email address used to register avprofit.com is abuseemaildhcp@gmail.com
2. abuseemaildhcp@gmail.com is the email address used to register updatekernel.com, the domain used in targeted spear phishing attacks
3. The binary that the malware distributors were given to spread (baba913304d400802be62e815579c41a) is the same as the binary used in a targeted spear phishing attack
4. The website that hosted the malware in the spear phishing attack was the same one used in another spear phishing attack that used portions of Brian Krebs’ article as a lure.
5. The command and control for a number of these attacks was updatekernel.com

Krebs lays out an impressive analysis of the broader ecosystem of these criminal networks. It is even more interesting when we factor in the attacks against .mil & .gov email addresses and the extraction of sensitive documents — as opposed to the banking credentials usually targeted by ZeuS — and the sensitive nature of the entities from whom these documents were exfiltrated.

All for $1 a piece.

2 comments.

  1. Malware domains registered to abuseemaildhcp@gmail.com have a long tradition.

    http://www.malwaredomainlist.com/mdl.php?inactive=on&sort=Date&search=abuseemaildhcp&colsearch=All&ascordesc=DESC&quantity=100

  2. ^ Definitely, and MDL is an awesome resource.
