
  #1 Old 11-08-2015, 01:12 AM
emailsnipper
 
emailsnipper's Avatar
 
Join Date: Apr 2015
Location: Carder.site
Posts: 143
emailsnipper is an unknown quantity at this point
Default

We have been investigating several domains registered using the email address drake.lampado777@gmail[.]com. IBM Security X-Force spotted the information-stealing malware named Corebot.

The Corebot’s author included the ability to add plugins to the malware in order to incorporate more features. The features are usually a specific function the malware will perform or turn the bot into, such as being a socks proxy or adding the possibility for the malware to spread via USB drives, grab certificates, or even perform DDoS. The sample analyzed by IBM Security X-Force communicates with two domains registered to drake.lampado777@gmail[.]com that are down at this time:

Domain name              IP address
arijoputane[.]com        62.76.41.51
vincenzo-sorelli[.]com   62.76.41.51

We found a 64-bit version of Corebot, but the sample seems buggy and doesn’t work properly, which suggests that it might still be under development. You can find similar strings in the 64-bit code as in the 32-bit:

core.dga
core.dga.key_fingerprint
core.dga.zones
core.dga.group
core.dga.domains_count
core.server_key
C:\work\itco\core\bin\x64\Release\core.pdb
c:\work\itco\fabric\config1.dat
c:\work\itco\fabric\config1.dat.plain
Hosted on the same IP address 62.76.41.5, we found more interesting domains. One was used as a Carberp C&C and the two others host a TVSPY C&C:

Domain name              Description
namorushinoshi[.]com     Carberp C&C
mastersway2[.]com        TVSPY C&C
bekmambek-ushlu[.]in     TVSPY C&C

We recently released a blog discussing TVSPY in greater detail. TVSPY is a remote access tool (RAT) leveraging Teamviewer software to gain access to remote computers. With this tool, the attackers could gather private information from their victims as well as take control and install further malware at will.

What else has drake.lampado777@gmail[.]com registered:

Out of the 30+ domains registered using that email address, one domain stood out, btcshop[.]cc. This is a fairly new domain created July 30th 2015. The domain may mislead people as this is not an online shop to buy bitcoin, but an online shop to buy lists of Socket Secure (socks) proxies and personally identifiable information. The lists of proxies are usually infected machines turned into a socks proxy to be used for further malicious activity. Several malware families have the capability to turn an infected machine into a socks proxy. However, this shop has a few peculiarities that are interesting.

The registration process is very simple. You just have to click on the Register button and you are redirected to a new screen notifying you that the registration has been successful. It gives you a hash as a way to log in. The hash is 41 alphanumeric characters long similar to a sha1 hash.

[Screenshot: corebot001]

Once you get the hash you just have to click on Login and copy/paste the hash to get in:

[Screenshot: corebot003]

Once you are logged in, there are two tabs available, Accounts and Socks. The Accounts tab lists several countries you can choose from and check if there are any accounts available. There is no specification of what type of accounts but we can assume they contain personally identifiable information (PII). It also shows a bitcoin wallet assigned to you automatically. To purchase, you’ll have to add bitcoin to that specific wallet. Every hash has a new Bitcoin wallet address assigned.

[Screenshot: corebot005]

As of writing, the base contains 9597 “rows”, where “rows” are individual accounts:

[Screenshot: corebot007]

The socks Tab only seems to contain 4 socks proxies located in the United States.

[Screenshot: corebot009]

BTCSHOP Threat Actor:

Once the information about the malicious domains linked to the email drake.lampado777@gmail[.]com was collected, we looked into what we could find about btcshop on forums. We found someone using the handle btcshop who wrote a few posts on forums. In one post btcshop asks for advice on how much he could sell socks proxy bots for. The jabber account used is the same account advertised on btcshop[.]cc, btcshop@exploit[.]im.

[Screenshot: corebot011]

In another interesting post btcshop is apparently selling bot source code on behalf of the author.

[Screenshot: corebot013]

The email address is linked to a Google+ account:

https://plus.google.com/118423272977624417312/posts

Conclusion:

The link between Corebot, the TVSPY C&C and the online shop is the email address used to register all the domains. We were able to link the online shop to a person on a forum using the handle btcshop and using the Jabber account btcshop@exploit.im. This person may or may not be running Corebot and TVSPY as a way to collect personally identifiable information for sale in his online shop. However, it would be convenient for the same person or a small group of people to be running malicious domains registered under the email drake.lampado777@gmail[.]com and also running btcshop to sell their collected wares. More evidence is needed to definitively say that drake.lampado777@gmail[.]com and btcshop@exploit.im are the same person.

Damballa detects this threat as ThreePaperConvicts.

— Loucif Kharouni
Senior Threat Researcher, Damballa

Appendix

64-bit Corebot version: b536172bdf3a0c638fd68068b7e8077ac8864e03

Domains hosted on the IP 62.76.41.51:

IP address     Domain name               First seen   Last seen
62.76.41.51    arijoputane[.]com         20150508     20150816
62.76.41.51    mastersway2[.]com         20150902     20150902
62.76.41.51    wascodogamel[.]com        20150601     20150730
62.76.41.51    namorushinoshi[.]com      20150411     20150626
62.76.41.51    chugumshimusona[.]com     20150718     20150718
62.76.41.51    marcello-bascioni[.]com   20150626     20150626

Full list of domains registered using the email address drake.lampado777@gmail[.]com:

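The pivot described in the post (registrant email to domains, domains to hosting IP, IP to co-hosted C&C domains) as an added example, not code from Damballa or the post. The WHOIS and passive-DNS records are constructed from the indicators and appendix dates quoted above, plus one labelled noise record; the function names and the "unrelated-site" domain are assumptions. It goes one step further than the post by checking whether hosting windows on the shared IP actually overlap, since a non-overlapping window may just be IP reuse.

```python
"""Infrastructure pivot over WHOIS and passive-DNS records (added example).
Records are constructed from indicators quoted in the post; the pivot follows
the analyst's steps and then tests whether hosting windows overlap."""
from collections import namedtuple

Pdns = namedtuple("Pdns", "domain ip first last")   # dates as YYYYMMDD strings

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b') into a comparable key."""
    return ioc.replace("[.]", ".")

# Constructed WHOIS: domain -> registrant e-mail (subset of the post's list).
WHOIS = {
    "arijoputane[.]com": "drake.lampado777@gmail[.]com",
    "vincenzo-sorelli[.]com": "drake.lampado777@gmail[.]com",
    "btcshop[.]cc": "drake.lampado777@gmail[.]com",
    "unrelated-site[.]org": "other-person@example[.]com",   # constructed noise
}

# Passive DNS: first four rows use the post's appendix dates; last is constructed.
PDNS = [
    Pdns("arijoputane[.]com", "62.76.41.51", "20150508", "20150816"),
    Pdns("namorushinoshi[.]com", "62.76.41.51", "20150411", "20150626"),
    Pdns("mastersway2[.]com", "62.76.41.51", "20150902", "20150902"),
    Pdns("wascodogamel[.]com", "62.76.41.51", "20150601", "20150730"),
    Pdns("unrelated-site[.]org", "198.51.100.7", "20150101", "20150131"),
]

ROLES = {"namorushinoshi[.]com": "Carberp C&C", "mastersway2[.]com": "TVSPY C&C"}

def overlaps(a: Pdns, b: Pdns) -> bool:
    """YYYYMMDD strings order correctly as text, so no date parsing is needed."""
    return max(a.first, b.first) <= min(a.last, b.last)

def pivot(email: str, whois=WHOIS, pdns=PDNS, roles=ROLES) -> dict:
    """Cluster infrastructure around a registrant e-mail address."""
    registered = sorted(d for d, e in whois.items() if refang(e) == refang(email))
    seed_rows = [r for r in pdns if r.domain in registered]
    ips = sorted({r.ip for r in seed_rows})
    strong, weak = {}, {}
    for r in pdns:
        if r.ip not in ips or r.domain in registered:
            continue
        # A shared IP is strong evidence only if the hosting windows overlap;
        # otherwise the address may simply have been reused by a later tenant.
        bucket = strong if any(overlaps(r, s) for s in seed_rows if s.ip == r.ip) else weak
        bucket[r.domain] = roles.get(r.domain, "unknown")
    return {"registered": registered, "ips": ips,
            "cohosted_overlapping": strong, "cohosted_no_overlap": weak}
```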