Yesterday, while checking my personal spam emails that I received today, I’ve got interested by a certain email which is asking to watch adult pictures by clicking on the picture:
Once you click on the picture, it is linked to hxxp://rusdiam.com/1.exe, which is a malicious file now detected as TROJ_AGENT.HRC.
Once I’ve got this file, I was curious again to know what was on the main page of this website.
I just typed hxxp://rusdiam.com on my browser and I’ve got now really infected by a succession of malware loading in memory. The website is no more available.
I decided to take a look closer to the main page’s source which contains 2 scripts sending you to 2 different URLs:
I’ve then investigated on those 2 URLs as a start.
From the URLs hxxp://buytraffic.cn/in.cgi?11 I was able to get a file named count.php containing a script sending you:
From this link, you get a file with a random name update04xxxx.exe where xxx is a random number. This link is also getting some other information for statistics purpose, as you can see, there is my IP add that I’m using for my testing, it is also getting the browser in use, the language and the OS in use.
After having work on this case and some other before, I’m used to play with the URLs and double check if I’m checking something else.
So, as usual, I played with the URL
My first attempt was the following:
In this attempt I had also prompted to download a file named update04xxxx.exe. This finfing made me more curious and interested to investigate further.
My second attempt was then to play with it again as follow:
As you might be, I was surprise to end up here. On the folder where everything is hosted, such as the malicious pages, malicious file, statistics webpage, a folder full of scripts.
I was also surprise when I tried to look for the malicious file; I just found 1 file named file.exe and every time you try to download the file getexe.php, it is forcing you to download the file “file.exe” but renamed each time.
The most interesting thing here beside of this is the stats link. Once you click on it a web console is displayed as follow:
You are now on a NoName Pack administration console. So now the deal is to login
I just tried a weak login/password and I got in:
As you can see, you can find the browser, the OS in use and also the country and the referrer means from where you came from. I’ve tried few websites stated there and I got fully loaded of malware, here is a small list from 1 website:
kowts_05: vedxga4me1.exe [TROJ_SMALL.BC]
As you may notice it is installing you a rogue antivirus product named Brave Sentry.