By Dancho Danchev
Historical cybercrime performance activity of multiple gangs and individuals has shown us that, in order for them to secure multiple revenue streams, they have the tendency to multi-task on multiple fronts while operating and serving the needs of customers within different cybercrime-friendly market segments.
A logical question emerges in the context of the fact that 99% of all the spamvertised campaigns we’re currently intercepting rely on the latest version of the Black Hole Exploit Kit – is Paunch, the author of the kit, multi-tasking as well? What’s the overall impact of his ‘vertical market integration‘ practices across the Web beyond maintaining the largest market share of malicious activity in regard to Web malware exploitation kits?
This is the most popular advertisement that was featured within the kit since day one, in an attempt by its author to not only achieve a decent brand awareness for the service, but also actually convert his current Black Hole Exploit Kit customers into customers of the crypting/obfuscating service as well. The results? Pretty decent conversion rates, based on a systematic tracking of the pseudo-random obfuscations generated by the service, and actually used in campaigns intercepted in the wild.
At a later stage, things slightly changed, perhaps due to the fact that Paunch’s service has gained the necessary market share. The author of the kit started soliciting advertisements from fellow cybercriminals, like the following ad:
Sample entry page for Paunch’s crypting/obfuscating service:
Sample Black Hole Exploit Kit campaigns’ pseudo-random obfuscation examples that used Paunch’s service:
- Cybercriminals impersonate FDIC, serve client-side exploits and malware
- Spamvertised ‘Your Fedex invoice is ready to be paid now’ themed emails lead to Black Hole Exploit kit
- ‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit
hxxp://graciemgt.huntwalker.com/clients.php -> hxxp://mrtwimcraiprwogw.info/in.cgi?14 – 18.104.22.168 (AS16276) – Email: firstname.lastname@example.org -> hxxp://eheph.AlmostMy.COM/hulk -> hxxp://pornadvocate.com
The following malicious redirectors are known to have responsed to the same IP (22.214.171.124) in the past:
What’s particularly interesting about these domains is that we have a seperate MD5 phoning back to two of these domains, namely, safeperl.net and gogoperl.net (MD5: 8545473E7F34B5D5A611D757D9444E3D – detected by 2 out of 42 antivirus scanners as Trojan-Ransom.Win32.Birele.aegw).
This campaign is just the tip of the iceberg, and so is Paunch’s underground ecosystem multi-tasking projects. What’s for certain is the fact that, just like the majority of cybercriminals, he’s got multiple sources of revenue through ‘vertical market integration’ development projects.