Thursday 8 September 2011

Tracking Cyber Crime: Golden Ducat (AV Affil)

New fresh AV Affiliate infiltrated: Golden Ducat.
They use Security Shield rogue.










Main page

News

Malware download


Redirect

instruction.txt:
Инструкция
----------
1. Создать папку с любым названием
1. Распаковать туда архив redirect.zip
2. Прописать свой урл в конфиг скрипта redirect.php ('url' => 'сюда')
   Ссылки брать с раздела Links
3. Установить права на запись в файл link.txt + на папку где он лежит
5. Лить трафик на redirect.php

Statistics

Account info

Payement

Contact

Some crap with PECompact 2









Event test

"I'm here"

Infection dropped into
C:\Documents and Settings\(user)\Local Settings\Application Data



Anti vm/sandbox, usual stuff..

Following IP's was identified.
91.223.89.100
31.44.184.62

The distribution system seem also got links with Bitcoin mining botnet
[91.223.89.100]
91.223.89.99/loader2.exe
91.223.89.99/loader20_lite.exe
91.223.89.99/ddhttp.exe

Edit 09 Sep:
Domain changed:

Statistic temporarily disabled:

2 comments:

  1. Hi Steven,

    Very interesting stuff again. The links at the end are not TDSS but Delf.QCZ/Trojan.Win32.Miner aka the Bitcoin mining botnet. I blogged about it a couple days ago http://blog.eset.com/2011/08/29/win32delf-qcz-additional-details. When you say those urls were in the distribution system, do you mean on the Golden Ducat website or in one of the dropped files ?

    Thanks

    Sébastien

    ReplyDelete
  2. erf mistake, thanks for the notice, i've not really looked into these files.
    They are not distributed with Golden Ducat, i've just looked for malware on similare IP range and got this.

    ReplyDelete