Mimicking Malice: Exploring Malicious Traffic Distributors


My journey into the depths of this blog began unexpectedly during a routine online exploration, where I stumbled upon a cyber threat. This scenario is common in our field, and detailed analyses of groups like ‘Parrot TDS’ and ‘VexTrio’ have been ongoing as those groups keep shifting the tactics and techniques behind these campaigns.

These blog explorations often lead to discoveries that resonate with those of other researchers, who have vast numbers of data points to analyze and resources I don’t have, like teams of keen analysts who can crunch it all over weeks or months. When I come across comparable research, I make it a point to integrate it into my articles by linking or referencing it, thus providing a comprehensive and informed view of the threat.

Moving forward, my hands-on experimentation with an actively exploited website in this campaign, and the unique evidence I’ve gathered, offer a current and fresh perspective on the ‘front-end’ experience a victim goes through when surfing into these Malicious Traffic Distribution Systems. I’m here to share practical tactics, techniques, and procedures (TTPs) derived from real-world experience interacting with the threat. These TTPs could help you or others identify and neutralize these threats in your own environment. Unfortunately, some aspects still need to be looked at because of time constraints, leaving room for you, the reader or fellow researcher, to contribute and dig deeper.

My story began when I accessed a company’s website, Sunridge Systems’ (Warning: Not Remediated), from my home machine, following a Google search for product information and training resources. Initially, this experience was a routine follow-up to topics discussed during regular business hours. Still, it suddenly became a firsthand encounter with a cyber threat that I went on to investigate for the next few hours:

While following a Google link, I arrived at a product page that unexpectedly opened another window. I instinctively closed it upon noticing a suspicious ‘.live’ top-level domain. My phone’s BitDefender app immediately alerted me to a phishing threat at the gateway of my office network. It had blocked a URL, linkbluehang[.]live, and the connection was promptly reset.

It caught my attention. I was visiting a website that supplied law enforcement organizations and, at the same time, had no other browser windows open because I’d just started up the computer. The pop-up came from the website I was visiting, but the same scripts did not trigger on further visits. Thus, I began to dig deeper into what was behind this attack against my machine.

First stop, I checked my DNSFilter logs to find out what was happening on my gateway at the time, absent any equivalent logs coming out of the ‘Netgear Armor’, to line up what happened around the time I loaded this site:

My visit to the vendor website is apparent, along with the usual noise from analytics and trackers, and two other things stand out in the outputs:

l.js-assets[.]cloud CloudFlare GET https://l.js-assets[.]cloud/min.t.1706310000.js?v=65b43bc8
js.abc-cdn[.]online 162.0.228.112 https://js.abc-cdn[.]online/?dT1odHRwcyUzQSUyRiUyRnN1bnJp….. (Base64 Encoded: 185 Characters)
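The second request above is worth decoding, because it shows what the injected loader hands to the next hop. The Python below is an added example (not code from the post, the site or the campaign): it base64-decodes the visible prefix of the captured query string, which turns out to be the victim’s current page URL, URL-encoded and passed as a plain `u=` parameter. The value is truncated in the capture, so only the prefix shown there is decoded. It also reads the numeric token in `min.t.1706310000.js` as a Unix timestamp; that interpretation is my assumption and nothing in the capture confirms it.

```python
import base64
import urllib.parse
from datetime import datetime, timezone

# Values copied from the DNSFilter/Fiddler capture quoted above. The query
# string is cut off in the post, so only the visible prefix is decoded here.
CAPTURED_QUERY = "dT1odHRwcyUzQSUyRiUyRnN1bnJp"
CAPTURED_SCRIPT = "min.t.1706310000.js"


def decode_beacon(query: str) -> str:
    """Base64-decode a possibly truncated query value.

    The redirector carries the page URL as plain base64 (no key), so the only
    work is repairing padding: a fragment cut mid-string still yields its
    readable prefix. A length of 1 mod 4 can never be valid base64, so the
    dangling character is dropped before padding is restored.
    """
    clean = query.rstrip("=")
    if len(clean) % 4 == 1:
        clean = clean[:-1]
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean, validate=True).decode("utf-8", errors="replace")


def parse_beacon(query: str) -> dict[str, str]:
    """Decode the beacon and split it into URL-decoded key/value pairs."""
    return dict(urllib.parse.parse_qsl(decode_beacon(query), keep_blank_values=True))


def script_timestamp(filename: str) -> datetime:
    """Read the digits in min.t.<digits>.js as a Unix timestamp.

    Assumption on my part: the numeric token looks like seconds since the
    epoch and, if so, dates the loader build. The capture does not confirm it.
    """
    digits = next(part for part in filename.split(".") if part.isdigit())
    return datetime.fromtimestamp(int(digits), tz=timezone.utc)


if __name__ == "__main__":
    print(parse_beacon(CAPTURED_QUERY))       # {'u': 'https://sunri'}
    print(script_timestamp(CAPTURED_SCRIPT))  # 2024-01-26 23:00:00+00:00
```

The decoded prefix is the start of the referring site’s address, which is why a single backdoored site can feed the TDS the exact page each visitor came from. If the timestamp reading is right, the script name dates the loader to the same day as the `20240126` path segment seen later on pshmetrk[.]com, which is consistent with a loader being rebuilt per campaign wave rather than a random cache-buster.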

Immediately, I dug up a few more of these domains that would be interesting to research:

cdn.jsdevlvr[.]info, cdn.wt-api[.]top, spf.js-min[.]site

These CDN sites redirect you to the next hop with a simple piece of code, based on what I saw in Fiddler:

At a glance, the landing sites (*.live) seemed like the ephemeral layer that typically gets rotated like a crop as vendors mow down the domains with red flags. Lots of them were hovering around the subnet 185.155.184.0/22, as per the VirusTotal passive DNS records for the current lookups:

Some have ‘Mimecast’ in them, likely for a particular campaign they’re running against its users.

When you first land on these pages (source code on PasteBin), a waiting message tells you to hang on, more like 5 seconds, while it figures out how best to screw you over.

‘Loading…
Please bear with us. This will be brief.’

Massive obfuscated script embedded into the page and available in its entirety using the paste link above:

Next, we hit a CAPTCHA page at http://re-capta-version-3-55[.]top/ms/robot4/?c=372a2392-4dbb-4fed-bd2f-1f9f846a34ef&a=l143904, titled ‘Click “Allow”’, which I happily do:

(Pastebin)

My machine reports out to another .live address, ‘midmovenews[.]live’, with information about me, shown here on PasteBin, that includes some ISP info and IP address data:

GET /jmjrkxqn/article2611.doc?utm_campaign=INccHxHRWrew3TQsLBbfNnbGFYUZobMqxXT9Zrw5FhI1&t=main9ljs2&f=1&sid=t1~gomaa1uwypbu3nendhdxw1z4&fp=vi%2FwUTGEF2e5RznRBwr78Q%3D%3D

GET /web/?sid=t1~gomaa3uwypbu3nendhdxw1z5

A familiar scareware landing site emerges, ‘us.secureonlinecontrol[.]com’, asking permission to send notifications through Chrome. Up in the browser is a tab that popped for ‘thebest-prize[.]life’:

(It was one of many probable payloads, including malware, that I didn’t go out of my way to collect. Which one you get depends mainly on your network (residential/commercial), language, location, etc.)

My machine also hit a long URL from the site https://pshmetrk[.]com/ that I should mention. The URL was in this format: 20240126?k=[1198 characters]&n=19&d=1d86391c-57c0-4a1d-868e-d767d69765a3&v=17&sv=17&dn=re-captha-version-3-55.top&dmi=1418265&s=h06&btn=1, and it contained the next hop for me on a .top domain.

(See also: pshmtrack[.]com, pshmtrks[.]com, pshmtrackerk[.]com, pshmtrk[.]com, pushnotificationsprototype[.]com and evttrkapi[.]top, which I found via their shared hosting at 136.243.216.244.)

A final connection was made to rdrdrdr[.]com with this URL: POST /click.php?event4=1&event8=1&uclick=xr4kft16

Other connections to suspicious domains: tracker-2[.]com, nxtpsh[.]com, universal-total[.]com, uidsync[.]net, and that was all for my initial session with this page. I still hadn’t figured out the exact code on the site that was doing it, so I had to circle back to that once I had analyzed all of the pages.

Backdoor:

So, what was the backdoor? Well, it was tough to detect since it seemed to attack an IP only once, and there were a ton of plug-ins on this site. After syncing the files locally and checking Fiddler captures, I was finally able to locate the malicious script and pull out a marker that stayed constant across copies and wasn’t varied by the obfuscation:

(PasteBin)

Two strings in the script were unique and made it easy to find across other files: ‘bC5qcy1hc3’ and ‘NldHMuY2xv’. In this case, I searched the other files synced from the site looking for more code:

Get-ChildItem -Recurse -Filter *.html | Select-String -Pattern 'bC5qcy1hc3' -SimpleMatch | Select-Object Path, LineNumber, Line

Many plug-ins had been backdoored by calling the functions from these JavaScript files, which had been converted to (.html) pages. Which one was the entry point still needs clarifying, but in many cases there were 5+ script entries on a single page. I pulled the site down using HTTrack to examine it locally.
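As an added example, and not code from the post or from the site involved, the following Python shows why those two fragments are stable and how to sweep a synced copy for them. ‘bC5qcy1hc3’ and ‘NldHMuY2xv’ are adjacent slices of base64('l.js-assets.cloud'), so searching for them is really searching for the second-hop hostname inside the obfuscated loader. The example also generalizes the check: a hostname buried in a longer base64 blob encodes to one of three different strings depending on its byte offset, so a sweep built from one copy of the loader misses the other two alignments. The plug-in pages are constructed inline (hypothetical, not files from the real site), and the scan is the Python counterpart of the Select-String sweep above.

```python
import base64
import tempfile
from pathlib import Path

# Second-hop host from the capture; the two indicators quoted in the post are
# adjacent slices of its standard base64 encoding at byte alignment 0.
BEACON_HOST = "l.js-assets.cloud"
PAGE_FRAGMENTS = ("bC5qcy1hc3", "NldHMuY2xv")


def base64_alignments(text: str) -> list[str]:
    """Base64 forms of `text` when it starts at byte offset 0, 1 or 2 of a
    larger blob, trimmed to the characters that depend on `text` alone.

    Leading pad bytes contaminate the first 0, 2 or 3 output characters; when
    the total length is not a multiple of 3, the final character also mixes in
    whatever byte follows in the real blob, so it is dropped too.
    """
    forms = []
    for offset in range(3):
        raw = b"\x00" * offset + text.encode()
        enc = base64.b64encode(raw).decode().rstrip("=")
        enc = enc[(0, 2, 3)[offset]:]
        if len(raw) % 3:
            enc = enc[:-1]
        forms.append(enc)
    return forms


def scan_tree(root: Path, needles: tuple[str, ...]) -> list[tuple[str, int, str]]:
    """Walk *.html under `root` and report (relative path, line number, needle)
    for every line containing any needle."""
    hits = []
    for path in sorted(root.rglob("*.html")):
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for needle in needles:
                if needle in line:
                    hits.append((str(path.relative_to(root)), lineno, needle))
    return hits


def build_sample_site(root: Path) -> None:
    """Write constructed sample pages (hypothetical; not files from the real site).

    Three are backdoored. The loader's base64 blob lands at a different byte
    alignment in each because a different-length string precedes the hostname.
    """
    host = BEACON_HOST.encode()
    blob_a = base64.b64encode(b"https://" + host + b"/min.t.js").decode()   # offset 8 -> alignment 2
    blob_b = base64.b64encode(b"var s='//" + host + b"/x.js'").decode()    # offset 9 -> alignment 0
    blob_c = base64.b64encode(b"src=" + host + b"/c.js").decode()          # offset 4 -> alignment 1
    for sub in ("plugin-a", "plugin-b", "plugin-c"):
        (root / sub).mkdir(parents=True)
    (root / "plugin-a" / "index.html").write_text(
        f"<script>var _0x=atob('{blob_a}');document.write(_0x)</script>\n")
    (root / "plugin-b" / "loader.html").write_text(
        f"<script>eval(atob('{blob_b}'))</script>\n")
    (root / "plugin-c" / "widget.html").write_text(
        f"<script>eval(atob('{blob_c}'))</script>\n")
    (root / "readme.html").write_text("<p>Clean plug-in page.</p>\n")


def compare_sweeps() -> dict[str, int]:
    """Run the two-fragment sweep and the all-alignment sweep over the
    constructed site; return how many backdoored files each finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        narrow = {p for p, _, _ in scan_tree(root, PAGE_FRAGMENTS)}
        broad = {p for p, _, _ in scan_tree(root, tuple(base64_alignments(BEACON_HOST)))}
    return {"page_fragments": len(narrow), "all_alignments": len(broad)}


if __name__ == "__main__":
    print(base64_alignments(BEACON_HOST))
    print(compare_sweeps())  # {'page_fragments': 1, 'all_alignments': 3}
```

Running it shows the two fragments from the post catching only the copy whose hostname sits at alignment 0, while the three derived forms catch all three. When you build an IOC from one infected file, deriving the other two alignments of the same hostname costs nothing and closes that gap.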

From here, I borrowed a useful tactic from Randy McEoin: using a public source code search engine. Based on this database, that tool has observed 3,165 websites running this code. There were a total of 18,770 internal pages with the code, meaning an average of about 6 backdoored scripts per site, with multiple entries per page, likely from drive-by injections. (‘N’ = ‘447,409,294’) [PublicWWW DB]

Feel free to let me know if you have any insights or things to add, and I’ll try to get them in the blog. If you like security research and protecting others from bad actors, follow on LinkedIn.

(If you’d like a list of all the TTPs, Fiddler, and PasteBin links from this article, reach out to me, and I’ll provide it to you in a password-protected file)

Related Links:

Cybercrime Central: VexTrio Operates Massive Criminal Affiliate Program

https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/

https://infosec.exchange/@rmceoin/111688556423448763

https://www.bleepingcomputer.com/news/security/vextrio-tds-inside-a-massive-70-000-domain-cybercrime-operation/

https://www.bleepingcomputer.com/news/security/malicious-web-redirect-scripts-stealth-up-to-hide-on-hacked-sites/