Who's Pushing All The "Fake Updates" Malicious Software Using Redirectors and Traffic Distribution and Redirection Systems and Tools Domains?
2023-12-28 19:03 Author: ddanchev.blogspot.com

I've recently observed an increase in high-traffic and high-profile Web sites being abused - exploited rather than compromised, to be precise - through unfixed web application flaws such as open redirects (for instance, a "you are leaving this site" redirection notice that accepts an arbitrary destination URL). The goal is to bounce visitors through rogue traffic distribution and traffic management domains that form part of a URL redirection chain, so that both legitimate high-profile Web sites and purely malicious Web sites end up being used to drop malicious software on the targeted hosts.

The surprising part? The entire portfolio of these traffic redirection and traffic management domains is parked on 193.106.175.18 - AS50465 - IQHost Ltd, where one of the bigger domain farms is hxxp://biggerfun.org.

Sample misconfigured high-traffic and high-profile Web sites whose open redirects (a ?URL= or proxy.php?link= parameter that accepts an arbitrary destination, with or without a scheme, plain or percent-encoded) can be abused to potentially bypass reputation filters include:

hxxp://afmonline.org/?URL=hxxp://khTrnB0WV8.biggerfun.org/khTrnB0WV8/

hxxp://whiskyparts.co/?URL=m88Z2iiER.biggerfun.org/m88Z2iiER/

hxxp://hardemancounty.org/?URL=http%3A%2F%2F1FXddDHkYN.biggerfun.org/1FXddDHkYN/

hxxp://bukkit.org/proxy.php?link=hxxp://uToqSuwC.biggerfun.org/uToqSuwC/

hxxp://www.centralsynagogue.org/?URL=hxxp://NjNr8Mkm.biggerfun.org/NjNr8Mkm/

hxxp://board-en.piratestorm.com/proxy.php?link=http%3A%2F%2Fnpn8KwBr.biggerfun.org/npn8KwBr/

hxxp://boards.theforce.net/proxy.php?link=hxxp://WihYqBBuvj.biggerfun.org/WihYqBBuvj/

hxxp://www.cutrite.com.au/?URL=hxxp://9mVRlHjF.biggerfun.org/9mVRlHjF/

Sample traffic redirection and traffic management domains involved in the campaign include:

hxxp://surelytheme.org

hxxp://bluegaslamp.org

hxxp://throatpills.org

hxxp://draggedline.org

hxxp://machinetext.org

hxxp://climedballon.org

Sample related domains known to have been involved in the campaign that are currently parked at 193.106.175.18 - AS50465 - IQHost Ltd include:

hxxp://jsqur.com

hxxp://libertader.org

hxxp://mrbotn.jsqur.com

hxxp://www.catsndogz.org

hxxp://user179.jsqur.com

hxxp://marcusdesigninc.jsqur.com

hxxp://nuvoleparlanti.jsqur.com

hxxp://fserver.jsqur.com

hxxp://download.www.windowlight.org

hxxp://mtf-misawa.jsqur.com

hxxp://cdn.jsqur.com

hxxp://dashtiha.jsqur.com

hxxp://vitkutin.jsqur.com

hxxp://permisdeconduire.jsqur.com

hxxp://olympics.jsqur.com

hxxp://emv1.vibedroom.org

hxxp://melpar-emh1.jsqur.com

hxxp://u.admin.backendjs.org

hxxp://billtieleman.jsqur.com

hxxp://descarte.jsqur.com

hxxp://4m.jsqur.com

hxxp://sn007.jsqur.com

hxxp://win24.jsqur.com

hxxp://web3449.jsqur.com

hxxp://cgxdave.jsqur.com

hxxp://cassandre.jsqur.com

hxxp://deeptrickday.org

hxxp://xxxl80.jsqur.com

hxxp://91.jsqur.com

hxxp://castlerea.jsqur.com

hxxp://dkline.jsqur.com

hxxp://daws-512.jsqur.com

hxxp://ufl.jsqur.com

hxxp://eggert.jsqur.com

hxxp://apps.jqueryj.com

hxxp://frightysever.org

hxxp://beal.jsqur.com

hxxp://survey.backendjs.org

hxxp://best-funny-quotes.jsqur.com

hxxp://jeanm.jsqur.com

hxxp://forms.admin.backendjs.org

hxxp://comtenc.jsqur.com

hxxp://dannyfilm.jsqur.com

hxxp://office.backendjs.org

hxxp://jqueryj.com

hxxp://longtail.jsqur.com

hxxp://web6201.jsqur.com

hxxp://hoytek-gw4.jsqur.com

hxxp://gazeta.jsqur.com

hxxp://www.treegreeny.org

hxxp://cpfm.jsqur.com

hxxp://asims-rdck1.jsqur.com

hxxp://indiajobscircle.jsqur.com

hxxp://babbar.jsqur.com

hxxp://gorki.jsqur.com

hxxp://gmailblog.jsqur.com

hxxp://dvan.jsqur.com

hxxp://carpinteros-aluminio.jsqur.com

hxxp://web18332.jsqur.com

hxxp://wallah.jsqur.com

hxxp://si.jsqur.com

hxxp://shems.jsqur.com

hxxp://vigen.jsqur.com

hxxp://sws.jsqur.com

hxxp://routetest.jsqur.com

hxxp://account.admin.backendjs.org

hxxp://secure-ite2-origin.jsqur.com

hxxp://mdm.backendjs.org

hxxp://_dmarc.jqueryns.com

hxxp://mntc.jsqur.com

hxxp://powerful.jsqur.com

hxxp://whitney.jsqur.com

hxxp://stream.jsqur.com

hxxp://uhost.jsqur.com

hxxp://unix3.jsqur.com

hxxp://www.florida.jsqur.com

hxxp://jkelley.jsqur.com

hxxp://derby.jsqur.com

hxxp://currier.jsqur.com

hxxp://wp.admin.backendjs.org

hxxp://frente-a-camaras.jsqur.com

hxxp://facman.jsqur.com

hxxp://b10.jsqur.com

hxxp://arehn.jsqur.com

hxxp://cprat.jsqur.com

hxxp://hpermsp.jsqur.com

hxxp://ksia.jsqur.com

hxxp://jhansen.jsqur.com

hxxp://biggerfun.org

hxxp://kodakr.jsqur.com

hxxp://samfox.jsqur.com

hxxp://apps.jsqur.com

hxxp://passe.jsqur.com

hxxp://walkman.jsqur.com

hxxp://stovallscx.jsqur.com

hxxp://antivir.jsqur.com

hxxp://link2-me.jsqur.com

hxxp://xx9.jsqur.com

hxxp://quine.jsqur.com

hxxp://v.circuspride.org

hxxp://cn.circuspride.org

hxxp://x.circuspride.org

hxxp://pay.circuspride.org

hxxp://ssl.circuspride.org

hxxp://physiology.jsqur.com

hxxp://mytabletpcuk.jsqur.com

hxxp://gdsz.jsqur.com

hxxp://daws-43-5.jsqur.com

hxxp://cfg.circuspride.org

hxxp://ip90.jsqur.com

hxxp://oily.jsqur.com

hxxp://jqueryh.org

hxxp://tamarack.jsqur.com

hxxp://macgo.jsqur.com

hxxp://interlock.jsqur.com

hxxp://cmu-cc-vma.jsqur.com

hxxp://daws91-3.jsqur.com

hxxp://norman.jsqur.com

hxxp://www.16.jsqur.com

hxxp://web3933.jsqur.com

hxxp://mta-sts.bluegaslamp.org

hxxp://212.jsqur.com

hxxp://dooly.jsqur.com

hxxp://www.bigbricks.org

hxxp://machinetext.org

hxxp://kb.windowlight.org

hxxp://catsndogz.org

hxxp://whitedrill.org

hxxp://www.neworderspath.org

hxxp://jqueryns.com

hxxp://sorteios-e-promocoes.jsqur.com

hxxp://web5422.jsqur.com

hxxp://ivtortypqfyi.greedyclowns.org

hxxp://ivtorlypqfyi.greedyclowns.org

hxxp://ivladimir.surelytheme.org

hxxp://ivbdimir.surelytheme.org

hxxp://liorida.surelytheme.org

hxxp://rota-sts.climedballon.org

hxxp://climedballon.org

hxxp://treegreeny.org

hxxp://daddygarages.org

hxxp://emperorplan.org

hxxp://bigbricks.org

hxxp://greedyclowns.org

hxxp://vibedroom.org

hxxp://backendjs.org

hxxp://dailytickyclock.org

hxxp://neworderspath.org

hxxp://devcodejs.org

hxxp://cancelledfirestarter.org

hxxp://greedyfines.org

hxxp://limeerror.org

hxxp://bluegaslamp.org

hxxp://throatpills.org

hxxp://drilledgas.org

hxxp://draggedline.org

hxxp://windowlight.org

hxxp://sevenpunches.org

hxxp://circuspride.org

hxxp://linedgreen.org

hxxp://surelytheme.org

hxxp://vivaldi-ed.group

hxxp://cashapp-renewal.com

hxxp://ing-update.info

hxxp://bankid-app.net

hxxp://commonwealth-renewal.com

hxxp://transfer-management.com

hxxp://banko-atnaujinimas.com

hxxp://s-identity-verwalten.com

hxxp://bigfat.shop

hxxp://fomzerapoze.shop

hxxp://aremonuza.shop

hxxp://hanmozapre.shop

hxxp://bamizorapa.shop

hxxp://yazevora.com

hxxp://ipko-aktualizacja.com

hxxp://halifax.signin-helpdesk.com

hxxp://signin-helpdesk.com

hxxp://hailfax.signin-helpdesk.com

hxxp://online-helpdesk-portal.com

hxxp://santander.online-helpdesk-portal.com

hxxp://jquerypure.com

hxxp://de-system-913580.xyz

hxxp://targo.de-system-913580.xyz

hxxp://be-systeem-8510598.xyz

hxxp://ns1.putinkremel.su

hxxp://notudhost.com.ru

hxxp://trsew.ru

hxxp://fashmodsite.uno

hxxp://nnnten.ru

hxxp://tenhost.com.ru

hxxp://au-08.top

hxxp://jutralalali.xyz

hxxp://gilirges.ru

hxxp://www.gilirges.ru

hxxp://ftp.gilirges.ru

hxxp://www.tanmhopisj.xyz

hxxp://tanmhopisj.xyz

hxxp://dev.urbangroup.ru

hxxp://equalizer.dev.urbangroup.ru

hxxp://vk.equalizer.dev.urbangroup.ru

hxxp://partners.urbangroup.ru

hxxp://realty-2.urbangroup.ru

hxxp://ivakino.urbangroup.ru

hxxp://gtry.ru

hxxp://serferio.ru

hxxp://forum-laikovo.urbangroup.ru

hxxp://urbangroup.ru

hxxp://myrussianland.ru

hxxp://gb2nevinsk.ru

hxxp://englishbiblioteka.ru

hxxp://aleana63.ru

hxxp://aptekaplus23.ru

hxxp://chulkovo.info

hxxp://mchedlidze.ru

hxxp://stroytransm.ru

hxxp://flystore.ru

hxxp://kino-pirat.net

hxxp://2sunss.com

hxxp://posadisvoederevo.ru

hxxp://testcosmetic.com

hxxp://vkino.me

hxxp://v1080hd.com

hxxp://r-style.com

hxxp://science-techno.ru

hxxp://kinotuz.ru

hxxp://901901.ru

hxxp://ludota.ru

hxxp://maindoor.ru

hxxp://kinoxaba.ru

hxxp://youcanexcel.ru

hxxp://gidonlinehd.ru

hxxp://kinoggo.ru

hxxp://100pdf.net

hxxp://kinoext.ru

hxxp://www.mreporter.ru

hxxp://magobr.ru

hxxp://lg-soft.ru

hxxp://anapa-new.ru

hxxp://fat-man.ru

hxxp://gracio.ru

hxxp://ikd.ru

hxxp://poseidonboat.ru

hxxp://vetla.ru

hxxp://74dom.ru

hxxp://kabrik-servis.ru

hxxp://tehnopanda.ru

hxxp://creativejournal.ru

hxxp://ufamenu.ru

hxxp://idf.ru

hxxp://sporthit.ru

hxxp://injgeo.ru

hxxp://asbank.ru

hxxp://wood-lux.ru

hxxp://lbf51b14.justinstalledpanel.com

I'll continue monitoring the campaign and will post updates as soon as new developments take place.


Source: https://ddanchev.blogspot.com/2023/12/whos-pushing-all-fake-updates-malicious.html