dimanche 20 août 2017

A third look at JSDropper/ursnif campaign - Proxy Statistics


I've already talked a lot about the Ursnif campaigns against the EU, and mainly Italy, spread by a JScript dropper (you know, the JScript that contacts /r6.php?cmd=p&id=, /l2.php?cmd=p&id=, /re.php?cmd=p&id=, etc.), but 6 months after my last blog post the crooks are still at it and I now have enough data for some cool statistics.
For the last 6 months I've collected the access.log files of one proxy used by this botnet. I'll try to detail that here.
There is no magic, I've just used Splunk :D

As a reminder, this campaign is used to spread Ursnif like this:

On the same proxy server you can find further proxy scripts (usually one script per campaign), and those scripts look like this:

So, I've retrieved the access.log of one of these proxies and extracted the traffic relevant to our case.


Some global statistics for one proxy, from February 2017 to August 2017:
  • Total number of hits on all the proxy scripts: 924 021
  • From 108 367 unique IPs
  • on 16 different PHP proxy scripts
Filename       Hits     First seen   URL (redacted)   Malware
/3E2s4R.php    610 787  June                          Onliner
/re.php        137 352  June                          JSDropper
/term.php      121 669  February                      JSDropper
/l2.php         52 288  February                      JSDropper
/r4.php          1 848  February                      JSDropper
/0iSP0c.php          7  June                          Onliner
/130D0G.php          7  June                          Onliner
/1AtJai.php          7  June                          Onliner
/HTsGeg.php          7  June                          Onliner
/J65oH1.php          7  June                          Onliner
/PaD8qo.php          7  June                          Onliner
/XI2jHR.php          7  June                          Onliner
/8QE2UX.php          6  June                          Onliner
/Xou0HC.php          6  June                          Onliner
/19pYvo.php          5  June                          Onliner
/LPQQLc.php          5  June                          Onliner
We can see two different cases:
  • Some PHP proxies are used in production
  • Some PHP proxies seem to be used for tests only.
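The numbers above come from the author's Splunk searches, which are not shown. As an added example (not code from the original post), here is the same computation done offline in Python over Apache combined-format access.log lines: hits per PHP script, unique source IPs, first-seen month, the share of the busiest IP, and the "test vs production" split used in the next section (few hits, all from one IP). The log lines are constructed to imitate the request shapes the post describes and are not real records from the proxy; the 10-hit test threshold and the JSDropper URL pattern (cmd=e / cmd=p&id=) are assumptions drawn from the post, not rules from the author.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access.log lines (Apache "combined" format). They imitate the
# traffic shapes described in the post but are NOT real records from the proxy.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2017:10:01:02 +0100] "GET /term.php?cmd=e HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.11 - - [03/Feb/2017:10:02:15 +0100] "GET /term.php?cmd=p&id=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.10 - - [04/Feb/2017:11:00:00 +0100] "GET /l2.php?cmd=e HTTP/1.1" 200 3 "-" "Mozilla/4.0"
203.0.113.11 - - [05/Feb/2017:11:00:00 +0100] "GET /l2.php?cmd=p&id=3 HTTP/1.1" 200 3 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jun/2017:08:00:00 +0200] "GET /0iSP0c.php HTTP/1.1" 200 3 "-" "-"
198.51.100.7 - - [12/Jun/2017:08:00:05 +0200] "GET /0iSP0c.php HTTP/1.1" 200 3 "-" "-"
198.51.100.7 - - [12/Jun/2017:08:01:00 +0200] "GET /0iSP0c.php HTTP/1.1" 200 3 "-" "-"
203.0.113.10 - - [15/Jun/2017:09:00:00 +0200] "POST /re.php?cmd=p&id=2 HTTP/1.1" 200 3 "-" "Mozilla/4.0"
203.0.113.12 - - [15/Jun/2017:09:00:01 +0200] "GET /re.php?cmd=e HTTP/1.1" 200 3 "-" "Mozilla/4.0"
203.0.113.10 - - [16/Jun/2017:09:00:00 +0200] "GET /re.php?cmd=e HTTP/1.1" 200 3 "-" "Mozilla/4.0"
192.0.2.5 - - [16/Jun/2017:09:30:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request shapes the post attributes to JSDropper: <name>.php?cmd=e and <name>.php?cmd=p&id=<id>.
# Assumption: no further query parameters; tighten or loosen if your logs show other variants.
JSDROPPER_RE = re.compile(r'^/[^/?]+\.php\?cmd=(?:e|p&id=[^&]*)$')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["script"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_jsdropper_request(path):
    """True when the request path looks like a JSDropper check-in (cmd=e or cmd=p&id=...)."""
    return bool(JSDROPPER_RE.match(path))


def proxy_stats(log_text, script_suffix=".php", test_max_hits=10):
    """Per-script statistics for every *.php path seen in an access log.

    A script is classed "test" when it has at most test_max_hits hits and all of them
    come from a single IP (the post's observation about the low-volume proxies);
    everything else is "production". The threshold is an assumption, not a figure
    from the post.
    """
    hits = Counter()
    ip_hits = defaultdict(Counter)  # script -> Counter(ip -> hits)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["script"].endswith(script_suffix):
            continue
        s = rec["script"]
        hits[s] += 1
        ip_hits[s][rec["ip"]] += 1
        if s not in first_seen or rec["ts"] < first_seen[s]:
            first_seen[s] = rec["ts"]

    per_script = {}
    for s, n in hits.items():
        top_ip, top_n = ip_hits[s].most_common(1)[0]
        per_script[s] = {
            "hits": n,
            "unique_ips": len(ip_hits[s]),
            "first_seen": first_seen[s].strftime("%B"),
            "top_ip": top_ip,
            "top_ip_share": round(100.0 * top_n / n, 2),  # percentage of hits from the busiest IP
            "kind": "test" if n <= test_max_hits and len(ip_hits[s]) == 1 else "production",
        }
    all_ips = set().union(*ip_hits.values()) if ip_hits else set()
    return {
        "total_hits": sum(hits.values()),
        "unique_ips": len(all_ips),
        "scripts": len(hits),
        "per_script": per_script,
    }


if __name__ == "__main__":
    stats = proxy_stats(SAMPLE_LOG)
    print(f"{stats['total_hits']} hits from {stats['unique_ips']} IPs on {stats['scripts']} scripts")
    for script, st in sorted(stats["per_script"].items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{script:14} {st['hits']:>6} {st['unique_ips']:>5} {st['first_seen']:<9} "
              f"{st['kind']:<10} top {st['top_ip']} ({st['top_ip_share']}%)")
```

On a real proxy log, feed the file contents to `proxy_stats` and use `is_jsdropper_request` to separate JSDropper check-ins from unrelated hits on the same host before counting; the "top IP share" column is what surfaces cases like the single Italian IP behind half of the /re.php traffic described further down.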

Tests proxies

I'll start with the "test proxies". I call them that because they have only a few hits (~5) and all the hits on those pages come from the same IP :]
This IP is not new in this game :), do you remember the whitelisting feature in the spam bot panel?
This IP was in the list of allowed IPs in the Spambot panel:

These proxy scripts are configured to forward traffic to hxxp://, which is the Onliner Spambot, probably the testing instance.

Production proxies

Some details about each proxy script:


This one is my favourite.
The proxy recorded 610 787 hits on this file (/3E2s4R.php in the table above) from ~100 000 unique IPs, and I'm unable to find any sample on a public sandbox.
That is a lot of hits when you remember that these statistics concern only one proxy! It was used to forward the Spambot traffic to


This one (/re.php) was hit 137 352 times by 1 335 unique IPs. It is used to forward JSDropper traffic to
This proxy was used for the JSDropper campaign "NEWIT" (Ursnif).
Interesting fact about this one: 51.28% of the hits come from a single IP (Italy).
Some IOCs:
  • d5291865ff80cd7cc9f425a145351bb7234383f1
  • 67e1c342f6b41d163a6208b3ccebb991c0650473


This one (term.php) is used to forward JSDropper traffic to
121 669 hits from 2 259 unique IPs.
It was used for the campaigns "WASP", "iphone", "summer", "old", "u1", "NEWIT" and "404" (Ursnif).

Some IOCs:
  • hxxp://www.volf.de/term.php?cmd=e
  • hxxp://pajaje.borec.cz/term.php?cmd=e
  • hxxp://hotelsantantonio.com/term.php?cmd=e
  • hxxp://
  • hxxp://fb-arredamenti.it/term.php?cmd=e
  • hxxp://psymaster.wz.cz/term.php?cmd=e
  • hxxp://getting-reconnected.de/term.php?cmd=e
  • hxxp://ebkk.nl/term.php?cmd=e
  • hxxp://supercondmat.org/term.php?cmd=e
  • 2016dfb44f452adcdd96b7781fdfb581ac72b0f7392404805f08d57210d16ad9
  • a1bd385b59efe1be13da9e8a008e06a6fb6cc07acd2727be22d076c7a2b27155
  • 01853d1552ca4032e5fdc251cc92d57dffd5912411666c7842106d730ada09f4


This one (l2.php) is used to forward JSDropper traffic to
52 288 hits from 716 unique IPs.
This one is very old: I have logs from November 2016 for this script.
At that time they were not using campaign or group names, and they were already using ... Ursnif.

Some IOCs:
  • http://191860.webhosting63.1blu.de/l2.php
  • http://454391.webx04.mmc.at/l2.php
  • http://ballettschule-nottuln.de/l2.php
  • http://edle-steine.at/l2.php
  • http://enmoto.com/l2.php
  • http://evastrutzmann.at/l2.php
  • http://evi-verein.at/l2.php
  • http://fioravanti-production.org/l2.php
  • http://friesl-keramik.at/l2.php
  • http://ftp.dimensionevideo.it/l2.php
  • http://ftp.italiabrowsergame.com/l2.php
  • http://getting-reconnected.de/l2.php
  • http://gunnebo.eniac.it/l2.php
  • http://hobbygartenteich.at/l2.php
  • http://hotelsantantonio.com/l2.php
  • http://humanitas-gbr.de/l2.php
  • http://jambasket.com.hk/l2.php
  • http://juwelier-hohenberger.de/l2.php
  • http://katstones.de/l2.php
  • http://lklv.wz.cz/l2.php
  • http://mauriz.at/l2.php
  • http://meindl-edv.eu/l2.php
  • http://nr11303.vhost-enzo.sil.at/l2.php
  • http://pajaje.borec.cz/l2.php
  • http://patrickhess.de/l2.php
  • http://pferdemedizin-stanek.at/l2.php
  • http://portoverde.it/l2.php
  • http://positivemindstates.com/l2.php
  • http://psymaster.wz.cz/l2.php
  • http://reimer-wulf.de/l2.php
  • http://sca.homelinux.com/l2.php
  • http://spatialpourtous.com/l2.php
  • http://supercondmat.org/l2.php
  • http://tennis-arnfels.at/l2.php
  • http://tischlerei-kreiner.at/l2.php
  • http://umzuegeberlin.com/l2.php
  • http://www.diamondfitness.hu/l2.php
  • http://www.drogenhilfezentrum.de/l2.php
  • http://www.dtk-brandenburg.de/l2.php
  • http://www.elektro-morjan.de/l2.php
  • http://www.kurzhaarteckel-trakehner.de/l2.php
  • http://www.midnightlady2006.de/l2.php
  • http://www.msinformatica.it/l2.php
  • http://www.seelackenmuseum-sbg.at/l2.php
  • http://www.skyways-ragdolls-zwergspitze.de/l2.php
  • http://www.teeversand24.net/l2.php
  • http://www.valentinavalsania.it/mdb-databases/cgi-bin/l2.php
  • http://www.webstream.at/l2.php
  • a10cd296e3f58fe329bbff6edaf0bdbb1f9099a088b7a5cede583dda09dd7cf2
  • 5add967a8dc9d7669e7d8da9882329600874b3a35d2a8f087820438ae112cecd
  • fbfe6048514c7fc944c0f56a480d8c4963fce9018b5d3ae8cf39c5840979930c
  • 9a44ff53471012328a3b167c149ed71c2e82b117de8f9463f5773b5b4f5cc7b6
  • 0bf1c1b457818bf7acb6eda33b0f8eb6e9ce026aee620707f6b4e4b58a2e77d0


And the last one: r4.php.
1884 hits by 302 IPs. Used during the campaigns "mk1", "mk2", "bomber" and one with no name ("").
Some IOCs:
  • hxxp://191860.webhosting63.1blu.de/r4.php?cmd=e
  • hxxp://werbekalender-werbenotebooks.de/r4.php?cmd=e
  • http://positivemindstates.com/r4.php?cmd=e
  • di000240.host.inode.at/r4.php?cmd=e
  • http://patrickhess.de/r4.php?cmd=e
  • c827511b425cbc91faf947f1c3d309db3dde7419fe8c892380a03c71b5196e0e


This threat is starting to get very noisy; they keep spreading malware the same way every time.
If somebody reading this works on the Ursnif side, don't hesitate to ping me, I'll share my data :]

I hope this example can help you to better understand cybercrime threats. Happy hunting \o/