{
	"id": "d20602ee-8f11-41ee-be80-41326f89810d",
	"created_at": "2026-04-06T00:14:48.608562Z",
	"updated_at": "2026-04-10T03:21:52.30278Z",
	"deleted_at": null,
	"sha1_hash": "1a789ca5f77588cd201b8c7f4bdd0a77762bb0f2",
	"title": "The path to infection - Eye glance at the first line of \"Russian Underground\" - focused on Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2001753,
	"plain_text": "The path to infection - Eye glance at the first line of \"Russian Underground\" - focused on Ransomware\r\nArchived: 2026-04-05 21:58:03 UTC\r\n2012-12-05 - Study\r\nOne year since I started \"active\" actions in understanding what is on the other side of a malware/mass infection campaign. I will share in one picture how I figure things.\r\n(I hope to have much feedback to fix/adjust my understanding)\r\nI will focus on the Ransomware case but most parts are valid for many other \"blind mass attacks\" (as Ransomware is a specific case of Botnet).\r\nStraight to the visual:\r\nhttps://malware.dontneedcoffee.com/2012/12/eyeglanceru.html\r\nPage 1 of 20\r\nEye glance at the first line of \"Russian Underground\"\r\nThe path to infection\r\nCredits for some models used here\r\nNote: New infection vector appeared in early 2013 - RDP compromise then Crypto Ransomware\r\nAnd now here are basic explanations to read the illustration (even if most of you don't need it :P).\r\nI won't talk about what happens after infection (data/voucher code reselling, money laundering, etc...). It's another story.\r\n(will try to add here a table of contents or list of anchor links)\r\n-Poke A Mole Concept\r\nI will first talk about a concept to which I will often refer, the forest hiding the tree, or the \"Poke A Mole board\".\r\nOn the previous map, most of the steps are represented by a single node, but even small groups will hide the real node/bad server behind redirectors/reverse proxies. It's easier to recreate a redirector than rebuild a new server once a node is burnt (read: blacklisted by browser internal protections or antivirus or other filtering tools).\r\nThe smallest group will have one server and multiple IPs, then we'll see some groups with one server and one redirector with multiple IPs, and bigger groups can daily add many redirectors.\r\nThis is how you can reach this kind of architecture for a single exploit kit:\r\nor even bigger (I saw one Blackhole with up to 2400 IPs available to reach it... at least 1940 when it was also hosting a Ransomware C\u0026C)\r\nSame goes for domains. Having hundreds of domains allows bad guys to switch from one to another and escape domain-based blacklisting. Managing domain generation/rotation can be manual, \"outsourced\", built into the tools or managed by dedicated tools. I'll give more details later.\r\nOne other great illustration for both was back in February/March 2012, the Sinowal/Torpig group hosting its custom Blackhole on infected nodes of its botnet and making it reachable via Fast-Flux \u0026\u0026 DGA (based on Twitter trends).\r\n-Infection vector:\r\nThis is how you get infected (as I focus on Ransomware, I won't talk about USB/Network Share etc..)\r\n\u003cedit 2013-03-25\u003e Some crypto-ransomware are now deployed after RDP compromise: bruteforce on Windows servers via Remote Desktop Protocol. \u003c/edit\u003e\r\n - Browsing Website:\r\n   - Compromised website: one website has been compromised, either using a vulnerability (usually on an outdated CMS) or using stolen credentials from the owner, and modified to redirect visitors to the infection.\r\nThere are a lot of dedicated tools to manage a huge amount of iFrames on websites with known credentials or known vulns\r\n   - Malvertising: same via a malicious fake advert (see advertising platforms)\r\n  - Chat/mail\r\n    - link to compromised website or exploit kit\r\n    - binary as attachment, or document with link to the exploit kit\r\n(Matsnu/Rannoh mainly spread by mail, and Skype was used to redirect users to BH EK 2.0 then Ransomware)\r\nThe tools:\r\nA Nacha/Facebook themed spam tool\r\nOne more mailer\r\nTo figure out more about that you can read:\r\n   - Manual download\r\n    - the victims download the binary by themselves thinking it's something else (a \"free\" version of a paid game, an indispensable video plugin, a disinfection tool, etc...)\r\n   - Push in botnet\r\nTools: Task option of most Botnet C\u0026C panels\r\nIn Upas:\r\nIn Zemra:\r\nIn Andromeda:\r\netc...\r\nAdvertising Platforms\r\nThe platform can be legit or not. Clicksor, Plugrush, Adfly are often victims of these kinds of badvertisers.\r\nSome platforms are built for that dark job. Malekal pointed at a fake platform in this brilliant post about MegoADS\r\nThese platforms are used or abused by bad guys to push advertisements that will drive the user to the redirection infrastructure, often for instance fake porn websites (see later).\r\nMalvert redirecting to \"Sibhost\" EK which is pushing Urausy\r\nCbeplay.P pushed by Sweet Orange via TrafficBroker Malvert\r\nBH EK 2.0 landing after tilt on malvert\r\nTools:\r\nAccount on legit platform TrafficHolder\r\nIf you want to learn more about malvertising you should follow Malekal's job.\r\nSome readings:\r\nMalvertising and Dynamic DNS: A Never Ending Story - 2013-02-08 - Abhinav Singh - Symantec\r\nFinnish Website Attack via Rogue Ad - 2012-12-05 - Sean - F-Secure\r\nAds Integrity Alliance: Working together to fight bad ads - 2012-06-14 - Google Official Blog\r\nGrandclix - a Clicksor Traffic Reseller... - 2014-01-27\r\nRedirection infrastructure:\r\nThis block covers all the steps between the first redirection and the exploitation. This is the \"Traffer Zone\".\r\nDepending on how many actors are involved/how mature the groups are, you can see a huge number of hops.\r\nThe first step after malvertising is a TDS or a fake website with redirect js\r\nTools:\r\nWhen modifying a saved legit page is not enough to build a fake site, there are dedicated tools to do this.\r\nInitial advert for FakeMaker\r\nFakemaker (one fake website builder)\r\n(more here: http://kafeine.minus.com/lsInqkPcgjHSY)\r\nIn some cases the fake website is used to \"prepare\" the victim. For instance, to increase the conversion rate (people paying among infected people) on ransomware, some traffers do not hesitate to redirect you to a fake child porn website (but with real images). The victim is shocked before being presented with a pseudo law enforcement warning.\r\nDedicated TDS. Those TDS can be hidden behind a forest of redirectors/reverse proxies.\r\nThey are redirecting traffic based on country/browser depending on the needs (client requests).\r\nOne TDS will often serve different exploit kits depending on the countries/sources of people hitting it.\r\nSutra,\r\n1 TDS many Exploit Kits (at least 5)\r\nFor instance a French landing here will be redirected to the default page.\r\nSutra driving IT Chrome user to a server faking Chrome Update\r\n(the server is in fact also a Blackhole Exploit Kit and Pony C\u0026C redirector)\r\nKeitaro:\r\nKeitaro - Traffic page\r\nSimpleTDS\r\nsTDS 2.0 MOD JackSoft (a simple TDS modification):\r\nOther tool: Traffic Shop Analyzer, the father of Ninja-TDS\r\nTraffic Shop Analyzer v3.2 lite\r\nIllustrating 2 paths:\r\n2 paths: a straight simple path (red) vs a more advanced one with multiple nodes and \"poke a mole boards\"\r\n(I'll add a real life illustration at the end)\r\nThe RunForestRun campaign that included DGA was traffer-side work.\r\nThe js were redirecting to a TDS which could then redirect to other TDS or to Exploit Kits (we saw at least Blackhole and Redkit).\r\nWant to read more about TDS and Traffic exchange platforms?\r\nUsing Traffic Direction Systems to simplify fraud... and complicate investigations! - Maxim Goncharov - Trendmicro for VB2011\r\nTraffic Exchange Platforms\r\nWon't spend a lot of time here. These are places where traffers/EK operators can register and sell/buy traffic.\r\nThere are tools to build this kind of platform\r\nSmall Traffic Exchange Platform (based on Web-Traffic Shop) stats\r\nDomain rotator system\r\nTools/utilities that cover the need for fast/mass domain rotation.\r\nMost exploit kits have built-in features for this.\r\nThis was one of the additions to version 2.0 of Blackhole Exploit Kit.\r\nThis is one of the big features of Redkit (domain every hour, path every few seconds); it has also been added to ProPack. The group behind the Cool EK pushing Reveton also has a backend system (I saw at least ten IPs) with an API to serve active hijacked domains to traffers\r\nTools:\r\nQpi Rotator\r\nQpi Rotator Settings allowing domain auto-rotation based on blacklisted level\r\nExploit Kits\r\nWon't spend a lot of time here either as most posts in this blog are focused on this part.\r\nThe basics\r\nA binary life\r\nThis is to illustrate the Crypt and AV Check Services.\r\nNote that most tools on the path are able to check how clean a binary, exploit pack or domain is.\r\nCool EK checks both binary and \"sploit pack\".\r\nRedkit (old capture)\r\nBlackhole allows binary check through 2 services\r\nCheck feature included in Citadel Botnet\r\nIn Upas kit:\r\nSometimes the crypt provider allows you to add more features than just bypassing Antivirus:\r\nCrypt4u. Note: Bypass UAC, Disable Firewall, etc.... 2014-02-17\r\nUnderground Forums\r\nThis is a key point where all independent actors exchange service offers and establish contacts. Reading this blog you'll see many screenshots of announcements or service offers. Forums are also often the place where conflicts are solved, in a section often named \"Black\"/\"Blacklist\".\r\nIf you want an idea of the diversity of services take a look at this advert collection: http://kafeine.minus.com/mnrcD1JxAzu2U (focused on: Traffing, Hosting, Crypting, Virtual Currency Exchange, Ransomware affiliates etc...). These adverts are found inside services (Forums, Scan, Crypt, Blackhole.. etc)\r\nSo behind an infection there is a dark economy in turmoil with a lot of specialized individuals/groups.\r\nWe can spend a lot of time discussing each hat/job in the path, from the domain registration to the hosting, from the coding to the spreading, but it was just an eye glance :)\r\nFeel free to comment / send remarks kafeine at dontneedcoffee dot com.\r\nReading/resources:\r\nMalicious Software and its Underground Economy: Two Sides to Every Story - Lorenzo Cavallaro - Coursera (1st Session July 2013)\r\nSource: https://malware.dontneedcoffee.com/2012/12/eyeglanceru.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malware.dontneedcoffee.com/2012/12/eyeglanceru.html"
	],
	"report_names": [
		"eyeglanceru.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a789ca5f77588cd201b8c7f4bdd0a77762bb0f2.pdf",
		"text": "https://archive.orkl.eu/1a789ca5f77588cd201b8c7f4bdd0a77762bb0f2.txt",
		"img": "https://archive.orkl.eu/1a789ca5f77588cd201b8c7f4bdd0a77762bb0f2.jpg"
	}
}