Deceptive vendors of PUAs (Potentially Unwanted Applications) continue relying on a multitude of traffic acquisition tactics, which in combination with the ubiquitous for the market segment ‘visual social engineering‘, continue tricking tens of thousands of users into installing the privacy-violating applications. With the majority of PUA campaigns, utilizing legitimately looking Web sites, as well as deceptive EULAs (End User License Agreements), in 2014, the risk-forwarding practice for the actual privacy-violation, continues getting forwarded to the socially engineered end user.

We’ve recently intercepted a rogue portfolio consisting of hundreds of thousands of blackhat SEO friendly, legitimate applications, successfully exposing users to the Sevas-S PUA, through a layered monetization relying on OpenCandy/Conduit affiliate based revenue sharing networks.

More details:

Sample screenshot of the Sevas-S/OpenCandy PU serving Web site:

PUA_Potentially_Unwated_Application_Rogue_Fake_Legitimate_Applications

Deceptive portfolio domain name reconnaissance: hxxp://joydownload.com – 54.235.94.58

Detection rate for a sample Sevas-S/OpenCandy PUA:
MD5: a8fb69cf527df4a731333c06129faf3a – detected by 15 out of 51 antivirus scanners as PUP.Optional.OpenCandy; Sevas-S Installer

Serial number: 4B 35 AC 22 3F4 DB 03 D3 B4 C5 36 89 83 A4 B53

Related Sevas-S certificate numbers:
52 74 71 e5 38 62 e2 f9 0ab 45 ed 4a cb 8f 4c2
6b 59 cd e1 53 f9 d6 b8 05 25 99 e5 05 47 7c 19

Deceptive PUA vendor’s domain name reconnaissance: hxxp://sevas-s.com – 107.23.223.98

Known to have been downloaded from the same IP (107.23.223.98) are also the following PUAs:
MD5: e1a49c030ca2f679b70d92ec3637bf1e
MD5: ce9f84f734cbb6a29eee377112d9e5cf

PUA_Potentially_Unwated_Application_Rogue_Fake_Legitimate_Applications_Sevas-S_LLC

Once executed, the sample phones back to:
api.opencandy.com – 204.232.180.209
media.opencandy.com – 54.231.2.241; 54.231.0.65
cdn.opencandy.com – 87.248.203.254
installs.sevas-s.com – 107.23.223.98
d3.sevas-s.com – 5.79.64.239
sp-installer.conduit-data.com – 54.83.197.43
sp-storage.conduit-services.com – 23.67.3.152
sp-download.conduit-services.com – 199.101.114.124
sp-storage.spccinta.com – 23.66.234.207
sp-settings.conduit-services.com – 23.67.3.152
mediahelper.org – 23.21.66.175
servicemap.conduit-services.com – 23.67.3.152
sp-alive-msg.conduit-data.com – 23.23.100.240
sp-autoupdate.conduit-services.com – 23.67.3.152
sp-ip2location.conduit-services.com – 199.101.114.209

Related Sevas-S download locations:
d2.sevas-s.com – 198.7.58.217
d3.sevas-s.com – 5.79.64.239
d4.sevas-s.com – 162.210.192.105
d5.sevas-s.comv – 207.244.67.208
d6.sevas-s.com – 207.244.67.198
d7.sevas-s.com – 207.244.67.199

Go through related assessments of PUA (Potentially Unwanted Applications) campaigns intercepted in the wild:

Related domains known to have responded to the same IP (mediahelper.org; 23.21.66.175):
2download.co
cpuz.2download.co
directx.2download.co
mediahelper.org
2download.co
youtube-to-mp3-converter.org
youtubeconverterhd.co.uk
youtubetomp3format.com

Related MD5s known to have been downloaded from the same IP (23.21.66.175):
MD5: e6bbd7ce83192d5505489fe738b547e8
MD5: 8e29d732e07a67858d10ee6b85230df7
MD5: 5f7e3f9758aa425fdc602f4b03cdfa2e
MD5: 2462a20c590399755577761bfb9cf919
MD5: 9b860b6e48c6266f09935c6245fea623
MD5: 9affdce21391343f83d84bea830e90a0

PUA_Potentially_Unwated_Application_Rogue_Fake_Legitimate_Applications_Sevas_LLC_01

Known to have phoned back to (204.232.180.209) are also the following malicious MD5s:
MD5: e3d95855c85654de83286f1b6ad4a421
MD5: 0a3617a094b5a73e8bdd2655ff257a7b
MD5: 234047e53ba58255cc24fd7e38b385bc
MD5: 8eac6af7ffd80e5731cc7c5b6ffadeae
MD5: 69e1d70d315c502f5d963f2ed5f39ae4
MD5: f64e14110f8f5871011d3f3cc0566539
MD5: 28bf2ec685291297970b56b48b113e32
MD5: ea70d275f6de4229bfad9bda9ad5d380
MD5: 72b64cc54e107a8df3f1b6047a5d9c97
MD5: 2f18fad5471733f1924a8b6bdfd52867
MD5: aa49205590c65803c5a47d21fad6f09d
MD5: 5d230f2dfadbccbe38c3b103ab275429
MD5: 5fd51587e1e0aeae6deaa6883c2034b7
MD5: cb9ea2692f0aa50d3967fb690717642a
MD5: a66bec592f954fe04efd06e64f9ad96a

Known to have phoned back to the same IP (54.231.2.241) are also the following malicious MD5s:
MD5: f33c86664d84fbbc8e05c4a7ec7941db
MD5: 92f312b8ce0248e11e83afbc891ef710
MD5: 7dba9a415756f20632a66dce2eaffca0
MD5: ec0de726447384b03bb99c2b940c9957
MD5: 20532744bd920846f097b42cb3d044e8
MD5: 9a77df392689b193c2d0eb1f8d7b9312
MD5: 4d4d0544d53f00fce5e7ce76f97dc480
MD5: 749be75d111c51e274b2bb65668592bf
MD5: 6aaee6759cd9795ab619cf1dfc022260
MD5: a8fb69cf527df4a731333c06129faf3a
MD5: 8f140e54e26b081cad542065aefe8d3b
MD5: 42c3418efcdb5b6bb8d7561f14ad2187
MD5: dec13aa433387f7644d5042cd2f10c4d
MD5: 6138dcbf580b1463dbf53863cdc8531a

Webroot SecureAnywhere users are proactively protected from these PUAs.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This