This is not the usual kind of post I write, but I decided to go ahead, as the campaign is quite big (enough to modify the EK market share feeling) and I have some compromised domains to share for remediation (see at the end).
A big campaign was active from at least 2013-09-27 to 2013-10-14.
A huge number of compromised websites were conditionally redirecting to a Sweet Orange instance pushing Andromeda (post by Sucuri about this campaign):
[Image: Sweet Orange 82 - 2013-09-27 - Payload: Andromeda]
The campaign was really widespread and was, imo, responsible for the feeling among some that Sweet Orange was prevailing after Paunch's arrest (so maybe in "tilt number", but I think most actors are on Neutrino, Magnitude and Nuclear Pack).
The campaign suddenly stopped redirecting to Sweet Orange on 2013-10-14, redirecting instead to google.com, and the day after to [rotating].sytes.net/atb/counter.php, then to google.
(Note: at the same time, 4-5 other Sweet Orange threads I was following also disappeared, which made me tweet a few days later:
Sweet Orange out of the "battlefield" since around 60 hours. Is something happening here too? Note: have been pointed to at least 2 SWO threads that are still active)
— kafeine (@kafeine) October 18, 2013
[Image: That campaign has a huge place (by Sucuri)]
That campaign was still "on hold" yesterday (BadwareBusters thread):
[Image: On Hold Campaign. Redirecting to Google - 2013-10-22]
The infection process is on again, but now redirecting to Neutrino.
(It's enough to assume that the actors can speak Russian or are better than most of us at using Google Translate.)
[Image: Neutrino thread pushing Andromeda]
Having no access to a compromised server, and based on the way the redirection is handled, I thought it was driven by a rogue Apache module (Darkleech or CDorked, installed on compromised servers via cPanel/Parallels Plesk server vulns), but it seems it's more likely compromised Joomla/WordPress installs.
Payload I got (it's obviously rotating):
1074b843c0b6e783ee1314c9759067a2 (sample - VT - Malwr )
@kafeine This is Andromeda 2.7 (CKF81X), I confirmed. 67c7f325d951a444f203489274a0ca62 is the actual payload hash after unpacking.
— Raashid Bhat (@raashidbhatt) October 23, 2013
@kafeine here is the c2c config http://t.co/erF2v7WqkW; currently the c2c is replying with no updates
— Raashid Bhat (@raashidbhatt) October 23, 2013
-----
46.22.211.60
34702 | 46.22.208.0/20 | WAVECOM | EE | WAVECOM.EE | AKTSIASELTS WAVECOM
POST /rukomorsdx/forum.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: base.thecreatureteacher.com
Analysis by Joe Sandbox Cloud
-----
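To turn the captured check-in above into something a SOC can act on, here is an added example (my own code, not from the post, from Joe Sandbox or from any of the vendors cited) that scans proxy-log lines for two of the indicators described in the post: the Andromeda check-in pattern (a form-encoded POST to a `forum.php` path with the bare `Mozilla/4.0` User-Agent, as in the capture) and the intermediate redirector on a rotating sytes.net subdomain at `/atb/counter.php`. The log format and the sample lines are constructed for the example; the Andromeda rule generalizes the single request shown here (any host, any path ending in `/forum.php`), so treat that generalization as an assumption and tune it to your own telemetry.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy-log lines (made up for this example, not from the post).
# Field layout (an assumption of this example): timestamp client method host path "user-agent" content-type
SAMPLE_LOG = """\
2013-10-23T10:01:02 10.0.0.5 POST base.thecreatureteacher.com /rukomorsdx/forum.php "Mozilla/4.0" application/x-www-form-urlencoded
2013-10-23T10:01:05 10.0.0.7 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1)" -
2013-10-23T10:02:11 10.0.0.5 GET abc123.sytes.net /atb/counter.php "Mozilla/5.0 (Windows NT 6.1)" -
2013-10-23T10:03:40 10.0.0.9 POST forum.example.org /forum.php "Mozilla/5.0 (X11; Linux)" application/x-www-form-urlencoded
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+)$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, ua, ctype = m.groups()
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "ua": ua, "ctype": ctype}


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return the name of the matching rule, or None if the request looks benign."""
    # Rule 1: Andromeda check-in as captured in the post: POST, form-encoded body,
    # path ending in /forum.php, and the bare "Mozilla/4.0" User-Agent (no platform token).
    # Requiring all four together keeps ordinary forum POSTs from a real browser out of the hits.
    if (entry["method"] == "POST"
            and entry["path"].endswith("/forum.php")
            and entry["ctype"] == "application/x-www-form-urlencoded"
            and entry["ua"] == "Mozilla/4.0"):
        return "andromeda_checkin"
    # Rule 2: the intermediate redirector on a rotating sytes.net subdomain, as observed on 2013-10-15.
    if entry["host"].endswith(".sytes.net") and entry["path"] == "/atb/counter.php":
        return "sytes_rotator"
    return None


def flag_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed entry that matches a rule, with the rule name attached."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rule = classify(entry)
        if rule is not None:
            hits.append({**entry, "rule": rule})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["host"]}{hit["path"]} [{hit["rule"]}]')
```

On the constructed sample, the two lines from client 10.0.0.5 are flagged (the check-in and the rotator visit) while the legitimate forum POST from a full browser User-Agent is not; in practice you would join the rotator hit with the check-in from the same client a minute later to prioritise that host for reimaging, and feed the domain list from the pastebin above into the same matcher as a third rule.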
At least 8000 domains were redirecting to the rotator (but I think it's far more than that).
http://pastebin.com/raw.php?i=1vFNKdSW (Please use for remediation; some CERTs (CA/CH/CZ/FR/FI/PL) should have already been informed.)
<edit1 : 2013-11-01>
After a few days out (after that post), they are back again, using an intermediate redirector at: [rotating].dezit/counter.php
[Image: Counter-Andro gang back on Neutrino]
</edit1>
Read More:
Neutrino: Caught in the Act - Karmina Aquino & Daavid Hentunen - 2013-10-23 - F-Secure
Malware iFrame Campaign from Sytes(.)net - Daniel Cid - 2013-10-03 - Sucuri.net
Hello Neutrino! (just one more Exploit Kit) - 2013-03-17 - last update 2013-10-03