A Method for Infiltration Using W.I.X.

By Candice Carter

Executive Summary

W.I.X. is the website-building collaboration with Microsoft for Office 365 customers. Office 365 was recently infected with TrickBot malware, which spread to the W.I.X. service (160 million websites). The attack on W.I.X. spread to its website customers’ embedded social media accounts, powering a crypto-mining malware ecosystem.

The compromised user for this use case is Rebecca Amidei (@bebe.bb.bebe), a resident of the swing state of Michigan. Ms. Amidei is the former girlfriend of Paperboy Prince, a controversial candidate for New York’s 7th Congressional District. Paperboy Prince lost in the primaries, then petitioned and was on the ballot on November 3, 2020.

Incident

  • Instagram

Instagram deactivated Rebecca Amidei’s (@bebe.bb.bebe) account without warning on October 1, 2020, for not obeying community rules. Searching for her hashtag #bebetattoos returns hashtags “hidden for possible spread of information and harmful content related to the election” by Instagram.

  • W.I.X.

The website for Rebecca Amidei’s (@bebe.bb.bebe) tattoo business is bebeamidei(.)com. Reviewing bebeamidei(.)com with Maltego/ThreatCrowd showed the website surrounded by cryptocurrency infrastructure and redirecting to servers associated with the following trojans:

  1. WIN32.INJECT1.EAGEWV
  2. TROJAN:WIN32/DYNAMER
  3. ZEUS GEOMA(.) C.O.M. (.) B.R.

Figure 1. bebeamidei(.)com (in blue) with surrounding connections [image: bebeamidei.png]

  1. Additional Malicious Activity for bebeamidei(.)com includes:
    1. url-system-http://northsidebarbershop(.)com/location.htm
    2. worldlotteryassociation(.)org
    3. lloydsbankservice(.)org
    4. online-btc(.)com
    5. one-health(.)br(.)com
    6. yukiheavenly(.)com
    7. branding-stock(.)com
    8. wholesaleinsider(.)us
    9. walmartappraisal(.)com
  2. Dark Web identified websites connected to bebeamidei(.)com
    1. bebeamidei.hzc(.)io
    2. bebeamidei.devices.resinstaging(.)io
    3. bebeamidei.cust.dev.thingdust(.)io
    4. bebeamidei.cust.disrec.thingdust(.)io
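The indicators in this write-up are defanged with the “(.)” convention (and, in a couple of places, letter-by-letter TLDs such as “C.O.M.”), which a blocklist or SIEM lookup cannot consume directly. The following is an added example, not code from the original post or from any tool it names: a small Python helper that refangs the report’s notation, classifies each indicator as an IP, a CIDR block or a domain, and checks an address against a set of blocks. The sample list is constructed from values on this page; the handling of the “url-system-” prefix and of dotted-letter labels is my own heuristic, not a documented format.

```python
"""Normalize defanged OSINT indicators into a watchlist a defender can load.

Added example; mirrors the "(.)" and "C.O.M." defanging style used in the
report above.  Input sample is constructed from values quoted on the page.
"""
import ipaddress
import re

# Constructed sample, copying the report's defanging conventions
SAMPLE_INDICATORS = [
    "bebeamidei(.)com",
    "url-system-http://northsidebarbershop(.)com/location.htm",
    "PAPERBOYPRINCE(.) C.O.M.",
    "bebeamidei.cust.dev.thingdust.(.)io",     # stray dot, as in the report
    "d36109lmlgs63y(.)cloudfront(.)net",
    "23.236.62.147",
    "172.247.132.0/23",
    "not an indicator",
]

_DOTTED_LETTERS = re.compile(r"^(?:[A-Za-z]\.)+$")          # e.g. "C.O.M."
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label


def refang(token: str) -> str:
    """Turn a defanged host like 'PAPERBOYPRINCE(.) C.O.M.' into 'paperboyprince.com'.

    Scheme and path are dropped; only the host part is returned.
    """
    s = token.strip()
    s = re.sub(r"^url-system-", "", s)   # tool prefix seen in the report (assumption)
    s = re.sub(r"^https?://", "", s)     # drop the scheme
    s = s.split("/", 1)[0]               # keep the host, drop any path
    labels = []
    for part in s.split("(.)"):
        part = part.strip()
        if _DOTTED_LETTERS.match(part):  # "C.O.M." -> "COM"
            part = part.replace(".", "")
        labels.append(part)
    host = ".".join(labels)
    host = re.sub(r"\.{2,}", ".", host)  # collapse '..' left by a stray dot
    return host.strip(".").lower()


def classify(token: str):
    """Return (kind, value) with kind in {'ip', 'cidr', 'domain'}, or None."""
    raw = token.strip()
    try:
        if "/" in raw:                   # CIDR blocks are checked before refanging
            return ("cidr", str(ipaddress.ip_network(raw, strict=False)))
        return ("ip", str(ipaddress.ip_address(raw)))
    except ValueError:
        pass                             # not an address; treat as a host name
    host = refang(raw)
    labels = host.split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return ("domain", host)
    return None


def build_watchlist(tokens):
    """Group indicators by kind, dropping anything that does not parse."""
    watch = {"ip": set(), "cidr": set(), "domain": set()}
    for t in tokens:
        hit = classify(t)
        if hit:
            watch[hit[0]].add(hit[1])
    return watch


def matches_block(ip: str, cidrs) -> bool:
    """True if the address falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


if __name__ == "__main__":
    watch = build_watchlist(SAMPLE_INDICATORS)
    for kind in ("ip", "cidr", "domain"):
        for value in sorted(watch[kind]):
            print(f"{kind:7} {value}")
    print("172.247.133.7 in blocks:", matches_block("172.247.133.7", watch["cidr"]))
```

The output of `build_watchlist` is plain strings, so it can be written straight into a DNS sinkhole list, a firewall object group or a SIEM lookup table; anything that fails to parse is dropped rather than silently turned into a bad rule.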

Additional information connected to bebeamidei(.)com

  • The San Francisco, California, U.S.A. phone number 14154291173 associated with bebeamidei(.)com does not belong to the owner of the website, Rebecca Amidei.
  • 23.236.62.147
    • Phishing
    • HEUR:.Trojan.MSIL
    • Suppobox
    • VB:Trojan.VBA.Agent
    • Virut
  • 185.230.60.102
    • CVE-2017-0199 – Remote Code Execution with Windows API
    • Appendix A lists the websites for 185.230.60.102
  • Content analysis of bebeamidei(.)com yields 1795 results, a few highlighted below:
    • The related instances of Gandi(.)net (37°45’03.6″N 97°49’19.2″W) host Odoo, an open-source business management software suite that includes e-commerce functionality. Each I.P. related to these A.S.N.s and Odoo hosts approximately 1000 servers. Various A.S.N.s host the Odoo software from the countries below:
      • China
      • Germany
      • U.S.A.
      • South Africa
      • Netherlands
      • Austria
      • Hong Kong
      • Italy
      • Philippines
      • Spain
  • The related instances of nic(.)ru host the website Crio-Holds(.)com, a Russian outdoor climbing equipment company.
  • A new login was created on the outdoor mountain bike domain pinkbike(.)com using Rebecca Amidei’s Instagram name (@bebe.bb.bebe) and website name (bebeamidei).
    • The Pinkbike domain has a redirect to ogp(.)me on IP 99.84.251.25. Ogp is the Open Graph Protocol from Facebook.
      • Ogp(.)me located in the same physical location (37°45’03.6″N 97°49’19.2″W) as Gandi(.)net China attack servers (Cnservers L.L.C. (172.247.132.0/23))
      • IP 99.84.251.25 hosts POTUS1 (d36109lmlgs63y(.)cloudfront(.)net) links are related to MountVernon(.)org
      • MountVernon(.)org has 17 related IPV4 Hosts, 3 Hosts are “MICROSOFT-CORP-MSN-AS-BLOCK”
  • MICROSOFT-CORP-MSN-AS-BLOCK
    • Of the 4B I.P. hosts related to “MICROSOFT-CORP-MSN-AS-BLOCK”, the sample contained several servers in Ukraine and South Africa.

Figure 2. Spyse view of MICROSOFT-CORP-MSN-AS-BLOCK related I.P. hosts [image: spyse.png]

  • Of the 3.5 domains related to “MICROSOFT-CORP-MSN-AS-BLOCK”, the sample contained China and the U.S.A. The U.S.A. domains appear compromised.

Figure 3. Spyse view of MICROSOFT-CORP-MSN-AS-BLOCK related domains [image: spyse2.png]

  • PAPERBOYPRINCE(.) C.O.M.
    • The Paperboyprince(.)com website belongs to Paperboy Prince, a controversial candidate for New York’s 7th Congressional District. Paperboy Prince lost in the primaries, then petitioned and was on the ballot on November 3, 2020.
      • PAPERBOYPRINCE(.) C.O.M. is hosted by Liquidweb (AS32244) I.P. address 64.91.229.52
      • The I.P. address 64.91.229.52 is at the same physical location (37°45’03.6″N 97°49’19.2″W) as Gandi(.)net and Ogp(.)me.
      • The I.P. has 15 open ports and hosts 154 domains.
      • The PR DNS is love2 (.)1vsm(.)com
      • Compromised via EXIM SMTPD (a privileged, unauthenticated remote code execution weakness in Internet email server software) and OpenSSH.

Appendix

[Five screenshots, 2020-12-13_11-42-18 through 2020-12-13_11-43-35, not reproduced]