The Manipulaters Team Blog Post
In a recent blog post, security journalist Brian Krebs wrote about the Manipulaters Team, which is a group of Pakistani hackers who sell spam and malware tools online and are believed to be behind the fake identity of Saim Raza, a dark web threat actor.
They refer to their tools as “FUD”, which stands for Fully Undetectable, because they advertise their products as going unnoticed by antivirus and anti-spam programs.
The group makes little effort to hide its work: a simple Internet search such as “Fudtools” or “Fudpage” was enough to find several of the group’s phishing-kit sales websites, as well as a YouTube channel.
After analyzing each of these domains using the Domain Lookup, Enrich Domain and Enrich IP features of the Silent Push App, I found that:
- the domains use either *.blazingfast.io or *.cloudflare.com as nameservers;
- the vast majority of them were registered through Internet Domain Service BS Corp., but a few were registered through R01-SU, RU-CENTER-RU or Sav.com LLC;
- the IP addresses that host them belong to either Netsolutions (AS47674) or Cloudflare (AS13335);
- the domains have clear domain name patterns, in particular *fud*, *tool*, *page*, *sender* or *spam*.
I found a lot more domains with these name patterns through the Silent Push API and its passive DNS features, by using various combinations of the nameservers, AS name and registrar previously found as parameters.
To complete the search, the IP addresses that host the domains I discovered were analyzed using the IP Lookup feature on Silent Push App, which revealed more domains managed by this group. The full list of IOCs can be found below.
The domains are also available to Silent Push customers in a feed called ‘Manipulaters’, which continues to be updated.
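As an added example, not code from the Silent Push post, here is how the pivot criteria above (name patterns, nameservers, ASNs, registrars) can be applied to passive DNS or enrichment rows to triage candidate domains for a blocklist. The row shape, the sample rows and the nameserver and registrar values in them are assumptions; only the criteria come from the post.

```python
from __future__ import annotations
import re
from collections import namedtuple

# Pivot criteria reported in the post (name patterns, nameservers, ASNs, registrars).
NAME_PATTERNS = re.compile(r"fud|tool|page|sender|spam")
NAMESERVER_SUFFIXES = (".blazingfast.io", ".cloudflare.com")
ASNS = {47674, 13335}
REGISTRARS = {"Internet Domain Service BS Corp.", "R01-SU", "RU-CENTER-RU", "Sav.com LLC"}

# One simplified passive-DNS/enrichment row; the domain may be defanged with "[.]".
PdnsRecord = namedtuple("PdnsRecord", "domain nameserver asn registrar")

def refang(domain: str) -> str:
    return domain.replace("[.]", ".").strip(".").lower()

def registered_label(domain: str) -> str:
    # Label left of the TLD; fine for the single-label TLDs in the post, not for co.uk-style suffixes.
    labels = refang(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def match_reasons(rec: PdnsRecord) -> list[str]:
    reasons = []
    if NAME_PATTERNS.search(registered_label(rec.domain)):
        reasons.append("name-pattern")
    if rec.nameserver.lower().endswith(NAMESERVER_SUFFIXES):
        reasons.append("nameserver")
    if rec.asn in ASNS:
        reasons.append("asn")
    if rec.registrar in REGISTRARS:
        reasons.append("registrar")
    return reasons

def hunt(records: list[PdnsRecord]) -> dict[str, list[str]]:
    # Flag a domain only when a name pattern coincides with an infrastructure pivot:
    # Cloudflare's nameservers and AS13335 on their own cover much of the legitimate web.
    hits = {}
    for rec in records:
        reasons = match_reasons(rec)
        if "name-pattern" in reasons and len(reasons) >= 2:
            hits[refang(rec.domain)] = reasons
    return hits

# Constructed sample rows, not taken from the post's IOC feed (AS64496 is a documentation ASN).
SAMPLE = [
    PdnsRecord("fudtool[.]com", "ns1.blazingfast.io", 47674, "Internet Domain Service BS Corp."),
    PdnsRecord("heartsender[.]net", "dana.ns.cloudflare.com", 13335, "Namecheap"),
    PdnsRecord("docs.example[.]org", "lara.ns.cloudflare.com", 13335, "GoDaddy"),
    PdnsRecord("spamfilter-vendor[.]com", "ns1.vendor-dns.test", 64496, "GoDaddy"),
]
```

Running `hunt(SAMPLE)` flags the first two rows and leaves the Cloudflare-hosted `example.org` row and the lone name-pattern row alone, which is the false-positive trade-off any such pivot rule has to make.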
IOC list (active domains)