Trump Hotels Dot Com: Malware C2 In 2014
Credit CNN
TURNIP HACKED!
Remember when the news media was told by Brian Krebs that Turnip’s hotels had been hacked and their credit card data has been stolen? Well there is more to the very little story that made the press after Krebs dropped a dime on them. In looking around the ThreatCrowd today I decided to take a look at the Turnip brand and, well, they have over three thousand domains but a couple jumped out on the searches due to their being connections in some malware back in April of 2014. This coincides with the hack time frame according to the stories I have seen including the one by CNN above where not much is said by Trump nor the FBI or USSS because they were looking into it and that Turnip was a candidate for president. Given that no one has really said anything about this hack post Krebs I have to wonder just how deep these guys got in and what actor group it may have been. If it was straight up carding was it Rescator? Some other Eastern Block group? If it was Russian then, well, you know how they like to dual use these hacks right?
Well, the malware in this case was programmed to attempt to connect with the hotel psmtp server as well as the main domain. This means that they were compromised enough to used as a C2 or perhaps it was just garbage traffic as as been seen in the past with some malware creators. The real kicker is that this malware was doing it’s thing in the same time frame that the hack was alleged to have happened, so I have to think that the case here is that they did in fact use them as a C2 as well, or another actor did piggybacking on the other hacking going on.
Maybe Turnip’s security just sucked? Oh well, as you can see from the maps below they were pretty busy. The best thing for me though was the name of the file that the malware was propagating by.
(scroll down but don’t be drinking anything hot FAIR WARNING)
Maltego of psmtp server at Turnip Hotels
Trumphotels.com Domain ThreatCrowd
Trumphotels.com.s9a1.psmtp.com ThreatCrowd
Money shot of the malware that has trumphotels in the C2 list
Oh, and Turnip loves him Godaddy, the Mos Eisley of domain registries and server farms.
The Malware:
So that malware that had the Turnip hotel as a C2? Yeah, it was in the guise of a file called SHEMALE_MOVIE_83.MPEG.EXE I shit you not! So GoldShower’s systems were being used to pimp malware that went under the name of SHEMALE_MOVIE_83.MPEG.EXE
BAAAAAAAAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAAH!
SHEMALE_MOVIE_83.MPEG.EXE
I do love the schadenfreude here. Evidently it was a trojan that harvested creds, listened to all traffic, and manipulated the SMTP on the system as well. I have to wonder who at Turnip Hotels may have gotten an email with this file and clicked on it. I also have to wonder if they were acutally mailing this shit out from Turnip central as they had connections to the PSMTP server as well. Say, any of you get any dirty email from Turnip back in 2014 or 2015?
As I write I have this grin on my face…
Enjoy the schadenfreude kids!
K.
IOC’s
https://www.threatcrowd.org/searchTwo.php?data=trump
https://www.threatcrowd.org/domain.php?domain=trumphotels.com.s9a1.psmtp.com
https://www.threatcrowd.org/malware.php?md5=833009a54c295a72ad64ab0941f482fe
https://malwr.com/analysis/YTY4NTM5YWY5NDNjNDAwYjkyNWNmMjQwM2RmMjAwYTE/
4/25/2014
https://www.threatcrowd.org/listMalware.php?antivirus=BackDoor.SlymENT.1498
https://www.threatcrowd.org/ip.php?ip=202.71.129.187
https://www.threatcrowd.org/domain.php?domain=email.cz
https://www.threatcrowd.org/ip.php?ip=72.29.227.205
https://www.threatcrowd.org/domain.php?domain=trumphotels.com
https://malwr.com/analysis/YTY4NTM5YWY5NDNjNDAwYjkyNWNmMjQwM2RmMjAwYTE/
https://www.threatcrowd.org/listMalware.php?antivirus=BackDoor.SlymENT.1498
Krypt3ia 
Leave a comment