Dear blog readers it's been a while since I last posted a quality update. I wanted to express my gratitude to everyone who expressed interest in Threat Data including current and potential clients and wanted to let everyone know that in case you or your organization is interested in obtaining access to Threat Data including a free trial you're always free to approach me at disruptive.individuals@gmail.com seeking access.
01. What is Threat Data?
Threat Data is the industry's leading and most versatile JSON-capable threats database
successfully empowering companies and security researchers with the
necessary knowledge to stay ahead of current and emerging threats,
further, positioning their company and enterprise on the top of its
game.
02. How to request access?
In case you're interested in obtaining access including a possible trial you can approach me at disruptive.individuals@gmail.com requesting access including a possible trial.
03. Who can request access?
In case you're a security researcher or a security vendor looking for alternative ways to diversify their portfolio of sources for actionable intelligence you are always free to approach me at disruptive.individuals@gmail.com seeking access including a possible trial.
04. What are the pricing options?
Threat Data starts at $2,500 for database and a monthly subscription including access to in-house and all-source analysis starts at $4,000 guaranteeing an unlimited access to in-house and all-source analysis.
05. What does the database cover?
- Russian Business Network coverage
- Koobface Botnet coverage
- Kneber Botnet coverage
- Hundreds of IOCs (Indicators of Compromise)
- Tactics Techniques and Procedures In-Depth Coverage
- Malicious and fraudulent infrastructure mapped and exposed
- Malicious and fraudulent Blackhat SEO coverage
- Malicious spam and phishing campaigns
- Malicious and fraudulent scareware campaigns
- Malicious and fraudulent money mule recruitment scams
- Malicious and fraudulent reshipping mule recruitment scams
- Web based mass attack compromise fraudulent and malicious campaigns
- Malicious and fraudulent client-side exploits serving campaigns
06. How often does the service update?
The data is delivered automatically on a daily weekly monthly basis in MISP-friendly JSON-capable format guaranteeing unlimited access to in-house and all-source analysis.
Enjoy!
Wednesday, October 18, 2017
Friday, July 28, 2017
Introducing Obmonix - The World's Most Comprehensive Sensor Network
The world's leading expert in the field of the security cybercrime research and threat intelligence gathering presents the World's Most Comprehensive Sensor Network for offensive cybercrime/cyberterrorism fighting introducing active sensor deployment cybercrime/cyberterrorism forum and dark-web infiltration launching the Disruptive Individuals startup successfully disrupting and undermining the cybercrime/cyberterrorism ecosystem.
What is the Obmonix Platform?
The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for intercepting monitoring and responding to cybercrime and cyber jihad events successfully deploying a variety of proprietary sensor network based of honeypot appliances industry-wide partnership including the utilization of proprietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns successfully positioning the platform as the leading indicator for cybercrime and cyber jihad activity globally empowering the operator law enforcement and the security industry with then necessary tactics techniques and procedures (TTPs) for successfully responding and monitoring cybercrime and cyber jihad activity globally leading to successful launch of the Disruptive Individuals startup successfully serving the needs of the Intelligence Community, the security industry and law enforcement agencies globally successfully anticipating an emerging set of malicious and fraudulent tactics techniques and procedures successfully protecting millions of users globally.
How you can help and contribute?
Feel free to join the Indiegogo funds raising campaign and stay tuned for the associated perks.
Looking forward to receiving your response at ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Enjoy!
The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for intercepting monitoring and responding to cybercrime and cyber jihad events successfully deploying a variety of proprietary sensor network based of honeypot appliances industry-wide partnership including the utilization of proprietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns successfully positioning the platform as the leading indicator for cybercrime and cyber jihad activity globally empowering the operator law enforcement and the security industry with then necessary tactics techniques and procedures (TTPs) for successfully responding and monitoring cybercrime and cyber jihad activity globally leading to successful launch of the Disruptive Individuals startup successfully serving the needs of the Intelligence Community, the security industry and law enforcement agencies globally successfully anticipating an emerging set of malicious and fraudulent tactics techniques and procedures successfully protecting millions of users globally.
How you can help and contribute?
Feel free to join the Indiegogo funds raising campaign and stay tuned for the associated perks.
Looking forward to receiving your response at ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Enjoy!
Monday, May 29, 2017
Historical OSINT - Mac OS X PornTube Malware Serving Domains
Cybercriminals continue to actively launch maliciuos and fraudulent malware-serving campaigns further spreading malicious software potentially compromising the confidentiality availability and integrity of hte targeted host to a multit-tude of malicious software further spreading malicious software while earning fraudulent revenue in the process of monetizing access to malware-infected hosts.
We've recently intercepted a currently active portfolio of rogue/fake/ PornTube malicious and fraudulent domains, with the cybercriminals behind the campaign earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.
Known to have been parked within the same malicious IP (93.190.140.56) are also the following malicious domains:
hxxp://playfucktube.com
hxxp://mac-videos.com
hxxp://xhottube.net
hxxp://playfucktube.comtubeporn08.com
hxxp://porn-tube09.com
hxxp://tubeporn09.com
hxxp://xxxporn-tube.com
hxxp://playfucktube.com
hxxp://allsoft-free.com
hxxp://all-softfree.com
hxxp://lsoftfree.com
hxxp://porntubenew.com
hxxp://pornmegatube.net
hxxp://xhottube.net
We'll continue monitoring the campaign and post updates as soon as new developments take place.
We've recently intercepted a currently active portfolio of rogue/fake/ PornTube malicious and fraudulent domains, with the cybercriminals behind the campaign earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.
Known to have been parked within the same malicious IP (93.190.140.56) are also the following malicious domains:
hxxp://playfucktube.com
hxxp://mac-videos.com
hxxp://xhottube.net
hxxp://playfucktube.comtubeporn08.com
hxxp://porn-tube09.com
hxxp://tubeporn09.com
hxxp://xxxporn-tube.com
hxxp://playfucktube.com
hxxp://allsoft-free.com
hxxp://all-softfree.com
hxxp://lsoftfree.com
hxxp://porntubenew.com
hxxp://pornmegatube.net
hxxp://xhottube.net
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Massive Black Hat SEO Campaign Spotted in the Wild
Cybercriminals continue actively launching fraudulent and malicious blackhat SEO campaigns further acquiring legitimate traffic for the purpose of converting it into malware-infected hosts further spreading malicious software potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.
We've recently intercepted a currently active malicious blackhat SEO campaign serving scareware to socially engineered users with the cybercriminals behind it earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.
Known malicious domains known to have participated in the campaign:
hxxp://doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189
Known malicious redirector known to have participated in the campaign:
hxxp://marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyLRademacher@live.com
Related malicious domains known to have been parked within the same malicious IP (91.205.40.5):
hxxp://browsersafeon.com
hxxp://online-income2.cn
hxxp://applestore2.cn
hxxp://media-news2.cn
hxxp://clint-eastwood.cn
hxxp://stone-sour.cn
hxxp://marketcoms.cn
hxxp://fashion-news.cn
Known malicious domains known to have participated in the campaign:
hxxp://guard-syszone.net/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWeYJWfZW
VilWWenGOIo6THodjXoGJdpqmikpVuaGVvZG1kbV%2FEkKE%3D - 206.53.61.73
hxxp://yourspywarescan15.com/scan1/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12
Sample detection rate for sample malware:
MD5: 3d448b584d52c6a6a45ff369d839eb06
MD5: 54f671bb9283bf4dfdf3c891fd9cd700
We'll continue monitoring the campaign and post updates as soon as new developments take place.
We've recently intercepted a currently active malicious blackhat SEO campaign serving scareware to socially engineered users with the cybercriminals behind it earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.
Known malicious domains known to have participated in the campaign:
hxxp://doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189
Known malicious redirector known to have participated in the campaign:
hxxp://marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyLRademacher@live.com
Related malicious domains known to have been parked within the same malicious IP (91.205.40.5):
hxxp://browsersafeon.com
hxxp://online-income2.cn
hxxp://applestore2.cn
hxxp://media-news2.cn
hxxp://clint-eastwood.cn
hxxp://stone-sour.cn
hxxp://marketcoms.cn
hxxp://fashion-news.cn
Known malicious domains known to have participated in the campaign:
hxxp://guard-syszone.net/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWeYJWfZW
VilWWenGOIo6THodjXoGJdpqmikpVuaGVvZG1kbV%2FEkKE%3D - 206.53.61.73
hxxp://yourspywarescan15.com/scan1/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12
Sample detection rate for sample malware:
MD5: 3d448b584d52c6a6a45ff369d839eb06
MD5: 54f671bb9283bf4dfdf3c891fd9cd700
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - A Diversified Portfolio of Pharmacautical Scams Spotted in the Wild
Cybercriminals continue actively speading fraudulent and malicious campaigns potentially targeting the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software further earning fraudulent revenue in the process of monetizing access to malware-infected hosts further spreading malicious and fraudulent campaigns potentially affecting hundreds of thousands of users globally.
We've recently came across to a currently active diversified portfolio of pharmaceutical scams with the cybercriminals behind it successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts including the active utilization of an affiliate-network based type of revenue sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence, on the infrastructure behind it, and discuss in depth, the tactics techniques and procedures of the cybercriminals behind it.
hxxp://lightmcusic.com
hxxp://darkclosed.com
hxxp://raintable.com
hxxp://rainthing.com
hxxp://lamptrail.com
hxxp://rainopen.com
hxxp://newsmillion.com
hxxp://paintlamp.com
hxxp://newssilver.com
hxxp://singerspa.ru
hxxp://belllead.ru
hxxp://dealfence.ru
hxxp://beachpage.ru
hxxp://sweatybottle.ru
hxxp://superring.ru
hxxp://betaflash.ru
hxxp://petgal.ru
hxxp://beastball.ru
hxxp://chartarm.ru
hxxp://roomcoin.ru
hxxp://armsgun.ru
hxxp://keyhero.ru
hxxp://sisterlover.ru
hxxp://pitstops.ru
hxxp://ballnet.ru
hxxp://betacourt.ru
hxxp://moviecourt.ru
hxxp://bandrow.ru
hxxp://rainmcusic.com
hxxp://lightmcusic.com
hxxp://diskwind.com
hxxp://disklarge.com
hxxp://silverlarge.com
hxxp://totaldomainname.com
hxxp://mcusicmouse.com
hxxp://diskbig.com
hxxp://rainthing.com
hxxp://thunderhigh.com
hxxp://raintruck.com
hxxp://mcusictank.com
hxxp://diskdark.com
hxxp://thunderdark.com
hxxp://raintowel.com
hxxp://mcusicball.com
hxxp://diskwarm.com
hxxp://silverwarsm.com
hxxp://diskopen.com
hxxp://diskfashion.com
hxxp://goldlgs.com
hxxp://silverdarks.com
hxxp://silveropens.com
hxxp://goldapers.com
hxxp://goldslvers.com
hxxp://diskhot.com
hxxp://bluedrow.com
hxxp://flashdrow.com
hxxp://raindrow.com
hxxp://thunderdrow.com
hxxp://rainmcusic.com
hxxp://rainpen.com
hxxp://rainthing.com
hxxp://spotsoda.ru
hxxp://mediamultimedia.ru
hxxp://boozetuna.ru
hxxp://singerspa.ru
hxxp://eyepizza.ru
hxxp://ringmic.ru
hxxp://belllead.ru
hxxp://roselid.ru
hxxp://homemold.ru
hxxp://tuneworld.ru
hxxp://happendepend.ru
hxxp://fruitmind.ru
hxxp://groupmud.ru
hxxp://showbabe.ru
hxxp://juicetube.ru
hxxp://kidrace.ru
hxxp://zoomtrace.ru
hxxp://lawice.ru
hxxp://dealfence.ru
hxxp://wipeagree.ru
hxxp://coverimage.ru
hxxp://beachpage.ru
hxxp://waxylanguage.ru
hxxp://jazzedge.ru
hxxp://casemale.ru
hxxp://spotsoda.ru
hxxp://mediamultimedia.ru
hxxp://boozetuna.ru
hxxp://singerspa.ru
hxxp://eyepizza.ru
hxxp://kittyweb.ru
hxxp://bedrib.ru
hxxp://yourib.ru
hxxp://antthumb.ru
hxxp://ringmic.ru
hxxp://belllead.ru
hxxp://roselid.ru
hxxp://homemold.ru
hxxp://tuneworld.ru
hxxp://happendepend.ru
hxxp://fruitmind.ru
hxxp://groupmud.ru
hxxp://showbabe.ru
hxxp://juicetube.ru
hxxp://kidrace.ru
hxxp://zoomtrace.ru
hxxp://lawice.ru
hxxp://dealfence.ru
hxxp://wipeagree.ru
hxxp://coverimage.ru
hxxp://beachpage.ru
hxxp://waxylanguage.ru
hxxp://jazzedge.ru
hxxp://casemale.ru
hxxp://czarsale.ru
hxxp://sweatybottle.ru
hxxp://boxlane.ru
hxxp://rubyfire.ru
hxxp://radiohorse.ru
hxxp://sodakite.ru
hxxp://armissue.ru
hxxp://houraxe.ru
hxxp://smokeeye.ru
hxxp://anteye.ru
hxxp://salesbarf.ru
hxxp://shelfleg.ru
hxxp://superring.ru
hxxp://timematch.ru
hxxp://sewermatch.ru
hxxp://betaflash.ru
hxxp://wovenbath.ru
hxxp://imagebirth.ru
hxxp://shelfjack.ru
hxxp://ringmack.ru
hxxp://gigaknack.ru
hxxp://filetack.ru
hxxp://busybrick.ru
hxxp://giantdock.ru
hxxp://wormduck.ru
hxxp://roundtruck.ru
hxxp://labfolk.ru
hxxp://malespark.ru
hxxp://petgal.ru
hxxp://hitpal.ru
hxxp://beastball.ru
hxxp://baysmell.ru
hxxp://beachhill.ru
hxxp://giantpill.ru
hxxp://runtvenom.ru
hxxp://soaproom.ru
hxxp://chartarm.ru
hxxp://deedsum.ru
hxxp://firmcan.ru
hxxp://sofafan.ru
hxxp://chinqueen.ru
hxxp://lightpen.ru
hxxp://fishgain.ru
hxxp://shiptrain.ru
hxxp://canbin.ru
hxxp://roomcoin.ru
hxxp://caseion.ru
hxxp://miciron.ru
hxxp://metalcorn.ru
hxxp://roadbun.ru
hxxp://armsgun.ru
hxxp://landclown.ru
hxxp://weedego.ru
hxxp://kidsolo.ru
hxxp://waxsolo.ru
hxxp://hitpiano.ru
hxxp://keyhero.ru
hxxp://hitzero.ru
hxxp://ziptap.ru
hxxp://arealamp.ru
hxxp://sunnystamp.ru
hxxp://freeproshop.ru
hxxp://clanpup.ru
hxxp://silkyear.ru
hxxp://jarpeer.ru
hxxp://cobrariver.ru
hxxp://sisterlover.ru
hxxp://rocktower.ru
hxxp://yearshoes.ru
hxxp://grapefrogs.ru
hxxp://papercoins.ru
hxxp://pitstops.ru
hxxp://ginboss.ru
hxxp://greedpants.ru
hxxp://rulebat.ru
hxxp://kidssplat.ru
hxxp://havocfleet.ru
hxxp://ballnet.ru
hxxp://statezit.ru
hxxp://elfsalt.ru
hxxp://zooant.ru
hxxp://finksnot.ru
hxxp://bluffheart.ru
hxxp://wifechart.ru
hxxp://ladyskirt.ru
hxxp://betacourt.ru
hxxp://moviecourt.ru
hxxp://bluecourt.ru
hxxp://actbeast.ru
hxxp://waterfast.ru
hxxp://beachquest.ru
hxxp://passexist.ru
hxxp://rareyou.ru
hxxp://bandrow.ru
hxxp://applewax.ru
hxxp://rockpony.ru
hxxp://feetboy.ru
hxxp://arguebury.ru
hxxp://chairchevy.ru
hxxp://birthsea.com
hxxp://sourcegood.com
hxxp://lamplarsge.com
hxxp://trailhuge.com
hxxp://raintable.com
hxxp://platepeople.com
hxxp://tablebig.com
hxxp://lampbig.com
hxxp://traillong.com
hxxp://whitebirth.com
hxxp://trailbirth.com
hxxp://tabledisk.com
hxxp://lampdissk.com
hxxp://trucktowel.com
hxxp://lamptrail.com
hxxp://trailwarm.com
hxxp://paperwarm.com
hxxp://lampwasrm.com
hxxp://birthocean.com
hxxp://trailocean.com
hxxp://rainopen.com
hxxp://lampfashion.com
hxxp://newsmillion.com
hxxp://trailsummer.com
hxxp://mcusicpaper.com
hxxp://lamppapser.com
hxxp://newssilver.com
hxxp://platedrops.com
hxxp://lampcups.com
hxxp://tablemindss.com
hxxp://tablecupss.com
hxxp://newssweet.com
hxxp://trailbasket.com
hxxp://trailgift.com
hxxp://goldblow.com
hxxp://truckdrow.com
hxxp://roverkey.com
hxxp://protopsite.ru
hxxp://frontstand.com
hxxp://greystand.com
hxxp://ballmind.com
hxxp://mindlarge.com
hxxp://windlarge.com
hxxp://darklarge.com
hxxp://balltable.com
hxxp://listplate.com
hxxp://frontblue.com
hxxp://lightskye.com
hxxp://balllong.com
hxxp://frontlong.com
hxxp://greylong.com
hxxp://largebisg.com
hxxp://greywalk.com
hxxp://minddark.com
hxxp://largedark.com
hxxp://balldisk.com
hxxp://largetrail.com
hxxp://balltrail.com
hxxp://largewarm.com
hxxp://skyewarm.com
hxxp://listlap.com
hxxp://flowlap.com
hxxp://frontstop.com
hxxp://ballsilver.com
hxxp://flowsilver.com
hxxp://jobsilvesr.com
hxxp://fastpads.com
hxxp://jobpeoples.com
hxxp://bluewaris.com
hxxp://joblaps.com
hxxp://listdrops.com
hxxp://flowchairs.com
hxxp://backgrass.com
hxxp://greygrass.com
hxxp://greyfront.com
hxxp://dropslist.com
hxxp://longgrey.com
hxxp://backgrey.com
hxxp://frontgrey.com
hxxp://hatroad.com
hxxp://hatweather.com
hxxp://hatcool.com
hxxp://weatherfloor.com
hxxp://drinkfloor.com
hxxp://hatbrowse.com
hxxp://roadbrowse.com
hxxp://roadinternet.com
hxxp://whiterdes.com
hxxp://hatcools.com
hxxp://hatbrowses.com
hxxp://hatflow.com
hxxp://hatride.com
hxxp://whitefloors.com
hxxp://hatducks.com
hxxp://whitebrwses.com
hxxp://hattables.com
hxxp://hatfloos.com
hxxp://hatdrinks.com
hxxp://blowlight.com
hxxp://longwrite.com
hxxp://bridelamp.com
hxxp://bridelong.com
hxxp://bridefast.com
hxxp://bridebottle.com
hxxp://longletter.com
hxxp://brideword.com
hxxp://bridetowel.com
hxxp://screenchairs.com
hxxp://boxscreens.com
hxxp://screenbirth.com
hxxp://touchcup.com
hxxp://boxboxs.com
hxxp://boxlams.com
hxxp://touchchair.com
hxxp://screencup.com
hxxp://lamptool.com
hxxp://touchbirth.com
hxxp://weathersand.com
hxxp://summerwarms.com
hxxp://summerwall.com
hxxp://weathersummer.com
hxxp://warmruns.com
hxxp://weathercold.com
hxxp://weatherwarm.com
hxxp://warmskye.com
hxxp://weatherskye.com
hxxp://weatheropens.com
hxxp://weatherocean.com
hxxp://weatherrun.com
hxxp://rovercorner.com
hxxp://rangepeople.com
hxxp://rangesand.com
hxxp://rangecorner.com
hxxp://rangespeed.com
hxxp://roverweather.com
hxxp://rangekey.com
hxxp://roverfast.com
hxxp://roverroad.com
hxxp://rangerange.com
hxxp://rovertrack.com
hxxp://rangetunes.com
hxxp://socketpaper.com
hxxp://trailgold.com
hxxp://booksocket.com
hxxp://brushtrail.com
hxxp://brushround.com
hxxp://brushchair.com
hxxp://brushsocket.com
hxxp://brushfast.com
hxxp://socketfast.com
hxxp://tablebrush.com
hxxp://brushpaper.com
hxxp://brushopen.com
hxxp://sockettrail.com
hxxp://socketround.com
hxxp://brushplane.com
hxxp://sourcebrush.com
hxxp://tabletrail.com
hxxp://truckblus.com
We'll continue monitoring the campaign and post updates as soon as new developments take place.
We've recently came across to a currently active diversified portfolio of pharmaceutical scams with the cybercriminals behind it successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts including the active utilization of an affiliate-network based type of revenue sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence, on the infrastructure behind it, and discuss in depth, the tactics techniques and procedures of the cybercriminals behind it.
hxxp://lightmcusic.com
hxxp://darkclosed.com
hxxp://raintable.com
hxxp://rainthing.com
hxxp://lamptrail.com
hxxp://rainopen.com
hxxp://newsmillion.com
hxxp://paintlamp.com
hxxp://newssilver.com
hxxp://singerspa.ru
hxxp://belllead.ru
hxxp://dealfence.ru
hxxp://beachpage.ru
hxxp://sweatybottle.ru
hxxp://superring.ru
hxxp://betaflash.ru
hxxp://petgal.ru
hxxp://beastball.ru
hxxp://chartarm.ru
hxxp://roomcoin.ru
hxxp://armsgun.ru
hxxp://keyhero.ru
hxxp://sisterlover.ru
hxxp://pitstops.ru
hxxp://ballnet.ru
hxxp://betacourt.ru
hxxp://moviecourt.ru
hxxp://bandrow.ru
hxxp://rainmcusic.com
hxxp://lightmcusic.com
hxxp://diskwind.com
hxxp://disklarge.com
hxxp://silverlarge.com
hxxp://totaldomainname.com
hxxp://mcusicmouse.com
hxxp://diskbig.com
hxxp://rainthing.com
hxxp://thunderhigh.com
hxxp://raintruck.com
hxxp://mcusictank.com
hxxp://diskdark.com
hxxp://thunderdark.com
hxxp://raintowel.com
hxxp://mcusicball.com
hxxp://diskwarm.com
hxxp://silverwarsm.com
hxxp://diskopen.com
hxxp://diskfashion.com
hxxp://goldlgs.com
hxxp://silverdarks.com
hxxp://silveropens.com
hxxp://goldapers.com
hxxp://goldslvers.com
hxxp://diskhot.com
hxxp://bluedrow.com
hxxp://flashdrow.com
hxxp://raindrow.com
hxxp://thunderdrow.com
hxxp://rainmcusic.com
hxxp://rainpen.com
hxxp://rainthing.com
hxxp://spotsoda.ru
hxxp://mediamultimedia.ru
hxxp://boozetuna.ru
hxxp://singerspa.ru
hxxp://eyepizza.ru
hxxp://ringmic.ru
hxxp://belllead.ru
hxxp://roselid.ru
hxxp://homemold.ru
hxxp://tuneworld.ru
hxxp://happendepend.ru
hxxp://fruitmind.ru
hxxp://groupmud.ru
hxxp://showbabe.ru
hxxp://juicetube.ru
hxxp://kidrace.ru
hxxp://zoomtrace.ru
hxxp://lawice.ru
hxxp://dealfence.ru
hxxp://wipeagree.ru
hxxp://coverimage.ru
hxxp://beachpage.ru
hxxp://waxylanguage.ru
hxxp://jazzedge.ru
hxxp://casemale.ru
hxxp://spotsoda.ru
hxxp://mediamultimedia.ru
hxxp://boozetuna.ru
hxxp://singerspa.ru
hxxp://eyepizza.ru
hxxp://kittyweb.ru
hxxp://bedrib.ru
hxxp://yourib.ru
hxxp://antthumb.ru
hxxp://ringmic.ru
hxxp://belllead.ru
hxxp://roselid.ru
hxxp://homemold.ru
hxxp://tuneworld.ru
hxxp://happendepend.ru
hxxp://fruitmind.ru
hxxp://groupmud.ru
hxxp://showbabe.ru
hxxp://juicetube.ru
hxxp://kidrace.ru
hxxp://zoomtrace.ru
hxxp://lawice.ru
hxxp://dealfence.ru
hxxp://wipeagree.ru
hxxp://coverimage.ru
hxxp://beachpage.ru
hxxp://waxylanguage.ru
hxxp://jazzedge.ru
hxxp://casemale.ru
hxxp://czarsale.ru
hxxp://sweatybottle.ru
hxxp://boxlane.ru
hxxp://rubyfire.ru
hxxp://radiohorse.ru
hxxp://sodakite.ru
hxxp://armissue.ru
hxxp://houraxe.ru
hxxp://smokeeye.ru
hxxp://anteye.ru
hxxp://salesbarf.ru
hxxp://shelfleg.ru
hxxp://superring.ru
hxxp://timematch.ru
hxxp://sewermatch.ru
hxxp://betaflash.ru
hxxp://wovenbath.ru
hxxp://imagebirth.ru
hxxp://shelfjack.ru
hxxp://ringmack.ru
hxxp://gigaknack.ru
hxxp://filetack.ru
hxxp://busybrick.ru
hxxp://giantdock.ru
hxxp://wormduck.ru
hxxp://roundtruck.ru
hxxp://labfolk.ru
hxxp://malespark.ru
hxxp://petgal.ru
hxxp://hitpal.ru
hxxp://beastball.ru
hxxp://baysmell.ru
hxxp://beachhill.ru
hxxp://giantpill.ru
hxxp://runtvenom.ru
hxxp://soaproom.ru
hxxp://chartarm.ru
hxxp://deedsum.ru
hxxp://firmcan.ru
hxxp://sofafan.ru
hxxp://chinqueen.ru
hxxp://lightpen.ru
hxxp://fishgain.ru
hxxp://shiptrain.ru
hxxp://canbin.ru
hxxp://roomcoin.ru
hxxp://caseion.ru
hxxp://miciron.ru
hxxp://metalcorn.ru
hxxp://roadbun.ru
hxxp://armsgun.ru
hxxp://landclown.ru
hxxp://weedego.ru
hxxp://kidsolo.ru
hxxp://waxsolo.ru
hxxp://hitpiano.ru
hxxp://keyhero.ru
hxxp://hitzero.ru
hxxp://ziptap.ru
hxxp://arealamp.ru
hxxp://sunnystamp.ru
hxxp://freeproshop.ru
hxxp://clanpup.ru
hxxp://silkyear.ru
hxxp://jarpeer.ru
hxxp://cobrariver.ru
hxxp://sisterlover.ru
hxxp://rocktower.ru
hxxp://yearshoes.ru
hxxp://grapefrogs.ru
hxxp://papercoins.ru
hxxp://pitstops.ru
hxxp://ginboss.ru
hxxp://greedpants.ru
hxxp://rulebat.ru
hxxp://kidssplat.ru
hxxp://havocfleet.ru
hxxp://ballnet.ru
hxxp://statezit.ru
hxxp://elfsalt.ru
hxxp://zooant.ru
hxxp://finksnot.ru
hxxp://bluffheart.ru
hxxp://wifechart.ru
hxxp://ladyskirt.ru
hxxp://betacourt.ru
hxxp://moviecourt.ru
hxxp://bluecourt.ru
hxxp://actbeast.ru
hxxp://waterfast.ru
hxxp://beachquest.ru
hxxp://passexist.ru
hxxp://rareyou.ru
hxxp://bandrow.ru
hxxp://applewax.ru
hxxp://rockpony.ru
hxxp://feetboy.ru
hxxp://arguebury.ru
hxxp://chairchevy.ru
hxxp://birthsea.com
hxxp://sourcegood.com
hxxp://lamplarsge.com
hxxp://trailhuge.com
hxxp://raintable.com
hxxp://platepeople.com
hxxp://tablebig.com
hxxp://lampbig.com
hxxp://traillong.com
hxxp://whitebirth.com
hxxp://trailbirth.com
hxxp://tabledisk.com
hxxp://lampdissk.com
hxxp://trucktowel.com
hxxp://lamptrail.com
hxxp://trailwarm.com
hxxp://paperwarm.com
hxxp://lampwasrm.com
hxxp://birthocean.com
hxxp://trailocean.com
hxxp://rainopen.com
hxxp://lampfashion.com
hxxp://newsmillion.com
hxxp://trailsummer.com
hxxp://mcusicpaper.com
hxxp://lamppapser.com
hxxp://newssilver.com
hxxp://platedrops.com
hxxp://lampcups.com
hxxp://tablemindss.com
hxxp://tablecupss.com
hxxp://newssweet.com
hxxp://trailbasket.com
hxxp://trailgift.com
hxxp://goldblow.com
hxxp://truckdrow.com
hxxp://roverkey.com
hxxp://protopsite.ru
hxxp://frontstand.com
hxxp://greystand.com
hxxp://ballmind.com
hxxp://mindlarge.com
hxxp://windlarge.com
hxxp://darklarge.com
hxxp://balltable.com
hxxp://listplate.com
hxxp://frontblue.com
hxxp://lightskye.com
hxxp://balllong.com
hxxp://frontlong.com
hxxp://greylong.com
hxxp://largebisg.com
hxxp://greywalk.com
hxxp://minddark.com
hxxp://largedark.com
hxxp://balldisk.com
hxxp://largetrail.com
hxxp://balltrail.com
hxxp://largewarm.com
hxxp://skyewarm.com
hxxp://listlap.com
hxxp://flowlap.com
hxxp://frontstop.com
hxxp://ballsilver.com
hxxp://flowsilver.com
hxxp://jobsilvesr.com
hxxp://fastpads.com
hxxp://jobpeoples.com
hxxp://bluewaris.com
hxxp://joblaps.com
hxxp://listdrops.com
hxxp://flowchairs.com
hxxp://backgrass.com
hxxp://greygrass.com
hxxp://greyfront.com
hxxp://dropslist.com
hxxp://longgrey.com
hxxp://backgrey.com
hxxp://frontgrey.com
hxxp://hatroad.com
hxxp://hatweather.com
hxxp://hatcool.com
hxxp://weatherfloor.com
hxxp://drinkfloor.com
hxxp://hatbrowse.com
hxxp://roadbrowse.com
hxxp://roadinternet.com
hxxp://whiterdes.com
hxxp://hatcools.com
hxxp://hatbrowses.com
hxxp://hatflow.com
hxxp://hatride.com
hxxp://whitefloors.com
hxxp://hatducks.com
hxxp://whitebrwses.com
hxxp://hattables.com
hxxp://hatfloos.com
hxxp://hatdrinks.com
hxxp://blowlight.com
hxxp://longwrite.com
hxxp://bridelamp.com
hxxp://bridelong.com
hxxp://bridefast.com
hxxp://bridebottle.com
hxxp://longletter.com
hxxp://brideword.com
hxxp://bridetowel.com
hxxp://screenchairs.com
hxxp://boxscreens.com
hxxp://screenbirth.com
hxxp://touchcup.com
hxxp://boxboxs.com
hxxp://boxlams.com
hxxp://touchchair.com
hxxp://screencup.com
hxxp://lamptool.com
hxxp://touchbirth.com
hxxp://weathersand.com
hxxp://summerwarms.com
hxxp://summerwall.com
hxxp://weathersummer.com
hxxp://warmruns.com
hxxp://weathercold.com
hxxp://weatherwarm.com
hxxp://warmskye.com
hxxp://weatherskye.com
hxxp://weatheropens.com
hxxp://weatherocean.com
hxxp://weatherrun.com
hxxp://rovercorner.com
hxxp://rangepeople.com
hxxp://rangesand.com
hxxp://rangecorner.com
hxxp://rangespeed.com
hxxp://roverweather.com
hxxp://rangekey.com
hxxp://roverfast.com
hxxp://roverroad.com
hxxp://rangerange.com
hxxp://rovertrack.com
hxxp://rangetunes.com
hxxp://socketpaper.com
hxxp://trailgold.com
hxxp://booksocket.com
hxxp://brushtrail.com
hxxp://brushround.com
hxxp://brushchair.com
hxxp://brushsocket.com
hxxp://brushfast.com
hxxp://socketfast.com
hxxp://tablebrush.com
hxxp://brushpaper.com
hxxp://brushopen.com
hxxp://sockettrail.com
hxxp://socketround.com
hxxp://brushplane.com
hxxp://sourcebrush.com
hxxp://tabletrail.com
hxxp://truckblus.com
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Google Sponsored Scareware Spotted in the Wild
Cybercriminals continue actively spreading malicious software while looking for alternative ways to acquire and monetize legitimate traffic successfully earning fraudulent revenue in the process of spreading malicious software.
We've recently came across to a Google Sponsored scareware campaign successfully enticing users into installing fake security software on their hosts further earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type of revenue sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence, on the infrastructure, behind it and discuss in-depth, the tactics techniques and procedures of the cybercriminals behind it.
hxxp://www.google.com/aclk?sa=l&ai=Czd4NEnlLS-pWlrS1A-jBmIwO9pfjnQHOjKCvEI2B8woQAigIUPjA4pz8_____wFgyZajiqSkxBGgAabhse4DyAEBqgQhT9
CjnzChYHf5zQB4c8FB-fW9WUzgcUTQ4c7ciD4Gyxs0&num=5&sig=AGiWqty0Uq3Kr6U1Sb10olrq6C22JfNR_w&q=http://www.adwarepronow.com
hxxp://www.google.com/aclk?sa=L&ai=COLk5EnlLS-pWlrS1A-jBmIwO0YGZmwGz9aqwDbiw8bcBEAUoCFCnyNGE______8BYMmWo4qkpMQRyAEBqgQZT9
CTvAGhbX_5PQN_7QaAIk7HT3dQfrqLJQ&num=8amp;sig=AGiWqtyHmo4mgVkszSWtDUcT4dMRUAQnXg&q=http://www.antimalware-2010.com
Known malicious domains known to have participated in the campaign:
hxxp://www.adwarepronow.com/?gclid=CJ6d8LSGnZ8CFRMqagodmR_KaA - 209.216.193.112
Known malicious domains known to have participated in the campaign:
hxxp://www.antimalware-2010.com/ - 209.216.193.119
Sample detection rate for a sample malware:
MD5: 8328da91c8eba6668b3e72d547157ac7
Sample detection rate for a sample malware:
MD5: b74412ea403241c9c60482fd13540505
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://72.167.164.199/definitions/configuration.txt
hxxp://72.167.164.199/latestversion/AntiMalwarePro_appversion.txt
We'll continue monitoring the campaign and post updates as soon as new developments take place.
We've recently came across to a Google Sponsored scareware campaign successfully enticing users into installing fake security software on their hosts further earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type of revenue sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence, on the infrastructure, behind it and discuss in-depth, the tactics techniques and procedures of the cybercriminals behind it.
hxxp://www.google.com/aclk?sa=l&ai=Czd4NEnlLS-pWlrS1A-jBmIwO9pfjnQHOjKCvEI2B8woQAigIUPjA4pz8_____wFgyZajiqSkxBGgAabhse4DyAEBqgQhT9
CjnzChYHf5zQB4c8FB-fW9WUzgcUTQ4c7ciD4Gyxs0&num=5&sig=AGiWqty0Uq3Kr6U1Sb10olrq6C22JfNR_w&q=http://www.adwarepronow.com
hxxp://www.google.com/aclk?sa=L&ai=COLk5EnlLS-pWlrS1A-jBmIwO0YGZmwGz9aqwDbiw8bcBEAUoCFCnyNGE______8BYMmWo4qkpMQRyAEBqgQZT9
CTvAGhbX_5PQN_7QaAIk7HT3dQfrqLJQ&num=8amp;sig=AGiWqtyHmo4mgVkszSWtDUcT4dMRUAQnXg&q=http://www.antimalware-2010.com
Known malicious domains known to have participated in the campaign:
hxxp://www.adwarepronow.com/?gclid=CJ6d8LSGnZ8CFRMqagodmR_KaA - 209.216.193.112
Known malicious domains known to have participated in the campaign:
hxxp://www.antimalware-2010.com/ - 209.216.193.119
Sample detection rate for a sample malware:
MD5: 8328da91c8eba6668b3e72d547157ac7
Sample detection rate for a sample malware:
MD5: b74412ea403241c9c60482fd13540505
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://72.167.164.199/definitions/configuration.txt
hxxp://72.167.164.199/latestversion/AntiMalwarePro_appversion.txt
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - A Diversified Portfolio of Fake Security Software
Cybercriminals, continue, actively, launching, malicious, and, fraudulent, campaigns, further, spreading, malicious, software, potentially, exposing, the, confidentiality, availability, and, integrity, of, the, targeted, host, to, a, multi-tude, of, malicious, software.
In, this, post, we'll, profile, a, currently, active, portfolio, of, fake, security, software, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (91.212.226.203; 94.228.209.195), are, also, the, following, malicious, domains:
hxxp://thebest-antivirus00.com
hxxp://virusscannerpro0.com
hxxp://lightandfastscanner01.com
hxxp://thebest-antivirus01.com
hxxp://thebestantivirus01.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://thebest-antivirus11.com
hxxp://antispyware-module1.com
hxxp://antispywaremodule1.com
hxxp://antivirus-toolsr1.com
hxxp://thebest-antivirus1.com
hxxp://thebest-antivirusx1.com
hxxp://thebestantivirus02.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://lightandfastscanner22.com
hxxp://prosecureprotection2.com
hxxp://virusscannerpro2.com
hxxp://antivirus-toolsr2.com
hxxp://thebest-antivirusx2.com
hxxp://thebestantivirus03.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://antispyware-module3.com
hxxp://antispywaremodule3.com
hxxp://virusscannerpro3.com
hxxp://windowsantivirusserver3.com
hxxp://thebest-antivirusx3.com
hxxp://thebestantivirus04.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://antispyware-scann4.com
hxxp://antivirus-toolsr4.com
hxxp://thebest-antivirusx4.com
hxxp://thebestantivirus05.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://thebest-antivirusx5.com
hxxp://remove-spyware-16.com
hxxp://lightandfastscanner66.com
hxxp://antispywaremodule6.com
hxxp://antispyware-module7.com
hxxp://antispywaremodule7.com
hxxp://antivirus-toolsr7.com
hxxp://antispyware-scann8.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antispyware-module9.com
hxxp://antispywaremodule9.com
hxxp://antispyware-scann9.com
hxxp://virusscannerpro9.com
hxxp://antivirus-toolsr9.com
hxxp://thebest-antivirus9.com
hxxp://antiviruspro1scan.com
hxxp://antiviruspro2scan.com
hxxp://antiviruspro7scan.com
hxxp://antiviruspro8scan.com
hxxp://antiviruspro9scan.com
hxxp://antispyware6sacnner.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://prosecureprotection2.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://windowsantivirusserver3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antivirus-toolsr9.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (94.228.209.195), are, also, the, following, malicious, domains:
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://run-virusscanner4.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com
Related, fraudulent, and, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (91.212.226.203), are, also, the, following, malicious, domains:
hxxp://anti-virus-system0.com
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://perform-antivirus-scan-1.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://antivirus-system1.com
hxxp://performspywarescan1.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://antivirus-scanner-3.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://gloriousantivirus2014.com
hxxp://run-virusscanner4.com
hxxp://smart-pcscanner05.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://perform-virus-scan5.com
hxxp://perform-antivirus-scan-6.com
hxxp://antivirus-scanner-6.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://antivirus-scan-server6.com
hxxp://perform-antivirus-scan-7.com
hxxp://perform-antivirus-test-7.com
hxxp://antivirus-win-system7.com
hxxp://antivirus-for-pc-8.com
hxxp://perform-antivirus-scan-8.com
hxxp://perform-antivirus-test-8.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://perform-antivirus-test-9.com
hxxp://perform-virus-scan9.com
hxxp://antispywareinfo9.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com
hxxp://antispyware06scan.com
hxxp://antispywareinfo9.com
hxxp://antivirus-for-pc-2.com
hxxp://antivirus-for-pc-4.com
hxxp://antivirus-for-pc-6.com
hxxp://antivirus-for-pc-8.com
hxxp://antiviruspro8scan.com
hxxp://extra-antivirus-scan1.com
hxxp://extra-security-scanb1.com
hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com
hxxp://super-scanner-2004.com
hxxp://top-rateanrivirus0.com
hxxp://topantimalware-scanner7.com
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
In, this, post, we'll, profile, a, currently, active, portfolio, of, fake, security, software, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (91.212.226.203; 94.228.209.195), are, also, the, following, malicious, domains:
hxxp://thebest-antivirus00.com
hxxp://virusscannerpro0.com
hxxp://lightandfastscanner01.com
hxxp://thebest-antivirus01.com
hxxp://thebestantivirus01.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://thebest-antivirus11.com
hxxp://antispyware-module1.com
hxxp://antispywaremodule1.com
hxxp://antivirus-toolsr1.com
hxxp://thebest-antivirus1.com
hxxp://thebest-antivirusx1.com
hxxp://thebestantivirus02.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://lightandfastscanner22.com
hxxp://prosecureprotection2.com
hxxp://virusscannerpro2.com
hxxp://antivirus-toolsr2.com
hxxp://thebest-antivirusx2.com
hxxp://thebestantivirus03.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://antispyware-module3.com
hxxp://antispywaremodule3.com
hxxp://virusscannerpro3.com
hxxp://windowsantivirusserver3.com
hxxp://thebest-antivirusx3.com
hxxp://thebestantivirus04.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://antispyware-scann4.com
hxxp://antivirus-toolsr4.com
hxxp://thebest-antivirusx4.com
hxxp://thebestantivirus05.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://thebest-antivirusx5.com
hxxp://remove-spyware-16.com
hxxp://lightandfastscanner66.com
hxxp://antispywaremodule6.com
hxxp://antispyware-module7.com
hxxp://antispywaremodule7.com
hxxp://antivirus-toolsr7.com
hxxp://antispyware-scann8.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antispyware-module9.com
hxxp://antispywaremodule9.com
hxxp://antispyware-scann9.com
hxxp://virusscannerpro9.com
hxxp://antivirus-toolsr9.com
hxxp://thebest-antivirus9.com
hxxp://antiviruspro1scan.com
hxxp://antiviruspro2scan.com
hxxp://antiviruspro7scan.com
hxxp://antiviruspro8scan.com
hxxp://antiviruspro9scan.com
hxxp://antispyware6sacnner.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://prosecureprotection2.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://windowsantivirusserver3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antivirus-toolsr9.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (94.228.209.195), are, also, the, following, malicious, domains:
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://run-virusscanner4.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com
Related, fraudulent, and, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (91.212.226.203), are, also, the, following, malicious, domains:
hxxp://anti-virus-system0.com
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://perform-antivirus-scan-1.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://antivirus-system1.com
hxxp://performspywarescan1.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://antivirus-scanner-3.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://gloriousantivirus2014.com
hxxp://run-virusscanner4.com
hxxp://smart-pcscanner05.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://perform-virus-scan5.com
hxxp://perform-antivirus-scan-6.com
hxxp://antivirus-scanner-6.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://antivirus-scan-server6.com
hxxp://perform-antivirus-scan-7.com
hxxp://perform-antivirus-test-7.com
hxxp://antivirus-win-system7.com
hxxp://antivirus-for-pc-8.com
hxxp://perform-antivirus-scan-8.com
hxxp://perform-antivirus-test-8.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://perform-antivirus-test-9.com
hxxp://perform-virus-scan9.com
hxxp://antispywareinfo9.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com
hxxp://antispyware06scan.com
hxxp://antispywareinfo9.com
hxxp://antivirus-for-pc-2.com
hxxp://antivirus-for-pc-4.com
hxxp://antivirus-for-pc-6.com
hxxp://antivirus-for-pc-8.com
hxxp://antiviruspro8scan.com
hxxp://extra-antivirus-scan1.com
hxxp://extra-security-scanb1.com
hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com
hxxp://super-scanner-2004.com
hxxp://top-rateanrivirus0.com
hxxp://topantimalware-scanner7.com
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
Historical OSINT - A Portfolio of Fake/Rogue Video Codecs
Shall we expose a huge domains portfolio of fake/rogue video codecs dropping the same Zlob variant on each and every of the domains, thereby acting as a great example of what malicious economies of scale means?
Currently active Zlob malware variants promoting sites:
hxxp://pornqaz.com
hxxp://uinsex.com
hxxp://qazsex.com
hxxp://sexwhite.net
hxxp://lightporn.net
hxxp://xeroporn.com
hxxp://brakeporn.net
hxxp://sexclean.net
hxxp://delfiporn.net
hxxp://pornfire.net
hxxp://redcodec.net
hxxp://democodec.com
hxxp://delficodec.com
hxxp://turbocodec.net
hxxp://gamecodec.com
hxxp://blackcodec.net
hxxp://xerocodec.com
hxxp://ixcodec.net
hxxp://codecdemo.com
hxxp://ixcodec.com
hxxp://citycodec.com
hxxp://codecthe.com
hxxp://codecnitro.com
hxxp://codecbest.com
hxxp://codecspace.com
hxxp://popcodec.net
hxxp://uincodec.com
hxxp://xhcodec.com
hxxp://stormcodec.net
hxxp://codecmega.com
hxxp://whitecodec.com
hxxp://jetcodec.com
hxxp://endcodec.com
hxxp://abccodec.com
hxxp://codecred.net
hxxp://cleancodec.com
hxxp://herocodec.com
hxxp://nicecodec.com
Related MD5s, known, to, have, participated, in, the, campaign:
MD5: 30965fdbd893990dd24abda2285d9edc
Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches within the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the end of many other malware campaigns to come, which will inevitable be ending up to these domains.
Currently active Zlob malware variants promoting sites:
hxxp://pornqaz.com
hxxp://uinsex.com
hxxp://qazsex.com
hxxp://sexwhite.net
hxxp://lightporn.net
hxxp://xeroporn.com
hxxp://brakeporn.net
hxxp://sexclean.net
hxxp://delfiporn.net
hxxp://pornfire.net
hxxp://redcodec.net
hxxp://democodec.com
hxxp://delficodec.com
hxxp://turbocodec.net
hxxp://gamecodec.com
hxxp://blackcodec.net
hxxp://xerocodec.com
hxxp://ixcodec.net
hxxp://codecdemo.com
hxxp://ixcodec.com
hxxp://citycodec.com
hxxp://codecthe.com
hxxp://codecnitro.com
hxxp://codecbest.com
hxxp://codecspace.com
hxxp://popcodec.net
hxxp://uincodec.com
hxxp://xhcodec.com
hxxp://stormcodec.net
hxxp://codecmega.com
hxxp://whitecodec.com
hxxp://jetcodec.com
hxxp://endcodec.com
hxxp://abccodec.com
hxxp://codecred.net
hxxp://cleancodec.com
hxxp://herocodec.com
hxxp://nicecodec.com
Related MD5s, known, to, have, participated, in, the, campaign:
MD5: 30965fdbd893990dd24abda2285d9edc
Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches within the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the end of many other malware campaigns to come, which will inevitable be ending up to these domains.
Historical OSINT - A Portfolio of Exploits Serving Domains
With, the, rise, of, Web, malware, exploitation, kits, continuing, to, proliferate, cybercriminals, are, poised, to, continue, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, active,y utilization, of, client-side, exploits, further, spreaing, malicious, software, potentially, compromising, the, confidentiality, availability, and, integrity, of, the, targeted, host, to, a, multi-tude, of, malicious, software.
What, used, to, be, an, ecosystem, dominated, by, proprietary, DIY (do-it-yourself) malware and exploits, generating, tools, is, today's, modern, cybercrime, ecosystem, dominated, by, Web, malware, exploitation, kits, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, launching, a, fraudulent, and, malicious, campaign, potentially, affecting, hundreds, of, thousands, of, users, globally.
In, this, post, we'll, provide, actionable, intelligence, on, currently, active, IcePack, Web, malware, exploitation, kit, client-side, and, malware-exploits, serving, domains.
Related IcePack Web Malware Exploitation Kit domains:
hxxp://seateremok.com/xc/index.php
hxxp://lskdfjlerjvm.com/ice-pack/index.php
hxxp://formidleren.dk/domain/mere.asp
hxxp://webs-money.info/ice-pack/index.php
hxxp://seateremok.com/xc/index.php
hxxp://greeetthh.com/ice-pack1/index.php
hxxp://58.65.235.153/~pozitive/ice/index.php
hxxp://iframe911.com/troy/us/sp/ice/index.php
hxxp://themusicmp3.info/rmpanfr/index.php
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (lskdfjlerjvm.com):
MD5: 4c0958f2f9f5ff2e5ac47e92d4006452
MD5: d955372c7ef939502c43a71ff1a9f76e
MD5: 118e24ea884d375dc9f63c986a15e5df
MD5: e825a7e975a9817441da9ba1054a3e6f
MD5: 71460d4a1c7c18ec672fed56d764ebe6
Once, executed, a, sample, malware (MD5: d955372c7ef939502c43a71ff1a9f76e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://tableshown.net - 208.100.26.234
hxxp://leadshown.net
hxxp://tablefood.ru
hxxp://tablefood.net - 180.210.34.47
hxxp://leadfood.net
hxxp://tablemeet.net
hxxp://leadmeet.net
hxxp://pointneck.net
hxxp://pointshown.net
hxxp://callshown.net - 212.61.180.100
hxxp://callneck.ru
hxxp://callneck.net
hxxp://ringshown.ru
hxxp://ringshown.net
hxxp://noneshown.net
We'll, continue, monitoring, the, campaigns, and, post, updates, as, soon, as, new, developments, take, place.
What, used, to, be, an, ecosystem, dominated, by, proprietary, DIY (do-it-yourself) malware and exploits, generating, tools, is, today's, modern, cybercrime, ecosystem, dominated, by, Web, malware, exploitation, kits, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, launching, a, fraudulent, and, malicious, campaign, potentially, affecting, hundreds, of, thousands, of, users, globally.
In, this, post, we'll, provide, actionable, intelligence, on, currently, active, IcePack, Web, malware, exploitation, kit, client-side, and, malware-exploits, serving, domains.
Related IcePack Web Malware Exploitation Kit domains:
hxxp://seateremok.com/xc/index.php
hxxp://lskdfjlerjvm.com/ice-pack/index.php
hxxp://formidleren.dk/domain/mere.asp
hxxp://webs-money.info/ice-pack/index.php
hxxp://seateremok.com/xc/index.php
hxxp://greeetthh.com/ice-pack1/index.php
hxxp://58.65.235.153/~pozitive/ice/index.php
hxxp://iframe911.com/troy/us/sp/ice/index.php
hxxp://themusicmp3.info/rmpanfr/index.php
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (lskdfjlerjvm.com):
MD5: 4c0958f2f9f5ff2e5ac47e92d4006452
MD5: d955372c7ef939502c43a71ff1a9f76e
MD5: 118e24ea884d375dc9f63c986a15e5df
MD5: e825a7e975a9817441da9ba1054a3e6f
MD5: 71460d4a1c7c18ec672fed56d764ebe6
Once, executed, a, sample, malware (MD5: d955372c7ef939502c43a71ff1a9f76e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://tableshown.net - 208.100.26.234
hxxp://leadshown.net
hxxp://tablefood.ru
hxxp://tablefood.net - 180.210.34.47
hxxp://leadfood.net
hxxp://tablemeet.net
hxxp://leadmeet.net
hxxp://pointneck.net
hxxp://pointshown.net
hxxp://callshown.net - 212.61.180.100
hxxp://callneck.ru
hxxp://callneck.net
hxxp://ringshown.ru
hxxp://ringshown.net
hxxp://noneshown.net
We'll, continue, monitoring, the, campaigns, and, post, updates, as, soon, as, new, developments, take, place.
New Mobile Malware Spotted in the Wild, Hundreds of Users Affected
We've, recently, intercepted, a, currently, circulating, malicious, mobile, malware, potentially, compromising, the, confidentiality, availability, and, integrity, of, the, compromised, devices, further, spreading, malicious, software, on, the, affected, devices, with, the, cybercriminals, behind, it, potentially, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, revenue, sharing, scheme.
In, this, post, we'll, provide, actionable, intelligence, about, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, further, expand, the, malicious, infrastructure, behind, the, campaign, successfully, exposing, the, malicious, actors, behind, it.
Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
MD5: 12e6971511705b7396e4399ac46854f9
MD5: e7d6fef2f1b23cf39a49771eb277e697
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://61.160.234.133/date/getDate
hxxp://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelId=12068000
hxxp://ccinchina.com
hxxp://117.135.133.9/source/appsource/15035916BaiduBrowser_Android_2-3-28-6_1000934d.apk?imei=
hxxp://117.135.131.9/push_4/push.action?imei=value
hxxp://61.160.242.35/pro_5/pro.action
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (61.160.234.133)
MD5: ec125a741919574b7de29889845fe648
MD5: 695db5f40c02fa4eaeda76882de6c1f8
MD5: 3281f34e42483b8a32f7a66dfed5a548
MD5: ccd0a5805a82fdccb3ebdbdc95b432e8
MD5: 07950552ddf728685b943254f390778d
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://agoldcomm.plat96.com
hxxp://push7.devopenserv.com
hxxp://cloud6.uuserv10.com
g.10086.cn, is, known, to, have, responded, to, 112.4.19.33; 221.181.195.141; 58.68.142.6; 180.150.163.149; 58.68.142.188; 58.68.142.203; 60.217.242.152; 58.68.142.232; 60.217.242.151; 112.90.217.110; 58.68.142.182; 58.68.142.183; 60.217.232.201; 58.68.142.237;59.151.7.195
Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 15ddafe1b32dc0b476cdaac92cc3ea12
MD5: 60e7caba4395c77f88c72103aa3c14e2
MD5: 9c692a6b2fc5b0d9f468ce1a110bd296
MD5: 2beae563023a37559c3d0e2da577c517
MD5: d9f63c321e345b2b1c91a1259003cfed
MD5: 07950552ddf728685b943254f390778d
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://log6.devopenserv.com - 211.151.167.51
hxxp://cloud6.devopenserv.com
hxxp://pus7.devopenserv.com
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 37845effed5d773252f129bd3fce588a
MD5: 08beb447853aae8655f77ddc16a5766b
MD5: 16147ec72345631cc345af69b2640578
MD5: 4fcedf07023619b21358c259d11a90cb
MD5: ab36173205aa7aeb713956b1f9ec7b26
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://down.devopenserv.com
hxxp://cloud.devopenserv.com
hxxp://ck6.devopenserv.com
hxxp://rck6.devopenserv.com
hxxp://img14.devopenserv.com
hxxp://dl8.devopenserv.com
hxxp://dl14.devopenserv.com
hxxp://cloud6.devopenserv.com
hxxp://push7.devopenserv.com
hxxp://dp3.devopenserv.com
hxxp://cloud2.devopenserv.com
hxxp://ck2.devopenserv.com
hxxp://dp2.devopenserv.com
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
In, this, post, we'll, provide, actionable, intelligence, about, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, further, expand, the, malicious, infrastructure, behind, the, campaign, successfully, exposing, the, malicious, actors, behind, it.
Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
MD5: 12e6971511705b7396e4399ac46854f9
MD5: e7d6fef2f1b23cf39a49771eb277e697
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://61.160.234.133/date/getDate
hxxp://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelId=12068000
hxxp://ccinchina.com
hxxp://117.135.133.9/source/appsource/15035916BaiduBrowser_Android_2-3-28-6_1000934d.apk?imei=
hxxp://117.135.131.9/push_4/push.action?imei=value
hxxp://61.160.242.35/pro_5/pro.action
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (61.160.234.133)
MD5: ec125a741919574b7de29889845fe648
MD5: 695db5f40c02fa4eaeda76882de6c1f8
MD5: 3281f34e42483b8a32f7a66dfed5a548
MD5: ccd0a5805a82fdccb3ebdbdc95b432e8
MD5: 07950552ddf728685b943254f390778d
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://agoldcomm.plat96.com
hxxp://push7.devopenserv.com
hxxp://cloud6.uuserv10.com
g.10086.cn, is, known, to, have, responded, to, 112.4.19.33; 221.181.195.141; 58.68.142.6; 180.150.163.149; 58.68.142.188; 58.68.142.203; 60.217.242.152; 58.68.142.232; 60.217.242.151; 112.90.217.110; 58.68.142.182; 58.68.142.183; 60.217.232.201; 58.68.142.237;59.151.7.195
Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 15ddafe1b32dc0b476cdaac92cc3ea12
MD5: 60e7caba4395c77f88c72103aa3c14e2
MD5: 9c692a6b2fc5b0d9f468ce1a110bd296
MD5: 2beae563023a37559c3d0e2da577c517
MD5: d9f63c321e345b2b1c91a1259003cfed
MD5: 07950552ddf728685b943254f390778d
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://log6.devopenserv.com - 211.151.167.51
hxxp://cloud6.devopenserv.com
hxxp://pus7.devopenserv.com
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 37845effed5d773252f129bd3fce588a
MD5: 08beb447853aae8655f77ddc16a5766b
MD5: 16147ec72345631cc345af69b2640578
MD5: 4fcedf07023619b21358c259d11a90cb
MD5: ab36173205aa7aeb713956b1f9ec7b26
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://down.devopenserv.com
hxxp://cloud.devopenserv.com
hxxp://ck6.devopenserv.com
hxxp://rck6.devopenserv.com
hxxp://img14.devopenserv.com
hxxp://dl8.devopenserv.com
hxxp://dl14.devopenserv.com
hxxp://cloud6.devopenserv.com
hxxp://push7.devopenserv.com
hxxp://dp3.devopenserv.com
hxxp://cloud2.devopenserv.com
hxxp://ck2.devopenserv.com
hxxp://dp2.devopenserv.com
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies
Remember, the, Russian, Business, Network, and, the, New, Media, Malware, Gang?
It's, been, several, years, since, I, last, posted, an, update, regarding, the, group's, activities, including, the, direct, establishing, of, a, direct, connection, between, the, Russian, Business, Network, the, New, Media, Malware, gang, including, a, variety, of, high, profile, Web, site, compromise, campaigns.
What's, particularly, interesting, about, the, group's, activities, is, the, fact, that, back, in, 2007, the, group's, activities, used, to, dominate, the, threat, landscape, in, a, targeted, fashion, including, the, active, utilization, of, client-side, exploits, and, the, active, exploitation, of, legitimate, Web, sites, successfully, positioning, the, group, including, the, Russian, Business, Network, as, a, leading, provider, of, malicious, activities, online, leading, to, a, series, of, analyses, successfully, detailing, the, activities, of, the, group, including, the, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, Storm, Worm, botnet.
In, this, post, I'll, provide, a, detailed, analysis, of, the, group's, activities, discuss, in, the, depth, the, tactics, techniques, and, procedures, (TTPs), of, the, group, including, a, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, direct, compromise, of, a, series, of, high, profile, Web, site, compromise, campaigns.
Having, successfully, tracked, down, and, profiled, the, group's, activities, for, a, period, of, several, years, and, based, on, the, actionable, intelligence, provided, regarding, the, group's, activities, we, can, easily, establish, a, direct, connection, between, the, New, Media, Malware, Gang, and, the, Russian, Business, Network, including, a, series, of, high, profile, Web, site, compromise, campaigns.
Key Summary Points:
- RBN Connection, New Media Malware Gang connection - "ai siktir" "Die()", money mule recruitment, money laundering of virtual currency
- Actionable CYBERINT data to assist law enforcement, academics and the private sector in ongoing or past cybercrime investigations
- Complete domain portfolios registered up to the present day using the same emails used to register the malicious domains during 2007-2009 to assist law enforcement, academics and the private sector in catching up with their malicious activities over the years
- Detailed analysis of each and every campaign's domain portfolios (up to present day) further dissecting the fraudulent schemes launched by the same cybercriminals that embedded malware on the embassies' web sites
- Complete IP Hosting History for each and every of the malicious domains/command and control servers during the time of the attack
- The "Big Picture" detailing the inter-connections between the campaigns, with historical OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian Business Network
Let's, profile, the, group's, activities, including, a, direct, establishing, of, a, connection, between, the, Russian, Business, Network, the, New, Media, Malware, Gang, and, the, Storm, Worm, botnet.
In, 2007, I, profiled, the, direct, compromise, of, the, Syrian, Embassy, in, London, including, a, related, compromise of, the, USAID.gov compromised, malware and exploits served, the, U.S Consulate St. Petersburg Serving Malware, Bank of India Serving Malware, French Embassy in Libya Serving Malware, Ethiopian Embassy in Washington D.C Serving Malware, Embassy of India in Spain Serving Malware, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, detailing, the, malicious, activities, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.
Let's profile, the, campaigns, and, discuss, in, depth, the, direct, connection, between, the, group's, activities, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.
sicil.info - on 2007-09-26 during the time of the attack, the domain was registered using the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 with an IP 213.186.33.24. On 2007-07-11, it changed IPs to 203.121.79.71, followed by another change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 to 190.183.63.56.
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (sicil.info):
MD5: 4802db20da46fca2a1896d4c983b13ba
MD5: f9434d86ef2959670b73a79947b0f4d2
MD5: 32dba64ae55e7bb4850e27274da42d1b
MD5: cd6a7ff6388fbd94b7ee9cdc88ca8f4d
MD5: 57dff9e8154189f0a09fb62450decac6
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (sicil.info), are, also, the, following, malicious, domains:
144.217.69.62
63.246.128.71
207.150.177.28
66.111.47.62
66.111.47.4
66.111.47.8
Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (213.186.33.24):
MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb
MD5: 95cc3a0243aa050243ab858794c1d221
MD5: cc63d67282789e03469f2e6520c6de80
MD5: 3829506c454b86297d2828077589cbf8
MD5: 1e18b17149899d55d3625d47135a22a7
Once, executed, a, sample, malware (MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ioasis.org - 208.112.115.36
hxxp://polyhedrusgroup.com - 143.95.229.33
hxxp://espoirsetvie.com - 213.186.33.24
hxxp://ladiesdehaan.be - 185.59.17.113
hxxp://chonburicoop.net - 27.254.96.151
hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48
Related posts: Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (0ki.ru; 89.179.174.156):
MD5: cd33ea55b2d13df592663f18e6426921
MD5: 8e0c7757b82d14b988afac075e8ed5dc
MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012
MD5: e513a1b25e59670f777398894dfe41b6
MD5: 0fad43c03d80a1eb3a2c1ae9e9a6c9ed
MD5: 6e1b789f0df30ba0798fbc47cb1cec1c
MD5: 9f02232ed0ee609c8db1b98325beaa94
Once, executed, a, sample, malware (MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012), phones, back, to, the, following, C&C, server, IPs:
hxxp://lordofthepings.ru (173.254.236.159)
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz
hxxp://ladyhaha.xyz
hxxp://porkhalal.site
hxxp://rihannafap.site
hxxp://bieberfans.top
hxxp://runands.top
hxxp://frontlive.net
hxxp://offerlive.net
hxxp://frontserve.net
hxxp://offerserve.net
hxxp://hanghello.ru
hxxp://hanghello.net
hxxp://septemberhello.net
hxxp://hangmine.net
hxxp://septembermine.net
hxxp://hanglive.net
hxxp://wrongserve.ru
hxxp://wrongserve.net
hxxp://madelive.net
Once, executed, a, sample, malware (MD5: e513a1b25e59670f777398894dfe41b6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardlive.ru
hxxp://yardlive.net
hxxp://musiclive.net - 141.8.225.124
hxxp://yardserve.net
hxxp://musicserve.net - 185.53.177.20
hxxp://wenthello.net
hxxp://spendhello.ru
hxxp://wentmine.net
hxxp://spendmine.net
hxxp://spendhello.net
hxxp://joinlive.net
hxxp://wentserve.ru
hxxp://hanghello.net
hxxp://joinhello.net
hxxp://x12345.org - 46.4.22.145
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (miron555.org):
MD5: 0e423596c502c1e28cce0c98df2a2b6d
MD5: e75d92defb11afe50a8cc51dfe4fb6ee
MD5: adcedd763f541e625f91030ee4de7c19
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 0e423596c502c1e28cce0c98df2a2b6d
Over the years (up to present day) srvs4you@gmail.com is also known to have been used to register the following domains:
hxxp://10lann10.org
hxxp://24cargo.net
hxxp://ace-assist.biz
hxxp://activation-confirm.com
hxxp://adwoords.net
hxxp://alert-careerbuilder.com
hxxp://annebehnert.info
hxxp://apollo-services.net
hxxp://appolage.org
hxxp://auctions-ukash.com
hxxp://bbcfinancenews.com
hxxp://bestgreatoffers.org
hxxp://blackbird-registration.com
hxxp://bloomborg.biz
hxxp://businessproc1.com
hxxp://bussolutionsinc.org
hxxp://calisto-trading.com
hxxp://calisto-trading.net
hxxp://calisto-trading.org
hxxp://candy-country.com
hxxp://casheq.com
hxxp://cfca-usa.com
hxxp://cfodaily.biz
hxxp://citizenfinancial.net
hxxp://citylending.net
hxxp://clean2mail.com
hxxp://confirm-activation.com
hxxp://consultingwiz.org
hxxp://courierusa-online.com
hxxp://cristhmasx.com
hxxp://d-stanley.net
hxxp://dariazacherl.info
hxxp://des-group.com
hxxp://digital-investment-projects.com
hxxp://dns4your.net
hxxp://dvasuka.com
hxxp://easy-midnight.com
hxxp://easy-transfer.biz
hxxp://easymidnight.com
hxxp://ecareerstyle.com
hxxp://ecnoho.com
hxxp://efinancialnews.biz
hxxp://eluxuryauctions.com
hxxp://elx-ltd.net
hxxp://elx-trading.org
hxxp://elxltd.net
hxxp://emoney-ex.com
hxxp://epsincorp.net
hxxp://equitrust.org
hxxp://erobersteng.com
hxxp://erxlogistics.com
hxxp://esdeals.com
hxxp://estemaniaks.com
hxxp://eu-bis.com
hxxp://eu-cellular.com
hxxp://eubiz.org
hxxp://euwork.org
hxxp://expressdeal.info
hxxp://ezado.net
hxxp://fairwaylending.org
hxxp://fan-gaming.org
hxxp://fcinternatonal1.com
hxxp://fidelitylending.net
hxxp://financial-forbes.com
hxxp://financialnews-us.net
hxxp://firstcapitalgroup.org
hxxp://freemydns.org
hxxp://fremontlending.net
hxxp://fresh-solutions-mail.com
hxxp://fresh-solutions.us
hxxp://garnantfoundation.com
hxxp://gazenvagen.com
hxxp://globerental.com
hxxp://googmail.biz
hxxp://i-expertadvisor.com
hxxp://icebart.com
hxxp://icqdosug.com
hxxp://iesecurityupdates.com
hxxp://indigo-consulting.org
hxxp://indigo-job-with-us.com
hxxp://indigojob.com
hxxp://indigovacancies.com
hxxp://inncoming.com
hxxp://ivsentns.com
hxxp://iwiwlive.net
hxxp://iwiwonline.net
hxxp://jobs-in-eu.org
hxxp://kelermaket.com
hxxp://kklfnews.com
hxxp://knses.com
hxxp://komodok.com
hxxp://krdns.biz
hxxp://ksfcnews.com
hxxp://ksfcradio.com
hxxp://ktes314.org
hxxp://lda-import.com
hxxp://legal-solutions.org
hxxp://lgcareer.com
hxxp://lgtcareer.com
hxxp://librarysp.com
hxxp://littlexz.com
hxxp://mariawebber.org
hxxp://megamule.net
hxxp://moneycnn.biz
hxxp://njnk.net
hxxp://ns4ur.net
hxxp://nytimesnews.biz
hxxp://o2cash.net
hxxp://offsoftsolutions.com
hxxp://pcpro-tbstumm.com
hxxp://perfect-investments.org
hxxp://progold-inc.biz
hxxp://protectedsession.com
hxxp://razsuka.com
hxxp://reutors.biz
hxxp://rushop.us
hxxp://science-and-trade.com
hxxp://secure-operations.org
hxxp://securesitinngs.com
hxxp://servicessupport.biz
hxxp://sessionprotected.com
hxxp://sicil.info
hxxp://sicil256.info
hxxp://simple-investments-mail.org
hxxp://simple-investments.net
hxxp://simple-investments.org
hxxp://sp3library.com
hxxp://speeduserhost.com
hxxp://storempire.com
hxxp://tas-corporation.com
hxxp://tas-corporation.net
hxxp://tascorporation.net
hxxp://topixus.net
hxxp://tsrcorp.net
hxxp://u-file.org
hxxp://ukashauction.net
hxxp://ultragame.org
hxxp://unitedfinancegroup.org
hxxp://vanessakoepp.org
hxxp://verymonkey.com
hxxp://vesa-group.com
hxxp://vesa-group.net
hxxp://vipvipns.net
hxxp://vipvipns.org
hxxp://wondooweria.com
hxxp://wondoowerka.com
hxxp://wootpwnseal.com
hxxp://worldeconomist.biz
hxxp://wumtt-westernunion.com
hxxp://xsoftwares.com
hxxp://xxx2008xxx.com
hxxp://yourcashlive.com
hxxp://yourlive.biz
hxxp://yourmule.com
On 2008-09-25 0ki.ru was registered using the kseninkopetr@nm.ru email. The same email address is not known to have been used to register any additional domains.
On 2008-06-19 x12345.org was registered using the xix.x12345@yahoo.com email. On 2007-09-10 the domain use to respond to 66.36.243.97, then on 2007-11-13 it changed IPs to 58.65.236.10, following another change on 2008-05-06 to 203.186.128.154. No other domains are known to have been registered using the same email address.
On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, followed by another registration email change on 2008-02-12 to nepishite555suda@gmail.com. On 2007-04-24, the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, more IP changes on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 88.255.90.138.
Historically (up to present day), mironbot@gmail.com is also known to have been used to register the following domains:
hxxp://24-7onlinepharmacy.net
hxxp://bestmoviesonline.info
hxxp://brightstonepharma.com
hxxp://deapotheke.com
hxxp://dozor555.info
hxxp://my-traff.cn
hxxp://pharmacyit.net
hxxp://trffc.org
hxxp://trffc3.ru
hxxp://xmpharm.com
In, 2008, I, profiled, the, direct, compromise, of, The Dutch Embassy in Moscow Serving Malware, further, detailing, the, malicious, and, activity, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.
Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, direct, compromise, of, the, Embassy's Web, site.
On 2009-03-04, lmifsp.com was registered using the redemption@snapnames.com email. On 2007-11-30, it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 68.178.232.99.
In, 2008, I, profiled, the, direct, compromise, of, Embassy of Brazil in India Compromised, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
hxxp://google-analyze.com - 87.118.118.193
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (google-analyze.com - 87.118.118.193):
MD5: 2bcb74c95f30e3741210c0de0c1b406f
On 2008-10-15, traff.asia was registered using the traffon@gmail.com email.
On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008-03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 2008-09-15.
On 2008-08-05, google-analystic.net, is, known, to, have, responded, to, 212.117.163.162, and, was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to respond to 64.28.187.84, it then changed IPS to 85.255.120.195 on 2008-08-03, followed by another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another change on 2008-10-25 to 209.160.67.56.
On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. On 2008-11-11 it used to respond to 79.135.187.38.
In, 2009, I, profiled, the, direct, compromise, of, Ethiopian Embassy in Washington D.C Serving Malware, further, detailing, the, group's, activities, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On 2009-01-19, 1tvv.com is, known, to, have, responded, to, 69.172.201.153; 66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 74.200.250.130; 69.170.135.92; 64.74.223.38, and, was registered using the mogensen@fontdrift.com email.
On 2005-08-27, the domain (1tvv.com) is, known, to, have, responded to 198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP change on 2010-04-08 to 216.240.187.145, followed by yet another change on 2010-06-02 to 69.43.160.145, then on 2010-07-25 to 69.43.160.145.
On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email.
On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01-service.ru email.
On 2009-05-02, us18.ru, is, known, to, have, responded, to, 109.70.26.37; 185.12.92.229; 109.70.26.36, and, was registered using the belyaev_andrey@inbox.ru email.
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0b545cd12231d0a4239ce837cd371166
MD5: dae41c862130daebcff0e463e2c30e50
MD5: 601806c0a01926c2a94558148764797a
MD5: 45f97cd8df4448bbe073a38c264ef93f
MD5: 94aeba45e6fb4d17baa4989511e321b3
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: 4e0ce2f9f92ac5193c2a383de6015523
MD5: a38d47fcfdaf14372cea3de850cf487d
MD5: 014d2f1bae3611e016f96a37f98fd4b7
MD5: daad60cb300101dc05d2ff922966783b
MD5: 0a775110077e2c583be56e5fb3fa4f09
Once, executed, a, sample, malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.66.160
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
hxxp://sso.anbtr.com - 195.22.28.222
Once, executed, a, sample, malware (MD5: a38d47fcfdaf14372cea3de850cf487d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ledyazilim.com - 213.128.83.163
hxxp://ksandrafashion.com - 166.78.145.90
hxxp://lafyeri.com - 69.172.201.153
hxxp://kulppasur.com - 52.28.249.128
hxxp://toalladepapel.com.ar
trafficinc.ru, is, known, to, have, responded, to, 222.73.91.203
trafficmonsterinc.ru, is, known, to, have, responded, to, 178.208.83.7; 178.208.83.27; 91.203.4.112
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: ce4e2e12ee16d5bde67a3dc2e3da634b
MD5: 4423e04fb3616512bf98b5a565fccdd7
MD5: 33f890c294b2ac89d1ee657b94e4341d
MD5: 1c5096c3ce645582dd18758fe523840a
MD5: 1efae0b0cb06faacae46584312a12504
Once, executed, a, sample, malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7
Once, executed, a, sample, malware (MD5: 4423e04fb3616512bf98b5a565fccdd7), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://topstat.mcdir.ru - 178.208.83.7
Once, executed, a, sample, malware (MD5: 33f890c294b2ac89d1ee657b94e4341d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cadretest.ru - 178.208.83.7
Once, executed, a, sample, malware (MD5: 1c5096c3ce645582dd18758fe523840a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hxxp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26
In, 2009, I, profiled, the, direct, compromise, of Embassy of India in Spain Serving Malware, further, detailing, the, malicious, activitity, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On 2008-09-07, msn-analytics.net was registered using the palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 82.98.235.50, it then changed IPs on 2008-09-07 to 58.65.234.9, followed by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 2009-12-29, and to 85.249.229.195 on 2010-03-09.
On 2008-07-10, pinoc.org was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it responded to 58.65.234.9, it then changed IPs on 2008-08-17 to 91.203.92.13, followed by another change on 2008-08-24 to 58.65.234.9, followed by yet another change to 208.73.210.76 on 2009-10-03, and yet another change on 2009-10-06 to 96.9.186.245.
On 2008-09-20, wsxhost.net was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 wsxhost.net responded to 58.65.234.9, it then changed IPs on 2008-12-22 to 202.73.57.6, followed by another change on 2009-05-18 to 202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 213.163.89.54 on 2009-09-05.
On 2008-06-29 google-analyze.cn was registered using the johnvernet@gmail.com email.
Historically (up to present day) johnvernet@gmail.com is known to have registered the following domains:
hxxp://baidustatz.com
hxxp://edcomparison.com
hxxp://google-analyze.org
hxxp://google-stat.com
hxxp://kolkoman.com
hxxp://m-analytics.net
hxxp://pinalbal.com
hxxp://pornokman.com
hxxp://robokasa.com
hxxp://rx-white.com
hxxp://sig4forum.com
hxxp://thekapita.com
hxxp://visittds.com
msn-analytics.net, is, known, to, have, responded, to, 216.157.88.21; 85.17.25.214; 216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: eb95798965a18e7844f4c969803fbaf8
MD5: 106b6e80be769fa4a87560f82cd24b57
MD5: 519a9f1cb16399c515723143bf7ff0d0
MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5
MD5: 613e8c31edf4da1b8f8de9350a186f41
Once, executed, a, sample, malware (MD5: eb95798965a18e7844f4c969803fbaf8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://thinstall.abetterinternet.com - 85.17.25.214
hxxp://survey-winner.net - 94.229.72.117
hxxp://survey-winner.net - 208.91.196.145
hxxp://comedy-planet.com
Once, executed, a, sample, malware (MD5: 106b6e80be769fa4a87560f82cd24b57), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147
Once, executed, a, sample, malware (MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://followfortieth.net
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147
pinoc.org, is, known, to, have, responded, to, 103.224.212.222; 185.53.179.24; 185.53.179.9; 185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 000125b0d0341fc078c7bdb5b7996f9e
MD5: b3bbeaca85823d5c47e36959b286bb22
MD5: 4faa9445394ba4edf73dd67e239bcbca
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a
MD5: 38d07b2a1189eb1fd64296068fbaf08a
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://static.greatappsdownload.com - 54.230.187.48
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://ww1.os2.onlineapplicationsdownloads.com - 91.195.241.80
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://errors.myserverstat.com - 103.224.212.222
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://scripts.dlv4.com - 103.224.212.222
hxxp://ww38.scripts.dlv4.com - 185.53.179.29
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://complaintsboard.com - 208.100.35.85
hxxp://7ew8gov.firoli-sys.com - 103.224.212.222
hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234
hxxp://q8x3kb.wwwmediahosts.com - 204.11.56.48
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newworldorderreport.com - 50.63.202.29
hxxp://69jh93.firoli-sys.com - 103.224.212.222
hxxp://bpvv11ndq5.wwwmediahosts.com - 204.11.56.48
hxxp://0dbhwuja.hdmediastore.com - 45.33.9.234
wsxhost.net, is, known, to, have, responded, to, 184.168.221.45; 50.63.202.82; 69.43.161.172
Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 117036e5a7b895429e954f733e0acada
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be
MD5: 6e330742d22c5a5e99e6490de65fabd6
MD5: f1c9cd766817ccf55e30bb8af97bfdbb
MD5: 7f4145bc211089d9d3c666078c35cf3d
Once, executed, a, sample, malware (MD5: 117036e5a7b895429e954f733e0acada), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://amacweb.org
hxxp://superaffiliatehookup.com
hxxp://germanamericantax.com
hxxp://lineaidea.it
hxxp://speedysalesletter.com
Once, executed, a, sample, malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://allstatesdui.com - 50.63.202.36
hxxp://wellingtontractorparts.com - 72.167.232.158
hxxp://amacweb.org - 160.16.211.99
hxxp://nctcogic.org - 207.150.212.74
Once, executed, a, sample, malware (MD5: 6e330742d22c5a5e99e6490de65fabd6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://santele.be - 176.62.170.69
hxxp://fever98radio.com - 141.8.224.93
hxxp://brushnpaint.com - 74.220.219.132
hxxp://jameser.com - 54.236.195.15
hxxp://hillsdemocrat.com - 67.225.168.30
Once, executed, a, sample, malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://afterpeace.net - 195.38.137.100
hxxp://sellhouse.net - 184.168.221.45
Once, executed, a, sample, malware (MD5: 7f4145bc211089d9d3c666078c35cf3d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://forcerain.net
hxxp://afterrain.net - 50.63.202.43)
hxxp://forcerain.ru
hxxp://forceheld.net
google-analyze.cn, is, known, to, have, responded, to, 103.51.144.81; 184.105.178.89; 65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 50.117.122.90; 184.105.178.84; 50.117.116.204
Related malicious MD5s known to have phoned back to the same malicious C&C, server, IPs:
MD5: df05460b5e49cbba275f6d5cbd936d1d
MD5: 7732ffcf2f4cf1d834b56df1f9d815c9
MD5: 615eb515da18feb2b87c0fb5744411ac
MD5: 24fec5b3ac1d20e61f2a3de95aeb177c
MD5: 348eed9b371ddb2755eb5c2bfaa782ee
On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com email.
- google-analyze.org - Email: johnvernet@gmail.com
On, 2008-07-09, google-analyze.org , is, known, to, have, responded, to, 58.65.234.9, followed, by, a, hosting, change, on, 2008-08-17, with, google-analyze.org, responding, to, 91.203.92.13, followed, by, another, hosting, change, on, 2008-08-24, with, google-analyze.org, responding, to, 202.73.57.6.
- qwehost.com - Email: 4ykakabra@gmail.com
On, 2009-05-18, qwehost.com, is, known, to, have, responded, to, 202.73.57.11, followed, by, a, hosting, change, to, 202.73.57.11, followed, by, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 210.51.187.45.
- zxchost.com - Email: 4ykakabra@gmail.com
On, 2009-03-02, zxchost.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-25, pointing, to, 210.51.166.239.
- odile-marco.com - Email: OdileMarcotte@gmail.com
On, 2009-05-18, odile-marco.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 91.212.198.116.
- edcomparison.com - Email: johnvernet@gmail.com
On, 2009-05-18, edcomparison.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 210.51.187.45.
- fuadrenal.com - Email: fuadrenalRay@gmail.com
On, 2009-01-26, fuadrenal.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, time, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.
- rx-white.com - Email: johnvernet@gmail.com
On, 2009-05-18, rx-white.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.
In, 2009, I, profiled, the, direct, compromise, of, Embassy of Portugal in India Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On, 2009-03-30, ntkrnlpa.info, is, known, to, have, responded, to, 83.68.16.6. Related, domains, known, to, have, participated, in, the, same, campaign - betstarwager.cn; ntkrnlpa.cn.
In, 2007, I, profiled, the, direct, compromise, of, French Embassy in Libya Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On, 2008-11-05, tarog.us (Email: bobby10@mail.zp.ua), used, to, respond, to, 67.210.13.94, followed, by, a, hosting, change, on, 2009-03-02, pointing, to, 208.73.210.121. Related, domains, known, to, have, participated, in, the, campaign: fernando123.ws; winhex.org - Email: ipspec@gmail.com
On, 2007-02-18, winhex.org, used, to, respond, to, 195.189.247.56, followed, by, a, hosting, change, on, 2007-03-03, pointing, to, 89.108.85.97, followed, by, yet, another, hosting, change, on, 2007-04-29, this, time, pointing, to, 203.121.71.165, followed, by, yet, another, hosting, change, on, 2007-08-19, this, time, pointing, to, 69.41.162.77.
On, 2007-11-23, kjlksjwflk.com (Email: sflgjlkj45@yahoo.com), used, to, respond, to, 58.65.239.114, followed, by, a, hosting, change, on, 2009-02-16, pointing, to, 38.117.90.45, followed, by, yet, another, hosting, change, on, 2009-03-09, this, time, pointing, to, 216.188.26.235.
In, 2009, I, profiled, the, direct, compromise, of, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
Related, domains, known, to, have, participated, in, the, campaign:
- filmlifemusicsite.cn; promixgroup.cn; betstarwager.cn; clickcouner.cn
In, 2009, I, profiled, the, direct, compromise, of, USAID.gov compromised, malware and exploits served, further, establishing, a, direct, connection, between, the, gang's, activities, and, the, New, Media, Malware, Gang.
Related, domains, known, to, have, participated, in, the, campaign:
should-be.cn - Email: admin@brut.cn; orderasia.cn; fileuploader.cn
In, 2007, I, profiled, the, direct, compromise, of, U.S Consulate St. Petersburg Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On, 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com), used, to, respond, to, 212.175.23.114, followed, by, a, hosting, change, on, 2007-09-07, pointing, to, 209.123.181.185, followed, by, yet, another, hosting, change, on, 2007-09-27, this, time, pointing, to, 88.255.90.50, followed, by, yet, another, hosting, change, on, 2008-11-11, this, time, pointing, to, 216.188.26.235.
What's, particularly, interested, about, the, gang's, activities, is, the, fact, that, back, in 2007, the, group, pioneered, for, the, first, time, the, utilization, of, Web, malware, exploitation, kits, further, utilizing, the, infrastructure, of, the, Russian, Business, Network, successfully, launching, a, multi-tude, of, malicious, campaigns, further, spreading, malicious, software, further, utilizing, the, infrastructure, of, the, Russian, Business, Network.
Related posts:
Syrian Embassy in London Serving Malware
USAID.gov compromised, malware and exploits served
U.S Consulate St. Petersburg Serving Malware
Bank of India Serving Malware
French Embassy in Libya Serving Malware
The Dutch Embassy in Moscow Serving Malware
Ethiopian Embassy in Washington D.C Serving Malware
Embassy of India in Spain Serving Malware
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
It's, been, several, years, since, I, last, posted, an, update, regarding, the, group's, activities, including, the, direct, establishing, of, a, direct, connection, between, the, Russian, Business, Network, the, New, Media, Malware, gang, including, a, variety, of, high, profile, Web, site, compromise, campaigns.
What's, particularly, interesting, about, the, group's, activities, is, the, fact, that, back, in, 2007, the, group's, activities, used, to, dominate, the, threat, landscape, in, a, targeted, fashion, including, the, active, utilization, of, client-side, exploits, and, the, active, exploitation, of, legitimate, Web, sites, successfully, positioning, the, group, including, the, Russian, Business, Network, as, a, leading, provider, of, malicious, activities, online, leading, to, a, series, of, analyses, successfully, detailing, the, activities, of, the, group, including, the, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, Storm, Worm, botnet.
In, this, post, I'll, provide, a, detailed, analysis, of, the, group's, activities, discuss, in, the, depth, the, tactics, techniques, and, procedures, (TTPs), of, the, group, including, a, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, direct, compromise, of, a, series, of, high, profile, Web, site, compromise, campaigns.
Having, successfully, tracked, down, and, profiled, the, group's, activities, for, a, period, of, several, years, and, based, on, the, actionable, intelligence, provided, regarding, the, group's, activities, we, can, easily, establish, a, direct, connection, between, the, New, Media, Malware, Gang, and, the, Russian, Business, Network, including, a, series, of, high, profile, Web, site, compromise, campaigns.
Key Summary Points:
- RBN Connection, New Media Malware Gang connection - "ai siktir" "Die()", money mule recruitment, money laundering of virtual currency
- Actionable CYBERINT data to assist law enforcement, academics and the private sector in ongoing or past cybercrime investigations
- Complete domain portfolios registered up to the present day using the same emails used to register the malicious domains during 2007-2009 to assist law enforcement, academics and the private sector in catching up with their malicious activities over the years
- Detailed analysis of each and every campaign's domain portfolios (up to present day) further dissecting the fraudulent schemes launched by the same cybercriminals that embedded malware on the embassies' web sites
- Complete IP Hosting History for each and every of the malicious domains/command and control servers during the time of the attack
- The "Big Picture" detailing the inter-connections between the campaigns, with historical OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian Business Network
Let's, profile, the, group's, activities, including, a, direct, establishing, of, a, connection, between, the, Russian, Business, Network, the, New, Media, Malware, Gang, and, the, Storm, Worm, botnet.
In, 2007, I, profiled, the, direct, compromise, of, the, Syrian, Embassy, in, London, including, a, related, compromise of, the, USAID.gov compromised, malware and exploits served, the, U.S Consulate St. Petersburg Serving Malware, Bank of India Serving Malware, French Embassy in Libya Serving Malware, Ethiopian Embassy in Washington D.C Serving Malware, Embassy of India in Spain Serving Malware, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, detailing, the, malicious, activities, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.
Let's profile, the, campaigns, and, discuss, in, depth, the, direct, connection, between, the, group's, activities, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.
sicil.info - on 2007-09-26 during the time of the attack, the domain was registered using the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 with an IP 213.186.33.24. On 2007-07-11, it changed IPs to 203.121.79.71, followed by another change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 to 190.183.63.56.
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (sicil.info):
MD5: 4802db20da46fca2a1896d4c983b13ba
MD5: f9434d86ef2959670b73a79947b0f4d2
MD5: 32dba64ae55e7bb4850e27274da42d1b
MD5: cd6a7ff6388fbd94b7ee9cdc88ca8f4d
MD5: 57dff9e8154189f0a09fb62450decac6
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (sicil.info), are, also, the, following, malicious, domains:
144.217.69.62
63.246.128.71
207.150.177.28
66.111.47.62
66.111.47.4
66.111.47.8
Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (213.186.33.24):
MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb
MD5: 95cc3a0243aa050243ab858794c1d221
MD5: cc63d67282789e03469f2e6520c6de80
MD5: 3829506c454b86297d2828077589cbf8
MD5: 1e18b17149899d55d3625d47135a22a7
Once, executed, a, sample, malware (MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ioasis.org - 208.112.115.36
hxxp://polyhedrusgroup.com - 143.95.229.33
hxxp://espoirsetvie.com - 213.186.33.24
hxxp://ladiesdehaan.be - 185.59.17.113
hxxp://chonburicoop.net - 27.254.96.151
hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48
Related posts: Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (0ki.ru; 89.179.174.156):
MD5: cd33ea55b2d13df592663f18e6426921
MD5: 8e0c7757b82d14b988afac075e8ed5dc
MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012
MD5: e513a1b25e59670f777398894dfe41b6
MD5: 0fad43c03d80a1eb3a2c1ae9e9a6c9ed
MD5: 6e1b789f0df30ba0798fbc47cb1cec1c
MD5: 9f02232ed0ee609c8db1b98325beaa94
Once, executed, a, sample, malware (MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012), phones, back, to, the, following, C&C, server, IPs:
hxxp://lordofthepings.ru (173.254.236.159)
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz
hxxp://ladyhaha.xyz
hxxp://porkhalal.site
hxxp://rihannafap.site
hxxp://bieberfans.top
hxxp://runands.top
hxxp://frontlive.net
hxxp://offerlive.net
hxxp://frontserve.net
hxxp://offerserve.net
hxxp://hanghello.ru
hxxp://hanghello.net
hxxp://septemberhello.net
hxxp://hangmine.net
hxxp://septembermine.net
hxxp://hanglive.net
hxxp://wrongserve.ru
hxxp://wrongserve.net
hxxp://madelive.net
Once, executed, a, sample, malware (MD5: e513a1b25e59670f777398894dfe41b6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardlive.ru
hxxp://yardlive.net
hxxp://musiclive.net - 141.8.225.124
hxxp://yardserve.net
hxxp://musicserve.net - 185.53.177.20
hxxp://wenthello.net
hxxp://spendhello.ru
hxxp://wentmine.net
hxxp://spendmine.net
hxxp://spendhello.net
hxxp://joinlive.net
hxxp://wentserve.ru
hxxp://hanghello.net
hxxp://joinhello.net
hxxp://x12345.org - 46.4.22.145
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (miron555.org):
MD5: 0e423596c502c1e28cce0c98df2a2b6d
MD5: e75d92defb11afe50a8cc51dfe4fb6ee
MD5: adcedd763f541e625f91030ee4de7c19
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 0e423596c502c1e28cce0c98df2a2b6d
Over the years (up to present day) srvs4you@gmail.com is also known to have been used to register the following domains:
hxxp://10lann10.org
hxxp://24cargo.net
hxxp://ace-assist.biz
hxxp://activation-confirm.com
hxxp://adwoords.net
hxxp://alert-careerbuilder.com
hxxp://annebehnert.info
hxxp://apollo-services.net
hxxp://appolage.org
hxxp://auctions-ukash.com
hxxp://bbcfinancenews.com
hxxp://bestgreatoffers.org
hxxp://blackbird-registration.com
hxxp://bloomborg.biz
hxxp://businessproc1.com
hxxp://bussolutionsinc.org
hxxp://calisto-trading.com
hxxp://calisto-trading.net
hxxp://calisto-trading.org
hxxp://candy-country.com
hxxp://casheq.com
hxxp://cfca-usa.com
hxxp://cfodaily.biz
hxxp://citizenfinancial.net
hxxp://citylending.net
hxxp://clean2mail.com
hxxp://confirm-activation.com
hxxp://consultingwiz.org
hxxp://courierusa-online.com
hxxp://cristhmasx.com
hxxp://d-stanley.net
hxxp://dariazacherl.info
hxxp://des-group.com
hxxp://digital-investment-projects.com
hxxp://dns4your.net
hxxp://dvasuka.com
hxxp://easy-midnight.com
hxxp://easy-transfer.biz
hxxp://easymidnight.com
hxxp://ecareerstyle.com
hxxp://ecnoho.com
hxxp://efinancialnews.biz
hxxp://eluxuryauctions.com
hxxp://elx-ltd.net
hxxp://elx-trading.org
hxxp://elxltd.net
hxxp://emoney-ex.com
hxxp://epsincorp.net
hxxp://equitrust.org
hxxp://erobersteng.com
hxxp://erxlogistics.com
hxxp://esdeals.com
hxxp://estemaniaks.com
hxxp://eu-bis.com
hxxp://eu-cellular.com
hxxp://eubiz.org
hxxp://euwork.org
hxxp://expressdeal.info
hxxp://ezado.net
hxxp://fairwaylending.org
hxxp://fan-gaming.org
hxxp://fcinternatonal1.com
hxxp://fidelitylending.net
hxxp://financial-forbes.com
hxxp://financialnews-us.net
hxxp://firstcapitalgroup.org
hxxp://freemydns.org
hxxp://fremontlending.net
hxxp://fresh-solutions-mail.com
hxxp://fresh-solutions.us
hxxp://garnantfoundation.com
hxxp://gazenvagen.com
hxxp://globerental.com
hxxp://googmail.biz
hxxp://i-expertadvisor.com
hxxp://icebart.com
hxxp://icqdosug.com
hxxp://iesecurityupdates.com
hxxp://indigo-consulting.org
hxxp://indigo-job-with-us.com
hxxp://indigojob.com
hxxp://indigovacancies.com
hxxp://inncoming.com
hxxp://ivsentns.com
hxxp://iwiwlive.net
hxxp://iwiwonline.net
hxxp://jobs-in-eu.org
hxxp://kelermaket.com
hxxp://kklfnews.com
hxxp://knses.com
hxxp://komodok.com
hxxp://krdns.biz
hxxp://ksfcnews.com
hxxp://ksfcradio.com
hxxp://ktes314.org
hxxp://lda-import.com
hxxp://legal-solutions.org
hxxp://lgcareer.com
hxxp://lgtcareer.com
hxxp://librarysp.com
hxxp://littlexz.com
hxxp://mariawebber.org
hxxp://megamule.net
hxxp://moneycnn.biz
hxxp://njnk.net
hxxp://ns4ur.net
hxxp://nytimesnews.biz
hxxp://o2cash.net
hxxp://offsoftsolutions.com
hxxp://pcpro-tbstumm.com
hxxp://perfect-investments.org
hxxp://progold-inc.biz
hxxp://protectedsession.com
hxxp://razsuka.com
hxxp://reutors.biz
hxxp://rushop.us
hxxp://science-and-trade.com
hxxp://secure-operations.org
hxxp://securesitinngs.com
hxxp://servicessupport.biz
hxxp://sessionprotected.com
hxxp://sicil.info
hxxp://sicil256.info
hxxp://simple-investments-mail.org
hxxp://simple-investments.net
hxxp://simple-investments.org
hxxp://sp3library.com
hxxp://speeduserhost.com
hxxp://storempire.com
hxxp://tas-corporation.com
hxxp://tas-corporation.net
hxxp://tascorporation.net
hxxp://topixus.net
hxxp://tsrcorp.net
hxxp://u-file.org
hxxp://ukashauction.net
hxxp://ultragame.org
hxxp://unitedfinancegroup.org
hxxp://vanessakoepp.org
hxxp://verymonkey.com
hxxp://vesa-group.com
hxxp://vesa-group.net
hxxp://vipvipns.net
hxxp://vipvipns.org
hxxp://wondooweria.com
hxxp://wondoowerka.com
hxxp://wootpwnseal.com
hxxp://worldeconomist.biz
hxxp://wumtt-westernunion.com
hxxp://xsoftwares.com
hxxp://xxx2008xxx.com
hxxp://yourcashlive.com
hxxp://yourlive.biz
hxxp://yourmule.com
On 2008-09-25 0ki.ru was registered using the kseninkopetr@nm.ru email. The same email address is not known to have been used to register any additional domains.
On 2008-06-19 x12345.org was registered using the xix.x12345@yahoo.com email. On 2007-09-10 the domain use to respond to 66.36.243.97, then on 2007-11-13 it changed IPs to 58.65.236.10, following another change on 2008-05-06 to 203.186.128.154. No other domains are known to have been registered using the same email address.
On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, followed by another registration email change on 2008-02-12 to nepishite555suda@gmail.com. On 2007-04-24, the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, more IP changes on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 88.255.90.138.
Historically (up to present day), mironbot@gmail.com is also known to have been used to register the following domains:
hxxp://24-7onlinepharmacy.net
hxxp://bestmoviesonline.info
hxxp://brightstonepharma.com
hxxp://deapotheke.com
hxxp://dozor555.info
hxxp://my-traff.cn
hxxp://pharmacyit.net
hxxp://trffc.org
hxxp://trffc3.ru
hxxp://xmpharm.com
In, 2008, I, profiled, the, direct, compromise, of, The Dutch Embassy in Moscow Serving Malware, further, detailing, the, malicious, and, activity, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.
Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, direct, compromise, of, the, Embassy's Web, site.
On 2009-03-04, lmifsp.com was registered using the redemption@snapnames.com email. On 2007-11-30, it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 68.178.232.99.
In, 2008, I, profiled, the, direct, compromise, of, Embassy of Brazil in India Compromised, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
hxxp://google-analyze.com - 87.118.118.193
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (google-analyze.com - 87.118.118.193):
MD5: 2bcb74c95f30e3741210c0de0c1b406f
On 2008-10-15, traff.asia was registered using the traffon@gmail.com email.
On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008-03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 2008-09-15.
On 2008-08-05, google-analystic.net, is, known, to, have, responded, to, 212.117.163.162, and, was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to respond to 64.28.187.84, it then changed IPS to 85.255.120.195 on 2008-08-03, followed by another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another change on 2008-10-25 to 209.160.67.56.
On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. On 2008-11-11 it used to respond to 79.135.187.38.
In, 2009, I, profiled, the, direct, compromise, of, Ethiopian Embassy in Washington D.C Serving Malware, further, detailing, the, group's, activities, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On 2009-01-19, 1tvv.com is, known, to, have, responded, to, 69.172.201.153; 66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 74.200.250.130; 69.170.135.92; 64.74.223.38, and, was registered using the mogensen@fontdrift.com email.
On 2005-08-27, the domain (1tvv.com) is, known, to, have, responded to 198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP change on 2010-04-08 to 216.240.187.145, followed by yet another change on 2010-06-02 to 69.43.160.145, then on 2010-07-25 to 69.43.160.145.
On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email.
On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01-service.ru email.
On 2009-05-02, us18.ru, is, known, to, have, responded, to, 109.70.26.37; 185.12.92.229; 109.70.26.36, and, was registered using the belyaev_andrey@inbox.ru email.
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0b545cd12231d0a4239ce837cd371166
MD5: dae41c862130daebcff0e463e2c30e50
MD5: 601806c0a01926c2a94558148764797a
MD5: 45f97cd8df4448bbe073a38c264ef93f
MD5: 94aeba45e6fb4d17baa4989511e321b3
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: 4e0ce2f9f92ac5193c2a383de6015523
MD5: a38d47fcfdaf14372cea3de850cf487d
MD5: 014d2f1bae3611e016f96a37f98fd4b7
MD5: daad60cb300101dc05d2ff922966783b
MD5: 0a775110077e2c583be56e5fb3fa4f09
Once, executed, a, sample, malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.66.160
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
hxxp://sso.anbtr.com - 195.22.28.222
Once, executed, a, sample, malware (MD5: a38d47fcfdaf14372cea3de850cf487d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ledyazilim.com - 213.128.83.163
hxxp://ksandrafashion.com - 166.78.145.90
hxxp://lafyeri.com - 69.172.201.153
hxxp://kulppasur.com - 52.28.249.128
hxxp://toalladepapel.com.ar
trafficinc.ru, is, known, to, have, responded, to, 222.73.91.203
trafficmonsterinc.ru, is, known, to, have, responded, to, 178.208.83.7; 178.208.83.27; 91.203.4.112
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: ce4e2e12ee16d5bde67a3dc2e3da634b
MD5: 4423e04fb3616512bf98b5a565fccdd7
MD5: 33f890c294b2ac89d1ee657b94e4341d
MD5: 1c5096c3ce645582dd18758fe523840a
MD5: 1efae0b0cb06faacae46584312a12504
Once, executed, a, sample, malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7
Once, executed, a, sample, malware (MD5: 4423e04fb3616512bf98b5a565fccdd7), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://topstat.mcdir.ru - 178.208.83.7
Once, executed, a, sample, malware (MD5: 33f890c294b2ac89d1ee657b94e4341d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cadretest.ru - 178.208.83.7
Once, executed, a, sample, malware (MD5: 1c5096c3ce645582dd18758fe523840a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hxxp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26
In, 2009, I, profiled, the, direct, compromise, of Embassy of India in Spain Serving Malware, further, detailing, the, malicious, activitity, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On 2008-09-07, msn-analytics.net was registered using the palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 82.98.235.50, it then changed IPs on 2008-09-07 to 58.65.234.9, followed by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 2009-12-29, and to 85.249.229.195 on 2010-03-09.
On 2008-07-10, pinoc.org was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it responded to 58.65.234.9, it then changed IPs on 2008-08-17 to 91.203.92.13, followed by another change on 2008-08-24 to 58.65.234.9, followed by yet another change to 208.73.210.76 on 2009-10-03, and yet another change on 2009-10-06 to 96.9.186.245.
On 2008-09-20, wsxhost.net was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 wsxhost.net responded to 58.65.234.9, it then changed IPs on 2008-12-22 to 202.73.57.6, followed by another change on 2009-05-18 to 202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 213.163.89.54 on 2009-09-05.
On 2008-06-29 google-analyze.cn was registered using the johnvernet@gmail.com email.
Historically (up to present day) johnvernet@gmail.com is known to have registered the following domains:
hxxp://baidustatz.com
hxxp://edcomparison.com
hxxp://google-analyze.org
hxxp://google-stat.com
hxxp://kolkoman.com
hxxp://m-analytics.net
hxxp://pinalbal.com
hxxp://pornokman.com
hxxp://robokasa.com
hxxp://rx-white.com
hxxp://sig4forum.com
hxxp://thekapita.com
hxxp://visittds.com
msn-analytics.net, is, known, to, have, responded, to, 216.157.88.21; 85.17.25.214; 216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: eb95798965a18e7844f4c969803fbaf8
MD5: 106b6e80be769fa4a87560f82cd24b57
MD5: 519a9f1cb16399c515723143bf7ff0d0
MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5
MD5: 613e8c31edf4da1b8f8de9350a186f41
Once, executed, a, sample, malware (MD5: eb95798965a18e7844f4c969803fbaf8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://thinstall.abetterinternet.com - 85.17.25.214
hxxp://survey-winner.net - 94.229.72.117
hxxp://survey-winner.net - 208.91.196.145
hxxp://comedy-planet.com
Once, executed, a, sample, malware (MD5: 106b6e80be769fa4a87560f82cd24b57), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147
Once, executed, a, sample, malware (MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://followfortieth.net
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147
pinoc.org, is, known, to, have, responded, to, 103.224.212.222; 185.53.179.24; 185.53.179.9; 185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 000125b0d0341fc078c7bdb5b7996f9e
MD5: b3bbeaca85823d5c47e36959b286bb22
MD5: 4faa9445394ba4edf73dd67e239bcbca
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a
MD5: 38d07b2a1189eb1fd64296068fbaf08a
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://static.greatappsdownload.com - 54.230.187.48
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://ww1.os2.onlineapplicationsdownloads.com - 91.195.241.80
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://errors.myserverstat.com - 103.224.212.222
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://scripts.dlv4.com - 103.224.212.222
hxxp://ww38.scripts.dlv4.com - 185.53.179.29
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://complaintsboard.com - 208.100.35.85
hxxp://7ew8gov.firoli-sys.com - 103.224.212.222
hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234
hxxp://q8x3kb.wwwmediahosts.com - 204.11.56.48
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newworldorderreport.com - 50.63.202.29
hxxp://69jh93.firoli-sys.com - 103.224.212.222
hxxp://bpvv11ndq5.wwwmediahosts.com - 204.11.56.48
hxxp://0dbhwuja.hdmediastore.com - 45.33.9.234
wsxhost.net, is, known, to, have, responded, to, 184.168.221.45; 50.63.202.82; 69.43.161.172
Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 117036e5a7b895429e954f733e0acada
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be
MD5: 6e330742d22c5a5e99e6490de65fabd6
MD5: f1c9cd766817ccf55e30bb8af97bfdbb
MD5: 7f4145bc211089d9d3c666078c35cf3d
Once, executed, a, sample, malware (MD5: 117036e5a7b895429e954f733e0acada), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://amacweb.org
hxxp://superaffiliatehookup.com
hxxp://germanamericantax.com
hxxp://lineaidea.it
hxxp://speedysalesletter.com
Once, executed, a, sample, malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://allstatesdui.com - 50.63.202.36
hxxp://wellingtontractorparts.com - 72.167.232.158
hxxp://amacweb.org - 160.16.211.99
hxxp://nctcogic.org - 207.150.212.74
Once, executed, a, sample, malware (MD5: 6e330742d22c5a5e99e6490de65fabd6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://santele.be - 176.62.170.69
hxxp://fever98radio.com - 141.8.224.93
hxxp://brushnpaint.com - 74.220.219.132
hxxp://jameser.com - 54.236.195.15
hxxp://hillsdemocrat.com - 67.225.168.30
Once, executed, a, sample, malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://afterpeace.net - 195.38.137.100
hxxp://sellhouse.net - 184.168.221.45
Once, executed, a, sample, malware (MD5: 7f4145bc211089d9d3c666078c35cf3d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://forcerain.net
hxxp://afterrain.net - 50.63.202.43)
hxxp://forcerain.ru
hxxp://forceheld.net
google-analyze.cn, is, known, to, have, responded, to, 103.51.144.81; 184.105.178.89; 65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 50.117.122.90; 184.105.178.84; 50.117.116.204
Related malicious MD5s known to have phoned back to the same malicious C&C, server, IPs:
MD5: df05460b5e49cbba275f6d5cbd936d1d
MD5: 7732ffcf2f4cf1d834b56df1f9d815c9
MD5: 615eb515da18feb2b87c0fb5744411ac
MD5: 24fec5b3ac1d20e61f2a3de95aeb177c
MD5: 348eed9b371ddb2755eb5c2bfaa782ee
On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com email.
- google-analyze.org - Email: johnvernet@gmail.com
On, 2008-07-09, google-analyze.org , is, known, to, have, responded, to, 58.65.234.9, followed, by, a, hosting, change, on, 2008-08-17, with, google-analyze.org, responding, to, 91.203.92.13, followed, by, another, hosting, change, on, 2008-08-24, with, google-analyze.org, responding, to, 202.73.57.6.
- qwehost.com - Email: 4ykakabra@gmail.com
On, 2009-05-18, qwehost.com, is, known, to, have, responded, to, 202.73.57.11, followed, by, a, hosting, change, to, 202.73.57.11, followed, by, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 210.51.187.45.
- zxchost.com - Email: 4ykakabra@gmail.com
On, 2009-03-02, zxchost.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-25, pointing, to, 210.51.166.239.
- odile-marco.com - Email: OdileMarcotte@gmail.com
On, 2009-05-18, odile-marco.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 91.212.198.116.
- edcomparison.com - Email: johnvernet@gmail.com
On, 2009-05-18, edcomparison.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 210.51.187.45.
- fuadrenal.com - Email: fuadrenalRay@gmail.com
On, 2009-01-26, fuadrenal.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, time, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.
- rx-white.com - Email: johnvernet@gmail.com
On, 2009-05-18, rx-white.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.
In, 2009, I, profiled, the, direct, compromise, of, Embassy of Portugal in India Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On, 2009-03-30, ntkrnlpa.info, is, known, to, have, responded, to, 83.68.16.6. Related, domains, known, to, have, participated, in, the, same, campaign - betstarwager.cn; ntkrnlpa.cn.
In, 2007, I, profiled, the, direct, compromise, of, French Embassy in Libya Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On, 2008-11-05, tarog.us (Email: bobby10@mail.zp.ua), used, to, respond, to, 67.210.13.94, followed, by, a, hosting, change, on, 2009-03-02, pointing, to, 208.73.210.121. Related, domains, known, to, have, participated, in, the, campaign: fernando123.ws; winhex.org - Email: ipspec@gmail.com
On, 2007-02-18, winhex.org, used, to, respond, to, 195.189.247.56, followed, by, a, hosting, change, on, 2007-03-03, pointing, to, 89.108.85.97, followed, by, yet, another, hosting, change, on, 2007-04-29, this, time, pointing, to, 203.121.71.165, followed, by, yet, another, hosting, change, on, 2007-08-19, this, time, pointing, to, 69.41.162.77.
On, 2007-11-23, kjlksjwflk.com (Email: sflgjlkj45@yahoo.com), used, to, respond, to, 58.65.239.114, followed, by, a, hosting, change, on, 2009-02-16, pointing, to, 38.117.90.45, followed, by, yet, another, hosting, change, on, 2009-03-09, this, time, pointing, to, 216.188.26.235.
In, 2009, I, profiled, the, direct, compromise, of, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
Related, domains, known, to, have, participated, in, the, campaign:
- filmlifemusicsite.cn; promixgroup.cn; betstarwager.cn; clickcouner.cn
In, 2009, I, profiled, the, direct, compromise, of, USAID.gov compromised, malware and exploits served, further, establishing, a, direct, connection, between, the, gang's, activities, and, the, New, Media, Malware, Gang.
Related, domains, known, to, have, participated, in, the, campaign:
should-be.cn - Email: admin@brut.cn; orderasia.cn; fileuploader.cn
In, 2007, I, profiled, the, direct, compromise, of, U.S Consulate St. Petersburg Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.
On, 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com), used, to, respond, to, 212.175.23.114, followed, by, a, hosting, change, on, 2007-09-07, pointing, to, 209.123.181.185, followed, by, yet, another, hosting, change, on, 2007-09-27, this, time, pointing, to, 88.255.90.50, followed, by, yet, another, hosting, change, on, 2008-11-11, this, time, pointing, to, 216.188.26.235.
What's, particularly, interested, about, the, gang's, activities, is, the, fact, that, back, in 2007, the, group, pioneered, for, the, first, time, the, utilization, of, Web, malware, exploitation, kits, further, utilizing, the, infrastructure, of, the, Russian, Business, Network, successfully, launching, a, multi-tude, of, malicious, campaigns, further, spreading, malicious, software, further, utilizing, the, infrastructure, of, the, Russian, Business, Network.
Related posts:
Syrian Embassy in London Serving Malware
USAID.gov compromised, malware and exploits served
U.S Consulate St. Petersburg Serving Malware
Bank of India Serving Malware
French Embassy in Libya Serving Malware
The Dutch Embassy in Moscow Serving Malware
Ethiopian Embassy in Washington D.C Serving Malware
Embassy of India in Spain Serving Malware
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Dancho Danchev's Mind Streams of Information Security Knowledge - The World's Most Comprehensive Threats Database
Dear blog readers, it's been several years since I last posted a quality update, further sharing actionable intelligence with the security community. As, it's been several years since I last posted a quality update I feel it's about time that we take the stakes a little higher by successfully launching what can be best described as the industry's leading and most versatile JSON-capable threats database successfully empowering companies and security researchers with the necessary knowledge to stay ahead of current and emerging threats, further, positioning their company and enterprise on the top of its game.
02. How to request access?
Approach me at ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
03. How do obtain automated access?
The database is delivered daily/weekly/quarterly in MISP-friendly JSON-capable format, including STIX coverage.
04. Tell me more about the pricing options?
One time purchase of the entire database starts at $2,500. Monthly, subscriptions, covering daily, and, weekly updates, start, at $4,000, including, guaranteed access to in-house, all-source, analysis, including, and, daily, and, monthly, updates.
06. What does the database cover?
- Russian Business Network coverage
- Koobface Botnet coverage
- Kneber Botnet coverage
- Hundreds of IOCs (Indicators of Compromise)
- Tactics Techniques and Procedures In-Depth Coverage
- Malicious and fraudulent infrastructure mapped and exposed
- Malicious and fraudulent Blackhat SEO coverage
- Malicious spam and phishing campaigns
- Malicious and fraudulent scareware campaigns
- Malicious and fraudulent money mule recruitment scams
- Malicious and fraudulent reshipping mule recruitment scams
- Web based mass attack compromise fraudulent and malicious campaigns
- Malicious and fraudulent client-side exploits serving campaigns
07. How often does it update?
Updates as issued on a daily, weekly, monthly, basis, guaranteeing, unlimited access to in-house analysis, all-source analysis, guaranteeing access to daily, weekly, and, monthly updates.
Enjoy!
02. How to request access?
Approach me at ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
03. How do obtain automated access?
The database is delivered daily/weekly/quarterly in MISP-friendly JSON-capable format, including STIX coverage.
04. Tell me more about the pricing options?
One time purchase of the entire database starts at $2,500. Monthly, subscriptions, covering daily, and, weekly updates, start, at $4,000, including, guaranteed access to in-house, all-source, analysis, including, and, daily, and, monthly, updates.
06. What does the database cover?
- Russian Business Network coverage
- Koobface Botnet coverage
- Kneber Botnet coverage
- Hundreds of IOCs (Indicators of Compromise)
- Tactics Techniques and Procedures In-Depth Coverage
- Malicious and fraudulent infrastructure mapped and exposed
- Malicious and fraudulent Blackhat SEO coverage
- Malicious spam and phishing campaigns
- Malicious and fraudulent scareware campaigns
- Malicious and fraudulent money mule recruitment scams
- Malicious and fraudulent reshipping mule recruitment scams
- Web based mass attack compromise fraudulent and malicious campaigns
- Malicious and fraudulent client-side exploits serving campaigns
07. How often does it update?
Updates as issued on a daily, weekly, monthly, basis, guaranteeing, unlimited access to in-house analysis, all-source analysis, guaranteeing access to daily, weekly, and, monthly updates.
Enjoy!
Threat Intelligence - An Adaptive Approach to Information Security - Free Consultation Available
Dear, blog, readers, as, of, today, I'm, making, publicly, available, my, portfolio, of, services, including, active, threat, intelligence, gathering, and, processing, cybercriminals, and, network, assets, profiling, real, life, personalization, of, malicious, actors, OSINT, analyses, in-depth, understanding, and, processing, of, tactics, techniques, and, procedures (TTPs), including, the, production, of, custom, timely, and, relevant, managed, or, on, demand, client-tailored, reports, and, analysis, briefs, covering, managed, security, blogging, and, conference, attendance, cybercrime, malware, botnets, and, threat, intelligence, including, the, coverage, of, geopolitically, relevant, cyber, threat, assessments.
The, portfolio, of, services, includes, but, is, not, limited, to:
Real-time, managed, or, on, demand, analysis, briefs, and, reports, production:
- analysis, briefs, and, timely, and, relevant, reports, covering, cybercrime, malware, botnets, and, threat, intelligence, including, but, not, limited, to, tactics, techniques, and, procedures (TTPs), real, life, personalization, of, cybercriminals, and, network, assets
Geopolitically, relevant, and, geographically, selected, threat, intelligence, processing, and, gathering, relevant, reports:
- geopolitically, relevant, coverage, of, selected, geographic, regions, covering, cybercrime, malware, botnets, and, threat, intelligence, including, but, limited, to, tactics, techniques, and, procedures (TTPs), real, life, personalization, of, cybercriminals, and, network assets
Managed, security, blogging, and, presentation, conference, attendance:
- threat, intelligence, processing, as, a, service, including, but, not, limited, to, the, managed, processing, and, communication, of, threat, intelligence, gathering, and, processing, information, in, the, form, of, managed, communication, to, a, selected, set, of, audiences, including, but, not, limited, to, security, blogging, and, conferences, attendance, on, behalf, of, a, selected, enterprise, further, positioning, its, understanding, and, reaching, out, to, selected, clients
Managed, tactics, techniques, and, procedures (TTPs), processing, managing, and, gathering, analysis, and, reports:
- in-depth, understanding, of, tactics, techniques, and, procesures (TTPs), relevant, to, a, specific, cybercrime, group, geopolitically, relevant, region, or, a, selected, geographically, relevant, region
Enjoy!
DDanchev is for Hire!
Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?
Send your proposition to: ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Send your proposition to: ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Book Proposal - Seeking Sponsorship - Publisher Contact
Dear, blog, readers, as, I'm, currently, busy, writing, a, book, I'm looking for, a publisher, who's, interested, in, publishing, it, with, the, book, proposal, available, on, request.
Send your proposal to: ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Send your proposal to: ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Project Proposal - Cybercrime Research - Seeking Investment
Dear blog readers, I'm currently seeking an investment regarding a cybercrime research project, with, the, project, proposal, available, on request.
Send your proposal at: ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Send your proposal at: ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Invitation to Join a Security Community
Dear blog readers, as I'm currently busy launching a private security community, I decided, to publicly announce, its, existence.
Topics of discussion:
- cybercrime research
- threat intelligence
- malicious software
Request an invite: ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Topics of discussion:
- cybercrime research
- threat intelligence
- malicious software
Request an invite: ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011
Dancho Danchev's 2010 Disappearance - An Elaboration
UPDATE: Prior, to, my, stay, in, another, town, I, was, contacted, by, Riva Richmond, (riva@rivarichmond.com), and, set, up, a, meeting, to, discuss, a, potential, New York Times, article.
UPDATE: Prior, to, my, stay, at, this, particular, apartment, I, contacted, Nart Villeneuve, (n.villeneuve@secdev.ca), seeking, assistance, signaling, potential, trouble.
UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, the, same, person, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), was, released, by, another, person, known, as, Nesho Sheygunov (https://www.facebook.com/nesho.sheygunov).
UPDATE: While, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, another, person, that, I, know, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), was, taken, to, the, room, where, I, was, confined, and, I, spent, a, night, in, the, corridor.
UPDATE: While, I, was, taken, to, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, I, had, my, phone, taken, and, I, was, confined.UPDATE: While, I, was, taken, out, of, my, place, to, an, unknown, car, the, fuel, was, charged, to, someone, that, I, know.
UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), I, was, offered, to, take, vitamins.
UPDATE: My, place, was, recently, visited, by, unknown, men, taking, me, to, local, police, department (hxxp://troyan-police.com; police_troyan@abv.bg), and, asking, me, to, write, that, my, equipment, was, interfering, with, that, of, local, police, department.
UPDATE: Prior, to, my, visit, at, a, local, hotel, (hxxp://central-hotel.com/en; central@central-hotel.com), some, of, my, clothes, were, missing.
UPDATE: It, appears, that, my, place, was, recently, supposedly, visited, by, Plamen, Dakov (hxxp://universalstroi.com), Hristo, Radionov (hxxp://universalstroi.com; hxxp://www.facebook.com/hristo.radionov), and, Ivailo, Dochkov (hxxp://www.facebook.com/ivodivo), who, left, money, for, me.UPDATE: Prior, to, my, attendance, in, a, local, institution (dpblovech@abv.bg), Ivailo, Dochkov (hxxp://www.facebook.com/ivodivo), tried, to, meet, me.
UPDATE: Prior, to, my, attendance, at, this, particular, apartment, I, was, invited, by, Briana Papa (Briana@crenshawcomm.com), to, visit, Prague, on, behalf, of, Avast! Software, where, I, met, with, Vince Steckler (steckler@avast.com), and, Miloslav, Korenko (korenko@avast.com), where, I, met, with, Lucian Constantin (hxxp://twitter.com/lconstantin). 
Prior, to, my, attendance, at, this, apartment, I, was, also, invited, to, another, event, held, at, INTERPOL, by, Steve Santorelli
(steve.santorelli@gmail.com), which, I, successfully, attended, and, presented, at, where, I, also, met, with, Krassimir Tzvetanov (krassi@krassi.biz).
Something, else, worth, pointing, out, is, that, my, place, is, visited, by, an, unknown, woman, known, as, Boriana Mihovska, an, unknown, man, known, as, Leonid, an, unknown, person, known, as, Tzvetan Georgiev (hxxp://www.youtube.com/user/laron640); (hxxp://plus.google.com/107108766077365473231), and, an, unknown, person, known, as, Dobrin Danchev (hxxp://www.facebook.com/dobrin.danchev); (hxxp://www.sibir.bg/parachut).
The, most, recent, visit, to, my, place, was, by, a, person, known, as, Vasil, Stanev, from DANS (dans@dans.bg), who, was, supposedly, asking, me, to, take, a, job, and, consequently, asked, me, to, attend, a, doctor, session.
Dear, blog, readers, I, feel, it's, about, time, I, post, an, honest, response, regarding, my, disappearance, in, 2010, with, the, purpose, of, information, my, readers, on, my, current, situation, and, to, continue, posting, and, contributing, valuable, threat, intelligence, to, the, security, community.In, 2010, I, moved, to, an, apartment, located, in, another, town, and, apparently, my, apartment, have, been, vandalized, including, persistent, harassment, by, my, neighbors, including, a, possible, illegal, entry, courtesy, of, the, person, responsible, for, hiring, the, apartment (Kalin Petrov; kalin_petrov@hotmail.com).
After, a, persistent, chase, down, and, harassment, courtesy, of, the, person, responsible, for, hiring, the, apartment, I, received, a, notice, to, leave, and, had, my, apartment, visited, by, the, person, responsible, for, hiring, including, another, man, including, another, man, that, was, supposedly, supposed, to, take, care, of, my, belongings.
Prior, to, my, accommodation, I, was, contacted, by, Pauline, Roberts (pauline.roberts@ic.fbi.gov), who, recommended, me, to, Yavor, Kolev (javor.kolev@gmail.com), and, Albena, Spasova (albaadvisors@gmail.com), from, Bulgarian, local, authorities, followed, by, a, series, of, communication.
A, few, hours, later, I, find, myself, located, in, an, institution (dpblovech@abv.bg), for, a, period, of, three, months, without, anyone, explaining, the, reason, for, holding, me, there. Upon, entering, I, had, my, phone, taken, without, having, received, any, sort, of, explanation, for, taking, me, and, holding, me, there.
I, can, be, reached, at +359 888 996 888, or, at, ddanchev@protonmail.ch
Subscribe to:
Posts (Atom)