Saturday, May 21, 2016

DDanchev is for Hire!

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?

Send your proposition to: ddanchev@protonmail.ch

Book Proposal - Seeking Sponsorship - Publisher Contact

Dear, blog, readers, as, I'm, currently, busy, writing, a, book, I'm looking for, a publisher, who's, interested, in, publishing, it, with, the, book, proposal, available, on, request.

Send your proposal to: ddanchev@protonmail.ch

Invitation to Join a Security Community

Dear blog readers, as I'm currently busy launching a private security community, I decided, to publicly announce, its, existence.

Topics of discussion:
- cybercrime research
- threat intelligence
- malicious software

Request an invite: ddanchev@protonmail.ch

Project Proposal - Cybercrime Research - Seeking Investment

Dear blog readers, I'm currently seeking an investment regarding a cybercrime research project, with, the, project, proposal, available, on request.

Send your proposal at: ddanchev@protonmail.ch

Tuesday, May 17, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted, yet, another, malicious, mobile, malware, exposing, users, to, a, multi-tude, of, malicious, software.

In this, post, we'll, profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Malicious MD5 known to have been part of the campaign:
MD5: febc8518183e13114e7e4da996e64270

Once executed a sample malware phones back to the following C&C server:
hxxp://adultix.ru - 91.200.14.105; 185.87.51.121; 94.142.141.18
hxxp://xxxmobiletubez.com - 54.72.130.67; 89.144.14.59

Known to have responded to the same malicious C&C server IP (91.200.14.105) are also the following malicious domains:
hxxp://adultix.ru
hxxp://pixtrxxx.com
hxxp://coreectway.com
hxxp://filingun.com.ua

Known to have responded to the same malicious C&C server IP (185.87.51.121):
hxxp://adultix.ru
hxxp://updsandr.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (185.87.51.121):
MD5: 662e459a0b3a08f5632934565e8d898e

Known to have responded to the same malicious C&C server IP (94.142.141.18) are also the following malicious domains:
hxxp://updforphone.com
hxxp://adultix.ru

Related malicious MD5s, know, to, have, phoned, back, to, the, same, C&C server IP (91.200.14.105):
MD5: 034f764d5d87d15680fff0256a7cf3f0
MD5: 6a5320f495250ab5e1965fcc3814ef06
MD5: 5a324d1e2dd88a57df0ae34ef1c8c687
MD5: d8f1b92d104c4e68e86f99e7f855caf8
MD5: 1b31d8db32fb7117d7cf985940a10c54

Known to have phoned back to the same malicious C&C server IP (54.72.130.67) are also the following malicious MD5s:
MD5: 007dbbed15e254cba024ea1fb553fbb2
MD5: 0b6c1377fc124cc5de66f39397d0a502
MD5: 2cfba1bce9ee1cfe1f371bcf1755840d
MD5: 26004eacdd59dcc4fd5fd82423079182
MD5: 2a1cfc13dac8cea53ce8937ee9b7a2fe

Once executed a sample malware phones back to the following C&C server:
hxxp://toolkitgold.org (54.72.130.67)

We'll continue monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've, recently, intercepted, yet, another, malicious, malware-serving, campaign, targeting, Google Play, and, exposing, unsuspecting, users, to, a, variety, of, malicious, software.

In this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Known malicious MD5s, used, in, the, campaign:
MD5: 6f37c58e5513264fd43c6dd21b6dff32
MD5: 933171dbfc5bf49cadfb8c6698a86cec
MD5: d1ab7350b4e12d8ac567f4f937c10b87
MD5: bd33b1133cb5376b660f02c340eea578

Once executed, sample, malware, phones, back, to, the, following C&C server:
hxxp://beest-gamess.com - 85.25.217.151

Known C&C servers, used, in, the, campaign:
hxxp://ldatjgf.goog-upps.pw - 50.30.36.1
hxxp://uwiaoqx.marshmallovw.com/ - 209.126.117.83
hxxp://google-market2016.com - 217.12.223.34

Known to have responded to the same malicious C&C server IP (50.30.36.1), are, also, the, following, malicious, domains:
hxxp://iaohzcd.goog-upps.pw
hxxp://datjgf.goog-upps.pw
hxxp://lrbixtp.goog-upps.pw
hxxp://wqhdzry.goog-upps.pw
hxxp://tqbkmoy.goog-upps.pw

Known to have responded to the same malicious C&C server IP (209.126.117.83), are, also, the, following, malicious, domains:
hxxp://uppdate-android.com
hxxp://ysknauo.android-update17.pw
hxxp://updateosystem.online
hxxp://updateosystem.site
hxxp://rfdgqsc.update-android-8.xyz
hxxp://updateosystem.com
hxxp://gyfwlxt.update-android-4.xyz
hxxp://update-android-4.xyz
hxxp://update-android-0.xyz
hxxp://update-android-1.xyz
hxxp://iauxelv.marshmallovw.com
hxxp://xklzogn.installingmarshmallow.com
hxxp://ytprkmg.marshmallovw.com
hxxp://zknmvga.android-update15.pw
hxxp://btxiqkw.installingmarshmallow.com
hxxp://dqhukoe.installingmarshmallow.com
hxxp://klmtifg.installingmarshmallow.com
hxxp://rxebgnj.installingmarshmallow.com
hxxp://srwflih.installingmarshmallow.com
hxxp://vtgqfcy.marshmallovw.com
hxxp://xvyhwri.marshmallovw.com
hxxp://zxvmqas.installingmarshmallow.com
hxxp://neqmcij.android-update14.pw
hxxp://sdljykc.android-update14.pw
hxxp://absdfvo.android-update15.pw
hxxp://android-update15.pw
hxxp://android-update16.pw
hxxp://awsvgdq.android-update15.pw
hxxp://azhdoxi.android-update15.pw
hxxp://czrptsq.android-update15.pw
hxxp://deluvgs.android-update15.pw
hxxp://dywsaxz.android-update15.pw
hxxp://ebadrwp.android-update15.pw
hxxp://eoiqnwt.android-update15.pw
hxxp://fcibqkz.android-update15.pw
hxxp://fjrklxo.android-update15.pw
hxxp://fwmlsgc.android-update15.pw
hxxp://gldkxub.android-update15.pw
hxxp://hdnloxt.android-update15.pw
hxxp://hdukcea.android-update15.pw
hxxp://hykpbgt.android-update15.pw
hxxp://kbvdqfy.android-update15.pw
hxxp://ljpwbdo.android-update15.pw
hxxp://nbuxlte.android-update15.pw
hxxp://nlezybf.android-update15.pw
hxxp://puafoqt.android-update15.pw
hxxp://qantucb.android-update15.pw
hxxp://qsdmgot.android-update15.pw
hxxp://qzudjyw.android-update15.pw
hxxp://rwfhycb.android-update15.pw
hxxp://rykvsme.android-update15.pw
hxxp://sacjpvl.android-update15.pw
hxxp://sejmxda.android-update15.pw
hxxp://smbanpz.android-update15.pw
hxxp://spjuoza.android-update15.pw
hxxp://srfulbg.android-update15.pw
hxxp://tngezrs.android-update15.pw
hxxp://tnhfaux.android-update15.pw
hxxp://txeyzld.android-update15.pw
hxxp://vzjoasl.android-update15.pw
hxxp://wobsmtc.android-update15.pw
hxxp://xmhgfas.android-update15.pw
hxxp://yufwkqm.android-update15.pw
hxxp://zuxvsqd.android-update15.pw
hxxp://android-update14.pw
hxxp://android-update17.pw
hxxp://anejzpi.android-update17.pw
hxxp://avdeymo.android-update15.pw
hxxp://beswdhm.android-update14.pw
hxxp://blisztk.android-update16.pw
hxxp://bmedkfx.android-update17.pw
hxxp://cgloekx.android-update17.pw
hxxp://cmkxsbu.android-update15.pw
hxxp://cxzmjty.android-update15.pw
hxxp://duyzpsk.android-update15.pw
hxxp://eikjgwc.android-update16.pw
hxxp://ekogdhq.android-update17.pw
hxxp://fldsxwj.android-update15.pw
hxxp://fpgsduq.android-update14.pw
hxxp://gfaulvq.android-update16.pw
hxxp://iaupbtn.android-update15.pw
hxxp://ilcskyb.android-update15.pw
hxxp://ingvbqf.android-update15.pw
hxxp://iqtudlh.android-update14.pw
hxxp://ivpjbnq.android-update17.pw
hxxp://ixzgoue.android-update15.pw
hxxp://jbyxoeq.android-update17.pw
hxxp://jdgrvtx.android-update14.pw
hxxp://jugbhve.android-update15.pw
hxxp://jvintuc.android-update15.pw
hxxp://jznwbmh.android-update15.pw
hxxp://kcbwfmx.android-update17.pw
hxxp://kjqpdli.android-update16.pw
hxxp://lbqzsmf.android-update17.pw
hxxp://ldjgqys.android-update14.pw
hxxp://lmbdrht.android-update14.pw
hxxp://lxbkact.android-update17.pw
hxxp://lyaibec.android-update16.pw
hxxp://movqcrj.android-update14.pw
hxxp://moxeuyn.android-update16.pw
hxxp://mtnvpux.android-update14.pw
hxxp://ncmokfd.android-update16.pw
hxxp://nmhbjwc.android-update16.pw
hxxp://ntlrqih.android-update17.pw
hxxp://nxuivhl.android-update16.pw
hxxp://okthyij.android-update14.pw
hxxp://omcpusk.android-update17.pw
hxxp://oryudhs.android-update17.pw
hxxp://ozdkhwj.android-update16.pw
hxxp://ozfkcgn.android-update14.pw
hxxp://peytxrn.android-update16.pw
hxxp://piolzns.android-update16.pw
hxxp://pqunxfj.android-update17.pw
hxxp://pwkjdar.android-update14.pw
hxxp://qblgpyw.android-update17.pw
hxxp://qfzpmbu.android-update17.pw
hxxp://qlshbur.android-update16.pw
hxxp://qpylhtb.android-update15.pw
hxxp://qzawjve.android-update14.pw
hxxp://riwgvyc.android-update14.pw
hxxp://rklsxfb.marshmallovw.com
hxxp://rucgswq.android-update14.pw
hxxp://sfvguep.android-update17.pw
hxxp://sitgerx.android-update17.pw
hxxp://skzjiec.android-update17.pw
hxxp://snficje.android-update14.pw
hxxp://spjiceq.android-update15.pw
hxxp://tjvbpwq.android-update17.pw
hxxp://tzchpkn.android-update17.pw
hxxp://uavqkrn.android-update17.pw
hxxp://ucbfjtk.android-update14.pw
hxxp://ueinloh.android-update14.pw
hxxp://ugyszlh.android-update14.pw
hxxp://uryoief.android-update16.pw
hxxp://vcxsejr.android-update17.pw
hxxp://vdymzep.android-update15.pw
hxxp://vtdywbe.android-update14.pw
hxxp://vwmispo.android-update16.pw
hxxp://wcvfhkq.android-update16.pw
hxxp://wtboiys.android-update17.pw
hxxp://xcndzit.android-update15.pw
hxxp://xpnqioe.android-update17.pw
hxxp://xzhvitg.android-update14.pw
hxxp://xztrkdj.android-update17.pw
hxxp://yajfspe.android-update17.pw
hxxp://ysknauo.android-update16.pw
hxxp://yxtsncz.android-update16.pw
hxxp://zbmjfxp.android-update15.pw
hxxp://zmvsaxw.android-update16.pw
hxxp://zprvoew.android-update14.pw
hxxp://zqfcsyb.android-update14.pw
hxxp://anmwfig.marshmallovw.com
hxxp://bgeomtx.marshmallovw.com
hxxp://bltferk.marshmallovw.com
hxxp://bwiuozv.marshmallovw.com
hxxp://dastgqu.marshmallovw.com
hxxp://eulcitb.marshmallovw.com
hxxp://fedtvwb.marshmallovw.com
hxxp://fxqynok.android-update17.pw
hxxp://guoiswy.marshmallovw.com
hxxp://gzqxynp.android-update17.pw
hxxp://hufgenk.marshmallovw.com
hxxp://jbpxute.marshmallovw.com
hxxp://kilrezj.android-update17.pw
hxxp://lhcijag.android-update17.pw
hxxp://mocadgb.marshmallovw.com
hxxp://ocqdbal.marshmallovw.com
hxxp://qckexfp.android-update17.pw
hxxp://qzrcaeo.marshmallovw.com
hxxp://revbfau.marshmallovw.com
hxxp://smlerhq.marshmallovw.com
hxxp://syirtxe.android-update17.pw
hxxp://syvkjho.android-update17.pw
hxxp://tejyocm.marshmallovw.com
hxxp://uahtwly.marshmallovw.com
hxxp://uwiaoqx.marshmallovw.com
hxxp://uxvwzip.android-update17.pw
hxxp://wvbcpkg.marshmallovw.com
hxxp://yhfkpmj.marshmallovw.com
hxxp://zjbvrqm.marshmallovw.com
hxxp://zlubmxn.marshmallovw.com
hxxp://zrdesip.marshmallovw.com
hxxp://yctfgmn.marshmallovw.com
hxxp://atyblhn.installingmarshmallow.com
hxxp://bhizvxk.installingmarshmallow.com
hxxp://ctjhgnr.installlingmarshmallow.com
hxxp://glrsudo.installingmarshmallow.com
hxxp://hiovmga.installlingmarshmallow.com
hxxp://jnwxdur.installingmarshmallow.com
hxxp://jnzglas.installingmarshmallow.com
hxxp://jrqbhiw.installingmarshmallow.com
hxxp://lzdapuf.installlingmarshmallow.com
hxxp://mvypoqg.marshmallovw.com
hxxp://ntgmcyx.installingmarshmallow.com
hxxp://owtubye.installingmarshmallow.com
hxxp://rfnjxhe.installingmarshmallow.com
hxxp://xkihgqr.installingmarshmallow.com
hxxp://xmvpguk.installlingmarshmallow.com
hxxp://ygzaunj.installingmarshmallow.com
hxxp://zkodxep.installingmarshmallow.com
hxxp://zyrxwhd.installingmarshmallow.com
hxxp://installingmarshmallow.com
hxxp://installlingmarshmallow.com
hxxp://marshmallovw.com
hxxp://mkxlwut.google-update2017.com
hxxp://brpcwlntjxfskqydzoguivaemh.google-market2016.com
hxxp://jyxqnuz.installlingmarshmallow.com
hxxp://google-update2017.com
hxxp://market-place2017.com
hxxp://market-update2016.com
hxxp://market-update2017.com
hxxp://vknghqw.market-update2017.com
hxxp://update-android2017.com
hxxp://google-android2016.ru
hxxp://google-place2016.ru
hxxp://google-place2017.ru
hxxp://google-app2016.com
hxxp://google-market2016.com
hxxp://android-market2016.com
hxxp://jofzevxmadlwcnpysbhuriqktg.android-market2016.com
hxxp://androidosupdate.com
hxxp://lvizyxjqoukbrfhtmawegpdscn.androidos-60-update.com
hxxp://androidos-60-update.com
hxxp://androidosupdate6.com
hxxp://androidosupdate6-0.com
hxxp://android-update-6google.com
hxxp://android-update-60-google.com
hxxp://android-update6google.com
hxxp://android-update-6-google.com
hxxp://android-update-6.com

Known to have responded to the same malicious C&C server IP (217.12.223.34), are, also, the, following, malicious, domains:
hxxp://android-market2016.com
hxxp://google-app2016.com
hxxp://google-market2016.com
hxxp://update-player2016.com

Known to have responded to the same malicious C&C server IP (85.25.217.151) are, also, the, following, malicious, domains:
hxxp://varr.site
hxxp://varra.top
hxxp://varra.xyz
hxxp://ugugur.com
hxxp://alavar-gamess.com
hxxp://beest-gamess.com
hxxp://krakatao-giraffe.com
hxxp://marine-selling.com
hxxp://quick-sshopping.com
hxxp://shopping-marine.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Intercepted, Thousands of Users Affected

We've, recently, intercepted, yet, another, malicious, mobile, malware, exposing, unsuspecting, users, to, a, multi-tude, of, malicious, software.

In this, post, we'll profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Known malicious MD5s, participating, in, the, campaign:
MD5: 27ad60e62ff86534c0a9331e9451833d
MD5: 78fbac978d9138651678eb63e7dfd998

Malicious C&C server, part, of, the, campaign:
hxxp://apk.longxigame.com - 123.138.67.91; 106.119.191.98

Known to have been downloaded from the same malicious C&C server IP (123.138.67.91), are, also, the, following, malicious, MD5s:
MD5: a6c9a8cfa41b608573f8a9adf767daa0
MD5: a5d98369590bd2e001ac3e2986b3d7e9
MD5: 8c5e6c7bc945877740f10e91e9640f70
MD5: e82c58593e787193b5e19810b7ab504e
MD5: 814d7d6701f00c7b96c7026b5561911c

Known to have responded, to, the, same, malicious, C&C server (apk.longxigame.com), are, also, the, following, malicious, domains:
hxxp://103.243.139.241
hxxp://113.105.245.118
hxxp://183.61.13.192
hxxp://183.61.180.216
hxxp://183.61.180.217
hxxp://106.119.191.98
hxxp://221.233.135.196
hxxp://218.60.119.245
hxxp://218.60.119.30
hxxp://118.123.202.27
hxxp://118.123.202.28
hxxp://218.60.119.244
hxxp://119.84.112.118
hxxp://119.84.112.121
hxxp://220.181.105.232
hxxp://27.221.30.76
hxxp://220.181.105.231
hxxp://27.221.30.77
hxxp://60.2.226.246
hxxp://60.2.226.248
hxxp://121.29.8.235
hxxp://60.28.226.51
hxxp://116.55.241.217
hxxp://124.95.157.252
hxxp://124.160.136.232
hxxp://124.160.136.233
hxxp://218.60.119.243
hxxp://218.60.119.252
hxxp://218.60.119.29
hxxp://122.225.34.233
hxxp://122.225.34.234
hxxp://171.111.154.243
hxxp://124.95.157.253
hxxp://202.100.74.248
hxxp://221.204.186.231
hxxp://221.204.186.232
hxxp://182.140.238.123
hxxp://218.107.196.223
hxxp://218.107.196.224
hxxp://122.227.164.225
hxxp://122.227.164.226
hxxp://122.228.95.171
hxxp://122.228.95.172
hxxp://123.129.244.23
hxxp://123.129.244.24
hxxp://210.22.60.224
hxxp://125.76.247.230
hxxp://125.76.247.231
hxxp://42.81.4.91
hxxp://42.81.4.92
hxxp://117.25.155.17
hxxp://61.154.126.29
hxxp://116.55.241.218
hxxp://106.119.191.97
hxxp://171.111.154.242
hxxp://180.96.17.157
hxxp://180.96.17.160
hxxp://117.25.155.18
hxxp://121.207.229.135
hxxp://61.154.126.28
hxxp://121.207.229.136
hxxp://222.85.26.249
hxxp://222.85.26.250
hxxp://59.46.4.221
hxxp://59.46.4.222
hxxp://183.61.13.191
hxxp://103.243.139.239
hxxp://122.141.227.183
hxxp://114.80.174.98
hxxp://114.80.174.99
hxxp://202.100.74.245
hxxp://58.216.17.111
hxxp://175.6.3.149
hxxp://175.6.3.176
hxxp://61.147.118.229
hxxp://60.28.226.41
hxxp://124.112.127.77
hxxp://124.112.127.78
hxxp://124.238.232.242
hxxp://124.238.232.241
hxxp://112.90.32.242
hxxp://112.90.32.241
hxxp://123.138.67.91
hxxp://123.138.67.92
hxxp://122.141.227.182
hxxp://121.29.8.217
hxxp://42.81.4.83
hxxp://218.107.196.236
hxxp://112.67.242.110
hxxp://112.90.32.232

Known malicious MD5s known to have phoned back to the same C&C server (123.138.67.91):
MD5: 4efbe7fe86f63530d83ae7af5a3dc272
MD5: d8a3466addf81f2afeb2ca81c49d7361
MD5: 06e37b0c4a77bfa6a1052c4dd50afd9b
MD5: ed89d5977e334045500d0415154976b6

Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://api.baizhu.cc - 120.76.122.200
hxxp://cdn.baizhu.cc - 123.138.67.91

Once executed a sample malware phones back to the following C&C servers:
hxxp://yscq.v1game.cn (203.130.58.30)
hxxp://pic.v1.cn (123.138.67.92)
hxxp://img.g.v1.cn (203.130.58.30)
hxxp://static.v1game.cn (203.130.58.30)
hxxp://pay.v1game.cn (211.151.85.249)

We'll continue, monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place.

Monday, May 16, 2016

Mobile Malware Intercepted, Thousands of Users Affected

We've, recently, intercepted, yet, another, malicious, malware, campaign, affecting, Google Play, exposing, unsuspecting, users, to, a milti-tude, of malicious, software.

In this post, we'll profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s, known, to, have, participated, in, the, campaign:
MD5: 1c87344c24d8316c8f408a6f0396aa43
MD5: 390e66ffaccaa557a8d5c43c8f3a20a9
MD5: 8e2f8c52f4bb8a4e7f8393aa4a0536e1
MD5: ada4b19d5348fecffd8e864e506c5a72

Once executed, a sample, malware, phones, back, to, the, following C&C, servers:
hxxp://telbux.pw - 176.9.138.114

Malicious MD5s, known, to, have, been, downloaded, from, the, same, C&C server IP (176.9.138.114):
MD5: f8471c153414b65bbeb80880dc30da0a
MD5: 5955411fe84c10fa6af7e40bf40dcdac
MD5: ec3e5125190d76c19ca1c0c9172ac930
MD5: 0551f10503369f12cd975468bff6d16a
MD5: 1127390826a9409f6fd7ad99c4d4af18

Once executed, a, sampled, malware, phones, back, to, the, following, C&C server:
hxxp://144.76.70.213
hxxp://joyappstech.biz - 136.243.240.229

We'll, continue, monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've, recently, intercepted, yet, another, malicious, campaign, utilizing, Google Play, for, the, purpose, of, serving, malicious, software, to, unsuspecting, users.

In this, post, we'll profile, the campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: 3e57ef2802977c3c852a94bab131c84b

Known C&C servers, part, of, the, campaign:
hxxp://localbitcoinsfast.com - 198.105.215.251
hxxp://newdesigns2016.biz - 190.97.166.230

Once executed, the, sample, phones, back, to, the, following, C&C server:
hxxp://netspendexpress.biz - 68.71.49.24

Known to have phoned back to the same malicious C&C server IP (198.105.215.251), are, also, the, following, malicious, MD5s:
MD5: c1b3912711dceab2cfb86f920eb69919

Once executed, a, sample, malware, phones, back, to, the, following C&C servers:
hxxp://drone.hosterbox.com (68.71.49.24; 68.71.49.25; 142.4.12.128)

Known malicious MD5s, known, to, have, phoned, back, to, the, same C&C server IP (68.71.49.24):
MD5: 7453f9445512e48357d91491b0e32134
MD5: 138c9475d4dc80185d4d3dd612c89d50
MD5: 2be0a8f626430d6c3c9588b55253ef95

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Intercepted, Thousands of Users Affected

We've recently intercepted a new mobile malware, variant, targeting, users, internationally, and exposing, their, devices, to, a, multi-tude, of malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the infrastructure, behind, it, and discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.

Sample malicious MD5s used in the campaign:
MD5: 4f1696cc06bdab9508ba3434edab2f49
MD5: 15ef763ba561eb91b5790906505f0f79

MD5: 890dfd6b50b7ca870ceb04762725b8a6
MD5: 4a3b68aeb96ef0f26f855f6afb688a3c
MD5: c729ce2babce74998726257f167da62e
MD5: 3db50821ff074a70dcbc5c31c0a78e14

Once executed, a sample, malware, phones back to the following C&C server:
hxxp://alfabrong.eu/data/id=39759ac6-0898-424b-9e0d-790edfaa700e - 5.101.117.79; 5.187.4.15

Known to have responded to the same malicious C&C server (5.101.117.79) are also the following malicious domains:
hxxp://bugstracking.xyz
hxxp://bugstrucking.xyz
hxxp://ssd850pro.pw
hxxp://forclonabster.eu
hxxp://bugtracking.biz
hxxp://directplaytds.com
hxxp://forclonabster.xyz
hxxp://alfabrong.eu
hxxp://innotion.pw

Known to have responded to the same malicious C&C server (5.187.4.15) are also the following malicious C&C servers:
hxxp://alfabrong.eu
hxxp://hyperlabs.biz
hxxp://nkprus.ru
hxxp://programmiandroid.org

We'll continue monitoring the campaign, and, will, post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently, intercepted, yet, another, mobile, malware, variant, affecting, Google Play, with, the, cybercriminals, behind, it, exposing, its, users, to, a, multi-tude, of, malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.

Malicious MD5s used in the campaign:
MD5: 7f55e0b91f5151328e779a3a425fc241
MD5: 91139d1dfa5df1f18c7f40192b2c49ce

Once executed, a, sample, phones, back, to, the, following, C&C, server:
hxxp://mob-stats.com - 5.149.252.2

Known C&C server, used, in, the, campaign:
hxxp://update-sys-android.com/upd.php - 192.99.99.186

Once executed, a, sample, malware, phones, back, to, the, following, C&C, servers:
hxxp://counter.wapstart.ru - 185.127.149.76; 81.19.95.17
hxxp://goalez.com - 91.219.195.3; 91.219.194.43; 91.219.194.8

Known to have phoned back to the same C&C server (185.127.149.76; 81.19.95.17), are, also, the, following, malicious, MD5s:
MD5: c8afecd653d4b0b7ea48de13d6001a31
MD5: bfdb43b0f44a986c2cb495c38746cd23

Once executed, a, sample, malware, phones, back, to, the, following C&C servers:
hxxp://kingwar.mgates.ru - 148.251.154.17
hxxp://counter.wapstart.ru - 185.127.149.76

Known, to, have, phoned, back, to, the, same, malicious, C&C, server (91.219.195.3), are, also, the following, malicious, MD5s:
MD5: 3ad15daf656a06bf850ea6973192ae47
MD5: 117b8362a54ece041307a136aceeb92c
MD5: 4dbdfaf3e8f5a09a7a4b82024f1c1072
MD5: 1521e73bb153f31015ab037f979602bc
MD5: 25318484bab66e0e8762c9fc5a1f888d

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://forces.may-trade.ru - 185.82.216.58
hxxp://plusfiles.890m.com - 91.219.195.3

Known to have been downloaded from the same malicious C&C server IP (91.219.194.8) are also the following malicious MD5s:
MD5: 31ad2a5a5d02e6c5e55817386b8eec01
MD5: 0815607c938c4f2088569be34ff57141
MD5: f629111b34e8e4d97ee26d2c6b19db96
MD5: 29d87de6b476fc1a873962ae04bbe206
MD5: a27158c55555ff2953e0a54a9996713d

Known to have phoned back to the same malicious C&C server IP (91.219.194.43), are, also, the, following, malicious, MD5s:
MD5: 76dd60b9f406be3b808db6fca2d856ff
MD5: ad33371a2495a0f9236c988f7024edb1

Once executed, a, sample, malware, phones, back, to, the, following, C&C server IPs:
hxxp://mu.sanek.com - 208.73.211.168
hxxp://muforum.info - 91.219.194.43
hxxp://best-hoster-group.ru - 91.219.193.252
hxxp://best-hoster.ru - 91.219.193.252
hxxp://freeller.net - 91.219.193.254
hxxp://hostagent.ru - 77.222.40.254
hxxp://ksdnewr.com - 192.64.147.242

We'll continue, monitoring, the, campaign, and post, updates, as soon, as new, developments, take, place.

Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Affected

We've recently intercepted, a currently, circulating, malicious, campaign, affecting, hundreds, of Web sites, and exposing, users, to, a, multi-tude, of, malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Malicious URLs used in the campaign:
hxxp://default7.com - 199.48.227.25
hxxp://test246.com - 54.208.99.166
hxxp://test0.com - 72.52.4.119
hxxp://distinctfestive.com - 54.208.99.166
hxxp://ableoccassion.com - 54.208.99.166

Sample malware used in the campaign:
MD5: 9854f14ca653ee7c6bf6506d823f7371

Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://intva31.homelandcustom.info (52.6.18.250)

Known to have phoned back to the same malicious C&C server IP (54.208.99.166), are, also, the, following, malicious, MD5s:
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://ii55.net (69.172.201.153)
hxxp://rwai.net (54.208.99.166)

Known to have phoned back to the same malicious C&C server IP (69.172.201.153) are also the following malicious MD5s:
MD5: 5979f69be8b6716c0832b6831c398914
MD5: a27083ff19b187cbc64644bc10d2af11
MD5: b9306bb08ac502c7bcaf3d7e0cd9d846
MD5: cd34980dda700d07b93eef7910a2a8be
MD5: b708860e7962b10e26568c9b037765df

Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: 9854f14ca653ee7c6bf6506d823f7371
MD5: 90a88230d5b657ced3b2d71162a33cff
MD5: 70465233d93aa88868d7091454592a80
MD5: f8e21525c6848f45e4ab77aee05f0a28

Related malicious MD5s known to have phoned back to the same malicious C&C server (54.208.99.166):
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Sunday, May 15, 2016

Mobile Malware Hits Google Play, Thousands of Users Affected

We've recently, intercepted, a currently, ongoing, malicious, campaign, that's utilizing, Google Play, for, the purpose, of, serving, malicious, software, to, unsuspecting, users.

In this, post, we'll, profile, the campaign, provide malicious MD5s, expose, the, malicious, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to be part, of the, malicious, campaign:
MD5: 4cbc7513072a1c0b03f7cedc6d058af4
MD5: 4defc5803de76f506bfc3a6c2c90bd87
MD5: 13647981b37f0c038e096c58b8962f95

Once, executed, the, sample, phones, back, to, the, following, C&C servers:
hxxp://petrporosya.com/123/ - 185.106.92.110
hxxp://78.46.123.205/111/inj/paypal/paypal.php

Known to have responded to the same malicious C&C server IP (185.106.92.110) is also the following malicious C&C server:
hxxp://traktorporosya.com

Related malicious MD5s known to have phoned back to the same malicious C&C server (185.106.92.110):
MD5: a765d6c0c046ffb88f825b3189f02148
MD5: 48cd9d9e03f92743b673a0c8ce58704a
MD5: 58f02914791f1e3075d574e288c80a26
MD5: 09f3f1bd2e91fb5af0c71db307777bbb
MD5: 568ef0fb4d645350b65edb031f4ade2f
MD5: d06ec8b877e2f0f73c4533c4c105acb8

Related malicious MD5s known to have phoned back to the same malicious C&C server (78.46.123.205):
MD5: 32c8af7e7e9076b35dde4d677b14e594
MD5: 27e4b9ae53c2300723c267cf67b930bf

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place.

Saturday, May 07, 2016

Threat Intelligence - An Adaptive Approach to Information Security

This article, will, detail, the basics, of threat intelligence, gathering, discuss, various, threat, intelligence, gathering, methodologies, discuss, the basics, of threat, intelligence, gathering, as well, as, discuss, various, proactive, threat, intelligence, gathering, methodologies, in the, context, of, proactive security defense.

01. Overview of Threat Intelligence

Threat intelligence, is, a mulch-disciplinary, approach, to, collecting, processing, and, disseminating, actionable, threat, intelligence, for, the purpose, of, ensuring, that, an organization's security defense, is, actively, aware, of threats, facing, it's, infrastructure, so, that, an, adequate, and cost-effective, strategy, can, be, formulated, to, ensure, the confidentiality, integrity, and availability, of the information. Threat Intelligence, is, the process, of, collecting, processing, and disseminating, actionable, intelligence, for, the purpose, of, ensuring, that, an, organization's infrastructure, remains, properly secured, from, threats, facing, its, infrastructure. The collection phrase, can, be, best, described, as the, process, of obtaining, processing, and analyzing, actionable, threat, intelligence, for, the, purpose, of, processing, and disseminating, the processed, data. The collection phrase, consists, of, actively, obtaining, real-time, threat, intelligence, data, for, the, purpose, of, processing, enriching, and assessing, the data, for, the, purpose, of processing, and disseminating, the, data.

The collection phrase, consists, of, active, monitoring, of sources, of interest, including, various, public, and privately, closed, community, sources, for, the purpose, of establishing, an, active, threat, intelligence, gathering, program's, foundations. The collection, phrase, consists, of, assessing, and selecting, a diverse, set, of, primary, and, secondary, public, and, privately closed, sources, for, the, purpose, of, establishing, a, threat, intelligence, gathering model. The collection, phrase, consists, of, assessing, and, selecting, primary, and secondary, public, and, privately closed, sources, for, the, purpose, of establishing, an, active, threat, intelligence, collection, model. The collection, phrase, consists, of, assessing, the, primary, secondary, public, and, privately, closed, sources, for, the, purpose, of, establishing, an, active, threat intelligence, gathering, collection model. The, collection, phase, consists, of, assessing, and selecting, the primary, and, secondary, public, and, privately, closed, sources, for, the purpose, of establishing, the foundations, of, the, collection phrase.

The processing, phrase, consists, of, actively, selecting, processing, tools, and, methodologies, for, the purpose, of, setting, the, foundations, for, a, successful, processing, of, the, data. The processing, phase, consists, of, actively, processing, the, threat intelligence, gathering, collected, data, for, the, purpose, of, establishing, the foundations, for, a successful, processing, of the, data. The processing, phase, consists, of, collecting, the, processed, data, for, the, purpose, of establishing, the foundations, for, a, successful, processing, of, the, collected, data, for, the purpose, of, processing, and enriching, the, processed, data. The processing, phase, consists, of active, collection, enrichment, and, processing, of, the, collected, data, for, the purpose, of, active, processing, of, the, collected, data. The processing, phase, consists, of, active, selection, of, primary, and secondary, public, and, privately, closed, sources, for, the, purpose, of, processing, the, collected, data, for, the, purpose, of enriching, and, processing, the, collected, data. The processing, phase, consists, of, active, real-time, aggregation, of, actionable, threat, intelligence, data, for, the, purpose, of, establishing, the, foundations, of, active, processing, and enrichment, of, the, processed, data, for, the purpose, of, processing, and, enriching, of, the, processed, data.

The dissemination, phase, consists, of, active, processing, and dissemination, of, the, processed, data, for, the, purpose, of, communicating, the, actionable, intelligence, for, the, purpose, of, ensuring, that, an organization's defense, is, actively, aware, of, the, threats, facing, it's, infrastructure, and security defense. The dissemination, phase, consists, of, active, distribution, of, the, processed, and, enriched, actionable, intelligence, for, the, purpose, of, active, dissemination, of, the, processed, and, enriched, data. The dissemination, phase, consists, of, active, dissemination, and enrichment, of, the, processed, data, for, the, purpose, of, establishing, the, foundations, of, an, active, threat, intelligence, gathering, process. The dissemination, phase, consists, of, active, communication, and, distribution, of, the, processed, and, enriched, data, for, the, purpose, of, communicating, the, processed, and, enriched, data, across, the, organization's security defense, mechanisms.

02. Threat Intelligence Methodologies

Numerous threat intelligence methodologies, are currently, available, for, an organization, to, take advantage, of, on its way to properly secure, its, infrastructure, taking into consideration, a proactive, security response. Among, the most, common, data acquisition, strategies, remains, the, active, data acquisition, through forum and communities, monitoring, including, the active, monitoring, of private forums, and communities. Carefully, selecting, and primary, and secondary, sources, of information, is crucial, for, maintaining, the, necessary, situational awareness, to, stay, ahead, of threat, facing, the organization's infrastructure, including, the establishment, of, an, active, response, response, through an active, threat intelligence gathering, program. Among, the most, common, threat intelligence, acquisition, methodologies, remains, the, active, data, acquisition, through, primary and secondary, forums, and communities, including, the, data, acquisition, through, private, and secondary, community based, type, of acquisition platforms.

Among the most common, threat intelligence, data, acquisition, strategies, remains, the, active, team, collaboration, in terms, of data, acquisition, data, processing, and data, dissemination, for, the purpose, of establishing, an active, organization's security response, proactively, responding, to, the, threats, facing, an organization's, infrastructure. Among the most common, data, acquisition, strategies, in terms, of, threat intelligence, gathering, methodologies, remains, the, active, enrichment, of the sources, of information, to, include, a variety, of primary, and secondary, sources, including, private, and community, based, primary and secondary sources.

03. Proactive Threat Intelligence Methodologies

Anticipating the emerging, threat, landscape, greatly, ensures, an organization's successful, implementation, of, a proactive, security, type, of defense, ensuring, that, an organization's security defense, remains, properly, protected, from, the, threats, facing, it's infrastructure. Properly, understanding, the threat, landscape, greatly, ensures, that, a proactive, response, can be, properly, implemented, for, the purpose, of ensuring, that, an organization's security defense, remains, properly, protected, from, the, threats, facing, it's infrastructure. Taking into consideration, the, data, obtained, through, an active, threat intelligence, gathering, program, greatly, ensures, that, a proactive, security, response, can, be, adequately, implemented, to, ensure, that, an organization's security defense, remains, properly, protected, from, the, threats, facing, its, infrastructure.

Among, the, most, common, threat, acquisition, tactics, remains, the, active, understanding, of, the, threats, facing, an organization's security, infrastructure, to, ensure, that, an adequate, response, can, be properly, implemented, ensuring, that, an organization's defense, remains, properly, protected, from the, threats, facing, its, infrastructure. Among the most common, threat intelligence gathering, methodologies, remains, the, active, team, collaboration, to, ensure, that, an active, enrichment, process, can, be properly, implemented, further, ensuring, that, an organization's defense, can, be, properly, protected, from, the, threats, facing, it's infrastructure, based, on, the information, acquired, through, an active, threat intelligence gathering, acquisition, processing, and dissemination, program, further, ensuring, that, an organization's infrastructure, can, be, properly, protected, from, the, threats, facing, its, infrastructure.

04. The Future of Threat Intelligence

The future of threat intelligence, gathering, largely, relies, on, a successful, set, of threat intelligence, gathering, methodologies, active, data, acquisition, processing, and dissemination, strategies, including, the active, enrichment, of the processed, data, for, the, purpose, of ensuring, that, an organization's security defense, remains, properly, in place. The future of threat intelligence, largely, relies, on the, successful, understanding, of, multiple, threat vectors, for, the purpose, of establishing, an organization's security defense. Relying on a multitude, of enrichment, processes, including, the active, establishment, of an, an active, threat intelligence, gathering, acquisition, processing, and dissemination, program, greatly, ensures, that, a proactive, team-oriented, approach, can be implemented, to, ensure, that, an organization's security defense, remains, properly, protected, from, the threats, facing, its, infrastructure.

05. Conclusion

Threat Intelligence acquisition, processing, and dissemination, remains, a largely, proactive, response, to, a growing, set, of emerging threats, facing, an organization's infrastructure, where, the active, establishment, of, an, active, threat intelligence, gathering, acquisition, processing, and dissemination, remains, an active, response, to, a growing, set, of security threats, facing, an organization's infrastructure. Properly, ensuring, that, an organization's security defense, remains, properly, secured, from, the, threats, facing, its, infrastructure, ensures, that, an organization's security defense, remains, properly, in place, further, ensuring, that, a successful, information security strategy, can, be, properly, implemented, and, that, an organization's security defense, can, be, properly, put, in, place.

If you would like to receive additional information regarding a possible threat intelligence program, evaluation, facing, your, company's infrastructure, including, additional, information, regarding, the, threat landscape, discussing, the, threats, facing, your, organizations' infrastructure, you, can, approach me at ddanchev@protonmail.ch

Tuesday, April 26, 2016

Malicious Client-Side Exploits Serving Campaign Intercepted, Thousands of Users Affected

We've recently intercepted, a currently, circulating, malicious campaign, utilizing, a variety, of compromised, Web sites, for, the purpose, of serving, malicious software, to socially engineered, users.

In this post, we'll profile, the campaign, the infrastructure, behind, it, provide, actionable, intelligence, MD5s, and, discuss, in depth, the tactics, techniques, and procedures, of, the cybercrimnals, behind it.

Sample malicious URL:
hxxp://directbalancejs.com/module.so - 37.48.116.208; 31.31.204.161

hxxp://2-eco.ru
hxxp://2401.ru
hxxp://24xxx.site
hxxp://3502050.ru
hxxp://6553009.xyz
hxxp://7032949.ru
hxxp://academing.ru
hxxp://academyfinance.ru
hxxp://activelifelab.com
hxxp://advokat-mikheev.ru
hxxp://advokatstav.ru
hxxp://akvahim98.ru
hxxp://al-minbar.ru
hxxp://allesmarket.com
hxxp://alltrump.ru
hxxp://altropasso.ru
hxxp://ambertao.info
hxxp://ambertao.org
hxxp://ancra.ru
hxxp://andr-6-update.ru
hxxp://android-new.ru
hxxp://androidid-6-new.ru
hxxp://angrymultik.ru
hxxp://animaciyafoto.ru
hxxp://animaciyaonline.ru
hxxp://animaciyastiker.ru
hxxp://animationline.ru
hxxp://animehvost.ru
hxxp://anyen.ru
hxxp://anywifi.online
hxxp://apple-pro.moscow
hxxp://appliancerepairmonster.com
hxxp://aptechka.farm
hxxp://arbosfera.ru
hxxp://archsalut.ru
hxxp://arstd.ru
hxxp://aslanumarov.ru
hxxp://atlanted.ru
hxxp://aurispc.ru
hxxp://avangardmaster.ru
hxxp://aviacorp24.ru
hxxp://awpashko.com

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MDSs:
MD5: c3754018dab05b3b8aac5fe8100076ce

Once executed the sample phones back to the following C&C server:
hxxp://info-get.ru - 31.31.204.161

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MD5s:
MD5: 4ff9bd7a045b0fe42a8f633428a59732
MD5: 46b1eaae5b53668a7ac958aecf4e57c3
MD5: d643025c5d0a2a2940502f4b15ca1801
MD5: 75dce2d84540153107024576bfce08fc
MD5: a23235ed940a75f997c127f59b09011d

This post has been reproduced from Dancho Danchev's blog.

Malware Campaign Using Google Docs Intercepted, Thousands of Users Affected

We've recently intercepted, a malicious campaign, utilizing, Google Docs, for, the purpose, of spreading, malicious software, potentially, exposing, the confidentiality, integrity, and availability, of the, targeted hosts.

In this, post, we'll profile, the malicious campaign, expose, the malicious, infrastructure, behind, it, provide, MD5s, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.

Sample malicious URL:
hxxp://younglean.cba.pl/lean/ - 95.211.80.4

Sample malicious URL hosting locations:
hxxp://ecku.cba.pl/js/bin.exe
hxxp://mondeodoslubu.cba.pl/js/bin.exe
hxxp://piotrkochanski.cba.pl/js/bin.exe
hxxp://szczuczynsp.cba.pl/122/091.exe

Known to have responded to the same malicious (95.211.80.4) are also the following malicious domains:
hxxp://barbedosgroup.cba.pl
hxxp://brutalforce.pl
hxxp://christophar-hacker.pl
hxxp://moto-przestrzen.pl
hxxp://eturva.y0.pl
hxxp://lingirlie.com
hxxp://ogladajmecz.com.pl
hxxp://oriflamekonkurs2l16.c0.pl
hxxp://umeblowani.cba.pl
hxxp://webadminvalidation.cba.pl
hxxp://adamr.pl
hxxp://alea.cba.pl
hxxp://artbymachonis.cba.pl
hxxp://beqwqgdu.cba.pl
hxxp://bleachonline.pl
hxxp://facebook-profile-natalia9320.j.pl
hxxp://fllrev1978.cba.pl
hxxp://gotowesms.pl
hxxp://kbvdfuh.cba.pl
hxxp://maplka1977.c0.pl
hxxp://nagrobkiartek.pl
hxxp://nyzusbojpxnl.cba.pl
hxxp://okilh1973.cba.pl
hxxp://pucusej.cba.pl
hxxp://sajtom.pl
hxxp://tarnowiec.net.pl
hxxp://techtell.pl
hxxp://testujemypl.cba.pl
hxxp://lawendowawyspa.cba.pl
hxxp://younglean.cba.pl
hxxp://delegaturaszczecin.cba.pl
hxxp://metzmoerex.cba.pl
hxxp://kmpk.c0.pl
hxxp://500plus.c0.pl
hxxp://erxhxrrb1981.cba.pl
hxxp://exztwsl.cba.pl
hxxp://fafrvfa.cba.pl
hxxp://fastandfurios.cba.pl
hxxp://filmonline.cba.pl
hxxp://fragcraft.pl
hxxp://fryzjer.cba.pl
hxxp://hgedkom1973.cba.pl
hxxp://luyfiv1972.cba.pl
hxxp://oliviasekulska.com
hxxp://opziwr-zamosc.pl
hxxp://ostro.ga
hxxp://rodzina500plus.c0.pl
hxxp://roknasilowni.tk
hxxp://vfqqgr1971.cba.pl

Sample malicious MD5s known to have phoned back to the same malicious IP (95.211.80.4):
MD5: 495f05d7ebca1022da2cdd1700aeac39
MD5: 68abd8a3a8c18c59f638e50ab0c386a4
MD5: 65b4bdba2d3b3e92b8b96d7d9ba7f88e
MD5: 64b5c6b20e2d758a008812df99a5958e
MD5: a0869b751e4a0bf27685f2f8677f9c62

Once executed the sample phones back to the following C&C servers:
hxxp://smartoptionsinc.com - 216.70.228.110
hxxp://ppc.cba.pl - 95.211.80.4
hxxp://apps.identrust.com - 192.35.177.64
hxxp://cargol.cat - 217.149.7.213
hxxp://bikeceuta.com - 91.142.215.77

This post has been reproduced from Dancho Danchev's blog.

Sunday, April 24, 2016

Analyzing the Bill Gates Botnet - An Analysis

We've, recently, intercepted, a high-profile, Linux-based, botnet-driven, type of, malicious, software, that's capable, of launching, a multitude of malicious attacks, on, compromised servers, potentially, exposing, the, integrity, confidentiality, and, availability, of, the compromised servers. Malicious attackers, often rely, on the use of compromised servers, for, the purpose, of, utilizing the access for malicious purposes, including, the capability, to launch malicious DDoS (Denial of Service Attack) attacks, and the ability, to spread additional malicious software, to potential users, including the capability to monetize access to the service, by, launching, DDoS for hire type of malicious and fraudulent services, including, the capability to launch high performance DDoS attacks.

In this post, we'll, profile, and analyze, the Bill Gates botnet, provide, actionable intelligence, on, the infrastructure, behind it, and, discuss, in depth, the tactics, techniques, and procedures, of the cybercriminals, behind it.

Malicious MD5s known to be part of the Bill Gates botnet:
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 0d79802eeae43459ef0f6f809ef74ecc
MD5: 9a77f1ad125cf34858be5e438b3f0247
MD5: 9a77f1ad125cf34858be5e438b3f0247
MD5: a89c089b8d020034392536d66851b939
MD5: a5b9270a317c9ef0beda992183717b33

Known Bill Gates botnet C&C server:
hxxp://dgnfd564sdf.com - 122.224.34.42; 122.224.50.37

Malicious C&C servers known to be part of the Bill Gates botnet:
202.103.178.76
121.12.110.96
112.90.252.76
112.90.22.197
112.90.252.79

Known to have responded to the same malicious IP (122.224.50.37) are also the following malicious domains:
hxxp://lfs99.com
hxxp://chchong.com
hxxp://uc43.net
hxxp://59wgw.com
hxxp://frade8c.com
hxxp://96hb.com
hxxp://cq670.com
hxxp://776ka.com

Malicious MD5s known to have phoned back to the same C&C server IP (122.224.50.37):
MD5: 6739ca4a835c7976089e2f00150f252b
MD5: eb234cee4ff769f2b38129bc164809d2
MD5: dc893d16316489dffa4e8d86040189b2
MD5: 0c1cac2a019aa1cc2dcc0d3b17fc4477
MD5: b7765076af036583fc81a50bd0b2a663

Known to have responded to the same malicious IP (122.224.34.42) are also the following malicious domains:
hxxp://76.wawa11.com
hxxp://903.wawa11.com
hxxp://904.wawa11.com
hxxp://905.wawa11.com
hxxp://906.wawa11.com
hxxp://907.wawa11.com
hxxp://91ww.0574yu.com
hxxp://9911sf.com
hxxp://901.t772277.com
hxxp://aisf.jux114.com
hxxp://520.wawa11.com
hxxp://awooolsf.com
hxxp://2288game.com
hxxp://588bc.com
hxxp://488game.com
hxxp://588bc.com

Malicious MD5s known to have been downloaded from the same malicious C&C server IP (122.224.34.42):
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 9a77f1ad125cf34858be5e438b3f0247

Malicious MD5s known to have been phoned back to the same malicious C&C server IP(122.224.34.42):
MD5: 815e453b6e268addf6a6763bfe013928

Once executed the sample phones back to the following malicious C&C server IPs:
hxxp://awooolsf.com/222.txt - 122.224.34.42
hxxp://xxx.com/download/xx.exe - 67.23.112.226

Known to have responded to the same malicious IP (67.23.112.226) are also the following malicious domains:
hxxp://falconglobalimpex.com
hxxp://deschatz-army.net
hxxp://m.xxx.com
hxxp://xxx.com
hxxp://xxxsites.com
hxxp://t.xxx.com
hxxp://m.xxx.org
hxxp://m.xxxsites.com
hxxp://xxx.org

Known to have been downloaded from the same malicious IP (67.23.112.226) are also the following malicious MD5s:
MD5: b4b483eb0d25fa3a9ec589eb11467ab8

Known to have phoned back to the same malicious C&C server (67.23.112.226) are also the following malicious MD5s:
MD5: 53a7fc24cb19463f8df3f4fe3ffd79b9
MD5: 268b8bcacec173eace3079db709b9c69
MD5: 0faf6988dfeaa98241c19fd834eca194
MD5: 87f8ffeb17a72fda7cf28745fa7a6be8
MD5: c973f818a5f9326c412ac9c4dfaeb0bd

This post has been reproduced from Dancho Danchev's blog.

Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected

We've recently intercepted, a currently ongoing malicious malvertising attack, affecting thousands of users globally, potentially exposing their PCs, to, a multitude of malicious software, compromising, the, integrity, confidentiality, and, availability, of, their, PCs.

The campaign relies on the Angler Web malware exploitation kit, for, the, purpose of serving malicious software, on the, PCs, of, affected users exposing, their, PCs, to, a multitude, of, malicious software, potentially leading, to, a compromise, of, their, PCs. Once, users, visit, a legitimate Web site, part, of the, campaign, their, PCs, automatically become, part, of the botnet, operated, by, the, cybercriminals, behind it, with, the, campaign, relying, on, the, use, of, the, exploitation, of, a well known, client-side, vulnerability.

Cybercriminals, often, rely, on, the, use, of, compromised, accounting, data, obtained, through, active data mining, of, a botnet's infected population, for, the purpose, of, embedding, malicious, client-side exploits, on well known, and highly popular, Web sites, next, to, the, active, client-side, exploitation, of, known, vulnerabilities, found, on public, and well, known, Web sites. Yet, another highly popular attack vector, remains, the use, of compromised, advertiser network publisher's account, for, the, purpose, of taking advantage, of, the publisher's, already established, clean, network, reputation.

In this post, we'll profile, the, malicious campaign, provide, actionable, intelligence, for, the, infrastructure, behind it, provide, malicious MD5s, as, well, as, discuss, in depth, the, tactics, techniques, and procedures, utilized, by, the, cybercriminals, behind it.

Sample detection rate for the Trojan.Win32.Waldek.gip malware:
MD5: f2b92d07bb35f1649b015a5ac10d6f05

Once executed the sample phones back to:
hxxp://datanet.cc/extra/status.html - 146.185.251.154

Malicious URLs, used, in the, campaign:
hxxp://gamergrad.top/track/k.track?wd=48&fid=2 - 104.24.112.169
hxxp://talk915.pw/track/k.track?wd=48&fid=2 - 104.27.190.84

Known to have responded to the same IP (146.185.251.154) are also the following malicious domains:
hxxp://crenwat.cc
hxxp://oldbog.cc
hxxp://datanet.cc
hxxp://glomwork.cc
hxxp://speedport.cc
hxxp://myhostclub.cc
hxxp://terminreg.cc
hxxp://currentnow.cc
hxxp://copyinv.cc
hxxp://lableok.cc
hxxp://agentad.cc
hxxp://appclone.cc
hxxp://tune4.cc
hxxp://objects.cc

Once executed, the, sample, phones, back, to the, following, C&C server:
hxxp://188.138.70.19

Known to have responded to the same IP (188.138.70.19) are also the following malicious domains:
hxxp://alfatrade.cxaff.com
hxxp://affiliates.alfatrade.com

Known to have phoned back to the same malicious C&C server, are, also, the following malicious MD5s:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a384337cad9335b34d877dd4c59c73ce
MD5: e7b7b7664e89be18bcf2b79cc116731f
MD5: d712ddbc9b4fb27d950be93c1e144cce

Related malicious MD5s known to have phoned back to the same C&C server:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a2bd512e438801a2aa1871a2ac28e5bd
MD5: f01f9ded34cfe21098a2275563cf0d9d
MD5: e7b7b7664e89be18bcf2b79cc116731f

This post has been reproduced from Dancho Danchev's blog.

Hundreds of Google Play Apps Comrpromised, Lead to Mobile Malware

Malicious attackers, have, managed, to, infiltrate, and populate, Google Play, with, hundreds, of rogue, applications, exposing, users, to mobile, malware, compromising, the, integrity, of, their, devices, and, exposing, them, to, misleading, advertisements. Once, a socially, engineered, user, obtains, the, application, and, execute, it, their, device, the malware, phones, back, to, a malicious URL, exposing, the, integrity, confidentiality, and, availability, of, the, device.

Malicious attackers, often, rely, on, a variety of social engineering tactics, to, obtain, access, to, a user's device, including, the use, of, compromised, publisher's accounts, obtained, through, data mining, of botnet's of infected, population. Once, access, to, a particular, publisher's account, is, obtained, the malicious attackers, would, attempt, to use, a do-it-yourself, type, of, mobile, malware, generating tool, for, the, purpose, of, modifying, a legitimate, application, for, the, purpose, of, obtaining, access, to, a user's device.

Malicious attackers, are, also, known, to rely, on secondary, marketplaces, for, the, purpose, of, attempting, to, obtain, access, to user's, device, with, the, secondary, marketplaces, populated, with, rogue, and compromised, applications.

Once, a, socially, engineered, user, obtains, an, application, their, device, automatically, becomes, part, of, a, malicious attacker's, botnet, with, the malicious, attackers, relying on, a multitude, of monetization techniques, while, earning, fraudulently, obtained, revenue, in, the, process. Malicious attackers, are, also, known, to, rely, on, rogue, and, fraudulent, affiliate networks, for, the, purpose, of, monetizing, access, to, the, obtained, hosts, through, a, variety, of, rogue, advertising, networks, largely, set, up, for, the, purpose, of, earning, fraudulent, revenue, for, the, malicious attackers.

These affiliate networks, are, known, to, provide, managed, support, including, the, systematic, rotation of the command and control, server, and, the, availability, of, various, templates, empowering, malicious attackers, with, access, to, a, variety, of, fraudulent techniques, allowing, them, to, easily, monetize, access, to, the, infected hosts.

In this post, we'll profile, profile, the, Android.Spy.277.origin, mobile, malware, found, on hundreds, of applications, at Google Play, expose, the, malicious, infrastructure, behind, it, provide, MD5s, and, discuss, in, depth, the, various tactics, techniques, and procedures, utilized, by, malicious, attackers, for, the purpose, of, spreading, mobile, malware, attempting, to, trick, users, into, executing, malicious software, on their, devices.

Sample detection rate for a sample malware:
MD5: a51d7f8413aa3857a4682fa631d39054

Once executed the sample phones back to the following C&C server:
hxxp://startappexchange.com - 184.26.136.91; 184.26.136.113

The same malicious C&C server (startappexchange.com) is also known to have responded to the following IPs:
23.15.5.200
23.63.227.171
95.101.2.24
23.62.239.19
96.6.122.67
23.15.5.205
23.62.236.98
61.213.181.153
23.63.227.208
23.63.227.192
23.3.13.65
96.6.122.74
23.3.13.58
23.62.236.74
184.50.232.74
184.84.243.57
217.7.48.104
217.7.48.192
80.157.151.48
80.157.151.67
67.135.105.35
23.61.194.186
88.221.134.192
88.221.134.211
23.0.160.8
95.101.0.24
95.101.0.50
2.21.243.57
2.21.243.64
23.0.160.51
184.29.105.43
173.223.232.66
184.29.105.83
96.16.98.113
107.14.46.80
62.208.24.33
217.65.36.6

Related malicious MD5s known to have phoned back to the same C&C server:
MD5: 53958d60a2d52c99ad305ec105d47486
MD5: 45eaa4fc36c9a69b3ac78ddce7800daa
MD5: b355ed6fa08ef0415d4e7c6bc602f9a8
MD5: e4c7d87b7b20ae9555c6efe6466b32e6
MD5: 83a449691ff40cf9d3c8c4d7119aaea7

This post has been reproduced from Dancho Danchev's blog.

Friday, August 28, 2015

Historical OSINT - How TROYAK-AS Utillized BGP-over-VPN to Serve the Avalance Botnet

Historical OSINT is a crucial part of an intelligence analyst's mindset, further positioning a growing or an emerging trend, as a critical long term early warning system indicator, highlighting the importance, of current and emerging trends.


In this post, I'll discuss Troyak-AS, a well-known cybercrime-friendly hosting provider, that represented, the growing factor, for the highest percentage of malicious and fraudulent activity online, throughout 2010, its upstream provider NetAssist LLC, and most importantly, a malicious innovation applied by cybercriminals, at the time, namely the introduction of malicious netblocks and ISPs, within the RIPE registry, relying on OPSEC (Operational Security) and basic evasive practices.

According to RSA, the Ukrainian based ISP NetAssist LLC is listed as a legitimate ISP,  one whose services haven't been abused in any particular cybercrime-friendly way. 

This analysis, will not only prove, otherwise, namely, that NetAssist LLC's involvement in introducing a dozen of cybercrime friendly networks – including TROYAK-AS – has been taking place for purely commercial reasons, with the ISP charging thousands of euros for the process, but also, expose a malicious innovation applied on behalf of opportunistic cybercriminals, at the time, namely, the introduction of innovative bulletproof hosting tactics, techniques and procedures.

Domain name reconnaissance:
troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 (AS44310) - Email: staruy.rom@troyak.org; staruy.rom@inbox.ru
smallshopkz.org - 195.78.123.1 (AS12570)


Name servers:
ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA
ns.bgpvpn.kz - 91.213.93.10


ns.smallshopkz.org (195.78.123.1) is also known to have offered DNS services, to prombd.net (AS44107) PROMBUDDETAL (AS50215 Troyak-as at the time responding to ctlan.net) - 91.201.30.1, and vesteh.net (AS47560) VESTEH-NET 91.200.164.1

Domain name reconnaissance:
bgpvpn.kz
Organization Using Domain Name
Name...................: Mykola Tabakov
Organization Name......: Mykola Tabakov
Street Address.........: office 211, ul. Pushkina, dom 166
City...................: Astana
State..................: Astana
Postal Code............: 010000
Country................: KZ

Administrative Contact/Agent
NIC Handle.............: CA537455-RT
Name...................: Mykola Tabakov
Phone Number...........: +7.7022065468
Fax Number.............: +7.7022065468
Email Address..........: tabanet@mail.ru

Nameserver in listed order:
Primary server.........: ns.bgpvpn.kz
Primary ip address.....: 91.213.93.10



Domain name reconnaissance:
smallshopz.biz
Domain Name:SMALLSHOPKZ.ORG
Created On:30-Oct-2009 13:42:14 UTC
Last Updated On:19-Mar-2010 14:39:19 UTC
Expiration Date:30-Oct-2010 13:42:14 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_10606443
Registrant Name:Vladimir Vladimirovich Stebluk
Registrant Organization:N/A
Registrant Street1:off. 306, Bulvar Mira, 16
Registrant Street2:
Registrant Street3:
Registrant City:Karaganda
Registrant State/Province:Qaraghandyoblysy
Registrant Postal Code:100008
Registrant Country:KZ
Registrant Phone:+7.7012032605
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:vladcrazy@smallshopkz.org



NetAssist LLC (netassist.ua) (AS29632) reconnaissance:
inetnum:        62.205.128.0 - 62.205.159.255
netname:        UA-NETASSIST-20080201
descr:          NetAssist LLC
country:        UA
org:            ORG-NL64-RIPE
admin-c:        MT6561-RIPE
admin-c:        AVI27-RIPE
tech-c:         MT6561-RIPE
tech-c:         APP18-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MEREZHA-MNT
mnt-routes:     MEREZHA-MNT
mnt-domains:    MEREZHA-MNT
source:         RIPE # Filtered



organisation:  ORG-NL64-RIPE
org-name:      NetAssist LLC
org-type:       LIR
address:        NetAssist LLC
Max Tulyev
GEROEV STALINGRADA AVE  APP 57  BUILD 54
04213 Kiev
UKRAINE
phone:          +380 44 5855265
fax-no:         +380 44 2721514
e-mail:         info@netassist.kiev.ua
admin-c:      AT4266-RIPE
admin-c:      KS3536-RIPE
admin-c:      MT6561-RIPE
mnt-ref:       RIPE-NCC-HM-MNT
mnt-ref:       MEREZHA-MNT
mnt-by:       RIPE-NCC-HM-MNT
source:        RIPE # Filtered




person:         Max Tulyev
address:        off. 32, 12 Artema str.,
address:        Kiev, Ukraine
remarks:        Office phones
phone:          +380 44 2398999
phone:          +7 495 7256396
phone:          +1 347 3414023
phone:          +420 226020344
remarks:        GSM mobile phones, SMS supported
phone:          +7 916 6929474
phone:          +380 50 7775633
remarks:        Fax is in auto-answer mode
fax-no:         +380 44 2726209
remarks:        The phone below is for emergency only
remarks:        You can also send SMS to this phone
phone:          +88216 583 00392
remarks:
remarks:      Jabber ID mt6561@jabber.kiev.ua
remarks:      SIP 7002@195.214.211.129
e-mail:         maxtul@netassist.ua
e-mail:         president@ukraine.su
nic-hdl:        MT6561-RIPE
mnt-by:        MEREZHA-MNT
source:         RIPE # Filtered

person:         Alexander V Ivanov
address:        14-28 Lazoreviy pr
address:        Moscow, Russia
address:        129323
phone:          +7 095 7251401
fax-no:         +7 095 7251401
e-mail:         ivanov077@gmail.com
nic-hdl:        AVI27-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered


person:         Alexey P Panyushev
address:        8-142, Panferova street
address:        Moscow, Russia
address:        117261
phone:          +7 903 6101520
fax-no:         +7 903 6101520
e-mail:         panyushev@gmail.com
nic-hdl:        APP18-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered

Is NetAssist LLC, on purposely offering its services, for the purpose of orchestrating cybercrime-friendly campaigns, in a typical bulletproof cybercrime friendly fashion, or has it been abused, by an opportunistic cybercriminals, earning fraudulently obtained revenues in the process? Based on the analysis in this post, and the fact, that the company, continues offering IPv4 RIPE announcing services, I believe, that on the majority of occasions, the company has had its services abused, throughout 2010, leading to the rise of the Avalance bothet.

I expect to continue observing such type of abuse, however, in a cybercrime ecosystem, dominated, by the abuse of legitimate services, I believe that cybercriminals will continue efficiently bypassing defensive measures in place, through the abuse and compromise of legitimate infrastructure.

This post has been reproduced from Dancho Danchev's blog.