Tuesday, June 21, 2016

DDanchev is for Hire!

Looking for a full-time threat intelligence analyst, cybercrime researcher, or security blogger?

Send your proposition to: ddanchev@protonmail.ch

Book Proposal - Seeking Sponsorship - Publisher Contact

Dear blog readers, as I'm currently busy writing a book, I'm looking for a publisher who's interested in publishing it. The book proposal is available on request.

Send your proposal to: ddanchev@protonmail.ch

Project Proposal - Cybercrime Research - Seeking Investment

Dear blog readers, I'm currently seeking an investment for a cybercrime research project. The project proposal is available on request.

Send your proposal to: ddanchev@protonmail.ch

Invitation to Join a Security Community

Dear blog readers, as I'm currently busy launching a private security community, I decided to publicly announce its existence.

Topics of discussion:
- cybercrime research
- threat intelligence
- malicious software

Request an invite: ddanchev@protonmail.ch

Follow me on Twitter!

Dear blog readers, are you on Twitter? If so, consider following me.

Conference Attendance - Accepting Invitations

Dear blog readers, as I'm currently busy booking my schedule for this year, I would appreciate your invitations to attend your conference or security event.

Send your proposition to: ddanchev@protonmail.ch

Malware Serving Campaign Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious spam campaign that exposes users to a multitude of malicious software, potentially compromising the confidentiality, integrity, and availability of their PCs.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: 6b422988b8b66e54e68f110c64914744
MD5: 414fc339b2dd57bab972b3175a18d64a

Once executed, a malware sample phones back to the following C&C server:
hxxp://hrtests.ru/S.php - 136.243.126.105; 146.185.243.133; 5.135.104.91; 178.33.188.142; 178.32.238.223; 178.208.83.7; 88.214.200.145
hxxp://managtest.ru/WinRAR.exe - 176.126.71.5; 5.196.241.192; 88.214.200.145

Related malicious MD5s known to have phoned back to the same C&C server IP (136.243.126.105):
MD5: e974e77d0f69b46b9f6c88d98c76c0c6
MD5: 908bb37015af1c863e8e73bb76fdb127
MD5: 87882046d21d2468ee993ea7c3159c4d
MD5: 299c6ac73e225ec5a355b2fb7a618e8f
MD5: 7f2862b5f399bc74dd6d8079da819126

Related malicious MD5s known to have phoned back to the same C&C server IP (146.185.243.133):
MD5: 47c18c76540b74a1bca6ca3ae10ebd50
MD5: 024807c29f147dd77450a5bc62e59fa5
MD5: e283f13766be7f705c0271bc42681270
MD5: a29d67dad13eef259dc5c872706f15a6
MD5: 2cf7bf436ef8cbfda0136efd11e92341

Related malicious MD5s known to have phoned back to the same C&C server IP (146.185.243.133):
MD5: 2cf7bf436ef8cbfda0136efd11e92341
MD5: 3a5f263a24728d3805045778978f00b5
MD5: 87435a3fc3799d271b3608955d1c6c4d
MD5: 95c0194351bc2685535544574eb3f5df
MD5: 7224e3698edec9590a5198defae66ef1

Once executed, a malware sample phones back to the following C&C server:
hxxp://worktests.ru/test0.txt

Once executed, a malware sample phones back to the following C&C server:
hxxp://testswork.ru/test15.txt
hxxp://testswork.ru/test18.txt
hxxp://testswork.ru/test18.txt
hxxp://testswork.ru/test20.txt
hxxp://testswork.ru/test21.txt

Once executed, a malware sample phones back to the following C&C server:
hxxp://tradetests.ru/test0.txt

Related malicious MD5s known to have phoned back to the same C&C server IP (176.126.71.5):
MD5: 44c3ac885206d641a6d2dce5a675f378
MD5: 2bf97da5f11b655428622fb10c68ff11
MD5: 6911f4a5a85e266229debfdf0832faad
MD5: 8f1b264ceef3e116522ec213ee691cd2
MD5: af7275d12796b53f0ad4d7866be49a4c

Once executed, a malware sample phones back to the following C&C server IPs:

Related malicious MD5s known to have phoned back to the same C&C server IP (5.196.241.192):
MD5: 57f6c25f57f6af3feb149d2cf0ca7b70
MD5: 45bc494e569671ac902ac4abeaf52d0e
MD5: b23b41bc40dd6b2d707c07dfb7da8a8b
MD5: 6458ddbaa59448352cfd18d774af1114
MD5: 89bd709329d7a2666e538ee0fdc7e6a0

Once executed, a malware sample phones back to the following C&C server:
hxxp://stafftest.ru/test.html

Related malicious MD5s known to have participated in the campaign:
MD5: 414fc339b2dd57bab972b3175a18d64a

Once executed, a malware sample phones back to the following C&C servers:
hxxp://stafftest.ru
hxxp://hrtests.ru
hxxp://profetest.ru
hxxp://testpsy.ru
hxxp://pstests.ru
hxxp://qptest.ru
hxxp://prtests.ru
hxxp://jobtests.ru
hxxp://iqtesti.ru

Related malicious MD5s known to have participated in the campaign:
MD5: 7838ccf4e448d8c7404bfe86f5c9d116

Once executed, a malware sample phones back to the following C&C server:
hxxp://managtest.ru/minerd
hxxp://hrtests.ru/S.php?ver=24&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Monday, June 20, 2016

Malware Serving Campaign Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign affecting hundreds of thousands of users globally, potentially exposing their PCs to a variety of malicious software and compromising the integrity, confidentiality, and availability of their devices.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the campaign:
hxxp://gv.com.my/0gcgs - 210.48.153.240
hxxp://test.glafuri.net/yxk6s - 176.223.121.193
hxxp://australiancheerleader.com.au/jsc1okam - 103.254.138.242

Related malicious MD5s known to have participated in the campaign:
MD5: c1f95adbcaf520bf182f9014970d33e5

Known to have phoned back to the same C&C server (210.48.153.240) are also the following malicious MD5s:
MD5: 8ea223d68856ba857a485b506259ae00
MD5: 8697121c56d20b602cd866dd1c0c1791
MD5: d668ee452efb2f1dd0dafc3f44b003e9
MD5: b1eedb69ad38d2e9ff3d5165163f1d0f

Once executed, a malware sample phones back to the following C&C server:
hxxp://138.201.93.46/userinfo.php

Related malicious C&C servers known to have participated in the campaign:
hxxp://pariachat.ir
hxxp://mahshahrchat.top
hxxp://tandischat.xyz
hxxp://irancell-chat.ir
hxxp://shokolatt.ir
hxxp://mahshahrchat.ir
hxxp://roznazchat.com

Related malicious MD5s known to have participated in the campaign:
MD5: 47223a926f70206de5aa9e9f4f4182f0

Once executed, a malware sample phones back to the following C&C servers:
hxxp://138.201.93.46/userinfo.php
hxxp://91.200.14.139/userinfo.php
hxxp://104.131.182.103/userinfo.php
hxxp://164.132.40.47/userinfo.php
hxxp://tjpdcrsbkyqscdue.info/userinfo.php - 69.195.129.70

Related malicious MD5s known to have phoned back to the same C&C server IP (91.200.14.139):
MD5: 47223a926f70206de5aa9e9f4f4182f0

Known to have phoned back to the same C&C server IP (69.195.129.70) are also the following malicious MD5s:
MD5: cd867fa29b9cd9b4d16f96aecb179521
MD5: ec12c2a033b3a381a86072c20a0527f2
MD5: d27ecf75aeb611297ed5b9f70b9773f0
MD5: 3b6ad5215f20452417e4af71eefe7bc9
MD5: b75580959b8eef6574ac029333afafa5

Once executed, a malware sample phones back to the following C&C servers:
hxxp://insamertojertoq.cc/in0odrfqwbio0sa
hxxp://tbiimhetdqyn.com/in0odrfqwbio0sa
hxxp://pmiqpskfkwkc.com/in0odrfqwbio0sa
hxxp://osghqrdmlyhh.net/in0odrfqwbio0sa
hxxp://lltlsiirjjjj.com/in0odrfqwbio0sa

Related malicious MD5s known to have participated in the campaign:
MD5: 90eb8948513e21a8c87f8295ac7e81f5

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Thursday, June 09, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign exposing users to a variety of malicious software, potentially compromising the confidentiality, integrity, and availability of their devices.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: beff48e790ed35ba081ea5d852e27c98
MD5: e200e630ad3af2e91f10608577e0ece3

Once executed, a malware sample phones back to the following C&C server:
hxxp://ksa-sef.com - 166.62.28.116; 107.180.50.244

Related malicious MD5s known to have phoned back to the same C&C server (166.62.28.116; 107.180.50.244):
MD5: c235a6e9700eb647f64113afa7bf028e
MD5: 3e00678672854c59c95eb4e800ec70a7
MD5: a24ba1d529ed33b86d04901f7b8e0d0a

MD5: ce22495bb5dda49a3953b7280b9032ef
MD5: 94885422e458fae7d83f0765c3cfa799
MD5: 180ff0b7620d525a2359f419b29a055e

Once executed, a malware sample phones back to the following C&C server:
hxxp://92.222.71.26/userinfo.php

Related malicious MD5s known to have phoned back to the same C&C server:
MD5: ea662c74e0cc7f798b9cfa73754e0458
MD5: a33b472659cba92a620e21797118a96d
MD5: 41f7c6937803e18c58e435c86771a381
MD5: cd1bb597d3d9ba25bc983f9be72f78ae
MD5: 92530421468a7532a57757bb1d5c967a

Once executed, a malware sample phones back to the following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://188.127.231.124
hxxp://92.222.71.26
hxxp://107.181.174.15

Once executed, a malware sample phones back to the following C&C servers:

Once executed, a malware sample phones back to the following C&C servers:
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://92.222.71.26
hxxp://188.127.231.124

Once executed, a malware sample phones back to the following C&C servers:

Once executed, a malware sample phones back to the following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://188.127.231.124

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Monday, May 30, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign exposing users to a variety of malicious software and compromising the confidentiality, integrity, and availability of their devices.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:

Once executed, a malware sample phones back to the following C&C server:
hxxp://sklasse-b.in.ua/777/gate.php - 217.12.201.60

Known to have phoned back to the same C&C server IP (217.12.201.60) are also the following malicious MD5s:
MD5: e070535dd1ca923d1b12a71307b2639a
MD5: 3092a0a15dceb494a62eb00ea1c51283
MD5: 90123fd7978d42c2cd0a1fdc62651eb6
MD5: 553bed2a3cab5f1ec98bbec6dc151dd3
MD5: 947efe328858d816a77ef6b103097097

Once executed, a malware sample phones back to the following C&C server:
hxxp://apimobiapps.com/api/app.php - 54.72.9.115; 37.1.210.139

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 7e6429d92bf457f5580457260c92d615
MD5: f89ee0bd2fa97380ceedbfe5bf3d5c93

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 886d621a5abeea5609ae813b50ea35a5
MD5: 576da1ff48ae7d4ce092698c20bb9c2c
MD5: 1c93b5c33585ab60c61c698713a6446d
MD5: 6afea2ece23b57fe3d3076ca799c18fe
MD5: 9a43a4bee370f7ae3759a5633b0ee40a

Once executed, a malware sample phones back to the following C&C servers:
hxxp://dh005.com - 54.72.9.115; 172.99.89.215
hxxp://parkingcrew.net - 185.53.179.29
hxxp://quickdomainfwd.com - 208.91.196.46

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign affecting hundreds of Google Play users, potentially exposing the confidentiality, integrity, and availability of their devices to a variety of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: 3f57dfe0ca2440bf03fda3e3b1295edc

Once executed, the sample phones back to the following C&C server:
hxxp://37.1.207.31/api/?id=5

Related malicious MD5s known to have been downloaded from the same C&C server (37.1.207.31):
MD5: 1fa7df305b49f03e9ecf05fbb9cf74b8
MD5: 52b256f04bc9f5f003e9f292e6fabcc2
MD5: 76cc87289fa2a2363b42551b180c05de
MD5: 4ac2c20905c9761b863fdc9e737ea3d5
MD5: be0493f06f55ef7daf30e7e4d9cd03db

Related malicious MD5s known to have phoned back to the same C&C server (37.1.207.31):
MD5: 6ebe7504bcc4003c5b224801e961848c
MD5: 6f918766c935c7a472c9518c5b4aa7ba
MD5: 4d083b01c850c418e97c2fcf4031eff5
MD5: 2ce8dc9e399dc90d54d151aefec97091
MD5: 8f524b8daa68063af05313870ba198cd

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign exposing Google Play users to a multitude of malicious software and compromising the confidentiality, integrity, and availability of their devices.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: f6aedc30fdab1b0a0bfebb3d51cb82ea

Related malicious MD5s known to have participated in the campaign:
MD5: ff844a8bb40da72b5c9f3a8c3cda7c9d051921e6
MD5: 83e56809b1662be002f4e1c4bcd3aef90d060d8f
MD5: 7c3f693d0b0ea6c6fdbb078e56d7e71ffaf648b8
MD5: 9e36414341e4dbaa113980f7d900e0ac4baa4103
MD5: 21266e72c8becbb439cb6d77f174b5eccefa2769

Once executed, a malware sample phones back to the following C&C servers:
hxxp://193.201.224.22
hxxp://85.143.221.46
hxxp://85.143.219.118

Known to have phoned back to the same C&C server IP (193.201.224.22) are also the following malicious MD5s:
MD5: 99f66211f75ace7d103fc2fbc147cd8c
MD5: ab712f0c6339d2c33cf34df44da972b8
MD5: d66f59cd897e5992c4dca3c6f6d198ce
MD5: 635fbe342c0732294db648e36b8e0a58

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Tuesday, May 17, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted yet another piece of mobile malware, exposing users to a multitude of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5 known to have been part of the campaign:
MD5: febc8518183e13114e7e4da996e64270

Once executed, a malware sample phones back to the following C&C servers:
hxxp://adultix.ru - 91.200.14.105; 185.87.51.121; 94.142.141.18
hxxp://xxxmobiletubez.com - 54.72.130.67; 89.144.14.59

Known to have responded to the same malicious C&C server IP (91.200.14.105) are also the following malicious domains:
hxxp://adultix.ru
hxxp://pixtrxxx.com
hxxp://coreectway.com
hxxp://filingun.com.ua

Known to have responded to the same malicious C&C server IP (185.87.51.121):
hxxp://adultix.ru
hxxp://updsandr.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (185.87.51.121):
MD5: 662e459a0b3a08f5632934565e8d898e

Known to have responded to the same malicious C&C server IP (94.142.141.18) are also the following malicious domains:
hxxp://updforphone.com
hxxp://adultix.ru

Related malicious MD5s known to have phoned back to the same C&C server IP (91.200.14.105):
MD5: 034f764d5d87d15680fff0256a7cf3f0
MD5: 6a5320f495250ab5e1965fcc3814ef06
MD5: 5a324d1e2dd88a57df0ae34ef1c8c687
MD5: d8f1b92d104c4e68e86f99e7f855caf8
MD5: 1b31d8db32fb7117d7cf985940a10c54

Known to have phoned back to the same malicious C&C server IP (54.72.130.67) are also the following malicious MD5s:
MD5: 007dbbed15e254cba024ea1fb553fbb2
MD5: 0b6c1377fc124cc5de66f39397d0a502
MD5: 2cfba1bce9ee1cfe1f371bcf1755840d
MD5: 26004eacdd59dcc4fd5fd82423079182
MD5: 2a1cfc13dac8cea53ce8937ee9b7a2fe

Once executed, a malware sample phones back to the following C&C server:
hxxp://toolkitgold.org (54.72.130.67)

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently intercepted yet another malware-serving campaign targeting Google Play and exposing unsuspecting users to a variety of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Known malicious MD5s used in the campaign:
MD5: 6f37c58e5513264fd43c6dd21b6dff32
MD5: 933171dbfc5bf49cadfb8c6698a86cec
MD5: d1ab7350b4e12d8ac567f4f937c10b87
MD5: bd33b1133cb5376b660f02c340eea578

Once executed, a malware sample phones back to the following C&C server:
hxxp://beest-gamess.com - 85.25.217.151

Known C&C servers used in the campaign:
hxxp://ldatjgf.goog-upps.pw - 50.30.36.1
hxxp://uwiaoqx.marshmallovw.com/ - 209.126.117.83
hxxp://google-market2016.com - 217.12.223.34

Known to have responded to the same malicious C&C server IP (50.30.36.1) are also the following malicious domains:
hxxp://iaohzcd.goog-upps.pw
hxxp://datjgf.goog-upps.pw
hxxp://lrbixtp.goog-upps.pw
hxxp://wqhdzry.goog-upps.pw
hxxp://tqbkmoy.goog-upps.pw

Known to have responded to the same malicious C&C server IP (209.126.117.83) are also the following malicious domains:

Known to have responded to the same malicious C&C server IP (217.12.223.34) are also the following malicious domains:
hxxp://android-market2016.com
hxxp://google-app2016.com
hxxp://google-market2016.com
hxxp://update-player2016.com

Known to have responded to the same malicious C&C server IP (85.25.217.151) are also the following malicious domains:
hxxp://varr.site
hxxp://varra.top
hxxp://varra.xyz
hxxp://ugugur.com
hxxp://alavar-gamess.com
hxxp://beest-gamess.com
hxxp://krakatao-giraffe.com
hxxp://marine-selling.com
hxxp://quick-sshopping.com
hxxp://shopping-marine.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Intercepted, Thousands of Users Affected

We've recently intercepted yet another piece of mobile malware, exposing unsuspecting users to a multitude of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Known malicious MD5s participating in the campaign:
MD5: 27ad60e62ff86534c0a9331e9451833d
MD5: 78fbac978d9138651678eb63e7dfd998

Malicious C&C server that is part of the campaign:
hxxp://apk.longxigame.com - 123.138.67.91; 106.119.191.98

Known to have been downloaded from the same malicious C&C server IP (123.138.67.91) are also the following malicious MD5s:
MD5: a6c9a8cfa41b608573f8a9adf767daa0
MD5: a5d98369590bd2e001ac3e2986b3d7e9
MD5: 8c5e6c7bc945877740f10e91e9640f70
MD5: e82c58593e787193b5e19810b7ab504e
MD5: 814d7d6701f00c7b96c7026b5561911c

Known to have responded to the same malicious C&C server (apk.longxigame.com) are also the following malicious domains:

Malicious MD5s known to have phoned back to the same C&C server (123.138.67.91):
MD5: 4efbe7fe86f63530d83ae7af5a3dc272
MD5: d8a3466addf81f2afeb2ca81c49d7361
MD5: 06e37b0c4a77bfa6a1052c4dd50afd9b
MD5: ed89d5977e334045500d0415154976b6

Once executed, a sample malware phones back to the following C&C servers:
hxxp://api.baizhu.cc - 120.76.122.200
hxxp://cdn.baizhu.cc - 123.138.67.91

Once executed, a sample malware phones back to the following C&C servers:
hxxp://yscq.v1game.cn (203.130.58.30)
hxxp://pic.v1.cn (123.138.67.92)
hxxp://img.g.v1.cn (203.130.58.30)
hxxp://static.v1game.cn (203.130.58.30)
hxxp://pay.v1game.cn (211.151.85.249)

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Monday, May 16, 2016

Mobile Malware Intercepted, Thousands of Users Affected

We've recently intercepted yet another malicious malware campaign affecting Google Play, exposing unsuspecting users to a multitude of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: 1c87344c24d8316c8f408a6f0396aa43
MD5: 390e66ffaccaa557a8d5c43c8f3a20a9
MD5: 8e2f8c52f4bb8a4e7f8393aa4a0536e1
MD5: ada4b19d5348fecffd8e864e506c5a72

Once executed, a sample malware phones back to the following C&C server:
hxxp://telbux.pw - 176.9.138.114

Malicious MD5s known to have been downloaded from the same C&C server IP (176.9.138.114):
MD5: f8471c153414b65bbeb80880dc30da0a
MD5: 5955411fe84c10fa6af7e40bf40dcdac
MD5: ec3e5125190d76c19ca1c0c9172ac930
MD5: 0551f10503369f12cd975468bff6d16a
MD5: 1127390826a9409f6fd7ad99c4d4af18

Once executed, a sampled malware phones back to the following C&C servers:
hxxp://144.76.70.213
hxxp://joyappstech.biz - 136.243.240.229

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently intercepted yet another malicious campaign utilizing Google Play for the purpose of serving malicious software to unsuspecting users.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: 3e57ef2802977c3c852a94bab131c84b

Known C&C servers, part of the campaign:
hxxp://localbitcoinsfast.com - 198.105.215.251
hxxp://newdesigns2016.biz - 190.97.166.230

Once executed, the sample phones back to the following C&C server:
hxxp://netspendexpress.biz - 68.71.49.24

Known to have phoned back to the same malicious C&C server IP (198.105.215.251) are also the following malicious MD5s:
MD5: c1b3912711dceab2cfb86f920eb69919

Once executed, a sample malware phones back to the following C&C servers:
hxxp://drone.hosterbox.com (68.71.49.24; 68.71.49.25; 142.4.12.128)

Malicious MD5s known to have phoned back to the same C&C server IP (68.71.49.24):
MD5: 7453f9445512e48357d91491b0e32134
MD5: 138c9475d4dc80185d4d3dd612c89d50
MD5: 2be0a8f626430d6c3c9588b55253ef95

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Intercepted, Thousands of Users Affected

We've recently intercepted a new mobile malware variant targeting users internationally and exposing their devices to a multitude of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Sample malicious MD5s used in the campaign:
MD5: 4f1696cc06bdab9508ba3434edab2f49
MD5: 15ef763ba561eb91b5790906505f0f79

MD5: 890dfd6b50b7ca870ceb04762725b8a6
MD5: 4a3b68aeb96ef0f26f855f6afb688a3c
MD5: c729ce2babce74998726257f167da62e
MD5: 3db50821ff074a70dcbc5c31c0a78e14

Once executed, a sample malware phones back to the following C&C server:
hxxp://alfabrong.eu/data/id=39759ac6-0898-424b-9e0d-790edfaa700e - 5.101.117.79; 5.187.4.15

Known to have responded to the same malicious C&C server (5.101.117.79) are also the following malicious domains:
hxxp://bugstracking.xyz
hxxp://bugstrucking.xyz
hxxp://ssd850pro.pw
hxxp://forclonabster.eu
hxxp://bugtracking.biz
hxxp://directplaytds.com
hxxp://forclonabster.xyz
hxxp://alfabrong.eu
hxxp://innotion.pw

Known to have responded to the same malicious C&C server (5.187.4.15) are also the following malicious C&C servers:
hxxp://alfabrong.eu
hxxp://hyperlabs.biz
hxxp://nkprus.ru
hxxp://programmiandroid.org

We'll continue monitoring the campaign and will post updates as soon as new developments take place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently intercepted yet another mobile malware variant affecting Google Play, with the cybercriminals behind it exposing its users to a multitude of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious MD5s used in the campaign:
MD5: 7f55e0b91f5151328e779a3a425fc241
MD5: 91139d1dfa5df1f18c7f40192b2c49ce

Once executed, a sample phones back to the following C&C server:
hxxp://mob-stats.com - 5.149.252.2

Known C&C server used in the campaign:
hxxp://update-sys-android.com/upd.php - 192.99.99.186

Once executed, a sample malware phones back to the following C&C servers:
hxxp://counter.wapstart.ru - 185.127.149.76; 81.19.95.17
hxxp://goalez.com - 91.219.195.3; 91.219.194.43; 91.219.194.8

Known to have phoned back to the same C&C server (185.127.149.76; 81.19.95.17) are also the following malicious MD5s:
MD5: c8afecd653d4b0b7ea48de13d6001a31
MD5: bfdb43b0f44a986c2cb495c38746cd23

Once executed, a sample malware phones back to the following C&C servers:
hxxp://kingwar.mgates.ru - 148.251.154.17
hxxp://counter.wapstart.ru - 185.127.149.76

Known to have phoned back to the same malicious C&C server (91.219.195.3) are also the following malicious MD5s:
MD5: 3ad15daf656a06bf850ea6973192ae47
MD5: 117b8362a54ece041307a136aceeb92c
MD5: 4dbdfaf3e8f5a09a7a4b82024f1c1072
MD5: 1521e73bb153f31015ab037f979602bc
MD5: 25318484bab66e0e8762c9fc5a1f888d

Once executed, a sample malware phones back to the following C&C servers:
hxxp://forces.may-trade.ru - 185.82.216.58
hxxp://plusfiles.890m.com - 91.219.195.3

Known to have been downloaded from the same malicious C&C server IP (91.219.194.8) are also the following malicious MD5s:
MD5: 31ad2a5a5d02e6c5e55817386b8eec01
MD5: 0815607c938c4f2088569be34ff57141
MD5: f629111b34e8e4d97ee26d2c6b19db96
MD5: 29d87de6b476fc1a873962ae04bbe206
MD5: a27158c55555ff2953e0a54a9996713d

Known to have phoned back to the same malicious C&C server IP (91.219.194.43) are also the following malicious MD5s:
MD5: 76dd60b9f406be3b808db6fca2d856ff
MD5: ad33371a2495a0f9236c988f7024edb1

Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://mu.sanek.com - 208.73.211.168
hxxp://muforum.info - 91.219.194.43
hxxp://best-hoster-group.ru - 91.219.193.252
hxxp://best-hoster.ru - 91.219.193.252
hxxp://freeller.net - 91.219.193.254
hxxp://hostagent.ru - 77.222.40.254
hxxp://ksdnewr.com - 192.64.147.242

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Affected

We've recently intercepted a currently circulating malicious campaign affecting hundreds of Web sites and exposing users to a multitude of malicious software.

In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Malicious URLs used in the campaign:
hxxp://default7.com - 199.48.227.25
hxxp://test246.com - 54.208.99.166
hxxp://test0.com - 72.52.4.119
hxxp://distinctfestive.com - 54.208.99.166
hxxp://ableoccassion.com - 54.208.99.166

Sample malware used in the campaign:
MD5: 9854f14ca653ee7c6bf6506d823f7371

Once executed, a sample malware phones back to the following C&C server:
hxxp://intva31.homelandcustom.info (52.6.18.250)

Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

Once executed, a sample malware phones back to the following C&C servers:
hxxp://ii55.net (69.172.201.153)
hxxp://rwai.net (54.208.99.166)

Known to have phoned back to the same malicious C&C server IP (69.172.201.153) are also the following malicious MD5s:
MD5: 5979f69be8b6716c0832b6831c398914
MD5: a27083ff19b187cbc64644bc10d2af11
MD5: b9306bb08ac502c7bcaf3d7e0cd9d846
MD5: cd34980dda700d07b93eef7910a2a8be
MD5: b708860e7962b10e26568c9b037765df

Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: 9854f14ca653ee7c6bf6506d823f7371
MD5: 90a88230d5b657ced3b2d71162a33cff
MD5: 70465233d93aa88868d7091454592a80
MD5: f8e21525c6848f45e4ab77aee05f0a28

We'll continue monitoring the campaign and post updates as soon as new developments take place.