I'm Back!

Tuesday, September 17, 2019

Dear blog readers - it's been a while since I've last posted a quality update following my disappearance and possible kidnapping attempt circa 2010 but as many of you have noticed I've recently published a variety of research and CYBERINT type of articles in a variety of areas which means that I'll be shortly returning to the usual blogging rhythm successfully publishing a quality set of research articles anytime soon. I've also wanted to let you know that I've recently launched an extremely popular News Portal called Unit-123 offering practical advice to the U.S Intelligence Community including Cyber Warriors and Cyber Warfare experts including a Cyber Security and Hacking Community called Offensive Warfare including a Bitcoin soliciting bid on the Dark Web for the upcoming launch of a proprietary custom-based Virtual Reality Social Network for Hackers and Security Experts called Cybertronics (dzxvmqrl3rjxbzuer6vv5ejahniz2nefqxfmwspfmvzjo4xxzm7n4xad.onion) including the usual interview spree in an attempt to land a permanent job position as I've been working on a variety of personal and proprietary Security and OSINT projects.

• Are you interested in having me speak at your event? Are you interested in inviting me to join a classified and potentially sensitive event or research group? Are you interested in becoming a writer at this blog? Are you interested in advertising at this blog? Feel free to approach me - disruptive.individuals@gmail.com

Consider going through some of my most recently published research:

• Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis
• Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infastructure
• Flashpoint Intel Official Web Site Serving Malware - An Analysis
• Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer"
• Historical OSINT - A Peek Inside The Georgia Government's Web Site Compromise Malware Serving Campaign - 2010
• Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated Software
• Historical OSINT - Able Express Courier Service Re-Shipping Mule Recruitment Scam Spotted in the Wild
• Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment Scam Spotted in the Wild
• Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping Panel LLC" Scam Domain Portfolio Spotted in the Wild
• The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community
• Historical OSINT - A Portfolio of Fake Tech Support Scam Domains - An Analysis
• Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet
• Historical OSINT - The Russian Business Network Says "Hi"
• Profiling "Innovative Marketing" - The Flagship Malvertising andf Scareware Distributor - Circa 2008 - An OSINT Analysis
• Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis
• Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and XMPP Accounts

In this post I'll walk you though the story of my disappearance including a brief introduction and explanation of my "hacker enthusiast" years circa the 90's where I've been busy doing "lawful surveillance" and "lawful interception" throughout my teenage years while I was not busy working full-time with several H/C/P/A (Hacking/Cracking/Phreaking/Anarchy) groups as a full-time member practically setting up the foundations of the Threat Intelligence market segment a few years later including the basics of Technical Collection type of position including Independent Contractor working under NDA in a post 9/11 World including a personal greeting to everyone who's been approaching me and reaching out offering support and technical and operational "know-how" including general "say hi" advice.

I want to express a personal gratitude to a good old research friend - Internet Anthropologist - who actually initiated a track-down action and managed to indirectly find me circa 2010 with the help of international and Bulgarian law-enforcement including fellow colleagues and friends from the Security Industry and U.S Intelligence Community circa 2008-2013 who attempted to track me down and find out more about my disappearance.

In this post I'll discuss my visit to the GCHQ circa 2008 with the Honeynet Project including an in-depth discussion on my "lawful interception" and "lawful surveillance" experience circa the 90's throughout my teenage hacker years including an in-depth discussion on the hacking Scene that I was proud to be a member of throughout the 90's having successfully participated in a variety of community and commercial projects including a personal thanks to the following friends and colleagues for offering support and keeping track of my research:

• Jamie Riden for making a personal contribution to my PayPal account for research purposes
• Steve Santorelli from Team Cymru for expressing interest in a proprietary Threats Database 
• Michal Salat for participating in a brief trial of my Threat Data service 
• Ian Cook for making a personal introduction to my current part-time employer KCS Group Europe 
• Jeffrey Bardin from Treadstone71 who reached out and offered employment opportunity 
• Harrison Cook who's been persistently donating and reaching out to support the Offensive Warfare 2.0 community 
• John Young from Cryptome.org who helped spread the word about the Offensive Warfare 2.0 Community 
• Liran Sorani from Webhose for the opportunity to participate in a part-time project 

An In-depth Analysis of the Hacking Scene circa the 90's through the prism of Dancho Danchev also known as tHe mAnIaC:

In a World where we've successfully set the foundation of offensive clandestine and psychological operations including the foundations of Technical Collection and the foundations of the Threat Intelligence market segment including the persistent emphasis on cyber threats facing U.S Government and U.S National Infrastructure in the context of enriching and disseminating actionable Threat Intelligence on a variety of U.S Intelligence Community including academic partners throughout the past decade successfully leading me to participate in a Top Secret GCHQ Surveillance and Monitoring Program basically keeping track of hackers and security researchers on Twitter for proactive Cyber Defense and OSINT purposes called "Lovely Horse" including a possible "4th Party Collection" trend-setting initiative circa 2008-2013 labeling some of my research as a possible "4th Party Collection" partner of U.S Intelligence Community including the tracking and take down of the Koobface botnet including my experience as a Managing Director of "The Underground" also known as Astalavista Security Group's Astalavista.com (Security Interviews - Part 01; Security Interviews - Part 02; Security Interviews - Part 03) throughout 2003-2006 with my ex-girlfriend now partner in life - Yordanka Ilieva -  when we used to rock the boat - and are prone to do so. Takes you back doesn't it? Keep reading.

Personal Photo of bedroom hacker - today's leading expert in the field of cybercrime research security blogging and threat intelligence gathering - Dancho Danchev also known as the tHe mAnIaC circa the 90's with his hacker girlfriend - Yordanka Ilieva - including various personal projects circa the 90's

• I happen to have directly established a connection with one of the primary Sub7 Trojan Horse authors HeLLfiReZ which makes me pretty close to Steve Gibson in one way or another - throughout the 90's where we exchanged Trojan Horse samples while I was busy working for Trojan Defense Suite and the infamous Lockdown2000 anti-trojan software suite where I was busy working on signatures and help-guides compilation while I was also busy being a member of several hacking groups primarily found on the Cyberarmy.com Top 50 Hacking List including Progenic.com Top 100 hacking sites list.
• Mail-bombing was a trend - in particular my personal experience of making jokes with friends who were unable to take care of 100+ email messages in their Inbox
• Mass-Mailing List subscription - in particular the fact that my friends were not capable of finding a productive way to get rid of the messages and unsubscribe themselves
  
• Telephony Denial of Service attack circa the 90's exploiting a popular for Eastern Europe Mail2SMS mobile provider feature - in particular the fact that it's not necessarily a pleasant experience to get rid of 100+ SMS messages received in a short-period of time
• "Lawful Interception" of friends - something else that I'm not particularly proud of is my "lawful surveillance" and "lawful interception" experience and capabilities of people that I knew and that I used to know largely driven by the need to explore and learn more
• Corporate Experience in the field of anti-trojan detection technologies and categorization - in particular my experience in creating trojan horse signatures and writing actual technical descriptions for the purpose of improving my employer's overall detection rate for a variety of trojan horse vendors circa the 90's.

Do you remember my work from the 90's? Are you familiar with the Scene circa the 90's? Feel free to approach me - disruptive.individuals@gmail.com or make a PayPal donation using my PayPal ID: dancho.danchev@hush.com for the purpose of fueling growth into my research.

Continue Reading | comments

Dancho Danchev's Blog - Open Call for Blog Contributors and Guest Bloggers

Sunday, September 15, 2019

UPDATE: Do you know which is one of the World's most popular Security blogs and who's running it? Guess what - you've been reading it all along. Ever since I started this blog in December, 2005 for the purpose of impressing my girlfriend and greatly inspired by a successful venture with Astalavista Security Group circa 2003-2006 I've received over 5M page views courtesy of a loyal base of users to whom I owe a great debt of gratitude for keeping track of my research and following my comments - in real-time. The time has come to expand and eventually launch a new set of products and services including a possible Advertising Inventory - therefore I've decided to launch an Open Call for Blog Contributors including Guest Bloggers. Interested in writing at this blog? Feel free to approach me - disruptive.individuals@gmail.com

Dancho Danchev's Blog - Major Security Web Property Statistics:

Dear blog readers, friends, partners, colleagues, Security Industry friends and partners including U.S Intelligence Community and U.S and International Law Enforcement friends and partners - it's been a decade since I originally decided to launch this blog positioning it as a top Security and Threat Intelligence including Cybercrime Research Major Web Property attracting thousands of high-profile and loyal users throughout the decade to whom I owe a great deal of personal thanks and admiration for following me and supporting my research and personal opinion throughout the years including the active spreading of high-quality and never-published before OSINT analysis cybercrime and threat intelligence gathering type of technical analysis.

In the spirit of offering high-quality research and malicious and fraudulent campaign analysis including the expansion of my personal blog to include a diverse set of new areas including a possible Advertising Inventory to offer to selected and invite-only vendors and organizations - I've decided to make an Open Call for Blog Contributors and Guest Bloggers with the idea to keep the spirit of my 2008-2013 series of analysis where I was busy dominating the news with new attack vectors and attacks techniques including the profiling and tracking down of new malware and cybercrime groups.

Interested in writing at this blog? Do you have a lot to say in the area of cybercrime research and Threat Intelligence including Privacy Anonymity and malicious software including botnets? Keep reading.

Who's Welcome to Approach me?

• Academic Institutions looking for ways to properly promote their research and content by offering a selected individuals who'd be responsible for offering an in-depth never published before perspective on the Institution's cybercrime and malicious software research perspective
• Threat Intelligence Vendors looking for ways to approach a new set of loyal user base and to promote their research products and services by appointing a selected individual who would be interested in communicating Key Vendor findings on a daily basis
• Independent Freelancers looking to reach out to a loyal user base and receive the necessary expose in terms of having their article read by thousands of loyal and selected users on a daily basis
• Friends and Colleagues with whom I've worked in the past or with who I continue to work nowadays who might be interested in making a valuable contributing to this high-quality Web property publication

Interested in writing at this blog? Do you want to make a valuable contribution? Feel free to approach me disruptive.individuals@gmail.com and I'll get back to you with proper access as soon as possible.

Continue Reading | comments

Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet

Wednesday, September 11, 2019

It's 2010 and I've recently came across to a compromised Georgian Government Ministry of Defense and Ministry of Justice official Web site spreading potentially participating in a wide-spread phishing and malware-serving campaign enticing users into interacting with the rogue U.S Intelligence and U.S Law Enforcement themed emails for the purpose of spreading and dropping malicious software on the targeted host's PC.

Sample malicious URL known to have participated in the campaign abusing common Web Site redirection application vulnerability flaw:

hxxp://www.mod.gov.ge/2007/video/movie.php?l=G&v=%20%3E%20a%20href%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3EDownload%20%3C%2Fa%3E%20script%3Ewindow.OPEN%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3C%2Fscript%3E%20#05184916461921807121

Related malicious URLs known to have participated in the campaign:

hxxp://officialweightlosshelp.org/wp-admin/report.zip

Spread URL found within the config:

hxxp://www.adventure-center.net/upload/x.txt - 195.70.48.67

Related compromised malicious URLs known to have participated in the campaign:

hxxp://new.justice.gov.ge/files/Headers/in.txt

hxxp://new.justice.gov.ge/files/Headers/fresh.txt

hxxp://new.justice.gov.ge/files/Headers/rollers1.php

Related MD5s known to have participated in the campaign:

MD5: d0c0a2e6b30f451f69df9e2514ba36f2

MD5: 974a4a516260a4fafb36234897469013

MD5: ecb7304f838efb8e30a21189458b8544

MD5: 81b3bff487fc9a02e10288114fc2b5be

MD5: 234523904033f8dc692c743cbcf5cf2b

MD5: e2fffaffc1064d24e7ea6bab90fd86fc

MD5: 5941c9b5bd567c5baaecc415e453b5c8

MD5: 0ff325365f1d8395322d1ef0525f3b1f

MD5: 4437617b7095ed412f3c663d4b878c30

MD5: eb66a3e11690069b28c38cea926b61d2

MD5: 2b7e4b7c5faf45ebe48df580b63c376b

Known to have participated in the campaign are also the following two domains part of the Hilary Kneber botnet:
hxxp://dnicenter.com - Email: abuseemaildhcp@gmail.com
hxxp://dhsorg.org - Email: hilarykneber@yahoo.com

Related malicious download location URLs known to have participated in the campaign:
hxxp://www.zeropaid.com/bbs/includes/CYBERCAFE.zip
hxxp://rapidshare.com/files/318309046/CYBERCAFE.zip.html
hxxp://www.sendspace.com/file/fmbt01
hxxp://hkcaregroup.com/modlogan/MILSOFT.zip
hxxp://rapidshare.com/files/320369638/MILSOFT.zip.html
hxxp://fcpra.org/downloads/MILSOFT.zip
hxxp://fcpra.org/downloads/winupdate.zip
hxxp://www.sendspace.com/file/tj373l
hxxp://mv.net.md/update/update.zip - 195.22.225.5
hxxp://www.sendspace.com/file/7jmxtq
hxxp://mv.net.md/dsb/DSB.zip
hxxp://www.sendspace.com/file/rdxgzd
hxxp://timingsolution.com/Doc/BULLETIN.zip
hxxp://www.sendspace.com/file/goz3yd
hxxp://dnicenter.com/docs/report.zip
hxxp://dhsorg.org/docs/instructions.zip - 222.122.60.186; 222.122.60.1
hxxp://www.sendspace.com/file/h96uh1
hxxp://depositfiles.com/files/xj1wvamc4
hxxp://tiesiog.puikiai.lt/report.zip
hxxp://somashop.lv/report.zip
hxxp://www.christianrantsen.dk/report.zip
hxxp://enigmazones.eu/report.zip
hxxp://www.christianrantsen.dk/report.zip
hxxp://enigmazones.eu/report.zip

hxxp://gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN.zip
hxxp://quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.zip - 66.147.242.169

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://dhsinfo.info - 218.240.28.34
hxxp://greylogic.info - 218.240.28.34; 218.240.28.4
hxxp://intelfusion.info - 218.240.28.34

hxxp://greylogic.org - 222.122.60.1

Related malicious MD5s known to have participated in the campaign:
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
MD5: 28c4648f05f46a3ec37d664cee0d84a8

Once executed a sample malware phones back to the following C&C server IPs:
hxxp://from-us-with-love.info - 91.216.141.171
hxxp://from-us-with-love.info/imglov/zmpt4d/n16v18.bin
hxxp://vittles.mobi - 174.132.255.10

hxxp://nicupdate.com - 85.31.97.194

Related malicious and fraudulent IPs known to have participated in the Hilary Kneber botnet campaign:
hxxp://58.218.199.239
hxxp://59.53.91.102
hxxp://60.12.117.147
hxxp://61.235.117.71
hxxp://61.235.117.86
hxxp://61.4.82.216
hxxp://193.104.110.88
hxxp://95.169.186.103
hxxp://222.122.60.186
hxxp://217.23.10.19
hxxp://85.17.144.78
hxxp://200.106.149.171
hxxp://200.63.44.192
hxxp://200.63.46.134
hxxp://91.206.231.189
hxxp://124.109.3.135
hxxp://61.61.20.134
hxxp://91.206.201.14
hxxp://91.206.201.222
hxxp://91.206.201.8
hxxp://216.104.40.218
hxxp://69.197.128.203

Related malicious and fraudulent domains known to have participated in the Hilary Kneber botnet campaign:
hxxp://123.30d5546ce2d9ab37.d99q.cn
hxxp://d99q.cn
hxxp://524ay.cn
hxxp://adcounters.net
hxxp://adobe-config-s3.net
hxxp://mywarworld.cn
hxxp://aqaqaqaq.com
hxxp://avchecker123.com
hxxp://bizelitt.com
hxxp://biznessnews.cn
hxxp://bizuklux.cn
hxxp://fcrazy.com
hxxp://fcrazy.eu
hxxp://boolred.in
hxxp://brans.pl
hxxp://britishsupport.net
hxxp://bulkbin.cn
hxxp://chaujoi.cn
hxxp://checkvirus.net
hxxp://chinaoilfactory.cn
hxxp://chris25project.cn
hxxp://client158.faster-hosting.com
hxxp://cwbnewsonline.cn
hxxp://cxzczxccc.com.cn
hxxp://dasfkjsdsfg.biz
hxxp://dia2.cn
hxxp://digitalinspiration.e37z.cn
hxxp://dolbanov.net
hxxp://dolcegabbana.djbormand.cn
hxxp://djbormand.cn
hxxp://download.sttcounter.cn - 61.61.20.134; 211.95.78.98
hxxp://sttcounter.cn
hxxp://dred3.cn
hxxp://dsfad.in
hxxp://e37z.cn
hxxp://e58z.cn
hxxp://electrofunny.cn
hxxp://electromusicnow.cn
hxxp://elsemon.cn
hxxp://fcrazy.info
hxxp://filemarket.net
hxxp://flo5.cn
hxxp://footballcappers.biz
hxxp://fobsl.cn
hxxp://forum.d99q.cn
hxxp://gamno6.cn
hxxp://gidrasil.cn
hxxp://gifts2010.net
hxxp://ginmap.cn
hxxp://giopnon.cn
hxxp://gksdh.cn
hxxp://glousc.com
hxxp://gnfdt.cn
hxxp://gold-smerch.cn
hxxp://goldenmac.cn
hxxp://google.maniyakat.cn
hxxp://maniyakat.cn
hxxp://greenpl.com
hxxp://grizzli-counter.com
hxxp://grobin1.cn
hxxp://inpanel.cn
hxxp://itmasterz.org
hxxp://iuylqb.cn
hxxp://kaizerr.org
hxxp://keepmeupdated.cn
hxxp://khalej.cn
hxxp://kimosimotuma.cn
hxxp://klaikius.com
hxxp://klitar.cn
hxxp://kolordat482.com
hxxp://kotopes.cn
hxxp://liagand.cn
hxxp://love2coffee.cn
hxxp://majorsoftwareupdate.info
hxxp://marcusmed.com
hxxp://mcount.net
hxxp://mega-counter.com
hxxp://monstersoftware.info
hxxp://morsayniketamere.cn
hxxp://mydailymail.cn
hxxp://mynewworldorder.cn
hxxp://newsdownloads.cn
hxxp://nit99.biz
hxxp://nm.fcrazy.com
hxxp://nmalodbp.com
hxxp://not99.biz
hxxp://online-counter.cn
hxxp://pedersii.net
hxxp://piramidsoftware.info
hxxp://popupserf.cn
hxxp://qaqaqaqa.com
hxxp://qaqaqaqa.net
hxxp://qbxq16.com
hxxp://redlinecompany.ravelotti.cn
hxxp://ravelotti.cn
hxxp://relevant-information.cn

Related Hilary Kneber botnet posts:
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Dissecting the Exploits/Scareware Serving Twitter Spam Campaign
Koobface Botnet Starts Serving Client-Side Exploits

Continue Reading | comments

Fake NordVPN Web Site Drops Banking Malware Spotted in the Wild

I've recently came across to a rogue NordVPN web site distributing malicious software potentially exposing NordVPN users to a multi-tude of malicious software further compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:
hxxp://nord-vpn.club - 192.64.119.159; 2.56.215.159

Sample malicious MD5s known to have participated in the campaign:
MD5: 3c24aa2c26e3556194ffd182a4dfaae5a41f
MD5: 7d6c24992eff0d64f19c78f05ea95ae44bc83af1
MD5: d39c320c3a43873db2577b2c9c99d9bf2bdb285c
MD5: d5ed3c70a8d7213ed1b9a124bbc1942e2b8cfeea
MD5: e89efde8ae72857b1542e3ae47f047c54b3d341a
MD5: 59f511ea1e34753f41a75e05de96456ca28f14a7
MD5: 453c428edda0fc01b306cc6f3252893fce9763a7

Continue Reading | comments

Join Me on Patreon Community!

Monday, September 09, 2019

Dear blog readers,

I decided to let everyone know that I've recently launched my own Patreon Community Page with the idea to let everyone know that I'm currently busy crowd-funding a high-profile upcoming Cyber Security Investment Project - and I would love to hear from you more details about your thoughts regarding new Tier Features and whether or not you could make a possible long-term type of financial donation or sponsorship regarding my research and my security expertise.

The current status of the project:
- I'm currently busy soliciting additional input from colleagues regarding upcoming Tier Features
- I'm currently busy reaching out to colleagues to possibly convert them to Patreon Sponsors
- I'm currently busy working on a high-profile Security Podcast
- I'm currently busy working on a high-profile Security Newsletter

Has my research helped you or your organization in the past? Have you been a long-time blog reader? Have you learned something new? Did my active cybercrime and nation-state actor profiling helped you excel in your career path? Are you happy with what you're seeing? Dare to take a moment and refer a colleague or an organization my personal blog including my Patreon Community Page including a possible Patreon Sponsor request confirmation?

Looking forward to hearing from you at - dancho.danchev@hush.com

Enjoy!

Continue Reading | comments

Historical OSINT - The Russian Business Network Says "Hi"

You know you're popular when "they" say "hi".

It's 2009 and I've received a surprising personal email courtesy of guess who - The Russian Business Network showing off the actual ownership of the hxxp://rbnnetwork.com domain and basically saying "hi". It's worth pointing out that throughout 2008-2013 I've extensively profiled the activities including the customer activities of some of the most prolific customers and members of the infamous Russian Business Network also known as the RBN in the context of blackhat SEO iFrame and input validation abuse across major Web properties including malvertising and various other malware-serving and client-side exploits serving campaigns including money mule recruitment and phishing campaigns the ubiquitous at the time fake security software also known as scareware in a variety of post series.

• Related post - Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise

It's been a decade since I last profiled the most prolific and sophisticated market-leading bullet-proof hosting cybercrime enterprise - the Russian Business network which at the time was dominating the majority of campaigns that I was busy profiling with the help of fellow researchers to whom I owe a big deal of thanks for approaching me circa 2008-2013 namely Jart Armin and James McQuaid with whom I've been directly or indirectly keeping in touch throughout 2008-2013 for the purpose of offering quality research on the activities of the Russian Business Network including their customers and fraudulent and malicious campaigns.

• Related post - Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

Stay tuned and thanks for reaching out!

Related Russian Business Network (RBN) Research:
I See Alive IFRAMEs Everywhere - Part Two
I See Alive IFRAMEs Everywhere
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
Compromised Sites Serving Malware and Spam
U.S Consulate St. Petersburg Serving Malware
Massive RealPlayer Exploit Embedded Attack
Malware Serving Exploits Embedded Sites as Usual
MDAC ActiveX Code Execution Exploit Still in the Wild
Yet Another Massive Embedded Malware Attack
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Over 100 Malwares Hosted on a Single RBN IP
Detecting and Blocking the Russian Business Network
Exposing the Russian Business Network
Go to Sleep, Go to Sleep my Little RBN
Injecting IFRAMEs by Abusing Input Validation
RBN's Fake Account Suspended Notices
ZDNet Asia and TorrentReactor IFRAME-ed
Russia's FSB vs Cybercrime
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
Wired.com and History.com Getting RBN-ed
The Russian Business Network
Exposing the Russian Business Network
More CNET Sites Under IFRAME Attack
Embedded Malware at Bloggies Awards Site
Have Your Malware In a Timely Fashion
Geolocating Malicious ISPs
More High Profile Sites IFRAME Injected
The New Media Malware Gang - Part Four
Another Massive Embedded Malware Attack

Continue Reading | comments

DDanchev is for Hire!

Saturday, September 07, 2019

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?




Approach me at dancho.danchev@hush.com

Continue Reading | comments

g0t Bitcoin?

Monday, August 19, 2019

Dear blog readers, dare to take a moment of your precious time to check a venerable and recently proposed cyber security project investment including the opportunity to enter a Bold New World of Hacking and Information Security? Has the time come to set them straight? Keep reading.

Check out this Onion - http://dzxvmqrl3rjxbzuer6vv5ejahniz2nefqxfmwspfmvzjo4xxzm7n4xad.onion and donate today!

Stay tuned!

Continue Reading | comments

Assessing the Recently Leaked FSB Contractor Data - A Peek Inside Russia's Understanding of Social Network Analysis and Tailored Access Operations

Friday, August 02, 2019

I've recently managed to obtain a copy of the recently leaked FSB contractor data courtesy of 0v1ru$ and "Digital Revolution" and I've decided to take a closer look including an in-depth overview and discussion of the leaked data in the context of today's modern-driven AI-powered automated OSINT technologies in the broader context of the U.S Intelligence Community in particular the utilization of rogue TOR exit nodes for the purpose of intercepting and harvesting TOR exit node data within the Russian Federation including social-network analysis data-mining and possible "lawful surveillance" and "lawful interception" including possible data collection type of Tailored Access Operation campaigns launched by "0day Technologies" and "SyTech".

Sample Company Logo:

Sample Company Logo:

Sample personal photos of the individuals behind "0day Technologies" and "SyTech":

Sample Screenshots of the User-Interface behind the "Lawful Surveillance" and "Lawful Interception":

Sample Screenshots of the Rogue and Bogus Tor-Exit-Node Research Project:

Sample URLs involved in the campaign:

hxxp://0day.ru

hxxp://sytech.ru

Sample Telegram account involved in the campaign:

hxxp://t.me/D1G1R3V_DigitalRevolution

Sample Vkontakt account involved in the campaign:

hxxp://vk.com/d1g1r3v

Sample Twitter account involved in the campaign:
hxxp://twitter.com/d1g1r3v
hxxp://twitter.com/0v1ruS

Sample URL known to have participated in the campaign:
hxxp://d1g1r3v.net

Related URL of the currently leaked data:
https://mega.nz/#F!3c0lTaLI!jVUS_O7Q0opCHUPYgK1E_w

Continue Reading | comments

Profiling "Innovative Marketing" - The Flagship Malvertising andf Scareware Distributor - Circa 2008 - An OSINT Analysis

Tuesday, July 30, 2019

Continuing the "FBI Most Wanted Cybercriminals" series I've decided to take a closer look at "Innovative Marketing" the primary malvertising and scareware distributor participating in several high-profile malvertising and scareware-serving campaigns circa 2008 including personally identifiable information on two of the main group operators - Shaileshkumar P. Jain and Bjorn Daniel Sundin with the idea to provide law enforcement and the U.S Intelligence community with the necessary information to track down and prosecute the gang behind these campaigns.

In this post I'll profile actionable intelligence on the infrastructure behind the "Innovative Marketing" malvertising and scareware distributor circa 2008 including personally identifiable information on two of the key members of the gang.

Known "Innovative Marketing" alternative brand names and related associates:
Billingnow
BillPlanet PTE Ltd.
Globedat
Innovative Marketing Ukraine
Revenue Response
Sunwell
Synergy Software BV
Winpayment
Consultancy SPC
Winsecure Solutions,
Winsolutions FZ-LLC
ByteHosting Internet Services, LLC
Setupahost.net

Known related campaigns and related brands launched by the same group:
BurnAds
UniqAds
Infyte
NetMediaGroup
ForceUp

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://ad2cash.net 
hxxp://adtraff.com 
hxxp://adzyclon.com 
hxxp://bestadmedia.com
hxxp://bestsearchnet.com 
hxxp://bucksbill.com 
hxxp://burnads.com 
hxxp://casinoaceking.com 
hxxp://cryptdrive.com 
hxxp://fileprotector.com 
hxxp://forceup.com 
hxxp://freetvnow.net 
hxxp://fulsearch.com 
hxxp://getfreecar.com 
hxxp://greyhathosting.com

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://installprovider.com 
hxxp://libresystm.com 
hxxp://magicsearcher.com 
hxxp://moneypalacecash.com 
hxxp://myhealth-life.org 
hxxp://myonlinefinance.com 
hxxp://netmediagroup.net 
hxxp://netturbopro.com 
hxxp://newbieadguide.com 
hxxp://pcsupercharger.com 
hxxp://popsmedia.com 
hxxp://popupnukerpro.com 
hxxp://prizesforyou.com 
hxxp://searchcolours.com 
hxxp://searchoperation.com 
hxxp://sellmoresoft.net 
hxxp://sellmysoft.net 
hxxp://sharpadverts.com 
hxxp://softwcs.com 
hxxp://tallgrass-seach.com 
hxxp://theringtonesource.com 
hxxp://traffalo.com 
hxxp://unicsearch.com 
hxxp://uniqads.com 
hxxp://vitecmedia.com 
hxxp://wewillfind.com 
hxxp://windefender.com 
hxxp://workhomecenter.com 
hxxp://yourseeker.com 
hxxp://yourteacheronline.com 
hxxp://zappinads.com

Related scareware products known to have been sold and distributed by "Innovative Marketing":
SpyGuarder
SpyKiller Pro
Spyware Sweeper
SpywareIsolator
SwiftCleaner
SystemDoctor
SystemErrorFixer
SystemSweeper
TotalAntivirus
Trasheraser
Trustedprotecion
UltimateCleaner
VirusRemover 2008
WinAntiSpyware
WinAntiVirusPro
WinBugFixer
WinDefender2008
WinFixer
Winsecureav
WinSpyware Protect
WinxDefender
XLifeGuarder
XP AntiSpyware 2009
XP AntiVirus

Related domains known to have participated in the campaign:
hxxp://acchiappavirus.com
hxxp://adiosvirus.com
hxxp://ahorrememoria.com
hxxp://altalimpeza.com
hxxp://anonimutente.com
hxxp://ad2cash.net
hxxp://ad2profit.com
hxxp://adcomatoz.com
hxxp://adgurman.com
hxxp://adhokuspokus.com
hxxp://adnetserver.com
hxxp://ad2profit.com
hxxp://adcomatoz.com
hxxp://adgurman.com
hxxp://adhokuspokus.com
hxxp://adnetserver.com
hxxp://adredired.com
hxxp://adsolutio.com
hxxp://adtraff.com
hxxp://adverdaemon.com
hxxp://adverlounge.com
hxxp://adzyclon.com
hxxp://adredired.com
hxxp://adsolutio.com
hxxp://adtraff.com
hxxp://adverdaemon.com
hxxp://adverlounge.com
hxxp://adzyclon.com
hxxp://alg-search.com
hxxp://alhoster.com
hxxp://aligarx.biz
hxxp://all-search-it.com
hxxp://alphatown.us
hxxp://anmira.info
hxxp://anonymbrowser.com
hxxp://antivirussecuritypro.com
hxxp://aptprog.com
hxxp://art-earn.biz
hxxp://astalaprofit.com
hxxp://antiamenazas.com
hxxp://antiespiamaestro.com
hxxp://antievidence.com
hxxp://antispionimaestro.com
hxxp://antispywareconductor.com
hxxp://antispywarecontrol.com
hxxp://antispywaremaster.com
hxxp://antispywaremeister.com
hxxp://antivirusfiable.com
hxxp://antivirusforall.com
hxxp://antivirusforalla.com
hxxp://antivirusforalle.com
hxxp://antivirusfueralle.com
hxxp://antivirusgenial.com
hxxp://antivirusmagique.com
hxxp://antivirusparatodos.com
hxxp://anzentsuru.com
hxxp://apagahistorico.com
hxxp://apolloantivirus.com
hxxp://antivirussecuritypro.com
hxxp://astalaprofit.com
hxxp://b2adz.com
hxxp://bestadmedia.com
hxxp://bestpharmacydeals.com
hxxp://archivosenestado.com
hxxp://atemaiserro.com
hxxp://atrapavirus.com
hxxp://aucunchoixpourvirus.com
hxxp://aucunefaute.com
hxxp://aucuninfection.com
hxxp://aucunmenace.com
hxxp://aucunserreurs.com
hxxp://avcompleto.com
hxxp://autodealer-search.com
hxxp://b2adz.com
hxxp://bazaard.com
hxxp://belkran.com
hxxp://belshar.com
hxxp://bestadmedia.com
hxxp://avsecurityplus.com
hxxp://avseguro.com
hxxp://bandoaivirus.com
hxxp://bandoalleinfezioni.com
hxxp://barreraintegral.com
hxxp://bastioneantivirus.com
hxxp://beskyttelseonline.com
hxxp://beskyttendevaerktoj.com
hxxp://bestsellerantivirus.com
hxxp://best-biznes.info
hxxp://best-cools.info
hxxp://bestdatafinder.com
hxxp://besteversearch.com
hxxp://bestpharmacydeals.com
hxxp://best-screensavers.biz
hxxp://bestsearchnet.com
hxxp://bestshopz.com
hxxp://bestsearchnet.com
hxxp://bestshopz.com
hxxp://bestwnvmovies.com
hxxp://bizadverts.com
hxxp://bizmarketads.com
hxxp://bestwm.info
hxxp://bestwnvmovies.com
hxxp://bezzz.info
hxxp://bi-bi-search.com
hxxp://bizadverts.com
hxxp://bizmarketads.com
hxxp://blessedads.com
hxxp://bm-redy.com
hxxp://bovavi.com
hxxp://brandmarketads.com
hxxp://blanchdisc.com
hxxp://borresuspasos.com
hxxp://bossedeserreurs.com
hxxp://brossedesfautes.com
hxxp://bugseraser.com
hxxp://blessedads.com
hxxp://brandmarketads.com
hxxp://bucksinsoft.com
hxxp://burnads.com
hxxp://cancerno.com
hxxp://bucksinsoft.com
hxxp://burnads.com
hxxp://cancerno.com
hxxp://candid-search.com
hxxp://carpropane.com
hxxp://caiforavirus.com
hxxp://ceroamenazas.com
hxxp://cerovirus.com
hxxp://chasseurdeserreures.com
hxxp://cleanerpotente.com
hxxp://cashloanprofit.com
hxxp://casinoaceking.com
hxxp://casinodealsgalore.com
hxxp://cheap-auto-deals.com
hxxp://cashloanprofit.com
hxxp://casinoaceking.com
hxxp://casinoby.com
hxxp://casinodealsgalore.com
hxxp://cleanpctool.com
hxxp://cleanuptool.com
hxxp://confidentsurf.com
hxxp://confidentuser.com
hxxp://contenidoseguros.com
hxxp://clubheat.info
hxxp://come-from-stars.com
hxxp://co-search.com
hxxp://creamme.net
hxxp://cryptdrive.com
hxxp://contenteraser.com
hxxp://controledemenaces.com
hxxp://controlloreprivacy.com
hxxp://curerrores.com
hxxp://cyndyk.info
hxxp://deuscleanerpay.com
hxxp://didosearch.com
hxxp://diphelp.biz
hxxp://dmitry-v.info
hxxp://doma2000.com
hxxp://dataconfidentiality.com
hxxp://defensaantivirus.com
hxxp://defensecelebre.com
hxxp://defensededriver.com
hxxp://defensedinformation.com
hxxp://defensedudisque.com
hxxp://defensenetsurfage.com
hxxp://defensivesystem.com
hxxp://dejitarufukugen.com
hxxp://dejitarukyoikira.com
hxxp://dejitaruwakuchin.com
hxxp://detapurotekuta.com
hxxp://detaripea.com
hxxp://detectaerrores.com
hxxp://discoseguro.com
hxxp://diskassistent.com
hxxp://diskretter.com
hxxp://disksaeuberung.com
hxxp://disksizesaver.com
hxxp://disksparare.com
hxxp://disukushuri.com
hxxp://doubledefender.com
hxxp://driversecurise.com
hxxp://einwandfreierpc.com
hxxp://eliminadordeamenazas.com
hxxp://elmejorantivirus.com
hxxp://durtsev.com
hxxp://easybestdeals.com
hxxp://energostroj.com
hxxp://enothost.com
hxxp://eroticabsolute.com
hxxp://emperahogo.com
hxxp://enmiendaerrores.com
hxxp://equipoantiespia.com
hxxp://eracheisa.com
hxxp://erasutoppu.com
hxxp://erreurchasseur.com
hxxp://errorfighter.com
hxxp://essentialeraser.com
hxxp://expertdantispyware.com
hxxp://errordigger.com
hxxp://errorinspector.com
hxxp://evrogame.info
hxxp://fandasearch.com
hxxp://fantazybill.com
hxxp://exterminadordevirus.com
hxxp://extremuclean.com
hxxp://fairukyua.com
hxxp://feilvakt.com
hxxp://fejlfripc.com
hxxp://fantazybill.com
hxxp://favouriteshop.com
hxxp://fileprotector.com
hxxp://forceup.com
hxxp://freepcsecure.com
hxxp://fastwm.info
hxxp://fastzetup.info
hxxp://fati-gati-search.com
hxxp://favourable-search.com
hxxp://favouriteshop.com
hxxp://feel-search.com
hxxp://f-host.net
hxxp://fifaallchamp.com
hxxp://fight-arts.com
hxxp://fejlreparering.com
hxxp://felfixare.com
hxxp://ferramentadesolucao.com
hxxp://ferramentasegura.com
hxxp://festplattencleaner.com
hxxp://festplattentool.com
hxxp://fiksdinpc.com
hxxp://filtredetraces.com
hxxp://filtrototal.com
hxxp://fileprotector.com
hxxp://findbyall.com
hxxp://firstbestsearch.com
hxxp://firstlastsearch.com
hxxp://first-ts.com
hxxp://fixthemnow.com
hxxp://fjernervirus.com
hxxp://foutenwacht.com
hxxp://geheugenredder.com
hxxp://foamplastic.net
hxxp://fokus-search.com
hxxp://force-search.com
hxxp://forceup.com
hxxp://forex-instruments.info
hxxp://forceup.com
hxxp://forvatormail.com
hxxp://freepcsecure.com
hxxp://freerepair.org
hxxp://freetvnow.net
hxxp://friedads.com
hxxp://freetvnow.net
hxxp://friedads.com
hxxp://getfreecar.com
hxxp://glorymarkets.com
hxxp://great4mac.com
hxxp://greyhathosting.com
hxxp://fulsearch.com
hxxp://getfreecar.com
hxxp://gibdd.us
hxxp://glass-search.com
hxxp://glorymarkets.com
hxxp://gosthost.net
hxxp://great4mac.com
hxxp://greyhathosting.com
hxxp://gt-search.com
hxxp://hackerpro.us
hxxp://hardlinecenter.com
hxxp://guardiandelaprivacidad.com
hxxp://guardianodelpc.com
hxxp://gubbishremover.com
hxxp://hackerstaisaku.com
hxxp://hadodoraibugado.com
hxxp://harddriveguard.com
hxxp://herramientasegura.com
hxxp://historialout.com
hxxp://hebooks-service.com
hxxp://iddqdmarketing.com
hxxp://infyte.com
hxxp://installprovider.com
hxxp://hebooks-service.com
hxxp://hintway-international.com
hxxp://homeofsite.com
hxxp://hromeos.com
hxxp://hyip2all.org
hxxp://hotbevakning.com
hxxp://ingavirus.com
hxxp://ingenmulighetforvirus.com
hxxp://inhaltsaeuberung.com
hxxp://icq-lot.org
hxxp://iddqdmarketing.com
hxxp://ideal-search.com
hxxp://idea-rem.com
hxxp://i-forexbank.biz
hxxp://infyte.com
hxxp://inhaltspeicher.com
hxxp://inmunepc.com
hxxp://kakujitsutsuru.com
hxxp://keinespurenlassen.com
hxxp://keineviren.com
hxxp://initial-search.com
hxxp://insochi2014.com
hxxp://installprovider.com
hxxp://internetadaultfriend.com
hxxp://internetadaultfriend.com
hxxp://internetanonymizer.com
hxxp://intervarioclick.com
hxxp://invulnerableads.com
hxxp://internetanonymizer.com
hxxp://internetsupernanny.com
hxxp://intervarioclick.com
hxxp://investmentsgroup.org
hxxp://invulnerableads.com
hxxp://it-translation.biz
hxxp://izol-tech.com
hxxp://kamerton-tests.com
hxxp://kazilkasearch.com
hxxp://keytooday.com
hxxp://keywordcpv.com
hxxp://kiridi.net
hxxp://kpoba.net
hxxp://kurgan45.info
hxxp://keywordcpv.com
hxxp://libresystm.com
hxxp://luckyadcoin.com
hxxp://luckyadsols.com
hxxp://magicsearcher.com
hxxp://knowhowprotection.com
hxxp://konsekiauto.com
hxxp://kontentsufiruta.com
hxxp://kurinkonseki.com
hxxp://kyoiireza.com
hxxp://kyoikanshi.com
hxxp://kyoryokucleaner.com
hxxp://largavidapc.com
hxxp://laufwerkcleaner.com
hxxp://limpiapc.com
hxxp://ladadc.com
hxxp://lanastyle.com
hxxp://ldizain.info
hxxp://libresystm.com
hxxp://liders.biz
hxxp://linii.net
hxxp://prevedmarketing
hxxp://malware-scan.com
hxxp://limpietodo.com
hxxp://lomejorenantivirus.com
hxxp://longlifepc.com
hxxp://lungavitapc.com
hxxp://maechtigerreiniger.com
hxxp://liveclix.net
hxxp://loffersearch.com
hxxp://londasearch.com
hxxp://lovecraft-forum.net
hxxp://loveopen.info
hxxp://lseom.biz
hxxp://luckyadcoin.com
hxxp://luckyadsols.com
hxxp://mad-search.com
hxxp://magicsearcher.com
hxxp://mailcap.info
hxxp://manage-search.com
hxxp://marketingdungeon.com
hxxp://mass-send.com
hxxp://max-expo.net
hxxp://malwareschutz.com
hxxp://manutencaopc.com
hxxp://memorisebu.com
hxxp://menacecontrole.com
hxxp://menacefighter.com
hxxp://maxyanoff.com
hxxp://mediatornado.com
hxxp://mega-project.biz
hxxp://megashopcity.com
hxxp://mightyfaq.com
hxxp://menacemonitor.com
hxxp://menacescrubber.com
hxxp://menacesprotection.com
hxxp://miavcompleto.com
hxxp://mightycleaner.com
hxxp://minnesparere.com
hxxp://monitordeamenazas.com
hxxp://moteurpcpro.com
hxxp://moneypalacecash.com
hxxp://mounthost.net
hxxp://myfavouritesearch.com
hxxp://myhealth-life.org
hxxp://mycontentassistant.com
hxxp://netsurfageassure.com
hxxp://nettoyeurdepc.com
hxxp://nettoyeurdeserreures.com
hxxp://myfavouritesearch.com
hxxp://myhealth-life.org
hxxp://myonlinefinance.com
hxxp://mysurvey4u.com
hxxp://myonlinefinance.com
hxxp://mysurvey4u.com
hxxp://mythmarketing.com
hxxp://mytravelgeek.com
hxxp://mythmarketing.com
hxxp://mytravelgeek.com
hxxp://netmediagroup.net
hxxp://netturbopro.com
hxxp://onestopshopz.com
hxxp://myusefulsearch.com
hxxp://napol.net
hxxp://navygante.com
hxxp://netmediagroup.net
hxxp://netturbopro.com
hxxp://netmediagroup.net
hxxp://nettoyeurdevirus.com
hxxp://nettoyeurpuissant.com
hxxp://neuerantivirus.com
hxxp://neuerschild.com
hxxp://newbieadguide.com
hxxp://nryb.com
hxxp://of-by.info
hxxp://olgalml.com
hxxp://ol-search.com
hxxp://onedaysoft.com
hxxp://nientetracce.com
hxxp://nouvelantivirus.com
hxxp://nurdeinpc.com
hxxp://ohnespurensurfen.com
hxxp://omelhorantivirus.com
hxxp://onlinehelpmate.com
hxxp://onlineverktyg.com
hxxp://onrainpurotekuta.com
hxxp://onestopshopz.com
hxxp://onwey.com
hxxp://opensols.com
hxxp://original-search.com
hxxp://osetua.com
hxxp://osminog.org
hxxp://opensols.com
hxxp://pcsoftw.com
hxxp://pcsupercharger.com
hxxp://popadprovider.com
hxxp://popsmedia.com
hxxp://ordureffaceur.com
hxxp://oruripea.com
hxxp://pasderreurs.com
hxxp://pasdesfautes.com
hxxp://pasdesmenaces.com
hxxp://parischat.org
hxxp://passwordinspector.com
hxxp://pcsoftw.com
hxxp://pcsupercharger.com
hxxp://pasendommagement.com
hxxp://pasplusdespertes.com
hxxp://pasplusdevirus.com
hxxp://pcantiviruspro.com
hxxp://pcassertor.com
hxxp://pcbewaker.com
hxxp://pcboosterpro.com
hxxp://pcbunan.com
hxxp://pceternel.com
hxxp://pcforfender.com
hxxp://pchealthkeeper.com
hxxp://pchjaelper.com
hxxp://pcinforedder.com
hxxp://pclibredevirus.com
hxxp://pcohnespuren.com
hxxp://pcredskab.com
hxxp://pcsansbug.com
hxxp://pcsecuresystem.com
hxxp://pcsecurise.com
hxxp://pcsentineru.com
hxxp://pcsiemprenueva.com
hxxp://pctoolpro.com
hxxp://pcultralimpia.com
hxxp://pcveiligheidstool.com
hxxp://pcvirussweeper.com
hxxp://perfektantivirus.com
hxxp://personalityprotector.com
hxxp://poseidonantivirus.com
hxxp://poupememoria.com
hxxp://performanceoptimizer.com
hxxp://piramidki.com
hxxp://podelkin.info
hxxp://popadprovider.com
hxxp://popsmedia.com
hxxp://popupnukerpro.com
hxxp://prenetsearch.com
hxxp://prevedmarketing.com
hxxp://prizesforyou.com
hxxp://r2d2adverising.com
hxxp://popupnukerpro.com
hxxp://postcity.info,
hxxp://prenetsearch.com,
hxxp://prevedmarketing.com,
hxxp://prizesforyou.com,
hxxp://preservingtool.com
hxxp://privacidadconductor.com
hxxp://privacidadgarantizada.com
hxxp://privacidadyseguridad.com
hxxp://privacyredder.com
hxxp://privacywaker.com
hxxp://privacywarrior.com
hxxp://privatsicherer.com
hxxp://protecaoconfiavel.com
hxxp://proteccionasegurada.com
hxxp://proteccioncompleta.com
hxxp://pro-dom.info
hxxp://propotolok.info
hxxp://pro-svet.info
hxxp://r2d2adverising.com
hxxp://radiosfera.net
hxxp://proteccionimperial.com
hxxp://protecteurdinfo.com
hxxp://protectionassuree.com
hxxp://protectionconue.com
hxxp://protectiondedriver.com
hxxp://protectiondenetsurfage.com
hxxp://proteggidati.com
hxxp://protezioneesperta.com
hxxp://protezionefidata.com
hxxp://pulituraestrema.com
hxxp://puraibashihosho.com
hxxp://puraibashimaneja.com
hxxp://puraibashitoshinrai.com
hxxp://rendimientototal.com
hxxp://rensanu.com
hxxp://reparaerrores.com
hxxp://reparateurdesysteme.com
hxxp://repareja.com
hxxp://reparemenaces.com
hxxp://repareya.com
hxxp://rimuoviciarpame.com
hxxp://riparaminacce.com
hxxp://riparasubito.com
hxxp://riservatezzanet.com
hxxp://safeharddrive.com
hxxp://safepctool.com
hxxp://rocktheads.com
hxxp://roller-search.com
hxxp://rombic-search.com
hxxp://searchcolours.com
hxxp://sellmoresoft.com
hxxp://rocktheads.com
hxxp://roller-search.com
hxxp://rombic-search.com
hxxp://rus-invest.net
hxxp://rusnets.info
hxxp://russia-post.com
hxxp://sajruen.info
hxxp://samson-pro.com
hxxp://sauni.net
hxxp://se7ensearch.com
hxxp://safudaijoubu.com
hxxp://salvaspaziosudisco.com
hxxp://sansendommagement.com
hxxp://sansinfections.com
hxxp://sayonarabaggu.com
hxxp://schijfbewaker.com
hxxp://schijfcontroleur.com
hxxp://schijfredder.com
hxxp://schijfruimteredder.com
hxxp://schutzderdaten.com
hxxp://schutzfuerpc.com
hxxp://secretissimosoft.com
hxxp://secretopertutti.com
hxxp://secretosasalvo.com
hxxp://secretoseguro.com
hxxp://securepccleaner.com
hxxp://sefunahimitsu.com
hxxp://sekretessforsvarare.com
hxxp://senzadoppioni.com
hxxp://shingaidome.com
hxxp://shinraihogo.com
hxxp://selvascreensaver.com
hxxp://sharpadverts.com
hxxp://shivanetworking.com
hxxp://shopshot.com
hxxp://softwcs.com
hxxp://shinraipafomansu.com
hxxp://shisutemudifensu.com
hxxp://sichererantivirus.com
hxxp://sichererschutz.com
hxxp://sicherheitstool.com
hxxp://sikkerbrukere.com
hxxp://sikkerpcredskap.com
hxxp://sikkersystem.com
hxxp://sinataques.com
hxxp://sinrrastros.com
hxxp://sinsenales.com
hxxp://sistemaprotegido.com
hxxp://sistemupyua.com
hxxp://sisutemuantei.com
hxxp://sisutemuorugurin.com
hxxp://skyddsprogram.com
hxxp://smittfri.com
hxxp://solelunaantivirus.com
hxxp://speichertool.com
hxxp://spyguardpro.com
hxxp://spywaretaisakumaster.com
hxxp://stopbedreiging.com
hxxp://stopminacce.com
hxxp://spywareisolator
hxxp://storageprotector.com
hxxp://succesantivirus.com
hxxp://superanonimo.com
hxxp://surfforsure.com
hxxp://surfremover.com
hxxp://stratosearch.com
hxxp://swiftcleaner.com
hxxp://tallgrass-seach.com
hxxp://traffalo.com
hxxp://traveltray.com
hxxp://sutoppuwirusu.com
hxxp://syssauvegarde.com
hxxp://systemerrorfixer.com
hxxp://systemesansfaute.com
hxxp://systemesansvirus.com
hxxp://systemhoover.com
hxxp://systemschild.com
hxxp://tackanejvirus.com
hxxp://tilforlatelig.com
hxxp://toolsicuro.com
hxxp://topsalgantivirus.com
hxxp://trasheraser.com
hxxp://trusselovervagning.com
hxxp://trustedantivirus.com
hxxp://trustedprotection.com
hxxp://tryggpcverktyg.com
hxxp://trygpcbruger.com
hxxp://turnkeyantivirus.com
hxxp://unidadessanas.com
hxxp://usuarioprotegido.com
hxxp://utiledereparation.com
hxxp://vitecmedia.com
hxxp://waytotheprofit.com
hxxp://windefender.com
hxxp://wontu-search.com
hxxp://utilisateursur.com
hxxp://vaktmotvirus.com
hxxp://veiligheidsagent.com
hxxp://virenvernichter.com
hxxp://virusbekaemper.com
hxxp://viruskrakker.com
hxxp://virussperr.com
hxxp://virusurimuva.com
hxxp://virusvanger.com
hxxp://virusvijand.com
hxxp://volumformatredskap.com
hxxp://wirusufinisshu.com
hxxp://wirusuk.com
hxxp://wirusukyua.com
hxxp://aboutstat.net
hxxp://freeorangestats.com
hxxp://newstat.net
hxxp://aboutstat.net
hxxp://freeorangestats.com
hxxp://getmosales.com
hxxp://newstat.net
hxxp://sexprofit.com
hxxp://ad2cash.net
hxxp://admiragroup.com
hxxp://antispyexpert.com
hxxp://antispyexpertpro.com
hxxp://getmosales.com
hxxp://malwarecrash.com
hxxp://adtraff.com
hxxp://bucksbill.com
hxxp://burnads.com
hxxp://forceup.com
hxxp://freetvnow.com
hxxp://getfreecar.com
hxxp://adtraff.com
hxxp://adzyclon.com
hxxp://checkm8.com
hxxp://adtraff.com
hxxp://blessedads.com
hxxp://prevedmarketing.com
hxxp://checkm8.com
hxxp://newbieadguide.com
hxxp://blessedads.com
hxxp://prevedmarketing.com
hxxp://malwarecrashpro.com
hxxp://bestadmedia.com
hxxp://bestsearchnet.com
hxxp://blessedads.com
hxxp://bucksbill.com
hxxp://burnads.com
hxxp://burnads.com
hxxp://casinoaceking.com
hxxp://cryptdrive.com
hxxp://newbieadguide.com
hxxp://blessedads.com
hxxp://prevedmarketing.com
hxxp://fileprotector.com
hxxp://forceup.com
hxxp://forceup.com
hxxp://freetvnow.net
hxxp://fulsearch.com
hxxp://games.biz
hxxp://Imamis.net
hxxp://Individ-search.com
hxxp://Information-advertising.info
hxxp://Infyte.com
hxxp://getfreecar.com
hxxp://greyhathosting.com
hxxp://netmediagroup.net
hxxp://netturbopro.com
hxxp://newbieadguide.com
hxxp://getfreecar.com
hxxp://greyhathosting.com
hxxp://netmediagroup.net
hxxp://netturbopro.com
hxxp://newbieadguide.com
hxxp://greyhathosting.com
hxxp://installprovider.com
hxxp://libresystm.com
hxxp://loffersearch.com
hxxp://magicsearcher.com
hxxp://malware-scan.com
hxxp://manage-search.com
hxxp://megashopcity.com
hxxp://mightyfaq.com
hxxp://misc-search.com
hxxp://moneycometrue.com
hxxp://moneypalacecash.com
hxxp://myhealth-life.org
hxxp://myonlinefinance.com
hxxp://mysurvey4u.com
hxxp://netmediagroup.net
hxxp://netturbopro.com
hxxp://newbieadguide.com
hxxp://newstat.net
hxxp://newbieadguide.com
hxxp://blessedads.com
hxxp://prevedmarketing.com
hxxp://pcsupercharger.com
hxxp://performanceoptimizer.com
hxxp://popupnukerpro.com
hxxp://prizesforyou.com
hxxp://traffalo.com
hxxp://uniqads.com
hxxp://popadprovider.com
hxxp://popsmedia.com
hxxp://popupnukerpro.com
hxxp://prevedmarketing.com
hxxp://prevedmarketing.com
hxxp://prizesforyou.com
hxxp://proximogroup.com
hxxp://adtraff.com
hxxp://bucksbill.com
hxxp://burnads.com
hxxp://forceup.com
hxxp://freetvnow.com
hxxp://proximogroup.com
hxxp://rocktheads.com
hxxp://roller-search.com
hxxp://rombic-search.com
hxxp://se7ensearch.com
hxxp://search-expand.com
hxxp://search-the-prey.com
hxxp://Cryptdrive.com
hxxp://Deuscleanerpay.com
hxxp://Easybestdeals.com
hxxp://Eroticabsolute.com
hxxp://Marketingdungeon.com
hxxp://Mediatornado.com
hxxp://Megashopcity.com
hxxp://Mightyfaq.com
hxxp://Mobilesoftmarketing.com
hxxp://Moneycometrue.com
hxxp://Moneypalacecash.com
hxxp://Cheap-auto-deals.com
hxxp://Checkstocklist.com
hxxp://Chushok.com
hxxp://Clever-at-search.com
hxxp://Mobilesoftmarketing.com
hxxp://Mobiletops.com
hxxp://Mobilorg.org
hxxp://Moneycometrue.com
hxxp://searchcolours.com
hxxp://searchmandrake.com
hxxp://searchonline-ease.com
hxxp://searchoperation.com
hxxp://searchvirtuoso.com
hxxp://sellmoresoft.net
hxxp://sellmysoft.net
hxxp://malware-scan.com
hxxp://sharpadverts.com
hxxp://shivanetworking.com
hxxp://shivanetworking.com,
hxxp://deuscleaneronline.com
hxxp://shivanetworking.com
hxxp://simplesamplesearch.com
hxxp://soccernet
hxxp://burnads.com,
hxxp://adtech.de
hxxp://blessedads.com,
hxxp://performanceoptimizer.com
hxxp://softwareprofit.com
hxxp://softwcs.com
hxxp://stratosearch.com
hxxp://tallgrass-seach.com
hxxp://theringtonesource.com
hxxp://traffalo.com
hxxp://traveltray.com
hxxp://treekindsearch.com
hxxp://unicsearch.com
hxxp://uniqads.com
hxxp://upg-soft.net
hxxp://vitecmedia.com
hxxp://wewillfind.com
hxxp://win.com
hxxp://windefender.com
hxxp://workhomecentre.com
hxxp://zappinads.com
hxxp://windefender.com
hxxp://wontu-search.com
hxxp://workhomecenter.com
hxxp://yourseeker.com
hxxp://yourshopz.com
hxxp://yourteacheronline.com
hxxp://zappinads.com
hxxp://zooworld-search.com

Related domains known to have participated in the campaign:
hxxp://adtraff.com – 190.15.73.254
hxxp://forceup.com – 190.15.73.254
hxxp://burnads.com – 190.15.73.254
hxxp://blessedads.com – 190.15.73.254
hxxp://prevedmarketing.com – 190.15.73.254
hxxp://r2d2adverising.com – 190.15.73.254
hxxp://shivanetworking.com – 190.15.73.254

We'll post updates as soon as new developments take place.

Continue Reading | comments

Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis

Monday, July 29, 2019

Continuing the "FBI Most Wanted Cybercriminals" series I've decided to take a closer look at the "Jabber ZeuS" including Evgeniy Mikhaylovich Bogachev for the purpose of providing actionable intelligence on the fraudulent and malicious infrastructure that was utilized in the campaign including personally identifiable information of the individuals behind it with the idea to assist law enforcement and the U.S Intelligence community with the necessary data to track down and prosecute the individuals behind the campaign.

In this post I'll provide actionable intelligence on the infrastructure used by the "Jabber ZeuS" gang including personally identifiable information for Evgeniy Mikhaylovich Bogachev and some of his known associates.

Sample Personal Photos of Evgeniy Mikhaylovich Bogachev:

Slavik's IM and personal email including responding IP:
bashorg@talking.cc - 112.175.50.220

Personal Address:
Lermontova Str. Anapa, Russian Federation

Instant Messaging account:
lucky12345@jabber.cz

Related name servers:
ns.humboldtec.cz - 88.86.102.49
ns2.humboldtec.cz - 188.165.248.173

Related domains part of a C&C phone-back location:
hxxp://slaviki-res1.com
hxxp://slavik1.com - 91.213.72.115
hxxp://slavik2.com
hxxp://slavik3.com

Slavik's primary email:
luckycats2008@yahoo.com

Slavik's ICQ numbers:
ICQ - 42729771
ICQ - 312456

Related emails known to have participated in the campaign:
alexgarbar-chuck@yahoo.com
bollinger.evgeniy@yandex.ru
charajiang16@gmail.com

Related domains known to have participated in the campaign:
hxxp://visitcoastweekend.com - 103.224.182.253; 70.32.1.32; 192.184.12.62; 141.8.224.93; 69.43.160.163
hxxp://incomeet.com - 192.186.226.71; 66.199.248.195
hxxp://work.businessclub.so

Related information on his colleague (chingiz) as seen in the attached screenshot:

Real Name: Galdziev Chingiz

Related domains known to have participated in the campaign:
hxxp://fizot.org
hxxp://fizot.com - 50.63.202.35; 184.168.221.33
hxxp://poymi.ru - 109.206.190.54

Related name servers known to have participated in the campaign:
ns1.fizot.com - 35.186.238.101
ns2.fizot.com

Related domain including an associated email using the same name server:
hxxp://averfame.org - harold@avereanoia.org

Google Analytics ID: UA-3816538

Related domains known to have participated in the campaign:
hxxp://awmproxy.com
hxxp://pornxplayer.com

Related emails known to have participated in the campaign:
fizot@mail.ru
xtexgroup@gmail.com
xtexcounter@bk.ru

Related domains known to have responded to the same malicious and fraudulent IP - 178.162.188.28:
hxxp://dnevnik.cc
hxxp://xvpn.ru
hxxp://xsave.ru
hxxp://anyget.ru
hxxp://nezayti.ru
hxxp://proproxy.ru
hxxp://hitmovies.ru
hxxp://appfriends.ru
hxxp://naraboteya.ru
hxxp://naraboteya.ru
hxxp://awmproxy.com
hxxp://zzyoutube.com
hxxp://pornxplayer.com
hxxp://awmproxy.net
hxxp://checkerproxy.net

Related domains known to have participated in the campaign:
hxxp://fizot.livejournal.com/
hxxp://russiaru.net/fizot/

Instant Messaging Account:
ICQ - 795781

Related personally identifiable information of Galdziev Chingiz:
hxxp://phpnow.ru
ICQ - 434929
Email: info@phpnow.ru

Related domains known to have participated in the campaign:
hxxp://filmv.net
hxxp://finance-customer.com
hxxp://firelinesecrets.com
hxxp://fllmphpxpwqeyhj.net
hxxp://flsunstate333.com

Related individuals known to have participated in the campaign:
Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits

Related Instant Messaging accounts and emails known to have participated in the campaign:
iceix@secure-jabber.biz
shwark.power.andrew@gmail.com
johnlecun@gmail.com
gribodemon@pochta.ru,
glazgo-update-notifier@gajim.org
gribo-demon@jabber.ru
aqua@incomeet.com
miami@jabbluisa.com
um@jabbim.com
hof@headcounter.org
theklutch@gmail.com
niko@grad.com
Johnny@guru.bearin.donetsk.au
petr0vich@incomeet.com
mricq@incomeet.com
T4ank@ua.fm
tank@incomeet.com
getreadysafebox.ru
john.mikleymaiI.com
aIexeysafinyahoo.corn
rnoscow.berlin@yahoo.com
cruelintention@email.ru,
bind@ernail.ru
firstmen17@rarnbler.ru
benny@jabber.cz
airlord1988@gmail.com
bxl@hotmail.com
i_amhere@hotmail.fr
daniel.h.b@universityofsutton.com
princedelune@hotmail.fr
bxl_@msn.com
danibxl@hotmail.fr
danieldelcore@hotmail.com.
d.frank@jabber.jp
d.frank@0nl1ne.at
duo@jabber.cn
fering99@yahoo.com
secustar@mail.ru
h4x0rdz@hotmail.com
Donsft@hotmail.com
mary.j555@hotmail.com
susanneon@googlemail.com
kainehabe@hotmail.com
virus_e_2003@hotmail.com
spanishp@hotmail.com
sere.bro@hotmail.com
lostbuffer@hotmail.com
lostbuffer@gmail.com
vlad.dimitrov@hotmail.com
jheto2002@gmail.com
sector.exploits@gmail.com

We'll post new updates as soon as new developments take place.

Related posts:
Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis
Who's Behind the Syrian Electronic Army? - An OSINT Analysis

Continue Reading | comments