We've recently intercepted, a malicious campaign, utilizing, Google Docs, for, the purpose, of spreading, malicious software, potentially, exposing, the confidentiality, integrity, and availability, of the, targeted hosts.
In this, post, we'll profile, the malicious campaign, expose, the malicious, infrastructure, behind, it, provide, MD5s, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.
Sample malicious URL:
hxxp://younglean.cba.pl/lean/ - 95.211.80.4
Sample malicious URL hosting locations:
hxxp://ecku.cba.pl/js/bin.exe
hxxp://mondeodoslubu.cba.pl/js/bin.exe
hxxp://piotrkochanski.cba.pl/js/bin.exe
hxxp://szczuczynsp.cba.pl/122/091.exe
Known to have responded to the same malicious (95.211.80.4) are also the following malicious domains:
hxxp://barbedosgroup.cba.pl
hxxp://brutalforce.pl
hxxp://christophar-hacker.pl
hxxp://moto-przestrzen.pl
hxxp://eturva.y0.pl
hxxp://lingirlie.com
hxxp://ogladajmecz.com.pl
hxxp://oriflamekonkurs2l16.c0.pl
hxxp://umeblowani.cba.pl
hxxp://webadminvalidation.cba.pl
hxxp://adamr.pl
hxxp://alea.cba.pl
hxxp://artbymachonis.cba.pl
hxxp://beqwqgdu.cba.pl
hxxp://bleachonline.pl
hxxp://facebook-profile-natalia9320.j.pl
hxxp://fllrev1978.cba.pl
hxxp://gotowesms.pl
hxxp://kbvdfuh.cba.pl
hxxp://maplka1977.c0.pl
hxxp://nagrobkiartek.pl
hxxp://nyzusbojpxnl.cba.pl
hxxp://okilh1973.cba.pl
hxxp://pucusej.cba.pl
hxxp://sajtom.pl
hxxp://tarnowiec.net.pl
hxxp://techtell.pl
hxxp://testujemypl.cba.pl
hxxp://lawendowawyspa.cba.pl
hxxp://younglean.cba.pl
hxxp://delegaturaszczecin.cba.pl
hxxp://metzmoerex.cba.pl
hxxp://kmpk.c0.pl
hxxp://500plus.c0.pl
hxxp://erxhxrrb1981.cba.pl
hxxp://exztwsl.cba.pl
hxxp://fafrvfa.cba.pl
hxxp://fastandfurios.cba.pl
hxxp://filmonline.cba.pl
hxxp://fragcraft.pl
hxxp://fryzjer.cba.pl
hxxp://hgedkom1973.cba.pl
hxxp://luyfiv1972.cba.pl
hxxp://oliviasekulska.com
hxxp://opziwr-zamosc.pl
hxxp://ostro.ga
hxxp://rodzina500plus.c0.pl
hxxp://roknasilowni.tk
hxxp://vfqqgr1971.cba.pl
Sample malicious MD5s known to have phoned back to the same malicious IP (95.211.80.4):
MD5: 495f05d7ebca1022da2cdd1700aeac39
MD5: 68abd8a3a8c18c59f638e50ab0c386a4
MD5: 65b4bdba2d3b3e92b8b96d7d9ba7f88e
MD5: 64b5c6b20e2d758a008812df99a5958e
MD5: a0869b751e4a0bf27685f2f8677f9c62
Once executed the sample phones back to the following C&C servers:
hxxp://smartoptionsinc.com - 216.70.228.110
hxxp://ppc.cba.pl - 95.211.80.4
hxxp://apps.identrust.com - 192.35.177.64
hxxp://cargol.cat - 217.149.7.213
hxxp://bikeceuta.com - 91.142.215.77
This post has been reproduced from Dancho Danchev's blog.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Tuesday, April 26, 2016
Malware Campaign Using Google Docs Intercepted, Thousands of Users Affected
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com