Monday, May 30, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently, intercepted, a currently, circulating, malicious, campaign, exposing, users, to, a variety, of, malicious, software, exposing, the, confidentiality, integrity, and availability, of, their devices.

In this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind, it, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: bd4ed8b3b5d37f34fb63ce2798c585e9
MD5: 1c2c8894ab12a38b7420c7e04ed690f3

MD5: 7e3410e3b74866b02f8c8d6a3220aa23
MD5: 427ec5aef2a0ca2b2c8edbf24f1aeb8f
MD5: 770c77bfa64dc89638d5ac07ca6d1246
MD5: 3670576f507327fc4cbec45d0b3b6d2e

MD5: 5a3d1953631d1e78af6390c88a4ea434
MD5: 7322362d952eb63c07b9585107604a90

MD5: d9f63a6944648646343be1b7fbebe734
MD5: 611a6489bb7c9357765b8dd00f00d953
MD5: c81a88af87dfd05f5f757eea56d83fb8
MD5: 381a9b123d2b43ae8ff617d708bcfce8
MD5: a3bbf048865c48d2b2d5c8973d8a95d3
MD5: 66f31f76a5633e8a16ffe763093b546b

MD5: ac74bdca918dc6416cfa4e710d238f43
MD5: b169837db80e53c4564b62c0a4b9eba3
MD5: b334c20de944bb15cc8ac6aa59215e73
MD5: 677aa8cba92cdda2ec80b61fb7052813
MD5: 7b366d1273c65d0be63b7d68b268d3b8

Once executed, sample, malware, phones, back, to, the, following, C&C server:
hxxp://sklasse-b.in.ua/777/gate.php - 217.12.201.60

Known to have phoned back to the same C&C server IP (217.12.201.60) are also the following malicious MD5s:
MD5: e070535dd1ca923d1b12a71307b2639a
MD5: 3092a0a15dceb494a62eb00ea1c51283
MD5: 90123fd7978d42c2cd0a1fdc62651eb6
MD5: 553bed2a3cab5f1ec98bbec6dc151dd3
MD5: 947efe328858d816a77ef6b103097097

Once executed, sample, malware, phones, back, to, the, following, C&C server:
hxxp://apimobiapps.com/api/app.php - 54.72.9.115; 37.1.210.139

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 7e6429d92bf457f5580457260c92d615
MD5: f89ee0bd2fa97380ceedbfe5bf3d5c93

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 886d621a5abeea5609ae813b50ea35a5
MD5: 576da1ff48ae7d4ce092698c20bb9c2c
MD5: 1c93b5c33585ab60c61c698713a6446d
MD5: 6afea2ece23b57fe3d3076ca799c18fe
MD5: 9a43a4bee370f7ae3759a5633b0ee40a

Once executed a sample malware phones back to the following C&C server:
hxxp://dh005.com - 54.72.9.115; 172.99.89.215
hxxp://parkingcrew.net - 185.53.179.29
hxxp://quickdomainfwd.com - 208.91.196.46

We'll continue, monitoring, the campaign, and, post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently intercepted a currently circulating, malicious, campaign, affecting, hundreds, of Google Play users, potentially, exposing, the confidentiality, integrity, and availability, of their devices, to, a variety, of malicious, software.

In this, post, we'll, profile, the campaign, provide, malicious MD5s, expose, the infrastructure, behind, it, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: 3f57dfe0ca2440bf03fda3e3b1295edc

Once executed the sample phones back to the following C&C server:
hxxp://37.1.207.31/api/?id=5

Related malicious MD5s known to have been downloaded from the same C&C server (37.1.207.31):
MD5: 1fa7df305b49f03e9ecf05fbb9cf74b8
MD5: 52b256f04bc9f5f003e9f292e6fabcc2
MD5: 76cc87289fa2a2363b42551b180c05de
MD5: 4ac2c20905c9761b863fdc9e737ea3d5
MD5: be0493f06f55ef7daf30e7e4d9cd03db

Related malicious MD5s known to have phoned back to the same C&C server (37.1.207.31):
MD5: 6ebe7504bcc4003c5b224801e961848c
MD5: 6f918766c935c7a472c9518c5b4aa7ba
MD5: 4d083b01c850c418e97c2fcf4031eff5
MD5: 2ce8dc9e399dc90d54d151aefec97091
MD5: 8f524b8daa68063af05313870ba198cd

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Intercepted, Hundreds of Users Affected

We've, recently, intercepted, a currently, circulating, malicious, campaign, exposing, Google Play, users, to, a variety, of malicious, software, exposing, the confidentiality, integrity, and availability, of, their, devices, to, a multi-tude, of, malicious, software.

In this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind, it, and, discuss, in depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: f6aedc30fdab1b0a0bfebb3d51cb82ea

Related malicious MD5s known to have participated in the campaign:
MD5: ff844a8bb40da72b5c9f3a8c3cda7c9d051921e6
MD5: 83e56809b1662be002f4e1c4bcd3aef90d060d8f
MD5: 7c3f693d0b0ea6c6fdbb078e56d7e71ffaf648b8
MD5: 9e36414341e4dbaa113980f7d900e0ac4baa4103
MD5: 21266e72c8becbb439cb6d77f174b5eccefa2769

Once executed a sample malware phones back to the following C&C server:
hxxp://193.201.224.22
hxxp://85.143.221.46
hxxp://85.143.219.118

Known to have phoned back to the same C&C server IP(193.201.224.22) are also the following malicious MD5s:
MD5: 99f66211f75ace7d103fc2fbc147cd8c
MD5: ab712f0c6339d2c33cf34df44da972b8
MD5: d66f59cd897e5992c4dca3c6f6d198ce
MD5: 635fbe342c0732294db648e36b8e0a58

We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Tuesday, May 17, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted, yet, another, malicious, mobile, malware, exposing, users, to, a, multi-tude, of, malicious, software.

In this, post, we'll, profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Malicious MD5 known to have been part of the campaign:
MD5: febc8518183e13114e7e4da996e64270

Once executed a sample malware phones back to the following C&C server:
hxxp://adultix.ru - 91.200.14.105; 185.87.51.121; 94.142.141.18
hxxp://xxxmobiletubez.com - 54.72.130.67; 89.144.14.59

Known to have responded to the same malicious C&C server IP (91.200.14.105) are also the following malicious domains:
hxxp://adultix.ru
hxxp://pixtrxxx.com
hxxp://coreectway.com
hxxp://filingun.com.ua

Known to have responded to the same malicious C&C server IP (185.87.51.121):
hxxp://adultix.ru
hxxp://updsandr.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (185.87.51.121):
MD5: 662e459a0b3a08f5632934565e8d898e

Known to have responded to the same malicious C&C server IP (94.142.141.18) are also the following malicious domains:
hxxp://updforphone.com
hxxp://adultix.ru

Related malicious MD5s, know, to, have, phoned, back, to, the, same, C&C server IP (91.200.14.105):
MD5: 034f764d5d87d15680fff0256a7cf3f0
MD5: 6a5320f495250ab5e1965fcc3814ef06
MD5: 5a324d1e2dd88a57df0ae34ef1c8c687
MD5: d8f1b92d104c4e68e86f99e7f855caf8
MD5: 1b31d8db32fb7117d7cf985940a10c54

Known to have phoned back to the same malicious C&C server IP (54.72.130.67) are also the following malicious MD5s:
MD5: 007dbbed15e254cba024ea1fb553fbb2
MD5: 0b6c1377fc124cc5de66f39397d0a502
MD5: 2cfba1bce9ee1cfe1f371bcf1755840d
MD5: 26004eacdd59dcc4fd5fd82423079182
MD5: 2a1cfc13dac8cea53ce8937ee9b7a2fe

Once executed a sample malware phones back to the following C&C server:
hxxp://toolkitgold.org (54.72.130.67)

We'll continue monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've, recently, intercepted, yet, another, malicious, malware-serving, campaign, targeting, Google Play, and, exposing, unsuspecting, users, to, a, variety, of, malicious, software.

In this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Known malicious MD5s, used, in, the, campaign:
MD5: 6f37c58e5513264fd43c6dd21b6dff32
MD5: 933171dbfc5bf49cadfb8c6698a86cec
MD5: d1ab7350b4e12d8ac567f4f937c10b87
MD5: bd33b1133cb5376b660f02c340eea578

Once executed, sample, malware, phones, back, to, the, following C&C server:
hxxp://beest-gamess.com - 85.25.217.151

Known C&C servers, used, in, the, campaign:
hxxp://ldatjgf.goog-upps.pw - 50.30.36.1
hxxp://uwiaoqx.marshmallovw.com/ - 209.126.117.83
hxxp://google-market2016.com - 217.12.223.34

Known to have responded to the same malicious C&C server IP (50.30.36.1), are, also, the, following, malicious, domains:
hxxp://iaohzcd.goog-upps.pw
hxxp://datjgf.goog-upps.pw
hxxp://lrbixtp.goog-upps.pw
hxxp://wqhdzry.goog-upps.pw
hxxp://tqbkmoy.goog-upps.pw

Known to have responded to the same malicious C&C server IP (209.126.117.83), are, also, the, following, malicious, domains:
hxxp://uppdate-android.com
hxxp://ysknauo.android-update17.pw
hxxp://updateosystem.online
hxxp://updateosystem.site
hxxp://rfdgqsc.update-android-8.xyz
hxxp://updateosystem.com
hxxp://gyfwlxt.update-android-4.xyz
hxxp://update-android-4.xyz
hxxp://update-android-0.xyz
hxxp://update-android-1.xyz
hxxp://iauxelv.marshmallovw.com
hxxp://xklzogn.installingmarshmallow.com
hxxp://ytprkmg.marshmallovw.com
hxxp://zknmvga.android-update15.pw
hxxp://btxiqkw.installingmarshmallow.com
hxxp://dqhukoe.installingmarshmallow.com
hxxp://klmtifg.installingmarshmallow.com
hxxp://rxebgnj.installingmarshmallow.com
hxxp://srwflih.installingmarshmallow.com
hxxp://vtgqfcy.marshmallovw.com
hxxp://xvyhwri.marshmallovw.com
hxxp://zxvmqas.installingmarshmallow.com
hxxp://neqmcij.android-update14.pw
hxxp://sdljykc.android-update14.pw
hxxp://absdfvo.android-update15.pw
hxxp://android-update15.pw
hxxp://android-update16.pw
hxxp://awsvgdq.android-update15.pw
hxxp://azhdoxi.android-update15.pw
hxxp://czrptsq.android-update15.pw
hxxp://deluvgs.android-update15.pw
hxxp://dywsaxz.android-update15.pw
hxxp://ebadrwp.android-update15.pw
hxxp://eoiqnwt.android-update15.pw
hxxp://fcibqkz.android-update15.pw
hxxp://fjrklxo.android-update15.pw
hxxp://fwmlsgc.android-update15.pw
hxxp://gldkxub.android-update15.pw
hxxp://hdnloxt.android-update15.pw
hxxp://hdukcea.android-update15.pw
hxxp://hykpbgt.android-update15.pw
hxxp://kbvdqfy.android-update15.pw
hxxp://ljpwbdo.android-update15.pw
hxxp://nbuxlte.android-update15.pw
hxxp://nlezybf.android-update15.pw
hxxp://puafoqt.android-update15.pw
hxxp://qantucb.android-update15.pw
hxxp://qsdmgot.android-update15.pw
hxxp://qzudjyw.android-update15.pw
hxxp://rwfhycb.android-update15.pw
hxxp://rykvsme.android-update15.pw
hxxp://sacjpvl.android-update15.pw
hxxp://sejmxda.android-update15.pw
hxxp://smbanpz.android-update15.pw
hxxp://spjuoza.android-update15.pw
hxxp://srfulbg.android-update15.pw
hxxp://tngezrs.android-update15.pw
hxxp://tnhfaux.android-update15.pw
hxxp://txeyzld.android-update15.pw
hxxp://vzjoasl.android-update15.pw
hxxp://wobsmtc.android-update15.pw
hxxp://xmhgfas.android-update15.pw
hxxp://yufwkqm.android-update15.pw
hxxp://zuxvsqd.android-update15.pw
hxxp://android-update14.pw
hxxp://android-update17.pw
hxxp://anejzpi.android-update17.pw
hxxp://avdeymo.android-update15.pw
hxxp://beswdhm.android-update14.pw
hxxp://blisztk.android-update16.pw
hxxp://bmedkfx.android-update17.pw
hxxp://cgloekx.android-update17.pw
hxxp://cmkxsbu.android-update15.pw
hxxp://cxzmjty.android-update15.pw
hxxp://duyzpsk.android-update15.pw
hxxp://eikjgwc.android-update16.pw
hxxp://ekogdhq.android-update17.pw
hxxp://fldsxwj.android-update15.pw
hxxp://fpgsduq.android-update14.pw
hxxp://gfaulvq.android-update16.pw
hxxp://iaupbtn.android-update15.pw
hxxp://ilcskyb.android-update15.pw
hxxp://ingvbqf.android-update15.pw
hxxp://iqtudlh.android-update14.pw
hxxp://ivpjbnq.android-update17.pw
hxxp://ixzgoue.android-update15.pw
hxxp://jbyxoeq.android-update17.pw
hxxp://jdgrvtx.android-update14.pw
hxxp://jugbhve.android-update15.pw
hxxp://jvintuc.android-update15.pw
hxxp://jznwbmh.android-update15.pw
hxxp://kcbwfmx.android-update17.pw
hxxp://kjqpdli.android-update16.pw
hxxp://lbqzsmf.android-update17.pw
hxxp://ldjgqys.android-update14.pw
hxxp://lmbdrht.android-update14.pw
hxxp://lxbkact.android-update17.pw
hxxp://lyaibec.android-update16.pw
hxxp://movqcrj.android-update14.pw
hxxp://moxeuyn.android-update16.pw
hxxp://mtnvpux.android-update14.pw
hxxp://ncmokfd.android-update16.pw
hxxp://nmhbjwc.android-update16.pw
hxxp://ntlrqih.android-update17.pw
hxxp://nxuivhl.android-update16.pw
hxxp://okthyij.android-update14.pw
hxxp://omcpusk.android-update17.pw
hxxp://oryudhs.android-update17.pw
hxxp://ozdkhwj.android-update16.pw
hxxp://ozfkcgn.android-update14.pw
hxxp://peytxrn.android-update16.pw
hxxp://piolzns.android-update16.pw
hxxp://pqunxfj.android-update17.pw
hxxp://pwkjdar.android-update14.pw
hxxp://qblgpyw.android-update17.pw
hxxp://qfzpmbu.android-update17.pw
hxxp://qlshbur.android-update16.pw
hxxp://qpylhtb.android-update15.pw
hxxp://qzawjve.android-update14.pw
hxxp://riwgvyc.android-update14.pw
hxxp://rklsxfb.marshmallovw.com
hxxp://rucgswq.android-update14.pw
hxxp://sfvguep.android-update17.pw
hxxp://sitgerx.android-update17.pw
hxxp://skzjiec.android-update17.pw
hxxp://snficje.android-update14.pw
hxxp://spjiceq.android-update15.pw
hxxp://tjvbpwq.android-update17.pw
hxxp://tzchpkn.android-update17.pw
hxxp://uavqkrn.android-update17.pw
hxxp://ucbfjtk.android-update14.pw
hxxp://ueinloh.android-update14.pw
hxxp://ugyszlh.android-update14.pw
hxxp://uryoief.android-update16.pw
hxxp://vcxsejr.android-update17.pw
hxxp://vdymzep.android-update15.pw
hxxp://vtdywbe.android-update14.pw
hxxp://vwmispo.android-update16.pw
hxxp://wcvfhkq.android-update16.pw
hxxp://wtboiys.android-update17.pw
hxxp://xcndzit.android-update15.pw
hxxp://xpnqioe.android-update17.pw
hxxp://xzhvitg.android-update14.pw
hxxp://xztrkdj.android-update17.pw
hxxp://yajfspe.android-update17.pw
hxxp://ysknauo.android-update16.pw
hxxp://yxtsncz.android-update16.pw
hxxp://zbmjfxp.android-update15.pw
hxxp://zmvsaxw.android-update16.pw
hxxp://zprvoew.android-update14.pw
hxxp://zqfcsyb.android-update14.pw
hxxp://anmwfig.marshmallovw.com
hxxp://bgeomtx.marshmallovw.com
hxxp://bltferk.marshmallovw.com
hxxp://bwiuozv.marshmallovw.com
hxxp://dastgqu.marshmallovw.com
hxxp://eulcitb.marshmallovw.com
hxxp://fedtvwb.marshmallovw.com
hxxp://fxqynok.android-update17.pw
hxxp://guoiswy.marshmallovw.com
hxxp://gzqxynp.android-update17.pw
hxxp://hufgenk.marshmallovw.com
hxxp://jbpxute.marshmallovw.com
hxxp://kilrezj.android-update17.pw
hxxp://lhcijag.android-update17.pw
hxxp://mocadgb.marshmallovw.com
hxxp://ocqdbal.marshmallovw.com
hxxp://qckexfp.android-update17.pw
hxxp://qzrcaeo.marshmallovw.com
hxxp://revbfau.marshmallovw.com
hxxp://smlerhq.marshmallovw.com
hxxp://syirtxe.android-update17.pw
hxxp://syvkjho.android-update17.pw
hxxp://tejyocm.marshmallovw.com
hxxp://uahtwly.marshmallovw.com
hxxp://uwiaoqx.marshmallovw.com
hxxp://uxvwzip.android-update17.pw
hxxp://wvbcpkg.marshmallovw.com
hxxp://yhfkpmj.marshmallovw.com
hxxp://zjbvrqm.marshmallovw.com
hxxp://zlubmxn.marshmallovw.com
hxxp://zrdesip.marshmallovw.com
hxxp://yctfgmn.marshmallovw.com
hxxp://atyblhn.installingmarshmallow.com
hxxp://bhizvxk.installingmarshmallow.com
hxxp://ctjhgnr.installlingmarshmallow.com
hxxp://glrsudo.installingmarshmallow.com
hxxp://hiovmga.installlingmarshmallow.com
hxxp://jnwxdur.installingmarshmallow.com
hxxp://jnzglas.installingmarshmallow.com
hxxp://jrqbhiw.installingmarshmallow.com
hxxp://lzdapuf.installlingmarshmallow.com
hxxp://mvypoqg.marshmallovw.com
hxxp://ntgmcyx.installingmarshmallow.com
hxxp://owtubye.installingmarshmallow.com
hxxp://rfnjxhe.installingmarshmallow.com
hxxp://xkihgqr.installingmarshmallow.com
hxxp://xmvpguk.installlingmarshmallow.com
hxxp://ygzaunj.installingmarshmallow.com
hxxp://zkodxep.installingmarshmallow.com
hxxp://zyrxwhd.installingmarshmallow.com
hxxp://installingmarshmallow.com
hxxp://installlingmarshmallow.com
hxxp://marshmallovw.com
hxxp://mkxlwut.google-update2017.com
hxxp://brpcwlntjxfskqydzoguivaemh.google-market2016.com
hxxp://jyxqnuz.installlingmarshmallow.com
hxxp://google-update2017.com
hxxp://market-place2017.com
hxxp://market-update2016.com
hxxp://market-update2017.com
hxxp://vknghqw.market-update2017.com
hxxp://update-android2017.com
hxxp://google-android2016.ru
hxxp://google-place2016.ru
hxxp://google-place2017.ru
hxxp://google-app2016.com
hxxp://google-market2016.com
hxxp://android-market2016.com
hxxp://jofzevxmadlwcnpysbhuriqktg.android-market2016.com
hxxp://androidosupdate.com
hxxp://lvizyxjqoukbrfhtmawegpdscn.androidos-60-update.com
hxxp://androidos-60-update.com
hxxp://androidosupdate6.com
hxxp://androidosupdate6-0.com
hxxp://android-update-6google.com
hxxp://android-update-60-google.com
hxxp://android-update6google.com
hxxp://android-update-6-google.com
hxxp://android-update-6.com

Known to have responded to the same malicious C&C server IP (217.12.223.34), are, also, the, following, malicious, domains:
hxxp://android-market2016.com
hxxp://google-app2016.com
hxxp://google-market2016.com
hxxp://update-player2016.com

Known to have responded to the same malicious C&C server IP (85.25.217.151) are, also, the, following, malicious, domains:
hxxp://varr.site
hxxp://varra.top
hxxp://varra.xyz
hxxp://ugugur.com
hxxp://alavar-gamess.com
hxxp://beest-gamess.com
hxxp://krakatao-giraffe.com
hxxp://marine-selling.com
hxxp://quick-sshopping.com
hxxp://shopping-marine.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Intercepted, Thousands of Users Affected

We've, recently, intercepted, yet, another, malicious, mobile, malware, exposing, unsuspecting, users, to, a, multi-tude, of, malicious, software.

In this, post, we'll profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Known malicious MD5s, participating, in, the, campaign:
MD5: 27ad60e62ff86534c0a9331e9451833d
MD5: 78fbac978d9138651678eb63e7dfd998

Malicious C&C server, part, of, the, campaign:
hxxp://apk.longxigame.com - 123.138.67.91; 106.119.191.98

Known to have been downloaded from the same malicious C&C server IP (123.138.67.91), are, also, the, following, malicious, MD5s:
MD5: a6c9a8cfa41b608573f8a9adf767daa0
MD5: a5d98369590bd2e001ac3e2986b3d7e9
MD5: 8c5e6c7bc945877740f10e91e9640f70
MD5: e82c58593e787193b5e19810b7ab504e
MD5: 814d7d6701f00c7b96c7026b5561911c

Known to have responded, to, the, same, malicious, C&C server (apk.longxigame.com), are, also, the, following, malicious, domains:
hxxp://103.243.139.241
hxxp://113.105.245.118
hxxp://183.61.13.192
hxxp://183.61.180.216
hxxp://183.61.180.217
hxxp://106.119.191.98
hxxp://221.233.135.196
hxxp://218.60.119.245
hxxp://218.60.119.30
hxxp://118.123.202.27
hxxp://118.123.202.28
hxxp://218.60.119.244
hxxp://119.84.112.118
hxxp://119.84.112.121
hxxp://220.181.105.232
hxxp://27.221.30.76
hxxp://220.181.105.231
hxxp://27.221.30.77
hxxp://60.2.226.246
hxxp://60.2.226.248
hxxp://121.29.8.235
hxxp://60.28.226.51
hxxp://116.55.241.217
hxxp://124.95.157.252
hxxp://124.160.136.232
hxxp://124.160.136.233
hxxp://218.60.119.243
hxxp://218.60.119.252
hxxp://218.60.119.29
hxxp://122.225.34.233
hxxp://122.225.34.234
hxxp://171.111.154.243
hxxp://124.95.157.253
hxxp://202.100.74.248
hxxp://221.204.186.231
hxxp://221.204.186.232
hxxp://182.140.238.123
hxxp://218.107.196.223
hxxp://218.107.196.224
hxxp://122.227.164.225
hxxp://122.227.164.226
hxxp://122.228.95.171
hxxp://122.228.95.172
hxxp://123.129.244.23
hxxp://123.129.244.24
hxxp://210.22.60.224
hxxp://125.76.247.230
hxxp://125.76.247.231
hxxp://42.81.4.91
hxxp://42.81.4.92
hxxp://117.25.155.17
hxxp://61.154.126.29
hxxp://116.55.241.218
hxxp://106.119.191.97
hxxp://171.111.154.242
hxxp://180.96.17.157
hxxp://180.96.17.160
hxxp://117.25.155.18
hxxp://121.207.229.135
hxxp://61.154.126.28
hxxp://121.207.229.136
hxxp://222.85.26.249
hxxp://222.85.26.250
hxxp://59.46.4.221
hxxp://59.46.4.222
hxxp://183.61.13.191
hxxp://103.243.139.239
hxxp://122.141.227.183
hxxp://114.80.174.98
hxxp://114.80.174.99
hxxp://202.100.74.245
hxxp://58.216.17.111
hxxp://175.6.3.149
hxxp://175.6.3.176
hxxp://61.147.118.229
hxxp://60.28.226.41
hxxp://124.112.127.77
hxxp://124.112.127.78
hxxp://124.238.232.242
hxxp://124.238.232.241
hxxp://112.90.32.242
hxxp://112.90.32.241
hxxp://123.138.67.91
hxxp://123.138.67.92
hxxp://122.141.227.182
hxxp://121.29.8.217
hxxp://42.81.4.83
hxxp://218.107.196.236
hxxp://112.67.242.110
hxxp://112.90.32.232

Known malicious MD5s known to have phoned back to the same C&C server (123.138.67.91):
MD5: 4efbe7fe86f63530d83ae7af5a3dc272
MD5: d8a3466addf81f2afeb2ca81c49d7361
MD5: 06e37b0c4a77bfa6a1052c4dd50afd9b
MD5: ed89d5977e334045500d0415154976b6

Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://api.baizhu.cc - 120.76.122.200
hxxp://cdn.baizhu.cc - 123.138.67.91

Once executed a sample malware phones back to the following C&C servers:
hxxp://yscq.v1game.cn (203.130.58.30)
hxxp://pic.v1.cn (123.138.67.92)
hxxp://img.g.v1.cn (203.130.58.30)
hxxp://static.v1game.cn (203.130.58.30)
hxxp://pay.v1game.cn (211.151.85.249)

We'll continue, monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place.

Monday, May 16, 2016

Mobile Malware Intercepted, Thousands of Users Affected

We've, recently, intercepted, yet, another, malicious, malware, campaign, affecting, Google Play, exposing, unsuspecting, users, to, a milti-tude, of malicious, software.

In this post, we'll profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s, known, to, have, participated, in, the, campaign:
MD5: 1c87344c24d8316c8f408a6f0396aa43
MD5: 390e66ffaccaa557a8d5c43c8f3a20a9
MD5: 8e2f8c52f4bb8a4e7f8393aa4a0536e1
MD5: ada4b19d5348fecffd8e864e506c5a72

Once executed, a sample, malware, phones, back, to, the, following C&C, servers:
hxxp://telbux.pw - 176.9.138.114

Malicious MD5s, known, to, have, been, downloaded, from, the, same, C&C server IP (176.9.138.114):
MD5: f8471c153414b65bbeb80880dc30da0a
MD5: 5955411fe84c10fa6af7e40bf40dcdac
MD5: ec3e5125190d76c19ca1c0c9172ac930
MD5: 0551f10503369f12cd975468bff6d16a
MD5: 1127390826a9409f6fd7ad99c4d4af18

Once executed, a, sampled, malware, phones, back, to, the, following, C&C server:
hxxp://144.76.70.213
hxxp://joyappstech.biz - 136.243.240.229

We'll, continue, monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've, recently, intercepted, yet, another, malicious, campaign, utilizing, Google Play, for, the, purpose, of, serving, malicious, software, to, unsuspecting, users.

In this, post, we'll profile, the campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: 3e57ef2802977c3c852a94bab131c84b

Known C&C servers, part, of, the, campaign:
hxxp://localbitcoinsfast.com - 198.105.215.251
hxxp://newdesigns2016.biz - 190.97.166.230

Once executed, the, sample, phones, back, to, the, following, C&C server:
hxxp://netspendexpress.biz - 68.71.49.24

Known to have phoned back to the same malicious C&C server IP (198.105.215.251), are, also, the, following, malicious, MD5s:
MD5: c1b3912711dceab2cfb86f920eb69919

Once executed, a, sample, malware, phones, back, to, the, following C&C servers:
hxxp://drone.hosterbox.com (68.71.49.24; 68.71.49.25; 142.4.12.128)

Known malicious MD5s, known, to, have, phoned, back, to, the, same C&C server IP (68.71.49.24):
MD5: 7453f9445512e48357d91491b0e32134
MD5: 138c9475d4dc80185d4d3dd612c89d50
MD5: 2be0a8f626430d6c3c9588b55253ef95

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Intercepted, Thousands of Users Affected

We've recently intercepted a new mobile malware, variant, targeting, users, internationally, and exposing, their, devices, to, a, multi-tude, of malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the infrastructure, behind, it, and discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.

Sample malicious MD5s used in the campaign:
MD5: 4f1696cc06bdab9508ba3434edab2f49
MD5: 15ef763ba561eb91b5790906505f0f79

MD5: 890dfd6b50b7ca870ceb04762725b8a6
MD5: 4a3b68aeb96ef0f26f855f6afb688a3c
MD5: c729ce2babce74998726257f167da62e
MD5: 3db50821ff074a70dcbc5c31c0a78e14

Once executed, a sample, malware, phones back to the following C&C server:
hxxp://alfabrong.eu/data/id=39759ac6-0898-424b-9e0d-790edfaa700e - 5.101.117.79; 5.187.4.15

Known to have responded to the same malicious C&C server (5.101.117.79) are also the following malicious domains:
hxxp://bugstracking.xyz
hxxp://bugstrucking.xyz
hxxp://ssd850pro.pw
hxxp://forclonabster.eu
hxxp://bugtracking.biz
hxxp://directplaytds.com
hxxp://forclonabster.xyz
hxxp://alfabrong.eu
hxxp://innotion.pw

Known to have responded to the same malicious C&C server (5.187.4.15) are also the following malicious C&C servers:
hxxp://alfabrong.eu
hxxp://hyperlabs.biz
hxxp://nkprus.ru
hxxp://programmiandroid.org

We'll continue monitoring the campaign, and, will, post, updates, as, soon, as, new, developments, take, place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently, intercepted, yet, another, mobile, malware, variant, affecting, Google Play, with, the, cybercriminals, behind, it, exposing, its, users, to, a, multi-tude, of, malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.

Malicious MD5s used in the campaign:
MD5: 7f55e0b91f5151328e779a3a425fc241
MD5: 91139d1dfa5df1f18c7f40192b2c49ce

Once executed, a, sample, phones, back, to, the, following, C&C, server:
hxxp://mob-stats.com - 5.149.252.2

Known C&C server, used, in, the, campaign:
hxxp://update-sys-android.com/upd.php - 192.99.99.186

Once executed, a, sample, malware, phones, back, to, the, following, C&C, servers:
hxxp://counter.wapstart.ru - 185.127.149.76; 81.19.95.17
hxxp://goalez.com - 91.219.195.3; 91.219.194.43; 91.219.194.8

Known to have phoned back to the same C&C server (185.127.149.76; 81.19.95.17), are, also, the, following, malicious, MD5s:
MD5: c8afecd653d4b0b7ea48de13d6001a31
MD5: bfdb43b0f44a986c2cb495c38746cd23

Once executed, a, sample, malware, phones, back, to, the, following C&C servers:
hxxp://kingwar.mgates.ru - 148.251.154.17
hxxp://counter.wapstart.ru - 185.127.149.76

Known, to, have, phoned, back, to, the, same, malicious, C&C, server (91.219.195.3), are, also, the following, malicious, MD5s:
MD5: 3ad15daf656a06bf850ea6973192ae47
MD5: 117b8362a54ece041307a136aceeb92c
MD5: 4dbdfaf3e8f5a09a7a4b82024f1c1072
MD5: 1521e73bb153f31015ab037f979602bc
MD5: 25318484bab66e0e8762c9fc5a1f888d

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://forces.may-trade.ru - 185.82.216.58
hxxp://plusfiles.890m.com - 91.219.195.3

Known to have been downloaded from the same malicious C&C server IP (91.219.194.8) are also the following malicious MD5s:
MD5: 31ad2a5a5d02e6c5e55817386b8eec01
MD5: 0815607c938c4f2088569be34ff57141
MD5: f629111b34e8e4d97ee26d2c6b19db96
MD5: 29d87de6b476fc1a873962ae04bbe206
MD5: a27158c55555ff2953e0a54a9996713d

Known to have phoned back to the same malicious C&C server IP (91.219.194.43), are, also, the, following, malicious, MD5s:
MD5: 76dd60b9f406be3b808db6fca2d856ff
MD5: ad33371a2495a0f9236c988f7024edb1

Once executed, a, sample, malware, phones, back, to, the, following, C&C server IPs:
hxxp://mu.sanek.com - 208.73.211.168
hxxp://muforum.info - 91.219.194.43
hxxp://best-hoster-group.ru - 91.219.193.252
hxxp://best-hoster.ru - 91.219.193.252
hxxp://freeller.net - 91.219.193.254
hxxp://hostagent.ru - 77.222.40.254
hxxp://ksdnewr.com - 192.64.147.242

We'll continue, monitoring, the, campaign, and post, updates, as soon, as new, developments, take, place.

Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Affected

We've recently intercepted, a currently, circulating, malicious, campaign, affecting, hundreds, of Web sites, and exposing, users, to, a, multi-tude, of, malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Malicious URLs used in the campaign:
hxxp://default7.com - 199.48.227.25
hxxp://test246.com - 54.208.99.166
hxxp://test0.com - 72.52.4.119
hxxp://distinctfestive.com - 54.208.99.166
hxxp://ableoccassion.com - 54.208.99.166

Sample malware used in the campaign:
MD5: 9854f14ca653ee7c6bf6506d823f7371

Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://intva31.homelandcustom.info (52.6.18.250)

Known to have phoned back to the same malicious C&C server IP (54.208.99.166), are, also, the, following, malicious, MD5s:
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://ii55.net (69.172.201.153)
hxxp://rwai.net (54.208.99.166)

Known to have phoned back to the same malicious C&C server IP (69.172.201.153) are also the following malicious MD5s:
MD5: 5979f69be8b6716c0832b6831c398914
MD5: a27083ff19b187cbc64644bc10d2af11
MD5: b9306bb08ac502c7bcaf3d7e0cd9d846
MD5: cd34980dda700d07b93eef7910a2a8be
MD5: b708860e7962b10e26568c9b037765df

Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: 9854f14ca653ee7c6bf6506d823f7371
MD5: 90a88230d5b657ced3b2d71162a33cff
MD5: 70465233d93aa88868d7091454592a80
MD5: f8e21525c6848f45e4ab77aee05f0a28

Related malicious MD5s known to have phoned back to the same malicious C&C server (54.208.99.166):
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Sunday, May 15, 2016

Mobile Malware Hits Google Play, Thousands of Users Affected

We've recently, intercepted, a currently, ongoing, malicious, campaign, that's utilizing, Google Play, for, the purpose, of, serving, malicious, software, to, unsuspecting, users.

In this, post, we'll, profile, the campaign, provide malicious MD5s, expose, the, malicious, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to be part, of the, malicious, campaign:
MD5: 4cbc7513072a1c0b03f7cedc6d058af4
MD5: 4defc5803de76f506bfc3a6c2c90bd87
MD5: 13647981b37f0c038e096c58b8962f95

Once, executed, the, sample, phones, back, to, the, following, C&C servers:
hxxp://petrporosya.com/123/ - 185.106.92.110
hxxp://78.46.123.205/111/inj/paypal/paypal.php

Known to have responded to the same malicious C&C server IP (185.106.92.110) is also the following malicious C&C server:
hxxp://traktorporosya.com

Related malicious MD5s known to have phoned back to the same malicious C&C server (185.106.92.110):
MD5: a765d6c0c046ffb88f825b3189f02148
MD5: 48cd9d9e03f92743b673a0c8ce58704a
MD5: 58f02914791f1e3075d574e288c80a26
MD5: 09f3f1bd2e91fb5af0c71db307777bbb
MD5: 568ef0fb4d645350b65edb031f4ade2f
MD5: d06ec8b877e2f0f73c4533c4c105acb8

Related malicious MD5s known to have phoned back to the same malicious C&C server (78.46.123.205):
MD5: 32c8af7e7e9076b35dde4d677b14e594
MD5: 27e4b9ae53c2300723c267cf67b930bf

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place.

Saturday, May 07, 2016

Threat Intelligence - An Adaptive Approach to Information Security

This article will detail the basics of threat intelligence gathering discuss various threat intelligence gathering methodologies discuss the basics of threat intelligence gathering as well as discuss various proactive threat intelligence gathering methodologies in the context of proactive security defense

01. Overview of Threat Intelligence

Threat intelligence is a multi-disciplinary approach to collecting processing and disseminating actionable threat intelligence for the purpose of ensuring that an organizations security defense is actively aware of threats facing its infrastructure so that an adequate and cost-effective strategy can be formulated to ensure the confidentiality integrity and availability of the information. Threat Intelligence is the process of collecting processing and disseminating actionable intelligence for the purpose of ensuring that an organizations infrastructure remains properly secured from threats facing its infrastructure. The collection phrase can be best described as the process of obtaining processing and analyzing actionable threat intelligence for the purpose of processing and disseminating the processed data. The collection phrase consists of actively obtaining real-time threat intelligence data for the purpose of processing enriching and assessing the data for the purpose of processing and disseminating the data.

The collection phrase consists of active monitoring of sources of interest including various public and privately closed community sources for the purpose of establishing an active threat intelligence gathering program foundation. The collection phrase consists of assessing and selecting a diverse set of primary and secondary public and privately closed sources for the purpose of establishing a threat intelligence gathering model. The collection phrase consists of assessing and selecting primary and secondary public and privately closed sources for the purpose of establishing an active threat intelligence collection model. The collection phrase consists of assessing the primary secondary public and privately closed sources for the purpose of establishing an active threat intelligence gathering collection model. The collection phase consists of assessing and selecting the primary and secondary public and privately closed sources for the purpose of establishing the foundations of the collection phrase.

The processing phrase consists of actively selecting processing tools and methodologies for the purpose of setting the foundations for a successful processing of the data. The processing phase consists of actively processing the threat intelligence gathering collected data for the purpose of establishing the foundations for a successful processing of the data. The processing phase consists of collecting the processed data for the purpose of establishing the foundations for a successful processing of the collected data for the purpose of processing and enriching the processed data. The processing phase consists of active collection enrichment and processing of the collected data for the purpose of active processing of the collected data. The processing phase consists of active selection of primary and secondary public and privately closed sources for the purpose of processing the collected data for the purpose of enriching and processing the collected data. The processing phase consists of active real-time aggregation of actionable threat intelligence data for the purpose of establishing the foundations of active processing and enrichment of the processed data for the purpose of processing and enriching of the processed data.

The dissemination phase consists of active processing and dissemination of the processed data for the purpose of communicating the actionable intelligence for the purpose of ensuring that an organizations defense is actively aware of the threats facing its infrastructure and security defense mechanisms. The dissemination phase consists of active distribution of the processed and enriched actionable intelligence for the purpose of active dissemination of the processed and enriched data. The dissemination phase consists of active dissemination and enrichment of the processed data for the purpose of establishing the foundations of an active threat intelligence gathering process. The dissemination phase consists of active communication and distribution of the processed and enriched data for the purpose of communicating the processed and enriched data across the organizations security defense mechanisms.

02. Threat Intelligence Methodologies

Numerous threat intelligence methodologies are currently available for an organization to take advantage of on its way to properly secure its infrastructure taking into consideration a proactive security response. Among the most common data acquisition strategies remains the active data acquisition through forum and communities monitoring including the active monitoring of private forums and communities. Carefully selecting and primary and secondary sources of information is crucial for maintaining the necessary situational awareness to stay ahead of threat facing the organizations infrastructure including the establishment of an active response response through an active threat intelligence gathering program. Among the most common threat intelligence acquisition methodologies remains the active data acquisition through primary and secondary forums and communities including the data acquisition through private and secondary community based type of acquisition platforms.

Among the most common threat intelligence data acquisition strategies remains the active team collaboration in terms of data acquisition data processing and data dissemination for the purpose of establishing an active organizations security response proactively responding to the threats facing an organizations infrastructure. Among the most common data acquisition strategies in terms of threat intelligence gathering methodologies remains the active enrichment of the sources of information to include a variety of primary and secondary sources including private and community based primary and secondary sources.

03. Proactive Threat Intelligence Methodologies

Anticipating the emerging threat landscape greatly ensures an organizations successful implementation of a proactive security type of defense ensuring that an organizations security defense remains properly protected from the threats facing its infrastructure. Properly understanding the threat landscape greatly ensures that a proactive response can be properly implemented for the purpose of ensuring that an organizations security defense remains properly protected from the threats facing its infrastructure. Taking into consideration the data obtained through an active threat intelligence gathering program greatly ensures that a proactive security response can be adequately implemented to ensure that an organizations security defense remains properly protected from the threats facing its infrastructure.

Among the most common threat acquisition tactics remains the active understanding of the threats facing an organizations security infrastructure to ensure that an adequate response can be properly implemented ensuring that an organizations defense remains properly protected from the threats facing its infrastructure. Among the most common threat intelligence gathering methodologies remains the active team collaboration to ensure that an active enrichment process can be properly implemented further ensuring that an organizations defense can be properly protected from the threats facing its infrastructure. Based on the information acquired through an active threat intelligence gathering acquisition processing and dissemination program further ensuring that an organizations infrastructure can be properly protected from the threats facing its infrastructure.

04. The Future of Threat Intelligence

The future of threat intelligence gathering largely relies on a successful set of threat intelligence gathering methodologies active data acquisition processing and dissemination strategies including the active enrichment of the processed data for the purpose of ensuring that an organizations security defense remains properly in place. The future of threat intelligence largely relies on the successful understanding of multiple threat vectors for the purpose of establishing an organizations security defense. Relying on a multi-tude of enrichment processes including the active establishment of an an active threat intelligence gathering acquisition processing and dissemination program greatly ensures that a proactive team-oriented approach can be implemented to ensure that an organizations security defense remains properly protected from the threats facing its infrastructure.

05. Conclusion

Threat Intelligence acquisition processing and dissemination remains a largely proactive response to a growing set of emerging threats facing an organizations infrastructure where the active establishment of an active threat intelligence gathering acquisition processing and dissemination remains an active response to a growing set of security threats facing an organization's infrastructure. Properly ensuring that an organization's security defense remains properly secured from the threats facing its infrastructure ensures that an organizations security defense remains properly in place further ensuring that a successful information security strategy can be properly implemented and that an organization's security defense can be properly put in place.

If you would like to receive additional information regarding a possible threat intelligence program evaluation facing your company's infrastructure including additional information regarding the threat landscape discussing the threats facing your organizations infrastructure you can approach me at dancho.danchev@hush.com