Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Monday, May 16, 2016

Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Affected

We've recently intercepted, a currently, circulating, malicious, campaign, affecting, hundreds, of Web sites, and exposing, users, to, a, multi-tude, of, malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Malicious URLs used in the campaign:
hxxp://default7.com - 199.48.227.25
hxxp://test246.com - 54.208.99.166
hxxp://test0.com - 72.52.4.119
hxxp://distinctfestive.com - 54.208.99.166
hxxp://ableoccassion.com - 54.208.99.166

Sample malware used in the campaign:
MD5: 9854f14ca653ee7c6bf6506d823f7371

Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://intva31.homelandcustom.info (52.6.18.250)

Known to have phoned back to the same malicious C&C server IP (54.208.99.166), are, also, the, following, malicious, MD5s:
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://ii55.net (69.172.201.153)
hxxp://rwai.net (54.208.99.166)

Known to have phoned back to the same malicious C&C server IP (69.172.201.153) are also the following malicious MD5s:
MD5: 5979f69be8b6716c0832b6831c398914
MD5: a27083ff19b187cbc64644bc10d2af11
MD5: b9306bb08ac502c7bcaf3d7e0cd9d846
MD5: cd34980dda700d07b93eef7910a2a8be
MD5: b708860e7962b10e26568c9b037765df

Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: 9854f14ca653ee7c6bf6506d823f7371
MD5: 90a88230d5b657ced3b2d71162a33cff
MD5: 70465233d93aa88868d7091454592a80
MD5: f8e21525c6848f45e4ab77aee05f0a28

Related malicious MD5s known to have phoned back to the same malicious C&C server (54.208.99.166):
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me dancho.danchev@hush.com

Subscribe to: Posts (Atom)

Who is Dancho Danchev?

Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering having actively pioneered his own methodology for processing threat intelligence throughout the past decade following a successful career as a hacker-enthusiast in the 90's leading to active-community participation and contribution as a Member to WarIndustries, List Moderator at BlackCode Ravers, Contributor to Black Sun Research Facility (BSRF) List Moderator Software Contributor (TDS-2 Trojan Information Database) at DiamondCS Trojan Defense Suite, contributor to LockDownCorp, Contributor to HelpNetSecurity, Managing Director of Astalavista Security Group's Astalavista.com - The Underground, a Security Consultant for Frame4 Security Systems, contributor to TechGenix's WindowSecurity.com, security blogger for ZDNet Zero Day, Threat Intelligence Analyst for Webroot, leading to a successful set of hundreds of high-quality anaysis and research articles published at the industry's leading threat intelligence blog - ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge.

With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol the researcher continues to actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge publishing a diverse set of hundreds of high-quality research analysis detailing the malicious and fraudulent activities at nation-state and malicious actors across the globe.

What is Disruptive Individuals?

Disruptive Indivuduals is a research-intensive data-driven company successfully establishing the world's largest snapshot of malicious cybercrime activity for the purpose of offering the industry the world's most versatile portfolio of malicious cybercrime-driven services successfully positioning itself as the world's leading provider of real-time intelligence-driven services and product portfolio including cybercrime-research data malicious activity profiling services and custom-tailored intelligence assessments successfully positioning the company as the world's leading provider of cybercrime-data driven research-intensive intelligence data-driven company.

What is Astalavista Security Group?

Astalavista Security Group 2.0 - The Underground is Europe's oldest running and most popular international hacking and security brand successfully serving the needs of millions of users globally throughout the decade successfully converting hundreds of thousands of unique users into loyal long-term type of customers and premium members of the portal. Following the original split of the original founding partners prozac and r00tless a new kid on the block acting as Managing Director circa 2003-2006 - Dancho Danchev - decided to undertake the initiative to lauch and re-surrect the portal the way we know it - the Scene's most popular hacking and computer security Web Site in an attempt to once again re-position the Web site as the primary destination point for hackers/crackers/phreakers/anarchists.

What is Offensive Warfare 2.0?

Offensive Warfare 2.0 - The Future of Cyber Warfare is an international Pro-Western Hacking and Security Community managed and operated by the World's leading expert in the field of cybercrime research - Dancho Danchev - ex-hacker back in the infamous hacking spree back in the 90's. Its purpose is to spread information data and knowledge and educate millions of active users on current and emerging cyber threats and to provide general and in-depth discussion on current and emerging hacking and security technologies empowering the U.S Intelligence Community with the necessary data information and knowledge to stay on the top of its game.

What is the Obmonix Platform?

The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for intercepting monitoring and responding to cybercrime and cyber jihad events successfully deploying a variety of proprietary sensor network based of honeypot appliances industry-wide partnership including the utilization of prorietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns successfully positioning the platform as the leading indicator for cybercrime and cyber jihad activity globally empowering the operator law enforcement and the security industry with then necessary tactics techniques and procedures (TTPs) for successfully responding and monitoring cybercrime and cyber jihad activity globally leading to successful launch of the Disruptive Individuals startup successfully serving the needs of the Intelligenge Community, the security industry and law enforcement agencies globally successfully anticipating an emerging set of malicious and fraudulent tactics techniques and procedures sucessfully protecting millions of users globally.

What is World Hacker Global Domination Group (WHGDG)?

World Hacker Global Domination Group (WHGDG) - the Dark Web's most popular single-page one-man hacking and security hacking group is a project launched by the World's Leading Expert in the field of cybercrime research security blogging and threat intelligence gathering - Dancho Danchev - who undertook the initiative to launch and re-surrect the portal the way we know it - the Dark Web's most popular hacking and computer security Web Site in an attempt to once again re-position the Dark Web Onion as the primary destination point for hackers/crackers/phreakers/anarchists.