We've recently intercepted, a currently, circulating, malicious, campaign, affecting, hundreds, of Web sites, and exposing, users, to, a, multi-tude, of, malicious, software.
In this post, we'll profile, the campaign, provide malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.
Malicious URLs used in the campaign:
hxxp://default7.com - 199.48.227.25
hxxp://test246.com - 54.208.99.166
hxxp://test0.com - 72.52.4.119
hxxp://distinctfestive.com - 54.208.99.166
hxxp://ableoccassion.com - 54.208.99.166
Sample malware used in the campaign:
MD5: 9854f14ca653ee7c6bf6506d823f7371
Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://intva31.homelandcustom.info (52.6.18.250)
Known to have phoned back to the same malicious C&C server IP (54.208.99.166), are, also, the, following, malicious, MD5s:
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def
Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://ii55.net (69.172.201.153)
hxxp://rwai.net (54.208.99.166)
Known to have phoned back to the same malicious C&C server IP (69.172.201.153) are also the following malicious MD5s:
MD5: 5979f69be8b6716c0832b6831c398914
MD5: a27083ff19b187cbc64644bc10d2af11
MD5: b9306bb08ac502c7bcaf3d7e0cd9d846
MD5: cd34980dda700d07b93eef7910a2a8be
MD5: b708860e7962b10e26568c9b037765df
Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: 9854f14ca653ee7c6bf6506d823f7371
MD5: 90a88230d5b657ced3b2d71162a33cff
MD5: 70465233d93aa88868d7091454592a80
MD5: f8e21525c6848f45e4ab77aee05f0a28
Related malicious MD5s known to have phoned back to the same malicious C&C server (54.208.99.166):
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def
We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
Author
Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering having actively pioneered his own methodology for processing threat intelligence throughout the past decade following a successful career as a hacker-enthusiast in the 90's leading to active-community participation and contribution as a Member to WarIndustries List Moderator at BlackCode Ravers Contributor to Black Sun Research Facility (BSRF) List Moderator Software Contributor (TDS-2 Trojan Information Database) at DiamondCS Trojan Defense contributor to LockDownCorp Contributor to HelpNetSecurity Managing Director of Astalavista Security Group's Astalavista.com - The Underground a Security Consultant for Frame4 Security Systems contributor to TechGenix's WindowSecurity.com security blogger for ZDNet Zero Day Threat Intelligence Analyst for Webroot leading to a successful set of hundreds of high-quality anaysis and research articles published at the industry's leading threat intelligence blog - ZDNet's Zero Day Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog with his research featured in Techmeme ZDNet CNN PCWorld SCMagazine TheRegister NYTimes CNET ComputerWorld H+Magazine currently producing threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge. With his research featured at RSA Europe CyberCamp InfoSec GCHQ and Interpol the researcher continues to actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge publishing a diverse set of hundreds of high-quality research analysis detailing the malicious and fraudulent activities at nation-state and malicious actors across the globe. Approach him at dancho.danchev@hush.com or visit him at https://astalavista.box.sk where he's currently running a high-profile hacking and security project on the original Astalavista.box.sk part of the Box.sk network circa 1994.
Blog Archive
- September 2020 (4)
- August 2020 (3)
- July 2020 (8)
- June 2020 (1)
- May 2020 (2)
- February 2020 (1)
- January 2020 (2)
- December 2019 (9)
- November 2019 (1)
- October 2019 (1)
- September 2019 (8)
- August 2019 (2)
- July 2019 (6)
- May 2019 (11)
- April 2019 (3)
- March 2019 (1)
- February 2019 (9)
- January 2019 (4)
- December 2018 (1)
- October 2018 (25)
- September 2018 (1)
- July 2018 (1)
- November 2017 (1)
- May 2017 (8)
- January 2017 (2)
- December 2016 (12)
- August 2016 (7)
- May 2016 (1)
- April 2016 (4)
- August 2015 (2)
- July 2015 (1)
- October 2014 (1)
- March 2014 (3)
- January 2014 (7)
- December 2013 (5)
- November 2013 (12)
- October 2013 (3)
- September 2013 (6)
- August 2013 (14)
- July 2013 (6)
- June 2013 (8)
- May 2013 (5)
- April 2013 (5)
- March 2013 (3)
- February 2013 (6)
- January 2013 (6)
- December 2012 (2)
- November 2012 (7)
- October 2012 (3)
- September 2012 (4)
- August 2012 (2)
- July 2012 (2)
- June 2012 (2)
- May 2012 (4)
- April 2012 (2)
- March 2012 (2)
- February 2012 (2)
- January 2012 (6)
- December 2011 (1)
- October 2011 (7)
- September 2011 (4)
- August 2011 (4)
- July 2011 (3)
- June 2011 (1)
- May 2011 (10)
- April 2011 (5)
- March 2011 (12)
- February 2011 (6)
- January 2011 (5)
- September 2010 (2)
- August 2010 (3)
- July 2010 (7)
- June 2010 (7)
- May 2010 (16)
- April 2010 (15)
- March 2010 (13)
- February 2010 (17)
- January 2010 (9)
- December 2009 (9)
- November 2009 (13)
- October 2009 (9)
- September 2009 (10)
- August 2009 (12)
- July 2009 (14)
- June 2009 (11)
- May 2009 (11)
- April 2009 (11)
- March 2009 (11)
- February 2009 (13)
- January 2009 (10)
- December 2008 (10)
- November 2008 (15)
- October 2008 (25)
- September 2008 (17)
- August 2008 (26)
- July 2008 (38)
- June 2008 (19)
- May 2008 (33)
- April 2008 (30)
- March 2008 (19)
- February 2008 (21)
- January 2008 (13)
- December 2007 (21)
- November 2007 (34)
- October 2007 (32)
- September 2007 (28)
- August 2007 (25)
- July 2007 (22)
- June 2007 (20)
- May 2007 (30)
- April 2007 (20)
- March 2007 (41)
- February 2007 (32)
- January 2007 (29)
- December 2006 (20)
- November 2006 (20)
- October 2006 (28)
- September 2006 (40)
- August 2006 (27)
- July 2006 (28)
- June 2006 (29)
- May 2006 (33)
- April 2006 (20)
- March 2006 (19)
- February 2006 (23)
- January 2006 (39)
- December 2005 (6)
Popular Posts
-
I've recently came across to a news article detailing the recently leaked Bulgaria NAP records database and I decided to take a closer... -
In a world dominated by fraudulent propositions it should be noted that Jabber and XMPP remain the primary secure communication channel f... -
You know you're popular when "they" say "hi". It's 2009 and I've received a surprising personal email co... -
Dear blog readers, Surprise, surprise! I wanted to let everyone know that I've spend a decent portion of my time crawling and actual... -
Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger? Approach me at dancho.danchev@hush... -
Dear blog readers, I decided to let everyone know that I've recently launched my own Patreon Community Page with the idea to let ev... -
Dear blog readers, It's a pleasure and an honor to let you know of a recently released commercially available report on Iran's H... -
Dear blog readers - it's been a while since I've last posted a quality update following my disappearance and possible kidnapping at... -
Dear blog readers, I wanted to let everyone know that I've recently changed the official Dark Web Onion address for my Cybertronics ...
-
It's 2010 and I've recently came across to a compromised Georgian Government Ministry of Defense and Ministry of Justice official ...
Labels
- 419 Scam
- AbdAllah
- Abdallah Internet Hizmetleri
- Able Danger
- Active Security Monitor
- Advance Fee Scam
- Advanced Persistent Threat
- Advertising
- Adware
- Affiliate Network
- Ahmad Al Agha
- Al Qaeda
- Allied Group Inc
- Amazon AWS
- ANA Spoofer Project
- Anonymity
- Anonymizer
- Anti-Phishing Group
- Antivirus
- Antivirus Signatures
- Anton Nikolaevich Korotchenko
- AOL
- Apple
- APT
- Ashiyane Digital Security Team
- ASProx
- Astalavista
- Astalavista Security Group
- Astalavista.box.sk
- ATM Skimmer
- ATS
- Authentication
- Avalance Botnet
- Background Check
- BadB
- Bahama Botnet
- BakaSoftware
- Bantu
- BBC
- Bebo
- Bed Time Reading
- Best Practices
- BGP
- Big Brother
- Bill Gates Botnet
- Biometrics
- Bitcoin
- Bjorn Andreasson
- Blackhat SEO
- Boeing
- Bogus Account
- Botnet
- Box.sk
- Brute-Forcing
- Bulgaria
- Bullet Proof Hosting
- C4I
- CALEA
- Candid Wuest
- CAPTCHA
- Career Enrichment
- Cash Transfers
- CCTV
- CDT
- Cell Phone Monitoring
- Cell Phone Surveillance
- CellDEK
- Censorship
- Center for Democracy and Technology
- CERT
- Cheyenne Mountain Operations Center
- Child Pornography
- China
- China Eagle Union
- CIA
- CipherTrust
- Classified Information
- Client-Side Exploits
- Client-Side Vulnerabilities
- CNO
- COCOM
- Cold War
- COMINT
- Competitive Intelligence
- Compliance
- Computer Crime Survey
- Computer Network Operation
- Conficker
- Confidential Connections
- Conspiracy
- Conspiracy Theory
- Cookies
- Corporate Risk Management
- Credit Cards
- Crimeware
- Critical Infrastructure
- Crusade Affiliates
- Crypters
- Cryptography
- Cryptome
- Cryptoviral Extortion
- CSIA
- Cyber Attack
- Cyber Espionage
- Cyber Insurance
- Cyber Jihad
- Cyber Militia
- Cyber Security Industry Alliance
- Cyber Security Investment
- Cyber Terrorism
- Cyber Warfare
- Cyber Weapon
- Cyber Weapons
- Cybercrime
- Cybercrime Ecosystem
- Cybercrime Forum
- Cybercrime Forum Data Set
- Cybercrime Search Engine
- Cyberpunk
- Cyberspace
- Cybertronics
- Daniel Brandt
- Dark Forum
- Dark Web
- Dark Web Onion
- Dark Web Search Engine
- DarkComet RAT
- Data Acquisition
- Data Breach
- Data Center
- Data Leak
- Data Mining
- David Endler
- DDoS
- Defense Complex
- Delicious Information Warfare
- Denmark
- DHS
- DIA
- Digital Armaments
- Digital Forensics
- Digital Rights
- Dilbert
- Distributed Computing
- Distributed Computing Project
- Distributed Project
- DNS
- DNS Changer
- DoJ
- DotCom
- DreamHost
- Dropbox
- Durzhavna Sigurnost
- DVD of the Weekend
- E-Banking
- E-Business
- E-Commerce
- Eavesdropping
- Ebay
- ECHELON
- ECOFIN Projects
- Economics
- eID
- Electromagnetic Pulse Weapons
- Electronic Banking
- ELINT
- EMP
- Encrypted Communication
- Encryption
- Enigma
- ENISA
- Enki Bilal
- Enron
- Erasmus Bridge
- Eric Goldman
- Espionage
- Evgeniy Mikhaylovich Bogachev
- Exmanoize
- Exploit Broker
- Exploits
- Eyeball Series
- F-Secure
- Fake Account
- Fake Adobe Flash Player
- Fake Certificate
- Fake Chrome Extension
- Fake Chrome Update
- Fake Code Signing Certificate
- Fake Confirmed Facebook Friend Request Email
- Fake Documents
- Fake Facebook Notification
- Fake Facebook Profile Spy Application
- Fake Firefox Update
- Fake Hosting Provider
- Fake ID
- Fake Internet Explorer Update
- Fake Passport
- Fake Safari Update
- Fake Security Software
- Fake Utility Bill
- Fake Video Codec
- Fake Visa
- Fake Visa Application
- Fake Web Site
- Fake Who's Viewed Your Facebook Profile Extension
- Fake YouTube Player
- Fast-Flux
- FBI
- FBI Most Wanted
- FCC
- FDIC
- Financial Management
- Firas Nur Al Din Dardar
- FireEye
- Flashpoint Intel
- Forensics
- FoxNews
- Fraud
- Free Speech
- FSB
- FTLog
- FTLog Worm
- Gartner
- Gavril Danilkin
- GazTranzitStroyInfo
- GCHQ
- Generation I
- George Bush
- Georgi Markov
- Georgia
- GiveMeDB
- Global Security Challenge
- GoDaddy
- Google Ads
- Google Docs
- Google Earth
- Google Groups
- Google Hacking
- Google Maps
- Google Store
- Greece
- Growth Hacker
- GUI
- Gumblar
- Hacked Database
- Hacked Web Site
- Hacking
- Hacking Book
- Hacking Forum
- Hacktivism
- Haiti
- Hamas
- Hezbollah
- High Tech Brazil Hack Team
- Hilary Kneber
- Homebrew
- Honeynet Project
- Honker Union of China
- HUMINT
- ICBM
- ID Theft
- iDefense
- Identity Theft
- Illegal Hosting
- IMINT
- IMLogic
- Information Security
- Information Security Forum
- Information Security Market
- Information Warfare
- Infrastructure Security
- InqTana Mac OS X Malware
- Insider
- Insider Monitoring
- Insider Threat
- Instant Messaging
- Intellectual Property
- Intelligence
- Intelligence Agency
- Intelligence Community
- Internal Revenue Service
- International Exploit Shop
- Internet
- Internet Censorship
- Internet Economy
- Internet Relay Chat
- Investment Banking
- IP Cloaking
- IP Hiding
- IP Spoofing
- iPowerWeb
- IPSec
- IPv4
- IPv6
- Iran
- Iran Hacker Groups
- Iran Hacking Groups
- IRC
- IRS
- Jabber
- Joanna Rutkowska
- Johannes Ullrich
- John Young
- K Rudolph
- Katrina
- Keylogger
- KGB
- Kidnapping
- Koobface
- Korean Demilitarized Zone
- KrotReal
- Latvia
- Law Enforcement
- Lawful Interception
- Lenovo
- Lizamoon
- Loads.cc
- Localization
- Location Tracking
- Lockheed Martin
- Logicube
- Lone Gunmen
- Lovely Horse
- Lubyanka Square Headquarters
- M4 Project
- Mac OS X
- Malicious Software
- Maltego
- Malvertising
- Malware
- Marketing
- Mass Web Site Defacement
- Mastercard
- McAfee
- Metrics
- Microsoft
- Microsoft Live
- Military Communications
- Missile Base
- Mobile
- Mobile Communication Censorship
- Mobile Internet
- Mobile Location Tracking
- Mobile Malware
- Money Laundering
- Money Mule
- Money Mule Recruitment
- Monoculture
- Morgan Stanley
- MSN
- Muhammad Cartoons
- MyWebFace
- NASA
- National Security
- Native Intelligence
- NBC
- NetAssist LLC
- NetCraft
- Network Solutions
- New Media
- Nikolay Nedyalkov
- Nikopol Trilogy
- Nintendo
- Nintendo DS
- NordVPN
- Norman Sandbox
- North Korea
- North Korea Missile Launch Pad
- NSA
- Nuclear Weapons
- Nyxem
- OEM
- One-Time Passwords In Everything
- OneCare
- Online Advertising
- Online Fraud
- Online Marketing
- Open Source Malware
- Operation Uncle George
- OPIE
- OPSEC
- Osama Bin Laden
- OSINT
- OTC
- OTP
- Over-The-Counter
- Packers
- Parked Domains
- Passwords
- PayPal
- Perplex City
- Persistent Cookies
- Personal Career
- Personal Data
- Pharmaceutical Scams
- Phileas Crawler
- Phishing
- Phishing Campaign
- Phishing Toolbar
- PhishTube
- Phreedom
- Physical Security
- Piracy
- PlushForums
- Podcast
- Point of Sale Terrminal
- Politics
- PornTube
- POS
- Potentially Unwanted Application
- PR
- Press Coverage
- Privacy
- Prolexic
- Protonmail
- Proxy Service
- PSYOPS
- Qassam Cyber Fighters
- Radicati Group
- Ransomware
- RAT
- Ray Kurzweil
- RBN
- Reconnaissance Satellite
- Regulation
- Remote Access Tool
- Reporters Without Borders
- Return On Investment
- Return On Security Investment
- Revolution in Militvry Affairs
- RIPA
- Risk Management
- Rogue Account
- Rogue Chrome Extension
- Rogue Video Codec
- Rogue YouTube Player
- ROI
- Roman Polesek
- Root Server
- Rootkit
- ROSI
- Russia
- Russian Bomber
- Russian Business Network
- Russian Submarine
- Safe Harbor
- Satellite Imagery
- Satellite Jamming
- Satellite SIGINT
- Scams
- Scandoo
- ScanSafe
- Scareware
- Scribd
- Search Engine
- Search Engine Optimization
- SEC
- Secure Communication
- Securities and Exchange Commission
- Security
- Security Awareness
- Security Book
- Security Breach
- Security Education
- Security Forum
- Security Game
- Security Industry
- Security Interviews
- Security Investment
- Security Metrics
- Security Podcast
- Security Project
- Security Research
- Security Statistics
- Security Training
- Security Trends
- Sensitive Information
- Shadow Server
- ShadowCrew
- SIGINT
- SIPRNET
- SITE Institute
- SiteAdvisor
- Skype
- Sniffing
- Social Engineering
- Social Network Analysis
- SocialMediaSystem
- Software Piracy
- Sophos
- Space Warfare
- Space Weapons
- Spam
- Spam Campaign
- Spam Operations
- Spoofing
- Sprott Asset Management
- Spyware
- SQL Injection
- SSL
- SSN
- Starlight
- Stealth Ideas Inc
- Steganography
- Stolen Credit Card
- Strider Crawler
- Sub7
- Suri Pluma
- Surveillance
- Swine Flu
- Symantec
- Symbian
- Syria
- Syrian Electronic Army
- Syrian Embassy
- TAN
- Tech Support Scam
- Technical Collection
- Technical Mujahid
- Terrorism
- The Bunker
- The Immortals
- The Lawnmower Man
- The Outer Limits
- Thought Leadership
- Threat Intelligence
- Threat Intelligence Report
- TIA
- Tipping Point
- Tor
- TorrentReactor
- Total Information Awareness
- Travel Without Moving
- TrendMicro
- Trifinite Group
- Trojan Horse
- TROYAK-AS
- Two-Factor Authentication
- Typosquatting
- U.S Bureau of Engraving and Printing
- U.S Driving License
- U.S Elections
- Underground Search Engine
- University ID Card
- Vault 7
- VeriSign
- Vertex Net Loader
- Virtual Private Network
- Virtual Reality
- Virtual Reality Social Network
- Virtual World
- Virus for You
- Virus Map
- Virus Recovery Button
- Viruses
- VirusTotal
- Visa
- Visual Information System
- Visualization
- VoIP
- VPN
- Vulnerabilities
- Vulnerability Broker
- War Driving
- War Games
- Weapon Systems
- Web 2.0
- Web Application Worm
- Web Crawler
- Web Inject
- Web Proxy Service
- Web Site Defacement
- Webroot
- WHGDG
- Wireless
- Wireless Hacking
- Wireless Internet
- Wiretapping
- WMF Vulnerability
- World Hacker Global Domination Group
- X-Files
- XMPP
- XSS
- Yahoo
- YouTube
- Zero Day Exploit
- Zero Day Initiative
- Zerodium
- ZeuS
- Zombie Alert
- Zone-H
- Zotob