We've recently intercepted yet another malicious campaign utilizing Google Play for the purpose of serving malicious software to unsuspecting users.
In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in-depth the tactics, techniques, and procedures of the cybercriminals behind it.
Malicious MD5s known to have participated in the campaign:
MD5: 3e57ef2802977c3c852a94bab131c84b
Known C&C servers, part of the campaign:
hxxp://localbitcoinsfast.com - 198.105.215.251
hxxp://newdesigns2016.biz - 190.97.166.230
Once executed, the sample phones back to the following C&C server:
hxxp://netspendexpress.biz - 68.71.49.24
Known to have phoned back to the same malicious C&C server IP (198.105.215.251) are also the following malicious MD5s:
MD5: c1b3912711dceab2cfb86f920eb69919
Once executed, the sample phones back to the following C&C servers:
hxxp://drone.hosterbox.com (68.71.49.24; 68.71.49.25; 142.4.12.128)
Malicious MD5s known to have phoned back to the same C&C server IP (68.71.49.24):
MD5: 7453f9445512e48357d91491b0e32134
MD5: 138c9475d4dc80185d4d3dd612c89d50
MD5: 2be0a8f626430d6c3c9588b55253ef95
We'll continue monitoring the campaign and post updates as soon as new developments take place.