Monday, May 30, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign that exposes users to a variety of malicious software and compromises the confidentiality, integrity and availability of their devices.

In this post we'll profile the campaign, provide the malicious MD5s, expose the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: bd4ed8b3b5d37f34fb63ce2798c585e9
MD5: 1c2c8894ab12a38b7420c7e04ed690f3

MD5: 7e3410e3b74866b02f8c8d6a3220aa23
MD5: 427ec5aef2a0ca2b2c8edbf24f1aeb8f
MD5: 770c77bfa64dc89638d5ac07ca6d1246
MD5: 3670576f507327fc4cbec45d0b3b6d2e

MD5: 5a3d1953631d1e78af6390c88a4ea434
MD5: 7322362d952eb63c07b9585107604a90

MD5: d9f63a6944648646343be1b7fbebe734
MD5: 611a6489bb7c9357765b8dd00f00d953
MD5: c81a88af87dfd05f5f757eea56d83fb8
MD5: 381a9b123d2b43ae8ff617d708bcfce8
MD5: a3bbf048865c48d2b2d5c8973d8a95d3
MD5: 66f31f76a5633e8a16ffe763093b546b

MD5: ac74bdca918dc6416cfa4e710d238f43
MD5: b169837db80e53c4564b62c0a4b9eba3
MD5: b334c20de944bb15cc8ac6aa59215e73
MD5: 677aa8cba92cdda2ec80b61fb7052813
MD5: 7b366d1273c65d0be63b7d68b268d3b8

Once executed, a sample phones back to the following C&C server:
hxxp://sklasse-b.in.ua/777/gate.php - 217.12.201.60

Known to have phoned back to the same C&C server IP (217.12.201.60) are also the following malicious MD5s:
MD5: e070535dd1ca923d1b12a71307b2639a
MD5: 3092a0a15dceb494a62eb00ea1c51283
MD5: 90123fd7978d42c2cd0a1fdc62651eb6
MD5: 553bed2a3cab5f1ec98bbec6dc151dd3
MD5: 947efe328858d816a77ef6b103097097

Once executed, a sample phones back to the following C&C server:
hxxp://apimobiapps.com/api/app.php - 54.72.9.115; 37.1.210.139

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 7e6429d92bf457f5580457260c92d615
MD5: f89ee0bd2fa97380ceedbfe5bf3d5c93
MD5: 886d621a5abeea5609ae813b50ea35a5
MD5: 576da1ff48ae7d4ce092698c20bb9c2c
MD5: 1c93b5c33585ab60c61c698713a6446d
MD5: 6afea2ece23b57fe3d3076ca799c18fe
MD5: 9a43a4bee370f7ae3759a5633b0ee40a

Once executed, a sample phones back to the following C&C servers:
hxxp://dh005.com - 54.72.9.115; 172.99.89.215
hxxp://parkingcrew.net - 185.53.179.29
hxxp://quickdomainfwd.com - 208.91.196.46

Note that parkingcrew.net and quickdomainfwd.com are domain parking and forwarding services, so traffic to the last two hosts and IPs most likely reflects a lapsed C&C domain that now resolves to a parking page rather than attacker-controlled infrastructure. Treat those two as low-confidence indicators and avoid blocklisting them outright; the C&C hosts, request paths and the remaining IPs are the actionable indicators.
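To make the indicators above directly usable, here is an added example (not code from the original post) that checks suspect files against the listed MD5s and scans proxy-log lines for the C&C hosts, request paths and IPs, keeping the parking and forwarding services as low-confidence hits. The indicator values are copied from this post; the Squid-style log lines are constructed for illustration.

```python
"""Check local artefacts against the IOCs published in this post: MD5 hashes
of suspect files and host/path/IP indicators in proxy-log lines.
Added example, not the original write-up's code; SAMPLE_LOG is constructed."""
import hashlib
import re
from urllib.parse import urlparse

# All MD5s listed in the post, lower-case hex.
CAMPAIGN_MD5S = {
    "bd4ed8b3b5d37f34fb63ce2798c585e9", "1c2c8894ab12a38b7420c7e04ed690f3",
    "7e3410e3b74866b02f8c8d6a3220aa23", "427ec5aef2a0ca2b2c8edbf24f1aeb8f",
    "770c77bfa64dc89638d5ac07ca6d1246", "3670576f507327fc4cbec45d0b3b6d2e",
    "5a3d1953631d1e78af6390c88a4ea434", "7322362d952eb63c07b9585107604a90",
    "d9f63a6944648646343be1b7fbebe734", "611a6489bb7c9357765b8dd00f00d953",
    "c81a88af87dfd05f5f757eea56d83fb8", "381a9b123d2b43ae8ff617d708bcfce8",
    "a3bbf048865c48d2b2d5c8973d8a95d3", "66f31f76a5633e8a16ffe763093b546b",
    "ac74bdca918dc6416cfa4e710d238f43", "b169837db80e53c4564b62c0a4b9eba3",
    "b334c20de944bb15cc8ac6aa59215e73", "677aa8cba92cdda2ec80b61fb7052813",
    "7b366d1273c65d0be63b7d68b268d3b8",
    # Phoned back to 217.12.201.60
    "e070535dd1ca923d1b12a71307b2639a", "3092a0a15dceb494a62eb00ea1c51283",
    "90123fd7978d42c2cd0a1fdc62651eb6", "553bed2a3cab5f1ec98bbec6dc151dd3",
    "947efe328858d816a77ef6b103097097",
    # Phoned back to 54.72.9.115
    "7e6429d92bf457f5580457260c92d615", "f89ee0bd2fa97380ceedbfe5bf3d5c93",
    "886d621a5abeea5609ae813b50ea35a5", "576da1ff48ae7d4ce092698c20bb9c2c",
    "1c93b5c33585ab60c61c698713a6446d", "6afea2ece23b57fe3d3076ca799c18fe",
    "9a43a4bee370f7ae3759a5633b0ee40a",
}

# C&C URLs exactly as published (defanged with hxxp://) and their IPs.
CNC_URLS = [
    "hxxp://sklasse-b.in.ua/777/gate.php",
    "hxxp://apimobiapps.com/api/app.php",
    "hxxp://dh005.com",
]
CNC_IPS = {"217.12.201.60", "54.72.9.115", "37.1.210.139", "172.99.89.215"}
# Domain parking/forwarding services: a hit most likely means a lapsed C&C
# domain now parked, so these stay low-confidence rather than blocklisted.
LOW_CONFIDENCE_HOSTS = {"parkingcrew.net", "quickdomainfwd.com"}
LOW_CONFIDENCE_IPS = {"185.53.179.29", "208.91.196.46"}


def refang(url: str) -> str:
    """Restore a defanged hxxp:// or hxxps:// URL to a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


CNC_HOSTS = {urlparse(refang(u)).hostname for u in CNC_URLS}
# Gate paths identify the C&C even if it moves to a new host.
CNC_PATHS = {urlparse(refang(u)).path for u in CNC_URLS} - {"", "/"}
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
URL_RE = re.compile(r"https?://\S+")


def md5_matches(data: bytes) -> bool:
    """True if the MD5 of the given file contents is a campaign hash."""
    return hashlib.md5(data).hexdigest() in CAMPAIGN_MD5S


def classify_log_line(line: str):
    """Return ("high"|"low", sorted indicators) for one log line, or None.
    High: C&C host, gate path or C&C IP. Low: only a parking host/IP."""
    high, low = set(), set()
    for url in URL_RE.findall(line):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in CNC_HOSTS:
            high.add(host)
        elif host in LOW_CONFIDENCE_HOSTS:
            low.add(host)
        if parsed.path in CNC_PATHS:
            high.add(parsed.path)
    for ip in IPV4_RE.findall(line):
        if ip in CNC_IPS:
            high.add(ip)
        elif ip in LOW_CONFIDENCE_IPS:
            low.add(ip)
    if high:
        return "high", sorted(high | low)
    if low:
        return "low", sorted(low)
    return None


def scan_log(lines):
    """Return (line number, confidence, indicators) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_log_line(line)
        if result:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed Squid-style access log lines (not real telemetry).
SAMPLE_LOG = [
    "1464590000.123 45 10.0.0.5 TCP_MISS/200 512 POST http://sklasse-b.in.ua/777/gate.php - DIRECT/217.12.201.60 text/html",
    "1464590001.456 30 10.0.0.6 TCP_MISS/200 1024 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1464590002.789 40 10.0.0.7 TCP_MISS/302 300 GET http://dh005.com/ - DIRECT/185.53.179.29 text/html",
    "1464590003.012 25 10.0.0.8 TCP_MISS/200 200 GET http://parkingcrew.net/ - DIRECT/185.53.179.29 text/html",
]

if __name__ == "__main__":
    for n, confidence, indicators in scan_log(SAMPLE_LOG):
        print(f"line {n}: {confidence} confidence, matched {indicators}")
```

The third constructed line shows why the two tiers matter: dh005.com is a published C&C host and stays a high-confidence hit even though it now resolves to the parking IP, while a bare request to parkingcrew.net on the same IP is only a low-confidence hit that should prompt a look rather than a block.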

We'll continue monitoring the campaign and post updates as soon as new developments take place.