We've recently intercepted a new mobile malware, variant, targeting, users, internationally, and exposing, their, devices, to, a, multi-tude, of malicious, software.
In this post, we'll profile, the campaign, provide malicious MD5s, expose, the infrastructure, behind, it, and discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.
Sample malicious MD5s used in the campaign:
MD5: 4f1696cc06bdab9508ba3434edab2f49
MD5: 15ef763ba561eb91b5790906505f0f79
MD5: 890dfd6b50b7ca870ceb04762725b8a6
MD5: 4a3b68aeb96ef0f26f855f6afb688a3c
MD5: c729ce2babce74998726257f167da62e
MD5: 3db50821ff074a70dcbc5c31c0a78e14
Once executed, a sample, malware, phones back to the following C&C server:
hxxp://alfabrong.eu/data/id=39759ac6-0898-424b-9e0d-790edfaa700e - 5.101.117.79; 5.187.4.15
Known to have responded to the same malicious C&C server (5.101.117.79) are also the following malicious domains:
hxxp://bugstracking.xyz
hxxp://bugstrucking.xyz
hxxp://ssd850pro.pw
hxxp://forclonabster.eu
hxxp://bugtracking.biz
hxxp://directplaytds.com
hxxp://forclonabster.xyz
hxxp://alfabrong.eu
hxxp://innotion.pw
Known to have responded to the same malicious C&C server (5.187.4.15) are also the following malicious C&C servers:
hxxp://alfabrong.eu
hxxp://hyperlabs.biz
hxxp://nkprus.ru
hxxp://programmiandroid.org
We'll continue monitoring the campaign, and, will, post, updates, as, soon, as, new, developments, take, place.