Tuesday, May 17, 2016

Mobile Malware Intercepted, Thousands of Users Affected

We've, recently, intercepted, yet, another, malicious, mobile, malware, exposing, unsuspecting, users, to, a, multi-tude, of, malicious, software.

In this, post, we'll profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Known malicious MD5s, participating, in, the, campaign:
MD5: 27ad60e62ff86534c0a9331e9451833d
MD5: 78fbac978d9138651678eb63e7dfd998

Malicious C&C server, part, of, the, campaign:
hxxp://apk.longxigame.com - 123.138.67.91; 106.119.191.98

Known to have been downloaded from the same malicious C&C server IP (123.138.67.91), are, also, the, following, malicious, MD5s:
MD5: a6c9a8cfa41b608573f8a9adf767daa0
MD5: a5d98369590bd2e001ac3e2986b3d7e9
MD5: 8c5e6c7bc945877740f10e91e9640f70
MD5: e82c58593e787193b5e19810b7ab504e
MD5: 814d7d6701f00c7b96c7026b5561911c

Known to have responded, to, the, same, malicious, C&C server (apk.longxigame.com), are, also, the, following, malicious, domains:
hxxp://103.243.139.241
hxxp://113.105.245.118
hxxp://183.61.13.192
hxxp://183.61.180.216
hxxp://183.61.180.217
hxxp://106.119.191.98
hxxp://221.233.135.196
hxxp://218.60.119.245
hxxp://218.60.119.30
hxxp://118.123.202.27
hxxp://118.123.202.28
hxxp://218.60.119.244
hxxp://119.84.112.118
hxxp://119.84.112.121
hxxp://220.181.105.232
hxxp://27.221.30.76
hxxp://220.181.105.231
hxxp://27.221.30.77
hxxp://60.2.226.246
hxxp://60.2.226.248
hxxp://121.29.8.235
hxxp://60.28.226.51
hxxp://116.55.241.217
hxxp://124.95.157.252
hxxp://124.160.136.232
hxxp://124.160.136.233
hxxp://218.60.119.243
hxxp://218.60.119.252
hxxp://218.60.119.29
hxxp://122.225.34.233
hxxp://122.225.34.234
hxxp://171.111.154.243
hxxp://124.95.157.253
hxxp://202.100.74.248
hxxp://221.204.186.231
hxxp://221.204.186.232
hxxp://182.140.238.123
hxxp://218.107.196.223
hxxp://218.107.196.224
hxxp://122.227.164.225
hxxp://122.227.164.226
hxxp://122.228.95.171
hxxp://122.228.95.172
hxxp://123.129.244.23
hxxp://123.129.244.24
hxxp://210.22.60.224
hxxp://125.76.247.230
hxxp://125.76.247.231
hxxp://42.81.4.91
hxxp://42.81.4.92
hxxp://117.25.155.17
hxxp://61.154.126.29
hxxp://116.55.241.218
hxxp://106.119.191.97
hxxp://171.111.154.242
hxxp://180.96.17.157
hxxp://180.96.17.160
hxxp://117.25.155.18
hxxp://121.207.229.135
hxxp://61.154.126.28
hxxp://121.207.229.136
hxxp://222.85.26.249
hxxp://222.85.26.250
hxxp://59.46.4.221
hxxp://59.46.4.222
hxxp://183.61.13.191
hxxp://103.243.139.239
hxxp://122.141.227.183
hxxp://114.80.174.98
hxxp://114.80.174.99
hxxp://202.100.74.245
hxxp://58.216.17.111
hxxp://175.6.3.149
hxxp://175.6.3.176
hxxp://61.147.118.229
hxxp://60.28.226.41
hxxp://124.112.127.77
hxxp://124.112.127.78
hxxp://124.238.232.242
hxxp://124.238.232.241
hxxp://112.90.32.242
hxxp://112.90.32.241
hxxp://123.138.67.91
hxxp://123.138.67.92
hxxp://122.141.227.182
hxxp://121.29.8.217
hxxp://42.81.4.83
hxxp://218.107.196.236
hxxp://112.67.242.110
hxxp://112.90.32.232

Known malicious MD5s known to have phoned back to the same C&C server (123.138.67.91):
MD5: 4efbe7fe86f63530d83ae7af5a3dc272
MD5: d8a3466addf81f2afeb2ca81c49d7361
MD5: 06e37b0c4a77bfa6a1052c4dd50afd9b
MD5: ed89d5977e334045500d0415154976b6

Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://api.baizhu.cc - 120.76.122.200
hxxp://cdn.baizhu.cc - 123.138.67.91

Once executed a sample malware phones back to the following C&C servers:
hxxp://yscq.v1game.cn (203.130.58.30)
hxxp://pic.v1.cn (123.138.67.92)
hxxp://img.g.v1.cn (203.130.58.30)
hxxp://static.v1game.cn (203.130.58.30)
hxxp://pay.v1game.cn (211.151.85.249)

We'll continue, monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place.
-