Malware Serving Campaign Intercepted, Hundreds of Users Affected

June 21, 2016
We've recently intercepted a currently circulating malicious spam campaign exposing users to a multitude of malicious software, potentially compromising the confidentiality, integrity and availability of their PCs.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: 6b422988b8b66e54e68f110c64914744
MD5: 414fc339b2dd57bab972b3175a18d64a

Once executed, a sample phones back to the following C&C servers:
hxxp://hrtests.ru/S.php - 136.243.126.105; 146.185.243.133; 5.135.104.91; 178.33.188.142; 178.32.238.223; 178.208.83.7; 88.214.200.145
hxxp://managtest.ru/WinRAR.exe - 176.126.71.5; 5.196.241.192; 88.214.200.145

Related malicious MD5s known to have phoned back to the same C&C server IPs (136.243.126.105):
MD5: e974e77d0f69b46b9f6c88d98c76c0c6
MD5: 908bb37015af1c863e8e73bb76fdb127
MD5: 87882046d21d2468ee993ea7c3159c4d
MD5: 299c6ac73e225ec5a355b2fb7a618e8f
MD5: 7f2862b5f399bc74dd6d8079da819126

Related malicious MD5s known to have phoned back to the same C&C server IP (146.185.243.133):
MD5: 47c18c76540b74a1bca6ca3ae10ebd50
MD5: 024807c29f147dd77450a5bc62e59fa5
MD5: e283f13766be7f705c0271bc42681270
MD5: a29d67dad13eef259dc5c872706f15a6
MD5: 2cf7bf436ef8cbfda0136efd11e92341
MD5: 3a5f263a24728d3805045778978f00b5
MD5: 87435a3fc3799d271b3608955d1c6c4d
MD5: 95c0194351bc2685535544574eb3f5df
MD5: 7224e3698edec9590a5198defae66ef1

Once executed, a sample phones back to the following C&C server:
hxxp://worktests.ru/test0.txt

Once executed, a sample phones back to the following C&C server:
hxxp://testswork.ru/test15.txt
hxxp://testswork.ru/test18.txt
hxxp://testswork.ru/test20.txt
hxxp://testswork.ru/test21.txt

Once executed, a sample phones back to the following C&C server:
hxxp://tradetests.ru/test0.txt

Related malicious MD5s known to have phoned back to the same C&C server IP (176.126.71.5):
MD5: 44c3ac885206d641a6d2dce5a675f378
MD5: 2bf97da5f11b655428622fb10c68ff11
MD5: 6911f4a5a85e266229debfdf0832faad
MD5: 8f1b264ceef3e116522ec213ee691cd2
MD5: af7275d12796b53f0ad4d7866be49a4c

Once executed, a sample phones back to the following C&C server IPs (all on non-standard ports):
61.246.33.84:7974
187.2.210.167:6688
199.189.86.18:6199
62.103.89.163:9333
95.104.13.237:7158
203.231.71.85:6413
150.129.184.145:5560
213.184.4.236:5531
198.27.96.43:6327
115.110.36.121:8009
46.150.36.126:8404
118.233.56.195:6159
187.55.178.150:6984
219.71.10.251:6070
190.37.215.91:7443
122.117.152.249:7894
14.141.70.162:8811
188.173.150.210:6598
60.171.206.39:6349
103.47.194.115:6959
116.241.49.160:7023
175.45.228.54:6324
158.58.204.215:6789
82.76.230.210:6266
220.134.149.93:6688
201.24.187.30:9088
84.108.148.178:6822
186.95.199.115:5943
113.160.112.8:6439
24.190.4.178:6554
52.26.185.23:6549
115.165.241.228:6623
190.254.83.226:7961
177.103.154.31:6554
114.35.121.231:5774
202.65.136.234:7594
91.186.3.83:8673
31.170.141.113:11802
190.205.137.158:6554
223.255.202.23:5949
175.45.228.56:6249
202.143.149.66:9333
5.189.177.10:6843
91.224.25.225:7677
113.176.82.247:6315
121.42.15.50:11649
189.51.15.2:6018
108.61.213.137:9595
96.56.17.58:6126
61.216.32.170:8513
202.166.162.6:6519
119.236.147.67:6755
96.23.181.97:5531
190.142.66.233:7269

Related malicious MD5s known to have phoned back to the same C&C server IP (5.196.241.192):
MD5: 57f6c25f57f6af3feb149d2cf0ca7b70
MD5: 45bc494e569671ac902ac4abeaf52d0e
MD5: b23b41bc40dd6b2d707c07dfb7da8a8b
MD5: 6458ddbaa59448352cfd18d774af1114
MD5: 89bd709329d7a2666e538ee0fdc7e6a0

Once executed, a sample phones back to the following C&C server:
hxxp://stafftest.ru/test.html

Related malicious MD5s known to have participated in the campaign:
MD5: 414fc339b2dd57bab972b3175a18d64a

Once executed, a sample phones back to the following C&C servers:
hxxp://stafftest.ru
hxxp://hrtests.ru
hxxp://profetest.ru
hxxp://testpsy.ru
hxxp://pstests.ru
hxxp://qptest.ru
hxxp://prtests.ru
hxxp://jobtests.ru
hxxp://iqtesti.ru

Related malicious MD5s known to have participated in the campaign:
MD5: 7838ccf4e448d8c7404bfe86f5c9d116

Once executed, a sample phones back to the following C&C servers (the second URL is the check-in format, with the %s placeholders filled in by the malware at runtime):
hxxp://managtest.ru/minerd
hxxp://hrtests.ru/S.php?ver=24&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s
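The check-in URL above is the most durable indicator in this post: the operators can rotate hosts and IPs, but the parameter set the implant sends (ver, pc, user, sys, cmd, startup) stays with the binary. The following is an added example, not code from the original post: it refangs the hxxp:// indicators listed above into a host set, then scans web-proxy log lines for either a request to a known C&C host or a request whose query string carries the full S.php check-in parameter set on any host. The log format (timestamp, client IP, method, URL) and the sample log lines are constructed for the example.

```python
"""Proxy-log detection for the hrtests.ru / S.php beacon format.

Added example; not part of the original post. Log format and sample
lines are assumptions constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Defanged indicators copied from the post (one URL per C&C host).
DEFANGED_C2 = [
    "hxxp://hrtests.ru/S.php",
    "hxxp://managtest.ru/WinRAR.exe",
    "hxxp://worktests.ru/test0.txt",
    "hxxp://testswork.ru/test15.txt",
    "hxxp://tradetests.ru/test0.txt",
    "hxxp://stafftest.ru/test.html",
    "hxxp://profetest.ru",
    "hxxp://testpsy.ru",
    "hxxp://pstests.ru",
    "hxxp://qptest.ru",
    "hxxp://prtests.ru",
    "hxxp://jobtests.ru",
    "hxxp://iqtesti.ru",
]

# Query parameter names from the S.php check-in URL in the post.
BEACON_PARAMS = {"ver", "pc", "user", "sys", "cmd", "startup"}

# Assumed log format: "<timestamp> <client-ip> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.I).replace("[.]", ".")


def c2_hosts(defanged):
    """Lower-cased set of hostnames from a list of defanged URLs."""
    hosts = set()
    for ioc in defanged:
        host = urlsplit(refang(ioc)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_beacon_query(url: str) -> bool:
    """True when the query string carries every S.php check-in parameter."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return BEACON_PARAMS.issubset(params.keys())


def scan_proxy_log(lines, hosts):
    """Return (client_ip, host, reasons) for each matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash
        url = m.group("url")
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if host in hosts:
            reasons.append("known-c2-host")
        if is_beacon_query(url):  # catches the beacon even on an unlisted host
            reasons.append("s.php-beacon-params")
        if reasons:
            hits.append((m.group("src"), host, reasons))
    return hits


# Constructed sample log: one benign request, two listed hosts, one beacon
# to an unlisted IP, and a benign S.php URL that lacks the parameter set.
SAMPLE_LOG = [
    "2016-06-21T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html",
    "2016-06-21T10:01:09Z 10.0.0.5 GET http://hrtests.ru/S.php?ver=24&pc=WS01&user=jdoe&sys=6.1&cmd=0&startup=1/1",
    "2016-06-21T10:01:15Z 10.0.0.7 GET http://testswork.ru/test18.txt",
    "2016-06-21T10:02:00Z 10.0.0.9 GET http://198.51.100.23/S.php?ver=24&pc=WS02&user=asmith&sys=10.0&cmd=0&startup=1/1",
    "2016-06-21T10:02:30Z 10.0.0.9 GET http://search.example.net/S.php?q=tests",
]


def scan_sample():
    """Run the scan over the constructed sample log."""
    return scan_proxy_log(SAMPLE_LOG, c2_hosts(DEFANGED_C2))


if __name__ == "__main__":
    for src, host, reasons in scan_sample():
        print(f"{src} -> {host}: {', '.join(reasons)}")
```

The parameter-set check is deliberately host-agnostic so that a new staging host with the same implant still fires; the trade-off is that it only matches the exact parameter names seen in this sample, so a version of the implant that renames them will need the set updated.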

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Malware Serving Campaign Intercepted, Hundreds of Users Affected

June 20, 2016
We've recently intercepted a currently circulating malicious campaign affecting hundreds of thousands of users globally, potentially exposing their PCs to a variety of malicious software and compromising the integrity, confidentiality and availability of their devices.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the campaign:
hxxp://gv.com.my/0gcgs - 210.48.153.240
hxxp://test.glafuri.net/yxk6s - 176.223.121.193
hxxp://australiancheerleader.com.au/jsc1okam - 103.254.138.242

Related malicious MD5s known to have participated in the campaign:
MD5: c1f95adbcaf520bf182f9014970d33e5

Known to have phoned back to the same C&C server (210.48.153.240) are also the following malicious MD5s:
MD5: 8ea223d68856ba857a485b506259ae00
MD5: 8697121c56d20b602cd866dd1c0c1791
MD5: d668ee452efb2f1dd0dafc3f44b003e9
MD5: b1eedb69ad38d2e9ff3d5165163f1d0f

Once executed, a sample phones back to the following C&C server:
hxxp://138.201.93.46/userinfo.php

Related malicious C&C servers known to have participated in the campaign:
hxxp://pariachat.ir
hxxp://mahshahrchat.top
hxxp://tandischat.xyz
hxxp://irancell-chat.ir
hxxp://shokolatt.ir
hxxp://mahshahrchat.ir
hxxp://roznazchat.com

Related malicious MD5s known to have participated in the campaign:
MD5: 47223a926f70206de5aa9e9f4f4182f0

Once executed, a sample phones back to the following C&C servers:
hxxp://138.201.93.46/userinfo.php
hxxp://91.200.14.139/userinfo.php
hxxp://104.131.182.103/userinfo.php
hxxp://164.132.40.47/userinfo.php
hxxp://tjpdcrsbkyqscdue.info/userinfo.php - 69.195.129.70

Related malicious MD5s known to have phoned back to the same C&C server IP (91.200.14.139):
MD5: 47223a926f70206de5aa9e9f4f4182f0

Known to have phoned back to the same C&C server IP (69.195.129.70) are also the following malicious MD5s:
MD5: cd867fa29b9cd9b4d16f96aecb179521
MD5: ec12c2a033b3a381a86072c20a0527f2
MD5: d27ecf75aeb611297ed5b9f70b9773f0
MD5: 3b6ad5215f20452417e4af71eefe7bc9
MD5: b75580959b8eef6574ac029333afafa5

Once executed, a sample phones back to the following C&C servers:
hxxp://insamertojertoq.cc/in0odrfqwbio0sa
hxxp://tbiimhetdqyn.com/in0odrfqwbio0sa
hxxp://pmiqpskfkwkc.com/in0odrfqwbio0sa
hxxp://osghqrdmlyhh.net/in0odrfqwbio0sa
hxxp://lltlsiirjjjj.com/in0odrfqwbio0sa

Related malicious MD5s known to have participated in the campaign:
MD5: 90eb8948513e21a8c87f8295ac7e81f5

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Intercepted, Hundreds of Users Affected

June 09, 2016
We've recently intercepted a currently circulating malicious campaign exposing users to a variety of malicious software, potentially compromising the confidentiality, integrity and availability of their devices.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: beff48e790ed35ba081ea5d852e27c98
MD5: e200e630ad3af2e91f10608577e0ece3

Once executed, a sample phones back to the following C&C server:
hxxp://ksa-sef.com - 166.62.28.116; 107.180.50.244

Related malicious MD5s known to have phoned back to the same C&C server (166.62.28.116; 107.180.50.244):
MD5: c235a6e9700eb647f64113afa7bf028e
MD5: 3e00678672854c59c95eb4e800ec70a7
MD5: a24ba1d529ed33b86d04901f7b8e0d0a
MD5: ce22495bb5dda49a3953b7280b9032ef
MD5: 94885422e458fae7d83f0765c3cfa799
MD5: 180ff0b7620d525a2359f419b29a055e

Once executed, a sample phones back to the following C&C server:
hxxp://92.222.71.26/userinfo.php

Related malicious MD5s known to have phoned back to the same C&C server:
MD5: ea662c74e0cc7f798b9cfa73754e0458
MD5: a33b472659cba92a620e21797118a96d
MD5: 41f7c6937803e18c58e435c86771a381
MD5: cd1bb597d3d9ba25bc983f9be72f78ae
MD5: 92530421468a7532a57757bb1d5c967a

Once executed, a sample phones back to the following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://188.127.231.124
hxxp://107.181.174.15

Once executed, a sample phones back to the following C&C servers:
hxxp://orgyyeetrcy.biz
hxxp://kfcsrdphvavgvmds.work
hxxp://dqtfhkgskushlum.org
hxxp://nxmdtliospnbnveuk.pw
hxxp://ahhjmkwfnjkitu.biz
hxxp://gxaabswsxvdohead.su
hxxp://fkrvelnrphljkykhf.su
hxxp://jqdfhsb.info
hxxp://qgbikqjraxhtndbl.biz
hxxp://omlsxegqnuqgpctp.click
hxxp://dinbfdccx.work

Once executed, a sample phones back to the following C&C servers:
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://92.222.71.26
hxxp://188.127.231.124

Once executed, a sample phones back to the following C&C servers:
hxxp://omlsxegqnuqgpctp.click
hxxp://dqtfhkgskushlum.org
hxxp://gxaabswsxvdohead.su
hxxp://evesynbkcji.info
hxxp://kfcsrdphvavgvmds.work
hxxp://ahhjmkwfnjkitu.biz
hxxp://dinbfdccx.work
hxxp://nxmdtliospnbnveuk.pw
hxxp://orgyyeetrcy.biz
hxxp://fkrvelnrphljkykhf.su
hxxp://jqdfhsb.info

Once executed, a sample phones back to the following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://188.127.231.124

We'll continue monitoring the campaign and post updates as soon as new developments take place.