We've recently intercepted, a, currently, circulating, malicious, campaign, affecting, hundreds, of, thousands, of, users, globally, potentially, exposing, their PCs, to, a, variety, of, malicious, software, compromising, the, integrity, confidentiality, and, availability, of, their, devices.
In, this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Malicious URLs, known, to, have, participated, in, the, campaign:
hxxp://gv.com.my/0gcgs - 210.48.153.240
hxxp://test.glafuri.net/yxk6s - 176.223.121.193
hxxp://australiancheerleader.com.au/jsc1okam - 103.254.138.242
Related malicious MD5s known to have participated in the campaign:
MD5: c1f95adbcaf520bf182f9014970d33e5
Known to have phoned back to the same C&C server (210.48.153.240) are also the following malicious MD5s:
MD5: 8ea223d68856ba857a485b506259ae00
MD5: 8697121c56d20b602cd866dd1c0c1791
MD5: d668ee452efb2f1dd0dafc3f44b003e9
MD5: b1eedb69ad38d2e9ff3d5165163f1d0f
Once executed, a, sample, malware, phones, back, to, the, following, C&C, server:
hxxp://138.201.93.46/userinfo.php
Related malicious C&C servers, known, to, have, participated, in, the, campaign:
hxxp://pariachat.ir
hxxp://mahshahrchat.top
hxxp://tandischat.xyz
hxxp://irancell-chat.ir
hxxp://shokolatt.ir
hxxp://mahshahrchat.ir
hxxp://roznazchat.com
Related malicious MD5s known to have participated in the campaign:
MD5: 47223a926f70206de5aa9e9f4f4182f0
Once executed, a, sample, malware, phones, back, to, the, following, C&C, server:
hxxp://138.201.93.46/userinfo.php
hxxp://91.200.14.139/userinfo.php
hxxp://104.131.182.103/userinfo.php
hxxp://164.132.40.47/userinfo.php
hxxp://tjpdcrsbkyqscdue.info/userinfo.php - 69.195.129.70
Related malicious MD5s known to have phoned back to the same C&C server IP (91.200.14.139):
MD5: 47223a926f70206de5aa9e9f4f4182f0
Known to have phoned back to the same C&C server IP (69.195.129.70) are also the following malicious MD5s:
MD5: cd867fa29b9cd9b4d16f96aecb179521
MD5: ec12c2a033b3a381a86072c20a0527f2
MD5: d27ecf75aeb611297ed5b9f70b9773f0
MD5: 3b6ad5215f20452417e4af71eefe7bc9
MD5: b75580959b8eef6574ac029333afafa5
Once executed, a, sample, malware, phones, back, to, the, following C&C server IPs:
hxxp://insamertojertoq.cc/in0odrfqwbio0sa
hxxp://tbiimhetdqyn.com/in0odrfqwbio0sa
hxxp://pmiqpskfkwkc.com/in0odrfqwbio0sa
hxxp://osghqrdmlyhh.net/in0odrfqwbio0sa
hxxp://lltlsiirjjjj.com/in0odrfqwbio0sa
Related malicious MD5s known to have participated in the campaign:
MD5: 90eb8948513e21a8c87f8295ac7e81f5
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Monday, June 20, 2016
Malware Serving Campaign Intercepted, Hundreds of Users Affected
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com