We've recently intercepted, a currently, circulating, malicious, spam, campaign, exposing, users, to, a, multi-tude, of, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, their, PCs, to, a, variety, of, malicious, software.
In, this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Malicious MD5s known to have participated in the campaign:
MD5: 6b422988b8b66e54e68f110c64914744
MD5: 414fc339b2dd57bab972b3175a18d64a
Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://hrtests.ru/S.php - 136.243.126.105; 146.185.243.133; 5.135.104.91; 178.33.188.142; 178.32.238.223; 178.208.83.7; 88.214.200.145
hxxp://managtest.ru/WinRAR.exe - 176.126.71.5; 5.196.241.192; 88.214.200.145
Related malicious MD5s known to have phoned back to the same C&C server IPs (136.243.126.105):
MD5: e974e77d0f69b46b9f6c88d98c76c0c6
MD5: 908bb37015af1c863e8e73bb76fdb127
MD5: 87882046d21d2468ee993ea7c3159c4d
MD5: 299c6ac73e225ec5a355b2fb7a618e8f
MD5: 7f2862b5f399bc74dd6d8079da819126
Related malicious MD5s, known, to, have, phoned, back, to, the, same, C&C server IP (146.185.243.133):
MD5: 47c18c76540b74a1bca6ca3ae10ebd50
MD5: 024807c29f147dd77450a5bc62e59fa5
MD5: e283f13766be7f705c0271bc42681270
MD5: a29d67dad13eef259dc5c872706f15a6
MD5: 2cf7bf436ef8cbfda0136efd11e92341
Related malicious MD5s, known, to, have, phoned, back, to, the, same, C&C server IP (146.185.243.133):
MD5: 2cf7bf436ef8cbfda0136efd11e92341
MD5: 3a5f263a24728d3805045778978f00b5
MD5: 87435a3fc3799d271b3608955d1c6c4d
MD5: 95c0194351bc2685535544574eb3f5df
MD5: 7224e3698edec9590a5198defae66ef1
Once executed, a, sample, malware, phones, back, to, the, following, C&C, server IP:
hxxp://worktests.ru/test0.txt
Once executed, a, sample, malware, phones, back, to, the, following, C&C, server, IP:
hxxp://testswork.ru/test15.txt
hxxp://testswork.ru/test18.txt
hxxp://testswork.ru/test18.txt
hxxp://testswork.ru/test20.txt
hxxp://testswork.ru/test21.txt
Once executed a sample malware phones, back, to, the, following, C&C, server, IP:
hxxp://tradetests.ru/test0.txt
Related malicious MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP (176.126.71.5):
MD5: 44c3ac885206d641a6d2dce5a675f378
MD5: 2bf97da5f11b655428622fb10c68ff11
MD5: 6911f4a5a85e266229debfdf0832faad
MD5: 8f1b264ceef3e116522ec213ee691cd2
MD5: af7275d12796b53f0ad4d7866be49a4c
Once executed, a, sample, malware, phones, back, to, the, following, C&C server, IPs:
61.246.33.84:7974
187.2.210.167:6688
199.189.86.18:6199
62.103.89.163:9333
95.104.13.237:7158
203.231.71.85:6413
150.129.184.145:5560
213.184.4.236:5531
198.27.96.43:6327
115.110.36.121:8009
46.150.36.126:8404
118.233.56.195:6159
187.55.178.150:6984
219.71.10.251:6070
190.37.215.91:7443
122.117.152.249:7894
14.141.70.162:8811
188.173.150.210:6598
60.171.206.39:6349
103.47.194.115:6959
116.241.49.160:7023
175.45.228.54:6324
158.58.204.215:6789
82.76.230.210:6266
220.134.149.93:6688
201.24.187.30:9088
84.108.148.178:6822
186.95.199.115:5943
113.160.112.8:6439
24.190.4.178:6554
52.26.185.23:6549
115.165.241.228:6623
190.254.83.226:7961
177.103.154.31:6554
114.35.121.231:5774
202.65.136.234:7594
91.186.3.83:8673
31.170.141.113:11802
190.205.137.158:6554
223.255.202.23:5949
175.45.228.56:6249
202.143.149.66:9333
5.189.177.10:6843
91.224.25.225:7677
113.176.82.247:6315
121.42.15.50:11649
189.51.15.2:6018
108.61.213.137:9595
96.56.17.58:6126
61.216.32.170:8513
202.166.162.6:6519
119.236.147.67:6755
96.23.181.97:5531
190.142.66.233:7269
Related malicious MD5s known to have phoned back to the same C&C server IP (5.196.241.192):
MD5: 57f6c25f57f6af3feb149d2cf0ca7b70
MD5: 45bc494e569671ac902ac4abeaf52d0e
MD5: b23b41bc40dd6b2d707c07dfb7da8a8b
MD5: 6458ddbaa59448352cfd18d774af1114
MD5: 89bd709329d7a2666e538ee0fdc7e6a0
Once executed, a, sample, malware, phones, back, to, the, following, C&C, server, IP:
hxxp://stafftest.ru/test.html
Related malicious MD5s known to have participated in the campaign:
MD5: 414fc339b2dd57bab972b3175a18d64a
Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://stafftest.ru
hxxp://hrtests.ru
hxxp://profetest.ru
hxxp://testpsy.ru
hxxp://pstests.ru
hxxp://qptest.ru
hxxp://prtests.ru
hxxp://jobtests.ru
hxxp://iqtesti.ru
Related malicious MD5s known to have participated in the campaign:
MD5: 7838ccf4e448d8c7404bfe86f5c9d116
Once executed, a, sample, malware, phones, back, to, the, following, C&C, server:
hxxp://managtest.ru/minerd
hxxp://hrtests.ru/S.php?ver=24&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s
We'll continue monitoring the campaign and post updates as soon as new developments, take, place.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Tuesday, June 21, 2016
Malware Serving Campaign Intercepted, Hundreds of Users Affected
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com