We've recently intercepted a currently circulating malicious campaign exposing users to a variety of malicious software and potentially putting the confidentiality, integrity and availability of their devices at risk.
In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.
Malicious MD5s known to have participated in the campaign:
MD5: beff48e790ed35ba081ea5d852e27c98
MD5: e200e630ad3af2e91f10608577e0ece3
Once executed, a malware sample phones back to the following C&C server:
hxxp://ksa-sef.com - 166.62.28.116; 107.180.50.244
Related malicious MD5s known to have phoned back to the same C&C server (166.62.28.116; 107.180.50.244):
MD5: c235a6e9700eb647f64113afa7bf028e
MD5: 3e00678672854c59c95eb4e800ec70a7
MD5: a24ba1d529ed33b86d04901f7b8e0d0a
MD5: ce22495bb5dda49a3953b7280b9032ef
MD5: 94885422e458fae7d83f0765c3cfa799
MD5: 180ff0b7620d525a2359f419b29a055e
Once executed, a malware sample phones back to the following C&C server:
hxxp://92.222.71.26/userinfo.php
Related malicious MD5s known to have phoned back to the same C&C server:
MD5: ea662c74e0cc7f798b9cfa73754e0458
MD5: a33b472659cba92a620e21797118a96d
MD5: 41f7c6937803e18c58e435c86771a381
MD5: cd1bb597d3d9ba25bc983f9be72f78ae
MD5: 92530421468a7532a57757bb1d5c967a
Once executed, a malware sample phones back to the following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://188.127.231.124
hxxp://92.222.71.26
hxxp://107.181.174.15
Once executed, a malware sample phones back to the following C&C servers:
hxxp://orgyyeetrcy.biz
hxxp://kfcsrdphvavgvmds.work
hxxp://dqtfhkgskushlum.org
hxxp://nxmdtliospnbnveuk.pw
hxxp://ahhjmkwfnjkitu.biz
hxxp://gxaabswsxvdohead.su
hxxp://fkrvelnrphljkykhf.su
hxxp://jqdfhsb.info
hxxp://qgbikqjraxhtndbl.biz
hxxp://omlsxegqnuqgpctp.click
hxxp://dinbfdccx.work
Once executed, a malware sample phones back to the following C&C servers:
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://92.222.71.26
hxxp://188.127.231.124
Once executed, a malware sample phones back to the following C&C servers:
hxxp://omlsxegqnuqgpctp.click
hxxp://dqtfhkgskushlum.org
hxxp://gxaabswsxvdohead.su
hxxp://evesynbkcji.info
hxxp://kfcsrdphvavgvmds.work
hxxp://ahhjmkwfnjkitu.biz
hxxp://dinbfdccx.work
hxxp://nxmdtliospnbnveuk.pw
hxxp://orgyyeetrcy.biz
hxxp://fkrvelnrphljkykhf.su
hxxp://jqdfhsb.info
Once executed, a malware sample phones back to the following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://188.127.231.124
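The indicators listed above are most useful when matched against proxy and endpoint logs. The following Python script is an added example, not code from the original post: it refangs the published hxxp:// entries into bare hosts, splits them into domain and IP sets alongside the listed MD5s, and scans constructed sample log lines (squid-style proxy records and made-up endpoint hash events, not real traffic) for contact with the listed C&C infrastructure or execution of the listed samples. The log formats, the workstation names ws-17/ws-23 and the non-matching filler entries are assumptions made for the demonstration.

```python
"""Added example (not from the original post): refang the published
indicators and run them over constructed proxy and endpoint log lines."""
import ipaddress
import re
from typing import Dict, List, Set

# Indicators transcribed from the post, kept in their published (defanged) form.
DEFANGED_C2 = [
    "hxxp://ksa-sef.com", "hxxp://92.222.71.26/userinfo.php",
    "hxxp://176.53.21.105", "hxxp://188.127.231.124", "hxxp://107.181.174.15",
    "hxxp://149.202.109.202", "hxxp://31.184.197.72",
    "hxxp://orgyyeetrcy.biz", "hxxp://kfcsrdphvavgvmds.work",
    "hxxp://dqtfhkgskushlum.org", "hxxp://nxmdtliospnbnveuk.pw",
    "hxxp://ahhjmkwfnjkitu.biz", "hxxp://gxaabswsxvdohead.su",
    "hxxp://fkrvelnrphljkykhf.su", "hxxp://jqdfhsb.info",
    "hxxp://qgbikqjraxhtndbl.biz", "hxxp://omlsxegqnuqgpctp.click",
    "hxxp://dinbfdccx.work", "hxxp://evesynbkcji.info",
]
# IPs the post gives for ksa-sef.com (listed there without a hxxp:// prefix).
EXTRA_C2_IPS = ["166.62.28.116", "107.180.50.244"]
# Sample hashes from the post.
KNOWN_MD5S = {
    "beff48e790ed35ba081ea5d852e27c98", "e200e630ad3af2e91f10608577e0ece3",
    "c235a6e9700eb647f64113afa7bf028e", "3e00678672854c59c95eb4e800ec70a7",
    "a24ba1d529ed33b86d04901f7b8e0d0a", "ce22495bb5dda49a3953b7280b9032ef",
    "94885422e458fae7d83f0765c3cfa799", "180ff0b7620d525a2359f419b29a055e",
    "ea662c74e0cc7f798b9cfa73754e0458", "a33b472659cba92a620e21797118a96d",
    "41f7c6937803e18c58e435c86771a381", "cd1bb597d3d9ba25bc983f9be72f78ae",
    "92530421468a7532a57757bb1d5c967a",
}


def refang_host(indicator: str) -> str:
    """Strip the hxxp(s):// defanging and any path, returning the bare host."""
    host = re.sub(r"^hxxps?://", "", indicator.strip(), flags=re.IGNORECASE)
    return host.split("/", 1)[0].lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_iocs(defanged: List[str], extra_ips: List[str]) -> Dict[str, Set[str]]:
    """Split the published indicators into a domain set and an IP set."""
    iocs: Dict[str, Set[str]] = {"domains": set(), "ips": set(extra_ips)}
    for ind in defanged:
        host = refang_host(ind)
        iocs["ips" if is_ip(host) else "domains"].add(host)
    return iocs


URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def scan_log(lines: List[str], iocs: Dict[str, Set[str]], md5s: Set[str]) -> List[dict]:
    """Return one hit per (line, indicator) for domains, IPs and hashes found in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for m in URL_RE.finditer(line):          # requested host names
            if m.group(1).lower() in iocs["domains"]:
                seen.add(("domain", m.group(1).lower()))
        for m in IPV4_RE.finditer(line):         # any IPv4 literal, e.g. the resolved peer
            if m.group(0) in iocs["ips"]:
                seen.add(("ip", m.group(0)))
        for m in MD5_RE.finditer(line):          # hashes reported by an endpoint agent
            if m.group(0).lower() in md5s:
                seen.add(("md5", m.group(0).lower()))
        hits.extend({"line": n, "type": k, "indicator": v} for k, v in sorted(seen))
    return hits


# Constructed log lines for the demonstration (not real traffic).
SAMPLE_PROXY_LOG = [
    "1700000000.123 45 10.0.0.17 TCP_MISS/200 512 GET http://ksa-sef.com/ - HIER_DIRECT/166.62.28.116 text/html",
    "1700000001.456 12 10.0.0.23 TCP_MISS/200 3800 GET http://www.example.com/ - HIER_DIRECT/203.0.113.5 text/html",
    "1700000002.789 30 10.0.0.17 TCP_MISS/200 128 POST http://92.222.71.26/userinfo.php - HIER_DIRECT/92.222.71.26 text/plain",
    "1700000003.001 20 10.0.0.42 TCP_MISS/404 256 GET http://omlsxegqnuqgpctp.click/ - HIER_DIRECT/203.0.113.9 text/html",
]
SAMPLE_EDR_LOG = [
    "2024-01-01T10:00:00Z host=ws-17 event=process_start md5=beff48e790ed35ba081ea5d852e27c98 image=sample.bin",
    "2024-01-01T10:00:05Z host=ws-23 event=process_start md5=d41d8cd98f00b204e9800998ecf8427e image=notepad.exe",
]


def run_demo() -> List[dict]:
    iocs = build_iocs(DEFANGED_C2, EXTRA_C2_IPS)
    return scan_log(SAMPLE_PROXY_LOG + SAMPLE_EDR_LOG, iocs, KNOWN_MD5S)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"line {hit['line']}: {hit['type']} indicator {hit['indicator']}")
```

Matching the resolved peer IP separately from the requested host name matters here: the post ties ksa-sef.com to two IPs, so a host that reaches 166.62.28.116 directly, or under a name not yet on the list, still produces an IP hit. Lowercasing and stripping paths before comparison avoids missing hits on case or URL variations of the same host.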
We'll continue monitoring the campaign and post updates as soon as new developments take place.