We've recently intercepted a currently circulating malicious campaign affecting hundreds of Google Play users, potentially exposing their devices to a multitude of malicious software and compromising the confidentiality, integrity and availability of those devices. Largely relying on a set of social engineering vectors, cybercriminals continue populating Google Play with hundreds of malicious releases, successfully bypassing Google Play's security mechanisms.
Thanks to a vibrant cybercrime ecosystem, stolen and compromised accounting data continues to represent an underground market commodity, successfully empowering novice cybercriminals with the necessary tools and know-how to continue launching malicious attacks. Largely relying on a set of social engineering vectors, cybercriminals continue to compromise and take advantage of stolen publisher accounts, bypassing Google Play's security mechanisms and potentially exposing hundreds of thousands of users to a multitude of malicious software.
In this post, we'll profile the campaign, expose the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.
Related malicious MD5s known to have
participated in the campaign:
MD5: 3c4f56ebf48a0b47bffec547804d94f4
MD5: 8a81ef6673321bddc557c486bce2a025
MD5: 789cb05effb586bda98e87e71e340c39
MD5: 505e4d58c53d47245aa89c0fd7cded83
MD5: c7bb64012126e7f75feb5d021e755903
Once executed, a sample malware (MD5: 3c4f56ebf48a0b47bffec547804d94f4) phones back to the following C&C servers:
hxxp://art.hornymilfporna.com/g/getasite/
hxxp://art.hornymilfporna.com/z/orap/
hxxp://art.hornymilfporna.com/z/z2/
hxxp://art.hornymilfporna.com/z/z5/
Related malicious MD5s known to have
phoned back to the same C&C server IP (art.hornymilfporna.com):
MD5: ee329ffcd6fe835bfdc0ec1a7f033584
Related malicious MD5s known to have
phoned back to the same C&C server IP (hornymilfporna.com -
54.72.9.51; 104.27.188.20; 104.24.124.113):
MD5: d990fe6ed56e5f087dfc4c1ad09e2591
MD5: d129b79a68dd362714a4d35f9901c661
MD5: d74aab1f688c670c172c3767a17c4953
MD5: 5f8a4de87409b399d262bd0ae0a908d7
MD5: 189803a93cde9e0c401ac386c154328f
Once executed, a sample malware phones back to the following C&C servers:
hxxp://fullset.link
hxxp://allmodel-pro.com
hxxp://sso.anbtr.com
hxxp://xsso.allmodel-pro.com
hxxp://fullset.info
hxxp://groupmodel.biz
Once executed, a sample malware phones back to the following C&C server IPs:
212.61.180.100
195.22.28.222
212.61.180.100
54.72.9.51
Once executed, a sample malware (MD5: 8a81ef6673321bddc557c486bce2a025) phones back to the following C&C servers:
hxxp://cinar.pussyteenx.com/g/getasite/ - 8.5.1.44; 46.45.168.84
hxxp://cinar.pussyteenx.com/z/orap/
hxxp://cinar.pussyteenx.com/z/z2/
hxxp://cinar.pussyteenx.com/z/z5/
Related malicious MD5s known to have phoned back to the same C&C server IPs (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):
MD5: b9a2447a5b292566b4998c5d996f488b
Related malicious MD5s known to have phoned back to the same C&C server IP (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):
MD5: f8205b4b9ae5d8ac8bf7b3996a6be408
MD5: a73138a8275b68296bfcf0ed39b2665c
MD5: ff06679eb18932e31f8b05d92a48b4eb
MD5: 107993dce5417356d40279feb2be0017
MD5: d5ed564fd2f4c10e3a26df9342a09545
Once executed, a sample malware (MD5: f8205b4b9ae5d8ac8bf7b3996a6be408) phones back to the following C&C servers:
hxxp://englishmeasure.net
hxxp://eitherdinner.net
hxxp://englishdinner.net
hxxp://eitherafraid.net
hxxp://englishafraid.net
hxxp://eithercircle.net
hxxp://englishcircle.net
hxxp://expectwheat.net
hxxp://becausewheat.net
hxxp://expectanger.net
hxxp://becauseanger.net
hxxp://expectalways.net
hxxp://becausealways.net
hxxp://expectforest.net
hxxp://becauseforest.net
hxxp://personwheat.net
hxxp://machinewheat.net
hxxp://personanger.net
hxxp://machineanger.net
hxxp://personalways.net
hxxp://machinealways.net
hxxp://personforest.net
hxxp://machineforest.net
hxxp://suddenwheat.net
hxxp://foreignwheat.net
hxxp://suddenanger.net
hxxp://foreignanger.net
hxxp://suddenalways.net
hxxp://foreignalways.net
hxxp://suddenforest.net
hxxp://foreignforest.net
hxxp://whetherwheat.net
hxxp://rightwheat.net
hxxp://whetheranger.net
hxxp://rightanger.net
hxxp://whetheralways.net
hxxp://rightalways.net
hxxp://whetherforest.net
hxxp://rightforest.net
hxxp://figurewheat.net
hxxp://thoughwheat.net
hxxp://figureanger.net
hxxp://thoughanger.net
hxxp://figurealways.net
hxxp://thoughalways.net
hxxp://figureforest.net
hxxp://thoughforest.net
hxxp://picturewheat.net
hxxp://cigarettewheat.net
hxxp://pictureanger.net
hxxp://cigaretteanger.net
hxxp://picturealways.net
hxxp://cigarettealways.net
hxxp://pictureforest.net
hxxp://cigaretteforest.net
hxxp://childrenwheat.net
hxxp://familywheat.net
hxxp://childrenanger.net
hxxp://familyanger.net
hxxp://childrenalways.net
hxxp://familyalways.net
hxxp://childrenforest.net
hxxp://familyforest.net
hxxp://eitherwheat.net
hxxp://englishwheat.net
hxxp://eitheranger.net
hxxp://englishanger.net
hxxp://eitheralways.net
hxxp://englishalways.net
hxxp://eitherforest.net
hxxp://englishforest.net
hxxp://expectschool.net
hxxp://becauseschool.net
hxxp://expectwhile.net
hxxp://becausewhile.net
hxxp://expectquestion.net
hxxp://becausequestion.net
hxxp://expecttherefore.net
hxxp://becausetherefore.net
hxxp://personschool.net
hxxp://machineschool.net
hxxp://personwhile.net
hxxp://machinewhile.net
hxxp://personquestion.net
hxxp://machinequestion.net
Once executed, a sample malware (MD5: a73138a8275b68296bfcf0ed39b2665c) phones back to the following C&C servers:
hxxp://figurefather.net
hxxp://thoughfather.net
hxxp://figureapple.net
hxxp://thoughapple.net
hxxp://figurebuilt.net
hxxp://thoughbuilt.net
hxxp://figurecarry.net
hxxp://thoughcarry.net
hxxp://picturefather.net
hxxp://cigarettefather.net
hxxp://pictureapple.net
hxxp://cigaretteapple.net
hxxp://picturebuilt.net
hxxp://cigarettebuilt.net
hxxp://picturecarry.net
hxxp://cigarettecarry.net
hxxp://childrenfather.net
hxxp://familyfather.net
hxxp://childrenapple.net
hxxp://familyapple.net
hxxp://childrenbuilt.net
hxxp://familybuilt.net
hxxp://childrencarry.net
hxxp://familycarry.net
hxxp://eitherfather.net
hxxp://englishfather.net
hxxp://eitherapple.net
hxxp://englishapple.net
hxxp://eitherbuilt.net
hxxp://englishbuilt.net
hxxp://eithercarry.net
hxxp://englishcarry.net
hxxp://expectmeasure.net
hxxp://becausemeasure.net
hxxp://expectdinner.net
hxxp://becausedinner.net
hxxp://expectafraid.net
hxxp://becauseafraid.net
hxxp://expectcircle.net
hxxp://becausecircle.net
hxxp://personmeasure.net
hxxp://machinemeasure.net
hxxp://persondinner.net
hxxp://machinedinner.net
hxxp://personafraid.net
hxxp://machineafraid.net
hxxp://personcircle.net
hxxp://machinecircle.net
hxxp://suddenmeasure.net
hxxp://foreignmeasure.net
hxxp://suddendinner.net
hxxp://foreigndinner.net
hxxp://suddenafraid.net
hxxp://foreignafraid.net
hxxp://suddencircle.net
hxxp://foreigncircle.net
hxxp://whethermeasure.net
hxxp://rightmeasure.net
hxxp://whetherdinner.net
hxxp://rightdinner.net
hxxp://whetherafraid.net
hxxp://rightafraid.net
hxxp://whethercircle.net
hxxp://rightcircle.net
hxxp://figuremeasure.net
hxxp://thoughmeasure.net
hxxp://figuredinner.net
hxxp://thoughdinner.net
hxxp://figureafraid.net
hxxp://thoughafraid.net
hxxp://figurecircle.net
hxxp://thoughcircle.net
hxxp://picturemeasure.net
hxxp://cigarettemeasure.net
hxxp://picturedinner.net
hxxp://cigarettedinner.net
hxxp://pictureafraid.net
hxxp://cigaretteafraid.net
hxxp://picturecircle.net
hxxp://cigarettecircle.net
hxxp://childrenmeasure.net
hxxp://familymeasure.net
hxxp://childrendinner.net
hxxp://familydinner.net
hxxp://childrenafraid.net
hxxp://familyafraid.net
hxxp://childrencircle.net
hxxp://familycircle.net
hxxp://eithermeasure.net
hxxp://englishmeasure.net
hxxp://eitherdinner.net
hxxp://englishdinner.net
hxxp://eitherafraid.net
hxxp://englishafraid.net
hxxp://eithercircle.net
hxxp://englishcircle.net
hxxp://expectwheat.net
hxxp://becausewheat.net
hxxp://expectanger.net
hxxp://becauseanger.net
hxxp://expectalways.net
hxxp://becausealways.net
hxxp://expectforest.net
hxxp://becauseforest.net
hxxp://personwheat.net
hxxp://machinewheat.net
hxxp://personanger.net
hxxp://machineanger.net
hxxp://personalways.net
hxxp://machinealways.net
hxxp://personforest.net
hxxp://machineforest.net
hxxp://suddenwheat.net
hxxp://foreignwheat.net
hxxp://suddenanger.net
hxxp://foreignanger.net
hxxp://suddenalways.net
hxxp://foreignalways.net
hxxp://suddenforest.net
hxxp://foreignforest.net
hxxp://whetherwheat.net
hxxp://rightwheat.net
hxxp://whetheranger.net
hxxp://rightanger.net
hxxp://whetheralways.net
hxxp://rightalways.net
hxxp://whetherforest.net
hxxp://rightforest.net
hxxp://figurewheat.net
hxxp://thoughwheat.net
hxxp://figureanger.net
Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://195.22.28.197
hxxp://195.22.28.199
hxxp://184.168.221.55
hxxp://208.100.26.234
hxxp://184.168.221.35
hxxp://98.124.243.42
hxxp://208.100.26.234
hxxp://184.168.221.104
hxxp://173.236.80.218
hxxp://195.22.26.248
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://8.5.1.44
hxxp://98.130.238.135
Once executed, a sample malware (MD5: ff06679eb18932e31f8b05d92a48b4eb) phones back to the following C&C servers:
hxxp://strengthbecame.net
hxxp://stillbecame.net
hxxp://strengthcontain.net
hxxp://stillcontain.net
hxxp://strengthbasket.net
hxxp://stillbasket.net
hxxp://movementsettle.net
hxxp://outsidesettle.net
hxxp://movementlanguage.net
hxxp://outsidelanguage.net
hxxp://movementdevice.net
hxxp://outsidedevice.net
hxxp://movementbefore.net
hxxp://outsidebefore.net
hxxp://buildingsettle.net
hxxp://eveningsettle.net
hxxp://buildinglanguage.net
hxxp://eveninglanguage.net
hxxp://buildingdevice.net
hxxp://eveningdevice.net
hxxp://buildingbefore.net
hxxp://eveningbefore.net
hxxp://storesettle.net
hxxp://mightsettle.net
hxxp://storelanguage.net
hxxp://mightlanguage.net
hxxp://storedevice.net
hxxp://mightdevice.net
hxxp://storebefore.net
hxxp://mightbefore.net
hxxp://doctorsettle.net
hxxp://prettysettle.net
hxxp://doctorlanguage.net
hxxp://prettylanguage.net
hxxp://doctordevice.net
hxxp://prettydevice.net
hxxp://doctorbefore.net
hxxp://prettybefore.net
hxxp://fellowsettle.net
hxxp://doublesettle.net
hxxp://fellowlanguage.net
hxxp://doublelanguage.net
hxxp://fellowdevice.net
hxxp://doubledevice.net
hxxp://fellowbefore.net
hxxp://doublebefore.net
hxxp://brokensettle.net
hxxp://resultsettle.net
hxxp://brokenlanguage.net
hxxp://resultlanguage.net
hxxp://brokendevice.net
hxxp://resultdevice.net
hxxp://brokenbefore.net
hxxp://resultbefore.net
hxxp://preparesettle.net
hxxp://desiresettle.net
hxxp://preparelanguage.net
hxxp://desirelanguage.net
hxxp://preparedevice.net
hxxp://desiredevice.net
hxxp://preparebefore.net
hxxp://desirebefore.net
hxxp://strengthsettle.net
hxxp://stillsettle.net
hxxp://strengthlanguage.net
hxxp://stilllanguage.net
hxxp://strengthdevice.net
hxxp://stilldevice.net
hxxp://strengthbefore.net
hxxp://stillbefore.net
hxxp://movementfound.net
hxxp://outsidefound.net
hxxp://movementspring.net
hxxp://outsidespring.net
hxxp://movementsuccess.net
hxxp://outsidesuccess.net
hxxp://movementbanker.net
hxxp://outsidebanker.net
hxxp://buildingfound.net
hxxp://eveningfound.net
hxxp://buildingspring.net
hxxp://eveningspring.net
hxxp://buildingsuccess.net
hxxp://eveningsuccess.net
hxxp://buildingbanker.net
hxxp://eveningbanker.net
hxxp://storefound.net
hxxp://mightfound.net
hxxp://storespring.net
hxxp://mightspring.net
hxxp://storesuccess.net
hxxp://mightsuccess.net
hxxp://storebanker.net
hxxp://mightbanker.net
hxxp://doctorfound.net
hxxp://prettyfound.net
hxxp://doctorspring.net
hxxp://prettyspring.net
hxxp://doctorsuccess.net
hxxp://prettysuccess.net
hxxp://doctorbanker.net
hxxp://prettybanker.net
hxxp://fellowfound.net
hxxp://doublefound.net
hxxp://fellowspring.net
hxxp://doublespring.net
hxxp://fellowsuccess.net
hxxp://doublesuccess.net
hxxp://fellowbanker.net
hxxp://doublebanker.net
hxxp://brokenfound.net
hxxp://resultfound.net
hxxp://brokenspring.net
hxxp://resultspring.net
hxxp://brokensuccess.net
hxxp://resultsuccess.net
hxxp://brokenbanker.net
hxxp://resultbanker.net
hxxp://preparefound.net
hxxp://desirefound.net
hxxp://preparespring.net
hxxp://desirespring.net
hxxp://preparesuccess.net
hxxp://desiresuccess.net
hxxp://preparebanker.net
hxxp://desirebanker.net
hxxp://strengthfound.net
hxxp://stillfound.net
hxxp://strengthspring.net
hxxp://stillspring.net
hxxp://strengthsuccess.net
hxxp://stillsuccess.net
hxxp://strengthbanker.net
hxxp://stillbanker.net
hxxp://movementairplane.net
hxxp://outsideairplane.net
hxxp://movementstraight.net
hxxp://outsidestraight.net
hxxp://movementguard.net
hxxp://outsideguard.net
hxxp://movementfence.net
hxxp://outsidefence.net
hxxp://buildingairplane.net
hxxp://eveningairplane.net
hxxp://buildingstraight.net
hxxp://eveningstraight.net
hxxp://buildingguard.net
hxxp://eveningguard.net
hxxp://buildingfence.net
hxxp://eveningfence.net
hxxp://storeairplane.net
hxxp://mightairplane.net
hxxp://storestraight.net
hxxp://mightstraight.net
hxxp://storeguard.net
hxxp://mightguard.net
Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://98.124.243.39
hxxp://195.22.28.198
hxxp://216.239.34.21
hxxp://208.100.26.234
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://50.63.202.6
hxxp://54.207.35.233
hxxp://8.5.1.44
hxxp://74.208.236.66
hxxp://81.21.76.62
hxxp://50.63.202.55
hxxp://208.91.197.25
hxxp://5.2.189.251
hxxp://195.22.28.198
Once executed, a sample malware (MD5: 107993dce5417356d40279feb2be0017) phones back to the following C&C servers:
hxxp://movementindustry.net
hxxp://outsideindustry.net
hxxp://movementbecame.net
hxxp://outsidebecame.net
hxxp://movementcontain.net
hxxp://outsidecontain.net
hxxp://movementbasket.net
hxxp://outsidebasket.net
hxxp://buildingindustry.net
hxxp://eveningindustry.net
hxxp://buildingbecame.net
hxxp://eveningbecame.net
hxxp://buildingcontain.net
hxxp://eveningcontain.net
hxxp://buildingbasket.net
hxxp://eveningbasket.net
hxxp://storeindustry.net
hxxp://mightindustry.net
hxxp://storebecame.net
hxxp://mightbecame.net
hxxp://storecontain.net
hxxp://mightcontain.net
hxxp://storebasket.net
hxxp://mightbasket.net
hxxp://doctorindustry.net
hxxp://prettyindustry.net
hxxp://doctorbecame.net
hxxp://prettybecame.net
hxxp://doctorcontain.net
hxxp://prettycontain.net
hxxp://doctorbasket.net
hxxp://prettybasket.net
hxxp://fellowindustry.net
hxxp://doubleindustry.net
hxxp://fellowbecame.net
hxxp://doublebecame.net
hxxp://fellowcontain.net
hxxp://doublecontain.net
hxxp://fellowbasket.net
hxxp://doublebasket.net
hxxp://brokenindustry.net
hxxp://resultindustry.net
hxxp://brokenbecame.net
hxxp://resultbecame.net
hxxp://brokencontain.net
hxxp://resultcontain.net
hxxp://brokenbasket.net
hxxp://resultbasket.net
hxxp://prepareindustry.net
hxxp://desireindustry.net
hxxp://preparebecame.net
hxxp://desirebecame.net
hxxp://preparecontain.net
hxxp://desirecontain.net
hxxp://preparebasket.net
hxxp://desirebasket.net
hxxp://strengthindustry.net
hxxp://stillindustry.net
hxxp://strengthbecame.net
hxxp://stillbecame.net
hxxp://strengthcontain.net
hxxp://stillcontain.net
hxxp://strengthbasket.net
hxxp://stillbasket.net
hxxp://movementsettle.net
hxxp://outsidesettle.net
hxxp://movementlanguage.net
hxxp://outsidelanguage.net
hxxp://movementdevice.net
hxxp://outsidedevice.net
hxxp://movementbefore.net
hxxp://outsidebefore.net
hxxp://buildingsettle.net
hxxp://eveningsettle.net
hxxp://buildinglanguage.net
hxxp://eveninglanguage.net
hxxp://buildingdevice.net
hxxp://eveningdevice.net
hxxp://buildingbefore.net
hxxp://eveningbefore.net
hxxp://storesettle.net
hxxp://mightsettle.net
hxxp://storelanguage.net
hxxp://mightlanguage.net
hxxp://storedevice.net
hxxp://mightdevice.net
hxxp://storebefore.net
hxxp://mightbefore.net
hxxp://doctorsettle.net
hxxp://prettysettle.net
hxxp://doctorlanguage.net
hxxp://prettylanguage.net
hxxp://doctordevice.net
hxxp://prettydevice.net
hxxp://doctorbefore.net
hxxp://prettybefore.net
hxxp://fellowsettle.net
hxxp://doublesettle.net
hxxp://fellowlanguage.net
hxxp://doublelanguage.net
hxxp://fellowdevice.net
hxxp://doubledevice.net
hxxp://fellowbefore.net
hxxp://doublebefore.net
hxxp://brokensettle.net
hxxp://resultsettle.net
hxxp://brokenlanguage.net
hxxp://resultlanguage.net
hxxp://brokendevice.net
hxxp://resultdevice.net
hxxp://brokenbefore.net
hxxp://resultbefore.net
hxxp://preparesettle.net
hxxp://desiresettle.net
hxxp://preparelanguage.net
hxxp://desirelanguage.net
hxxp://preparedevice.net
hxxp://desiredevice.net
hxxp://preparebefore.net
hxxp://desirebefore.net
hxxp://strengthsettle.net
hxxp://stillsettle.net
hxxp://strengthlanguage.net
hxxp://stilllanguage.net
hxxp://strengthdevice.net
hxxp://stilldevice.net
hxxp://strengthbefore.net
hxxp://stillbefore.net
hxxp://movementfound.net
hxxp://outsidefound.net
hxxp://movementspring.net
hxxp://outsidespring.net
hxxp://movementsuccess.net
hxxp://outsidesuccess.net
hxxp://movementbanker.net
hxxp://outsidebanker.net
hxxp://buildingfound.net
hxxp://eveningfound.net
hxxp://buildingspring.net
hxxp://eveningspring.net
hxxp://buildingsuccess.net
hxxp://eveningsuccess.net
hxxp://buildingbanker.net
hxxp://eveningbanker.net
hxxp://storefound.net
hxxp://mightfound.net
hxxp://storespring.net
hxxp://mightspring.net
hxxp://storesuccess.net
hxxp://mightsuccess.net
hxxp://storebanker.net
hxxp://mightbanker.net
hxxp://doctorfound.net
hxxp://prettyfound.net
hxxp://doctorspring.net
hxxp://prettyspring.net
hxxp://doctorsuccess.net
hxxp://prettysuccess.net
hxxp://doctorbanker.net
hxxp://prettybanker.net
hxxp://fellowfound.net
hxxp://doublefound.net
hxxp://fellowspring.net
hxxp://doublespring.net
hxxp://fellowsuccess.net
hxxp://doublesuccess.net
hxxp://fellowbanker.net
hxxp://doublebanker.net
hxxp://brokenfound.net
hxxp://resultfound.net
Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://207.148.248.143
hxxp://50.63.202.56
hxxp://208.100.26.234
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://98.124.243.39
hxxp://195.22.28.199
hxxp://216.239.32.21
hxxp://208.100.26.234
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://50.63.202.6
hxxp://54.207.35.233
hxxp://8.5.1.44
hxxp://74.208.236.66
Once executed, a sample malware (MD5: d5ed564fd2f4c10e3a26df9342a09545) phones back to the following C&C servers:
hxxp://desiredress.net
hxxp://strengthcatch.net
hxxp://stillcatch.net
hxxp://strengtheearly.net
hxxp://stilleearly.net
hxxp://strengthpublic.net
hxxp://stillpublic.net
hxxp://strengthdress.net
hxxp://stilldress.net
hxxp://expectlength.net
hxxp://becauselength.net
hxxp://expectnotice.net
hxxp://becausenotice.net
hxxp://expectindeed.net
hxxp://becauseindeed.net
hxxp://expectduring.net
hxxp://becauseduring.net
hxxp://personlength.net
hxxp://machinelength.net
hxxp://personnotice.net
hxxp://machinenotice.net
hxxp://personindeed.net
hxxp://machineindeed.net
hxxp://personduring.net
hxxp://machineduring.net
hxxp://suddenlength.net
hxxp://foreignlength.net
hxxp://suddennotice.net
hxxp://foreignnotice.net
hxxp://suddenindeed.net
hxxp://foreignindeed.net
hxxp://suddenduring.net
hxxp://foreignduring.net
hxxp://whetherlength.net
hxxp://rightlength.net
hxxp://whethernotice.net
hxxp://rightnotice.net
hxxp://whetherindeed.net
hxxp://rightindeed.net
hxxp://whetherduring.net
hxxp://rightduring.net
hxxp://figurelength.net
hxxp://thoughlength.net
hxxp://figurenotice.net
hxxp://thoughnotice.net
hxxp://figureindeed.net
hxxp://thoughindeed.net
hxxp://figureduring.net
hxxp://thoughduring.net
hxxp://picturelength.net
hxxp://cigarettelength.net
hxxp://picturenotice.net
hxxp://cigarettenotice.net
hxxp://pictureindeed.net
hxxp://cigaretteindeed.net
hxxp://pictureduring.net
hxxp://cigaretteduring.net
hxxp://childrenlength.net
hxxp://familylength.net
hxxp://childrennotice.net
hxxp://familynotice.net
hxxp://childrenindeed.net
hxxp://familyindeed.net
hxxp://childrenduring.net
hxxp://familyduring.net
hxxp://eitherlength.net
hxxp://englishlength.net
hxxp://eithernotice.net
hxxp://englishnotice.net
hxxp://eitherindeed.net
hxxp://englishindeed.net
hxxp://eitherduring.net
hxxp://englishduring.net
hxxp://expectclear.net
hxxp://becauseclear.net
hxxp://expectgeneral.net
hxxp://becausegeneral.net
hxxp://expectinclude.net
hxxp://becauseinclude.net
hxxp://expectnorth.net
hxxp://becausenorth.net
hxxp://personclear.net
hxxp://machineclear.net
hxxp://persongeneral.net
hxxp://machinegeneral.net
hxxp://personinclude.net
hxxp://machineinclude.net
hxxp://personnorth.net
hxxp://machinenorth.net
hxxp://suddenclear.net
hxxp://foreignclear.net
hxxp://suddengeneral.net
hxxp://foreigngeneral.net
hxxp://suddeninclude.net
hxxp://foreigninclude.net
hxxp://suddennorth.net
hxxp://foreignnorth.net
hxxp://whetherclear.net
hxxp://rightclear.net
hxxp://whethergeneral.net
hxxp://rightgeneral.net
hxxp://whetherinclude.net
hxxp://rightinclude.net
hxxp://whethernorth.net
hxxp://rightnorth.net
hxxp://figureclear.net
hxxp://thoughclear.net
hxxp://figuregeneral.net
hxxp://thoughgeneral.net
hxxp://figureinclude.net
hxxp://thoughinclude.net
hxxp://figurenorth.net
hxxp://thoughnorth.net
hxxp://pictureclear.net
hxxp://cigaretteclear.net
hxxp://picturegeneral.net
hxxp://cigarettegeneral.net
hxxp://pictureinclude.net
hxxp://cigaretteinclude.net
hxxp://picturenorth.net
hxxp://cigarettenorth.net
hxxp://childrenclear.net
hxxp://familyclear.net
hxxp://childrengeneral.net
hxxp://familygeneral.net
hxxp://childreninclude.net
hxxp://familyinclude.net
hxxp://childrennorth.net
hxxp://familynorth.net
hxxp://eitherclear.net
hxxp://englishclear.net
hxxp://eithergeneral.net
hxxp://englishgeneral.net
hxxp://eitherinclude.net
hxxp://englishinclude.net
hxxp://eithernorth.net
Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://8.5.1.44
hxxp://208.100.26.234
hxxp://195.22.28.199
hxxp://162.255.119.249
hxxp://208.100.26.234
hxxp://98.124.243.44
Once executed, a sample malware (MD5: 789cb05effb586bda98e87e71e340c39) phones back to the following C&C servers:
hxxp://diyar.collegegirlteen.com/g/getasite/ - 46.45.168.84
hxxp://diyar.collegegirlteen.com/z/orap/
hxxp://diyar.collegegirlteen.com/z/z2/
hxxp://diyar.collegegirlteen.com/z/z5/
Related malicious MD5s known to have phoned back to the same C&C servers:
MD5: acd62483446c7ed057f312784bfddd61
Once executed, a sample malware (MD5: 505e4d58c53d47245aa89c0fd7cded83) phones back to the following C&C servers:
hxxp://van.cowteen.com/g/getasite/ - 46.45.168.84
hxxp://van.cowteen.com/z/orap/
hxxp://van.cowteen.com/z/z2/
hxxp://van.cowteen.com/z/z5/
Related malicious MD5s known to have phoned back to the same C&C server IP:
MD5: 13f2e7b3141b84666e0209e140663ef2
Once executed, a sample malware phones back to the following C&C server:
hxxp://w.bestmobile.mobi/ - 104.31.66.169; 104.31.67.169; 104.28.0.226; 104.28.1.226
Related malicious MD5s known to have phoned back to the same C&C server IPs:
MD5: 92bd8e7e58816bcb14f9dcbf839178ca
MD5: 1ee44596b174edb55c4bc497c1fe5f34
MD5: 443f732e406b3d96e53184917525e14a
MD5: a24fad894881b746c48420b019a225cf
MD5: 7c8a8f96c5b31e6ccae936ddc5226c91
Once executed, a sample malware (MD5: a24fad894881b746c48420b019a225cf) phones back to the following C&C servers:
hxxp://au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210
hxxp://au.umeng.com/api/check_app_update - 140.205.134.243; 140.205.170.6; 140.205.250.51; 140.205.230.45; 140.205.155.238; 110.173.196.195; 211.151.151.6; 211.151.139.210; 211.151.139.211
Related malicious MD5s known to have phoned back to the same C&C server IPs (au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210):
MD5: 65a6f1e29b09ba7caa98a9763593aedb
MD5: 102111b9024b71f6ab584d22abdbc589
MD5: 9ad137e51a5b6b2288c774a74a7e80da
MD5: a70595e99b3471216404400b736eaf7c
MD5: 3d3360250c96dff33e177121113b5a3f
Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://211.139.191.223
hxxp://221.179.35.113
Once executed, a sample malware phones back to the following C&C server:
hxxp://115.28.174.189/hft/rq.php
Related malicious MD5s known to have phoned back to the same C&C server IP:
MD5: c0464c5193dec0980a07fa2e50deffb1
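The indicator lists above follow one layout throughout: an "Once executed ... (MD5: ...)" header, then defanged hxxp:// URLs, some with resolved IPs after a hyphen (inline or on a continuation line), and "Related malicious MD5s ... (host ...)" headers tying further hashes to the same server. As an added example that is not part of the original post, the Python below parses that layout into sets of hashes, domains, IPs and refanged URLs, plus a sample-to-C&C mapping that can feed a DNS or proxy deny list. The SAMPLE_REPORT excerpt is constructed in that layout from values that appear in the post; the function names (`refang`, `parse_report`, `blocklist`) are ours.

```python
import ipaddress
import re
from collections import defaultdict

MD5_RE = re.compile(r"\b([0-9a-f]{32})\b")
DEFANGED_RE = re.compile(r"^hxxps?://")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed excerpt in the layout of the post's indicator lists; the hashes,
# hosts and IPs are values from the post, the arrangement is ours.
SAMPLE_REPORT = """\
Once executed, a sample malware (MD5: 3c4f56ebf48a0b47bffec547804d94f4) phones back to the following C&C servers:
hxxp://art.hornymilfporna.com/g/getasite/
hxxp://art.hornymilfporna.com/z/orap/
Related malicious MD5s known to have phoned back to the same C&C server IP (art.hornymilfporna.com):
MD5: ee329ffcd6fe835bfdc0ec1a7f033584
Once executed, a sample malware (MD5: 8a81ef6673321bddc557c486bce2a025) phones back to the following C&C servers:
hxxp://cinar.pussyteenx.com/g/getasite/
- 8.5.1.44; 46.45.168.84
hxxp://cinar.pussyteenx.com/z/orap/
Once executed, a sample malware (MD5: 505e4d58c53d47245aa89c0fd7cded83) phones back to the following C&C servers:
hxxp://van.cowteen.com/g/getasite/ - 46.45.168.84
Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://195.22.28.197
"""


def refang(url: str) -> str:
    """Restore the real scheme from the hxxp:// / hxxps:// defanging."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(url: str) -> str:
    """Host part of an http(s) URL (the post's URLs carry no ports)."""
    return re.sub(r"^https?://", "", url).split("/")[0]


def parse_report(text: str) -> dict:
    """Parse the post's list layout into IoC sets plus a sample -> C&C host mapping."""
    ioc = {"md5": set(), "domains": set(), "ips": set(), "urls": set()}
    by_sample = defaultdict(set)  # md5 (or "unattributed-N") -> hosts it contacted
    current = None                # sample the following indicator lines belong to
    related_host = None           # host named in a "Related malicious MD5s (...)" header
    unattributed = 0

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("once executed"):
            m = MD5_RE.search(low)
            if m:
                current = m.group(1)
                ioc["md5"].add(current)
            else:                 # header without a hash: keep the hosts, mark them unattributed
                unattributed += 1
                current = f"unattributed-{unattributed}"
            related_host = None
        elif low.startswith("related"):
            current = None
            paren = re.search(r"\(([^\s()]+)", line)
            related_host = paren.group(1) if paren else None
            ioc["ips"].update(IP_RE.findall(line))      # resolutions listed in the header
        elif low.startswith("md5:"):
            m = MD5_RE.search(low)
            if m:
                ioc["md5"].add(m.group(1))
                if related_host:
                    by_sample[m.group(1)].add(related_host)
        elif line.startswith("-"):
            ioc["ips"].update(IP_RE.findall(line))      # continuation line: "- ip; ip"
        elif DEFANGED_RE.match(line):
            url_part, _, tail = line.partition(" - ")   # inline form: "hxxp://host/ - ip; ip"
            url = refang(url_part.strip())
            host = host_of(url)
            ioc["urls"].add(url)
            (ioc["ips"] if is_ip(host) else ioc["domains"]).add(host)
            ioc["ips"].update(IP_RE.findall(tail))
            if current:
                by_sample[current].add(host)
    ioc["by_sample"] = {k: sorted(v) for k, v in by_sample.items()}
    return ioc


def blocklist(ioc: dict) -> list:
    """Flat, sorted list of C&C domains and IPs for a DNS or proxy deny list."""
    return sorted(ioc["domains"] | ioc["ips"])


if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT)
    for sample, hosts in result["by_sample"].items():
        print(sample, "->", ", ".join(hosts))
    print("blocklist:", blocklist(result))
```

Hosts that appear only in an unattributed block are kept under an `unattributed-N` key rather than dropped, so the deny list stays complete even where the post gives no hash for the sample; refanging is done once, at parse time, so nothing downstream has to special-case the hxxp:// convention.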
We'll continue monitoring the market segment for mobile malware and post updates as soon as new developments take place.