In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, a, botnet's, infected, population, further, spreading, malicious, software, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, potentially, exposing, the, affected, user, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, access, to, the, malware-infected, hosts, largely, relying, on, the, use, of, affiliate-network, based, type, of, fraudulent, revenue, monetization, scheme.
We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, users, into, clicking, on, bogus, and, rogue, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, ultimately, attempting, to, socially, engineer, users, into, interacting, with, rogue, YouTube, Video, Players, ultimately, dropping, fake, security, software, also, known, as, scareware, on, the, affected, hosts, with, the, cybercriminals, behind, the, campaign, actively, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.
In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Sample, URL, redirection, chain:
hxxp://acquaintive.in/x.html - 208.87.35.103
- hxxp://xxxvideo-hlyl.cz.cc/video7/?afid=24 - 63.223.117.10
- hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: enquepuedo.senior@gmail.com
- hxxp://binarymode.in/topic/exe.php?x=jjar
- hxxp://binarymode.in/topic/?showtopic=ecard&bid=151&e=post&done=image
Related, malicious, MD5s, known, to, have, responded, to, the, same, C&C, server, IPs (208.87.35.103):
MD5: a12c055f201841f4640084a70b34c0c4
MD5: b4d435f15d094289839eac6228088baf
MD5: 2782220da587427b981f07dc3e3e0d96
MD5: 1151cd39495c295975b8c85bd4b385e5
MD5: 2539d5d836f058afbbf03cb24e41970c
Once, executed, a, sample, malware (MD5: a12c055f201841f4640084a70b34c0c4), phones, back, to, the, following, C&C, server, IPs:
hxxp://926garage.com - 185.28.193.192
hxxp://quistsolutions.eu - 188.165.239.53
hxxp://rehabilitacion-de-drogas.org - 188.240.1.110
hxxp://bcbrownmusic.com - 69.89.21.66
hxxp://andzi0l.5v.pl - 46.41.150.7
hxxp://alsaei.com - 192.186.194.133
Once, executed, a, sample, malware (MD5: 2782220da587427b981f07dc3e3e0d96), phones, back, to, the, following, C&C, server, IPs:
hxxp://lafyeri.com
hxxp://kulppasur.com - 209.222.14.3
hxxp://toalladepapel.com.ar - 184.168.57.1
hxxp://www.ecole-saint-simon.net - 208.87.35.103
Once, executed, a, sample, malware (MD5: 2539d5d836f058afbbf03cb24e41970c), phones, back, to, the, following, C&C, server, IPs:
hxxp://realquickmedia.com (208.87.35.103)
Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (109.74.195.149):
hxxp://trustidsoftware.com
hxxp://tc28q8cxl2a5ljwa60skl87w6.cdx1cdx1cdx1.in
hxxp://golubu6ka.com
hxxp://cdx2cdx2cdx2.in
hxxp://redmewire.com
hxxp://5zw3t6jq8fiv9jtdqg23.cdx2cdx2cdx2.in
hxxp://es3iz6lb0pet3ix6la0p.cdx2cdx2cdx2.in
hxxp://qsd79bd0j8f7c90e057a.cdx1cdx1cdx1.in
hxxp://w8ncqpet2hx5kf9mbr1a.cdx1cdx1cdx1.in
hxxp://skygaran4ik.com
hxxp://5xj7wk9amqcpse2ug4ve.cdx1cdx1cdx1.in
hxxp://readrelay.com
hxxp://bk5sbm7xgo6vk0e6b3xc.cdx1cdx1cdx1.in
hxxp://d51f1qam8wi15wpxmtjq.cdx2cdx2cdx2.in
hxxp://wxvtsr98642pomligfed.cdx2cdx2cdx2.in
hxxp://zonkjhgebawzvsq09753.cdx1cdx1cdx1.in
hxxp://nightphantom.com
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (109.74.195.149):
MD5: a6c06a59da36ee1ae96ffaff37d12f28
MD5: 2d1bb6ca54f4c093282ea30e2096af0f
MD5: adf037ecbd4e7af573ddeb7794b61c40
MD5: ce7d4a493fc4b3c912703f084d0d61e1
MD5: c36941693eeef3fa54ca486044c6085a
Once, executed, a, sample, malware (MD5:a6c06a59da36ee1ae96ffaff37d12f28), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 109.74.195.149
hxxp://zeplost.com - 109.74.195.149
Once, executed, a, sample, malware (MD5:2d1bb6ca54f4c093282ea30e2096af0f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://qweplost.com - 109.74.195.149
Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (96.126.106.156):
hxxp://checkwebspeed.net
hxxp://gercourses.com
hxxp://replost.com
hxxp://boltoflexaria.in
hxxp://levartnetcom.net
hxxp://boltoflex.in
hxxp://borderspot.net
hxxp://diathbsp.in
hxxp://ganzagroup.in
hxxp://httpsstarss.in
hxxp://missingsync.net
hxxp://qqplot.com
hxxp://evelice.in
hxxp://gotheapples.com
hxxp://surfacechicago.net
hxxp://zeplost.com
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0183a687365cc3eb97bb5c2710952f95
MD5: f1e3030a83fa2f14f271612a4de914cb
MD5: 97269450de58ef5fb8d449008e550bf0
MD5: c83962659f6773b729aa222bd5b03f2f
MD5: e0aa08d4d98c3430204c1bb6f4c980e1
Once, executed, a, sample, malware (MD5:0183a687365cc3eb97bb5c2710952f95), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 96.126.106.156
Once, executed, a, sample, malware (MD5:f1e3030a83fa2f14f271612a4de914cb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://gercourses.com/borders.php
Once, executed, a, sample, malware (MD5:97269450de58ef5fb8d449008e550bf0), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://checkwebspeed.net - 96.126.106.156
Once, executed, a, sample, malware (MD5:c83962659f6773b729aa222bd5b03f2f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://checkwebspeed.net - 96.126.106.156
Once, executed, a, sample, malware (MD5:e0aa08d4d98c3430204c1bb6f4c980e1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 96.126.106.156
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.