In a cybercrime ecosystem dominated by malicious software releases, cybercriminals continue actively populating their botnets' infected populations, successfully affecting hundreds of thousands of users globally and potentially exposing the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software, further spreading malicious software and earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of monetization scheme.
We've recently intercepted a currently circulating malicious spam campaign affecting Google Groups, potentially exposing users to a multitude of malicious software, including fake security software, also known as scareware, further enticing users into interacting with the bogus links and potentially exposing their devices to a multitude of malicious software.
In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, and establish a direct connection between the campaign and the Koobface gang.
Related malicious rogue content URLs known to have participated in the campaign:
- anisimivachev17 - 1125 messages
- ilariongrishelev24 - 1099 messages
- yuvenaliyarzhannikov15 - 1108 messages
- burniemetheny52 - 1035 messages
- mengrug - 1090 messages
- silabobrov27 - 1116 messages
Related malicious URLs known to have participated in the campaign:
hxxp://wut.im/343535
hxxp://tpal.us/wedding2
hxxp://shrtb.us/New_year_video
hxxp://snipurl.com/tx2r6
hxxp://www.tcp3.com/helga-4315
hxxp://budurl.com/egph
hxxp://flipto.com/jokes/
hxxp://rejoicetv.info/newyear
hxxp://fauz.me/?livetv
hxxp://go2.vg/funnykids
hxxp://usav.us/anecdotes
hxxp://vaime.org/joke
hxxp://theflooracle.com/mistakes
hxxp://dashurl.com/video-jokes
hxxp://www.shortme.info/smileykids/
hxxp://starturl.com/clip32112
hxxp://starturl.com/rebeca
hxxp://starturl.com/video2231
hxxp://starturl.com/funclip
hxxp://starturl.com/sexchat
hxxp://www.41z.com/animals
hxxp://www.rehttp.com/?smileykids
hxxp://starturl.com/adamaura
hxxp://mytinyurls.com/wfj
Sample detection rate for a malicious executable:
MD5: 1e0d06095a32645c3f57f1b4dcbcfe5c
Sample malicious URL involved in the campaign:
hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - Email: Bobby.J.Hyatt@gmail.com
Parked there are also:
hxxp://networkstabilityinc .com - Email: juliacanderson@pookmail.com; marcusmhuffaker@mailinator.com; justinpnelson@dodgit.com
hxxp://indiansoftwareworld .com - Email: thelmamhandley@trashymail.com; leanngscofield@gmail.com; ernestygresham@trashymail.com
hxxp://antyvirusdevice .com - Email: latonyawmiller@pookmail.com; royawiley@pookmail.com; gracegoshea@pookmail.com; latonyawmiller@pookmail.com
hxxp://digitalprotectionservice .com - Email: clarencepfetter@trashymail.com; jamesdrobinson@pookmail.com; jamesdrobinson@pookmail.com; clarencepfetter@trashymail .com
hxxp://bestantyvirusservice .com - Email: kathrynrsmith@gmail.com; richardbhughey@gmail.com; joshuamwest@trashymail.com; kathrynrsmith@gmail.com
hxxp://antivirussoftrock .com - Email: michaelaturner@trashymail.com; gracemparker@trashymail.com; cliffordsfernandez@pookmail.com; michaelaturner@trashymail.com
hxxp://antywiramericasell .com - Email: Shannon.J.Ferguson@gmail.com
hxxp://antydetectivewaemergencyroom .com - Email: brettdpetro@gmail.com; valeriejweaver@dodgit.com; williekharris@mailinator.com; brettdpetro@gmail.com
hxxp://freeinternetvacation .com - Email: edwardmyoung@trashymail.com; aileenasaylor@gmail.com; williamjoverby@trashymail.com; edwardmyoung@trashymail.com
hxxp://aolbillinghq .com - Email: haroldamccarthy@trashymail.com; teodoromkeller@trashymail.com; joanswhite@dodgit.com; haroldamccarthy@trashymail.com
hxxp://scanserviceprovider .com - Email: rogerdmurphy@gmail.com; charlescvalentino@mailinator.com; eliarmcdonald@trashymail.com; rogerdmurphy@gmail.com
hxxp://securitytoolsquotes .com - Email: thurmanepidgeon@dodgit.com; jessicapgrady@dodgit.com; jamesmcummings@trashymail.com; thurmanepidgeon@dodgit.com
hxxp://electionprogress .com - Email: clarenceafloyd@pookmail.com; junerwurth@pookmail.com; edjbaxter@gmail.com; clarenceafloyd@pookmail.com
hxxp://myantywiruslist .com - Email: Nathan.S.Dennis@gmail.com
hxxp://antyspywarelistnow .com - Email: James.M.Miller@gmail.com
hxxp://securitylabtoday .com - Email: Marc.N.Torres@gmail.com
hxxp://yournecessary .com - Email: debrahbettis@gmail.com; myracbryant@dodgit.com; marycwilliams@dodgit.com; debrahbettis@gmail.com
hxxp://securityutilitysite .net - Email: michellemwelch@mailinator.com; charlesdfrazier@trashymail.com; rosaliejhumphrey@pookmail.com; michellemwelch@mailinator.com
hxxp://securitytoolsshop .net - Email: sarajgunter@gmail.com; kerstinrbray@gmail.com; keithrdejesus@mailinator.com; sarajgunter@gmail.com
hxxp://securitytooledit .net - Email: byronlross@pookmail.com; jamesslewis@mailinator.com; leighschancey@trashymail.com; byronlross@pookmail.com
hxxp://portsecurityutility .net - Email: marquettacpettit@trashymail.com; melindakbolin@pookmail.com; rhondaehipp@mailinator.com; marquettacpettit@trashymail.com
Sample detection rate for a malicious executable:
MD5: 4a3e8b6b7f42df0f26e22faafaa0327f
MD5: 64a111acdc77762f261b9f4202e98d29
Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://newsekuritylist.com/in.php?affid=92600
Sample URL redirection chain:
hxxp://rejoicetv.info/newyear
- hxxp://91.207.4.19/tds/go.php?sid=3
- hxxp://liveeditionpc.net?uid=297&pid=3&ttl=11845621a62 - 95.169.187.216 - korn989.net; liveeditionpc.net; createpc-pcscan-korn.net
- hxxp://www1.hotcleanofyour-pc.net/p=== - 98.142.243.174 - live-guard-forpc.net is also parked there.
Sample detection rate for a malicious executable:
MD5: 4912961c36306d156e4e2b335c51151b
Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://update2.pcliveguard.com/index.php?controller=hash - 124.217.251.99
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://securityearth.cn/Reports/MicroinstallServiceReport.php - 210.56.53.125
Sample URL redirection chain:
hxxp://garlandvenit.150m.com
- hxxp://online-style2.com
- hxxp://scanner-malware15.com/scn3/?engine=
- hxxp://scanner-malware15.com/download.php?id=328s3
Related malicious domains known to have participated in the campaign:
hxxp://eclipserisa.150m.com
hxxp://adamaura.150m.com
hxxp://hugodinah.150m.com
hxxp://roycesylvia.150m.com
hxxp://lindaagora.150m.com
hxxp://sharolynpam.150m.com
hxxp://letarebeca.150m.com
Sample URL redirection chain:
hxxp://egoldenglove.com/Images/bin/movie/
- hxxp://egoldenglove.com/Images/bin/movie/Flash_Update_1260873156.exe
Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://2-weather.com/?pid=328s03&sid=3593b2&d=3&name=Loading%20video - 66.197.160.104 - Email: mail@tatrum-verde.com
hxxp://scanner-spya8.com/scn3/?engine= - Email: info@gainweight.com
Sample detection rate for a malicious executable:
MD5: bfaba92c3c0eaec61679f03ff0eb0911
Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://91.212.226.185/download/winlogo.bmp (windowsaltserver.com)
Related malicious domains known to have participated in the campaign:
hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum-verde.com
hxxp://2-weather.com - 193.104.22.202 - Email: mail@tatrum-verde.com - currently embedded on Koobface-infected hosts pushing scareware
Related malicious domains known to have participated in the campaign:
hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com
hxxp://scanner-malware15.com - Email: info@natural-health.org
Related malicious IPs known to have participated in the campaign:
hxxp://68.168.212.142
hxxp://91.212.226.97
hxxp://66.197.160.105
Parked on 68.168.212.142:
hxxp://antispywareguide20 .com - Email: contacts@vertigo.us
hxxp://antispywareguide22 .com - Email: contacts@vertigo.us
hxxp://antispywareguide23 .com - Email: contacts@vertigo.us
hxxp://antispywareguide25 .com - Email: contacts@vertigo.us
hxxp://antispywareguide27 .com - Email: contacts@vertigo.us
hxxp://antispywaretools10 .com - Email: contacts@vertigo.us
hxxp://antispywaretools11 .com - Email: contacts@vertigo.us
hxxp://antispywaretools12 .com - Email: contacts@vertigo.us
hxxp://antispywaretools17 .com - Email: contacts@vertigo.us
hxxp://antispywaretools18 .com - Email: contacts@vertigo.us
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://birthday-gifts2 .com - Email: TheodoreWTurner@live.com
hxxp://christmasdecoration2 .com - Email: contact@trythreewish.us
hxxp://computerscanm0 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm2 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm4 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm6 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm8 .com - Email: JamesNTurner@yahoo.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com
hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com
hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://pc-antispyo3 .com
hxxp://pc-antispyo5 .com
hxxp://pc-antispyo6 .com
hxxp://pc-antispyo9 .com
hxxp://pc-securityv8 .com - Email: info@billBlog.com
hxxp://protect-pca1 .com
hxxp://protect-pcr1 .com
hxxp://protect-pct1 .com
hxxp://protect-pcu1 .com
hxxp://quick-antispy91 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy92 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy93 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy95 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy99 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner2 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner4 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner6 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner77 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner78 .com - Email: williams.trio@yahoo.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://safe-pc01 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc02 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc03 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc07 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc09 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc002 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc004.com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc009 .com - Email: JamesNTurner@yahoo.com
hxxp://scan-and-secure01 .com
hxxp://scan-and-secure04 .com
hxxp://scan-and-secure06 .com
hxxp://scan-and-secure07 .com
hxxp://scan-and-secure09 .com
hxxp://scan-computerab .com
hxxp://scan-computere0 .com
hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org
hxxp://securitysoftware1 .com
hxxp://securitysoftware3 .com
hxxp://securitysoftware5 .com
hxxp://securitysoftwaree .com
hxxp://securitysoftwaree7 .com
hxxp://security-softwareo1 .com
hxxp://security-softwareo5 .com
hxxp://security-softwareo7 .com
hxxp://unique-gifts2 .com - Email: contact@trythreewish.us
hxxp://unusual-gifts2 .com - Email: contact@trythreewish.us
hxxp://xmas-song .com - Email: contact@trythreewish.us
Parked on 91.212.226.97; 66.197.160.105:
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com
hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com
hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org
Parked on 66.197.160.104:
hxxp://2activities.com - Email: mail@tatrum-verde.com
hxxp://2-scenes.com - Email: mail@tatrum-verde.com
hxxp://2-weather.com - Email: mail@tatrum-verde.com
hxxp://online-fun2 .com - Email: mail@tatrum-verde.com
hxxp://online-news2.com - Email: mail@tatrum-verde.com
hxxp://online-style2 .com - Email: mail@tatrum-verde.com
hxxp://online-tv2.com - Email: mail@tatrum-verde.com
hxxp://snow-and-fun2 .com - Email: mail@tatrum-verde.com
hxxp://winterart2 .com - Email: info@territoryplace.us
hxxp://winterchristmas2 .com - Email: info@territoryplace.us
hxxp://wintercrafts2 .com - Email: info@territoryplace.us
hxxp://winterkids2 .com - Email: info@territoryplace.us
hxxp://winterphotos2 .com - Email: info@territoryplace.us
hxxp://winterpicture2 .com - Email: info@territoryplace.us
hxxp://winterscene2 .com - Email: info@territoryplace.us
hxxp://winterwallpaper2 .com - Email: info@territoryplace.us
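The listings above are written in the author's defanged style ("hxxp://", a space before the TLD, registrant e-mails after " - Email:"), and the pivots the post makes by hand (same registrant e-mail or same hosting IP across many "parked" domains) are exactly what a defender wants to automate. The script below is an added example and is not code from the original post: it parses a handful of lines copied from the listings above, groups the domains by registrant e-mail and by IP, and then checks a constructed proxy log (the log format and client addresses are assumptions, not data from the post) against the resulting hosts and against the "affid=" affiliate parameter seen on the scareware landing page.

```python
"""Parse defanged IoC lines of the kind listed above, pivot on registrant
e-mail / hosting IP, and match a constructed proxy log against the result."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample lines copied from the post's listings (the post's own defanging:
# "hxxp://" scheme and a space before the TLD).
IOC_LINES = [
    "hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - Bobby.J.Hyatt@gmail.com",
    "hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com",
    "hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com",
    "hxxp://2-weather.com - 193.104.22.202 - - Email: mail@tatrum-verde.com - currently embedded on Koobface-infected hosts pushing scareware",
    "hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com",
    "hxxp://scanner-malware15 .com - Email: info@natural-health.org",
]

# Constructed proxy log (assumed format: "<ts> <client_ip> <method> <url> <status>").
PROXY_LOG = [
    "2009-12-28T10:01:02Z 10.0.0.12 GET http://www.example.org/index.html 200",
    "2009-12-28T10:01:05Z 10.0.0.12 GET http://best-scan-911.com/scan/ 200",
    "2009-12-28T10:01:07Z 10.0.0.12 GET http://newsekuritylist.com/in.php?affid=92600 200",
    "2009-12-28T10:02:00Z 10.0.0.33 GET http://193.104.22.202/?pid=3 302",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Tolerates the post's "user@domain .com" spacing inside e-mail addresses.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\s?\.[\w-]+)+")
AFFILIATE_RE = re.compile(r"[?&]affid=\d+")


def refang(token):
    """Turn the post's defanged form back into a real URL string.
    'hxxp://best-scan-911 .com' -> 'http://best-scan-911.com'"""
    token = token.replace("hxxp://", "http://").replace("hxxps://", "https://")
    return re.sub(r"\s+\.", ".", token)


def parse_ioc_line(line):
    """Split one listing line into domain, hosting IP (if any) and registrant e-mails."""
    url_part, _, rest = line.partition(" - ")
    url = refang(url_part.strip())
    ips = IP_RE.findall(rest)
    emails = []
    for e in EMAIL_RE.findall(rest):  # de-duplicate: the post repeats admin/tech contacts
        e = e.replace(" ", "").lower()
        if e not in emails:
            emails.append(e)
    return {"domain": urlsplit(url).hostname, "url": url,
            "ip": ips[0] if ips else None, "emails": emails}


def pivot(records, key):
    """Group domains that share a registrant e-mail ('email') or hosting IP ('ip')."""
    groups = defaultdict(set)
    for r in records:
        values = r["emails"] if key == "email" else ([r["ip"]] if r["ip"] else [])
        for v in values:
            groups[v].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def match_proxy_log(log_lines, records):
    """Flag log lines whose host is a listed domain/IP, or whose URL carries the
    affiliate-id parameter seen on the scareware landing page."""
    bad_hosts = {r["domain"] for r in records} | {r["ip"] for r in records if r["ip"]}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        host = urlsplit(url).hostname or ""
        reasons = []
        if host in bad_hosts:
            reasons.append("known-campaign-host")
        if AFFILIATE_RE.search(url):
            reasons.append("affiliate-id-parameter")
        if reasons:
            hits.append((parts[1], host, reasons))
    return hits


if __name__ == "__main__":
    recs = [parse_ioc_line(l) for l in IOC_LINES]
    for email, domains in pivot(recs, "email").items():
        print(f"{email}: {', '.join(domains)}")
    for client, host, why in match_proxy_log(PROXY_LOG, recs):
        print(f"{client} -> {host} [{'; '.join(why)}]")
```

The e-mail pivot is the more durable indicator here: the hosting IPs in the post rotate between a few netblocks, while the same throwaway registrant addresses (trashymail, pookmail, mailinator, dodgit) recur across dozens of "parked" domains, so new domains registered with them are worth watching before they ever appear in a redirection chain.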
What's particularly interesting about this particular campaign is the direct connection with the Koobface gang, taking into consideration the fact that hxxp://redirector online-style2.com/?pid=312s03&sid=4db12f has also been used by Koobface-infected hosts and, most importantly, the fact that a sampled scareware campaign from December 2009 was serving scareware parked on 193.104.22.200, where the Koobface scareware portfolio is parked, as previously profiled and analyzed.
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Related posts:
Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign
Sunday, December 25, 2016
Historical OSINT - Koobface Gang Utilizes Google Groups, Serves Scareware and Malicious Software