In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, further, spreading, malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetizing, scheme.
We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, users, into, executing, a, malicious, software, largely, relying, on, basic, visual, social, engineering, enticing, users, into, executing, a, rogue, application, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, host.
In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Related, malicious, domain, reconnaissance:
hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 66.235.119.48
hxxp://mywebface.mywebsearch.com - 74.113.233.64; 74.113.233.180
Sample, detection, rate, for, a, malicious, executable:
MD5: b32acfece8089e52fa2288cb421fa9de
Related, malicious, domains, known, to, have, responded, to, the,
same, malicious, C&C, server, IPs (74.113.233.48; 74.113.237.48;
66.235.119.48):
hxxp://myinfo.mywebsearch.com
hxxp://dl.mywebsearch.com
hxxp://tbedits.mywebsearch.com
hxxp://celebsauce.dl.mywebsearch.com
hxxp://bfc.mywebsearch.com
hxxp://bar.mywebsearch.com
hxxp://int.search.mywebsearch.com
hxxp://inboxace.dl.mywebsearch.com
hxxp://internetspeedtracker.dl.mywebsearch.com
hxxp://mywebface.dl.mywebsearch.com
hxxp://easypdfcombine.dl.mywebsearch.com
hxxp://onlinemapfinder.dl.mywebsearch.com
hxxp://eliteunzip.dl.mywebsearch.com
hxxp://mytransitguide.dl.mywebsearch.com
hxxp://packagetracer.dl.mywebsearch.com
hxxp://myway.mywebsearch.com
hxxp://helpint.mywebsearch.com
hxxp://zwinky.dl.mywebsearch.com
hxxp://weatherblink.dl.mywebsearch.com
hxxp://videoscavenger.dl.mywebsearch.com
hxxp://videodownloadconverter.dl.mywebsearch.com
hxxp://translationbuddy.dl.mywebsearch.com
hxxp://totalrecipesearch.dl.mywebsearch.com
hxxp://televisionfanatic.dl.mywebsearch.com
hxxp://retrogamer.dl.mywebsearch.com
hxxp://myscrapnook.dl.mywebsearch.com
hxxp://myfuncards.dl.mywebsearch.com
hxxp://gamingwonderland.dl.mywebsearch.com
hxxp://dictionaryboss.dl.mywebsearch.com
hxxp://astrology.dl.mywebsearch.com
hxxp://utmtrk2.mywebsearch.com
hxxp://utm2.mywebsearch.com
hxxp://utm.trk.mywebsearch.com
hxxp://utm.mywebsearch.com
hxxp://ak.ssl.toolbar.mywebsearch.com
hxxp://www122.mywebsearch.com
hxxp://couponalert.dl.mywebsearch.com
hxxp://help.mywebsearch.com
hxxp://srchsugg.mywebsearch.com
hxxp://utm.gr.mywebsearch.com
hxxp://utmtrk.gr.mywebsearch.com
hxxp://dp.mywebsearch.com
hxxp://download.mywebsearch.com
hxxp://www64.mywebsearch.com
hxxp://filmfanatic.mywebsearch.com
hxxp://mywebface.mywebsearch.com
hxxp://fromdoctopdf.dl.mywebsearch.com
hxxp://www173.mywebsearch.com
hxxp://www153.mywebsearch.com
hxxp://www170.mywebsearch.com
hxxp://www176.mywebsearch.com
hxxp://www155.mywebsearch.com
hxxp://www186.mywebsearch.com
hxxp://www156a.mywebsearch.com
hxxp://www187.mywebsearch.com
hxxp://www198.mywebsearch.com
hxxp://www154.mywebsearch.com
hxxp://cfg.mywebsearch.com
hxxp://mapsgalaxy.dl.mywebsearch.com
hxxp://edits.mywebsearch.com
hxxp://www.mywebsearch.com
hxxp://enable.mywebsearch.com
hxxp://live.mywebsearch.com
hxxp://config.mywebsearch.com
hxxp://anx.mywebsearch.com
hxxp://bstat.mywebsearch.com
hxxp://updates.mywebsearch.com
hxxp://home.mywebsearch.com
hxxp://search.mywebsearch.com
hxxp://stats.mywebsearch.com
hxxp://akd.search.mywebsearch.com
hxxp://ak2.home.mywebsearch.com
hxxp://ak.search.mywebsearch.com
hxxp://ak.toolbar.mywebsearch.com
Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
MD5: 83cdb402fcd68947f7519eaad515fa5a
MD5: 6b31cc25e68d5d008e319c4a1c8c4098
MD5: f2392d18a266f554743b495b4e71b2be
MD5: 9bcaeb5b4bdd6b9e22852a98ca630914
MD5: 4fd260e17ca40a31a7baace9af1b7db9
Once, executed, a, sample, malware, (MD5: 83cdb402fcd68947f7519eaad515fa5a), phones, back, to, the, following, C&C, server, IPs:
hxxp://178.150.139.157/search.htm
hxxp://sev2012.com/page_click.php - 141.8.224.239; 54.72.9.51; 91.220.131.33; 91.236.116.20
hxxp://62.122.107.119/install.htm
Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (178.150.139.157), are, also, the, following, malicious, domains:
hxxp://cejzesu.com
hxxp://hqyibul.wuwykym.net
Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: c92a9961e6096eb7af3a34e9e48114f1
MD5: 25789eec9e0d4b5cdf184bf41460808e
MD5: 1a72e482e6ec352ae4c9206b92776f01
MD5: e22a0fd64e5b6193be655cc29ed19755
MD5: fe8a027fd45ec9621b34a20bc907fb2c
Once, executed, a, sample, malware (MD5: c92a9961e6096eb7af3a34e9e48114f1), phones, back, to, the, following, C&C, server, IPs:
http://178.150.244.54/mod2/mentalc.exe
http://178.150.139.157/mod1/mentalc.exe
Once, executed, a, sample, malware (MD5: 25789eec9e0d4b5cdf184bf41460808e), phones, back, to, the, following, C&C, server, IPs:
http://95.180.66.40/mod2/b0ber01.exe
http://91.245.79.46/mod1/b0ber01.exe
http://178.150.139.157/mod1/b0ber01.exe
Once, executed, a, sample, malware (MD5: 1a72e482e6ec352ae4c9206b92776f01), phones, back, to, the, following, C&C, server, IPs:
http://77.123.73.34/keybex4.exe
http://178.150.139.157/keybex4.exe
Once, executed, a, sample, malware (MD5: e22a0fd64e5b6193be655cc29ed19755), phones, back, to, the, following, C&C, server, IPs:
http://176.194.18.198/mod2/ozersid.exe
http://176.110.28.238/mod1/ozersid.exe
http://46.73.67.61/mod2/ozersid.exe
http://178.150.209.116/mod2/ozersid.exe
http://178.150.139.157/mod2/ozersid.exe
http://193.32.14.186/mod1/ozersid.exe
http://46.211.9.37/mod1/ozersid.exe
Once, executed, a, sample, malware (MD5: fe8a027fd45ec9621b34a20bc907fb2c), phones, back, to, the, following, C&C, server, IPs:
http://178.150.139.157/welcome.htm
http://77.122.28.206/default.htm
http://77.122.28.206/online.htm
http://mydear.name/page_umax.php
Once, executed, a, sample, malware, (MD5: 6b31cc25e68d5d008e319c4a1c8c4098), phones, back, to, the, following, C&C, server, IPs:
hxxp://cytpaxiz.us/rasta01.exe
hxxp://60.36.47.71/file.htm
hxxp://219.204.4.3/search.htm
Once, executed, a, sample, malware, (MD5: f2392d18a266f554743b495b4e71b2be), phones, back, to, the, following, C&C, server, IPs:
hxxp://46.121.221.173/start.htm
hxxp://burhyyal.epfusgy.com/calc.exe
hxxp://178.150.138.2/install.htm
Once, executed, a, sample, malware, (MD5: 9bcaeb5b4bdd6b9e22852a98ca630914), phones, back, to, the, following, C&C, server, IPs:
hxxp://159.224.191.47/install.htm
hxxp://109.87.184.7/setup.htm
Once, executed, a, sample, malware, (MD5: 4fd260e17ca40a31a7baace9af1b7db9), phones, back, to, the, following, C&C, server, IPs:
hxxp://178.158.237.37/welcome.htm
hxxp://178.165.13.17/home.htm
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (74.113.233.48):
MD5: a3470a214ec34f7a0b9330e44af80714
MD5: 31593f94936e63152d35ca682fb9ef0b
MD5: eb003b7665b34f6ed3a7944e4254ad2d
MD5: ed1c465beca9596a9031580d1093cb13
MD5: cace61ddd8f8e30cf1f52f9ad6c66578
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://home.mywebsearch.com - 74.113.233.48
hxxp://akd.search.mywebsearch.com - 5.178.43.17
hxxp://ak.imgfarm.com - 90.84.60.81
hxxp://anx.mywebsearch.com - 74.113.233.187
Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 11ddcf7bd806c9ef24cc84a440629e68
MD5: 8c1e63b34c678b48c63ba369239d5718
MD5: 10b4c54646567dcee605f5c36bfa8f17
MD5: 70dbce98f1d62c03317797a1dd3da151
MD5: ee00f47a51e91a1f70a5c7a0086b7220
Once, executed, a, sample, malware (MD5: 11ddcf7bd806c9ef24cc84a440629e68), phones, back, to, the, following, malicious, C&C, server, IPs:
http://78.62.197.14/online.htm
http://89.46.92.232/welcome.htm
http://89.46.92.232/login.htm
Once, executed, a, sample, malware (MD5: 8c1e63b34c678b48c63ba369239d5718), phones, back, to, the, following, malicious, C&C, server, IPs:
http://109.251.217.207/home.htm
http://109.251.217.207/login.htm
Once, executed, a, sample, malware, (MD5: 10b4c54646567dcee605f5c36bfa8f17), phones, back, to, the, following, malicious, C&C, server, IPs:
http://91.221.219.12/setup.htm
Once, executed, a, sample, malware, (MD5: 70dbce98f1d62c03317797a1dd3da151), phones, back, to, the, following, malicious, C&C, server, IPs:
http://89.229.4.22/install.htm
http://89.229.4.22/default.htm
Once, executed, a, sample, malware (MD5: ee00f47a51e91a1f70a5c7a0086b7220), phones, back, to, the, following, malicious, C&C, server, IPs:
http://89.229.4.22/install.htm
http://89.229.4.22/default.htm
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Sunday, December 25, 2016
Historical OSINT - Rogue MyWebFace Application Serving Adware Spotted in the Wild
Tags:
Adware,
Botnet,
Cybercrime,
Hacking,
Information Security,
Malicious Software,
MyWebFace,
Potentially Unwanted Application,
Security
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com