Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild
In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercrimianals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, thousands, of, newly, affected, users, globally, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, botnet's, population, largely, relying, on, the, utilization, of, affiliate-based, type, of, fraudulent, revenue, monetization, scheme.
We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, impersonating, Facebook, for, the, purpose, of, serving, client-side, exploits, to, socially, engineered, users, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, hosts, largely, relying, on, the, use, of, affiliate-based, type, of, fraudulent, revenue, monetizing, scheme.
In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.
Sample, URL, exploitation, chain:
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
- hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
- hxxp://spain.salefale.com/index.php
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://salefale.com - 112.137.165.114
- hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru
Sample, detection, rate, for, the, malicious, executable:
MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09
Once, executed, a, sample, malware, phones back to:
hxxp://makotoro.com
Related, malicious, C&C, server, IPs, known, to, have, participated, in, the, campaign:
hxxp://91.201.196.99
hxxp://91.201.196.77
hxxp://91.201.196.101
hxxp://91.201.196.35
hxxp://91.201.196.75
hxxp://91.201.196.76
hxxp://91.201.196.38
hxxp://91.201.196.34
hxxp://91.201.196.37
Related, malicious, C&C, server, IPs (212.175.173.88), known, to, have, participated, in, the, campaign:
hxxp://downloads.fileserversa.org
hxxp://downloads.fileserversc.org
hxxp://downloads.fileserversd.org
hxxp://downloads.portodrive.org
hxxp://downloads.fileserversj.org
hxxp://downloads.fileserversk.org
hxxp://downloads.fileserversm.org
hxxp://downloads.fileserversn.org
hxxp://downloads.fileserverso.org
hxxp://downloads.fileserversq.org
hxxp://downloads.fileserversr.org
hxxp://auth.facebook.com.megavids.org
hxxp://auth.facebook.com.fileserversl.com
hxxp://auth.facebook.com.legomay.com
hxxp://auth.facebook.com.crymyway.com
hxxp://auth.facebook.com.portodrive.net
hxxp://auth.facebook.com.modavedis.net
hxxp://auth.facebook.com.migpix.net
hxxp://auth.facebook.com.legomay.net
hxxp://auth.facebook.com.crymyway.net
hxxp://downloads.megavids.org
hxxp://downloads.regzavids.org
hxxp://downloads.vedivids.org
hxxp://downloads.restpictures.org
hxxp://downloads.modavedis.org
hxxp://downloads.fileserverst.org
hxxp://downloads.fileserversu.org
hxxp://downloads.regzapix.org
hxxp://downloads.reggiepix.org
hxxp://downloads.migpix.org
hxxp://downloads.restopix.org
hxxp://downloads.legomay.org
hxxp://downloads.vediway.org
hxxp://downloads.compoway.org
hxxp://downloads.restway.org
hxxp://downloads.crymyway.org
hxxp://downloads.fileserversa.com
hxxp://downloads.fileserversb.com
hxxp://downloads.fileserversc.com
hxxp://downloads.fileserversd.com
hxxp://downloads.fileserverse.com
hxxp://downloads.fileserversf.com
hxxp://downloads.fileserversg.com
hxxp://downloads.fileserversh.com
hxxp://downloads.fileserversi.com
hxxp://downloads.fileserversj.com
hxxp://downloads.fileserversk.com
hxxp://downloads.fileserversl.com
hxxp://downloads.fileserversm.com
hxxp://downloads.fileserversn.com
hxxp://downloads.fileserverso.com
hxxp://downloads.fileserversp.com
hxxp://downloads.fileserversq.com
hxxp://downloads.fileserversr.com
hxxp://downloads.regzavids.com
hxxp://downloads.vedivids.com
hxxp://downloads.restpictures.com
hxxp://downloads.modavedis.com
hxxp://downloads.fileserverss.com
hxxp://downloads.fileserverst.com
hxxp://downloads.fileserversu.com
hxxp://downloads.regzapix.com
hxxp://downloads.reggiepix.com
hxxp://downloads.migpix.com
hxxp://downloads.legomay.com
hxxp://downloads.vediway.com
hxxp://downloads.compoway.com
hxxp://downloads.crymyway.com
hxxp://downloads.fileserversa.net
hxxp://downloads.fileserversb.net
hxxp://downloads.fileserversc.net
hxxp://downloads.fileserversd.net
hxxp://downloads.fileserverse.net
hxxp://downloads.portodrive.net
hxxp://downloads.fileserversf.net
hxxp://downloads.fileserversg.net
hxxp://downloads.fileserversh.net
hxxp://downloads.fileserversi.net
hxxp://downloads.fileserversj.net
hxxp://downloads.fileserversk.net
hxxp://downloads.fileserversl.net
hxxp://downloads.fileserversm.net
hxxp://downloads.fileserversn.net
hxxp://downloads.fileserverso.net
hxxp://downloads.fileserversp.net
hxxp://downloads.fileserversq.net
hxxp://downloads.fileserversr.net
hxxp://downloads.regzavids.net
hxxp://downloads.vedivids.net
hxxp://downloads.tastyfiles.net
hxxp://downloads.restpictures.net
hxxp://downloads.modavedis.net
hxxp://downloads.fileserverss.net
hxxp://downloads.fileserverst.net
hxxp://downloads.fileserversu.net
hxxp://downloads.regzapix.net
hxxp://downloads.reggiepix.net
hxxp://downloads.migpix.net
hxxp://downloads.legomay.net
hxxp://downloads.vediway.net
hxxp://downloads.compoway.net
hxxp://downloads.restway.net
hxxp://downloads.crymyway.net
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, impersonating, Facebook, for, the, purpose, of, serving, client-side, exploits, to, socially, engineered, users, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, hosts, largely, relying, on, the, use, of, affiliate-based, type, of, fraudulent, revenue, monetizing, scheme.
In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.
Sample, URL, exploitation, chain:
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
- hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
- hxxp://spain.salefale.com/index.php
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://salefale.com - 112.137.165.114
- hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru
Sample, detection, rate, for, the, malicious, executable:
MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09
Once, executed, a, sample, malware, phones back to:
hxxp://makotoro.com
Related, malicious, C&C, server, IPs, known, to, have, participated, in, the, campaign:
hxxp://91.201.196.99
hxxp://91.201.196.77
hxxp://91.201.196.101
hxxp://91.201.196.35
hxxp://91.201.196.75
hxxp://91.201.196.76
hxxp://91.201.196.38
hxxp://91.201.196.34
hxxp://91.201.196.37
Related, malicious, C&C, server, IPs (212.175.173.88), known, to, have, participated, in, the, campaign:
hxxp://downloads.fileserversa.org
hxxp://downloads.fileserversc.org
hxxp://downloads.fileserversd.org
hxxp://downloads.portodrive.org
hxxp://downloads.fileserversj.org
hxxp://downloads.fileserversk.org
hxxp://downloads.fileserversm.org
hxxp://downloads.fileserversn.org
hxxp://downloads.fileserverso.org
hxxp://downloads.fileserversq.org
hxxp://downloads.fileserversr.org
hxxp://auth.facebook.com.megavids.org
hxxp://auth.facebook.com.fileserversl.com
hxxp://auth.facebook.com.legomay.com
hxxp://auth.facebook.com.crymyway.com
hxxp://auth.facebook.com.portodrive.net
hxxp://auth.facebook.com.modavedis.net
hxxp://auth.facebook.com.migpix.net
hxxp://auth.facebook.com.legomay.net
hxxp://auth.facebook.com.crymyway.net
hxxp://downloads.megavids.org
hxxp://downloads.regzavids.org
hxxp://downloads.vedivids.org
hxxp://downloads.restpictures.org
hxxp://downloads.modavedis.org
hxxp://downloads.fileserverst.org
hxxp://downloads.fileserversu.org
hxxp://downloads.regzapix.org
hxxp://downloads.reggiepix.org
hxxp://downloads.migpix.org
hxxp://downloads.restopix.org
hxxp://downloads.legomay.org
hxxp://downloads.vediway.org
hxxp://downloads.compoway.org
hxxp://downloads.restway.org
hxxp://downloads.crymyway.org
hxxp://downloads.fileserversa.com
hxxp://downloads.fileserversb.com
hxxp://downloads.fileserversc.com
hxxp://downloads.fileserversd.com
hxxp://downloads.fileserverse.com
hxxp://downloads.fileserversf.com
hxxp://downloads.fileserversg.com
hxxp://downloads.fileserversh.com
hxxp://downloads.fileserversi.com
hxxp://downloads.fileserversj.com
hxxp://downloads.fileserversk.com
hxxp://downloads.fileserversl.com
hxxp://downloads.fileserversm.com
hxxp://downloads.fileserversn.com
hxxp://downloads.fileserverso.com
hxxp://downloads.fileserversp.com
hxxp://downloads.fileserversq.com
hxxp://downloads.fileserversr.com
hxxp://downloads.regzavids.com
hxxp://downloads.vedivids.com
hxxp://downloads.restpictures.com
hxxp://downloads.modavedis.com
hxxp://downloads.fileserverss.com
hxxp://downloads.fileserverst.com
hxxp://downloads.fileserversu.com
hxxp://downloads.regzapix.com
hxxp://downloads.reggiepix.com
hxxp://downloads.migpix.com
hxxp://downloads.legomay.com
hxxp://downloads.vediway.com
hxxp://downloads.compoway.com
hxxp://downloads.crymyway.com
hxxp://downloads.fileserversa.net
hxxp://downloads.fileserversb.net
hxxp://downloads.fileserversc.net
hxxp://downloads.fileserversd.net
hxxp://downloads.fileserverse.net
hxxp://downloads.portodrive.net
hxxp://downloads.fileserversf.net
hxxp://downloads.fileserversg.net
hxxp://downloads.fileserversh.net
hxxp://downloads.fileserversi.net
hxxp://downloads.fileserversj.net
hxxp://downloads.fileserversk.net
hxxp://downloads.fileserversl.net
hxxp://downloads.fileserversm.net
hxxp://downloads.fileserversn.net
hxxp://downloads.fileserverso.net
hxxp://downloads.fileserversp.net
hxxp://downloads.fileserversq.net
hxxp://downloads.fileserversr.net
hxxp://downloads.regzavids.net
hxxp://downloads.vedivids.net
hxxp://downloads.tastyfiles.net
hxxp://downloads.restpictures.net
hxxp://downloads.modavedis.net
hxxp://downloads.fileserverss.net
hxxp://downloads.fileserverst.net
hxxp://downloads.fileserversu.net
hxxp://downloads.regzapix.net
hxxp://downloads.reggiepix.net
hxxp://downloads.migpix.net
hxxp://downloads.legomay.net
hxxp://downloads.vediway.net
hxxp://downloads.compoway.net
hxxp://downloads.restway.net
hxxp://downloads.crymyway.net
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
About the author
Donec non enim in turpis pulvinar facilisis. Ut felis. Praesent dapibus, neque id cursus faucibus. Aenean fermentum, eget tincidunt.
