We've recently intercepted yet another malicious malware campaign affecting Google Play, exposing unsuspecting users to a multitude of malicious software.
In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.
Malicious MD5s known to have participated in the campaign:
MD5: 1c87344c24d8316c8f408a6f0396aa43
MD5: 390e66ffaccaa557a8d5c43c8f3a20a9
MD5: 8e2f8c52f4bb8a4e7f8393aa4a0536e1
MD5: ada4b19d5348fecffd8e864e506c5a72
Once executed, a sample malware phones back to the following C&C server:
hxxp://telbux.pw - 176.9.138.114
Malicious MD5s known to have been downloaded from the same C&C server IP (176.9.138.114):
MD5: f8471c153414b65bbeb80880dc30da0a
MD5: 5955411fe84c10fa6af7e40bf40dcdac
MD5: ec3e5125190d76c19ca1c0c9172ac930
MD5: 0551f10503369f12cd975468bff6d16a
MD5: 1127390826a9409f6fd7ad99c4d4af18
Once executed, a sampled malware phones back to the following C&C servers:
hxxp://144.76.70.213
hxxp://joyappstech.biz - 136.243.240.229
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Monday, May 16, 2016
Mobile Malware Hits Google Play, Hundreds of Users Affected
We've recently intercepted yet another malicious campaign utilizing Google Play for the purpose of serving malicious software to unsuspecting users.
In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.
Malicious MD5s known to have participated in the campaign:
MD5: 3e57ef2802977c3c852a94bab131c84b
Known C&C servers that are part of the campaign:
hxxp://localbitcoinsfast.com - 198.105.215.251
hxxp://newdesigns2016.biz - 190.97.166.230
Once executed, the sample phones back to the following C&C server:
hxxp://netspendexpress.biz - 68.71.49.24
Known to have phoned back to the same malicious C&C server IP (198.105.215.251) are also the following malicious MD5s:
MD5: c1b3912711dceab2cfb86f920eb69919
Once executed, a sample malware phones back to the following C&C servers:
hxxp://drone.hosterbox.com (68.71.49.24; 68.71.49.25; 142.4.12.128)
Malicious MD5s known to have phoned back to the same C&C server IP (68.71.49.24):
MD5: 7453f9445512e48357d91491b0e32134
MD5: 138c9475d4dc80185d4d3dd612c89d50
MD5: 2be0a8f626430d6c3c9588b55253ef95
We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Intercepted, Thousands of Users Affected
We've recently intercepted a new mobile malware variant targeting users internationally and exposing their devices to a multitude of malicious software.
In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.
Sample malicious MD5s used in the campaign:
MD5: 4f1696cc06bdab9508ba3434edab2f49
MD5: 15ef763ba561eb91b5790906505f0f79
MD5: 890dfd6b50b7ca870ceb04762725b8a6
MD5: 4a3b68aeb96ef0f26f855f6afb688a3c
MD5: c729ce2babce74998726257f167da62e
MD5: 3db50821ff074a70dcbc5c31c0a78e14
Once executed, a sample malware phones back to the following C&C server:
hxxp://alfabrong.eu/data/id=39759ac6-0898-424b-9e0d-790edfaa700e - 5.101.117.79; 5.187.4.15
Known to have responded to the same malicious C&C server (5.101.117.79) are also the following malicious domains:
hxxp://bugstracking.xyz
hxxp://bugstrucking.xyz
hxxp://ssd850pro.pw
hxxp://forclonabster.eu
hxxp://bugtracking.biz
hxxp://directplaytds.com
hxxp://forclonabster.xyz
hxxp://alfabrong.eu
hxxp://innotion.pw
Known to have responded to the same malicious C&C server (5.187.4.15) are also the following malicious C&C servers:
hxxp://alfabrong.eu
hxxp://hyperlabs.biz
hxxp://nkprus.ru
hxxp://programmiandroid.org
We'll continue monitoring the campaign and will post updates as soon as new developments take place.

Mobile Malware Hits Google Play, Hundreds of Users Affected
We've recently intercepted yet another mobile malware variant affecting Google Play, with the cybercriminals behind it exposing its users to a multitude of malicious software.
In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.
Malicious MD5s used in the campaign:
MD5: 7f55e0b91f5151328e779a3a425fc241
MD5: 91139d1dfa5df1f18c7f40192b2c49ce
Once executed, a sample phones back to the following C&C server:
hxxp://mob-stats.com - 5.149.252.2
Known C&C server used in the campaign:
hxxp://update-sys-android.com/upd.php - 192.99.99.186
Once executed, a sample malware phones back to the following C&C servers:
hxxp://counter.wapstart.ru - 185.127.149.76; 81.19.95.17
hxxp://goalez.com - 91.219.195.3; 91.219.194.43; 91.219.194.8
Known to have phoned back to the same C&C server (185.127.149.76; 81.19.95.17) are also the following malicious MD5s:
MD5: c8afecd653d4b0b7ea48de13d6001a31
MD5: bfdb43b0f44a986c2cb495c38746cd23
Once executed, a sample malware phones back to the following C&C servers:
hxxp://kingwar.mgates.ru - 148.251.154.17
hxxp://counter.wapstart.ru - 185.127.149.76
Known to have phoned back to the same malicious C&C server (91.219.195.3) are also the following malicious MD5s:
MD5: 3ad15daf656a06bf850ea6973192ae47
MD5: 117b8362a54ece041307a136aceeb92c
MD5: 4dbdfaf3e8f5a09a7a4b82024f1c1072
MD5: 1521e73bb153f31015ab037f979602bc
MD5: 25318484bab66e0e8762c9fc5a1f888d
Once executed, a sample malware phones back to the following C&C servers:
hxxp://forces.may-trade.ru - 185.82.216.58
hxxp://plusfiles.890m.com - 91.219.195.3
Known to have been downloaded from the same malicious C&C server IP (91.219.194.8) are also the following malicious MD5s:
MD5: 31ad2a5a5d02e6c5e55817386b8eec01
MD5: 0815607c938c4f2088569be34ff57141
MD5: f629111b34e8e4d97ee26d2c6b19db96
MD5: 29d87de6b476fc1a873962ae04bbe206
MD5: a27158c55555ff2953e0a54a9996713d
Known to have phoned back to the same malicious C&C server IP (91.219.194.43) are also the following malicious MD5s:
MD5: 76dd60b9f406be3b808db6fca2d856ff
MD5: ad33371a2495a0f9236c988f7024edb1
Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://mu.sanek.com - 208.73.211.168
hxxp://muforum.info - 91.219.194.43
hxxp://best-hoster-group.ru - 91.219.193.252
hxxp://best-hoster.ru - 91.219.193.252
hxxp://freeller.net - 91.219.193.254
hxxp://hostagent.ru - 77.222.40.254
hxxp://ksdnewr.com - 192.64.147.242
We'll continue monitoring the campaign and post updates as soon as new developments take place.

Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Affected
We've recently intercepted a currently circulating malicious campaign affecting hundreds of Web sites and exposing users to a multitude of malicious software.
In this post, we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.
Malicious URLs used in the campaign:
hxxp://default7.com - 199.48.227.25
hxxp://test246.com - 54.208.99.166
hxxp://test0.com - 72.52.4.119
hxxp://distinctfestive.com - 54.208.99.166
hxxp://ableoccassion.com - 54.208.99.166
Sample malware used in the campaign:
MD5: 9854f14ca653ee7c6bf6506d823f7371
Once executed, a sample malware phones back to the following C&C server:
hxxp://intva31.homelandcustom.info (52.6.18.250)
Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def
Once executed, a sample malware phones back to the following C&C servers:
hxxp://ii55.net (69.172.201.153)
hxxp://rwai.net (54.208.99.166)
Known to have phoned back to the same malicious C&C server IP (69.172.201.153) are also the following malicious MD5s:
MD5: 5979f69be8b6716c0832b6831c398914
MD5: a27083ff19b187cbc64644bc10d2af11
MD5: b9306bb08ac502c7bcaf3d7e0cd9d846
MD5: cd34980dda700d07b93eef7910a2a8be
MD5: b708860e7962b10e26568c9b037765df
Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: 9854f14ca653ee7c6bf6506d823f7371
MD5: 90a88230d5b657ced3b2d71162a33cff
MD5: 70465233d93aa88868d7091454592a80
MD5: f8e21525c6848f45e4ab77aee05f0a28
Related malicious MD5s known to have phoned back to the same malicious C&C server (54.208.99.166):
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def
We'll continue monitoring the campaign and post updates as soon as new developments take place.
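The posts above publish their indicators as defanged hxxp:// URLs followed by the resolved IPs, plus bare MD5 lists, and they link samples to each other through the C&C IP they share. As an added example, not code from this blog or its author, the Python below parses a few of those lines copied from this page, checks constructed DNS and proxy log lines and an endpoint file-hash inventory against them, and recomputes the shared-IP pivot the posts rely on. The log format, the client addresses and the selection of lines in IOC_TEXT are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: a handful of indicator lines copied from the lists
# on this page, in the same defanged 'hxxp://host - ip; ip' and 'MD5: ...' format.
IOC_TEXT = """
MD5: 1c87344c24d8316c8f408a6f0396aa43
MD5: 7f55e0b91f5151328e779a3a425fc241
hxxp://telbux.pw - 176.9.138.114
hxxp://goalez.com - 91.219.195.3; 91.219.194.43; 91.219.194.8
hxxp://drone.hosterbox.com (68.71.49.24; 68.71.49.25; 142.4.12.128)
hxxp://alfabrong.eu/data/id=39759ac6-0898-424b-9e0d-790edfaa700e - 5.101.117.79; 5.187.4.15
hxxp://best-hoster-group.ru - 91.219.193.252
hxxp://best-hoster.ru - 91.219.193.252
hxxp://bugstracking.xyz
"""

MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})\s*$")
HOST_RE = re.compile(r"^hxxps?://([^\s/(]+)", re.IGNORECASE)  # host part of a defanged URL
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class IocSet:
    md5: Set[str] = field(default_factory=set)
    hosts: Dict[str, Set[str]] = field(default_factory=dict)  # host -> IPs listed with it

    @property
    def ips(self) -> Set[str]:
        return set().union(*self.hosts.values())


def parse_iocs(text: str) -> IocSet:
    """Turn the posts' indicator lines into lookup sets; hosts without IPs are kept too."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MD5_RE.match(line)
        if m:
            iocs.md5.add(m.group(1).lower())
            continue
        m = HOST_RE.match(line)
        if m:
            host = m.group(1).lower()
            # Resolved IPs follow the URL, separated by ' - ', ';' or parentheses.
            iocs.hosts.setdefault(host, set()).update(IPV4_RE.findall(line[m.end():]))
    return iocs


def matching_host(query: str, iocs: IocSet) -> Optional[str]:
    """Return the indicator host that `query` equals or is a subdomain of, if any."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs.hosts:
            return candidate
    return None


# Constructed log lines (not from the page): a DNS query log and a proxy log in an
# assumed key=value format; 93.184.216.34 and www.example.com are benign filler.
SAMPLE_LOGS = [
    "2016-05-16T10:01:02Z dns client=10.0.0.5 query=telbux.pw type=A",
    "2016-05-16T10:01:03Z proxy client=10.0.0.5 dst=176.9.138.114:80 method=POST path=/",
    "2016-05-16T10:02:11Z dns client=10.0.0.7 query=www.example.com type=A",
    "2016-05-16T10:03:45Z proxy client=10.0.0.9 dst=91.219.194.8:80 method=GET path=/",
    "2016-05-16T10:04:00Z dns client=10.0.0.9 query=cdn.bugstracking.xyz type=A",
    "2016-05-16T10:05:30Z proxy client=10.0.0.7 dst=93.184.216.34:443 method=CONNECT path=-",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>dns|proxy)\s+client=(?P<client>\S+)\s+"
    r"(?:query=(?P<query>\S+)|dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+)"
)


def find_hits(log_lines: List[str], iocs: IocSet) -> List[Tuple[str, str, str]]:
    """Return (client, indicator_type, indicator) for every log line touching known C&C."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("query"):
            host = matching_host(m.group("query"), iocs)
            if host:
                hits.append((m.group("client"), "host", host))
        elif m.group("dst") in iocs.ips:
            hits.append((m.group("client"), "ip", m.group("dst")))
    return hits


def check_hashes(observed_md5s: List[str], iocs: IocSet) -> Set[str]:
    """Intersect an endpoint's file-hash inventory with the known-bad MD5s."""
    return {h.lower() for h in observed_md5s} & iocs.md5


def shared_ips(iocs: IocSet) -> Dict[str, Set[str]]:
    """IPs that several indicator hosts resolve to: the pivot the posts use to link samples."""
    by_ip: Dict[str, Set[str]] = {}
    for host, ips in iocs.hosts.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) > 1}


IOCS = parse_iocs(IOC_TEXT)

if __name__ == "__main__":
    for client, kind, value in find_hits(SAMPLE_LOGS, IOCS):
        print(f"{client} contacted known C&C {kind} {value}")
    print("shared infrastructure:", shared_ips(IOCS))
```

Matching DNS queries by suffix (so a lookup of cdn.bugstracking.xyz still flags bugstracking.xyz) is the behaviour an analyst usually wants for C&C domains, while the proxy check stays an exact IP match because several of the listed IPs belong to shared hosters and a broader match would be noisy.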
Tags: Blackhat SEO, Botnet, Hacking, Information Security, Malicious Software, Search Engine Optimization, Security
