Historical OSINT - Haiti-themed Blackhat SEO Campaign Serving Scareware Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, spreading, malicious, software, largely, relying, on, a, pre-defined, set, of, compromised, hosts, for, the, purpose, of, spreading, malicious, software, further, expanding, a, specific, botnet's, infected, population, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, access, to, the, infected, hosts, largely, relying, on, an, affiliate-based, type, of, monetizing, scheme.

In, this, post, we'll, profile, a, currently, circulating, malicious, black, hat, SEO (search engine optimization), campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, portfolio, of, affected, Web, sites:
hxxp://austinluce.co.uk
hxxp://naukatanca.co.uk
hxxp://truenorthinnovation.co.uk
hxxp://robsonsofwolsingham.co.uk
hxxp://daviddewphotography.co.uk

Sample, URL, redirection, chain:
hxxp://sciencefirst.com/?red=haiti-earthquake-donate
    - hxxp://otsosute.freehostia.com/c.html
        - hxxp://scan-now24.com/go.php?id=2022&key=4c69e59ac&d=1

Sample, URL, redirection, chain:
hxxp://lipsticpi.ru/sm/r.php
    - hxxp://uscaau.com/back.php
        - hxxp://sekuritylistsite.com/hitin.php?land=20&affid=94801
            - hxxp://mypremiumantyspywarepill.com/hitin.php?land=20&affid=94801
                - hxxp://mypremiumantyspywarepill.com/index.php?affid=94801

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: ebc956abadefdac794ebcd1898ea07cf

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: d65a5d1ab98bd690dccd07cb6eebcba3

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://mypremiumantyspywarepill.com/in.php?affid=94801
hxxp://greatnorthwill.com/?mod=vv&i=1&id=11-18

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://getholidaypresent0.com - 204.12.225.83
hxxp://getholidaypresent2.com
hxxp://getholidaypresent3.com
hxxp://scan-now22.com
hxxp://scan-now23.com
hxxp://scan-now24.com
hxxp://santaclaus4.com
hxxp://getholidaypresent5.com
hxxp://getholidaypresent7.com

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://freeantyviruspillblog.com - 213.163.91.240
hxxp://newgoodantyspywarepill.com
hxxp://mypremiumantyspywarepill.com
hxxp://freegoodantyviruspill.com
hxxp://freeantyspywarepillshop.com
hxxp://thevirustoolbox.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercrimianals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, thousands, of, newly, affected, users, globally, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, botnet's, population, largely, relying, on, the, utilization, of, affiliate-based, type, of, fraudulent, revenue, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, impersonating, Facebook, for, the, purpose, of, serving, client-side, exploits, to, socially, engineered, users, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, hosts, largely, relying, on, the, use, of, affiliate-based, type, of, fraudulent, revenue, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.

Sample, URL, exploitation, chain:
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
    - hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
        - hxxp://spain.salefale.com/index.php

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://salefale.com - 112.137.165.114
    - hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru
       
Sample, detection, rate, for, the, malicious, executable:
MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09

Once, executed, a, sample, malware, phones back to:
hxxp://makotoro.com

Related, malicious, C&C, server, IPs, known, to, have, participated, in, the, campaign:
hxxp://91.201.196.99
hxxp://91.201.196.77
hxxp://91.201.196.101
hxxp://91.201.196.35
hxxp://91.201.196.75
hxxp://91.201.196.76
hxxp://91.201.196.38
hxxp://91.201.196.34
hxxp://91.201.196.37

Related, malicious, C&C, server, IPs (212.175.173.88), known, to, have, participated, in, the, campaign:
hxxp://downloads.fileserversa.org
hxxp://downloads.fileserversc.org
hxxp://downloads.fileserversd.org
hxxp://downloads.portodrive.org
hxxp://downloads.fileserversj.org
hxxp://downloads.fileserversk.org
hxxp://downloads.fileserversm.org
hxxp://downloads.fileserversn.org
hxxp://downloads.fileserverso.org
hxxp://downloads.fileserversq.org
hxxp://downloads.fileserversr.org
hxxp://auth.facebook.com.megavids.org
hxxp://auth.facebook.com.fileserversl.com
hxxp://auth.facebook.com.legomay.com
hxxp://auth.facebook.com.crymyway.com
hxxp://auth.facebook.com.portodrive.net
hxxp://auth.facebook.com.modavedis.net
hxxp://auth.facebook.com.migpix.net
hxxp://auth.facebook.com.legomay.net
hxxp://auth.facebook.com.crymyway.net
hxxp://downloads.megavids.org
hxxp://downloads.regzavids.org
hxxp://downloads.vedivids.org
hxxp://downloads.restpictures.org
hxxp://downloads.modavedis.org
hxxp://downloads.fileserverst.org
hxxp://downloads.fileserversu.org
hxxp://downloads.regzapix.org
hxxp://downloads.reggiepix.org
hxxp://downloads.migpix.org
hxxp://downloads.restopix.org
hxxp://downloads.legomay.org
hxxp://downloads.vediway.org
hxxp://downloads.compoway.org
hxxp://downloads.restway.org
hxxp://downloads.crymyway.org
hxxp://downloads.fileserversa.com
hxxp://downloads.fileserversb.com
hxxp://downloads.fileserversc.com
hxxp://downloads.fileserversd.com
hxxp://downloads.fileserverse.com
hxxp://downloads.fileserversf.com
hxxp://downloads.fileserversg.com
hxxp://downloads.fileserversh.com
hxxp://downloads.fileserversi.com
hxxp://downloads.fileserversj.com
hxxp://downloads.fileserversk.com
hxxp://downloads.fileserversl.com
hxxp://downloads.fileserversm.com
hxxp://downloads.fileserversn.com
hxxp://downloads.fileserverso.com
hxxp://downloads.fileserversp.com
hxxp://downloads.fileserversq.com
hxxp://downloads.fileserversr.com
hxxp://downloads.regzavids.com
hxxp://downloads.vedivids.com
hxxp://downloads.restpictures.com
hxxp://downloads.modavedis.com
hxxp://downloads.fileserverss.com
hxxp://downloads.fileserverst.com
hxxp://downloads.fileserversu.com
hxxp://downloads.regzapix.com
hxxp://downloads.reggiepix.com
hxxp://downloads.migpix.com
hxxp://downloads.legomay.com
hxxp://downloads.vediway.com
hxxp://downloads.compoway.com
hxxp://downloads.crymyway.com
hxxp://downloads.fileserversa.net
hxxp://downloads.fileserversb.net
hxxp://downloads.fileserversc.net
hxxp://downloads.fileserversd.net
hxxp://downloads.fileserverse.net
hxxp://downloads.portodrive.net
hxxp://downloads.fileserversf.net
hxxp://downloads.fileserversg.net
hxxp://downloads.fileserversh.net
hxxp://downloads.fileserversi.net
hxxp://downloads.fileserversj.net
hxxp://downloads.fileserversk.net
hxxp://downloads.fileserversl.net
hxxp://downloads.fileserversm.net
hxxp://downloads.fileserversn.net
hxxp://downloads.fileserverso.net
hxxp://downloads.fileserversp.net
hxxp://downloads.fileserversq.net
hxxp://downloads.fileserversr.net
hxxp://downloads.regzavids.net
hxxp://downloads.vedivids.net
hxxp://downloads.tastyfiles.net
hxxp://downloads.restpictures.net
hxxp://downloads.modavedis.net
hxxp://downloads.fileserverss.net
hxxp://downloads.fileserverst.net
hxxp://downloads.fileserversu.net
hxxp://downloads.regzapix.net
hxxp://downloads.reggiepix.net
hxxp://downloads.migpix.net
hxxp://downloads.legomay.net
hxxp://downloads.vediway.net
hxxp://downloads.compoway.net
hxxp://downloads.restway.net
hxxp://downloads.crymyway.net

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection

In, a, cybercrime, dominated, by, fraudulent, propositions, historical, OSINT, remains, a, crucial, part, in, the, process, of, obtaining, actionable. intelligence, further, expanding, a, fraudulent, infrastructure, for, the, purpose, of, establishing, a, direct, connection, with, the, individuals, behind, it. Largely, relying, on, a, set, of, tactics, techniques, and, procedures, cybercriminals, continue, further, expanding, their, fraudulent, infrastructure, successfully, affecting, hunreds, of, thousands, of, users, globally, further, earning, fraudulent, revenue, in, the, process, of, committing, fraudulent, activity, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

In, this, post, we'll, discuss, a, black, hat, SEO (search engine optimization), campaign, intercepted, in, 2009, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, successfully, establishing, a, direct, connection, with, the, Koobface, gang.

The, Koobface, gang, having, successfully, suffered, a, major, take, down, efforts, thanks, to, active, community, and, ISP (Internet Service Provider), cooperation, has, managed, to, successfully, affect, a, major, proportion, of, major, social, media, Web, sites, including, Facebook, and, Twitter, for, the, purpose, of, further, spreading, the, malicious, software, served, by, the, Koobface, gang, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, fake, security, software, and, the, reliance, on, a, fraudulent, affiliate-network, based, type, of, monetizing, scheme.

Largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, including, social, media, propagation, black, hat, SEO (search engine optimization), and, client-side, exploits, the, Koobface, gang, has, managed, to, successfully, affect, hundreds, of, thousands, of, users, globally, successfully, populating, social, media, networks, such, as, Facebook, and, Twitter, with, rogue, and, bogus, content, for, the, purpose, of, spreading, malicious, software, and, earning, fraudulent, revenue, in, the, process, largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, affiliate-network, based, traffic, monetizing, scheme.

Let's, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, with, the, Koobface, gang, and, the, Koobface, botnet's, infrastructure.

Sample URL, redirection, chain:
hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901; -> http://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> hxxp://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56

Sample, detection, rate, for, a, malicious, executable:MD5: bd7419a376f9526719d4251a5dab9465


Sample, URL, redirection, chain, leading, to, client-side, exploits:
hxxp://loomoom.in/counter.js - 64.20.53.84 - the front page says "We are under DDOS attack. Try later".
hxxp://firefoxfowner.cn/?pid=101s06&sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=101s6&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZT0xMjUxNMkNPAhN

Sample, detection, rate, for, a, malicious, executable:
MD5: a91a1bb995e999f27ffc5d9aa0ac2ba2

Once, executed, a, sample, malware, phones, back, to:
hxxp://systemcoreupdate.com/download/timesroman.tif - 213.136.83.234

Sample, URL, redirection, chain:
hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is also left "We are under DDOS attack. Try later"
hxxp://johnsmith.in/counter.js - 64.20.53.86
hxxp://gamotoe.in/counter.js
hxxp://polofogoma.in/counter.js
hxxp://jajabin.in/counter.js
hxxp://dahaloho.in/counter.js
hxxp://gokreman.in/counter.js
hxxp://freeblogcounter2.com/counter.js
hxxp://lahhangar.in/counter.js
hxxp://galorobap.in/counter.js

Sample, directory, structure, for, the, black, hat, SEO (search engine optimization), campaign:
hxxp://images/include/bmblog
hxxp://bmblog/category/art/
hxxp://images/style/bmblog
hxxp://photos/archive/bmblog/
hxxp://templates/img/bmblog
hxxp://phpsessions/bmblog
hxxp://Index_archivos/img/bmblog/
hxxp://bmblog/category/hahahahahah/
hxxp://gallery/include/bmblog

Sample, malicious, domains, participating, in, the, campaign:
pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com
securitytoolnow.com - Email: ronaldmpappas@dodgit.com
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com
security-utility.net - Email: richardrmccullough@trashymail.com

Historically on the same IP were parked the following, now responding to 91.212.107.37 domains:
online-spyware-remover.biz - Email: robertsimonkroon@gmail.com
online-spyware-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.biz  - Email: robertsimonkroon@gmail.com
spyware-online-remover.com - Email: robertsimonkroon@gmail.com
spyware-online-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.net - Email: robertsimonkroon@gmail.com
spyware-online-remover.org - Email: robertsimonkroon@gmail.com
tubepornonline.biz - Email: robertsimonkroon@gmail.com
tubepornonline.org - Email: robertsimonkroon@gmail.com

Sample, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://antyspywarestore.com/index.php?affid=90400
hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcdermott@gmail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 0feffd97ffe3ecc875cfe44b73f5653b
MD5: a0d9d3127509272369f05c94ab2acfc9

Naturally, it gets even more interesting, in particular the fact the very same robertsimonkroon@gmail.com used to register the domains historically parked at the IP that is currently hosting the scareware domains part of the massive blackhat SEO campaign -- the very same domains (hxxp://firefoxfowner.cn), were also in circulation on Koobface infected host, in a similar fashion when the domains used in the New York Times malvertising campaign were simultaneously used in blackhat SEO campaigns managed by the Koobface gang -- have not only been seen in July's scareware campaigns -- but also, has been used to register actual domains used as a download locations for the scareware campaigns part of the Koobface botnet's scareware business model.

Parked, at, the, same, malicious, IP (91.212.107.37), are, also, the, following, malicious, domains:
hxxp://free-web-download.com
hxxp://web-free-download.com
hxxp://iqmediamanager.com
hxxp://oesoft.eu
hxxp://unsoft.eu
hxxp://losoft.eu
hxxp://tosoft.eu
hxxp://kusoft.eu

Sample, detection, rate, for, a, malicious, executable:
MD5: 29ff816c7e11147bb74570c28c4e6103
MD5: e59b66eb1680c4f195018b85e6d8b32b
MD5: b34593d884a0bc7a5adb7ab9d3b19a2c

The overwhelming evidence of underground multi-tasking performed by the Koobface gang, it's connections to money mule recruitment scams, high profile malvertising attacks, and current market share leader in blackhat SEO campaigns, made, the, group, a, prominent, market, leader, within, the, cybercrime, ecosystem, having, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, earning, hundreds, of, thousands, in, fraudulent, revenue, in, the, process.

Related posts:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign

There's no such thing as free porn, unless there are client-side, exploits, served.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, end, users, into, clicking, on, malware-serving, client-side, exploits, embedded, content, for, the, purpose, of, affecting, a, socially, engineered, user''s, host, further, monetizing, access, by, participating, in, a, rogue, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, malicious, URL, known, to, have, participated, in, the, campaign:
hxxp://jfkweb.chez.com/HytucztXRs.html? -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=6 -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=14 -> hxxp://meganxoxo.com - 74.222.13.2 - associated, name, servers: ns1.tube310.info; ns2.tube310.info - 74.222.13.24

Parked there (74.222.13.2) are also:
hxxp://e-leaderz.com - Email: seoproinc@gmail.com
hxxp://babes4you.info - 74.222.13.25
hxxp://tubexxxx.info
hxxp://my-daddy.info - 74.222.13.25

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://eroticahaeven.info
hxxp://freehotbabes.info
hxxp://freepornportal.info
hxxp://hot-babez.info
hxxp://sex-sexo.info
hxxp://tube310.info
hxxp://tube323.info

The exploitation structure is as follows:
hxxp://meganxoxo.com/xox/go.php?sid=6 -> hxxp://kibristkd.org.tr/hasan-ikizer/index01.php -> hxxp://fd1a234sa.com/js - 79.135.152.26 -> hxxp://asf356ydc.com/qual/index.php - CVE-2008-2992; CVE-2009-0927; CVE-2010-0886 -> hxxp://asf356ydc.com/qual/52472f502b9688d3326a32ed5ddd5d2c.js ->  hxxp://asf356ydc.com/qual/abe9c321312b206bffa798ef9d5b6a9b.php?uid=206369 -> hxxp://188.243.231.39/public/qual.jar ->  hxxp://asf356ydc.com/qual/load.php/0a3584217553d6fccbd74cfb73e954b6?forum=thread_id -> hxxp://asf356ydc.com/download/stat.php -> hxxp://asf356ydc.com/download/load/load.exe

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://jfkweb.chez.com/frank4.html - CVE-2010-0886
    - hxxp://jfkweb.chez.com/bud2.html
        - hxxp://jfkweb.chez.com/4.html
            - hxxp://wemhkr3t4z.com/qual/load/myexebr.exe
                - hxxp://asf356ydc.com/download/index.php
                    - hxxp://89.248.111.71/qual/load.php?forum=jxp&ql
                        - hxxp://asf356ydc.com/qual/index.php

Related, malicious, URls, known, to, have, participated, in, the, campaign:
hxxp://qual/10964108e3afab081ed1986cde437202.js
hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php?spn=2&uid=213393&
hxxp://qual/index.php?browser_version=6.0&uid=213393&browser=MSIE&spn=2

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://download/banner.php?spl=javat
hxxp://download/j1_ke.jar
hxxp://download/j2_93.jar

parked on 89.248.111.71, AS45001, Interdominios_ono Grupo Interdominios S.A.
wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
hxxp://alhatester.com/cp/file.exe - 204.11.56.48; 204.11.56.45; 8.5.1.46; 208.73.211.230; 208.73.211.247; 208.73.211.249; 208.73.211.246; 208.73.211.233; 208.73.211.238; 208.73.211.208

Known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs, are, also, the, following, malicious, MD5s:
MD5: 89fb419120d1443e86d37190c8f42ae8
MD5: 3194e6282b2e51ed4ef186ce6125ed73
MD5: 7f42da8b0f8542a55e5560e86c4df407
MD5: f8bdc841214ae680a755b2654995895e
MD5: ed8062e152ccbe14541d50210f035299

Once, executed, a, sample, malware (MD5: 89fb419120d1443e86d37190c8f42ae8), phones, back, to, the, following, C&C, server, IPs:
hxxp://gremser.eu
hxxp://bibliotecacenamec.org.ve
hxxp://fbpeintures.com
hxxp://postgil.com
hxxp://verum1.home.pl
hxxp://przedwislocze.internetdsl.pl
hxxp://iskurders.webkursu.net
hxxp://pennthaicafe.com.au
hxxp://motherengineering.com
hxxp://krupoonsak.com

Once, executed, a, sample, malware (MD5: 3194e6282b2e51ed4ef186ce6125ed73), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://get.enomenalco.club
hxxp://promos-back.peerdlgo.info
hxxp://get.cdzhugashvili.bid
hxxp://doap.ctagonallygran.bid
hxxp://get.gunnightmar.club
hxxp://huh.adowableunco.bid
hxxp://slibby.ineddramatiseo.bid

Once, executed, a, sample, malware (MD5: 7f42da8b0f8542a55e5560e86c4df407), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://acemoglusucuklari.com.tr
hxxp://a-bring.com
hxxp://tn69abi.com
hxxp://gim8.pl
hxxp://sso.anbtr.com

Once, executed, a, sample, malware (MD5: f8bdc841214ae680a755b2654995895e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.secdls.com
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com
hxxp://api.v2.sslsecure4.com
hxxp://api.v2.sslsecure5.com
hxxp://api.v2.sslsecure6.com
hxxp://api.v2.sslsecure7.com
hxxp://api.v2.sslsecure8.com

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://v00d00.org/nod32/grabber.exe - - 67.215.238.77; 67.215.255.139; 184.168.221.87

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (67.215.238.77):
MD5: 1233c86d3ab0081b69977dbc92f238d0

Known, to, have, responded, to, the, same, malicious, IPs, are, also, the, following, malicious, domains:
hxxp://blog.symantecservice37.com
hxxp://agoogle.in
hxxp://adv.antivirup.com
hxxp://cdind.antivirup.com

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://v00d00.org/nod32/update.php

Known, to, have, responded, to, the, same, malicious, IPs (67.215.255.139), are, also, the, following, malicious, domains:
hxxp://lenovoserve.trickip.net
hxxp://proxy.wikaba.com
hxxp://think.jkub.com
hxxp://upgrate.freeddns.com
hxxp://webproxy.sendsmtp.com
hxxp://yote.dellyou.com
hxxp://lostself.dyndns.info
hxxp://dellyou.com
hxxp://mtftp.freetcp.com
hxxp://ftp.adobe.acmetoy.com
hxxp://timeout.myvnc.com
hxxp://fashion.servehalflife.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (67.215.255.139):
MD5: e76aa56b5ba3474dda78bf31ebf1e6c0
MD5: 4de5540e450e3e18a057f95d20e3d6f6
MD5: 346a605c60557e22bf3f29a61df7cd21
MD5: ae9fefda2c6d39bc1cec36cdf6c1e6c4
MD5: da84f1d6c021b55b25ead22aae79f599

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (184.168.221.87), are, also, the, following, malicious, domains:
hxxp://teltrucking.com
hxxp://capecoraldining.org
hxxp://carsforsaletoronto.com
hxxp://joeyboca.com
hxxp://meeraamacids.com
hxxp://orangepotus.com
hxxp://palmerhardware.com
hxxp://railroadtohell.com

Related, malicious, MD5s, known, to, have, phoned, back, the, same, malicious, C&C, server, IPs (184.168.221.87):MD5: 037f8120323f2ddff3c806185512538c
MD5: 44f0e8fe53a3b489cb5204701fa1773d
MD5: 8a053e8d3e2eafc27be9738674d4d5b0
MD5: 9efc79cd75d23070735da219c331fe4d
MD5: ed81b9f1b72e31df1040ccaf9ed4393f

Once, executed, a, sample, malware (MD5: 037f8120323f2ddff3c806185512538c), phones, back, to, the, following, C&C, server, IPs:
hxxp://porno-kuba.net/emo/ld.php?v=1&rs=1819847107&n=1&uid=1

Once, executed, a, sample, malware, (MD5: 44f0e8fe53a3b489cb5204701fa1773d), phones, back, to, the, following, C&C, server, IPs:
hxxp://mhc.ir
hxxp://naphooclub.com
hxxp://mdesigner.ir
hxxp://nazarcafe.com
hxxp://meandlove.com
hxxp://nakhonsawangames.com
hxxp://mevlanacicek.com
hxxp://meeraprabhu.com
hxxp://micr.ae
hxxp://myhyderabadads.com
hxxp://cup-muangsuang.net

Sample, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://portinilwo.com/nhjq/n09230945.asp
    - hxxp://portinilwo.com/botpanel/sell2.jpg
        - hxxp://portinilwo.com/boty.dat
            - hxxp://91.188.60.161/botpanel/sell2.jpg
                - hxxp://91.188.60.161/botpanel/ip.php

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related, malicious, domains, known, to, have, participated, in, the, campaign:
asf356ydc.co
kaljv63s.com
sadkajt357.com

We'll, continue, monitoring, the, fraudulent, infrastructure, and, post, updates, as, soon, as, new, developments, take, place.