In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, malicious, releases, successfully, generating, hundreds, of, thousands, of, fraudulent, revenue, while, populating, their, botnet's, infected, population, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.
We've, recently, intercepted, a, currently, active, malvertising, campaign, affecting, FoxNews, successfully, enticing, users, into, executing, malicious, software, on, the, the, affected, PCs, with, the, cybercriminals, behind, it, successfully, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.
In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Sample, URL, redirection, chain:
hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174
- hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)
- hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194
- hxxp://http://redirectclicks.com/?accs=845&tid=339
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://truconv.com - 78.46.88.202
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (78.46.88.202):
MD5: 473e3615795609a091a2f2d3d1be2d00
MD5: 9e51c29682a6059b9b636db8bf7dcc25
MD5: 08a50ebcaa471cd45b3561c33740136d
MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1
MD5: fcdd2790dd5b1898ef8ee29092dca757
Once, executed, a, sample, malware (MD5: 473e3615795609a091a2f2d3d1be2d00), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yaskiya.cyberfight.de - 78.46.88.202
Once, executed, a, sample, malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://myweb111111.go.3322.org
hxxp://35free.net - 5.61.39.56
hxxp://newsoft1.go.3322.org
hxxp://newsoft11.go.3322.org
Once, executed, a, sample, malware (MD5: 08a50ebcaa471cd45b3561c33740136d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://darthvader.dyndns.tv
hxxp://www12.subdomain.com - 78.46.88.202
Once, executed, a, sample, malware (MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://tundeghanawork.co.gp - 78.46.88.202
Once, executed, a, sample, malware (MD5: fcdd2790dd5b1898ef8ee29092dca757), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsoft.go.3322.org - 221.130.179.36
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://users6.nofeehost.com - 67.208.91.110
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: c9ca43032633584ff2ae4e4d7442f123
MD5: a099766f448acd6b032345dfd8c5491d
MD5: da39ccb40b1c80775e0aa3ab7cefb4b0
MD5: 85750b93319bd2cf57e445e1b4850b08
MD5: e521b31eb97d6d25e3d165f2fe9ca3ba
Once, executed, a, sample, malware (MD5: c9ca43032633584ff2ae4e4d7442f123), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.tokoholapisa.com - 54.229.133.176
hxxp://down2load.net - 69.172.201.153
hxxp://cdn.download2013.net - 185.152.65.38
Once, executed, a, sample, malware (MD5: a099766f448acd6b032345dfd8c5491d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (176.74.176.178):
MD5: 116d07294fb4b78190f44524145eb200
MD5: f9e71f66e3aae789b245638a00b951a8
MD5: 1d6d4a64a9901985b8a005ea166df584
MD5: acfa1a5f290c7dd4859b56b49be41038
MD5: b63fd04a8cdf69fb7215a70ccd0aef27
Once, executed, a, sample, malware (MD5: 116d07294fb4b78190f44524145eb200), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.on86.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178
Once, executed, a, sample, malware (MD5: f9e71f66e3aae789b245638a00b951a8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.linkbyte.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178
Once, executed, a, sample, malware (MD5: 1d6d4a64a9901985b8a005ea166df584), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.pnmchgameserver.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178
Once, executed, a, sample, malware (MD5: acfa1a5f290c7dd4859b56b49be41038), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.97dn.com - 45.125.35.85
hxxp://www.97wg.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178
Once, executed, a, sample, malware (MD5: b63fd04a8cdf69fb7215a70ccd0aef27), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pajak.yogya.com - 69.172.201.153
hxxp://www.yogya.com
hxxp://return.uk.uniregistry.com - 176.74.176.178
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (64.95.64.194):
MD5: 7ca6214e3b75bc1f7a41aef3267afc29
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freshtravel.net - 184.168.221.36
hxxp://experiencetravel.net - 217.174.248.145
hxxp://freshyellow.net
hxxp://experienceyellow.net
hxxp://freshclose.net
hxxp://experienceclose.net
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.43.161.174):
MD5: 674fca39caf18320e5a0e5fc45527ba4
MD5: 7017a26b53bc0402475d6b900a6c98ae
MD5: 0b61f6dfaddd141a91c65c7f290b9358
MD5: 4d5bc6b69db093824aa905137850e883
MD5: 201dee0da7b7807808d681510317ab59
Once, executed, a, sample, malware (MD5: 674fca39caf18320e5a0e5fc45527ba4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://aahydrogen.com - 208.73.210.214
hxxp://greatinstant.net
hxxp://ginsdirect.net
hxxp://autouploaders.net - 185.53.177.9
Once, executed, a, sample, malware (MD5: 7017a26b53bc0402475d6b900a6c98ae), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://w.wfetch.com - 69.43.161.174
hxxp://ww1.w.wfetch.com - 72.52.4.90
Once, executed, a, sample, malware (MD5: 4d5bc6b69db093824aa905137850e883), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://greattaby.com - 69.43.161.174
hxxp://ww41.greattaby.com - 141.8.224.79
Once, executed, a, sample, malware (MD5: 201dee0da7b7807808d681510317ab59), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://layer-ads.de - 69.43.161.174
Sample, URL, redirection, chain:
hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 208.73.210.215; 208.73.211.246; 82.98.86.178
- hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst&l=370&f=cs_3506417142&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM - 208.91.197.46; 204.11.56.48; 204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12
- hxxp://easywebchecklive.com/1/fileslist.js - 94.247.2.215
- hxxp://78.47.132.222/a12/index2.php
- hxxp://78.47.132.221/a12/pdf.php?u=i_7_0
- hxxp://78.47.132.221/a12/aff_12.exe?u=i_7_0&spl=4
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs (208.91.197.46):
MD5: b13f1af8fc426e350df11565dcf281e8
MD5: a189b3334fbd9cd357aedff22c672e9c
MD5: da53b068538ff03e2fc136c7d0816e39
MD5: ec08a877817c749597396e6b34b88e78
MD5: b9e7bf23de901280e62fd68090b5b8fa
Once, executed, a, sample, malware (MD5: b13f1af8fc426e350df11565dcf281e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.sslsecure1.com - 193.166.255.171
hxxp://staticrr.paleokits.net - 205.251.219.192
hxxp://dtrack.secdls.com
hxxp://staticrr.sslsecure1.com
Once, executed, a, sample, malware (MD5: a189b3334fbd9cd357aedff22c672e9c), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://staticrr.paleokits.net - 54.230.11.231
hxxp://staticrr.sslsecure1.com - 193.166.255.171
hxxp://staticrr.sslsecure2.com
hxxp://staticrr.sslsecure3.com - 208.91.197.46
Once, executed, a, sample, malware (MD5: ec08a877817c749597396e6b34b88e78), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://skyworldent.com
hxxp://solitaireinfo.com
hxxp://speedholidays.com - 206.221.179.26
Once, executed, a, sample, malware (MD5: b9e7bf23de901280e62fd68090b5b8fa), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com - 193.166.255.171
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com - 208.91.197.46
Related, malicious MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 969601cbf069a849197289e042792419
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
Thursday, January 05, 2017
Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two
In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's. infected, population, further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.
We've, recently, intercepted, a, currently, active, malicious, black, hat, SEO (search engine optimization), type, of, malicious, campaign, serving, malicious, software, to, unsuspecting, users, further, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.
In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://notice-of-unreported-income-email.donatehalf.com
hxxp://911-pictures.jewishreference.com
hxxp://911-pictures.dpakman91.com
hxxp://9-11-quotes.midweekpolitics.com
Sample, URL, redirection, chain:
hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
- hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
- hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111
- hxxp://vpizdutebygugol.xorg.pl/go4/
- hxxp://http://free-checkpc.com/l/d709f38e78s84y76u - 193.169.12.5
- hxxp://safe-fileshere.com/s/w58238e9a6dh76k73r/setup.exe - 193.169.12.5
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (193.203.99.111):
MD5: b761960b60f2e5617b4da2e303969ff1
MD5: a27ae350b9d29b13749b14e376a00b52
MD5: adbad83fadc017d60972efa65eb3c230
MD5: b1323d4c7e1f6455701d49621edfb545
MD5: c166767c8aa7a8eee0d12a6d9646b3e8
Once, executed, a, sample, malware (MD5: b761960b60f2e5617b4da2e303969ff1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111
Once, executed, a, sample, malware (MD5: a27ae350b9d29b13749b14e376a00b52), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://gwg.xorg.pl - 193.203.99.111
Once, executed, a, sample, malware (MD5: adbad83fadc017d60972efa65eb3c230), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://htu.xorg.pl - 193.203.99.111
Once, executed, a, sample, malware (MD5: b1323d4c7e1f6455701d49621edfb545), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://htu.xorg.pl - 193.203.99.111
Once, executed, a, sample, malware (MD5: c166767c8aa7a8eee0d12a6d9646b3e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111
Sample, detection, rate, for, a, sample, malicious, executable:
MD5: 7df300b01243a42b4ddff724999cd4f7
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://updatepcnow.com - 208.73.211.249
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (208.73.211.249):
MD5: 940be22f37e30c90d9fded842c23b24d
MD5: ef29c61908f678f313aa298343845175
MD5: 47f5002a0b9d312f28822d92a3962c81
MD5: ba83653117a6196d8b2a52fb168b8142
MD5: f29209f1ca6c4666207ea732c1f32978
Once, executed, a, sample, malware (MD5: 940be22f37e30c90d9fded842c23b24d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://softonic-analytics.net - 46.28.209.74
hxxp://superscan.sd.en.softonic.com - 46.28.209.70
hxxp://www.ledyazilim.com - 213.128.83.163
Once, executed, a, sample, malware (MD5: ef29c61908f678f313aa298343845175), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ksandrafashion.com - 208.73.211.173
hxxp://www.lafyeri.com
hxxp://kulppasur.com
Once, executed, a, sample, malware (MD5: 47f5002a0b9d312f28822d92a3962c81), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php
Once, executed, a sample, malware (MD5: ba83653117a6196d8b2a52fb168b8142), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://mhc.ir - 82.99.218.195
hxxp://naphooclub.com - 208.73.211.173
hxxp://mdesigner.ir - 176.9.98.58
Once, executed, a, sample, malware (MD5: f29209f1ca6c4666207ea732c1f32978), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (50.63.202.54):
MD5: 45497b47a6df2f6216b4c4bebc572dd3
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: 08db02c9873c0534656901d5e9501f46
MD5: 830b22b4a0520d1b46a493f03a6a0a66
MD5: 5ee1bfa766f367393782972718d4e82f
Once, executed, a, sample, malware (MD5: 45497b47a6df2f6216b4c4bebc572dd3), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz - 195.157.15.100
Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49
Once, executed, a, sample, malware (MD5: 08db02c9873c0534656901d5e9501f46), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://musicbroke.net - 195.22.28.210
Once, executed, a, sample, malware (MD5: 830b22b4a0520d1b46a493f03a6a0a66), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
Once, executed, a, sample, malware (MD5: 5ee1bfa766f367393782972718d4e82f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (54.85.196.8):
MD5: 05288748ddccf2e5fedef5d9e8218fef
MD5: 08936ff676b062a87182535bce23d901
MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7
MD5: 8a7e330ad88dcb4ced3e5e843424f85f
MD5: bf3d996376663feaea6031b1114eb714
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://graves111.net - 64.86.17.47 - Email: gertrudeedickens@text2re.com
hxxp://lending10.com
hxxp://adriafin.com
hxxp://7sevenseas.com
hxxp://ironins.com
hxxp://trdatasft.com
hxxp://omeoqka.cn
hxxp://trustshield.cn
hxxp://capide.cn
hxxp://tds-soft.comewithus.cn
hxxp://graves111.net
hxxp://reversfor5.net
hxxp://limestee.net
hxxp://landlang.net
hxxp://langlan.net
hxxp://limpopos.net
hxxp://clarksinfact.net
Sample, URL, redirection, chain:
hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com
- hxxp://checkvirus-zone.com/?p=
Sample, detection, rate, for, a, sample, malicious, executable:
MD5: b157106188c2debab5d2f1337c708e35
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pencil-netwok.com/?act=fb&1=1&2=0&3= - 204.11.56.48; 204.11.56.45; 209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 3c3346426923504571f81caffdac698d
MD5: ad4244794693b41c775b324c4838982a
MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e
MD5: 0526944bfb43b14d8f72fd184cd8c259
MD5: 29932b0cb61011ffc4834c3b7586d956
Once, executed, a, sample, malware (MD5: 3c3346426923504571f81caffdac698d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.76.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
Once, executed, a, sample, malware (MD5: ad4244794693b41c775b324c4838982a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://banboon.com - 204.11.56.48
hxxp://bdb.com.my - 103.4.7.143
hxxp://baulaung.org - 52.28.249.128
Once, executed, a, sample, malware (MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cubingapi.com - 204.11.56.48
hxxp://error.cubingapi.com - 204.11.56.48
Once, executed, a, sample, malware (MD5: 0526944bfb43b14d8f72fd184cd8c259), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.77.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
Once, executed, a, sample, malware (MD5: 29932b0cb61011ffc4834c3b7586d956), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
hxxp://rms365x24.com - 166.78.145.90
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, soon, as, new, developments, take, place.
We've, recently, intercepted, a, currently, active, malicious, black, hat, SEO (search engine optimization), type, of, malicious, campaign, serving, malicious, software, to, unsuspecting, users, further, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.
In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://notice-of-unreported-income-email.donatehalf.com
hxxp://911-pictures.jewishreference.com
hxxp://911-pictures.dpakman91.com
hxxp://9-11-quotes.midweekpolitics.com
Sample, URL, redirection, chain:
hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
- hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
- hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111
- hxxp://vpizdutebygugol.xorg.pl/go4/
- hxxp://http://free-checkpc.com/l/d709f38e78s84y76u - 193.169.12.5
- hxxp://safe-fileshere.com/s/w58238e9a6dh76k73r/setup.exe - 193.169.12.5
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (193.203.99.111):
MD5: b761960b60f2e5617b4da2e303969ff1
MD5: a27ae350b9d29b13749b14e376a00b52
MD5: adbad83fadc017d60972efa65eb3c230
MD5: b1323d4c7e1f6455701d49621edfb545
MD5: c166767c8aa7a8eee0d12a6d9646b3e8
Once, executed, a, sample, malware (MD5: b761960b60f2e5617b4da2e303969ff1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111
Once, executed, a, sample, malware (MD5: a27ae350b9d29b13749b14e376a00b52), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://gwg.xorg.pl - 193.203.99.111
Once, executed, a, sample, malware (MD5: adbad83fadc017d60972efa65eb3c230), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://htu.xorg.pl - 193.203.99.111
Once, executed, a, sample, malware (MD5: b1323d4c7e1f6455701d49621edfb545), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://htu.xorg.pl - 193.203.99.111
Once, executed, a, sample, malware (MD5: c166767c8aa7a8eee0d12a6d9646b3e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111
Sample, detection, rate, for, a, sample, malicious, executable:
MD5: 7df300b01243a42b4ddff724999cd4f7
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://updatepcnow.com - 208.73.211.249
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (208.73.211.249):
MD5: 940be22f37e30c90d9fded842c23b24d
MD5: ef29c61908f678f313aa298343845175
MD5: 47f5002a0b9d312f28822d92a3962c81
MD5: ba83653117a6196d8b2a52fb168b8142
MD5: f29209f1ca6c4666207ea732c1f32978
Once, executed, a, sample, malware (MD5: 940be22f37e30c90d9fded842c23b24d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://softonic-analytics.net - 46.28.209.74
hxxp://superscan.sd.en.softonic.com - 46.28.209.70
hxxp://www.ledyazilim.com - 213.128.83.163
Once, executed, a, sample, malware (MD5: ef29c61908f678f313aa298343845175), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ksandrafashion.com - 208.73.211.173
hxxp://www.lafyeri.com
hxxp://kulppasur.com
Once, executed, a, sample, malware (MD5: 47f5002a0b9d312f28822d92a3962c81), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php
Once, executed, a sample, malware (MD5: ba83653117a6196d8b2a52fb168b8142), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://mhc.ir - 82.99.218.195
hxxp://naphooclub.com - 208.73.211.173
hxxp://mdesigner.ir - 176.9.98.58
Once, executed, a, sample, malware (MD5: f29209f1ca6c4666207ea732c1f32978), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (50.63.202.54):
MD5: 45497b47a6df2f6216b4c4bebc572dd3
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: 08db02c9873c0534656901d5e9501f46
MD5: 830b22b4a0520d1b46a493f03a6a0a66
MD5: 5ee1bfa766f367393782972718d4e82f
Once, executed, a, sample, malware (MD5: 45497b47a6df2f6216b4c4bebc572dd3), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz - 195.157.15.100
Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49
Once, executed, a, sample, malware (MD5: 08db02c9873c0534656901d5e9501f46), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://musicbroke.net - 195.22.28.210
Once, executed, a, sample, malware (MD5: 830b22b4a0520d1b46a493f03a6a0a66), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
Once, executed, a, sample, malware (MD5: 5ee1bfa766f367393782972718d4e82f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (54.85.196.8):
MD5: 05288748ddccf2e5fedef5d9e8218fef
MD5: 08936ff676b062a87182535bce23d901
MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7
MD5: 8a7e330ad88dcb4ced3e5e843424f85f
MD5: bf3d996376663feaea6031b1114eb714
Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://graves111.net - 64.86.17.47 - Email: gertrudeedickens@text2re.com
hxxp://lending10.com
hxxp://adriafin.com
hxxp://7sevenseas.com
hxxp://ironins.com
hxxp://trdatasft.com
hxxp://omeoqka.cn
hxxp://trustshield.cn
hxxp://capide.cn
hxxp://tds-soft.comewithus.cn
hxxp://graves111.net
hxxp://reversfor5.net
hxxp://limestee.net
hxxp://landlang.net
hxxp://langlan.net
hxxp://limpopos.net
hxxp://clarksinfact.net
Sample, URL, redirection, chain:
hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com
- hxxp://checkvirus-zone.com/?p=
Sample, detection, rate, for, a, sample, malicious, executable:
MD5: b157106188c2debab5d2f1337c708e35
Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pencil-netwok.com/?act=fb&1=1&2=0&3= - 204.11.56.48; 204.11.56.45; 209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107
Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 3c3346426923504571f81caffdac698d
MD5: ad4244794693b41c775b324c4838982a
MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e
MD5: 0526944bfb43b14d8f72fd184cd8c259
MD5: 29932b0cb61011ffc4834c3b7586d956
Once, executed, a, sample, malware (MD5: 3c3346426923504571f81caffdac698d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.76.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
Once, executed, a, sample, malware (MD5: ad4244794693b41c775b324c4838982a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://banboon.com - 204.11.56.48
hxxp://bdb.com.my - 103.4.7.143
hxxp://baulaung.org - 52.28.249.128
Once, executed, a, sample, malware (MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cubingapi.com - 204.11.56.48
hxxp://error.cubingapi.com - 204.11.56.48
Once, executed, a, sample, malware (MD5: 0526944bfb43b14d8f72fd184cd8c259), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.77.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
Once, executed, a, sample, malware (MD5: 29932b0cb61011ffc4834c3b7586d956), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
hxxp://rms365x24.com - 166.78.145.90
We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, soon, as, new, developments, take, place.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)