Monday, May 29, 2017

Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

Remember, the, Russian, Business, Network, and, the, New, Media, Malware, Gang?

It's, been, several, years, since, I, last, posted, an, update, regarding, the, group's, activities, including, the, direct, establishing, of, a, direct, connection, between, the, Russian, Business, Network, the, New, Media, Malware, gang, including, a, variety, of, high, profile, Web, site, compromise, campaigns.

What's, particularly, interesting, about, the, group's, activities, is, the, fact, that, back, in, 2007, the, group's, activities, used, to, dominate, the, threat, landscape, in, a, targeted, fashion, including, the, active, utilization, of, client-side, exploits, and, the, active, exploitation, of, legitimate, Web, sites, successfully, positioning, the, group, including, the, Russian, Business, Network, as, a, leading, provider, of, malicious, activities, online, leading, to, a, series, of, analyses, successfully, detailing, the, activities, of, the, group, including, the, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, Storm, Worm, botnet.

In, this, post, I'll, provide, a, detailed, analysis, of, the, group's, activities, discuss, in, the, depth, the, tactics, techniques, and, procedures, (TTPs), of, the, group, including, a, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, direct, compromise, of, a, series, of, high, profile, Web, site, compromise, campaigns.

Having, successfully, tracked, down, and, profiled, the, group's, activities, for, a, period, of, several, years, and, based, on, the, actionable, intelligence, provided, regarding, the, group's, activities, we, can, easily, establish, a, direct, connection, between, the, New, Media, Malware, Gang, and, the, Russian, Business, Network, including, a, series, of, high, profile, Web, site, compromise, campaigns.

Key Summary Points:
- RBN Connection, New Media Malware Gang connection - "ai siktir" "Die()", money mule recruitment, money laundering of virtual currency
- Actionable CYBERINT data to assist law enforcement, academics and the private sector in ongoing or past cybercrime investigations
- Complete domain portfolios registered up to the present day using the same emails used to register the malicious domains during 2007-2009 to assist law enforcement, academics and the private sector in catching up with their malicious activities over the years
- Detailed analysis of each and every campaign's domain portfolios (up to present day) further dissecting the fraudulent schemes launched by the same cybercriminals that embedded malware on the embassies' web sites
- Complete IP Hosting History for each and every of the malicious domains/command and control servers during the time of the attack
 - The "Big Picture" detailing the inter-connections between the campaigns, with historical OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian Business Network

Let's, profile, the, group's, activities, including, a, direct, establishing, of, a, connection, between, the, Russian, Business, Network, the, New, Media, Malware, Gang, and, the, Storm, Worm, botnet.

In, 2007, I, profiled, the, direct, compromise, of, the, Syrian, Embassy, in, London, including, a, related, compromise of, the, USAID.gov compromised, malware and exploits served, the, U.S Consulate St. Petersburg Serving Malware, Bank of India Serving Malware, French Embassy in Libya Serving Malware, Ethiopian Embassy in Washington D.C Serving Malware, Embassy of India in Spain Serving Malware, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, detailing, the, malicious, activities, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

Let's profile, the, campaigns, and, discuss, in, depth, the, direct, connection, between, the, group's, activities, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

sicil.info - on 2007-09-26 during the time of the attack, the domain was registered using the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 with an IP 213.186.33.24. On 2007-07-11, it changed IPs to 203.121.79.71, followed by another change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 to 190.183.63.56.

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (sicil.info):
MD5: 4802db20da46fca2a1896d4c983b13ba
MD5: f9434d86ef2959670b73a79947b0f4d2
MD5: 32dba64ae55e7bb4850e27274da42d1b
MD5: cd6a7ff6388fbd94b7ee9cdc88ca8f4d
MD5: 57dff9e8154189f0a09fb62450decac6

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (sicil.info), are, also, the, following, malicious, domains:
hxxp://144.217.69.62
hxxp://63.246.128.71
hxxp://207.150.177.28
hxxp://66.111.47.62
hxxp://66.111.47.4
hxxp://66.111.47.8

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (213.186.33.24):
MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb
MD5: 95cc3a0243aa050243ab858794c1d221
MD5: cc63d67282789e03469f2e6520c6de80
MD5: 3829506c454b86297d2828077589cbf8
MD5: 1e18b17149899d55d3625d47135a22a7

Once, executed, a, sample, malware (MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ioasis.org - 208.112.115.36
hxxp://polyhedrusgroup.com - 143.95.229.33
hxxp://espoirsetvie.com - 213.186.33.24
hxxp://ladiesdehaan.be - 185.59.17.113
hxxp://chonburicoop.net - 27.254.96.151
hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48

Related posts: Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (0ki.ru; 89.179.174.156):
MD5: cd33ea55b2d13df592663f18e6426921
MD5: 8e0c7757b82d14b988afac075e8ed5dc
MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012
MD5: e513a1b25e59670f777398894dfe41b6
MD5: 0fad43c03d80a1eb3a2c1ae9e9a6c9ed
MD5: 6e1b789f0df30ba0798fbc47cb1cec1c
MD5: 9f02232ed0ee609c8db1b98325beaa94

Once, executed, a, sample, malware (MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012), phones, back, to, the, following, C&C, server, IPs:
hxxp://lordofthepings.ru (173.254.236.159)
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz
hxxp://ladyhaha.xyz
hxxp://porkhalal.site
hxxp://rihannafap.site
hxxp://bieberfans.top
hxxp://runands.top
hxxp://frontlive.net
hxxp://offerlive.net
hxxp://frontserve.net
hxxp://offerserve.net
hxxp://hanghello.ru
hxxp://hanghello.net
hxxp://septemberhello.net
hxxp://hangmine.net
hxxp://septembermine.net
hxxp://hanglive.net
hxxp://wrongserve.ru
hxxp://wrongserve.net
hxxp://madelive.net

Once, executed, a, sample, malware (MD5: e513a1b25e59670f777398894dfe41b6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardlive.ru
hxxp://yardlive.net
hxxp://musiclive.net - 141.8.225.124
hxxp://yardserve.net
hxxp://musicserve.net - 185.53.177.20
hxxp://wenthello.net
hxxp://spendhello.ru
hxxp://wentmine.net
hxxp://spendmine.net
hxxp://spendhello.net
hxxp://joinlive.net
hxxp://wentserve.ru
hxxp://hanghello.net
hxxp://joinhello.net

hxxp://x12345.org - 46.4.22.145

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (miron555.org):
MD5: 0e423596c502c1e28cce0c98df2a2b6d
MD5: e75d92defb11afe50a8cc51dfe4fb6ee
MD5: adcedd763f541e625f91030ee4de7c19
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 0e423596c502c1e28cce0c98df2a2b6d

Over the years (up to present day) srvs4you@gmail.com is also known to have been used to register the following domains:
hxxp://10lann10.org
hxxp://24cargo.net
hxxp://ace-assist.biz
hxxp://activation-confirm.com
hxxp://adwoords.net
hxxp://alert-careerbuilder.com
hxxp://annebehnert.info
hxxp://apollo-services.net
hxxp://appolage.org
hxxp://auctions-ukash.com
hxxp://bbcfinancenews.com
hxxp://bestgreatoffers.org
hxxp://blackbird-registration.com
hxxp://bloomborg.biz
hxxp://businessproc1.com
hxxp://bussolutionsinc.org
hxxp://calisto-trading.com
hxxp://calisto-trading.net
hxxp://calisto-trading.org
hxxp://candy-country.com
hxxp://casheq.com
hxxp://cfca-usa.com
hxxp://cfodaily.biz
hxxp://citizenfinancial.net
hxxp://citylending.net
hxxp://clean2mail.com
hxxp://confirm-activation.com
hxxp://consultingwiz.org
hxxp://courierusa-online.com
hxxp://cristhmasx.com
hxxp://d-stanley.net
hxxp://dariazacherl.info
hxxp://des-group.com
hxxp://digital-investment-projects.com
hxxp://dns4your.net
hxxp://dvasuka.com
hxxp://easy-midnight.com
hxxp://easy-transfer.biz
hxxp://easymidnight.com
hxxp://ecareerstyle.com
hxxp://ecnoho.com
hxxp://efinancialnews.biz
hxxp://eluxuryauctions.com
hxxp://elx-ltd.net
hxxp://elx-trading.org
hxxp://elxltd.net
hxxp://emoney-ex.com
hxxp://epsincorp.net
hxxp://equitrust.org
hxxp://erobersteng.com
hxxp://erxlogistics.com
hxxp://esdeals.com
hxxp://estemaniaks.com
hxxp://eu-bis.com
hxxp://eu-cellular.com
hxxp://eubiz.org
hxxp://euwork.org
hxxp://expressdeal.info
hxxp://ezado.net
hxxp://fairwaylending.org
hxxp://fan-gaming.org
hxxp://fcinternatonal1.com
hxxp://fidelitylending.net
hxxp://financial-forbes.com
hxxp://financialnews-us.net
hxxp://firstcapitalgroup.org
hxxp://freemydns.org
hxxp://fremontlending.net
hxxp://fresh-solutions-mail.com
hxxp://fresh-solutions.us
hxxp://garnantfoundation.com
hxxp://gazenvagen.com
hxxp://globerental.com
hxxp://googmail.biz
hxxp://i-expertadvisor.com
hxxp://icebart.com
hxxp://icqdosug.com
hxxp://iesecurityupdates.com
hxxp://indigo-consulting.org
hxxp://indigo-job-with-us.com
hxxp://indigojob.com
hxxp://indigovacancies.com
hxxp://inncoming.com
hxxp://ivsentns.com
hxxp://iwiwlive.net
hxxp://iwiwonline.net
hxxp://jobs-in-eu.org
hxxp://kelermaket.com
hxxp://kklfnews.com
hxxp://knses.com
hxxp://komodok.com
hxxp://krdns.biz
hxxp://ksfcnews.com
hxxp://ksfcradio.com
hxxp://ktes314.org
hxxp://lda-import.com
hxxp://legal-solutions.org
hxxp://lgcareer.com
hxxp://lgtcareer.com
hxxp://librarysp.com
hxxp://littlexz.com
hxxp://mariawebber.org
hxxp://megamule.net
hxxp://moneycnn.biz
hxxp://njnk.net
hxxp://ns4ur.net
hxxp://nytimesnews.biz
hxxp://o2cash.net
hxxp://offsoftsolutions.com
hxxp://pcpro-tbstumm.com
hxxp://perfect-investments.org
hxxp://progold-inc.biz
hxxp://protectedsession.com
hxxp://razsuka.com
hxxp://reutors.biz
hxxp://rushop.us
hxxp://science-and-trade.com
hxxp://secure-operations.org
hxxp://securesitinngs.com
hxxp://servicessupport.biz
hxxp://sessionprotected.com
hxxp://sicil.info
hxxp://sicil256.info
hxxp://simple-investments-mail.org
hxxp://simple-investments.net
hxxp://simple-investments.org
hxxp://sp3library.com
hxxp://speeduserhost.com
hxxp://storempire.com
hxxp://tas-corporation.com
hxxp://tas-corporation.net
hxxp://tascorporation.net
hxxp://topixus.net
hxxp://tsrcorp.net
hxxp://u-file.org
hxxp://ukashauction.net
hxxp://ultragame.org
hxxp://unitedfinancegroup.org
hxxp://vanessakoepp.org
hxxp://verymonkey.com
hxxp://vesa-group.com
hxxp://vesa-group.net
hxxp://vipvipns.net
hxxp://vipvipns.org
hxxp://wondooweria.com
hxxp://wondoowerka.com
hxxp://wootpwnseal.com
hxxp://worldeconomist.biz
hxxp://wumtt-westernunion.com
hxxp://xsoftwares.com
hxxp://xxx2008xxx.com
hxxp://yourcashlive.com
hxxp://yourlive.biz
hxxp://yourmule.com

On 2008-09-25 0ki.ru was registered using the kseninkopetr@nm.ru email. The same email address is not known to have been used to register any additional domains.

On 2008-06-19 x12345.org was registered using the xix.x12345@yahoo.com email. On 2007-09-10 the domain use to respond to 66.36.243.97, then on 2007-11-13 it changed IPs to 58.65.236.10, following another change on 2008-05-06 to 203.186.128.154. No other domains are known to have been registered using the same email address.

On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, followed by another registration email change on 2008-02-12 to nepishite555suda@gmail.com. On 2007-04-24, the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, more IP changes on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 88.255.90.138.

Historically (up to present day), mironbot@gmail.com is also known to have been used to register the following domains:
hxxp://24-7onlinepharmacy.net
hxxp://bestmoviesonline.info
hxxp://brightstonepharma.com
hxxp://deapotheke.com
hxxp://dozor555.info
hxxp://my-traff.cn
hxxp://pharmacyit.net
hxxp://trffc.org
hxxp://trffc3.ru
hxxp://xmpharm.com

In, 2008, I, profiled, the, direct, compromise, of, The Dutch Embassy in Moscow Serving Malware, further, detailing, the, malicious, and, activity, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, direct, compromise, of, the, Embassy's Web, site.

On 2009-03-04, lmifsp.com was registered using the redemption@snapnames.com email. On 2007-11-30, it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 68.178.232.99.

In, 2008, I, profiled, the, direct, compromise, of, Embassy of Brazil in India Compromised, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

hxxp://google-analyze.com - 87.118.118.193

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (google-analyze.com - 87.118.118.193):
MD5: 2bcb74c95f30e3741210c0de0c1b406f

On 2008-10-15, traff.asia was registered using the traffon@gmail.com email.

On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008-03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 2008-09-15.

On 2008-08-05, google-analystic.net, is, known, to, have, responded, to, 212.117.163.162, and, was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to respond to 64.28.187.84, it then changed IPS to 85.255.120.195 on 2008-08-03, followed by another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another change on 2008-10-25 to 209.160.67.56.

On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. On 2008-11-11 it used to respond to 79.135.187.38.

In, 2009, I, profiled, the, direct, compromise, of, Ethiopian Embassy in Washington D.C Serving Malware, further, detailing, the, group's, activities, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On 2009-01-19, 1tvv.com is, known, to, have, responded, to, 69.172.201.153; 66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 74.200.250.130; 69.170.135.92; 64.74.223.38, and, was registered using the mogensen@fontdrift.com email.

On 2005-08-27, the domain (1tvv.com) is, known, to, have, responded to 198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP change on 2010-04-08 to 216.240.187.145, followed by yet another change on 2010-06-02 to 69.43.160.145, then on 2010-07-25 to 69.43.160.145.

On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email.

On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01-service.ru email.

On 2009-05-02, us18.ru, is, known, to, have, responded, to, 109.70.26.37; 185.12.92.229; 109.70.26.36, and, was registered using the belyaev_andrey@inbox.ru email.

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0b545cd12231d0a4239ce837cd371166
MD5: dae41c862130daebcff0e463e2c30e50
MD5: 601806c0a01926c2a94558148764797a
MD5: 45f97cd8df4448bbe073a38c264ef93f
MD5: 94aeba45e6fb4d17baa4989511e321b3

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: 4e0ce2f9f92ac5193c2a383de6015523
MD5: a38d47fcfdaf14372cea3de850cf487d
MD5: 014d2f1bae3611e016f96a37f98fd4b7
MD5: daad60cb300101dc05d2ff922966783b
MD5: 0a775110077e2c583be56e5fb3fa4f09

Once, executed, a, sample, malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.66.160
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
hxxp://sso.anbtr.com - 195.22.28.222

Once, executed, a, sample, malware (MD5: a38d47fcfdaf14372cea3de850cf487d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ledyazilim.com - 213.128.83.163
hxxp://ksandrafashion.com - 166.78.145.90
hxxp://lafyeri.com - 69.172.201.153
hxxp://kulppasur.com - 52.28.249.128
hxxp://toalladepapel.com.ar

hxxp://trafficinc.ru, is, known, to, have, responded, to, 222.73.91.203

hxxp://trafficmonsterinc.ru, is, known, to, have, responded, to, 178.208.83.7; 178.208.83.27; 91.203.4.112

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: ce4e2e12ee16d5bde67a3dc2e3da634b
MD5: 4423e04fb3616512bf98b5a565fccdd7
MD5: 33f890c294b2ac89d1ee657b94e4341d
MD5: 1c5096c3ce645582dd18758fe523840a
MD5: 1efae0b0cb06faacae46584312a12504

Once, executed, a, sample, malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 4423e04fb3616512bf98b5a565fccdd7), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://topstat.mcdir.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 33f890c294b2ac89d1ee657b94e4341d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cadretest.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 1c5096c3ce645582dd18758fe523840a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hxxp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26

In, 2009, I, profiled, the, direct, compromise, of Embassy of India in Spain Serving Malware, further, detailing, the, malicious, activity, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On 2008-09-07, msn-analytics.net was registered using the palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 82.98.235.50, it then changed IPs on 2008-09-07 to 58.65.234.9, followed by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 2009-12-29, and to 85.249.229.195 on 2010-03-09.

On 2008-07-10, pinoc.org was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it responded to 58.65.234.9, it then changed IPs on 2008-08-17 to 91.203.92.13, followed by another change on 2008-08-24 to 58.65.234.9, followed by yet another change to 208.73.210.76 on 2009-10-03, and yet another change on 2009-10-06 to 96.9.186.245.

On 2008-09-20, wsxhost.net was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 wsxhost.net responded to 58.65.234.9, it then changed IPs on 2008-12-22 to 202.73.57.6, followed by another change on 2009-05-18 to 202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 213.163.89.54 on 2009-09-05.

On 2008-06-29 google-analyze.cn was registered using the johnvernet@gmail.com email.

Historically (up to present day) johnvernet@gmail.com is known to have registered the following domains:
hxxp://baidustatz.com
hxxp://edcomparison.com
hxxp://google-analyze.org
hxxp://google-stat.com
hxxp://kolkoman.com
hxxp://m-analytics.net
hxxp://pinalbal.com
hxxp://pornokman.com
hxxp://robokasa.com
hxxp://rx-white.com
hxxp://sig4forum.com
hxxp://thekapita.com
hxxp://visittds.com

msn-analytics.net, is, known, to, have, responded, to, 216.157.88.21; 85.17.25.214; 216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: eb95798965a18e7844f4c969803fbaf8
MD5: 106b6e80be769fa4a87560f82cd24b57
MD5: 519a9f1cb16399c515723143bf7ff0d0
MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5
MD5: 613e8c31edf4da1b8f8de9350a186f41

Once, executed, a, sample, malware (MD5: eb95798965a18e7844f4c969803fbaf8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://thinstall.abetterinternet.com - 85.17.25.214
hxxp://survey-winner.net - 94.229.72.117
hxxp://survey-winner.net - 208.91.196.145
hxxp://comedy-planet.com

Once, executed, a, sample, malware (MD5: 106b6e80be769fa4a87560f82cd24b57), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

Once, executed, a, sample, malware (MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://followfortieth.net
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

pinoc.org, is, known, to, have, responded, to, 103.224.212.222; 185.53.179.24; 185.53.179.9; 185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 000125b0d0341fc078c7bdb5b7996f9e
MD5: b3bbeaca85823d5c47e36959b286bb22
MD5: 4faa9445394ba4edf73dd67e239bcbca
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a
MD5: 38d07b2a1189eb1fd64296068fbaf08a

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://static.greatappsdownload.com - 54.230.187.48
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://ww1.os2.onlineapplicationsdownloads.com - 91.195.241.80

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://errors.myserverstat.com - 103.224.212.222

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://scripts.dlv4.com - 103.224.212.222
hxxp://ww38.scripts.dlv4.com - 185.53.179.29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://complaintsboard.com - 208.100.35.85
hxxp://7ew8gov.firoli-sys.com - 103.224.212.222
hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234
hxxp://q8x3kb.wwwmediahosts.com - 204.11.56.48

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newworldorderreport.com - 50.63.202.29
hxxp://69jh93.firoli-sys.com - 103.224.212.222
hxxp://bpvv11ndq5.wwwmediahosts.com - 204.11.56.48
hxxp://0dbhwuja.hdmediastore.com - 45.33.9.234

wsxhost.net, is, known, to, have, responded, to, 184.168.221.45; 50.63.202.82; 69.43.161.172

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 117036e5a7b895429e954f733e0acada
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be
MD5: 6e330742d22c5a5e99e6490de65fabd6
MD5: f1c9cd766817ccf55e30bb8af97bfdbb
MD5: 7f4145bc211089d9d3c666078c35cf3d

Once, executed, a, sample, malware (MD5: 117036e5a7b895429e954f733e0acada), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://amacweb.org
hxxp://superaffiliatehookup.com
hxxp://germanamericantax.com
hxxp://lineaidea.it
hxxp://speedysalesletter.com

Once, executed, a, sample, malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://allstatesdui.com - 50.63.202.36
hxxp://wellingtontractorparts.com - 72.167.232.158
hxxp://amacweb.org - 160.16.211.99
hxxp://nctcogic.org - 207.150.212.74

Once, executed, a, sample, malware (MD5: 6e330742d22c5a5e99e6490de65fabd6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://santele.be - 176.62.170.69
hxxp://fever98radio.com - 141.8.224.93
hxxp://brushnpaint.com - 74.220.219.132
hxxp://jameser.com - 54.236.195.15
hxxp://hillsdemocrat.com - 67.225.168.30

Once, executed, a, sample, malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://afterpeace.net - 195.38.137.100
hxxp://sellhouse.net - 184.168.221.45

Once, executed, a, sample, malware (MD5: 7f4145bc211089d9d3c666078c35cf3d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://forcerain.net
hxxp://afterrain.net - 50.63.202.43)
hxxp://forcerain.ru
hxxp://forceheld.net

google-analyze.cn, is, known, to, have, responded, to, 103.51.144.81; 184.105.178.89; 65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 50.117.122.90; 184.105.178.84; 50.117.116.204

Related malicious MD5s known to have phoned back to the same malicious C&C, server, IPs:
MD5: df05460b5e49cbba275f6d5cbd936d1d
MD5: 7732ffcf2f4cf1d834b56df1f9d815c9
MD5: 615eb515da18feb2b87c0fb5744411ac
MD5: 24fec5b3ac1d20e61f2a3de95aeb177c
MD5: 348eed9b371ddb2755eb5c2bfaa782ee

On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com email.

- google-analyze.org - Email: johnvernet@gmail.com - on, 2008-07-09, google-analyze.org , is, known, to, have, responded, to, 58.65.234.9, followed, by, a, hosting, change, on, 2008-08-17, with, google-analyze.org, responding, to, 91.203.92.13, followed, by, another, hosting, change, on, 2008-08-24, with, google-analyze.org, responding, to, 202.73.57.6.

- qwehost.com - Email: 4ykakabra@gmail.com - on, 2009-05-18, qwehost.com, is, known, to, have, responded, to, 202.73.57.11, followed, by, a, hosting, change, to, 202.73.57.11, followed, by, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 210.51.187.45.

- zxchost.com - Email: 4ykakabra@gmail.com - on, 2009-03-02, zxchost.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-25, pointing, to, 210.51.166.239.

- odile-marco.com - Email: OdileMarcotte@gmail.com - on, 2009-05-18, odile-marco.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 91.212.198.116.

- edcomparison.com - Email: johnvernet@gmail.com - on, 2009-05-18, edcomparison.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13,  this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 210.51.187.45.

- fuadrenal.com - Email: fuadrenalRay@gmail.com - on, 2009-01-26, fuadrenal.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, time, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.

- rx-white.com - Email: johnvernet@gmail.com - on, 2009-05-18, rx-white.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.

In, 2009, I, profiled, the, direct, compromise, of, Embassy of Portugal in India Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2009-03-30, ntkrnlpa.info, is, known, to, have, responded, to, 83.68.16.6. Related, domains, known, to, have, participated, in, the, same, campaign - betstarwager.cn; ntkrnlpa.cn.

In, 2007, I, profiled, the, direct, compromise, of, French Embassy in Libya Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2008-11-05, tarog.us (Email: bobby10@mail.zp.ua), used, to, respond, to, 67.210.13.94, followed, by, a, hosting, change, on, 2009-03-02, pointing, to, 208.73.210.121. Related, domains, known, to, have, participated, in, the, campaign: fernando123.ws; winhex.org - Email: ipspec@gmail.com

On, 2007-02-18, winhex.org, used, to, respond, to, 195.189.247.56, followed, by, a, hosting, change, on, 2007-03-03, pointing, to, 89.108.85.97, followed, by, yet, another, hosting, change, on, 2007-04-29, this, time, pointing, to, 203.121.71.165, followed, by, yet, another, hosting, change, on, 2007-08-19, this, time, pointing, to, 69.41.162.77.

On, 2007-11-23, kjlksjwflk.com (Email: sflgjlkj45@yahoo.com), used, to, respond, to, 58.65.239.114, followed, by, a, hosting, change, on, 2009-02-16, pointing, to, 38.117.90.45, followed, by, yet, another, hosting, change, on, 2009-03-09, this, time, pointing, to, 216.188.26.235.

In, 2009, I, profiled, the, direct, compromise, of, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Related, domains, known, to, have, participated, in, the, campaign:
- hxxp://filmlifemusicsite.cn; hxxp://promixgroup.cn; hxxp://betstarwager.cn; hxxp://clickcouner.cn

In, 2009, I, profiled, the, direct, compromise, of, USAID.gov compromised, malware and exploits served, further, establishing, a, direct, connection, between, the, gang's, activities, and, the, New, Media, Malware, Gang.

Related, domains, known, to, have, participated, in, the, campaign:
hxxp://should-be.cn - Email: admin@brut.cn; hxxp://orderasia.cn; hxxp://fileuploader.cn

In, 2007, I, profiled, the, direct, compromise, of, U.S Consulate St. Petersburg Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com), used, to, respond, to, 212.175.23.114, followed, by, a, hosting, change, on, 2007-09-07, pointing, to, 209.123.181.185, followed, by, yet, another, hosting, change, on, 2007-09-27, this, time, pointing, to, 88.255.90.50, followed, by, yet, another, hosting, change, on, 2008-11-11, this, time, pointing, to, 216.188.26.235.

What's, particularly, interested, about, the, gang's, activities, is, the, fact, that, back, in 2007, the, group, pioneered, for, the, first, time, the, utilization, of, Web, malware, exploitation, kits, further, utilizing, the, infrastructure, of, the, Russian, Business, Network, successfully, launching, a, multi-tude, of, malicious, campaigns, further, spreading, malicious, software, further, utilizing, the, infrastructure, of, the, Russian, Business, Network.

Related posts:
Syrian Embassy in London Serving Malware
USAID.gov compromised, malware and exploits served
U.S Consulate St. Petersburg Serving Malware
Bank of India Serving Malware
French Embassy in Libya Serving Malware
The Dutch Embassy in Moscow Serving Malware
Ethiopian Embassy in Washington D.C Serving Malware
Embassy of India in Spain Serving Malware
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware