Monday, May 29, 2017

New Mobile Malware Spotted in the Wild, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious mobile malware that potentially compromises the confidentiality, availability and integrity of the affected devices and further spreads malicious software on them, with the cybercriminals behind it potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on an affiliate-network based revenue sharing scheme.

In this post we'll provide actionable intelligence about the infrastructure behind it, discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, and further expand on the malicious infrastructure behind the campaign, successfully exposing the malicious actors behind it.

Related malicious MD5s known to have participated in the campaign:
MD5: 12e6971511705b7396e4399ac46854f9
MD5: e7d6fef2f1b23cf39a49771eb277e697

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://61.160.234.133/date/getDate
hxxp://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelId=12068000
hxxp://ccinchina.com
hxxp://117.135.133.9/source/appsource/15035916BaiduBrowser_Android_2-3-28-6_1000934d.apk?imei=
hxxp://117.135.131.9/push_4/push.action?imei=value
hxxp://61.160.242.35/pro_5/pro.action

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (61.160.234.133):
MD5: ec125a741919574b7de29889845fe648
MD5: 695db5f40c02fa4eaeda76882de6c1f8
MD5: 3281f34e42483b8a32f7a66dfed5a548
MD5: ccd0a5805a82fdccb3ebdbdc95b432e8
MD5: 07950552ddf728685b943254f390778d

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://agoldcomm.plat96.com
hxxp://push7.devopenserv.com
hxxp://cloud6.uuserv10.com

g.10086.cn is known to have responded to:
112.4.19.33
221.181.195.141
58.68.142.6
180.150.163.149
58.68.142.188
58.68.142.203
60.217.242.152
58.68.142.232
60.217.242.151
112.90.217.110
58.68.142.182
58.68.142.183
60.217.232.201
58.68.142.237
59.151.7.195

Related malicious MD5s known to have responded to the same malicious C&C server IPs:
MD5: 15ddafe1b32dc0b476cdaac92cc3ea12
MD5: 60e7caba4395c77f88c72103aa3c14e2
MD5: 9c692a6b2fc5b0d9f468ce1a110bd296
MD5: 2beae563023a37559c3d0e2da577c517
MD5: d9f63c321e345b2b1c91a1259003cfed
MD5: 07950552ddf728685b943254f390778d

Related malicious domains known to have participated in the campaign:
hxxp://log6.devopenserv.com - 211.151.167.51
hxxp://cloud6.devopenserv.com
hxxp://pus7.devopenserv.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
MD5: 37845effed5d773252f129bd3fce588a
MD5: 08beb447853aae8655f77ddc16a5766b
MD5: 16147ec72345631cc345af69b2640578
MD5: 4fcedf07023619b21358c259d11a90cb
MD5: ab36173205aa7aeb713956b1f9ec7b26

Related malicious domains known to have participated in the campaign:
hxxp://down.devopenserv.com
hxxp://cloud.devopenserv.com
hxxp://ck6.devopenserv.com
hxxp://rck6.devopenserv.com
hxxp://img14.devopenserv.com
hxxp://dl8.devopenserv.com
hxxp://dl14.devopenserv.com
hxxp://cloud6.devopenserv.com
hxxp://push7.devopenserv.com
hxxp://dp3.devopenserv.com
hxxp://cloud2.devopenserv.com
hxxp://ck2.devopenserv.com
hxxp://dp2.devopenserv.com
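As an added example, not part of the original post, the following Python snippet turns a subset of the defanged ("hxxp") indicators listed above into a simple matcher and runs it over a few constructed proxy and file-hash log lines. The indicator values are copied from this post; the log lines are constructed for the demonstration, and the rule that treats any subdomain of devopenserv.com as a hit is my own generalization of the subdomain list above, not something the post states.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the post above (defanged "hxxp" URLs, MD5s and IPs).
RAW_URLS = [
    "hxxp://61.160.234.133/date/getDate",
    "hxxp://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelId=12068000",
    "hxxp://117.135.131.9/push_4/push.action?imei=value",
    "hxxp://61.160.242.35/pro_5/pro.action",
    "hxxp://agoldcomm.plat96.com",
    "hxxp://push7.devopenserv.com",
    "hxxp://cloud6.devopenserv.com",
    "hxxp://log6.devopenserv.com",
]
RAW_MD5S = [
    "12e6971511705b7396e4399ac46854f9",
    "e7d6fef2f1b23cf39a49771eb277e697",
    "ec125a741919574b7de29889845fe648",
    "07950552ddf728685b943254f390778d",
]
# A few of the IPs the post associates with g.10086.cn and log6.devopenserv.com.
RAW_IPS = ["112.4.19.33", "221.181.195.141", "211.151.167.51"]
# Assumption (my generalization): any host under this parent domain is treated as a hit.
IOC_PARENT_DOMAINS = {"devopenserv.com"}


def refang(url):
    """Turn a defanged hxxp:// URL back into a parseable http:// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a (possibly defanged) URL."""
    return urlparse(refang(url)).hostname.lower()


IOC_HOSTS = {host_of(u) for u in RAW_URLS} | set(RAW_IPS)
IOC_MD5S = {h.lower() for h in RAW_MD5S}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def host_matches(host):
    """Exact host/IP match, or a subdomain of a listed parent domain."""
    host = host.lower()
    if host in IOC_HOSTS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_PARENT_DOMAINS)


def scan_line(line):
    """Return a list of (kind, indicator) hits found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host and host_matches(host):
            hits.append(("host", host.lower()))
    for md5 in MD5_RE.findall(line):
        if md5.lower() in IOC_MD5S:
            hits.append(("md5", md5.lower()))
    return hits


def scan_log(lines):
    """Scan every line; return (line_index, hit) pairs."""
    return [(i, hit) for i, line in enumerate(lines) for hit in scan_line(line)]


# Constructed sample logs (not real traffic): a proxy log and an APK hash inventory.
SAMPLE_PROXY_LOG = [
    "2017-05-29T10:01:02Z 10.0.0.7 GET http://61.160.234.133/date/getDate 200",
    "2017-05-29T10:01:05Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2017-05-29T10:02:11Z 10.0.0.9 GET http://dl14.devopenserv.com/app.apk 200",
]
SAMPLE_HASH_LOG = [
    "apk=com.example.update md5=12E6971511705B7396E4399AC46854F9",
    "apk=com.example.clean md5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for idx, (kind, value) in scan_log(SAMPLE_PROXY_LOG + SAMPLE_HASH_LOG):
        print(f"line {idx}: {kind} indicator {value}")
```

The matcher normalizes case on both sides, so a hash logged in upper case still matches, and it checks URL hostnames rather than substrings, which avoids false positives on a path that merely contains a listed string.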

We'll continue monitoring the campaign and post updates as soon as new developments take place.