We've recently intercepted a currently circulating piece of malicious mobile malware that potentially compromises the confidentiality, availability, and integrity of infected devices and spreads further malicious software to them. The cybercriminals behind it potentially earn fraudulent revenue by monetizing access to the malware-infected hosts, largely relying on an affiliate-network based revenue-sharing scheme.
In this post we'll provide actionable intelligence about the infrastructure behind it, discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it, and further map out the malicious infrastructure behind the campaign, successfully exposing the malicious actors behind it.
Related malicious MD5s known to have participated in the campaign:
MD5: 12e6971511705b7396e4399ac46854f9
MD5: e7d6fef2f1b23cf39a49771eb277e697
Once executed, a malware sample phones back to the following malicious C&C servers:
hxxp://61.160.234.133/date/getDate
hxxp://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelId=12068000
hxxp://ccinchina.com
hxxp://117.135.133.9/source/appsource/15035916BaiduBrowser_Android_2-3-28-6_1000934d.apk?imei=
hxxp://117.135.131.9/push_4/push.action?imei=value
hxxp://61.160.242.35/pro_5/pro.action
Related malicious MD5s known to have phoned back to the same malicious C&C server IP (61.160.234.133):
Once executed, a malware sample phones back to the following malicious C&C servers:
hxxp://agoldcomm.plat96.com
hxxp://push7.devopenserv.com
hxxp://cloud6.uuserv10.com
g.10086.cn is known to have responded to 112.4.19.33; 221.181.195.141; 58.68.142.6; 180.150.163.149; 58.68.142.188; 58.68.142.203; 60.217.242.152; 58.68.142.232; 60.217.242.151; 112.90.217.110; 58.68.142.182; 58.68.142.183; 60.217.232.201; 58.68.142.237; 59.151.7.195
Related malicious MD5s known to have responded to the same malicious C&C server IPs:
Related malicious domains known to have participated in the campaign:
hxxp://log6.devopenserv.com - 211.151.167.51
hxxp://cloud6.devopenserv.com
hxxp://pus7.devopenserv.com
Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
Related malicious domains known to have participated in the campaign:
We'll continue monitoring the campaign and post updates as soon as new developments take place.