We've recently intercepted a currently circulating malicious spam campaign affecting hundreds of users globally, potentially exposing the confidentiality, availability and integrity of their devices to a multitude of malicious software. Largely relying on a multitude of social engineering vectors, the cybercriminals behind the campaign have managed to successfully impersonate Adobe Flash Player, tricking users into thinking that they're visiting a legitimate Web site, on their way to infecting their devices by relying on bogus "Please update Flash on your device" messages.
Over the last couple of years we've been monitoring an increase in rogue Google Play type of Android applications, as well as rogue online Web sites, tricking tens of thousands of users on a daily basis into installing rogue applications, largely relying on a multitude of social engineering vectors. Next to rogue online Web sites, we've also been actively monitoring an increase in compromised Web sites serving malicious software, potentially exposing the confidentiality, availability and integrity of users' devices to a multitude of malicious software. We've also been busy monitoring an increase in the ongoing monetization of hijacked traffic through underground market traffic exchanges, with more cybercriminals successfully monetizing the hijacked traffic while earning fraudulent revenue in the process.
In this post we'll profile the malicious campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.
Related malicious MD5s known to have participated in the campaign:
MD5: 288ad03cc9788c0855d446e34c7284ea
Related malicious URLs known to have participated in the campaign:
hxxp://brutaltube4mobile.com - 37.1.200.202
hxxp://xxxvideotube.org - 5.45.112.27; 37.140.192.196; 184.82.244.166
Known to have responded to the same malicious C&C server IP (37.1.200.202) are also the following malicious domains:
Related malicious MD5s known to have phoned back to the same C&C server IP (brutaltube4mobile.com - 37.1.200.202):
MD5: 18327d619484112f81dc7da4169ba088
MD5: 090f7349fef4e1624393383e145d5982
MD5: d2e3d9d0e599cfce1af8b2777c3a071a
Related malicious MD5s known to have phoned back to the same C&C server IPs (xxxvideotube.org - 5.45.112.27; 37.140.192.196; 184.82.244.166):
MD5: 288ad03cc9788c0855d446e34c7284ea
Once executed, a sample malware phones back to the following C&C server IP:
hxxp://5.196.121.148
Related malicious MD5s known to have phoned back to the same C&C server IP (5.196.121.148):
MD5: 7bef1c5e0dcf5f6fd152c0723993e378
MD5: 10e6c3f050b24583abf708d6afb34db2
MD5: 5a122660a3d54d9221500224f103d7b0
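As an added example (not code from the original post), a small Python scanner that refangs the indicators quoted above and matches them against proxy-log lines and a list of file hashes. The log lines, the lookalike domain in them and the "timestamp client method url status" log format are constructed assumptions for the demonstration.

```python
from urllib.parse import urlsplit

# Indicators quoted from the post above (the post defangs URLs as hxxp://).
CAMPAIGN_DOMAINS = {"brutaltube4mobile.com", "xxxvideotube.org"}
CAMPAIGN_C2_IPS = {"37.1.200.202", "5.45.112.27", "37.140.192.196",
                   "184.82.244.166", "5.196.121.148"}
CAMPAIGN_MD5S = {
    "288ad03cc9788c0855d446e34c7284ea", "18327d619484112f81dc7da4169ba088",
    "090f7349fef4e1624393383e145d5982", "d2e3d9d0e599cfce1af8b2777c3a071a",
    "7bef1c5e0dcf5f6fd152c0723993e378", "10e6c3f050b24583abf708d6afb34db2",
    "5a122660a3d54d9221500224f103d7b0",
}

def refang(ioc):
    """Undo common defanging (hxxp://, [.]) so indicators match real logs."""
    return ioc.replace("hxxp://", "http://").replace("[.]", ".")

def host_of(url):
    """Lowercase hostname of a URL, port stripped; bare hosts are accepted too."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname

def classify_host(host):
    """'c2_ip', 'campaign_domain' (exact match or subdomain), or None."""
    if host is None:
        return None
    if host in CAMPAIGN_C2_IPS:
        return "c2_ip"
    if host in CAMPAIGN_DOMAINS or any(host.endswith("." + d) for d in CAMPAIGN_DOMAINS):
        return "campaign_domain"
    return None

def scan_proxy_log(lines):
    """Scan 'timestamp client method url status' lines; return (line_no, host, kind)."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the whole scan
        host = host_of(fields[3])
        kind = classify_host(host)
        if kind:
            hits.append((n, host, kind))
    return hits

def known_bad_hashes(md5s):
    """Subset of the given MD5s (any letter case) present in the campaign list."""
    return {h.lower() for h in md5s} & CAMPAIGN_MD5S

# Constructed sample proxy log, not taken from the post; line 4 is a lookalike
# host that merely contains a campaign domain and must NOT match.
SAMPLE_LOG = [
    "2015-06-01T10:00:01Z 10.0.0.5 GET http://www.example.org/index.html 200",
    "2015-06-01T10:00:07Z 10.0.0.5 GET http://m.brutaltube4mobile.com/update 200",
    "2015-06-01T10:00:09Z 10.0.0.5 POST http://5.196.121.148:8080/gate 200",
    "2015-06-01T10:00:12Z 10.0.0.9 GET http://xxxvideotube.org.lookalike.test/ 200",
]
```

Feed the function your own proxy export in the same field order, or adapt the field index to your log schema.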
Thanks to the overall availability of mobile affiliate network type of monetization vectors, we expect to continue observing an increase in mobile malware type of fraudulent and rogue Web sites serving malicious software to unsuspecting users internationally.
We'll continue monitoring the market segment for mobile malware and post updates as soon as new developments take place.