Powered by Blogger.
RSS

Joining Team Astalavista - Stay Tuned!

Dear blog readers I wanted to let everyone know that I will be shortly joining Team Astalavista - The World's Most Popular Information Security Portal acting a Managing Director following a successful career as Managing Director through 2003-2006 where I used to maintain a highly informative and educational Security Newsletter featuring exclusive content and security interviews (Security Interviews 2004/2005 - Part 1; Security Interviews 2004/2005 - Part 2; Security Interviews 2004/2005 - Part 3) with people from the Scene including daily content moderation successfully re-positioning the portal as the World's Most Popular Information Security Portal.

How you can help? Consider making a modest donation to ensure a proper and smooth launch of the portal. The donation and sponsorship will go to ensure that the launch is properly empowered with the necessary tools to ensure a smooth launch.

Stay tuned!

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Pay-Per-Exploit Acquisition Vulnerability Programs - Pros and cons?

As ZERODIUM starts paying premium rewards to security researchers to acquire their previously unreported zero-day exploits affecting multiple operating systems software and/or devices a logical question emerges in the context of the program's usefulness the potential benefits including potential vulnerabilities within the actual acquisition process - how would the program undermine the security industry and what would be the eventual outcome for the security researcher in terms of fueling growth in the cyber warfare market segment?

In this post I'll discuss the market segment for pay-per-exploit acquisition programs and discuss in-depth the current exploit-acquisition methodology utilized by different vendors and provide in-depth discussion on various over-the-counter acquisition methodologies applied by malicious attackers on their way to monetize access to malware-infected hosts while compromising the confidentiality availability and integrity of the targeted host including an active discussion on the ongoing and potential weaponization of zero day vulnerabilities int the context of today's cyber warfare world.

Having greatly realized the potential of acquiring zero day vulnerabilities for the purpose of actively exploiting end users malicious actors have long been aware of the over-the-counter acquisition market model further enhancing their capabilities when launching malicious campaigns. Among the most widely spread myth about zero day vulnerabilities is the fact that zero day vulnerabilities arethe primary growth factor of the cybercrime ecosystem further resulting in a multi-tude of malicious activity targeting end users.

With vendors continuing to establish the foundations for active vulnerability and exploit acquisition programs third-party vendors and research organizations continue successfully disintermediating the vendor's major vulnerability and exploit acquisition programs successfully resulting in the launch and establishment of third-party services and products further populating the security-industry with related products and services potentially acquiring "know-how" and relevant vulnerability and exploit information from major vendors further launching related companies and services potentially empowering third-party researchers vendors and individuals including nation-state actors with potential weaponization capabilities potentially leading to successful target-acquisition practices on behalf of third-party researchers and individuals.


Becoming a target in the widespread context of third-party vendors and researchers might not be the wisest approach when undermining potential research and in-house research and benchmarking activities in terms of evaluating and responding to vulnerabilities and exploits. Vendors looking for ways to efficiently improve the overall security and product performance in terms of security should consider basic internal benchmarking practices and should also consider a possible incentive-based type of vulnerability and exploit reward-type of revenue-sharing program potentially rewarding company employees and researchers with the necessary tools and incentives to find and discover and report security vulnerabilities and exploits.

Something else worth pointing out in terms of vulnerability research and exploit discovery is a process which can be best described as the life-cycle of a zero day vulnerability and exploit which can be best described as a long-run process utilized by malicious and fraudulent actors successfully utilizing client-side exploits for the purpose of successfully dropping malicious software on the hosts of the targeted victims which often rely on outdated and patched vulnerabilities and the overall misunderstanding that zero day vulnerabilities and exploits are the primary growth factor of the security-industry and will often rely on the fact that end users and enterprises are often unaware of the basic fact that cybercriminals often rely on outdated and patched vulnerabilities successfully targeting thousands of users globally on a daily basis.

What used to be a market-segment dominated by DIY (do-it-yourself) exploit and malware-generating tools is today's modern market-segment dominated by Web malware-exploitation kits successfully affecting thousands of users globally on a daily basis. In terms of Web-malware exploitation kits among the most common misconceptions regarding the utilization of such type of kits is the fact that the cybercriminals behind it rely on newly discovered exploits and vulnerabilities which in fact rely on outdated and already patched security vulnerabilities and exploits for the purposes of successfully enticing thousands of users globally into falling victim into social-engineering driven malicious and fraudulent campaigns.

Despite the evident usefulness from a malicious actor's point of view when launching malicious campaigns malicious actors continue utilizing outdated vulnerabilities for the purpose of launching malicious campaigns further utilizing a multi-tude of social engineering attack vectors to enhance the usefulness of the exploitation vector. Another crucial aspect of the pay-per-exploit acquisition vulnerability model is, the reliance on outdated and unpatchted vulnerabilities for the purpose of launching malicious campaigns further relying on the basic fact that on the majority of occasions end users fail to successfully update their third-party applications often exposing themselves to a variety of successful malicious campaigns utilizing outdated and unpatched vulnerabilities.

We expect to continue observing an increase in the pay-per-exploit acquisition model with, related acquisition model participants continuing to acquire vulnerabilities further fueling growth into the market segment. We expect that malicious actors will adequately respond through over-the-counter acquisition models including the utilization of outdated and unpatched vulnerabilities. End users are advised to continue ensuring that their third-party applications are updated to build a general security awareness and to ensure that they're running a fully patched antivirus solution.

Consider going through the following related posts:
Researchers spot new Web malware exploitation kit
Web malware exploitation kits updated with new Java exploit
Which are the most commonly observed Web exploits in the wild?
Report: Patched vulnerabilities remain prime exploitation vector
Report: malicious PDF files becoming the attack vector of choice
Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit
56 percent of enterprise users using vulnerable Adobe Reader plugins
Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
Report: malicious PDF files becoming the attack vector of choice
Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit
56 percent of enterprise users using vulnerable Adobe Reader plugins
Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts
Secunia: popular security suites failing to block exploits
37 percent of users browsing the Web with insecure Java versions
Which are the most commonly observed Web exploits in the wild?
Report: Malicious PDF files comprised 80 percent of all exploits for 2009
Secunia: Average insecure program per PC rate remains high

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

HIstorical OSINT - Malicious Economies of Scale - The Emergence of Efficient Platforms for Exploitation - 2007

Dear blog readers it's been several years since I last posted a quality update following my 2010 disappearance. As it's been quite a significant period of time since I last posted a quality update I feel it's about time I post an quality update by detailing the Web Malware Exploitation market segment circa 2007 prior to my visit to the GCHQ as an independent contractor with the Honeynet Project.

In this post I'll discuss the rise of Web malware exploitation kits circa 2007 and offer in-depth discussion on the current and emerging tactics techniques and procedures (TTPs) of the cybercriminals behind it. With cybercriminals continuing to actively rely on the exploitation of patched and outdated vulnerabilities and with end users continuing to actively utilize unpatched and outdated third-party software it shouldn't be surprising that today's botnets remain relatively easy to generate and orchestrate for the purpose of committing financial fraud.

Malicious Economies of Scale literally means utilizing attack techniques and exploitation approaches to efficiently, yet cost and time effectively, infect or abuse as many victims as possible, in a combination with an added layer of improved metrics on the success of the campaigns. What are the most popular web exploitation kits that malicious parties use to achieve this? Which are the most popular vulnerabilities used in the majority of the kits? What are the most popular techniques for embedding malware? This white paper will outline this efficiency-centered attack model, and will cover web application vulnerabilities, client-side vulnerabilities, malvertising and black hat SEO (search engine optimization).

An overview of the threats posed by rising number of malware embedded sites, with a discussion of the exploitation techniques and kits used, as well as detailed summaries of all the high-profile such attacks during 2007.

01. Reaching the Efficiency Scale Through a Diverse Set of Exploited Vulnerabilities

2007 was the year in which client-side vulnerabilities significantly replaced server-side ones as the preferred choice of malicious attackers on their way to achieve the highest possible attack success rate, while keeping their investment in terms of know-how and personal efforts to the minimum. Among the most successful such attacks during 2007 was Storm Worm, the perfect example that the use of outdated and already patched vulnerabilities can result in aggregating the world’s largest botnet according to industry and independent researchers’ estimates. By itself, this attack technique is in direct contradiction with the common wisdom that zero day vulnerabilities are more dangerous than already patched ones, however, the gang behind Storm Worm quickly envisioned this biased statement as false, and by standardizing the exploitation process with the help of outdated vulnerabilities achieved an enormous success.

Years ago, whenever, a vulnerability was found and exploit code released in the wild, malicious attackers used to quickly released a do-it-yourself exploitation kit to take advantage of a single exploit only. Nowadays, that’s no longer the case, since by using a single exploit whether an outdated, or zero day one, they’re significantly limiting the probability for a successful attack, and therefore the more diverse and served on-the-fly is the set of exploits used in an attack, the higher would the success rate be.

What was even more interesting to monitor during 2007, was the rise of high-profile sites serving malware, and the decline of malware coming from bogus ones. From the Massive Embedded Malware Attack at a large Italian ISP to the Bank of India, the Syrian Embassy in the U.K, the U.S Consulate in St. Petersburg, China’s CSIRT, Possibility Media’s entire portfolio of E-zines, to the French government’s site related to Lybia, these trusted web sites were all found to serve malware though an embedded link pointing back to the attacker’s malicious server. Let’s clarify what malicious economies of scale means, and how do they do it.

02. What is malicious economies of scale, and how is it achieved?

Malicious economies of scale is a term I coined in 2007 to summarize the ongoing trend of efficiently attacking online users, by standardizing the exploitation process, and by doing so, not just lowering the entry barriers into the process of exploiting a large number of users, but also, maintaining a rather static success rate of infections. Malicious economies of scale is the efficient way by which a large number of end users get infected, or have their online abused, with the malicious parties maintaining a static attack model. It’s perhaps more important to also describe how is the process achieved at the first place? The first strategy applied has to do with common sense in respect to the most popular software applications present at the end user’s end, and the first touch-point in this case would be the end user’s Internet browser.

Having its version easily detected and exploit served, one that’s directly matching the vulnerable version, is among the web exploitation kits main functionalities. Let’s continue with the second strategy, namely to increase the probability of success. As I’ve already pointed out, do-it-yourself single vulnerability exploiting tools matured into web exploitation malware kits, now backed up with a diverse set of exploits targeting different client-side applications, which in this case is the process of increasing the probability of successful infection. The third strategy has to do with attracting the traffic to the malicious server, that as I’ve already discussed is already automatically set to anticipate the upcoming flood of users and serve the malware through exploiting client-side software vulnerabilities on their end. This is mainly done through exploiting remote file inclusion vulnerabilities within the high-profile targets, or through remotely exploitable web application vulnerabilities to basically embed a single line of code, or an obfuscated javascript that when deobfuscated will load the malicious URL in between loading the legitimate site.

Popular Malware Embedded Attack Tactics

This part of the article will briefly describe some of the most common attack tactics malicious parties use to embed links to their malicious servers on either high-profile sites, or any other site with a high pagerank, something they’ve started measuring as of recently according to threat intell assessment on an automated system to embed links based on a site’s popularity.

  • The “pull” Approach – Blackhat SEO, Harnessing the Trusted Audience of a Hacked Site
In this tactic, malicious parties entirely rely on the end users to reach their malicious server, compared to the second tactic of “pushing” the malicious links to them. This is primarily accomplished through the use of Blackhat SEO tools generating junk content with the idea to successfully attract search engine traffic for popular queries, thus infecting anyone who visits the site, who often appear within the first twenty search results. The second “pull” approach such tactic is harnessing the already established trust of a site such as major news portal for instance, and by embedding a link to automatically load on the portal, have the users actually “pull” the malware for themselves
  • The “push” Approach – Here’s Your Malware Embedded Link
The “push” approach’s success relies in its simple logic, with end users still worrying about downloading or clicking on email attachments given the overall lack of understanding on how to protect from sites serving malware, it’s logical to consider that basically sending a link which once visited will automatically infect the visitor though exploiting a client-side vulnerability, actually works. Storm Worm is the perfect example, and to demonstrate what malicious economies of scale means once again, it’s worth mentioning Storm’s approach of having an already infected host act as an infection vector itself, compared to its authors having to register multiple domains and change them periodically. The result is malware embedded links exploiting client-side vulnerabilities in the form of an IP address, in this case an already infected host that’s now aiming to infect another one
  • Automatically Exploiting Web Application Vulnerabilities – Mass SQL Injection Attacks
As I’ve already pointed out, malicious parties are not just efficiently scanning for remotely exploitable web application vulnerabilities or looking for ways to remotely include files on any random host, they’ve started putting efforts into analyzing the page rank, and overall popularity of a site they could exploit. This prioritizing of the sites to be used for a “pull” tactic is aiming to achieve the highest possible success rate by targeting a high-trafficked site, where even though the attack can be detected, the “window of opportunity” while the users were also accessing the malicious server could be far more beneficial than having a permanent malware link on a less popular site for an indefinite period of time.
  • Malicious Advertisements - Malvertising
Among the most popular traffic acquisition tactics nowadays remain the active utilization of legitimate Web properties for the purpose of socially engineering an ad network provider into featuring a specific malware-serving advertising at the targeted Web site including active Web site compromise for the purpose of injecting rogue and malicious ads on the targeted host.

Related posts:
  • Buying Access to Hacked Cpanels or Web Servers
Thanks to a vibrant DIY (do-it-yourself) Web malware exploitation kit culture including the active utilization of various DIY Web site exploitation and malware-generating cybercriminals continue actively utilizing stolen and compromised accounting data for the purpose of injecting malicious scripts on the targeted host further compromising the confidentiality availability and integrity of the targeted host.
  • Harvesting accounting data from malware infected hosts
Having an administrator access to a domains portfolio, or any type of access though a web application backdoor or direct FTP/SSH, has reached its commercial level a long time ago. In fact, differentiated pricing applies in this case, on the basis of a site’s page rank, whereas I’ve stumbled upon great examples of “underground goods liquidity” as a process, where access to a huge domains portfolio though a hacked Cpanels is being offered for cents with the seller’s main concern that cents are better than nothing, nothing in the sense that she may loose access to the Cpanel before its being sold and thus ends up with nothing. Now, let’s discuss the most popular malware exploitation kits currently in the wild.

The Most Popular Web Malware Exploitation Kits

Going into detail about the most common vulnerabilities used in the multitude of web malware exploitation kits could be irrelevant from the perspective of their current state of “modularity”, that is, once the default installation of the kit contains a rather modest set of exploits, the possibility to add new exploits to be used has long reached the point’n’click stage. Even worse, localizing the kits to different languages further contributes to their easy of use and acceptance on a large scale, just as is their open source nature making it easy for coders to use a successful kit’s modules as a foundation for a new one – something’s that’s happening already, namely the different between a copycat kit and an original coded from scratch one. Among the most popular malware kits remain :
  • A Brief Overview of MPack, IcePack, Zunker, Advanced Pack and Fire Pack
During 2007, Mpack emerged as the most popular malware exploitation kit. Originally available for purchase, by the time copies of the kit started leaking out, anyone from a script kiddie to a pragmatic attacker have obtained copy of it. Mpack’s main strength is that of its well configured default installation, which in a combination with a rather modest, but then again, modular set of exploits included, as well as its point’n’click level of sophistication automatically turned it into the default malware kit. Mpack’s malware kit has been widely used on nearly all of the high-profile malware embedded attacks during 2007, however, its popularity resulted in way too much industry attention towards its workings, and therefore, malicious parties starting coming up with new kits, still using Mpack as the foundation at least from a theoretical perspective.

The list is endless, the Nuclear Malware kit, Metaphisher, old version of the WebAttacker and the Rootlauncher kit, with the latest and most advanced innovation named the Random JS Exploitation Kit. Compared to the previous one, this one is going a step beyond the usual centralized malicious server.

With malicious parties now interested in controlling as much infected hosts with as little effort as possible, client-side vulnerabilities will continue to be largely abused in an efficient way thought web malware exploitation kits in 2008. The events that took place during 2007, clearly demonstrate the pragmatic attack approaches malicious parties started applying, namely realizing that an outdated but unpatched on a large scale vulnerability is just as valuable as a zero day one.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into interacting with a multi-tude of rogue and malicious software also known as scareware.

In this post I'll profile the campaign discuss in-depth the tactics techniques and procedures of the cybercriminals behind it and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://ozeqiod.cn?uid=213 - redirector - 64.86.25.201 - hxxp://bexwuq.cn

Sample URL redirection chain:
hxxp://ymarketcoms.cn/?pid=123

Related malicious domains known to have responded to the same malicious C&C server IPs (64.86.25.201):
hxxp://bombas101.com
hxxp://trhtrtrbtrtbtb.com
hxxp://opensearch-zone.com
hxxp://imaera.cn
hxxp://ariexa.cn
hxxp://ozeqiod.cn
hxxp://ariysle.cn
hxxp://ajegif.cn
hxxp://adiyki.cn
hxxp://acaisek.cn
hxxp://yvamuer.cn
hxxp://protectinstructor.cn
hxxp://blanshinblansh.net
hxxp://kostinporest.net

Related malicious domains known to have participated in the campaign:
hxxp://azikyxa.cn
hxxp://befaqki.cn
hxxp://ataini.cn
hxxp://atoycri.cn
hxxp://bimpuj.cn
hxxp://bekajop.cn
hxxp://bexwuq.cn
hxxp://azywoax.cn
hxxp://azaijy.cn

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - A Diversified Portfolio of Fake Security Software Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another malicious and fraudulent domain portfolio serving a variety of fake security software also known as scareware potentially exposing hundreds of thousands of users to a variety of fake security software with the cybercriminals behind the campaign potentially earning fraudulent revenue largely relying on the utilization of an affiliate-network based type of revenue-sharing scheme.

Related malicious domains known to have participated in the campaign:
hxxp://50virus-scanner.com
hxxp://700virus-scanner.com
hxxp://antivirus-test66.com
hxxp://antivirus200scanner.com
hxxp://antivirus600scanner.com
hxxp://antivirus800scanner.com
hxxp://antivirus900scanner.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://inetproscan031.com
hxxp://internet-scan020.com
hxxp://novirus-scan00.com
hxxp://stopvirus-scan11.com
hxxp://stopvirus-scan13.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan33.com
hxxp://virus66scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://antivirus-scan200.com
hxxp://antispy-scan200.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://antivirus-scan400.com
hxxp://antispy-scan400.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://antivirus-scan600.com
hxxp://antispy-scan600.com
hxxp://antivirus-scan700.com
hxxp://antispy-scan700.com
hxxp://av-scanner700.com
hxxp://antispy-scan800.com
hxxp://antivirus-scan900.com
hxxp://novirus-scan00.com
hxxp://stop-virus-010.com
hxxp://spywarescan010.com

Related malicious domains known to have participated in the campaign:
hxxp://antispywarehelp010.com
hxxp://internet-scan020.com
hxxp://internet-scanner020.com
hxxp://insight-scan20.com
hxxp://internet-scanner030.com
hxxp://stop-virus-040.com
hxxp://internet-scan040.com
hxxp://insight-scan40.com
hxxp://internet-scan050.com
hxxp://internet-scanner050.com
hxxp://insight-scan60.com
hxxp://stop-virus-070.com
hxxp://internet-scan070.com
hxxp://internet-scanner070.com
hxxp://insight-scan80.com
hxxp://stop-virus-090.com
hxxp://internet-scan090.com
hxxp://internet-scanner090.com
hxxp://insight-scan90.com
hxxp://antispywarehelpk0.com
hxxp://inetproscan001.com
hxxp://novirus-scan01.com
hxxp://spyware-stop01.com
hxxp://antivirus-inet01.com
hxxp://stopvirus-scan11.com
hxxp://inetproscan031.com
hxxp://novirus-scan31.com
hxxp://antivirus-inet31.com
hxxp://novirus-scan41.com
hxxp://antivirus-inet41.com
hxxp://antivirus-inet51.com
hxxp://inetproscan061.com
hxxp://novirus-scan61.com

Related malicious domains known to have participated in the campaign:
hxxp://inetproscan081.com
hxxp://novirus-scan81.com
hxxp://inetproscan091.com
hxxp://spyware-stopb1.com
hxxp://spyware-stopm1.com
hxxp://spyware-stopn1.com
hxxp://spyware-stopz1.com
hxxp://antispywarehelp002.com
hxxp://antispywarehelp022.com
hxxp://novirus-scan22.com
hxxp://antispywarehelpk2.com
hxxp://insight-scanner2.com
hxxp://spywarescan013.com
hxxp://stopvirus-scan13.com
hxxp://novirus-scan33.com
hxxp://stopvirus-scan33.com
hxxp://antispywarehelp004.com
hxxp://antispywarehelpk4.com
hxxp://spywarescan015.com
hxxp://novirus-scan55.com
hxxp://insight-scanner5.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan66.com
hxxp://antispywarehelpk6.com
hxxp://spywarescan017.com
hxxp://insight-scanner7.com
hxxp://antispywarehelp008.com
hxxp://spywarescan018.com
hxxp://stopvirus-scan18.com
hxxp://novirus-scan88.com
hxxp://stopvirus-scan88.com
hxxp://antivirus-test88.com
hxxp://antispywarehelpk8.com
hxxp://insight-scanner8.com
hxxp://insight-scanner9.com

Related malicious domains known to have participated in the campaign:
hxxp://10scanantispyware.com
hxxp://20scanantispyware.com
hxxp://30scanantispyware.com
hxxp://60scanantispyware.com
hxxp://80scanantispyware.com
hxxp://2scanantispyware.com
hxxp://3scanantispyware.com
hxxp://5scanantispyware.com
hxxp://7scanantispyware.com
hxxp://8scanantispyware.com
hxxp://spyware200scan.com
hxxp://spyware500scan.com
hxxp://spyware800scan.com
hxxp://spyware880scan.com
hxxp://50virus-scanner.com
hxxp://90virus-scanner.com
hxxp://antivirus900scanner.com
hxxp://antivirus10scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://net001antivirus.com
hxxp://net011antivirus.com
hxxp://net111antivirus.com
hxxp://net021antivirus.com
hxxp://net-02antivirus.com
hxxp://net222antivirus.com
hxxp://net-04antivirus.com
hxxp://net-05antivirus.com
hxxp://net-07antivirus.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - A Diversified Portfolio of Fake Security Software

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent porfolio of fake security software also known as scareware potentially enticing hundreds of thousands of users to a multi-tude of malicious software with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate network-based type of revenue sharing scheme.

Related malicious domains known to have participated in the campaign:
hxxp://thebest-antivirus00.com - 91.212.226.203; 94.228.209.195
hxxp://virusscannerpro0.com
hxxp://lightandfastscanner01.com
hxxp://thebest-antivirus01.com
hxxp://thebestantivirus01.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://thebest-antivirus11.com
hxxp://antispyware-module1.com
hxxp://antispywaremodule1.com
hxxp://antivirus-toolsr1.com
hxxp://thebest-antivirus1.com
hxxp://thebest-antivirusx1.com
hxxp://thebestantivirus02.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://lightandfastscanner22.com
hxxp://prosecureprotection2.com
hxxp://virusscannerpro2.com
hxxp://antivirus-toolsr2.com
hxxp://thebest-antivirusx2.com
hxxp://thebestantivirus03.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://antispyware-module3.com
hxxp://antispywaremodule3.com
hxxp://virusscannerpro3.com
hxxp://windowsantivirusserver3.com
hxxp://thebest-antivirusx3.com
hxxp://thebestantivirus04.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://antispyware-scann4.com
hxxp://antivirus-toolsr4.com
hxxp://thebest-antivirusx4.com
hxxp://thebestantivirus05.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://thebest-antivirusx5.com
hxxp://remove-spyware-16.com
hxxp://lightandfastscanner66.com
hxxp://antispywaremodule6.com
hxxp://antispyware-module7.com
hxxp://antispywaremodule7.com
hxxp://antivirus-toolsr7.com
hxxp://antispyware-scann8.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antispyware-module9.com
hxxp://antispywaremodule9.com
hxxp://antispyware-scann9.com
hxxp://virusscannerpro9.com
hxxp://antivirus-toolsr9.com
hxxp://thebest-antivirus9.com
hxxp://antiviruspro1scan.com
hxxp://antiviruspro2scan.com
hxxp://antiviruspro7scan.com
hxxp://antiviruspro8scan.com
hxxp://antiviruspro9scan.com
hxxp://antispyware6sacnner.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://prosecureprotection2.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://windowsantivirusserver3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antivirus-toolsr9.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com

Related malicious domains known to have participated in the campaign:
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://run-virusscanner4.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com

Related malicious domains known to have participated in the campaign:
hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com

Related malicious domains known to have participated in the campaign:
hxxp://anti-virus-system0.com
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://perform-antivirus-scan-1.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://antivirus-system1.com
hxxp://performspywarescan1.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://antivirus-scanner-3.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://gloriousantivirus2014.com
hxxp://run-virusscanner4.com
hxxp://smart-pcscanner05.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://perform-virus-scan5.com
hxxp://perform-antivirus-scan-6.com
hxxp://antivirus-scanner-6.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://antivirus-scan-server6.com
hxxp://perform-antivirus-scan-7.com
hxxp://perform-antivirus-test-7.com
hxxp://antivirus-win-system7.com
hxxp://antivirus-for-pc-8.com

Related malicious domains known to have participated in the campaign:
hxxp://perform-antivirus-scan-8.com
hxxp://perform-antivirus-test-8.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://perform-antivirus-test-9.com
hxxp://perform-virus-scan9.com
hxxp://antispywareinfo9.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com
hxxp://antispyware06scan.com
hxxp://antispywareinfo9.com
hxxp://antivirus-for-pc-2.com
hxxp://antivirus-for-pc-4.com
hxxp://antivirus-for-pc-6.com
hxxp://antivirus-for-pc-8.com
hxxp://antiviruspro8scan.com
hxxp://extra-antivirus-scan1.com
hxxp://extra-security-scanb1.com
hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com
hxxp://super-scanner-2004.com
hxxp://top-rateanrivirus0.com
hxxp://topantimalware-scanner7.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2008 and I've recently stumbled upon a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into falling victim into fake security software also known as scareware including a variety of dropped fake codecs largely relying on the acquisition of legitimate traffic through active blackhat SEO campaigns in this particular case various North Korea news including Mike Tyson's daughter themed campaigns.

Related malicious domains and redirectors known to have participated in the campaign:
hxxp://fi97.net
hxxp://is-the-boss.com - Email: dantsr@gmail.com

Related malicious domains known to have participated in the campaign:
hxxp://north-korea-news.moviegator.us

Related malicious domains known to have participated in the campaign:
hxxp://petrenko.biz

Related malicious domains known to have participated in the campaign:
hxxp://teensxporn.com - 66.197.165.41 - Email: robertxssmith@googlemail.com
hxxp://aprettygirls.com
hxxp://analporntube.com
hxxp://tuexxxteen.com
hxxp://1tubexxx.com
hxxp://teenboobstube.com
hxxp://tubexxxteen.com

Related rogue YouTube accounts known to have participated in the campaign:
hxxp://www.youtube.com/user/afohebac5ar
hxxp://www.youtube.com/user/irufupol0op

Related malicious domains known to have participated in the campaign:
hxxp://get-mega-tube.com - 216.240.143.7
hxxp://get-mega-tube.com
hxxp://my-flare-tube.com
hxxp://best-crystal-tube.com
hxxp://powerful-tube.com
hxxp://cheery-tube-portal.com
hxxp://jazzy-tubs.com
hxxp://video-tube-dot.com
hxxp://my-tube-show.com

Once executed a sample malware phones back to the following malicious C&C server IPs:
hxxp://mgjmnfgbdfb.com/fff9999.php
hxxp://mgjmnfgbdfb.com/eee9999.php

Once executed a sample malware phones back to the following malicious C&C server IPs:
hxxp://imageempires.com/perce/9dc0266f8077f4b2cd9411ed48ecdda988af00003b1280c47e899830c09969686e8ccfe804c2a7ce5/c0a/perce.jpg
hxxp://imagescolor.com/item/adb0765f302764425d74c12df84cbd29185f9070bb2230a42e0958e050299908de1c5f0844c2579e3/20c/item.gif
hxxp://picturehappiness.com/werber/207/216.jpg
hxxp://archiveexefiles09.com/file.exe

Related malicious URLs known to have participated in the campaign:
hxxp://archiveexefiles09.com/softwarefortubeview.45016.exe

Related malicious URLs known to have participated in the campaign:
hxxp://archiveexefiles09.com - 91.212.65.54
hxxp://exefilesstorage.com
hxxp://exearchstortage.com
hxxp://grandfilesstore.com
hxxp://arch-grandsoftarchive.com
hxxp://hex-programmers.com
hxxp://kir-fileplanet.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Spamvertized Swine Flu Domains - Part Two

It's 2010 and I've recently came across to a currently active diverse portfolio of Swine Flu related domains further enticing users into interacting with rogue and malicious content.

In this post I'll profile and expose a currently active malicious domains portfolio currently circulating in the wild successfully involved in an ongoing variety of Swine Flu malicious spam campaigns and will provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://pehwitew.cn - 58.17.3.44; 58.20.140.5; 220.248.167.126; 60.191.221.116; 110.52.6.252

Related name servers known to have participated in the campaign:
hxxp://ns6.plusspice.com - 110.52.6.252
hxxp://ns2.morewhole.com
hxxp://ns2.extolshare.com
hxxp://ns2.pridesure.com
hxxp://ns2.swellwise.com
hxxp://ns4.boostwise.com
hxxp://ns6.maxitrue.com
hxxp://ns4.sharezeal.com
hxxp://ns2.extolcalm.com
hxxp://ns4.humortan.com
hxxp://ns2.joysheer.com
hxxp://ns2.zestleads.com
hxxp://ns4.fizzleads.com
hxxp://ns4.maxigreat.com
hxxp://ns4.spicyrest.com
hxxp://ns4.hardyzest.com
hxxp://ns2.resttrust.com
hxxp://ns2.alertwow.com
hxxp://ns2.savetangy.com
hxxp://ns4.lovetangy.com
hxxp://ns2.coyrosy.com

Related malicious domains known to have participated in the campaign:
hxxp://jihpuyab.cn
hxxp://dabwedib.cn
hxxp://jehrawob.cn
hxxp://lacgidub.cn
hxxp://fektiyub.cn
hxxp://qucmolac.cn
hxxp://xopfekec.cn
hxxp://gamfesec.cn
hxxp://xokdemic.cn
hxxp://papxunic.cn
hxxp://jiqlosic.cn
hxxp://liynaloc.cn
hxxp://womrifuc.cn
hxxp://picduluc.cn
hxxp://feqtawuc.cn
hxxp://becfuzuc.cn
hxxp://ximnusad.cn
hxxp://limyoxed.cn
hxxp://cokgozed.cn
hxxp://qursehod.cn
hxxp://pimfilod.cn
hxxp://zofxitod.cn
hxxp://pehdiwod.cn
hxxp://ruvvabud.cn
hxxp://japwolud.cn
hxxp://qolqaqaf.cn
hxxp://tacreyaf.cn
hxxp://rajvufef.cn
hxxp://hiwjadif.cn
hxxp://pejjenif.cn
hxxp://hakyabof.cn
hxxp://rijgihag.cn
hxxp://pipgaqag.cn
hxxp://jaxkewag.cn
hxxp://cikqumog.cn
hxxp://tircodug.cn
hxxp://juryaqug.cn
hxxp://yawfadah.cn
hxxp://yabtudah.cn
hxxp://qifhihah.cn
hxxp://xeyselah.cn
hxxp://cotmetah.cn
hxxp://bulmitah.cn
hxxp://tegbejih.cn
hxxp://tuymokih.cn
hxxp://modqopoh.cn
hxxp://qejpoduh.cn
hxxp://xajsomuh.cn
hxxp://wisziruh.cn
hxxp://maypajej.cn
hxxp://tivhikej.cn
hxxp://holmayej.cn
hxxp://dabtizej.cn
hxxp://koyxuwij.cn
hxxp://romxebuj.cn
hxxp://hilzuluj.cn
hxxp://zulfavuj.cn
hxxp://vojhowuj.cn
hxxp://daldukak.cn
hxxp://rakvirak.cn
hxxp://fimresak.cn
hxxp://zepyosak.cn
hxxp://tovpiwak.cn
hxxp://raqhizak.cn
hxxp://salhibik.cn
hxxp://xonzulik.cn
hxxp://jezwutik.cn
hxxp://lungodok.cn
hxxp://qeytakok.cn
hxxp://weswukuk.cn
hxxp://lawmamuk.cn
hxxp://xomhoruk.cn
hxxp://zitkowuk.cn
hxxp://hoyzexuk.cn
hxxp://cutholal.cn
hxxp://jidtecel.cn
hxxp://jovmuhil.cn
hxxp://guxdipil.cn
hxxp://kujkuwil.cn
hxxp://kojvifol.cn
hxxp://zitgohol.cn
hxxp://cosxotol.cn
hxxp://wahwoxol.cn
hxxp://siqsayol.cn 
hxxp://pipwoqul.cn
hxxp://zilfumam.cn
hxxp://fokvidem.cn
hxxp://vamhefem.cn
hxxp://hipxetem.cn
hxxp://hasrozem.cn
hxxp://yovbafim.cn
hxxp://zutgaqim.cn
hxxp://kamnorim.cn
hxxp://nussotim.cn
hxxp://yiblegom.cn
hxxp://vorteyom.cn
hxxp://mokgupum.cn
hxxp://xennesum.cn
hxxp://feshivum.cn
hxxp://nakcaban.cn
hxxp://yaxxokan.cn
hxxp://qikciqan.cn
hxxp://gagsuran.cn
hxxp://bopxuran.cn
hxxp://giwduvan.cn
hxxp://gixreqin.cn
hxxp://leccatin.cn
hxxp://jollipon.cn
hxxp://vuzlopon.cn
hxxp://butkoxon.cn
hxxp://falyewun.cn
hxxp://noscajap.cn
hxxp://xirqocep.cn
hxxp://daqdohep.cn
hxxp://wokvarep.cn
hxxp://hoggudip.cn
hxxp://heqfavip.cn
hxxp://jowrewip.cn
hxxp://cimqiqop.cn
hxxp://cibqobup.cn
hxxp://zijreyup.cn
hxxp://tosnabaq.cn
hxxp://tochekaq.cn
hxxp://cosmoqaq.cn
hxxp://zavnusaq.cn
hxxp://vufsaqeq.cn
hxxp://dagligiq.cn
hxxp://wugjaziq.cn
hxxp://fepsuwoq.cn
hxxp://pombeyoq.cn
hxxp://dokcokuq.cn
hxxp://diwsutuq.cn
hxxp://sayjumar.cn
hxxp://jidxurer.cn
hxxp://qalhiyir.cn
hxxp://goqtoqor.cn
hxxp://gaxdavor.cn
hxxp://kazqikas.cn
hxxp://piskeces.cn
hxxp://qamhadis.cn
hxxp://wifdixis.cn
hxxp://hejhelos.cn
hxxp://hedwimos.cn
hxxp://kerrucus.cn
hxxp://forhalus.cn
hxxp://fesnupus.cn
hxxp://lanzuhat.cn
hxxp://kadmepat.cn
hxxp://potzoyat.cn
hxxp://jupkevet.cn
hxxp://xagmiqit.cn
hxxp://woxjatit.cn
hxxp://gukpuxit.cn
hxxp://dubpacut.cn
hxxp://nifbihut.cn
hxxp://qunkofav.cn
hxxp://vippogav.cn
hxxp://rimjulav.cn
hxxp://kemhenav.cn
hxxp://gutziqav.cn
hxxp://gipbilev.cn
hxxp://kaxcidiv.cn
hxxp://xajwawov.cn
hxxp://rejcoyov.cn
hxxp://jogsuduv.cn
hxxp://lamfoguv.cn
hxxp://daxtohuv.cn
hxxp://mihwuxuv.cn
hxxp://hiwjuhaw.cn
hxxp://gohkijaw.cn
hxxp://tuwqetaw.cn
hxxp://lacjebew.cn
hxxp://vodrubew.cn
hxxp://pehwitew.cn
hxxp://yezxewew.cn
hxxp://yuvsobow.cn
hxxp://yodmapow.cn
hxxp://qotpobuw.cn
hxxp://megrafuw.cn
hxxp://zamponuw.cn
hxxp://kotzequw.cn
hxxp://yudmaruw.cn
hxxp://hamqiruw.cn
hxxp://siwwawuw.cn
hxxp://veqniwuw.cn
hxxp://bepnudax.cn
hxxp://jehfefax.cn
hxxp://boxjokex.cn
hxxp://yoclerex.cn
hxxp://guzjacix.cn
hxxp://mexcekix.cn
hxxp://kibtixix.cn
hxxp://conyixix.cn
hxxp://famlojox.cn
hxxp://jizwalox.cn
hxxp://dahhowox.cn
hxxp://zicquvtx.cn
hxxp://cavxujux.cn
hxxp://voqnolux.cn

Known to have responded to the same malicious IP (60.191.221.123) are also the following malicious domains:
hxxp://vitsulob.cn
hxxp://jahnivub.cn
hxxp://wipviyub.cn
hxxp://gokbulac.cn
hxxp://bedqaqac.cn
hxxp://suvnuqac.cn
hxxp://wukcilec.cn
hxxp://lukbolec.cn
hxxp://juhfaqic.cn
hxxp://mixwiqic.cn
hxxp://qikloric.cn
hxxp://halgiyic.cn
hxxp://jocvoloc.cn
hxxp://gugmikad.cn
hxxp://zoqvulad.cn
hxxp://zokdoled.cn
hxxp://daxlated.cn
hxxp://cahnubid.cn
hxxp://cufxuhod.cn
hxxp://libsorod.cn
hxxp://vopqatod.cn
hxxp://cebvoyod.cn
hxxp://lansocud.cn
hxxp://zohpakud.cn
hxxp://hekwasud.cn
hxxp://niknuvud.cn
hxxp://meymuhaf.cn
hxxp://nigkojef.cn
hxxp://bazmoyef.cn
hxxp://roszadif.cn
hxxp://sapmofif.cn
hxxp://kudxodof.cn
hxxp://pefkipof.cn
hxxp://xoqresof.cn
hxxp://fipxevof.cn
hxxp://quyzeluf.cn
hxxp://xujyeruf.cn
hxxp://xenpikeg.cn
hxxp://tafwohig.cn
hxxp://kowtuhig.cn
hxxp://dinpisig.cn
hxxp://teryuvig.cn
hxxp://funcizig.cn
hxxp://ciytamog.cn
hxxp://jemsowog.cn 
hxxp://kiqzijug.cn
hxxp://pulfaxug.cn
hxxp://wojlabah.cn
hxxp://belzejah.cn
hxxp://pefdovah.cn
hxxp://xijsameh.cn
hxxp://racridih.cn
hxxp://rewfahih.cn
hxxp://vihxujih.cn
hxxp://qujvosih.cn
hxxp://figqacuh.cn
hxxp://xohmoluh.cn
hxxp://jicniwuh.cn
hxxp://kapxuraj.cn
hxxp://jubjavaj.cn
hxxp://bidkuqej.cn
hxxp://jarvixej.cn
hxxp://qinzidij.cn
hxxp://zagzafij.cn
hxxp://merjuwij.cn
hxxp://weqbujuj.cn
hxxp://gucdaluj.cn
hxxp://modxowuj.cn
hxxp://tobponak.cn
hxxp://tacjujek.cn
hxxp://fumliqek.cn
hxxp://wavfebik.cn
hxxp://xizqibik.cn
hxxp://focnigik.cn
hxxp://biqmipik.cn
hxxp://zowcoqik.cn
hxxp://fexsitik.cn
hxxp://qebdevik.cn
hxxp://xolkisok.cn
hxxp://kuqwuwok.cn
hxxp://gunwonuk.cn
hxxp://hewquvuk.cn
hxxp://gunbaqal.cn
hxxp://seysixal.cn
hxxp://zaymamel.cn
hxxp://weznohil.cn
hxxp://keczakil.cn
hxxp://wawberol.cn
hxxp://naftemul.cn
hxxp://sedbonam.cn
hxxp://velwapam.cn
hxxp://zinzutam.cn
hxxp://nudgixam.cn 
hxxp://mibpabem.cn
hxxp://yolbaqem.cn
hxxp://fogduqem.cn
hxxp://qawtotem.cn
hxxp://qalfusim.cn
hxxp://kocguwim.cn
hxxp://zishikom.cn
hxxp://kozpipom.cn
hxxp://loblahum.cn
hxxp://winbomum.cn
hxxp://jakmezum.cn
hxxp://taglolan.cn
hxxp://suznuwan.cn
hxxp://jekwazan.cn
hxxp://toxmijen.cn
hxxp://nikguzen.cn
hxxp://dedmewin.cn
hxxp://jebvuwun.cn
hxxp://tupsikap.cn
hxxp://dudsuzap.cn
hxxp://yessafep.cn
hxxp://danxenep.cn
hxxp://leklidip.cn
hxxp://duklimip.cn
hxxp://yevnurip.cn
hxxp://virrotip.cn
hxxp://lalyezop.cn
hxxp://jaztecup.cn
hxxp://gokbehup.cn
hxxp://cuqyirup.cn
hxxp://gajvizup.cn
hxxp://cahwikaq.cn
hxxp://xeqbelaq.cn
hxxp://xicbamaq.cn
hxxp://qofqoneq.cn
hxxp://givxuyeq.cn
hxxp://gonganiq.cn
hxxp://vijsoziq.cn
hxxp://bignijoq.cn
hxxp://jejroxoq.cn
hxxp://culfunuq.cn
hxxp://qevxayuq.cn
hxxp://merwosar.cn
hxxp://loxvafer.cn
hxxp://cawnamir.cn
hxxp://wocyorir.cn
hxxp://tokhador.cn
hxxp://yuznisor.cn
hxxp://vamtator.cn
hxxp://gojligur.cn
hxxp://vukqejur.cn
hxxp://fewxopur.cn
hxxp://wukwoxur.cn
hxxp://bavyoxur.cn
hxxp://jegdufas.cn
hxxp://rillefes.cn
hxxp://niwwages.cn
hxxp://comrames.cn
hxxp://rohfapes.cn
hxxp://lehredis.cn
hxxp://jepniwos.cn
hxxp://lexxedus.cn
hxxp://xuljuhus.cn
hxxp://levgepat.cn
hxxp://modhewet.cn
hxxp://kawlozet.cn
hxxp://bufsofit.cn
hxxp://gekloyit.cn
hxxp://tercifot.cn
hxxp://yughaqut.cn
hxxp://surfabav.cn
hxxp://yutbevav.cn
hxxp://mowvahev.cn
hxxp://tuwcexev.cn
hxxp://liqfimiv.cn
hxxp://pefxamuv.cn
hxxp://goqdexuv.cn
hxxp://fozlubaw.cn
hxxp://yuxcizaw.cn
hxxp://mevvubew.cn
hxxp://nuzzuhew.cn
hxxp://dibkicow.cn
hxxp://lobrakow.cn
hxxp://vuksirow.cn
hxxp://samnuvow.cn
hxxp://jizlotuw.cn
hxxp://buzgikax.cn
hxxp://jawcesax.cn
hxxp://qatvegex.cn
hxxp://gegfejex.cn
hxxp://cigxekex.cn
hxxp://kejjobox.cn
hxxp://yosbucox.cn
hxxp://kelmogox.cn
hxxp://jeqyuzox.cn
hxxp://jocxebux.cn
hxxp://tawcizux.cn
hxxp://kittokay.cn
hxxp://seryusay.cn
hxxp://nocbusey.cn
hxxp://semfihiy.cn
hxxp://xotgajiy.cn
hxxp://sarvujiy.cn
hxxp://gicmosiy.cn
hxxp://fulpaziy.cn
hxxp://cunzumoy.cn

Related malicious name servers known to have participated in the campaign:
hxxp://ns2.boostaroma.com - 110.52.6.252
hxxp://ns2.okultra.com
hxxp://ns2.swellfab.com
hxxp://ns2.shehead.com
hxxp://ns2.atbread.com
hxxp://ns2.treatglad.com
hxxp://ns2.plumbold.com
hxxp://ns2.callold.com
hxxp://up2.thicksend.com
hxxp://ns6.zestkind.com
hxxp://ns2.burnround.com
hxxp://ns2.witproud.com
hxxp://ns2.fizznice.com
hxxp://ns6.plusspice.com
hxxp://up2.humaneagree.com
hxxp://ns2.adorewee.com
hxxp://ns4.kindable.com
hxxp://ns2.prideable.com
hxxp://ns2.cuddlyhumble.com
hxxp://ns2.ablewhole.com
hxxp://ns2.quickwhole.com
hxxp://ns2.plumpwhole.com
hxxp://up2.begancome.com
hxxp://up2.sizeplane.com
hxxp://up2.colonytype.com
hxxp://ns6.prizeaware.com
hxxp://ns2.pridesure.com
hxxp://ns2.toophrase.com
hxxp://ns2.loyalrise.com
hxxp://up2.pathuse.com
hxxp://ns2.dimplechaste.com
hxxp://ns2.welltrue.com
hxxp://ns2.ziptrue.com
hxxp://ns2.silverwe.com
hxxp://ns2.calmprize.com
hxxp://ns2.firmrich.com
hxxp://ns2.activeinch.com
hxxp://ns2.cookmulti.com
hxxp://ns2.wellmoral.com
hxxp://ns2.peakswell.com
hxxp://ns2.posewill.com
hxxp://ns2.droolcool.com
hxxp://up2.cuddlypoem.com
hxxp://ns2.loyalcalm.com
hxxp://ns2.extolcalm.com
hxxp://ns2.radiothan.com
hxxp://up2.persontrain.com
hxxp://ns2.awardfun.com
hxxp://ns4.zealreap.com
hxxp://ns2.piousreap.com
hxxp://ns2.firstreap.com
hxxp://ns2.grandzap.com
hxxp://ns2.royalzap.com
hxxp://ns6.ablezip.com
hxxp://ns2.zapeager.com
hxxp://up2.blockfather.com
hxxp://ns2.breezycorner.com
hxxp://ns2.donewater.com
hxxp://ns2.listenflower.com
hxxp://ns2.dimplechair.com
hxxp://up2.yardcolor.com
hxxp://ns4.fizzleads.com
hxxp://up2.finestgrass.com
hxxp://ns2.prizebeats.com
hxxp://ns4.maxigreat.com
hxxp://ns2.flairtreat.com
hxxp://up2.tingleflat.com
hxxp://ns6.proudquiet.com
hxxp://ns2.morequiet.com
hxxp://ns2.droolplanet.com
hxxp://up2.giftedunit.com
hxxp://ns2.solarwit.com
hxxp://ns2.ropemeant.com
hxxp://ns2.paradiseobedient.com
hxxp://ns4.paradiseobedient.com
hxxp://up2.minealert.com
hxxp://ns4.spicyrest.com
hxxp://ns4.alertjust.com
hxxp://ns2.resttrust.com
hxxp://ns2.pagefew.com
hxxp://ns2.multiaglow.com
hxxp://ns2.objectallow.com
hxxp://ns2.alertwow.com
hxxp://ns2.alivejuicy.com
hxxp://ns2.restjuicy.com
hxxp://ns2.funcomfy.com
hxxp://ns2.solarcomfy.com
hxxp://ns2.prizetangy.com
hxxp://ns2.wholehappy.com
hxxp://ns2.prideeasy.com
hxxp://ns2.suddeneasy.com
hxxp://ns2.treatrosy.com
hxxp://ns2.earlytwenty.com

Related malicious domains known to have participated in the campaign:
hxxp://xiskizop.cn - 58.17.3.44; 60.191.239.189; 203.93.208.86 - hxxp://ns5.prizeaware.com; hxxp://ns1.grandzap.com; hxxp://ns3.alertjust.com

Related malicious domains known to have participated in the campaigns:
hxxp://xancefab.cn
hxxp://busgihab.cn
hxxp://putcojab.cn
hxxp://nizvonab.cn
hxxp://bulpapab.cn
hxxp://laztoqab.cn
hxxp://varsesab.cn
hxxp://pahdeheb.cn
hxxp://wiqponeb.cn
hxxp://rutfuseb.cn
hxxp://zacniyeb.cn
hxxp://beblelib.cn
hxxp://gahvosib.cn
hxxp://rigzowib.cn
hxxp://bacnaxib.cn
hxxp://pexyufob.cn
hxxp://sowgugob.cn
hxxp://buhbulob.cn
hxxp://ciybufub.cn
hxxp://xoddimub.cn
hxxp://nugtaqub.cn
hxxp://buvkuzub.cn
hxxp://fikqebac.cn
hxxp://pevremac.cn
hxxp://qokbasac.cn
hxxp://patmebec.cn
hxxp://kuntigec.cn
hxxp://jolcekec.cn
hxxp://wihjorec.cn
hxxp://fixruyec.cn
hxxp://gospozec.cn
hxxp://batrijic.cn
hxxp://rebzomic.cn
hxxp://loqrupic.cn
hxxp://diqhaqic.cn
hxxp://bohkoqic.cn
hxxp://beszesic.cn
hxxp://tuzhovic.cn
hxxp://hesyuvic.cn
hxxp://kovhewic.cn
hxxp://lufreyic.cn
hxxp://noxrazic.cn
hxxp://lefviboc.cn
hxxp://fodcuboc.cn
hxxp://pevhihoc.cn
hxxp://widlajoc.cn
hxxp://zocwoloc.cn
hxxp://janpupoc.cn
hxxp://mefbuqoc.cn
hxxp://hujqezoc.cn
hxxp://capjebuc.cn
hxxp://befqacuc.cn
hxxp://socjujuc.cn
hxxp://qivbiruc.cn
hxxp://tuxbaxuc.cn
hxxp://tidsuyuc.cn
hxxp://kapdacad.cn
hxxp://lagfagad.cn
hxxp://japtugad.cn
hxxp://bechumad.cn
hxxp://holceqad.cn
hxxp://bectusad.cn
hxxp://tabzuwad.cn
hxxp://rednezad.cn
hxxp://megzizad.cn
hxxp://forvafed.cn
hxxp://hojliged.cn
hxxp://fuxcexed.cn
hxxp://baxpuxed.cn
hxxp://lugjized.cn
hxxp://lewdozed.cn
hxxp://hiszedid.cn
hxxp://buyquhid.cn
hxxp://wovyokid.cn
hxxp://yojvimid.cn
hxxp://widxixid.cn
hxxp://yovxoxid.cn
hxxp://reywufod.cn
hxxp://hubzahod.cn
hxxp://qapzekod.cn
hxxp://falxalod.cn
hxxp://yiznunod.cn
hxxp://towqotod.cn
hxxp://loxlayod.cn
hxxp://rockozod.cn
hxxp://johmabud.cn
hxxp://muvyucud.cn
hxxp://vattehud.cn
hxxp://fuytejud.cn
hxxp://kenyilud.cn
hxxp://cibsarud.cn
hxxp://najsatud.cn
hxxp://xibwazud.cn
hxxp://laztafaf.cn
hxxp://piynosaf.cn
hxxp://yelpidef.cn
hxxp://yagtudef.cn
hxxp://levxifef.cn
hxxp://povxajef.cn
hxxp://hetbetef.cn
hxxp://hudvotef.cn
hxxp://hemfowef.cn
hxxp://coqvazef.cn
hxxp://yawhojif.cn
hxxp://muvcewif.cn
hxxp://xadgobof.cn
hxxp://baxwuhof.cn
hxxp://wijtekof.cn
hxxp://sknqikof.cn
hxxp://mussiqof.cn
hxxp://gegwasof.cn
hxxp://xangesof.cn
hxxp://wumdewof.cn
hxxp://hoqtayof.cn
hxxp://kiyvayof.cn
hxxp://cufdicuf.cn
hxxp://gotbucuf.cn
hxxp://gexzehuf.cn
hxxp://cepceluf.cn
hxxp://gepleluf.cn
hxxp://tefhosuf.cn
hxxp://xaqqivuf.cn
hxxp://wubfezuf.cn
hxxp://panrozuf.cn
hxxp://nadvofag.cn
hxxp://yawjehag.cn
hxxp://zeltimag.cn
hxxp://misgaqag.cn
hxxp://noxyaxag.cn
hxxp://sunluxag.cn
hxxp://bozhoceg.cn
hxxp://dawqefeg.cn
hxxp://locfemeg.cn
hxxp://mivlaneg.cn
hxxp://vaqxiseg.cn
hxxp://gesyateg.cn
hxxp://kumweteg.cn
hxxp://jefpaveg.cn
hxxp://lilyegig.cn
hxxp://janweqig.cn
hxxp://diwjusig.cn
hxxp://sohmiwig.cn
hxxp://rimmazig.cn
hxxp://tirpedog.cn
hxxp://jamguhog.cn
hxxp://bejfakog.cn
hxxp://bebyolog.cn
hxxp://kixmamog.cn
hxxp://tofyeqog.cn
hxxp://kojxuqog.cn
hxxp://puqtabug.cn
hxxp://suszibug.cn
hxxp://ciwracug.cn
hxxp://nahbugug.cn
hxxp://gaygokug.cn
hxxp://seygoqug.cn
hxxp://helqasug.cn
hxxp://tockesug.cn
hxxp://jipqevug.cn
hxxp://rewnowug.cn
hxxp://nazxefah.cn
hxxp://hofkagah.cn
hxxp://coszegah.cn
hxxp://vojyojah.cn
hxxp://nihwalah.cn
hxxp://yojzatah.cn
hxxp://buvsutah.cn
hxxp://hulgadeh.cn
hxxp://nibzofeh.cn
hxxp://xickeqeh.cn
hxxp://kapmereh.cn
hxxp://regyaveh.cn
hxxp://lizpazeh.cn
hxxp://lujpobih.cn
hxxp://xozyecih.cn
hxxp://telhetih.cn
hxxp://dussadoh.cn
hxxp://lerbenoh.cn
hxxp://yokveqoh.cn
hxxp://hafgoqoh.cn
hxxp://gagkiroh.cn
hxxp://teftebuh.cn
hxxp://fitsofuh.cn
hxxp://ziwvomuh.cn
hxxp://fazlenuh.cn
hxxp://gazkinuh.cn
hxxp://dutmivuh.cn
hxxp://zukdayuh.cn
hxxp://busgayuh.cn
hxxp://nohpobaj.cn
hxxp://qusdumaj.cn
hxxp://wizdaqaj.cn
hxxp://wuwbeqaj.cn
hxxp://girzidej.cn
hxxp://vespifej.cn
hxxp://ceszegej.cn
hxxp://juqbumej.cn
hxxp://xuxmanej.cn

Related malicious name servers known to have participated in the campaign:
hxxp://ns1.quvzipda.com - 193.165.209.3
hxxp://ns1.syquskezaja.com
hxxp://ns1.mnysiwugpa.com
hxxp://ns1.uzfayxlob.com
hxxp://ns1.umkeihfub.com
hxxp://ns1.diethealthworld.com
hxxp://ns2.diethealthworld.com
hxxp://ns1.pillshopstore.com
hxxp://ns2.pillshopstore.com
hxxp://ns1.ixcopvudeg.com
hxxp://ns1.cuzatpih.com
hxxp://ns1.fondukoiwi.com
hxxp://ns1.zevmyxhyhl.com
hxxp://ns1.pecsletoil.com
hxxp://ns1.havputviwl.com
hxxp://ns1.icuhzapyl.com
hxxp://ns1.ollectimon.com
hxxp://ns1.calpuwhup.com
hxxp://ns1.miacohder.com
hxxp://ns1.rjycbaswes.com
hxxp://ns1.tlyldihkis.com
hxxp://ns2.bestfreepills.com
hxxp://ns2.storehealthpills.com
hxxp://ns1.medspillsdiscounts.com
hxxp://ns1.ribormolu.com
hxxp://ns1.sluxjagvyw.com
hxxp://ns1.marttabletsrx.com
hxxp://ns1.zirremeaby.com
hxxp://ns1.xioduvvejy.com
hxxp://ns1.tmypheatvy.com
hxxp://ns1.zurmeigguz.com
hxxp://ns1.pendyxconvam.net
hxxp://ns1.mevkybmomu.net
hxxp://ns1.wutvymnu.net
hxxp://ns1.atquackephix.net
hxxp://ns1.gneqwyapuz.net
hxxp://ns1.az6.ru
hxxp://ns1.compmegastore.ru
hxxp://ns1.wearcompstore.ru
hxxp://ns1.compnetstore.ru
hxxp://ns1.seaportative.ru
hxxp://ns1.webshopmag.ru
hxxp://ns2.webshopmag.ru
hxxp://ns1.markettradersmag.ru
hxxp://ns1.storeonlinecomp.ru
hxxp://ns1.livingmagcomp.ru
hxxp://ns1.magcompdirect.ru
hxxp://ns1.storemycompdirect.ru

Related malicious domains known to have participated in the campaigns:
hxxp://hyuljavmyca.com - 212.174.200.111
hxxp://rjiofnida.com
hxxp://lubetokbufa.com
hxxp://homhylvega.com
hxxp://syquskezaja.com
hxxp://kriwmikib.com
hxxp://rhuwcugniob.com
hxxp://fonrasetlid.com
hxxp://rycnyrfikre.com
hxxp://tonlijwe.com
hxxp://mefcyqwef.com
hxxp://lorcowurayf.com
hxxp://ubeuhroqug.com
hxxp://fadjybzih.com
hxxp://ghaknikfehi.com
hxxp://ksoknadsi.com
hxxp://fondukoiwi.com
hxxp://reixvyklick.com
hxxp://qworjulnenk.com
hxxp://svozquzrel.com
hxxp://pecsletoil.com
hxxp://havputviwl.com
hxxp://pendyxconvam.com
hxxp://whapzintaon.com
hxxp://ollectimon.com
hxxp://japyebawn.com
hxxp://xovtemfajo.com
hxxp://shymumoufjo.com
hxxp://calpuwhup.com
hxxp://iescehqucr.com
hxxp://thepillcorner.com
hxxp://kvirincyofr.com
hxxp://iecoqwecs.com

hxxp://syquskezaja.com - 200.204.57.187
hxxp://cuzatpih.com
hxxp://ollectimon.com
hxxp://sluxjagvyw.com
hxxp://xioduvvejy.com
hxxp://nravsaelvi.net
hxxp://pendyxconvam.net
hxxp://mevkybmomu.net
hxxp://atquackephix.net
hxxp://gneqwyapuz.net

Related malicious domains known to have participated in the campaign:
hxxp://tovpuveb.cn
hxxp://risregib.cn
hxxp://sapwopub.cn
hxxp://kutwuzub.cn
hxxp://dijmigac.cn
hxxp://davzunic.cn
hxxp://cuwlicoc.cn
hxxp://hinkizad.cn
hxxp://tiwkicid.cn
hxxp://giddehid.cn
hxxp://qehmujid.cn
hxxp://jadyoxid.cn
hxxp://yipxakud.cn
hxxp://qophepud.cn
hxxp://nawfusud.cn
hxxp://xohpebaf.cn
hxxp://yilqobaf.cn
hxxp://gelkinef.cn
hxxp://zigconef.cn
hxxp://vasgotef.cn
hxxp://gitmufif.cn
hxxp://pujxatof.cn
hxxp://tagcafuf.cn
hxxp://joywehuf.cn
hxxp://xoggunuf.cn
hxxp://pezpipuf.cn
hxxp://gugfequf.cn
hxxp://kattowuf.cn
hxxp://rosmicag.cn
hxxp://nagnuteg.cn
hxxp://fohjedig.cn
hxxp://hijderig.cn
hxxp://dittomog.cn
hxxp://zubwefah.cn
hxxp://fodpohah.cn
hxxp://sehviwah.cn
hxxp://hifkuneh.cn
hxxp://bidfecih.cn
hxxp://wuxmulih.cn
hxxp://beqwacoh.cn
hxxp://qukvimoh.cn
hxxp://vasxavoh.cn
hxxp://salxaxoh.cn
hxxp://labyocaj.cn
hxxp://zigxadij.cn
hxxp://hixkanij.cn
hxxp://zixkitoj.cn
hxxp://zijzoguj.cn
hxxp://yiwzuluj.cn
hxxp://survuruj.cn
hxxp://feftuqak.cn
hxxp://ziscawak.cn
hxxp://wacpowek.cn
hxxp://segjinuk.cn
hxxp://viqfizuk.cn
hxxp://qawgegal.cn
hxxp://loqfogal.cn
hxxp://sihwohal.cn
hxxp://babtakal.cn
hxxp://nagnemel.cn
hxxp://ribwegil.cn
hxxp://watpiyil.cn
hxxp://goxmabul.cn
hxxp://siwkecul.cn
hxxp://selzimul.cn
hxxp://qakwivul.cn
hxxp://bedvuyul.cn
hxxp://fiddozul.cn
hxxp://joldokim.cn
hxxp://foztokim.cn
hxxp://woklahum.cn
hxxp://gavsanum.cn
hxxp://kejrupum.cn
hxxp://hagjatum.cn
hxxp://xumfuzum.cn
hxxp://mafcocan.cn
hxxp://geqkedan.cn
hxxp://fumhasan.cn
hxxp://zosqinen.cn
hxxp://nonzinen.cn
hxxp://tahyedin.cn
hxxp://niyyurin.cn
hxxp://wokmison.cn
hxxp://nekmerun.cn
hxxp://gebzevun.cn
hxxp://dizxohap.cn
hxxp://wirzovap.cn
hxxp://cobyizip.cn
hxxp://sokwimop.cn
hxxp://digjipop.cn
hxxp://qagtohup.cn
hxxp://wodkepaq.cn
hxxp://kuqqavaq.cn
hxxp://vogyafeq.cn
hxxp://qokyaziq.cn
hxxp://gelmaloq.cn
hxxp://rikxeduq.cn
hxxp://mifzoyuq.cn
hxxp://jitmekar.cn
hxxp://zedbeper.cn
hxxp://qoyrifir.cn
hxxp://rerbogir.cn
hxxp://nexyutir.cn
hxxp://yuvwobor.cn
hxxp://raddijor.cn
hxxp://rehciror.cn
hxxp://jowqasor.cn
hxxp://wotrisor.cn
hxxp://tinselur.cn
hxxp://sacvakes.cn
hxxp://xonlefis.cn
hxxp://sehwukos.cn
hxxp://torxupos.cn
hxxp://yujzidus.cn
hxxp://dejzezat.cn
hxxp://gunjivet.cn
hxxp://hecfocav.cn
hxxp://yuxdiqav.cn
hxxp://guysogiv.cn
hxxp://tebziniv.cn
hxxp://dedsupov.cn
hxxp://genwsxov.cn
hxxp://xaycozuv.cn
hxxp://fojgoraw.cn
hxxp://suwsozaw.cn
hxxp://hudwuhew.cn
hxxp://momzuhew.cn
hxxp://pibwokiw.cn
hxxp://lacfimiw.cn
hxxp://jubduriw.cn
hxxp://talcuviw.cn
hxxp://xavgubow.cn
hxxp://zovcofow.cn
hxxp://qopzubax.cn
hxxp://dogqodax.cn
hxxp://jimjakax.cn
hxxp://ricnafex.cn
hxxp://nadlewex.cn
hxxp://mokcegox.cn
hxxp://getkixox.cn
hxxp://wucpulux.cn
hxxp://dalpobay.cn
hxxp://refhagay.cn
hxxp://jusyadey.cn
hxxp://reqpijey.cn
hxxp://vebzaqiy.cn
hxxp://sejtogoy.cn
hxxp://yecnaquy.cn
hxxp://xufguyuy.cn
hxxp://puktunaz.cn
hxxp://zaztuvaz.cn
hxxp://sixbufiz.cn
hxxp://nofdowiz.cn
hxxp://cuvxoqoz.cn
hxxp://yugkiwuz.cn

Related malicious domains known to have participated in the campaign:
hxxp://columnultra.com - 58.17.3.41
hxxp://milkhold.com
hxxp://eagerboard.com
hxxp://yesonlynoun.com
hxxp://differdo.com
hxxp://seemlykeep.com
hxxp://seemnear.com
hxxp://modernbut.com

Related malicious domains known to have participated in the campaign:
hxxp://litgukab.cn
hxxp://xojyupab.cn
hxxp://ritlarab.cn
hxxp://qeqyukeb.cn
hxxp://fedpijib.cn
hxxp://xumlodob.cn
hxxp://kozgewob.cn
hxxp://fajnahec.cn
hxxp://nedsicic.cn
hxxp://hertuqic.cn
hxxp://linrudoc.cn
hxxp://gilqufuc.cn
hxxp://lijwituc.cn
hxxp://loqbaxuc.cn
hxxp://camxezuc.cn
hxxp://foyxolad.cn
hxxp://bapvusad.cn
hxxp://wokmeyad.cn
hxxp://yizqosed.cn
hxxp://vivwiwef.cn
hxxp://percaqof.cn
hxxp://cepceluf.cn
hxxp://paqhizuf.cn
hxxp://vorvivag.cn
hxxp://maynixeg.cn
hxxp://mujyumig.cn
hxxp://coyrekog.cn
hxxp://xetvetih.cn
hxxp://mugyujuh.cn
hxxp://supsizuh.cn
hxxp://bixtakaj.cn
hxxp://lanmixej.cn
hxxp://worxezej.cn
hxxp://tikgepij.cn
hxxp://yatsanak.cn
hxxp://tucgosak.cn
hxxp://hihnuwak.cn
hxxp://qilfadek.cn
hxxp://zibsitik.cn
hxxp://xetmojok.cn
hxxp://yelsecuk.cn
hxxp://confowuk.cn
hxxp://pozzoxuk.cn
hxxp://savhixal.cn
hxxp://nudtaqel.cn
hxxp://keptavol.cn
hxxp://berqufam.cn
hxxp://wuqrulam.cn
hxxp://goftiwam.cn
hxxp://vowcajem.cn
hxxp://rizfinim.cn
hxxp://jetgekom.cn
hxxp://letjucun.cn
hxxp://wivwiqap.cn
hxxp://duccesap.cn
hxxp://zamyisap.cn
hxxp://ranpovep.cn
hxxp://kucdawep.cn
hxxp://limjapip.cn
hxxp://ciggecop.cn
hxxp://ziybelop.cn
hxxp://yakquyeq.cn
hxxp://borremiq.cn
hxxp://vuzwesuq.cn
hxxp://rosvocor.cn
hxxp://hakdugas.cn
hxxp://kabmebes.cn
hxxp://purhuves.cn
hxxp://gopmocis.cn
hxxp://cabziqis.cn
hxxp://pomzonos.cn
hxxp://zojvapus.cn
hxxp://nobfemat.cn
hxxp://ritcubav.cn
hxxp://bibbikev.cn
hxxp://daslulev.cn
hxxp://naczoduv.cn
hxxp://betjoqiw.cn
hxxp://yoqlamow.cn
hxxp://jawjeqow.cn
hxxp://zijmivuw.cn
hxxp://dupqozuw.cn
hxxp://fatnudax.cn
hxxp://defrogax.cn
hxxp://kalyahax.cn
hxxp://toztipax.cn
hxxp://gecfopax.cn
hxxp://wuqzubex.cn
hxxp://hexpadix.cn
hxxp://luhnukox.cn
hxxp://vecbibey.cn
hxxp://dimgecey.cn
hxxp://fammuvey.cn
hxxp://zepfabiy.cn
hxxp://gewvamiy.cn
hxxp://pekzariy.cn
hxxp://pixkinaz.cn
hxxp://mecqulez.cn
hxxp://yubreliz.cn
hxxp://juvmeriz.cn
hxxp://mafcixiz.cn
hxxp://butlezoz.cn
hxxp://xisqapuz.cn
hxxp://jihkohab.cn
hxxp://litgukab.cn
hxxp://xojyupab.cn
hxxp://ritlarab.cn
hxxp://qancabeb.cn
hxxp://xaqkabeb.cn
hxxp://qeqyukeb.cn
hxxp://bobhoneb.cn
hxxp://fedpijib.cn
hxxp://kozgewob.cn
hxxp://mirlacub.cn
hxxp://jokrogub.cn
hxxp://qupbihac.cn
hxxp://viqnijac.cn
hxxp://bucdawac.cn
hxxp://latzoyac.cn
hxxp://ferkogec.cn
hxxp://qujqugec.cn
hxxp://fajnahec.cn
hxxp://saybilec.cn
hxxp://yaxxosec.cn
hxxp://nedsicic.cn
hxxp://cimhijic.cn
hxxp://hertuqic.cn
hxxp://linrudoc.cn
hxxp://mahhekoc.cn
hxxp://pegvijuc.cn
hxxp://camxezuc.cn
hxxp://kossehad.cn
hxxp://bapvusad.cn
hxxp://coffebed.cn
hxxp://xadjeqid.cn
hxxp://pehxarid.cn
hxxp://maknohod.cn
hxxp://yujhaqod.cn
hxxp://vevteyod.cn
hxxp://rinmumud.cn
hxxp://xuldeyud.cn
hxxp://fedrujaf.cn
hxxp://nugnosaf.cn
hxxp://koxpelef.cn
hxxp://tecyatef.cn
hxxp://hemfowef.cn
hxxp://pavlegif.cn
hxxp://percaqof.cn
hxxp://sizkeyof.cn
hxxp://zugkucuf.cn
hxxp://rijhuhuf.cn
hxxp://cepceluf.cn
hxxp://paqhizuf.cn
hxxp://xowjicag.cn
hxxp://dofpalag.cn
hxxp://hujrulag.cn
hxxp://maxtayag.cn
hxxp://qekvoceg.cn
hxxp://vazwureg.cn
hxxp://pilpuweg.cn
hxxp://wedruweg.cn
hxxp://cexkezeg.cn
hxxp://mujyumig.cn
hxxp://wintabog.cn
hxxp://nuzmohog.cn
hxxp://coyrekog.cn
hxxp://tubvuxog.cn
hxxp://zavdahug.cn
hxxp://yukpikug.cn
hxxp://muwsikeh.cn
hxxp://pecculeh.cn
hxxp://rafniteh.cn
hxxp://nukfijih.cn
hxxp://xetvetih.cn
hxxp://tikbacoh.cn
hxxp://zikwufuh.cn
hxxp://mugyujuh.cn
hxxp://hijbumuh.cn
hxxp://wubxayuh.cn
hxxp://quntoyuh.cn
hxxp://supsizuh.cn
hxxp://techegaj.cn
hxxp://bixtakaj.cn
hxxp://wuwbeqaj.cn
hxxp://caqhiqaj.cn
hxxp://lijzarej.cn
hxxp://lanmixej.cn
hxxp://jutzuzej.cn
hxxp://betkawij.cn
hxxp://mumrojoj.cn
hxxp://wulkukoj.cn
hxxp://selqetuj.cn
hxxp://zuvbowuj.cn
hxxp://sevpohak.cn
hxxp://qusvilak.cn
hxxp://qowrirak.cn
hxxp://tucgosak.cn
hxxp://bajhukek.cn
hxxp://qeyzecik.cn
hxxp://pijridik.cn
hxxp://yecgajik.cn
hxxp://tovboqik.cn
hxxp://sirrotik.cn
hxxp://pomzexik.cn
hxxp://nopvafok.cn
hxxp://xetmojok.cn
hxxp://fuqzuxok.cn
hxxp://xajkimuk.cn
hxxp://confowuk.cn
hxxp://pozzoxuk.cn
hxxp://vufmikal.cn
hxxp://korkusal.cn
hxxp://yasdaxal.cn
hxxp://nibnupel.cn
hxxp://nudtaqel.cn
hxxp://zivwirel.cn
hxxp://facjacil.cn
hxxp://qaqdidil.cn
hxxp://zirmidil.cn
hxxp://pivteqil.cn
hxxp://mutzomol.cn
hxxp://bahfosol.cn
hxxp://kajvatol.cn
hxxp://keptavol.cn
hxxp://mevvuqul.cn
hxxp://berqufam.cn
hxxp://zihwujam.cn
hxxp://jormofem.cn
hxxp://vowcajem.cn
hxxp://yawyibim.cn
hxxp://mibyumim.cn
hxxp://pabfakom.cn
hxxp://jetgekom.cn
hxxp://xolkizom.cn
hxxp://mujsikum.cn
hxxp://moynukan.cn
hxxp://ranfelan.cn
hxxp://kayjamen.cn
hxxp://kudcedon.cn
hxxp://getwison.cn
hxxp://givjivon.cn
hxxp://faykirun.cn
hxxp://zebxaxun.cn
hxxp://coclecap.cn
hxxp://texnipap.cn
hxxp://humyipap.cn
hxxp://duccesap.cn
hxxp://zamyisap.cn
hxxp://lunyicep.cn
hxxp://ranpovep.cn
hxxp://yifkebip.cn
hxxp://yiryemip.cn
hxxp://mowmoqip.cn
hxxp://wozhihop.cn
hxxp://mefrexop.cn
hxxp://qidyubup.cn
hxxp://qidjohup.cn
hxxp://lotjolup.cn
hxxp://dirdotup.cn
hxxp://memqowaq.cn
hxxp://civvufeq.cn
hxxp://bobfiliq.cn
hxxp://borremiq.cn
hxxp://singuroq.cn
hxxp://qudjuvoq.cn
hxxp://vuzwesuq.cn
hxxp://nuvmotuq.cn
hxxp://zohcidar.cn
hxxp://rentumar.cn
hxxp://fipzaqar.cn
hxxp://siqcatar.cn
hxxp://sagvitar.cn
hxxp://luqsiger.cn
hxxp://zuyxewer.cn
hxxp://jagnuyer.cn
hxxp://ruhbulir.cn
hxxp://sityeyir.cn
hxxp://rosvocor.cn
hxxp://julxapor.cn
hxxp://rixlupur.cn
hxxp://jutfisur.cn
hxxp://fabmotur.cn
hxxp://bukpuzur.cn
hxxp://pozsigas.cn
hxxp://hakdugas.cn
hxxp://lokzihas.cn
hxxp://mukkebes.cn
hxxp://mijpedes.cn
hxxp://conzakes.cn
hxxp://fodbemes.cn
hxxp://maqpumes.cn
hxxp://purhuves.cn
hxxp://hohgibis.cn
hxxp://kezyubis.cn
hxxp://gopmocis.cn
hxxp://soqsedis.cn
hxxp://defdoris.cn
hxxp://pomzonos.cn
hxxp://lanhovus.cn

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2010 and I've recently came across to a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have participated in the campaign:
hxxp://globals-advers.com
hxxp://alldiskscheck300.com
hxxp://multisearch1.com
hxxp://myfreespace3.com
hxxp://hottystars.com
hxxp://multilang1.com
hxxp://3gigabytes.com
hxxp://drivemedirect.com
hxxp://globala2.com
hxxp://teledisons.com
hxxp://theworldnews5.com
hxxp://virtualblog5.com
hxxp://grander5.com
hxxp://5starsblog.com
hxxp://globalreds.com
hxxp://global-advers.com
hxxp://ratemyblog1.com
hxxp://greatvideo3.com
hxxp://beginner2009.com
hxxp://fastwebway.com
hxxp://blazervips.com
hxxp://begin2009.com
hxxp://megatradetds0.com
hxxp://securedonlinewebspace.com
hxxp://proweb-info.com
hxxp://security-www-clicks.com
hxxp://updatedownloadlists.com
hxxp://styleonlyclicks.cn
hxxp://informationgohere.com
hxxp://world-click-service.com
hxxp://secutitypowerclicks.cn
hxxp://securedclickuser.cn/
hxxp://slickoverview.com
hxxp://viewyourclicks.com
hxxp://clickwww2.com
hxxp://clickadsystem.com
hxxp://becomepoweruser.cn
hxxp://clickoverridesystem.cn

Related malicious domains known to have participated in the campaign:
hxxp://protecteduser.cn
hxxp://internetprotectedweb.com/
hxxp://clicksadssystems.com
hxxp://whereismyclick.cn
hxxp://trustourclicks.cn
hxxp://goldenstarclick.cn
hxxp://defendedsystemuser.cn

Related malicious domains known to have participated in the campaign:
hxxp://drivemedirect.com
hxxp://virtualblog5.com
hxxp://fastwebway.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2010 and I've recently intercepted a currently active malicious and fraudulent blakchat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns.

In this post I'll profile the infrastructure behind the campaign and provide actionable intelligence on the infrastructure behind it.

Sample URL redirection chain:
hxxp://noticexsummary.com/re.php?lnk=1203597664 - 87.255.55.231
- hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677 - 66.207.172.196
= hxxps://secure-signupway.com/promo/join.aspx?siteid=3388

Related malicious domains known to have participated in the campaign:
hxxp://noticexsummary.com/

Related malicious domains known to have participated in the campaign:
hxxp://online-tv-on-your-pc.com/p2/index.asp?aff=11680&camp=unsub

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another diverse portfolio of blackhat SEO domains this time serving rogue security software also known as scareware to unsuspecting users with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type of revenue sharing scheme.

In this post I'll profile the infrastructure behind the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://arnalduatis.com
hxxp://batistaluciano.com
hxxp://bethemedia.net
hxxp://bride-beautiful.com
hxxp://burgessandsons.com
hxxp://carolinacane.com
hxxp://caulfieldband.com
hxxp://improvenewark.com
hxxp://marsmellow.info
hxxp://noodlesonline.com
hxxp://queenslumber.com
hxxp://thesolidwoodflooringcompany.com
hxxp://wirelessexpertise.com
hxxp://bigbangexpress.com
hxxp://bioresonantie.net
hxxp://clubipg.com
hxxp://djdior.com
hxxp://djektoyz.com
hxxp://getraenkepool.com
hxxp://hartmanpescar.com
hxxp://hetkaashuis.com
hxxp://menno.info
hxxp://pianoaccompanistcompetition.com
hxxp://soundwitness.org
hxxp:/strijkvrij.com

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Profiling a Portfolio of Active 419-Themed Scams

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams in particular the actual malicious actors behind the campaigns with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns.

Related malicious and fraudulent emails known to have participated in the campaign:
david_ikemba@supereme-loan-finance.com - 96.24.14.4
charles.maynard1@gmx.com - 218.31.134.111
mr.karimahmed2004@msn.com - 41.203.231.82
fedexdelivryservices@yahoo.com.hk - 89.187.142.72
chevrondisbursement@hotmail.com - 41.138.182.245
mrslindahilldesk00000@hotmail.co.uk - 41.138.188.45
natt.westt@live.com - 115.242.40.142
google11anniversary2010@live.com - 115.240.21.112
barjamessmith@qatar.io - 115.242.94.153
delata_ecobank@web2mail.com - 202.58.64.18
junhuan9@yahoo.cn - 68.190.243.51
fairlandindustryltd@mail.ru - 41.138.190.213
shkhougal@aol.com - 80.35.222.9
jamestimeswel@rogers.com - 203.170.192.4
alimubarakhm@hotmail.com - 115.134.5.245
godwinemefiele2010@hotmail.com - 41.211.229.65
skyebankplclagosnigera@gmail.com, skyebankplclagosnigera@zapak.com - 41.138.178.241
contact.alcchmb@sify.com - 116.206.153.50
officelottery94@yahoo.com.hk - 124.122.145.226
kadamluk@live.com - 41.217.65.14
garycarsonuk@w.cn - 220.225.213.221
stella_willson48@yahoo.co.uk - 82.196.5.120
trustlink@w.cn - 87.118.82.8
george201009@hotmail.com - 59.120.137.197
drmannsurmuhtarrr_155@yahoo.cn, mrstreasurecollinnsss@gmail.com - 82.114.78.222

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

It's 2010 and I've recently came across to a diverse portfolio of fake security software also known as scareware courtesy of the Koobface gang in what appears to be a direct connection between the gang's activities and the Russian Business Network.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind including the direction establishment of a direct connection between the gang's activities and a well-known Russian Business Network customer.

Related malicious domains known to have participated in the campaign:
hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166

Once executed a sample malware (MD5: eedac4719229a499b3118f87f32fae35) phones back to the following malicious C&C server IPs:
hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com

Known domains known to have responded to the same malicious C&C server IPs:
hxxp://aahsdvsynrrmwnbmpklb.cn
hxxp://dlukhonqzidfpphkbjpb.cn
hxxp://barykcpveiwsgexkitsg.cn
hxxp://bfichgfqjqrtkwrsegoj.cn
hxxp://dhbomnljzgiardzlzvkp.cn

Once executed a sample malware phones back to the following malicious C&C service IPs:
hxxp://xmiueftbmemblatlwsrj.cn
hxxp://urodinam.net - which is a well known Koobface 1.0 C&C server domain IP also seen in the "Mass DreamHost Sites Compromise" exclusively profiled in this post.
hxxp://xmiueftbmemblatlwsrj.cn

Once executed a sample malware MD5: 66dc85ad06e4595588395b2300762660; MD5: 91944c3ae4a64c478bfba94e9e05b4c5 phones back to the following malicious C&C server IPs:
hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - seen and observed in related analysis regarding the mass Embassy Web site compromise throughout 2007 and 2009.

Successfully dropping the following malicious Koobface MD5 hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe

Related malicious MD5s (MD known to have participated in the campaign:
MD5: 66dc85ad06e4595588395b2300762660
MD5: 8282ea8e92f40ee13ab716daf2430145

Once executed a sample malware phones back to the following malicious C&C server IPs:
hxxp://tehnocentr.chita.ru/.sys
hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild - Part Two

It's 2008 and I've recently came across to a massive black hat SEO campaign successfully enticing users into falling victim into fraudulent and malicious scareware-serving campaign. In this post I'll provide actionable intelligence on the infrastructure behind it.

Related malicious domains and redirectors known to have participated in the campaign:
hxxp://msh-co.com
hxxp://incubatedesign.com
hxxp://incubatedesign.com
hxxp://lancemissionart.com
hxxp://audioboxstudios.com
hxxp://hwhitecustomhomes.com
hxxp://indobestroof.com
hxxp://in-prague.com
hxxp://hvmpglobalconsulting.com
hxxp://indierthanthou.com
hxxp://huckleberryroad.com
hxxp://indiepoprockhop.com
hxxp://indianfriends.org
hxxp://hwhitecustomhomes.com
hxxp://husuzem.com
hxxp://husuzem.com
hxxp://seankobuk.com
hxxp://in-led.net
hxxp://pellaiowahomes.com
hxxp://i-leadzsite.com
hxxp://seankobuk.com
hxxp://i4z.com
hxxp://in-prague.com
hxxp://tmnttoys.com
hxxp://hulshizer.com
hxxp://audioboxstudios.com
hxxp://msh-co.com
hxxp://i-leadzsite.com
hxxp://hulshizer.com
hxxp://msh-co.com
hxxp://indierthanthou.com
hxxp://neighborhoodnursingcare.com
hxxp://i4004.net
hxxp://ndiepoprockhop.com
hxxp://pugzor.net
hxxp://indiepoprockhop.com
hxxp://in-turkey.info
hxxp://hwhitecustomhomes.com
hxxp://salsaspice.com
hxxp://calidogrocks.com
hxxp://incubatedesign.com
hxxp://iac-tokyo.org
hxxp://huckleberryroad.com
hxxp://in-prague.com
hxxp://hulshizer.com
hxxp://neighborhoodnursingcare.com
hxxp://indigo.earthman.ca
hxxp://backyardcreations.org
hxxp://uraband.com
hxxp://huckleberryroad.com
hxxp://indobestroof.com
hxxp://indiepoprockhop.com
hxxp://iac-tokyo.org
hxxp://indiansexhq.com
hxxp://calidogrocks.com
hxxp://the-flooring-connection.com
hxxp://pugzor.net
hxxp://the-flooring-connection.com
hxxp://in-prague.com
hxxp://iac-tokyo.org
hxxp://humordehoy.com
hxxp://msh-co.com
hxxp://pellaiowahomes.com
hxxp://salsaspice.com
hxxp://lancemissionart.com
hxxp://incubatedesign.com
hxxp://iac-tokyo.org
hxxp://tmnttoys.com
hxxp://in-prague.com
hxxp://backyardcreations.org
hxxp://the-flooring-connection.com
hxxp://sasm.net
hxxp://indefenseof.com
hxxp://uraband.com
hxxp://i-need-a-websitedesigned.com
hxxp://hwhitecustomhomes.com
hxxp://scottiesautobody.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS