Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits

According to security researchers the Gumblar botnet is making a comeback successfully affecting thousands of users globally potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious client-side exploits serving domains further dropping malicious software on the affected hosts.

In this post we'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the campaign:
hxxp://ncenterpanel.cn/php/unv3.php
hxxp://ncenterpanel.cn/php/p31.php

Related malicious MD5s known to have participated in the campaign:
MD5: 3f5b905c86d4dcaab9c86eddff1e02c7

MD5: 61461d9c9c1954193e5e0d4148a81a0c
MD5: 65cd1da3d4cc0616b4a0d4a862a865a6
MD5: 7de29e5e10adc5d90296785c89aeabce

Sample URL redirection chain:
hxxp://gumblar.cn/rss/?id - 71.6.202.216 - Email: cuitiankai@googlemail.comi
hxxp://gumblar.cn/rss/?id=2
hxxp://gumblar.cn/rss/?id=3

Related malicious domains known to have participated in the campaign:
hxxp://martuz.cn - 95.129.145.58

With Gumblar making a come-back it's becoming evident that cybercriminals continuing utilizing the usual set of malicious and fraudulent tactics for the purpose of spreading malicious software and affecting hundreds of thousands of legitimate Web sites in a cost-effective and efficient way.

We'll continue monitoring the campaign and post updates and post updates as soon as new developments take place.