Saturday, October 20, 2018

Historical OSINT - Massive Scareware Dropping Campaign Spotted in the Wild

It's 2008 and I've recently spotted a currently circulating malicious and fraudulent scareware-serving domain portfolio. In this post I'll expose it with the idea of sharing actionable threat intelligence with the security community, further exposing and undermining the cybercrime ecosystem as we know it, and empowering security researchers and third-party vendors with the data they need to stay ahead of current and emerging threats.

Related malicious domains known to have participated in the campaign:
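The portfolio is built from a handful of lure words plus a numeric slot (antivirus200scanner, av-scanner300, net-02antivirus), which is the property a defender can hunt on. The following Python is an added example, not code from the original post: it clusters a domain feed by that template so newly observed members of the same family can be flagged. The sample feed, the lure-word list and the naive TLD handling are constructed assumptions.

```python
import re
from collections import defaultdict

# Lure words the scareware portfolio assembles its names from (assumption:
# taken from the naming seen in the post; extend for other families).
LURE_TERMS = ("antivirus", "antispy", "spyware", "virus", "scan")

# Constructed sample feed: a few names from the portfolio in the post's
# defanged hxxp:// notation, mixed with unrelated names the clustering
# should leave alone.
SAMPLE_FEED = [
    "hxxp://antivirus200scanner.com",
    "hxxp://antivirus600scanner.com",
    "hxxp://antivirus900scanner.com",
    "hxxp://av-scanner200.com",
    "hxxp://av-scanner300.com",
    "hxxp://av-scanner400.com",
    "hxxp://stopvirus-scan11.com",
    "hxxp://stopvirus-scan13.com",
    "hxxp://stopvirus-scan33.com",
    "hxxp://net001antivirus.com",
    "hxxp://net-02antivirus.com",
    "hxxp://net222antivirus.com",
    "example.org",
    "web2.example-shop.com",
    "news24.example.net",
]


def refang(indicator):
    """Turn a defanged indicator such as 'hxxp://host/path' into a bare hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    return s.split("/", 1)[0]


def template_of(host):
    """Family template: drop the TLD, strip hyphens, collapse digit runs to '#'.
    'net001antivirus.com' and 'net-02antivirus.com' both become 'net#antivirus'.
    Assumption: the last label is the TLD (no public-suffix list is consulted)."""
    labels = host.lower().split(".")
    if len(labels) > 1:
        labels = labels[:-1]
    return re.sub(r"\d+", "#", ".".join(labels).replace("-", ""))


def cluster_by_template(feed):
    """Group the hostnames of a feed by their family template."""
    families = defaultdict(list)
    for item in feed:
        host = refang(item)
        families[template_of(host)].append(host)
    return {tpl: sorted(hosts) for tpl, hosts in families.items()}


def suspicious_families(feed, min_size=2):
    """Templates with a numeric slot, a lure word and at least min_size members:
    the shape of the portfolio above, where one template yields dozens of names."""
    flagged = {}
    for tpl, hosts in cluster_by_template(feed).items():
        if len(hosts) >= min_size and "#" in tpl and any(w in tpl for w in LURE_TERMS):
            flagged[tpl] = hosts
    return flagged


def matches_known_family(indicator, families):
    """Check a newly observed name against families already flagged."""
    return template_of(refang(indicator)) in families


if __name__ == "__main__":
    for tpl, hosts in suspicious_families(SAMPLE_FEED).items():
        print(f"{tpl:20s} {len(hosts)} members: {', '.join(hosts)}")
```

Run the flagged templates against a newly-registered-domains feed rather than the static list: a fresh av-scanner700.com lands in the avscanner# family without any exact-match indicator.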

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang, actively serving fake security software (also known as scareware) to a variety of users. The majority of the malicious software is conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP, which successfully hosts a diverse portfolio of fake security software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malware known to have participated in the campaign:
installer.1.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; Mal/FakeAV-CQ - Result: 9/40 (22.50%)

Related malicious phone-back C&C server locations:
hxxp://av-plusonline.org/install/avplus.dll
hxxp://av-plusonline.org/cb/real.php?id=

Related malicious MD5s known to have participated in the campaign:
avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Result: 6/39 (15.39%)

It gets even more interesting, as hxxp://fast-payments.com - 91.188.59.27 is parked within the Koobface botnet's 1.0 phone-back locations (hxxp://urodinam.net) and is also hosted within the same netblock, at 91.188.59.10.

Sample related malicious URLs known to have participated in the campaign:
hxxp://urodinam.net/33t.php?stime=125558
hxxp://91.188.59.10/opa.exe - MD5: d4aacc8d01487285be564cbd3a4abc76 - Downloader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25%)

Once executed, the sample phones back to the following malicious C&C servers:
hxxp://aburvalg.com/new1.php - 64.27.0.237
hxxp://fucking-tube.net

The campaign's domains use the following name server:
hxxp://ns1.addedantivirus.com

Related malicious domains known to have responded to the same malicious name server:

Related malicious URLs known to have participated in the campaign:
hxxp://avplus-online.org/buy.php?id=
hxxp://fast-payments.com/index.php?prodid=antivirplus_02_01&afid=

Related malicious domains known to have participated in the campaign:

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang, successfully exposing hundreds of thousands of users to a multitude of malicious software.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample domains known to have participated in the campaign:
Sample malicious redirection chain known to have participated in the campaign:
hxxp://goadult.info/go.php?sid=13 -> hxxp://goadult.info/go.php?sid=9 -> hxxp://r2606.com/go/?pid=30937, which is a well known Koobface 1.0 command and control server domain.

Related malicious redirectors known to have participated in the campaign:
hxxp://goadult.info - 78.109.28.16 - tech@goadult.info
hxxp://go1go.net - 174.36.214.32 - tech@go1go.net
hxxp://wpills.info - 174.36.214.3 - tech@wpills.info

Historical OSINT - PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating


Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware

It's 2010 and I've recently intercepted a wide-spread malware-serving campaign on Bebo, successfully enticing users into interacting with fraudulent and malicious content and potentially compromising the confidentiality, availability and integrity of the targeted host through a multitude of malicious software.

Sample malicious domains known to have participated in the campaign:
hxxp://boss.gozbest.net/xd.html - 216.32.83.110
hxxp://tafficbots.com/in.cgi?6
hxxp://bolapaqir.com/in.cgi?2
hxxp://mybig-porn.com/promo4/?aid=1339

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Chinese Government Sites Serving Malware

It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it.

Compromised Chinese government Web site:
hxxp://nynews.gov.cn

Sample malicious domains known to have participated in the campaign:
hxxp://game1983.com/index.htm
hxxp://sp.070808.net/23.htm
hxxp://higain-hitech.com/mm/index.html

Currently affected Chinese government Web sites:
hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191
hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm
hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
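Each of the compromised sites above carries an injected iframe pointing at a third-party host, which is what a site owner or a defender monitoring a set of sites needs to detect. The following Python is an added example, not code from the original post: it parses a page and reports iframes and scripts whose source host differs from the page's own host, marking zero-size or invisible frames. The sample page, all hosts (placeholders under .invalid) and the hidden-frame heuristic are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page fragment of the kind served by the compromised
# sites in the post, with one legitimate same-site iframe, one injected
# zero-size off-site iframe and one off-site script. All hosts are placeholders.
SAMPLE_PAGE_HOST = "www.example.invalid"
SAMPLE_HTML = """<html><body>
<h1>Notice board</h1>
<iframe src="http://www.example.invalid/embed/map.htm" width="400" height="300"></iframe>
<iframe src="http://landing.attacker.invalid/inject/page.htm?id=1" width="0" height="0"></iframe>
<script src="http://cdn.attacker.invalid/loader.js"></script>
</body></html>"""


class EmbedCollector(HTMLParser):
    """Collect every <iframe> and <script> start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in ("iframe", "script"):
            self.embeds.append((tag.lower(), {k.lower(): (v or "") for k, v in attrs}))

    # Self-closing <iframe ... /> forms are collected the same way.
    handle_startendtag = handle_starttag


def is_hidden(attrs):
    """Heuristic for the zero-size or invisible frames that injections typically use."""
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip() in ("0", "0px"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_offsite_embeds(html, page_host):
    """Return iframes/scripts whose src points to a host other than page_host."""
    collector = EmbedCollector()
    collector.feed(html)
    page_host = page_host.lower()
    findings = []
    for tag, attrs in collector.embeds:
        src = attrs.get("src", "").strip()
        if not src:
            continue  # inline script or srcdoc frame: nothing is loaded from elsewhere
        host = (urlparse(src).hostname or "").lower()
        if host and host != page_host:
            findings.append({"tag": tag, "src": src, "host": host, "hidden": is_hidden(attrs)})
    return findings


if __name__ == "__main__":
    for f in find_offsite_embeds(SAMPLE_HTML, SAMPLE_PAGE_HOST):
        flag = "HIDDEN " if f["hidden"] else ""
        print(f"{flag}{f['tag']} -> {f['host']} ({f['src']})")
```

Relative and same-host sources are skipped, so the report only lists what the page pulls from elsewhere; compare it against an allow-list of the site's known third-party hosts to surface new injections.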

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Calling Zeus Home

Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I'll provide historical OSINT on various ZeuS-themed malicious and fraudulent campaigns intercepted throughout 2008 and provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have participated in the campaign:

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - A Diverse Portfolio of Fake Security Software

In this post I'll profile a currently circulating (circa 2008) malicious and fraudulent scareware-serving campaign that successfully entices users into interacting with rogue fake security software. The cybercriminals behind it earn fraudulent revenue by monetizing access to malware-infected hosts, largely relying on an affiliate-network based revenue-sharing scheme.

Related malicious domains known to have participated in the campaign:
hxxp://drivemedirect.com
hxxp://virtualblog5.com
hxxp://fastwebway.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.