Thursday, February 07, 2019

Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer"

Appreciate my rhetoric. In this post I'll provide actionable intelligence on a key DDoS for hire service that was primarily used in the Russia vs Georgia Cyber Attacks circa 2009 including the DDoS attack against Bobbear.co.uk.

Related actionable intelligence on the campaign:
hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com - hxxp://httpdoc.info - hxxp://fakamaza.info. The last one with the email address "team@russia-vs-georgia.org" in the WHOIS info.

Related malicious URLs known to have participated in the campaign:
hxxp://cxim.inattack.ru/www7/www/auth.php

Related malicious URLs known to have participated in the campaign:
hxxp://h278666y.net/main/load.exe
hxxp://h278666y.net/www/auth.php

Related malicious MD5s known to have participated in the campaign:
MD5: 34413180d372a9e66d0d59baf0244b8f
MD5: 42e4bbd47d322ec563c86c636c3f10b9
MD5: ed36b42fac65236a868e707ee540c015
MD5: c9fa1c95ab4ec1c1d46abe5445fb41e4

hxxp://cxim.inattack.ru/www3/www/
hxxp://i.clusteron.ru/bstatus.php

Related malicious URLs known to have participated in the campaign:
hxxp://svdrom.cn

Related malicious URLs known to have participated in the campaign:
hxxp://203.117.111.52/www7/www/getcfg.php

Related malicious domains known to have participated in the campaign:
hxxp://cxim.inattack.ru/www2/www/stat.php
hxxp://cxim.inattack.ru/www3/www/stat.php
hxxp://cxim.inattack.ru/www4/www/stat.php
hxxp://cxim.inattack.ru/www5/www/stat.php
hxxp://cxim.inattack.ru/www6/www/stat.php
hxxp://finito.fi.funpic.org/black/stat.php
hxxp://logartos.org/forum/stat.php - 195.24.78.242
hxxp://weberror.cn/be1/stat.php
hxxp://prosto.pizdos.net/_lol/stat.php
hxxp://h278666y.net/www/stat.php - 72.233.60.254