UPDATE: Flashpoint Intel issued a response to my research.
UPDATE: SCMagazine picked up the story.
UPDATE: Anti-Malware.name picked up the story.
UPDATE: EnterpriseTimes picked up the story.
UPDATE: Rambler News picked up the story.
It appears that Flashpoint's official Web site is currently embedded with a malware-serving malicious script that redirects visitors through the chain of third-party domains listed below, potentially exposing them to a multitude of malicious software.
Original malicious URL hosting location:
hxxp://www.flashpoint-intel.com/404javascript.js
hxxp://www.flashpoint-intel.com/404testpage4525d2fdc
Related malicious URL redirection chain:
hxxp://www.flashpoint-intel.com
-> hxxp://destinywall.org/redirect?type=555
-> hxxp://ermoyen.tk/index/?4831537102803
-> hxxp://search.plutonium.icu/?utm_medium=7710edb9b
-> hxxp://search.plutonium.icu/?utm_term=66793697539
-> hxxp://search.plutonium.icu/proc.php?37ba8df02c6d
-> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f
-> hxxp://circultural.com/v/c3937168-5def-11e9-b07a
-> hxxp://3daa61.circultural.com/l/8c579bd6-2433-11e
Second sample URL redirection chain:
hxxp://www.flashpoint-intel.com/
-> hxxp://destinywall.org/redirect?type=555&
-> hxxp://ermoyen.tk/index/?4831537102803
-> hxxp://search.plutonium.icu/?utm_medium=7710edb9b
-> hxxp://search.plutonium.icu/?utm_term=66793698655
-> hxxp://search.plutonium.icu/proc.php?123dd67462ec
-> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f
-> hxxp://circultural.com/v/d45c2e40-5def-11e9-bd47
Related legitimate URL known to have participated in the campaign:
hxxp://boards.greenhouse.io/flashpoint/jobs/4125871002?gh_jid=4125871002
Related malicious URL redirection chain:
hxxp://unanimous.live/ - 104.28.24.233 -> hxxp://jsc.adskeeper.co.uk/a/d/adw.toolbar.com.333699.js
hxxp://destinywall.org/redirect?type=555& - 176.123.9.53 -> hxxp://ermoyen.tk/index/?4831537102803 - 37.230.116.105
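The redirection chains above are what a defender actually has to act on: the entry point is a legitimate site, so the useful indicators are the downstream hosts and IPs. The Python script below is an added example, not code from the original post or from Flashpoint. It refangs the hxxp:// notation, parses the "url - ip -> url - ip" chain format used in this post into ordered hops, excludes the compromised entry site (flashpoint-intel.com is the victim, not something to block), and then sweeps proxy log lines for requests to any listed host, a subdomain of one, or a listed IP. The two chains in CHAINS are copied from the post; the log lines in SAMPLE_LOG and their "timestamp client method url status" layout are constructed for the example and are not real logs.

```python
"""Refang the post's indicators, parse its redirect chains, sweep proxy logs."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Input copied from the post: hops joined by "->", each hop optionally
# followed by " - <ip>" as the post annotates them.
CHAINS = [
    "hxxp://www.flashpoint-intel.com -> hxxp://destinywall.org/redirect?type=555 -> "
    "hxxp://ermoyen.tk/index/?4831537102803 -> "
    "hxxp://search.plutonium.icu/?utm_medium=7710edb9b -> "
    "hxxp://search.plutonium.icu/proc.php?37ba8df02c6d -> "
    "hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f -> "
    "hxxp://circultural.com/v/c3937168-5def-11e9-b07a",
    "hxxp://destinywall.org/redirect?type=555& - 176.123.9.53 -> "
    "hxxp://ermoyen.tk/index/?4831537102803 - 37.230.116.105",
]

# The compromised site is the entry point of the chain, not an indicator to block.
ENTRY_HOSTS = {"www.flashpoint-intel.com", "flashpoint-intel.com"}

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def refang(token: str) -> str:
    """Undo the defanging used in the post (hxxp, [.], .]) so urllib can parse it."""
    return (token.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", ".")
                 .replace(".]", "."))


def parse_chain(chain: str) -> list[tuple[str, str | None]]:
    """Split a 'url - ip -> url - ip' chain into ordered (hostname, ip) hops."""
    hops = []
    for hop in chain.split("->"):
        fields = [f.strip() for f in hop.split(" - ") if f.strip()]
        if not fields:
            continue
        host = urlsplit(refang(fields[0])).hostname
        ip = fields[1] if len(fields) > 1 and IPV4.fullmatch(fields[1]) else None
        if host:
            hops.append((host.lower(), ip))
    return hops


def build_indicators(chains: list[str]) -> tuple[set[str], set[str]]:
    """Collect every downstream host and IP from the chains, minus the entry site."""
    hosts: set[str] = set()
    ips: set[str] = set()
    for chain in chains:
        for host, ip in parse_chain(chain):
            if host in ENTRY_HOSTS:
                continue
            hosts.add(host)
            if ip:
                ips.add(ip)
    return hosts, ips


def matches_indicator(host: str, hosts: set[str], ips: set[str]) -> bool:
    """True if host is a listed host, a subdomain of one, or a listed IP."""
    host = host.lower()
    if host in hosts or host in ips:
        return True
    return any(host.endswith("." + h) for h in hosts)


# Assumed log layout for the example: "<timestamp> <client> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def sweep(log_lines: list[str], hosts: set[str], ips: set[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, client, matched_host) for each request to an indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = m["url"]
        # CONNECT requests carry "host:port" instead of a full URL.
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        if host and matches_indicator(host, hosts, ips):
            hits.append((n, m["client"], host))
    return hits


# Constructed proxy log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2019-04-22T10:15:01Z 10.0.0.5 GET http://www.flashpoint-intel.com/ 200",
    "2019-04-22T10:15:01Z 10.0.0.5 GET http://www.flashpoint-intel.com/404javascript.js 200",
    "2019-04-22T10:15:02Z 10.0.0.5 GET http://destinywall.org/redirect?type=555 302",
    "2019-04-22T10:15:02Z 10.0.0.5 GET http://ermoyen.tk/index/?4831537102803 302",
    "2019-04-22T10:15:03Z 10.0.0.5 GET http://search.plutonium.icu/proc.php?37ba8df02c6d 302",
    "2019-04-22T10:15:04Z 10.0.0.5 CONNECT 3daa61.circultural.com:443 200",
    "2019-04-22T10:15:05Z 10.0.0.7 GET http://example.org/ 200",
    "2019-04-22T10:15:06Z 10.0.0.7 CONNECT 37.230.116.105:443 200",
]

if __name__ == "__main__":
    known_hosts, known_ips = build_indicators(CHAINS)
    for line_no, client, host in sweep(SAMPLE_LOG, known_hosts, known_ips):
        print(f"line {line_no}: {client} reached {host}")
```

Subdomain matching matters here because the post's own chain ends on 3daa61.circultural.com, a throwaway label under a listed apex; an exact-match blocklist would miss it. The entry-site exclusion is deliberate: the compromise is on flashpoint-intel.com, but alerting on every visit to a legitimate vendor site would only produce noise.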
Related malicious URLs known to have participated in the campaign:
hxxp://oussercondition.tk/index/?4831537102803
hxxp://testify.newsfeed.support/esuznxifqk?c=15&
hxxp://impress.newsfeed.support/esuznxifqk?c=20&
hxxp://minently.com/RnSda/rDN3/ojdn/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e?qDo=MS_WW_AGG_Desktop&subid=6679367743860375570&ext1=1608
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd2lUHCfkQjLfPyHo_ZayrHiuU?ori=6x&ex=6&pbi=5cb1e1a50b08e2.738349245
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd2lRfKJxF0KvzyETF1t74kzXE?ori=6x&ex=6&pbi=5cb1e1ac8e8cd8.865930185 - 205.147.93.131
hxxp://search.plutonium.icu/?utm_term=6679367743860375570&clickverify=1&utm_content=fdc2c69a9 - 99.198.108.198
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd1kUSXfhYjK_7yHXZI1b-Xzt8?ori=6x&ex=6&pbi=5cb1e2e0ebe9a2.271109695 - 205.147.93.131
hxxp://click.monetizer-return.com/?utm_medium=f0b5c66dbbca0c7df1803313f76c9a781d4f8e57 - 198.143.165.221
hxxp://play.superlzpre.com/red/?code=RY6GVO6HT5VM&a=6679370333725656167&pubid=1608 - 217.13.124.95
Related malicious domains known to have participated in the campaign:
hxxp://destinywall.org - 176.123.9.53
hxxp://hellofromhony.org
hxxp://hellofromhony.com
hxxp://thebiggestfavoritemake.com
hxxp://verybeatifulpear.com
hxxp://strangefullthiggngs.com
hxxp://stopenumarationsz.com
Related malicious and fraudulent IPs known to have participated in the campaign:
hxxp://onwardinated.com - 52.85.88.105; 52.85.88.202; 52.85.88.224; 52.85.88.151; 52.85.58.244; 52.85.58.217 ; 52.85.58.236 ; 52.85.58.52
hxxp://205.147.93.131
hxxp://99.198.108.198
hxxp://217.13.124.95
hxxp://143.204.247.69
hxxp://143.204.214.90
Related malicious MD5s known to have participated in the campaign:
MD5: b28e98bb6ed0e0af8ec7a2d47ca6b053
MD5: f0dfab9f9a1a7e5dc8c00222292e401e
MD5: 6b986d4bc5475af102bfff4d28a5cf50
MD5: e963ed9b5c052d02c972e449142f7946
MD5: 7dee4f221d3b3779301f4b38061d6992
MD5: 30f6d6bd507317dbcf1708edc449c970
MD5: 437cfb417c5a6e7fc3d446dcd35203fc
MD5: e1fd735fdf97cc734ec46d2b33aac8bf
MD5: b37b7d221526faa8ffbea52626e5ac87
MD5: 821a00b057a9fabe670174eab4b28e77
MD5: 0bb4e038ce1fecb88be583d776cfa4a0
MD5: 7197f433b0d269848ae1d1e957a9b858
MD5: 1d72d5255bd2450fb04a7a2c68ff87bd
MD5: b3722ade8c3ee908b6f82ae81ae2d748
MD5: 89ddddb5b3a88ef3d6da57c72197e0cc
MD5: 6a490bbd341db8033ec86fc771f24926
MD5: b52d0377b2f741dd20e17dfad3ca58aa
MD5: 813e84f9bd30eed6390f5ce806916f2a
MD5: 81810b6e4c89c03260a6bac4a16ef3ba
MD5: c9cb7f2ea5b8a16f4fb4246825e8a3de
Related malicious and fraudulent URLs known to have participated in the campaign:
hxxp://notifymepush.info
hxxp://101newssubspush.info
hxxp://bestofnewssubspush.info
hxxp://burningpush.info
hxxp://checkadvisefriends.info
hxxp://checksayfriends.info
hxxp://checksuefriends.info
hxxp://conewssubspush.info
hxxp://enewssubspush.info
hxxp://examinenotifyfriends.info
hxxp://gonewssubspush.info
hxxp://hitnewssubspush.info
hxxp://inewssubspush.info
hxxp://inspectnotifyfriends.info
hxxp://justnewssubspush.info
hxxp://livenewssubspush.info
hxxp://metanewssubspush.info
hxxp://newnewssubspush.info
hxxp://nunewssubspush.info
hxxp://pushmeandtouchme.info
hxxp://scannotifyfriends.info
hxxp://searchnotifyfriends.info
hxxp://testnotifyfriends.info
hxxp://thentouchme.info
hxxp://topnewssubspush.info
hxxp://touchthenpush.info
hxxp://trynewssubspush.info
hxxp://upnewssubspush.info
hxxp://usenotifyfriends.info
hxxp://wenewssubspush.info
Related malicious and fraudulent domains known to have responded to 109.234.39.160:
hxxp://ivreprsident.tk
hxxp://uvrirordre.tk
hxxp://offriractivit.tk
hxxp://ermoyen.tk
hxxp://iterrisque.tk
hxxp://derchef.tk
hxxp://echance.tk
hxxp://terminerespace.tk
hxxp://rofiterami.tk
hxxp://evenirweb.tk
hxxp://nviterinformation.tk
hxxp://xemple.tk
hxxp://isercarte.tk
hxxp://airelaisserquestion.tk
hxxp://derimage.tk
hxxp://alsoutenirdomaine.tk
hxxp://arderplan.tk
hxxp://rsentermonde.tk
hxxp://marquerexprience.tk
hxxp://germatire.tk
hxxp://rerlivre.tk
hxxp://ngersource.tk
hxxp://voyercasino.tk
hxxp://onctionnerfrance.tk
hxxp://raliserpage.tk
hxxp://nterespace.tk
hxxp://ectuerpartie.tk
hxxp://erguerre.tk
hxxp://nnatrevaleur.tk
hxxp://fierargent.tk
hxxp://irmertravers.tk
hxxp://dcidertemps.tk
hxxp://irebase.tk
hxxp://inerpied.tk
hxxp://limiterprsident.tk
hxxp://resteraffaire.tk
hxxp://laisserloi.tk
hxxp://treterre.tk
hxxp://iresuite.tk
hxxp://tenirair.tk
hxxp://rganiserargent.tk
hxxp://nelchoisirhistoire.tk
hxxp://grertte.tk
hxxp://oncernerpriode.tk
hxxp://ncerchoix.tk
hxxp://mpagnercas.tk
hxxp://permesure.tk
hxxp://urirproduit.tk
hxxp://relieu.tk
hxxp://sderplan.tk
hxxp://prparerchance.tk
hxxp://hergestion.tk
hxxp://disposerpouvoir.tk
hxxp://isirtat.tk
hxxp://dercoup.tk
hxxp://frersource.tk
hxxp://suivreobjet.tk
hxxp://itteranne.tk
hxxp://anisertude.tk
hxxp://pparatrecouleur.tk
hxxp://trouverplaisir.tk
hxxp://sterenfant.tk
hxxp://ttervente.tk
hxxp://ntirgestion.tk
hxxp://rouverdveloppement.tk
hxxp://nnelfalloirchoix.tk
hxxp://merdemande.tk
hxxp://nnellireapplication.tk
hxxp://ercoup.tk
hxxp://tgrertte.tk
hxxp://moyen.tk
hxxp://duirecorps.tk
hxxp://rerespecterministre.tk
hxxp://mposerconseil.tk
hxxp://choisirfemme.tk
hxxp://nsidreran.tk
hxxp://rderdomaine.tk
hxxp://nuerweb.tk
hxxp://attrecentre.tk
hxxp://raiterbesoin.tk
hxxp://leresprit.tk
hxxp://ontenirforme.tk
hxxp://nirfonction.tk
hxxp://chergroupe.tk
hxxp://rtte.tk
hxxp://epied.tk
hxxp://erparis.tk
hxxp://liserpouvoir.tk
hxxp://rtagertype.tk
hxxp://reconnatrefemme.tk
Related malicious and fraudulent domains known to have responded to 37.230.116.105:
hxxp://lpoursuivretat.tk
hxxp://gycazyuge.tk
hxxp://optygyty.tk
hxxp://hurevente.tk
hxxp://kofojok.tk
hxxp://expliopjipn.tk
hxxp://nijiscy.tk
hxxp://mprendreauteur.tk
hxxp://vertravers.tk
hxxp://truirefrance.tk
hxxp://lokodasre.tk
hxxp://prendrecorps.tk
hxxp://iokoivefikolf.tk
hxxp://hudabertee.tk
hxxp://larereffet.tk
hxxp://husanuie.tk
hxxp://pocokie.tk
hxxp://gysazatre.tk
hxxp://ssurercentre.tk
hxxp://iperuvre.tk
hxxp://ferfreau.tk
hxxp://poserscurit.tk
hxxp://jidytzae.tk
hxxp://jikogyda.tk
hxxp://tirsystme.tk
hxxp://thermesure.tk
hxxp://plaisijir.tk
hxxp://tyferet.tk
hxxp://irefrance.tk
hxxp://sedkorlor.tk
hxxp://serfille.tk
hxxp://ruiyrgion.tk
hxxp://permettretravers.tk
hxxp://lpouruiretat.tk
hxxp://fournirplupart.tk
hxxp://roposergenre.tk
hxxp://tircadre.tk
hxxp://reconnatrechef.tk
hxxp://oiril.tk
hxxp://enterguerre.tk
hxxp://irvaleur.tk
hxxp://irsocit.tk
hxxp://hugersoir.tk
hxxp://jokofasa.tk
hxxp://gyrecersa.tk
hxxp://ekotyfereen.tk
hxxp://kosazagerr.tk
hxxp://ioterexu.tk
hxxp://voirirguerre.tk
hxxp://stermain.tk
hxxp://kokofete.tk
hxxp://uiregy.tk
hxxp://lodokiv.tk
hxxp://nedfuheihg.tk
hxxp://koduhutr.tk
hxxp://husadere.tk
hxxp://gytedexen.tk
hxxp://jisazabyt.tk
hxxp://potycerer.tk
hxxp://lopotyre.tk
hxxp://huqerwerite.tk
hxxp://rtircouleur.tk
hxxp://tirhujmort.tk
hxxp://huderesen.tk
hxxp://expliqueren.tk
hxxp://uihytyf.tk
hxxp://ikiryve.tk
hxxp://jisazajic.tk
hxxp://hudasarete.tk
hxxp://potijife.tk
hxxp://lsejikog.tk
hxxp://gytlsentirsite.tk
hxxp://tiosuivremillion.tk
hxxp://kojerconseil.tk
hxxp://okinterlien.tk
hxxp://tenterargent.tk
hxxp://eordre.tk
hxxp://onterami.tk
hxxp://vrirvente.tk
hxxp://nerbesoin.tk
hxxp://nertiko.tk
hxxp://geolorge.tk
hxxp://gyvercherdroit.tk
hxxp://bokosabe.tk
hxxp://lsjifferde.tk
hxxp://dyjursite.tk
hxxp://lopofibut.tk
hxxp://cevoirguerre.tk
hxxp://atteindreair.tk
hxxp://ardermillion.tk
hxxp://koiterplace.tk
hxxp://travaillersite.tk
hxxp://cuperquipe.tk
hxxp://ferdplaisir.tk
hxxp://lsentirsite.tk
hxxp://tsuivremillion.tk
hxxp://eciotersystme.tk
hxxp://ortercration.tk
hxxp://koeioijfgel.tk
hxxp://ituerexemple.tk
hxxp://olravaillersant.tk
hxxp://poloeioijfgel.tk
hxxp://pliquerformation.tk
hxxp://tsortirgouvernement.tk
hxxp://vkojrguerre.tk
hxxp://kijiirraison.tk
hxxp://ndreterme.tk
hxxp://iterplace.tk
hxxp://oposerprojet.tk
hxxp://ldclarerplace.tk
hxxp://permort.tk
Related malicious and fraudulent domains known to have participated in the campaign (138.68.113.179; 172.64.196.39; 172.64.197.39; 104.27.170.199; 104.27.171.199):
hxxp://click.newsfeed.support
hxxp://soprano.newsfeed.support
hxxp://clarify.newsfeed.support
hxxp://theater.newsfeed.support
hxxp://impress.newsfeed.support
hxxp://urgency.newsfeed.support
hxxp://thinker.newsfeed.support
hxxp://glasses.newsfeed.support
hxxp://qualify.newsfeed.support
hxxp://warning.newsfeed.support
hxxp://scandal.newsfeed.support
hxxp://minimum.newsfeed.support
hxxp://general.newsfeed.support
hxxp://glimpse.newsfeed.support
hxxp://extreme.newsfeed.support
hxxp://officer.newsfeed.support
hxxp://silence.newsfeed.support
hxxp://capital.newsfeed.support
hxxp://voucher.newsfeed.support
hxxp://dentist.newsfeed.support
Monday, April 22, 2019
Flashpoint Intel Official Web Site Serving Malware - An Analysis
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com