Monday, April 22, 2019

Flashpoint Intel Official Web Site Serving Malware - An Analysis

UPDATE: Flashpoint Intel issued a response to my research.

UPDATE: SCMagazine picked up the story.

UPDATE: Anti-Malware.name picked up the story.

UPDATE: EnterpriseTimes picked up the story

UPDATE: Rambler News picked up the story.

It appears that Flashpoint's official Web site is currently embedded with malware-serving malicious script potentially exposing its visitors to a multi-tude of malicious software.



Original malicious URL hosting location:
hxxp://www.flashpoint-intel.com/404javascript.js
hxxp://www.flashpoint-intel.com/404testpage4525d2fdc

Related malicious URL redirection chain:
hxxp://www.flashpoint-intel.com -> hxxp://destinywall.org/redirect?type=555 - ; hxxp://ermoyen.tk/index/?4831537102803 -> hxxp://search.plutonium.icu/?utm_medium=7710edb9b -> hxxp://search.plutonium.icu/?utm_term=66793697539 -> hxxp://search.plutonium.icu/proc.php?37ba8df02c6d  -> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f -> hxxp://circultural.com/v/c3937168-5def-11e9-b07a -> hxxp://3daa61.circultural.com/l/8c579bd6-2433-11e


Second sample URL redirection chain:
hxxp://www.flashpoint-intel.com/ -> hxxp://destinywall.org/redirect?type=555&  -> hxxp://ermoyen.tk/index/?4831537102803 -> hxxp://search.plutonium.icu/?utm_medium=7710edb9b -> hxxp://search.plutonium.icu/?utm_term=66793698655 -> hxxp://search.plutonium.icu/proc.php?123dd67462ec -> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f  -> hxxp://circultural.com/v/d45c2e40-5def-11e9-bd47

Related legitimate URL known to have participated in the campaign:
hxxp://boards.greenhouse.io/flashpoint/jobs/4125871002?gh_jid=4125871002

Related malicious URL redirection chain:
hxxp://unanimous.live/ - 104.28.24.233- hxxp://jsc.adskeeper.co.uk/a/d/adw.toolbar.com.333699.js
hxxp://destinywall.org/redirect?type=555& - 176.123.9.53 -> hxxp://ermoyen.tk/index/?4831537102803 - 37.230.116.105

Related malicious URLs known to have participated in the campaign:
hxxp://oussercondition.tk/index/?4831537102803
hxxp://testify.newsfeed.support/esuznxifqk?c=15&amp
hxxp://impress.newsfeed.support/esuznxifqk?c=20&amp


hxxp://minently.com/RnSda/rDN3/ojdn/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e?qDo=MS_WW_AGG_Desktop&subid=6679367743860375570&ext1=1608
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd2lUHCfkQjLfPyHo_ZayrHiuU?ori=6x&ex=6&pbi=5cb1e1a50b08e2.738349245
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd2lRfKJxF0KvzyETF1t74kzXE?ori=6x&ex=6&pbi=5cb1e1ac8e8cd8.865930185 - 205.147.93.131
hxxp://search.plutonium.icu/?utm_term=6679367743860375570&clickverify=1&utm_content=fdc2c69a9 - 99.198.108.198
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd1kUSXfhYjK_7yHXZI1b-Xzt8?ori=6x&ex=6&pbi=5cb1e2e0ebe9a2.271109695 - 205.147.93.131
hxxp://click.monetizer-return.com/?utm_medium=f0b5c66dbbca0c7df1803313f76c9a781d4f8
e57 - 198.143.165.221
hxxp://play.superlzpre.com/red/?code=RY6GVO6HT5VM&a=6679370333725656167&pubid=1608 - 217.13.124.95


Related malicious domains known to have participated in the campaign:
hxxp://destinywall.org - 176.123.9.53
hxxp://hellofromhony.org
hxxp://hellofromhony.com
hxxp://thebiggestfavoritemake.com
hxxp://destinywall.org
hxxp://verybeatifulpear.com
hxxp://strangefullthiggngs.com
hxxp://stopenumarationsz.com

Related malicious and fraudulent IPs known to have participated in the campaign:
hxxp://onwardinated.com - 52.85.88.105; 52.85.88.202; 52.85.88.224; 52.85.88.151; 52.85.58.244; 52.85.58.217 ; 52.85.58.236 ; 52.85.58.52
hxxp://205.147.93.131
hxxp://99.198.108.198
hxxp://217.13.124.95
hxxp://143.204.247.69
hxxp://143.204.214.90


Related malicious MD5s known to have participated in the campaign:
MD5: b28e98bb6ed0e0af8ec7a2d47ca6b053
MD5: f0dfab9f9a1a7e5dc8c00222292e401e
MD5: 6b986d4bc5475af102bfff4d28a5cf50
MD5: e963ed9b5c052d02c972e449142f7946
MD5: 7dee4f221d3b3779301f4b38061d6992

Related malicious MD5s known to have participated in the campaign:
MD5: 30f6d6bd507317dbcf1708edc449c970
MD5: 437cfb417c5a6e7fc3d446dcd35203fc
MD5: e1fd735fdf97cc734ec46d2b33aac8bf
MD5: b37b7d221526faa8ffbea52626e5ac87
MD5: 821a00b057a9fabe670174eab4b28e77


Related malicious MD5s known to have participated in the campaign:
MD5: 0bb4e038ce1fecb88be583d776cfa4a0
MD5: 7197f433b0d269848ae1d1e957a9b858
MD5: 1d72d5255bd2450fb04a7a2c68ff87bd
MD5: b3722ade8c3ee908b6f82ae81ae2d748
MD5: 89ddddb5b3a88ef3d6da57c72197e0cc
MD5: 6a490bbd341db8033ec86fc771f24926
MD5: b52d0377b2f741dd20e17dfad3ca58aa
MD5: 813e84f9bd30eed6390f5ce806916f2a
MD5: 81810b6e4c89c03260a6bac4a16ef3ba
MD5: c9cb7f2ea5b8a16f4fb4246825e8a3de

Related malicious and fraudulent URLs known to have participated in the campaign:
hxxp://notifymepush.info
hxxp://101newssubspush.info
hxxp://Bestofnewssubspush.info
hxxp://Burningpush.info
hxxp://Checkadvisefriends.info
hxxp://Checksayfriends.info
hxxp://Checksuefriends.info
hxxp://Conewssubspush.info
hxxp://Enewssubspush.info
hxxp://Examinenotifyfriends.]info
hxxp://Gonewssubspush.info
hxxp://Hitnewssubspush.info
hxxp://Inewssubspush.info
hxxp://Inspectnotifyfriends.info
hxxp://Justnewssubspush.info
hxxp://Livenewssubspush.info
hxxp://Metanewssubspush.info
hxxp://Newnewssubspush.info
hxxp://Notifymepush.info
hxxp://Nunewssubspush.info
hxxp://Pushmeandtouchme.info
hxxp://Scannotifyfriends.info
hxxp://Searchnotifyfriends.info
hxxp://Testnotifyfriends.info
hxxp://Thentouchme.info
hxxp://Topnewssubspush.info
hxxp://Touchthenpush.info
hxxp://Trynewssubspush.info
hxxp://Upnewssubspush.info
hxxp://Usenotifyfriends.info
hxxp://Wenewssubspush.info

Related malicious and fraudulent domains known to have responded to 109.234.39.160:
hxxp://ivreprsident.tk
hxxp://uvrirordre.tk
hxxp://offriractivit.tk
hxxp://ermoyen.tk
hxxp://iterrisque.tk
hxxp://derchef.tk
hxxp://echance.tk
hxxp://terminerespace.tk
hxxp://rofiterami.tk
hxxp://evenirweb.tk
hxxp://nviterinformation.tk
hxxp://xemple.tk
hxxp://isercarte.tk
hxxp://airelaisserquestion.tk
hxxp://derimage.tk
hxxp://alsoutenirdomaine.tk
hxxp://arderplan.tk
hxxp://rsentermonde.tk
hxxp://marquerexprience.tk
hxxp://germatire.tk
hxxp://rerlivre.tk
hxxp://ngersource.tk
hxxp://voyercasino.tk
hxxp://onctionnerfrance.tk
hxxp://raliserpage.tk
hxxp://nterespace.tk
hxxp://ectuerpartie.tk
hxxp://erguerre.tk
hxxp://nnatrevaleur.tk
hxxp://fierargent.tk
hxxp://irmertravers.tk
hxxp://dcidertemps.tk
hxxp://irebase.tk
hxxp://inerpied.tk
hxxp://limiterprsident.tk
hxxp://resteraffaire.tk
hxxp://laisserloi.tk
hxxp://treterre.tk
hxxp://iresuite.tk
hxxp://tenirair.tk
hxxp://rganiserargent.tk
hxxp://nelchoisirhistoire.tk
hxxp://grertte.tk
hxxp://oncernerpriode.tk
hxxp://ncerchoix.tk
hxxp://mpagnercas.tk
hxxp://permesure.tk
hxxp://urirproduit.tk
hxxp://relieu.tk
hxxp://sderplan.tk
hxxp://prparerchance.tk
hxxp://hergestion.tk
hxxp://disposerpouvoir.tk
hxxp://isirtat.tk
hxxp://dercoup.tk
hxxp://frersource.tk
hxxp://suivreobjet.tk
hxxp://itteranne.tk
hxxp://anisertude.tk
hxxp://pparatrecouleur.tk
hxxp://trouverplaisir.tk
hxxp://sterenfant.tk
hxxp://ttervente.tk
hxxp://ntirgestion.tk
hxxp://rouverdveloppement.tk
hxxp://nnelfalloirchoix.tk
hxxp://merdemande.tk
hxxp://nnellireapplication.tk
hxxp://ercoup.tk
hxxp://tgrertte.tk
hxxp://moyen.tk
hxxp://duirecorps.tk
hxxp://rerespecterministre.tk
hxxp://mposerconseil.tk
hxxp://nnatrevaleur.tk
hxxp://choisirfemme.tk
hxxp://nsidreran.tk
hxxp://rderdomaine.tk
hxxp://nuerweb.tk
hxxp://attrecentre.tk
hxxp://raiterbesoin.tk
hxxp://leresprit.tk
hxxp://ontenirforme.tk
hxxp://nirfonction.tk
hxxp://chergroupe.tk
hxxp://rtte.tk
hxxp://epied.tk
hxxp://erparis.tk
hxxp://liserpouvoir.tk
hxxp://rtagertype.tk
hxxp://reconnatrefemme.tk


Related malicious and fraudulent domains known to have responded to 37.230.116.105:
hxxp://lpoursuivretat.tk
hxxp://gycazyuge.tk
hxxp://optygyty.tk
hxxp://hurevente.tk
hxxp://kofojok.tk
hxxp://expliopjipn.tk
hxxp://nijiscy.tk
hxxp://mprendreauteur.tk
hxxp://vertravers.tk
hxxp://truirefrance.tk
hxxp://lokodasre.tk
hxxp://prendrecorps.tk
hxxp://iokoivefikolf.tk
hxxp://hudabertee.tk
hxxp://larereffet.tk
hxxp://husanuie.tk
hxxp://pocokie.tk
hxxp://gysazatre.tk
hxxp://ssurercentre.tk
hxxp://iperuvre.tk
hxxp://ferfreau.tk
hxxp://poserscurit.tk
hxxp://jidytzae.tk
hxxp://jikogyda.tk
hxxp://tirsystme.tk
hxxp://thermesure.tk
hxxp://plaisijir.tk
hxxp://tyferet.tk
hxxp://irefrance.tk
hxxp://sedkorlor.tk
hxxp://serfille.tk
hxxp://ruiyrgion.tk
hxxp://permettretravers.tk
hxxp://lpouruiretat.tk
hxxp://fournirplupart.tk
hxxp://roposergenre.tk
hxxp://tircadre.tk
hxxp://reconnatrechef.tk
hxxp://oiril.tk
hxxp://enterguerre.tk
hxxp://irvaleur.tk
hxxp://irsocit.tk
hxxp://hugersoir.tk
hxxp://jokofasa.tk
hxxp://gyrecersa.tk
hxxp://ekotyfereen.tk
hxxp://kosazagerr.tk
hxxp://ioterexu.tk
hxxp://voirirguerre.tk
hxxp://stermain.tk
hxxp://kokofete.tk
hxxp://uiregy.tk
hxxp://lodokiv.tk
hxxp://nedfuheihg.tk
hxxp://koduhutr.tk
hxxp://husadere.tk
hxxp://gytedexen.tk
hxxp://jisazabyt.tk
hxxp://potycerer.tk
hxxp://lopotyre.tk
hxxp://huqerwerite.tk
hxxp://rtircouleur.tk
hxxp://tirhujmort.tk
hxxp://huderesen.tk
hxxp://expliqueren.tk
hxxp://uihytyf.tk
hxxp://ikiryve.tk
hxxp://jisazajic.tk
hxxp://hudasarete.tk
hxxp://potijife.tk
hxxp://lsejikog.tk
hxxp://gytlsentirsite.tk
hxxp://tiosuivremillion.tk
hxxp://kojerconseil.tk
hxxp://okinterlien.tk
hxxp://tenterargent.tk
hxxp://eordre.tk
hxxp://onterami.tk
hxxp://vrirvente.tk
hxxp://nerbesoin.tk
hxxp://nertiko.tk
hxxp://geolorge.tk
hxxp://gyvercherdroit.tk
hxxp://bokosabe.tk
hxxp://lsjifferde.tk
hxxp://dyjursite.tk
hxxp://lopofibut.tk
hxxp://cevoirguerre.tk
hxxp://atteindreair.tk
hxxp://ardermillion.tk
hxxp://koiterplace.tk
hxxp://travaillersite.tk
hxxp://cuperquipe.tk
hxxp://ferdplaisir.tk
hxxp://lsentirsite.tk
hxxp://tsuivremillion.tk
hxxp://eciotersystme.tk
hxxp://ortercration.tk
hxxp://koeioijfgel.tk
hxxp://ituerexemple.tk
hxxp://olravaillersant.tk
hxxp://poloeioijfgel.tk
hxxp://pliquerformation.tk
hxxp://tsortirgouvernement.tk
hxxp://vkojrguerre.tk
hxxp://kijiirraison.tk
hxxp://ndreterme.tk
hxxp://iterplace.tk
hxxp://oposerprojet.tk
hxxp://ldclarerplace.tk
hxxp://permort.tk


Related malicious and fraudulent domains known to have participated in the campaign (138.68.113.179; 172.64.196.39; 172.64.197.39; 104.27.170.199; 104.27.171.199):
hxxp://click.newsfeed.support
hxxp://soprano.newsfeed.support
hxxp://clarify.newsfeed.support
hxxp://theater.newsfeed.support
hxxp://impress.newsfeed.support
hxxp://urgency.newsfeed.support
hxxp://thinker.newsfeed.support
hxxp://glasses.newsfeed.support
hxxp://qualify.newsfeed.support
hxxp://warning.newsfeed.support
hxxp://scandal.newsfeed.support
hxxp://minimum.newsfeed.support
hxxp://general.newsfeed.support
hxxp://glimpse.newsfeed.support
hxxp://extreme.newsfeed.support
hxxp://officer.newsfeed.support
hxxp://silence.newsfeed.support
hxxp://capital.newsfeed.support
hxxp://voucher.newsfeed.support
hxxp://dentist.newsfeed.support