Saturday, May 04, 2019

Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infastructure

Love them or hate them - the ubiquitous beautiful girl utilizing fake bogus and rogue Facebook accounts scam campaign courtesy of Hamas targeting Israeli soldiers has to come to an end.

In this post I'll provide actionable intelligence on a currently active Pro-Hamas malicious and fraudulent infrastructure and will discuss in-depth the tactics techniques and procedures of the cybercriminals behind it and will offer in-depth perspective on a currently active Pro-Hamas hosting provider - "Nepras for Media & IT" which is basically a legitimate front-end company currently involved in a variety of Pro-Hamas malicious and fraudulent malware-serving and propaganda spreading online infrastructure provider directly related to yet another Pro-Hamas franchise - "Modern Tech Corp".

Sample Facebook Profile Names involved in the campaign:
Elianna Amer
Aitai Yosef
Karen Cohen
Amit Cohen
Loren Ailan
Verena Sonner
Lina Kramer

Sample profile photos of Pro-Hamas fake and rogue Facebook accounts:










Sample malicious and fraudulent URL known to have participated in the campaign:
hxxp://apkpkg.com/android/?product=yeecallpro - 50.63.202.43; 50.87.148.131; 50.63.202.56

Related malicious MD5s known to have participated in the campaign:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://goldncup.com
hxxp://glancelove.com - 204.11.56.48; 198.54.117.1; 198.54.117.198; 198.54.117.200; 198.54.117.197; 192.64.118.163
hxxp://autoandroidup.website
hxxp://mobilestoreupdate.website
hxxp://updatemobapp.website

Related malicious IPs known to have participated in the campaign:
hxxp://107.175.144.26
hxxp://192.64.114.147

Related malicious MD5s known to have participated in the campaign:
MD5: 4f9383ae4d0285aeb86e56797f3193f7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent phone-back C&C server IPs:
hxxp://endpointup.com/update/upfolder/updatefun.php
hxxp://droidback.com/pockemon/squirtle/functions.php

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://androidbak.com
hxxp://droidback.com
hxxp://endpointup.com
hxxp://siteanalysto.com
hxxp://goodydaddy.com

Related emails known to have participated in the campaign:
info@palgoal.ps
support@nepras.com
mtcg@mtcgaza.com

Related fraudulent and malicious domains known to have been registered using the same email - info@palgoal.ps:
hxxp://7qlp.com
hxxp://all-in1.net
hxxp://androidmobgate.com
hxxp://arabstonight.com
hxxp://collectrich.com
hxxp://krmalk.com
hxxp://motionsgraphic.com
hxxp://orchidcollege.com
hxxp://paltrainers.org
hxxp://rosomat.net
hxxp://stikerscloud.com

Related fraudulent and malicious domains known to have been registered using the same email - support@nepras.com:
hxxp://acchd.net
hxxp://ahlulquran.com
hxxp://alalbait.ps
hxxp://alnorhan.com
hxxp://alowini.com
hxxp://alresalah.news
hxxp://alshibl.com
hxxp://alwanbook.com
hxxp://arqamschools.com
hxxp://azarcnc.com
hxxp://boxmarket.org
hxxp://bstcover.com
hxxp://caades.org
hxxp://detour-bs.com
hxxp://driverup2date.com
hxxp://drmazen.com
hxxp://drmazen.ps
hxxp://eta-water.com
hxxp://fares-alarab.com
hxxp://feker.net
hxxp://fekerjaded.net
hxxp://fekerjaded.com
hxxp://gaza-health.com
hxxp://gcstv.tv
hxxp://hairgenomics.com
hxxp://idco.center
hxxp://islamicbl.com
hxxp://khaledjuma.net
hxxp://kingtoys.ps
hxxp://learningoutcome.net
hxxp://lemaghi.com
hxxp://lsugaza.org
hxxp://mailsinfo.net
hxxp://majallaa.com
hxxp://manara.ps
hxxp://mobilyapp.com
hxxp://mtsc.tech
hxxp://nepras.net
hxxp://nepras.ps
hxxp://nsms.ps
hxxp://osamaalnajjar.com
hxxp://osratyorg.com
hxxp://panorama-pvs.com
hxxp://pay2earn.net
hxxp://pharmahome.net
hxxp://saqacc.com
hxxp://saudifame.com
hxxp://scc-online.net
hxxp://sondooq.net
hxxp://syada.org
hxxp://takafulsys.com
hxxp://taqat.work
hxxp://taqat.jobs
hxxp://technologylotus.com
hxxp://thoraya.net
hxxp://vgsat.com
hxxp://yabous.net
hxxp://yourav.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://googlemapsservice.com
hxxp://lipidgenomics.com
hxxp://akalgroup.net
hxxp://rami-kerenawi.com
hxxp://bestyleperfumes.com
hxxp://azarcnc.com
hxxp://go-2web.com
hxxp://jettafood.com
hxxp://mushtahatours.com
hxxp://pal4news.net
hxxp://pcr-shate.com
hxxp://saqacc.com
hxxp://shahidvideo.com
hxxp://shop8d.net
hxxp://spermgenomics.com
hxxp://tawjihips.com
hxxp://vidioarb.com
hxxp://yourav.net
hxxp://yourdialerpal.com
hxxp://freedombeacon.info
hxxp://neprastest.info
hxxp://nirmaali.com
hxxp://zaibaq-hearing.com
hxxp://bramgsoft.com
hxxp://hairgenomics.com
hxxp://dietgenomix.com
hxxp://arcadialanguages.com
hxxp://himoudco.com
hxxp://moltkaa.com
hxxp://toyoorjanna.com
hxxp://facebootshe.com
hxxp://facebootshe.net
hxxp://somoood.com
hxxp://alnorhan.com
hxxp://alwatantoday.net
hxxp://elianali.com
hxxp://sspal.net
hxxp://hi-galaxy.com
hxxp://youthn.net
hxxp://gmamalaysia.com
hxxp://cbspgaza.com
hxxp://madarikmedia.com
hxxp://website-testnew.com
hxxp://childworldsociety.com
hxxp://netmarketpal.net
hxxp://albwwaba.com
hxxp://saudib.info
hxxp://pwaha.com
hxxp://smilymedia.com
hxxp://ftyatalghad.com
hxxp://coldymedia.com
hxxp://kh-alsendawy.com
hxxp://scoutsyalla.com
hxxp://almofker.com
hxxp://rawnaqmedia.net
hxxp://pro-stud.com
hxxp://shawa-plast.com
hxxp://eta-water.com
hxxp://host4tech.net
hxxp://fekerjaded.com
hxxp://audioodrivers.com
hxxp://trsanweb.com
hxxp://3almpro.com
hxxp://neprasweb.info
hxxp://thaqefnafsak.net
hxxp://newpal21.com
hxxp://ads4market.net
hxxp://qcpalestineforum.net
hxxp://alothmanx.com
hxxp://detourbs.com
hxxp://engash.com
hxxp://anafenyx.com
hxxp://dar-pal.com
hxxp://loyal-hands.com
hxxp://sahabacomplex.net
hxxp://logintest.info
hxxp://mapartnr.com
hxxp://hejazeceramics.com
hxxp://gazaapeal.com
hxxp://tawzzef.com
hxxp://gazaappeal.com
hxxp://oqpizza.com
hxxp://arqamschools.com
hxxp://nafhacenter.com
hxxp://halaalmasry.com
hxxp://q9polls.com
hxxp://q8-polls.com
hxxp://palalghadschool.com
hxxp://servesni.com
hxxp://rose2020.com
hxxp://km-pal.com
hxxp://cfpalestine.com
hxxp://ipad2me.com
hxxp://arabsdownload.com
hxxp://projectsinturkey.com
hxxp://newmassa.com
hxxp://charitysys.info
hxxp://nepraswebsite.com
hxxp://iquds.com
hxxp://yabous.net
hxxp://appsapkandroid.us
hxxp://alltech4arab.com
hxxp://hadaf.info
hxxp://plmedgroup.com
hxxp://modhish.net
hxxp://mltaka.com
hxxp://ajelapp.com
hxxp://khmap.com
hxxp://cupsport.net
hxxp://arshdnytech.com
hxxp://gmaedu.net
hxxp://lemaghi.com
hxxp://creativityjob.com
hxxp://imes-group.net
hxxp://rawnaqmedia.com
hxxp://alwanbook.com
hxxp://fifafoot.com
hxxp://sportarabs.com
hxxp://el-qalam.com
hxxp://bawadirsoft.com
hxxp://palalghad-school.com
hxxp://mixedwork.com
hxxp://plmedgroup.com
hxxp://alowini.com
hxxp://detour-bs.com
hxxp://earningoutcome.net
hxxp://shahedcom.com
hxxp://sport-kora.com
hxxp://torathshop.com
hxxp://newsolararabian.com
hxxp://h3sk.com
hxxp://gh-gaza91.com
hxxp://watanps.com
hxxp://mobilyapp.com
hxxp://nfs-pal.com
hxxp://yousef123.com
hxxp://alhato.com
hxxp://alyawmpress.net
hxxp://technologylotus.com
hxxp://qavalues.com
hxxp://ask2play.net
hxxp://hamasld.com
hxxp://bhscfood.com
hxxp://nmanews.com
hxxp://ifcdoha4.com
hxxp://sparkpowerco.net
hxxp://archour.com
hxxp://nmanews.net
hxxp://academy-uk.net
hxxp://turkey-gate.com
hxxp://learningoutcome.net
hxxp://smattrix.com
hxxp://eradaa.net
hxxp://paltoday.com
hxxp://sugar-salt.net
hxxp://boutiqobasket.com
hxxp://ethadalpadia.com
hxxp://fonoungallery.com
hxxp://fonoungallery.com
hxxp://smattrix.com
hxxp://gazawiit.com
hxxp://alfarisnt.com
hxxp://lama-film.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://lovemagazineofficial.com
hxxp://masmo7.com
hxxp://mnwrna.com
hxxp://androidbak.com
hxxp://fastdroidmob.com
hxxp://treestower.com
hxxp://aymanjoda.com
hxxp://advflameco.com
hxxp://mahmoudzuaiter.com
hxxp://libyatoda.com
hxxp://mtcpal.com
hxxp://khfamilies.com
hxxp://ch2t0.com
hxxp://dwratcom.com
hxxp://faker4.com
hxxp://orubah.com
hxxp://orchidcollege.com
hxxp://yasser-arafat.com
hxxp://wf-hall.com
hxxp://maharaty.net
hxxp://addoja.net
hxxp://arb10.com
hxxp://ajel-news.com
hxxp://rosomat.net
hxxp://sahifty.net
hxxp://looktik.com
hxxp://pstent.com
hxxp://newsmagasine.com
hxxp://gazass.com
hxxp://dooownloads.com
hxxp://androidmobgate.com
hxxp://koora-fast.com
hxxp://fitlifee.com
hxxp://share-crowd.com

Related domains registered using the "Modern Tech Corp" Pro-Hamas fraudulent and malicious infrastructure:
hxxp://atfalocom.com
hxxp://bopfile.com
hxxp://djadet.com
hxxp://ecsrs.com
hxxp://egp-gaza.com
hxxp://infoocean.net
hxxp://katakeety.com
hxxp://katakeety.net
hxxp://linefood.com
hxxp://mtcpal.net
hxxp://nawrastv.net
hxxp://shobbaik.com
hxxp://tashbik.biz
hxxp://tashbik.com
hxxp://vansac-english.com
hxxp://woodrom.com
hxxp://alfareeq.info
hxxp://tashbik.info
hxxp://cashbacksave.com
hxxp://nerab.com
hxxp://download4android.com
hxxp://altartosi.net
hxxp://fostanews.com
hxxp://silverdai.com
hxxp://selhelou.com
hxxp://albassam-co.com
hxxp://almanar-studio.com
hxxp://facekooora.com
hxxp://holylandcar.com
hxxp://qneibi.com
hxxp://shaheen-flower.com
hxxp://strong-k.com
hxxp://pioneerfoodco.com
hxxp://sinokrotex.com
hxxp://zawiaa.net
hxxp://amwwal.com
hxxp://abuamra.com
hxxp://madridista-arab.com
hxxp://donia-fm.com
hxxp://donia-fm.net
hxxp://lmasatfnya.com
hxxp://dolphinexpress1.com
hxxp://dolphinexpress1.info
hxxp://dolphinexpress1.net
hxxp://radiosurif.com
hxxp://sahaba-radio.com
hxxp://odmint.com
hxxp://ylapin.com
hxxp://ylapin.net
hxxp://mypage-pro.com
hxxp://mohdsheikh.com
hxxp://altelbany.com
hxxp://dolphinariumtours.com
hxxp://artsofali.com
hxxp://menalmuheetlelkhaleej.com
hxxp://alghaidaa.com
hxxp://ajwad-marble.com
hxxp://istakbel.com
hxxp://istaqbel.com
hxxp://istaqbil.com
hxxp://istaqbl.com
hxxp://istqbl.com
hxxp://estakbel.com
hxxp://estaqbel.com
hxxp://estaqbil.com
hxxp://estaqbl.com
hxxp://estqbl.com
hxxp://massrefy.com
hxxp://massrify.com
hxxp://amwwaly.com
hxxp://amwwaly.info
hxxp://amwwaly.net
hxxp://nawrastv.com
hxxp://stepcrm.com
hxxp://imraish.com
hxxp://zawiaa.com
hxxp://3la-kefak.com
hxxp://bsaisofamily.com
hxxp://imraish.com

Related malicious MD5s known to have participated in the campaign:
MD5: 10f27d243adb082ce0f842c7a4a3784b01f7248e
MD5: b8237782486a26d5397b75eeea7354a777bff63a
MD5: 09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813
MD5: 9b923303f580c999f0fdc25cad600dd3550fe4e0
MD5: 0b58c883efe44ff010f1703db00c9ff4645b59df
MD5: 0a5dc47b06de545d8236d70efee801ca573115e7
MD5: 782a0e5208c3d9e8942b928857a24183655e7470
MD5: 5f71a8a50964dae688404ce8b3fbd83d6e36e5cd
MD5: 03b404c8f4ead4aa3970b26eeeb268c594b1bb47

Related certificates known to have participated in the campaign:
10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6
9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03
44:52:E6:4C:97:4B:6D:6A:7C:40:AD:1E:E0:17:08:33:87:AA:09:09
67:43:9B:EE:39:81:F3:5E:10:33:C9:7A:D9:4F:3A:73:3B:B0:CF:0A
89:C8:E2:E3:4A:23:3C:A0:54:A0:4A:53:D6:56:C8:2D:4A:8D:80:56
B4:D5:0C:8B:73:CB:A9:06:8A:B3:F2:49:35:F8:58:FE:A2:3E:2E:3A

Related malicious MD5s known to have participated in the campaign including C&C phone-back locations:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7 - once executed the sample phones back to the following malcious domain - hxxp://jonalbertwebsite.000webhostapp.com
MD5: 95a782bd8711ac14ad76b068767515d7 - once executed the sample phones back to the following malicious domains - hxxp://107.175.144.26/apps/d/p/op.php -> hxxp://app-measurement.com/config/app/1:487050065789:android:6a899b85b4fafd55?app_instance_id=76d4b711c98c3632398d47cb8d5777a3&platform=android&gmp_version=11200
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313 - once executed the sample phones back to the followin malicious domain - hxxp://192.64.114.147/apps/d/p/op.php
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious MD5s known to have participated in the campaign:
MD5: f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious URL known to have participated in the campaign:
hxxp://bit.ly/2M7E2Zg