Saturday, May 04, 2019

Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infrastructure

Love them or hate them - the ubiquitous "beautiful girl" scam campaign, run by Hamas through fake, bogus and rogue Facebook accounts and targeting Israeli soldiers, has to come to an end.

In this post I'll provide actionable intelligence on a currently active Pro-Hamas malicious and fraudulent infrastructure, discuss in-depth the tactics, techniques and procedures (TTPs) of the cybercriminals behind it, and offer an in-depth perspective on a currently active Pro-Hamas hosting provider - "Nepras for Media & IT". Nepras is basically a legitimate front-end company currently involved in a variety of Pro-Hamas malicious and fraudulent malware-serving and propaganda-spreading online infrastructure, and it is directly related to yet another Pro-Hamas franchise - "Modern Tech Corp".

Sample Facebook Profile Names involved in the campaign:
Elianna Amer
Aitai Yosef
Karen Cohen
Amit Cohen
Loren Ailan
Verena Sonner
Lina Kramer

Sample profile photos of Pro-Hamas fake and rogue Facebook accounts:
Sample malicious and fraudulent URL known to have participated in the campaign:
hxxp://apkpkg.com/android/?product=yeecallpro - 50.63.202.43; 50.87.148.131; 50.63.202.56

Related malicious MD5s known to have participated in the campaign:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://goldncup.com
hxxp://glancelove.com - 204.11.56.48; 198.54.117.1; 198.54.117.198; 198.54.117.200; 198.54.117.197; 192.64.118.163
hxxp://autoandroidup.website
hxxp://mobilestoreupdate.website
hxxp://updatemobapp.website

Related malicious IPs known to have participated in the campaign:
hxxp://107.175.144.26
hxxp://192.64.114.147

Related malicious MD5s known to have participated in the campaign:
MD5: 4f9383ae4d0285aeb86e56797f3193f7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent C&C phone-back URLs:
hxxp://endpointup.com/update/upfolder/updatefun.php
hxxp://droidback.com/pockemon/squirtle/functions.php

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://androidbak.com
hxxp://droidback.com
hxxp://endpointup.com
hxxp://siteanalysto.com
hxxp://goodydaddy.com

Related emails known to have participated in the campaign:
info@palgoal.ps
support@nepras.com
mtcg@mtcgaza.com

Related fraudulent and malicious domains known to have been registered using the same email - info@palgoal.ps:
hxxp://7qlp.com
hxxp://all-in1.net
hxxp://androidmobgate.com
hxxp://arabstonight.com
hxxp://collectrich.com
hxxp://krmalk.com
hxxp://motionsgraphic.com
hxxp://orchidcollege.com
hxxp://paltrainers.org
hxxp://rosomat.net
hxxp://stikerscloud.com

Related fraudulent and malicious domains known to have been registered using the same email - support@nepras.com:
hxxp://acchd.net
hxxp://ahlulquran.com
hxxp://alalbait.ps
hxxp://alnorhan.com
hxxp://alowini.com
hxxp://alresalah.news
hxxp://alshibl.com
hxxp://alwanbook.com
hxxp://arqamschools.com
hxxp://azarcnc.com
hxxp://boxmarket.org
hxxp://bstcover.com
hxxp://caades.org
hxxp://detour-bs.com
hxxp://driverup2date.com
hxxp://drmazen.com
hxxp://drmazen.ps
hxxp://eta-water.com
hxxp://fares-alarab.com
hxxp://feker.net
hxxp://fekerjaded.net
hxxp://fekerjaded.com
hxxp://gaza-health.com
hxxp://gcstv.tv
hxxp://hairgenomics.com
hxxp://idco.center
hxxp://islamicbl.com
hxxp://khaledjuma.net
hxxp://kingtoys.ps
hxxp://learningoutcome.net
hxxp://lemaghi.com
hxxp://lsugaza.org
hxxp://mailsinfo.net
hxxp://majallaa.com
hxxp://manara.ps
hxxp://mobilyapp.com
hxxp://mtsc.tech
hxxp://nepras.net
hxxp://nepras.ps
hxxp://nsms.ps
hxxp://osamaalnajjar.com
hxxp://osratyorg.com
hxxp://panorama-pvs.com
hxxp://pay2earn.net
hxxp://pharmahome.net
hxxp://saqacc.com
hxxp://saudifame.com
hxxp://scc-online.net
hxxp://sondooq.net
hxxp://syada.org
hxxp://takafulsys.com
hxxp://taqat.work
hxxp://taqat.jobs
hxxp://technologylotus.com
hxxp://thoraya.net
hxxp://vgsat.com
hxxp://yabous.net
hxxp://yourav.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://googlemapsservice.com
hxxp://lipidgenomics.com
hxxp://akalgroup.net
hxxp://rami-kerenawi.com
hxxp://bestyleperfumes.com
hxxp://azarcnc.com
hxxp://go-2web.com
hxxp://jettafood.com
hxxp://mushtahatours.com
hxxp://pal4news.net
hxxp://pcr-shate.com
hxxp://saqacc.com
hxxp://shahidvideo.com
hxxp://shop8d.net
hxxp://spermgenomics.com
hxxp://tawjihips.com
hxxp://vidioarb.com
hxxp://yourav.net
hxxp://yourdialerpal.com
hxxp://freedombeacon.info
hxxp://neprastest.info
hxxp://nirmaali.com
hxxp://zaibaq-hearing.com
hxxp://bramgsoft.com
hxxp://hairgenomics.com
hxxp://dietgenomix.com
hxxp://arcadialanguages.com
hxxp://himoudco.com
hxxp://moltkaa.com
hxxp://toyoorjanna.com
hxxp://facebootshe.com
hxxp://facebootshe.net
hxxp://somoood.com
hxxp://alnorhan.com
hxxp://alwatantoday.net
hxxp://elianali.com
hxxp://sspal.net
hxxp://hi-galaxy.com
hxxp://youthn.net
hxxp://gmamalaysia.com
hxxp://cbspgaza.com
hxxp://madarikmedia.com
hxxp://website-testnew.com
hxxp://childworldsociety.com
hxxp://netmarketpal.net
hxxp://albwwaba.com
hxxp://saudib.info
hxxp://pwaha.com
hxxp://smilymedia.com
hxxp://ftyatalghad.com
hxxp://coldymedia.com
hxxp://kh-alsendawy.com
hxxp://scoutsyalla.com
hxxp://almofker.com
hxxp://rawnaqmedia.net
hxxp://pro-stud.com
hxxp://shawa-plast.com
hxxp://eta-water.com
hxxp://host4tech.net
hxxp://fekerjaded.com
hxxp://audioodrivers.com
hxxp://trsanweb.com
hxxp://3almpro.com
hxxp://neprasweb.info
hxxp://thaqefnafsak.net
hxxp://newpal21.com
hxxp://ads4market.net
hxxp://qcpalestineforum.net
hxxp://alothmanx.com
hxxp://detourbs.com
hxxp://engash.com
hxxp://anafenyx.com
hxxp://dar-pal.com
hxxp://loyal-hands.com
hxxp://sahabacomplex.net
hxxp://logintest.info
hxxp://mapartnr.com
hxxp://hejazeceramics.com
hxxp://gazaapeal.com
hxxp://tawzzef.com
hxxp://gazaappeal.com
hxxp://oqpizza.com
hxxp://arqamschools.com
hxxp://nafhacenter.com
hxxp://halaalmasry.com
hxxp://q9polls.com
hxxp://q8-polls.com
hxxp://palalghadschool.com
hxxp://servesni.com
hxxp://rose2020.com
hxxp://km-pal.com
hxxp://cfpalestine.com
hxxp://ipad2me.com
hxxp://arabsdownload.com
hxxp://projectsinturkey.com
hxxp://newmassa.com
hxxp://charitysys.info
hxxp://nepraswebsite.com
hxxp://iquds.com
hxxp://yabous.net
hxxp://appsapkandroid.us
hxxp://alltech4arab.com
hxxp://hadaf.info
hxxp://plmedgroup.com
hxxp://modhish.net
hxxp://mltaka.com
hxxp://ajelapp.com
hxxp://khmap.com
hxxp://cupsport.net
hxxp://arshdnytech.com
hxxp://gmaedu.net
hxxp://lemaghi.com
hxxp://creativityjob.com
hxxp://imes-group.net
hxxp://rawnaqmedia.com
hxxp://alwanbook.com
hxxp://fifafoot.com
hxxp://sportarabs.com
hxxp://el-qalam.com
hxxp://bawadirsoft.com
hxxp://palalghad-school.com
hxxp://mixedwork.com
hxxp://alowini.com
hxxp://detour-bs.com
hxxp://earningoutcome.net
hxxp://shahedcom.com
hxxp://sport-kora.com
hxxp://torathshop.com
hxxp://newsolararabian.com
hxxp://h3sk.com
hxxp://gh-gaza91.com
hxxp://watanps.com
hxxp://mobilyapp.com
hxxp://nfs-pal.com
hxxp://yousef123.com
hxxp://alhato.com
hxxp://alyawmpress.net
hxxp://technologylotus.com
hxxp://qavalues.com
hxxp://ask2play.net
hxxp://hamasld.com
hxxp://bhscfood.com
hxxp://nmanews.com
hxxp://ifcdoha4.com
hxxp://sparkpowerco.net
hxxp://archour.com
hxxp://nmanews.net
hxxp://academy-uk.net
hxxp://turkey-gate.com
hxxp://learningoutcome.net
hxxp://smattrix.com
hxxp://eradaa.net
hxxp://paltoday.com
hxxp://sugar-salt.net
hxxp://boutiqobasket.com
hxxp://ethadalpadia.com
hxxp://fonoungallery.com
hxxp://gazawiit.com
hxxp://alfarisnt.com
hxxp://lama-film.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://lovemagazineofficial.com
hxxp://masmo7.com
hxxp://mnwrna.com
hxxp://androidbak.com
hxxp://fastdroidmob.com
hxxp://treestower.com
hxxp://aymanjoda.com
hxxp://advflameco.com
hxxp://mahmoudzuaiter.com
hxxp://libyatoda.com
hxxp://mtcpal.com
hxxp://khfamilies.com
hxxp://ch2t0.com
hxxp://dwratcom.com
hxxp://faker4.com
hxxp://orubah.com
hxxp://orchidcollege.com
hxxp://yasser-arafat.com
hxxp://wf-hall.com
hxxp://maharaty.net
hxxp://addoja.net
hxxp://arb10.com
hxxp://ajel-news.com
hxxp://rosomat.net
hxxp://sahifty.net
hxxp://looktik.com
hxxp://pstent.com
hxxp://newsmagasine.com
hxxp://gazass.com
hxxp://dooownloads.com
hxxp://androidmobgate.com
hxxp://koora-fast.com
hxxp://fitlifee.com
hxxp://share-crowd.com

Related domains registered using the "Modern Tech Corp" Pro-Hamas fraudulent and malicious infrastructure:
hxxp://atfalocom.com
hxxp://bopfile.com
hxxp://djadet.com
hxxp://ecsrs.com
hxxp://egp-gaza.com
hxxp://infoocean.net
hxxp://katakeety.com
hxxp://katakeety.net
hxxp://linefood.com
hxxp://mtcpal.net
hxxp://nawrastv.net
hxxp://shobbaik.com
hxxp://tashbik.biz
hxxp://tashbik.com
hxxp://vansac-english.com
hxxp://woodrom.com
hxxp://alfareeq.info
hxxp://tashbik.info
hxxp://cashbacksave.com
hxxp://nerab.com
hxxp://download4android.com
hxxp://altartosi.net
hxxp://fostanews.com
hxxp://silverdai.com
hxxp://selhelou.com
hxxp://albassam-co.com
hxxp://almanar-studio.com
hxxp://facekooora.com
hxxp://holylandcar.com
hxxp://qneibi.com
hxxp://shaheen-flower.com
hxxp://strong-k.com
hxxp://pioneerfoodco.com
hxxp://sinokrotex.com
hxxp://zawiaa.net
hxxp://amwwal.com
hxxp://abuamra.com
hxxp://madridista-arab.com
hxxp://donia-fm.com
hxxp://donia-fm.net
hxxp://lmasatfnya.com
hxxp://dolphinexpress1.com
hxxp://dolphinexpress1.info
hxxp://dolphinexpress1.net
hxxp://radiosurif.com
hxxp://sahaba-radio.com
hxxp://odmint.com
hxxp://ylapin.com
hxxp://ylapin.net
hxxp://mypage-pro.com
hxxp://mohdsheikh.com
hxxp://altelbany.com
hxxp://dolphinariumtours.com
hxxp://artsofali.com
hxxp://menalmuheetlelkhaleej.com
hxxp://alghaidaa.com
hxxp://ajwad-marble.com
hxxp://istakbel.com
hxxp://istaqbel.com
hxxp://istaqbil.com
hxxp://istaqbl.com
hxxp://istqbl.com
hxxp://estakbel.com
hxxp://estaqbel.com
hxxp://estaqbil.com
hxxp://estaqbl.com
hxxp://estqbl.com
hxxp://massrefy.com
hxxp://massrify.com
hxxp://amwwaly.com
hxxp://amwwaly.info
hxxp://amwwaly.net
hxxp://nawrastv.com
hxxp://stepcrm.com
hxxp://imraish.com
hxxp://zawiaa.com
hxxp://3la-kefak.com
hxxp://bsaisofamily.com

Related malicious SHA1 hashes known to have participated in the campaign (40 hex characters each, so SHA1 rather than MD5):
SHA1: 10f27d243adb082ce0f842c7a4a3784b01f7248e
SHA1: b8237782486a26d5397b75eeea7354a777bff63a
SHA1: 09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813
SHA1: 9b923303f580c999f0fdc25cad600dd3550fe4e0
SHA1: 0b58c883efe44ff010f1703db00c9ff4645b59df
SHA1: 0a5dc47b06de545d8236d70efee801ca573115e7
SHA1: 782a0e5208c3d9e8942b928857a24183655e7470
SHA1: 5f71a8a50964dae688404ce8b3fbd83d6e36e5cd
SHA1: 03b404c8f4ead4aa3970b26eeeb268c594b1bb47

Related certificate SHA1 fingerprints known to have participated in the campaign:
10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6
9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03
44:52:E6:4C:97:4B:6D:6A:7C:40:AD:1E:E0:17:08:33:87:AA:09:09
67:43:9B:EE:39:81:F3:5E:10:33:C9:7A:D9:4F:3A:73:3B:B0:CF:0A
89:C8:E2:E3:4A:23:3C:A0:54:A0:4A:53:D6:56:C8:2D:4A:8D:80:56
B4:D5:0C:8B:73:CB:A9:06:8A:B3:F2:49:35:F8:58:FE:A2:3E:2E:3A

Related malicious MD5s known to have participated in the campaign including C&C phone-back locations:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7 - once executed the sample phones back to the following malicious domain - hxxp://jonalbertwebsite.000webhostapp.com
MD5: 95a782bd8711ac14ad76b068767515d7 - once executed the sample phones back to the following malicious domains - hxxp://107.175.144.26/apps/d/p/op.php -> hxxp://app-measurement.com/config/app/1:487050065789:android:6a899b85b4fafd55?app_instance_id=76d4b711c98c3632398d47cb8d5777a3&platform=android&gmp_version=11200
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313 - once executed the sample phones back to the following malicious domain - hxxp://192.64.114.147/apps/d/p/op.php
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91
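To turn the phone-back locations and domains listed above into something a defender can actually run, here is an added Python example (not code from the original post) that refangs the "hxxp://" indicators, collapses URL and domain indicators into one hostname set, and matches that set against proxy log lines, including subdomains of a listed domain. The proxy log format and the sample log lines are constructed for this example. The app-measurement.com URL in the second C&C entry is Google's Firebase Analytics configuration endpoint that many legitimate Android apps contact, so it is deliberately left out of the match set to avoid false positives. A small hash_kind helper is included because the post labels several 40-character digests as MD5; classifying a digest by length before loading it into a blocklist catches that kind of mix-up.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post above, in their defanged "hxxp://" form.
PAGE_IOCS = [
    "hxxp://jonalbertwebsite.000webhostapp.com",
    "hxxp://107.175.144.26/apps/d/p/op.php",
    "hxxp://192.64.114.147/apps/d/p/op.php",
    "hxxp://endpointup.com/update/upfolder/updatefun.php",
    "hxxp://droidback.com/pockemon/squirtle/functions.php",
    "hxxp://glancelove.com",
    "hxxp://goldncup.com",
]

# Two digests from the post, used only to show length-based classification.
PAGE_HASHES = [
    "8f1b709ae4fb41b32674ca8c41bfcbf7",
    "10f27d243adb082ce0f842c7a4a3784b01f7248e",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp:// or hxxps://) back into a real URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)


def ioc_host(ioc: str) -> str:
    """Extract the lower-cased hostname (or literal IP) from a defanged indicator."""
    host = urlsplit(refang(ioc)).hostname
    if not host:
        raise ValueError(f"no hostname in indicator: {ioc!r}")
    return host.lower()


def build_hostset(iocs) -> set:
    """Collapse URL and domain indicators into one set of hostnames to match on."""
    return {ioc_host(i) for i in iocs}


def host_matches(hostname: str, hostset: set) -> bool:
    """True if hostname is in the set or is a subdomain of an entry in the set.

    Only suffixes at label boundaries are tried, so 'glancelove.com' matches
    'cdn.glancelove.com' but not 'notglancelove.com'. Because the set holds the
    full 'jonalbertwebsite.000webhostapp.com', unrelated sites on the shared
    000webhostapp.com host do not match.
    """
    labels = hostname.lower().split(".")
    return any(".".join(labels[i:]) in hostset for i in range(len(labels)))


def hash_kind(digest: str) -> str:
    """Classify a hex digest by length: 32 hex chars is MD5, 40 is SHA-1, 64 is SHA-256."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d):
        return "invalid"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d), "unknown")


# Proxy log format assumed for this example: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log(lines, hostset):
    """Return (timestamp, client, matched_host) for every line whose URL host hits the set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # malformed line: skip it rather than abort a batch run
        host = urlsplit(m.group("url")).hostname
        if host and host_matches(host, hostset):
            hits.append((m.group("ts"), m.group("src"), host.lower()))
    return hits


# Constructed sample log lines (not real traffic); the two benign hosts must not match.
SAMPLE_LOG = [
    "2019-05-04T10:01:12Z 10.0.0.15 GET http://droidback.com/pockemon/squirtle/functions.php 200",
    "2019-05-04T10:01:13Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2019-05-04T10:02:40Z 10.0.0.22 POST http://107.175.144.26/apps/d/p/op.php 200",
    "2019-05-04T10:03:05Z 10.0.0.22 GET http://app-measurement.com/config/app/test 200",
    "2019-05-04T10:04:00Z 10.0.0.31 GET http://cdn.glancelove.com/update.apk 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hostset = build_hostset(PAGE_IOCS)
    for ts, src, host in scan_log(SAMPLE_LOG, hostset):
        print(f"{ts} {src} contacted campaign host {host}")
    for h in PAGE_HASHES:
        print(f"{h} looks like {hash_kind(h)}")
```

Matching on the hostname rather than the full URL is deliberate: the samples above use fixed PHP paths, but a path can change between builds while the domain or IP stays the same, and a hostname set also covers the bare domains listed elsewhere in the post.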

Related malicious URL known to have participated in the campaign:
hxxp://bit.ly/2M7E2Zg