Saturday, May 04, 2019

Historical OSINT - Profiling the Loads.cc Enterprise

Remember loads.cc? In this post I'll provide actionable intelligence on the popular DDoS for hire service circa 2008 and offer in-depth perspective on the tactics utilized by the gang behind the service for the purpose of earning fraudulent revenue in the process of monetizing access to malware-infected hosts.

Sample malicious and fraudulent infrastructure known to have participated in the campaign:
hxxp://loads.cc - hxxp://ns1.udnska.cn (72.21.52.99), interestingly, hxxp://sateliting.cn is the C&C for hxxp://loads.cc service.

Related malicious and fraudulent URLs known to have participated in the campaign:
hxxp://sateliting.cn/?&v=exp6&lid=1033
hxxp://sateliting.cn/?&v=iron&lid=1033
hxxp://sateliting.cn/?&v=1810kj&lid=1033
hxxp://sateliting.cn/?&v=Loko&lid=1033
hxxp://sateliting.cn/?&v=mporlova&lid=1033
hxxp://satelit-ing.cn/?&v=mporlova&lid=1033
hxxp://sateliting.cn/?&v=gto&lid=1033

Related malicious IPs known to have responded to sateliting.cn:
hxxp://50.117.116.117
hxxp://216.172.154.34
hxxp://50.117.122.90
hxxp://205.164.24.45
hxxp://50.117.116.205
hxxp://50.117.116.204
hxxp://65.19.157.227

Related malicious MD5s known to have participated in the campaign:
MD5: eb0e25f2ac8f50590e3a00dcf766ef02
MD5: 48cf9b8b063715bb53e691da61601a73
MD5: 0b63dc08da40fcaf532847cfa5d9fc12
MD5: 0abaffe7d19c382d6dc94e40b27f199b
MD5: 0844b755c7e26c8051ab23369f720a4b
MD5: 2f3e270c37b48523e3e89ab76a012092