It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang, which this time has successfully typosquatted my name within its command and control infrastructure.
In this post I'll provide actionable intelligence on the campaign and discuss the infrastructure behind it in depth.
Sample malicious and fraudulent domains known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979
Sample malicious MD5 known to have participated in the campaign:
MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c
Once executed, the sample phones back to:
hxxp://212.117.160.18/install.php?id=02979
which is basically our dear friends at AS44042 (ROOT-AS, root eSolutions).
Parked on the same IP, where Crusade Affiliates continue serving a diverse set of fake security software, are more scareware domains.
It's also worth pointing out that the Koobface gang has recently started typosquatting my name when registering domains (for instance Rancho Ranchev, Pancho Panchev, etc.), including hxxp://mayernews.com, which is registered to Danchev Danch (1andruh.a1@gmail.com).
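As an added example that is not part of the original post, the two pivots used above in Python: clustering hosts by the affiliate ID shared between the landing page and the C2 callback URL, and flagging WHOIS registrant names that sit within a couple of edits of a monitored name. The sample URLs are the post's own indicators plus one constructed entry, and the edit-distance threshold of 2 is an assumed tuning value.

```python
"""Defender-side helpers for two pivots in this post: the affiliate ID shared by
landing page and C2 callback, and registrant names typosquatting a monitored name."""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

AFFILIATE_KEYS = ("affid", "id")  # query parameters seen in the post's URLs

def pivot_on_affiliate(urls):
    """Map each affiliate ID to the hosts observed using it, so a landing
    page and a callback server sharing one ID are clustered together."""
    hosts = defaultdict(set)
    for raw in urls:
        parsed = urlparse(raw.replace("hxxp://", "http://", 1))  # refang
        params = parse_qs(parsed.query)
        for key in AFFILIATE_KEYS:
            for aid in params.get(key, []):
                hosts[aid].add(parsed.hostname)
    return {aid: sorted(h) for aid, h in hosts.items()}

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (insert/delete/substitute/adjacent swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def is_name_typosquat(candidate: str, monitored: str, max_dist: int = 2) -> bool:
    """True when every token of a registrant name is within max_dist edits of
    the monitored name's tokens (either token order) without matching exactly."""
    cand, mon = candidate.lower().split(), monitored.lower().split()
    if len(cand) != len(mon) or cand == mon:
        return False
    return any(all(osa_distance(c, m) <= max_dist for c, m in zip(cand, order))
               for order in (mon, mon[::-1]))

if __name__ == "__main__":  # constructed sample: the post's two URLs + one unrelated
    print(pivot_on_affiliate(["hxxp://qjcleaner.eu/hitin.php?affid=02979",
                              "hxxp://212.117.160.18/install.php?id=02979",
                              "hxxp://example.invalid/x.php?affid=11111"]))
    print([n for n in ("Rancho Ranchev", "Pancho Panchev", "John Smith")
           if is_name_typosquat(n, "Dancho Danchev")])
```

Short tokens make a threshold of 2 generous, so in practice the flagged names are a triage queue to check against registrar and hosting overlap, not a verdict.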
Sunday, May 05, 2019
Historical OSINT - Yet Another Massive Scareware Serving Campaign Courtesy of the Koobface Gang
Tags: Botnet, Cybercrime, Information Security, Koobface, Malicious Software, Security, Typosquatting
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com