Sunday, May 05, 2019

Historical OSINT - Massive Scareware-Serving Campaign Spotted in the Wild

doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189

marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyLRademacher@live.com
More redirectors parked at the same IP (A records):
browsersafeon.com  A  91.205.40.5
online-income2.cn  A  91.205.40.5
applestore2.cn  A  91.205.40.5
media-news2.cn  A  91.205.40.5
clint-eastwood.cn  A  91.205.40.5
stone-sour.cn  A  91.205.40.5
marketcoms.cn  A  91.205.40.5
fashion-news.cn  A  91.205.40.5

Leads to:
http://guard-syszone.net/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWeYJWfZWVilWWenGOIo6THodjXoGJdpqmikpVuaGVvZG1kbV%2FEkKE%3D - 206.53.61.73
http://www.virustotal.com/analisis/e664ff540556bcde19bb7eea967016f491bb024c3d66b455d22f1afb7bd36b3e-1256160669

http://yourspywarescan15.com/scan1/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12
http://www.virustotal.com/analisis/6e28a767b2f067285389758802e81379687f87864ecc85412e022ebe172c01d1-1256160825

Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang

It's 2010 and I've recently come across yet another currently active scareware-serving campaign courtesy of the Koobface gang, this time successfully introducing a CAPTCHA-breaking module that potentially improves its propagation and distribution scale within major social networks.

In this post I'll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of AS29550 - EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
hxxp://ebeoxuw.cn/?uid=13301
hxxp://ebiezoj.cn/22/?uid=13301
hxxp://goscanhand.com/?uid=13301
hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in the campaign:
MD5: 16575a1d40f745c2e39348c1727b8552

Once executed, the sample phones back to:
hxxp://in5it.com/download/Ipack.jpg - the actual executable

Related malicious MD5 known to have participated in the campaign:
MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd

Related malicious MD5 known to have participated in the campaign:
MD5: 6262c0cb1459adc8f278136f3cff2777

It's worth pointing out that, prior to this analysis, the Koobface gang appears to have introduced a CAPTCHA-breaking module which basically relies on actively outsourcing the CAPTCHA-solving process, potentially improving Koobface's spreading and propagation effectiveness.

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed, a sample phones back to the following C&C servers:
hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 - 67.212.69.230
hxxp://captchastop.com/captcha/?a=get&i=1&v=14 - 67.212.69.230

Historical OSINT - Yet Another Massive Scareware Serving Campaign Courtesy of the Koobface Gang

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang, this time successfully typosquatting my name within its command and control infrastructure.

In this post I'll provide actionable intelligence behind the campaign and will discuss in-depth the infrastructure behind it.

Sample malicious and fraudulent domains known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979

Sample malicious MD5 known to have participated in the campaign:
MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c

Once executed, the sample phones back to:
hxxp://212.117.160.18/install.php?id=02979

which is basically our dear friends at AS44042 ROOT-AS root eSolutions.

More scareware domains are parked at the same IP, where Crusade Affiliates continue serving a diverse set of fake security software.

It's also worth pointing out that the Koobface gang has recently started typosquatting my name when registering domains (for instance Rancho Ranchev, Pancho Panchev, etc.), including hxxp://mayernews.com, which is registered to Danchev Danch (1andruh.a1@gmail.com).

Astalavista Security Group 2.0 - The Underground - Official Launch Announcement

Dear blog readers, I wanted to let you know that I've recently launched a currently active Indiegogo crowd-funding campaign regarding my favorite working place throughout the 90's, the Astalavista Security Group, and I wanted to find out whether you might be interested in spreading the word about the campaign, including a possible donation.

Consider going through the following already published updates and making a donation:

01. New Update - Official Campaign Announcement
02. New Update - Official Astalavista 2.0 - Press Release Launch
03. New Update - Official Astalavista 2.0 - Statement of Work
04. New Update - Official Astalavista 2.0 - The Big Idea
05. New Update - Official Astalavista 2.0 - The Fanciful Story

Feel free to reach me at dancho.danchev@hush.com

Stay tuned!