Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet

It's 2010 and I've recently came across to a compromised Georgian Government Ministry of Defense and Ministry of Justice official Web site spreading potentially participating in a wide-spread phishing and malware-serving campaign enticing users into interacting with the rogue U.S Intelligence and U.S Law Enforcement themed emails for the purpose of spreading and dropping malicious software on the targeted host's PC.

Sample malicious URL known to have participated in the campaign abusing common Web Site redirection application vulnerability flaw:

hxxp://www.mod.gov.ge/2007/video/movie.php?l=G&v=%20%3E%20a%20href%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3EDownload%20%3C%2Fa%3E%20script%3Ewindow.OPEN%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3C%2Fscript%3E%20#05184916461921807121

Related malicious URLs known to have participated in the campaign:

hxxp://officialweightlosshelp.org/wp-admin/report.zip

Spread URL found within the config:

hxxp://www.adventure-center.net/upload/x.txt - 195.70.48.67

Related compromised malicious URLs known to have participated in the campaign:

hxxp://new.justice.gov.ge/files/Headers/in.txt

hxxp://new.justice.gov.ge/files/Headers/fresh.txt

hxxp://new.justice.gov.ge/files/Headers/rollers1.php

Related MD5s known to have participated in the campaign:

MD5: d0c0a2e6b30f451f69df9e2514ba36f2

MD5: 974a4a516260a4fafb36234897469013

MD5: ecb7304f838efb8e30a21189458b8544

MD5: 81b3bff487fc9a02e10288114fc2b5be

MD5: 234523904033f8dc692c743cbcf5cf2b

MD5: e2fffaffc1064d24e7ea6bab90fd86fc

MD5: 5941c9b5bd567c5baaecc415e453b5c8

MD5: 0ff325365f1d8395322d1ef0525f3b1f

MD5: 4437617b7095ed412f3c663d4b878c30

MD5: eb66a3e11690069b28c38cea926b61d2

MD5: 2b7e4b7c5faf45ebe48df580b63c376b

Known to have participated in the campaign are also the following two domains part of the Hilary Kneber botnet:
hxxp://dnicenter.com - Email: abuseemaildhcp@gmail.com
hxxp://dhsorg.org - Email: hilarykneber@yahoo.com

Related malicious download location URLs known to have participated in the campaign:
hxxp://www.zeropaid.com/bbs/includes/CYBERCAFE.zip
hxxp://rapidshare.com/files/318309046/CYBERCAFE.zip.html
hxxp://www.sendspace.com/file/fmbt01
hxxp://hkcaregroup.com/modlogan/MILSOFT.zip
hxxp://rapidshare.com/files/320369638/MILSOFT.zip.html
hxxp://fcpra.org/downloads/MILSOFT.zip
hxxp://fcpra.org/downloads/winupdate.zip
hxxp://www.sendspace.com/file/tj373l
hxxp://mv.net.md/update/update.zip - 195.22.225.5
hxxp://www.sendspace.com/file/7jmxtq
hxxp://mv.net.md/dsb/DSB.zip
hxxp://www.sendspace.com/file/rdxgzd
hxxp://timingsolution.com/Doc/BULLETIN.zip
hxxp://www.sendspace.com/file/goz3yd
hxxp://dnicenter.com/docs/report.zip
hxxp://dhsorg.org/docs/instructions.zip - 222.122.60.186; 222.122.60.1
hxxp://www.sendspace.com/file/h96uh1
hxxp://depositfiles.com/files/xj1wvamc4
hxxp://tiesiog.puikiai.lt/report.zip
hxxp://somashop.lv/report.zip
hxxp://www.christianrantsen.dk/report.zip
hxxp://enigmazones.eu/report.zip
hxxp://www.christianrantsen.dk/report.zip
hxxp://enigmazones.eu/report.zip

hxxp://gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN.zip
hxxp://quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.zip - 66.147.242.169

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://dhsinfo.info - 218.240.28.34
hxxp://greylogic.info - 218.240.28.34; 218.240.28.4
hxxp://intelfusion.info - 218.240.28.34

hxxp://greylogic.org - 222.122.60.1

Related malicious MD5s known to have participated in the campaign:
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
MD5: 28c4648f05f46a3ec37d664cee0d84a8

Once executed a sample malware phones back to the following C&C server IPs:
hxxp://from-us-with-love.info - 91.216.141.171
hxxp://from-us-with-love.info/imglov/zmpt4d/n16v18.bin
hxxp://vittles.mobi - 174.132.255.10

hxxp://nicupdate.com - 85.31.97.194

Related malicious and fraudulent IPs known to have participated in the Hilary Kneber botnet campaign:
hxxp://58.218.199.239
hxxp://59.53.91.102
hxxp://60.12.117.147
hxxp://61.235.117.71
hxxp://61.235.117.86
hxxp://61.4.82.216
hxxp://193.104.110.88
hxxp://95.169.186.103
hxxp://222.122.60.186
hxxp://217.23.10.19
hxxp://85.17.144.78
hxxp://200.106.149.171
hxxp://200.63.44.192
hxxp://200.63.46.134
hxxp://91.206.231.189
hxxp://124.109.3.135
hxxp://61.61.20.134
hxxp://91.206.201.14
hxxp://91.206.201.222
hxxp://91.206.201.8
hxxp://216.104.40.218
hxxp://69.197.128.203

Related malicious and fraudulent domains known to have participated in the Hilary Kneber botnet campaign:
hxxp://123.30d5546ce2d9ab37.d99q.cn
hxxp://d99q.cn
hxxp://524ay.cn
hxxp://adcounters.net
hxxp://adobe-config-s3.net
hxxp://mywarworld.cn
hxxp://aqaqaqaq.com
hxxp://avchecker123.com
hxxp://bizelitt.com
hxxp://biznessnews.cn
hxxp://bizuklux.cn
hxxp://fcrazy.com
hxxp://fcrazy.eu
hxxp://boolred.in
hxxp://brans.pl
hxxp://britishsupport.net
hxxp://bulkbin.cn
hxxp://chaujoi.cn
hxxp://checkvirus.net
hxxp://chinaoilfactory.cn
hxxp://chris25project.cn
hxxp://client158.faster-hosting.com
hxxp://cwbnewsonline.cn
hxxp://cxzczxccc.com.cn
hxxp://dasfkjsdsfg.biz
hxxp://dia2.cn
hxxp://digitalinspiration.e37z.cn
hxxp://dolbanov.net
hxxp://dolcegabbana.djbormand.cn
hxxp://djbormand.cn
hxxp://download.sttcounter.cn - 61.61.20.134; 211.95.78.98
hxxp://sttcounter.cn
hxxp://dred3.cn
hxxp://dsfad.in
hxxp://e37z.cn
hxxp://e58z.cn
hxxp://electrofunny.cn
hxxp://electromusicnow.cn
hxxp://elsemon.cn
hxxp://fcrazy.info
hxxp://filemarket.net
hxxp://flo5.cn
hxxp://footballcappers.biz
hxxp://fobsl.cn
hxxp://forum.d99q.cn
hxxp://gamno6.cn
hxxp://gidrasil.cn
hxxp://gifts2010.net
hxxp://ginmap.cn
hxxp://giopnon.cn
hxxp://gksdh.cn
hxxp://glousc.com
hxxp://gnfdt.cn
hxxp://gold-smerch.cn
hxxp://goldenmac.cn
hxxp://google.maniyakat.cn
hxxp://maniyakat.cn
hxxp://greenpl.com
hxxp://grizzli-counter.com
hxxp://grobin1.cn
hxxp://inpanel.cn
hxxp://itmasterz.org
hxxp://iuylqb.cn
hxxp://kaizerr.org
hxxp://keepmeupdated.cn
hxxp://khalej.cn
hxxp://kimosimotuma.cn
hxxp://klaikius.com
hxxp://klitar.cn
hxxp://kolordat482.com
hxxp://kotopes.cn
hxxp://liagand.cn
hxxp://love2coffee.cn
hxxp://majorsoftwareupdate.info
hxxp://marcusmed.com
hxxp://mcount.net
hxxp://mega-counter.com
hxxp://monstersoftware.info
hxxp://morsayniketamere.cn
hxxp://mydailymail.cn
hxxp://mynewworldorder.cn
hxxp://newsdownloads.cn
hxxp://nit99.biz
hxxp://nm.fcrazy.com
hxxp://nmalodbp.com
hxxp://not99.biz
hxxp://online-counter.cn
hxxp://pedersii.net
hxxp://piramidsoftware.info
hxxp://popupserf.cn
hxxp://qaqaqaqa.com
hxxp://qaqaqaqa.net
hxxp://qbxq16.com
hxxp://redlinecompany.ravelotti.cn
hxxp://ravelotti.cn
hxxp://relevant-information.cn

Related Hilary Kneber botnet posts:
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Dissecting the Exploits/Scareware Serving Twitter Spam Campaign
Koobface Botnet Starts Serving Client-Side Exploits

Fake NordVPN Web Site Drops Banking Malware Spotted in the Wild

I've recently came across to a rogue NordVPN web site distributing malicious software potentially exposing NordVPN users to a multi-tude of malicious software further compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:
hxxp://nord-vpn.club - 192.64.119.159; 2.56.215.159

Sample malicious MD5s known to have participated in the campaign:
MD5: 3c24aa2c26e3556194ffd182a4dfaae5a41f
MD5: 7d6c24992eff0d64f19c78f05ea95ae44bc83af1
MD5: d39c320c3a43873db2577b2c9c99d9bf2bdb285c
MD5: d5ed3c70a8d7213ed1b9a124bbc1942e2b8cfeea
MD5: e89efde8ae72857b1542e3ae47f047c54b3d341a
MD5: 59f511ea1e34753f41a75e05de96456ca28f14a7
MD5: 453c428edda0fc01b306cc6f3252893fce9763a7