Sunday, December 13, 2020

Historical OSINT - International Institute For Counter-Terrorism Serving Malware - An Analysis

The International Institute For Counter-Terrorism is known to have served malicious software to its targeted user base back in 2013.

In this post I'll provide actionable intelligence on the campaign and discuss in depth the tactics, techniques and procedures (TTPs) of the cybercriminals behind it.

Sample malicious client-side exploit-serving chain (URL defanged):

hxxp://ict.org.il/js/1.html

Sample malicious MD5 known to have participated in the campaign:

MD5: e29c9a81c204aeb901a7287978cf58db

Once executed, the sample drops additional files with the following MD5s on the affected host:

MD5: d2354e9ce69985c1f55dbad2837099b8

MD5: 4e1e2b9cd6b5bca2b1b935ddc97f2d7a

Once executed, the sample phones back to the following C&C server domain:

hxxp://interfacet.oicp.net - 65.19.141.203

Related malicious domains known to have phoned back to the same C&C server IP (65.19.141.203):

360safeupdate02.gicp.net

ainiyi.oicp.net

akrso.gicp.net

botnet004.gicp.net

botnetdown.gicp.net

caoqihua520.gicp.net

catx.vicp.cc

ciygqn.gicp.net

cn88.5166.info

daihocvn.gicp.net

data.imzone.in

dnfbfz01.gicp.net

ericsson.vicp.cc

getnew.vicp.cc

grandoiltech.eicp.net

haiqing.51vip.biz

interfacet.oicp.net

isacat.gicp.net

iteni.vicp.cc

jinxg999.gicp.net

jiodi.oicp.net

love14789632.oicp.net

lu111111.gicp.net

lululu.vicp.cc

lwtyy.oicp.net

mhkmir.eicp.net

mlhl.vicp.cc

oypp.oicp.net

qqua.51vip.biz

rave.oicp.net

roujisevftp.gicp.net

roujisevftp1.gicp.net

roujisevftp2.gicp.net

sq3431.vicp.cc

wg5173.gicp.net

wsgj.eicp.net

www.96331.com

yanxiannishunyi.gicp.net

yudecai86.gicp.net
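
To turn the indicators above into something a defender can actually run, here is a small Python matcher (an added example, not code from the original post or from any tool it mentions). It embeds the post's own IoCs (the defanged exploit-chain URL, the three MD5s, the C&C domain and IP, and the related domain list), re-fangs the URL, and scans a handful of constructed proxy, DNS, firewall and file-hash log lines for any hit. The log formats are assumptions made up for the example; the indicator values are exactly those listed in the post.

```python
import re

# Indicators exactly as listed in the post (URL defanged with "hxxp").
EXPLOIT_CHAIN_URL = "hxxp://ict.org.il/js/1.html"
DROPPER_MD5 = "e29c9a81c204aeb901a7287978cf58db"
DROPPED_MD5S = frozenset({
    "d2354e9ce69985c1f55dbad2837099b8",
    "4e1e2b9cd6b5bca2b1b935ddc97f2d7a",
})
C2_DOMAIN = "interfacet.oicp.net"
C2_IP = "65.19.141.203"
RELATED_DOMAINS = frozenset("""
360safeupdate02.gicp.net ainiyi.oicp.net akrso.gicp.net botnet004.gicp.net
botnetdown.gicp.net caoqihua520.gicp.net catx.vicp.cc ciygqn.gicp.net
cn88.5166.info daihocvn.gicp.net data.imzone.in dnfbfz01.gicp.net
ericsson.vicp.cc getnew.vicp.cc grandoiltech.eicp.net haiqing.51vip.biz
interfacet.oicp.net isacat.gicp.net iteni.vicp.cc jinxg999.gicp.net
jiodi.oicp.net love14789632.oicp.net lu111111.gicp.net lululu.vicp.cc
lwtyy.oicp.net mhkmir.eicp.net mlhl.vicp.cc oypp.oicp.net qqua.51vip.biz
rave.oicp.net roujisevftp.gicp.net roujisevftp1.gicp.net roujisevftp2.gicp.net
sq3431.vicp.cc wg5173.gicp.net wsgj.eicp.net www.96331.com
yanxiannishunyi.gicp.net yudecai86.gicp.net
""".split())

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn the post's defanged 'hxxp://' form back into a real scheme for matching."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)


def find_indicators(line: str) -> list:
    """Return (kind, value, tag) triples for every post IoC found in one log line."""
    hits = []
    for h in MD5_RE.findall(line):
        h = h.lower()
        if h == DROPPER_MD5:
            hits.append(("md5", h, "dropper-md5"))
        elif h in DROPPED_MD5S:
            hits.append(("md5", h, "dropped-payload-md5"))
    for ip in IPV4_RE.findall(line):
        if ip == C2_IP:
            hits.append(("ip", ip, "c2-ip"))
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        if host == C2_DOMAIN:
            hits.append(("domain", host, "c2-domain"))
        elif host in RELATED_DOMAINS:
            hits.append(("domain", host, "related-c2-domain"))
    # Match the full exploit-chain URL, not the bare site, so ordinary
    # traffic to the compromised site is not flagged on its own.
    if refang(EXPLOIT_CHAIN_URL).lower() in line.lower():
        hits.append(("url", refang(EXPLOIT_CHAIN_URL), "exploit-chain-url"))
    return hits


def scan_logs(lines) -> list:
    """Return [(line, hits)] for every line that contains at least one IoC."""
    return [(line, find_indicators(line)) for line in lines if find_indicators(line)]


# Constructed sample log lines (assumed formats, made up for this example).
SAMPLE_LOGS = [
    "2013-03-02T10:14:07Z proxy GET http://ict.org.il/js/1.html 200 src=10.0.0.12",
    "2013-03-02T10:14:09Z av-hash file=C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"
    " md5=e29c9a81c204aeb901a7287978cf58db",
    "2013-03-02T10:14:11Z dns query A interfacet.oicp.net from 10.0.0.12",
    "2013-03-02T10:14:12Z fw allow tcp 10.0.0.12:49211 -> 65.19.141.203:80",
    "2013-03-02T10:20:00Z dns query A www.example.com from 10.0.0.15",
    "2013-03-02T10:21:30Z dns query A botnetdown.gicp.net from 10.0.0.19",
]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        tags = ", ".join(f"{kind}:{value} [{tag}]" for kind, value, tag in hits)
        print(f"HIT  {line}\n     {tags}")
```

Run as-is it prints the five matching sample lines with their indicator tags; in practice you would feed it your own proxy, DNS, firewall or AV hash exports one line at a time. The related-domain list is matched exactly rather than by parent domain, because the parent zones it sits under host plenty of unrelated names.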

Stay tuned!
