In this post I'll provide actionable intelligence on the campaign and discuss in depth the tactics, techniques and procedures (TTPs) of the cybercriminals behind it.
Sample URL from the campaign's client-side exploits serving chain:
hxxp://ict.org.il/js/1.html
Sample malicious binary (MD5) known to have been used in the campaign:
MD5: e29c9a81c204aeb901a7287978cf58db
Once executed, the sample drops the following additional files (MD5s) on the affected host:
MD5: d2354e9ce69985c1f55dbad2837099b8
MD5: 4e1e2b9cd6b5bca2b1b935ddc97f2d7a
Once executed, the sample phones back to the following C&C server (domain and IP):
hxxp://interfacet.oicp.net - 65.19.141.203
Related malicious domains known to have phoned back to the same C&C server IP (65.19.141.203):
360safeupdate02.gicp.net
ainiyi.oicp.net
akrso.gicp.net
botnet004.gicp.net
botnetdown.gicp.net
caoqihua520.gicp.net
catx.vicp.cc
ciygqn.gicp.net
cn88.5166.info
daihocvn.gicp.net
data.imzone.in
dnfbfz01.gicp.net
ericsson.vicp.cc
getnew.vicp.cc
grandoiltech.eicp.net
haiqing.51vip.biz
interfacet.oicp.net
isacat.gicp.net
iteni.vicp.cc
jinxg999.gicp.net
jiodi.oicp.net
love14789632.oicp.net
lu111111.gicp.net
lululu.vicp.cc
lwtyy.oicp.net
mhkmir.eicp.net
mlhl.vicp.cc
oypp.oicp.net
qqua.51vip.biz
rave.oicp.net
roujisevftp.gicp.net
roujisevftp1.gicp.net
roujisevftp2.gicp.net
sq3431.vicp.cc
wg5173.gicp.net
wsgj.eicp.net
www.96331.com
yanxiannishunyi.gicp.net
yudecai86.gicp.net
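To make the indicators above directly usable, here is an added example (my own code, not part of the original post) that loads the URL, MD5s, C&C IP and domains listed on this page and matches them against proxy and DNS log lines. The log format is constructed for illustration only (whitespace-separated fields; the sample lines are not real traffic), so adapt the tokenizer to your own log source. Domains are matched as exact hostnames on purpose: most of the list consists of subdomains of shared dynamic DNS zones (gicp.net, oicp.net, vicp.cc, eicp.net), and matching or blocking the parent zone would sweep up unrelated users of those services.

```python
"""Match the indicators published in this post against proxy / DNS log lines.

Added example, not part of the original post. The log format below is
constructed for illustration; adapt the tokenizer to your own log source.
"""
import ipaddress
import re
from urllib.parse import urlparse

# --- Indicators copied from the post (URL kept in its defanged "hxxp" form) ---
DEFANGED_URLS = ["hxxp://ict.org.il/js/1.html"]
MD5S = {
    "e29c9a81c204aeb901a7287978cf58db",  # initial sample
    "d2354e9ce69985c1f55dbad2837099b8",  # dropped file
    "4e1e2b9cd6b5bca2b1b935ddc97f2d7a",  # dropped file
}
C2_IPS = {"65.19.141.203"}
# Exact hostnames only: most of these are subdomains of shared dynamic DNS
# zones (gicp.net, oicp.net, vicp.cc, eicp.net), so matching the parent zone
# would flag unrelated users of those services.
C2_DOMAINS = set("""
360safeupdate02.gicp.net ainiyi.oicp.net akrso.gicp.net botnet004.gicp.net
botnetdown.gicp.net caoqihua520.gicp.net catx.vicp.cc ciygqn.gicp.net
cn88.5166.info daihocvn.gicp.net data.imzone.in dnfbfz01.gicp.net
ericsson.vicp.cc getnew.vicp.cc grandoiltech.eicp.net haiqing.51vip.biz
interfacet.oicp.net isacat.gicp.net iteni.vicp.cc jinxg999.gicp.net
jiodi.oicp.net love14789632.oicp.net lu111111.gicp.net lululu.vicp.cc
lwtyy.oicp.net mhkmir.eicp.net mlhl.vicp.cc oypp.oicp.net qqua.51vip.biz
rave.oicp.net roujisevftp.gicp.net roujisevftp1.gicp.net roujisevftp2.gicp.net
sq3431.vicp.cc wg5173.gicp.net wsgj.eicp.net www.96331.com
yanxiannishunyi.gicp.net yudecai86.gicp.net
""".split())

HEX32 = re.compile(r"\b([0-9a-fA-F]{32})\b")


def refang(value):
    """Undo the common defanging conventions (hxxp -> http, [.] -> .)."""
    return re.sub(r"hxxp", "http", value, flags=re.IGNORECASE).replace("[.]", ".")


URLS = {refang(u).lower() for u in DEFANGED_URLS}


def scan_token(token):
    """Return (indicator_type, indicator) pairs found in one log token."""
    hits = []
    tok = refang(token)
    for digest in HEX32.findall(tok):
        if digest.lower() in MD5S:
            hits.append(("md5", digest.lower()))
    if "://" in tok:
        if tok.lower() in URLS:
            hits.append(("url", tok.lower()))
        host = urlparse(tok).hostname
    else:
        host = tok.split(":")[0]  # bare hostname, IPv4 literal or host:port
    if not host:
        return hits
    host = host.rstrip(".").lower()
    if host in C2_DOMAINS:
        hits.append(("domain", host))
    try:
        if str(ipaddress.ip_address(host)) in C2_IPS:
            hits.append(("ip", host))
    except ValueError:
        pass  # token is not an IP literal
    return hits


def scan_line(line):
    """Scan a whitespace-separated log line for any indicator from the post."""
    return [hit for token in line.split() for hit in scan_token(token)]


def scan_logs(lines):
    """Return {line_number: hits} for every line that matched an indicator."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}


# Constructed proxy / DNS log lines (not real traffic) to exercise the matcher.
SAMPLE_LOGS = [
    "2011-01-10T09:12:01Z 10.0.0.5 GET http://ict.org.il/js/1.html 200",
    "2011-01-10T09:12:07Z 10.0.0.5 dns-query interfacet.oicp.net A 65.19.141.203",
    "2011-01-10T09:12:09Z 10.0.0.5 CONNECT 65.19.141.203:80 -",
    "2011-01-10T09:13:00Z 10.0.0.7 GET http://www.example.com/index.html 200",
    "2011-01-10T09:14:00Z 10.0.0.9 av-detect C:\\Users\\x\\update.exe md5=d2354e9ce69985c1f55dbad2837099b8",
    "2011-01-10T09:15:00Z 10.0.0.7 dns-query update.gicp.net A 203.0.113.5",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

The last sample line (update.gicp.net, a sibling under the same dynamic DNS zone) deliberately produces no hit, which is the behaviour you want from exact-hostname matching. The host:port split is IPv4-only; if your logs carry bracketed IPv6 literals, extend the tokenizer before relying on the IP match.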
Stay tuned!