Sunday, December 13, 2020

Historical OSINT - A Compilation of Publicly Accessible Web Shells - An Analysis

In this post I'll provide actionable intelligence on a set of IPs known to have hosted publicly accessible web shells. A web shell gives the cybercriminals behind the campaign a direct, browser-based connection to the compromised server, which they can then monetize, for example by hosting blackhat SEO content or malicious software on it. The shared /webdav/ path across every entry suggests the shells were dropped through writable WebDAV directories, a common mass-compromise vector at the time, so the filenames and the upload path are the indicators worth carrying over to your own servers.

Sample IPs known to have hosted publicly accessible web shells circa 2013, grouped by shell:

Kat.php:

http://63.143.52.90/webdav/Kat.php
http://188.39.86.169/webdav/Kat.php
http://71.13.238.29/webdav/Kat.php
http://122.192.68.247/webdav/Kat.php
http://79.136.101.26/webdav/Kat.php
http://218.66.79.138/webdav/Kat.php
http://147.46.53.121/webdav/Kat.php
http://195.70.35.170/webdav/Kat.php
http://202.120.38.4/webdav/Kat.php
http://222.73.18.86/webdav/Kat.php
http://208.115.223.114/webdav/Kat.php
http://83.238.165.202/webdav/Kat.php
http://195.243.244.22/webdav/Kat.php
http://210.163.224.65/webdav/Kat.php
http://120.68.42.163/webdav/Kat.php
http://114.142.147.125/webdav/Kat.php

Greenshell.php:

http://175.158.191.163/webdav/Greenshell.php
http://177.124.2.30/webdav/Greenshell.php
http://200.165.107.147/webdav/Greenshell.php
http://118.97.18.244/webdav/Greenshell.php
http://175.28.13.160/webdav/Greenshell.php
http://187.76.0.75/webdav/Greenshell.php
http://58.240.239.178/webdav/Greenshell.php
http://202.100.85.103/webdav/Greenshell.php
http://210.175.78.71/webdav/Greenshell.php
http://118.69.245.77/webdav/Greenshell.php
http://69.51.202.235/webdav/Greenshell.php
http://87.106.13.193/webdav/Greenshell.php
http://24.222.37.150/webdav/Greenshell.php
http://200.57.141.91/webdav/Greenshell.php
http://173.56.68.9/webdav/Greenshell.php
http://177.2.129.199/webdav/Greenshell.php
http://202.120.34.5/webdav/Greenshell.php
http://195.70.35.170/webdav/Greenshell.php
http://62.193.248.62/webdav/Greenshell.php
http://131.220.71.150/webdav/Greenshell.php
http://161.53.159.250/webdav/Greenshell.php
http://201.122.73.249/webdav/Greenshell.php
http://201.39.231.190/webdav/Greenshell.php
http://178.18.95.238/webdav/Greenshell.php
http://178.78.114.133/webdav/Greenshell.php
http://41.57.109.245/webdav/Greenshell.php
http://18.172.2.239/webdav/Greenshell.php
http://124.165.225.147/webdav/Greenshell.php
http://84.246.6.172/webdav/Greenshell.php
http://64.47.71.249/webdav/Greenshell.php
http://186.153.123.155/webdav/Greenshell.php
http://103.30.92.130/webdav/Greenshell.php
http://115.249.227.230/webdav/Greenshell.php
http://59.176.124.13/webdav/Greenshell.php
http://114.69.241.42/webdav/Greenshell.php
http://123.18.207.2/webdav/Greenshell.php
http://84.233.143.17/webdav/Greenshell.php
http://193.60.92.220/webdav/Greenshell.php
http://80.154.138.211/webdav/Greenshell.php
http://212.91.233.115/webdav/Greenshell.php
http://174.37.60.119/webdav/Greenshell.php
http://75.126.69.194/webdav/Greenshell.php
http://147.46.216.176/webdav/Greenshell.php
http://195.243.244.22/webdav/Greenshell.php
http://202.169.30.215/webdav/Greenshell.php
http://193.179.195.125/webdav/Greenshell.php
http://88.179.3.250/webdav/Greenshell.php
http://62.82.100.195/webdav/Greenshell.php
http://212.204.205.48/webdav/Greenshell.php
http://61.120.124.87/webdav/Greenshell.php
http://91.195.163.75/webdav/Greenshell.php
http://212.50.28.194/webdav/Greenshell.php
http://66.60.102.110/webdav/Greenshell.php
http://41.207.95.71/webdav/Greenshell.php
http://87.79.66.248/webdav/Greenshell.php
http://118.70.167.134/webdav/Greenshell.php
http://222.73.18.86/webdav/Greenshell.php
http://217.18.195.71/webdav/Greenshell.php
http://200.50.118.40/webdav/Greenshell.php
http://81.169.178.176/webdav/Greenshell.php
http://210.163.224.65/webdav/Greenshell.php
http://87.98.167.79/webdav/Greenshell.php
http://212.91.233.120/webdav/Greenshell.php
http://69.162.81.116/webdav/Greenshell.php
http://212.16.239.24/webdav/Greenshell.php
http://80.122.103.134/webdav/Greenshell.php
http://68.232.226.42/webdav/Greenshell.php
http://210.173.78.67/webdav/Greenshell.php
http://115.119.15.180/webdav/Greenshell.php
http://92.39.20.52/webdav/Greenshell.php
http://202.120.51.74/webdav/Greenshell.php
http://210.47.36.6/webdav/Greenshell.php
http://77.237.1.104/webdav/Greenshell.php
http://82.204.47.109/webdav/Greenshell.php
http://217.92.57.106/webdav/Greenshell.php
http://80.24.82.4/webdav/Greenshell.php
http://194.249.184.130/webdav/Greenshell.php
http://147.46.53.121/webdav/Greenshell.php
http://85.214.39.59/webdav/Greenshell.php
http://74.208.103.227/webdav/Greenshell.php
http://134.206.51.221/webdav/Greenshell.php
http://220.233.42.100/webdav/Greenshell.php
http://79.125.24.51/webdav/Greenshell.php
http://74.208.161.177/webdav/Greenshell.php
http://195.54.209.152/webdav/Greenshell.php
http://78.8.120.172/webdav/Greenshell.php
http://173.192.69.18/webdav/Greenshell.php
http://212.91.233.119/webdav/Greenshell.php
http://85.111.3.57/webdav/Greenshell.php
http://213.8.91.167/webdav/Greenshell.php
http://218.83.153.18/webdav/Greenshell.php
http://218.16.119.82/webdav/Greenshell.php
http://58.26.163.2/webdav/Greenshell.php
http://109.123.92.158/webdav/Greenshell.php
http://71.13.238.14/webdav/Greenshell.php
http://222.24.19.18/webdav/Greenshell.php
http://66.171.182.154/webdav/Greenshell.php
http://208.115.223.114/webdav/Greenshell.php
http://70.38.118.206/webdav/Greenshell.php
http://71.13.238.10/webdav/Greenshell.php
http://71.13.238.32/webdav/Greenshell.php
http://165.234.1.18/webdav/Greenshell.php
http://216.38.161.104/webdav/Greenshell.php
http://71.13.238.4/webdav/Greenshell.php
http://71.13.238.25/webdav/Greenshell.php
http://173.15.180.89/webdav/Greenshell.php
http://188.39.86.169/webdav/Greenshell.php
http://212.91.233.114/webdav/Greenshell.php
http://31.163.203.16/webdav/Greenshell.php
http://202.120.1.33/webdav/Greenshell.php
http://219.219.114.91/webdav/Greenshell.php
http://202.72.218.181/webdav/Greenshell.php
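The hosting IPs above are of little use on your own servers; what recurs is the pattern: a PHP file arriving through a WebDAV PUT (or a harmless-looking .txt PUT followed by a MOVE that renames it), then being requested. The Python below is an added example, not code from the original post. It reduces two of the listed URLs to path indicators and runs those checks over constructed combined-format access-log lines; the client IPs, timestamps and every log line are made up for the demonstration.

```python
"""Flag WebDAV web-shell drops and hits in Apache/nginx combined-format access logs."""
import re
from urllib.parse import unquote, urlsplit

# Two of the indicator URLs from the list above. On a defender's own host the
# remote IPs are irrelevant; the shell filenames under /webdav/ are what matter.
IOC_URLS = [
    "http://63.143.52.90/webdav/Kat.php",
    "http://175.158.191.163/webdav/Greenshell.php",
]

# Extensions a PHP handler will typically execute when dropped via PUT.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml")

# Constructed sample log lines (combined format). IPs are documentation ranges
# and timestamps are invented; nothing here comes from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Mar/2013:02:11:05 +0000] "PUT /webdav/Kat.php HTTP/1.1" 201 0 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '198.51.100.7 - - [14/Mar/2013:02:11:09 +0000] "GET /webdav/Kat.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Mar/2013:03:00:00 +0000] "PUT /webdav/gs.txt HTTP/1.1" 201 0 "-" "-"',
    '203.0.113.9 - - [14/Mar/2013:03:00:01 +0000] "MOVE /webdav/gs.txt HTTP/1.1" 201 0 "-" "-"',
    '192.0.2.5 - - [14/Mar/2013:03:05:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [14/Mar/2013:03:05:02 +0000] "PUT /webdav/x.php HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.5 - - [14/Mar/2013:03:05:09 +0000] "GET /webdav/Greenshell.php?cmd=id HTTP/1.1" 404 209 "-" "-"',
]

# client ident user [timestamp] "METHOD target [protocol]" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def shell_paths(urls):
    """Reduce indicator URLs to the request paths to look for in your own logs."""
    return {urlsplit(u).path for u in urls}


def scan(lines, known_paths):
    """Return (kind, client_ip, method, path, status) tuples for suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, status = m["method"], int(m["status"])
        # Strip the query string and percent-encoding so /webdav/Kat.php?x=1 still matches.
        path = unquote(urlsplit(m["target"]).path)
        if method == "PUT" and path.lower().endswith(PHP_EXTENSIONS) and 200 <= status < 300:
            findings.append(("php_upload", m["ip"], method, path, status))
        elif method in ("MOVE", "COPY") and 200 <= status < 300:
            # The Destination header is not in the access log, so any successful rename
            # under a WebDAV-enabled path needs review: .txt -> .php is the classic trick.
            findings.append(("webdav_rename", m["ip"], method, path, status))
        elif path in known_paths:
            # Any status counts: 404s on these names are scanners probing for shells.
            findings.append(("known_shell_access", m["ip"], method, path, status))
    return findings


def actors(findings):
    """Client IPs that both dropped/renamed a file and then requested a known shell."""
    uploaders = {f[1] for f in findings if f[0] in ("php_upload", "webdav_rename")}
    accessors = {f[1] for f in findings if f[0] == "known_shell_access"}
    return uploaders & accessors


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, shell_paths(IOC_URLS))
    for hit in hits:
        print(hit)
    print("upload-then-access from:", sorted(actors(hits)))
```

The rejected PUT (403) is deliberately not reported, while the 404 on Greenshell.php is: a denied upload is the server doing its job, but a probe for a known shell name tells you someone is working through the same list. Point the scanner at real logs by replacing SAMPLE_LOG with the file's lines and extending IOC_URLS with the rest of the list.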

Stay tuned!

U.S Justice Department Releases "Legal Considerations when Gathering Online Cyber Threat Intelligence" - Where's the Meat?

Surprise, surprise! The U.S. DoJ has recently released a detailed "Legal Considerations when Gathering Online Cyber Threat Intelligence" guide, which aims to educate security practitioners on how to gather threat intelligence and how to use it to assist U.S. Law Enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.

What the paper basically explains are the basics of passive OSINT. It also includes a detailed explanation of the use of cybercrime-friendly forums to gather threat intelligence, which risks signaling a "bad taste" trend: enticing users to join these forum communities and so contributing to the overall increase of cybercrime internationally.

What should be taken into consideration, in terms of recommendations for this guide, is that it doesn't take a cybercriminal to catch a cybercriminal: on the majority of occasions the information required to launch an investigation into the whereabouts of high-profile cybercriminals is already publicly accessible.

Users who are interested in joining the world of threat intelligence gathering should consider going through my "The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community" post, and should also consider joining my currently ongoing Law Enforcement and OSINT operation called "Uncle George", where the idea is to obtain a direct download copy of my "Cybercrime Forum Data Set for 2019" and participate in the enrichment and analysis of the forum communities for the purpose of assisting U.S. Law Enforcement in tracking down and prosecuting the cybercriminals behind them.

Stay tuned!

Historical OSINT - International Institute For Counter-Terrorism Serving Malware - An Analysis

The International Institute For Counter-Terrorism (ict.org.il) is known to have served malicious software to its user base back in 2013.

In this post I'll provide actionable intelligence on the campaign and discuss the tactics, techniques and procedures of the cybercriminals behind it.

Sample client-side exploit serving chain, hosted on the site itself:

hxxp://ict.org.il/js/1.html

Sample malicious MD5 known to have participated in the campaign:

MD5: e29c9a81c204aeb901a7287978cf58db

Once executed, the sample drops additional files with the following MD5s on the affected host:

MD5: d2354e9ce69985c1f55dbad2837099b8

MD5: 4e1e2b9cd6b5bca2b1b935ddc97f2d7a

Once executed, the sample phones back to the following C&C server:

hxxp://interfacet.oicp.net - 65.19.141.203

Related malicious domains known to have resolved to the same C&C server IP (65.19.141.203). Note that nearly all of them are dynamic-DNS hostnames (Oray's gicp.net, oicp.net, vicp.cc, eicp.net and 51vip.biz zones), whose IPs change frequently, so a shared IP is a lead to be time-correlated and confirmed rather than proof of a common operator:

360safeupdate02.gicp.net

ainiyi.oicp.net

akrso.gicp.net

botnet004.gicp.net

botnetdown.gicp.net

caoqihua520.gicp.net

catx.vicp.cc

ciygqn.gicp.net

cn88.5166.info

daihocvn.gicp.net

data.imzone.in

dnfbfz01.gicp.net

ericsson.vicp.cc

getnew.vicp.cc

grandoiltech.eicp.net

haiqing.51vip.biz

interfacet.oicp.net

isacat.gicp.net

iteni.vicp.cc

jinxg999.gicp.net

jiodi.oicp.net

love14789632.oicp.net

lu111111.gicp.net

lululu.vicp.cc

lwtyy.oicp.net

mhkmir.eicp.net

mlhl.vicp.cc

oypp.oicp.net

qqua.51vip.biz

rave.oicp.net

roujisevftp.gicp.net

roujisevftp1.gicp.net

roujisevftp2.gicp.net

sq3431.vicp.cc

wg5173.gicp.net

wsgj.eicp.net

www.96331.com

yanxiannishunyi.gicp.net

yudecai86.gicp.net
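The list above is the result of an IP pivot: start from the seed C&C hostname, collect the IPs it resolved to, and gather every other hostname that resolved to those IPs. Because dynamic-DNS names move between addresses, a naive pivot pulls in whoever held the IP months earlier. The Python below is an added example, not the author's tooling. It performs the pivot over a constructed passive-DNS table, keeps only resolutions whose observation window overlaps the record being pivoted from, and separates dynamic-DNS hostnames (weaker links) from registered domains. Only the seed hostname and its IP come from the post; every other hostname, IP and date is made up, and the DDNS zone set is an assumption.

```python
"""Time-bounded passive-DNS pivot from a seed C&C hostname to co-resolving hostnames."""
from collections import defaultdict
from datetime import date

# Dynamic-DNS parent zones seen in the list above (Oray "Peanut Shell" zones).
# Assumption for the example; extend as needed.
DDNS_ZONES = {"oicp.net", "gicp.net", "vicp.cc", "eicp.net", "51vip.biz"}

# Constructed passive-DNS records: (hostname, ip, first_seen, last_seen).
# Seed hostname/IP are from the post; all other rows and every date are invented.
PDNS = [
    ("interfacet.oicp.net",    "65.19.141.203", date(2013, 2, 1),  date(2013, 4, 30)),
    ("shell01.gicp.net",       "65.19.141.203", date(2013, 3, 1),  date(2013, 3, 20)),
    ("c2b.vicp.cc",            "65.19.141.203", date(2013, 4, 10), date(2013, 5, 5)),
    ("update.example-cdn.com", "65.19.141.203", date(2013, 2, 15), date(2013, 2, 28)),
    ("oldtenant.example.net",  "65.19.141.203", date(2012, 6, 1),  date(2012, 12, 31)),  # no overlap
    ("shell01.gicp.net",       "198.51.100.20", date(2013, 3, 15), date(2013, 6, 1)),    # second hop
    ("unrelated.example.org",  "198.51.100.99", date(2013, 3, 1),  date(2013, 6, 1)),
]


def parent_zone(host):
    """Last two labels of a hostname, e.g. catx.vicp.cc -> vicp.cc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def overlaps(a_first, a_last, b_first, b_last):
    """True when two [first_seen, last_seen] windows share at least one day."""
    return a_first <= b_last and b_first <= a_last


def pivot(seed, records, max_hops=1):
    """Breadth-first hostname -> IP -> hostname expansion, one hop per level.

    Returns {"ips": set of IPs touched, "hosts": {hostname: hop_found}}.
    A hostname is only linked through an IP if its resolution window overlaps
    the window of the record we arrived on, which drops stale co-tenants.
    """
    by_ip, by_host = defaultdict(list), defaultdict(list)
    for rec in records:
        by_host[rec[0]].append(rec)
        by_ip[rec[1]].append(rec)
    if seed not in by_host:
        return {"ips": set(), "hosts": {}}

    found_hosts = {seed: 0}
    found_ips = set()
    frontier = [seed]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for host in frontier:
            for _, ip, first, last in by_host[host]:
                found_ips.add(ip)
                for other, _, o_first, o_last in by_ip[ip]:
                    if other not in found_hosts and overlaps(first, last, o_first, o_last):
                        found_hosts[other] = hop
                        next_frontier.append(other)
        frontier = next_frontier
    return {"ips": found_ips, "hosts": found_hosts}


def classify(hosts):
    """Split pivoted hostnames into dynamic-DNS (weak link) and registered domains."""
    out = {"ddns": [], "registered": []}
    for host in sorted(hosts):
        out["ddns" if parent_zone(host) in DDNS_ZONES else "registered"].append(host)
    return out


if __name__ == "__main__":
    result = pivot("interfacet.oicp.net", PDNS, max_hops=2)
    print("IPs:", sorted(result["ips"]))
    for host, hop in sorted(result["hosts"].items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {host}")
    print(classify(result["hosts"]))
```

Swap PDNS for an export from whatever passive-DNS source you use (most return first_seen/last_seen per record) and raise max_hops cautiously: each hop through a dynamic-DNS IP widens the net, and the registered-domain bucket is where the durable indicators usually sit.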

Stay tuned!