Thursday, October 27, 2022

Who DDoS-ed Georgia/Bobbear.co.uk and a Multitude of Russian Homosexual Sites in 2009? - An OSINT Analysis

NOTE:

I took these screenshots circa 2009.

UPDATE:

Here are some of the related botnet C&C server domains and URLs known to have been involved in the campaign (resolved IPs are given where they were recorded at the time):
hxxp://cxim.inattack.ru/www3/www/
hxxp://i.clusteron.ru/bstatus.php

hxxp://203.117.111.52/www7/www/getcfg.php (cxim.inattack.ru)

hxxp://cxim.inattack.ru/www2/www/stat.php
hxxp://cxim.inattack.ru/www3/www/stat.php
hxxp://cxim.inattack.ru/www4/www/stat.php
hxxp://cxim.inattack.ru/www5/www/stat.php
hxxp://cxim.inattack.ru/www6/www/stat.php
hxxp://finito.fi.funpic.org/black/stat.php
hxxp://logartos.org/forum/stat.php - 195.24.78.242
hxxp://weberror.cn/be1/stat.php
hxxp://prosto.pizdos.net/_lol/stat.php
hxxp://h278666y.net/www/stat.php - 72.233.60.254

I've decided to share this post, including the related screenshots and technical details, in the hope of inspiring others to continue their own research into cyber attack and campaign tracking, monitoring, and attribution.

Back in 2009 there was major speculation that Russia had launched a massive DDoS (Distributed Denial of Service) attack against Georgia, which was in fact the case. What made this campaign particularly interesting was that the same DDoS-for-hire (managed DDoS) service behind the attack was also observed launching related DDoS campaigns against bobbear.co.uk and a multitude of Russian homosexual Web sites, which at the time posted notices on their official Web sites acknowledging the DDoS attacks against them.

Who was behind the campaigns? An image is worth a thousand words: the screenshots that follow were produced with the original Maltego Community Edition, which back then delivered outstanding results across a variety of cyber attack incidents and campaigns.

Sample screenshots include:




Sample DDoS C&C domains known to have been involved in the campaign include:
hxxp://emultrix.org
hxxp://yandexshit.com
hxxp://ad.yandexshit.com
hxxp://a-nahui-vse-zaebalo-v-pizdu.com
hxxp://killgay.com
hxxp://ns1.guagaga.net
hxxp://ns2.guagaga.net
hxxp://ohueli.net
hxxp://pizdos.net

Sample DDoS C&C domain URLs known to have been involved in the campaign include:

hxxp://a-nahui-vse-zaebalo-v-pizdu.com/a/nahui/vse/zaebalo/v/pizdu/
hxxp://prosto.pizdos.net/_lol/

Related domains known to have been involved in the campaign include:
hxxp://candy-country.com
hxxp://best-info.in
hxxp://megadwarf.com.com 
hxxp://good412.com
hxxp://oceaninfo.co.kr
hxxp://kukutrustnet777.info
hxxp://kukutrustnet888.info
hxxp://kukutrustnet987.info
hxxp://asjdiweur87wsdcnb.info
hxxp://pedmeo222nb.info
hxxp://gondolizo18483.info
hxxp://technican.w.interia.pl
hxxp://pzrk.ru
hxxp://bpowqbvcfds677.info
hxxp://bmakemegood24.com
hxxp://bperfectchoice1.com
hxxp://bcash-ddt.net
hxxp://bddr-cash.net
hxxp://bxxxl-cash.net
hxxp://balsfhkewo7i487fksd.info
hxxp://buynvf96.info
hxxp://httpdoc.info
hxxp://piceharb.com
hxxp://ultra-shop.biz
hxxp://googlets.info
hxxp://kokaco.info
hxxp://simdream.info
hxxp://simdream.biz
hxxp://lamour.ws
hxxp://prosto.pizdos.net
hxxp://vse.ohueli.net
hxxp://uploder.ws
hxxp://oole.biz
hxxp://yandexshit.com
hxxp://emultrix.org
hxxp://snail.pc.cz
hxxp://bibi.hamachi.cc
hxxp://killgay.com
hxxp://installs.bitacc.com
hxxp://hg7890.com
hxxp://dungcoivb.googlepages.com
hxxp://toggle.com 
hxxp://nhatquanglan2.0catch.com
hxxp://svxela.com
hxxp://united-crew.org

Sample malicious MD5s known to have been involved in the campaign include:
MD5:cde613793e24508f32c38249d396f686
MD5:f13e24a0d7372e096392855d423db4da
MD5:ac43d13455ef4ba50ed522e4a54137dc
MD5:e729f992bea0896f104742e5cbc522c2
MD5:88bed9482f6e0578b59710c41ab890d7
MD5:0472379daba0ab1abee7468786a0953a
MD5:7507022e3cab75888ea960fb48476f2d
MD5:0fd3521e3e150f45a7b243de8760d74d
MD5:ad4007f5ee084e27f7149a98dfa469ba
MD5:d2b08dfcd438d8c106f9be5157553454
MD5:cd193c00728634b6ac3f91c0c5bcf196
MD5:8f69e9577380fd9ba37c1d0d9d5603c4
MD5:eea49d19db46f2cb8767270b019a427a
MD5:372db70ffa24bc0e1bc0ceb2375537b0
MD5:a738127a58985d233e52ee1eacce1bab
MD5:51a33d949644923332f192346aa38569
MD5:f47315c7623954c18c8ce83231044ab4
MD5:21823675dc1cc678ae28228bbfbdf9e2
MD5:38ed6d225770518deedae8c906d11d6c
MD5:b37e79d7ae5315d1479fc140ec8f049e
MD5:39a0f4c388d18b67ebed3c8c1b29dc4e
MD5:09f89b063f884b11fdf785e7eab8548b
MD5:ce2e644d48492dd254149b51a0d32fe7
MD5:25c65d3634ee36b1c99a45ce3d5f8fdc
MD5:e5950a5269c79a7e0158814749f3effc
MD5:561002ecbef499fc0624cedaacd81066
MD5:f6fe1019d426535765ae3800eafb7b9b
MD5:a4f51e896be7e9f5474d24e0c20b0d24
MD5:0d294580dafad0a16849fae4af757c3b
MD5:1ad98858daf6d7f570918b4c3402d824
MD5:0230f77066c14f50b42f32bcb195c8a3
MD5:95158942a3b730307abbd863a0cc6ab6
MD5:f5c9d013f0e363f1eab616e3a97b83cd
MD5:ad0bf946c3e415d9b7842326afb11b90
MD5:03d7957bf93b01365ec16ef9bf6bccc1
MD5:bb2ffbccce05868adf958d90f458d970
MD5:25a9e89e00798cdd8e358f29524b2539
MD5:a3b69591bc5bce27100fe18deaf97a99
MD5:1f2836f33ff85a814e3fb6e17e1b9cc9

Related domains known to have been involved in the campaign include:

hxxp://ohueli.net
hxxp://emultrix.org
hxxp://lamour.ws

Related domain C&C server URLs known to have been involved in the campaign include (note that c34.statcounter.com belongs to the public StatCounter Web analytics service, so that entry should be treated as a likely false positive rather than attacker-controlled infrastructure):

hxxp://pzrk.ru/logo4.gif?1395a=80218&id=2378151660
hxxp://pzrk.ru/logo4.gif?12a76=76406&id=2626553800
hxxp://aapowqbvcfds677.info/?fd1c=64796&id=2378151660
hxxp://c34.statcounter.com/counter.php?sc_project=3034266&java=0&security=297102af&invisible=0
hxxp://jbalbfhkewo7i487fksd.info/?41d39=269625&id=241094347
hxxp://32106.bpowqbvcfds677.info/?32106=205062&id=241094347
hxxp://abpowqbvcfds677.info/?323d5=205781&id=241094347
hxxp://macedonia.my1.ru/mainh.gif?32905=207109&id=241094347
hxxp://good412.com/c.bin
hxxp://www.good412.com/c.bin
hxxp://www.f5ds1jkkk4d.info/?id25765twcvqr41865&rnd=70609
hxxp://bpowqbvcfds677.info/?32145=205125&id=2507836605
hxxp://pzrk.ru/logo4.gif?361b9=221625&id=2578125312
hxxp://abpowqbvcfds677.info/?324fe=206078&id=2507836605
hxxp://bbaakemegood24.com/?33a7a=211578&id=2578125312
hxxp://32319.bpowqbvcfds677.info/?32319=205593&id=2507836605
hxxp://jbalbfhkewo7i487fksd.info/?40f2f=266031&id=2507836605
hxxp://aapowqbvcfds677.info/?32452=205906&id=2507836605
hxxp://ww11.bbeakemegood24.com/
hxxp://macedonia.my1.ru/mainh.gif?13033=77875&id=2456212732
hxxp://bbaakemegood24.com/?12d83=77187&id=2623433696
hxxp://jrsx.jre.net.cn/logos.gif?135ef=79343&id=2456212732
hxxp://pzrk.ru/logo4.gif?142ef=82671&id=2623433696
hxxp://bbaakemegood24.com/?1a3cc=107468&id=2456212732
hxxp://17a3c.bpowqbvcfds677.info/?17a3c=96828&id=2551547297
hxxp://bbaakemegood24.com/?1d200=119296&id=2551547297
hxxp://pzrk.ru/logo4.gif?18b43=101187&id=2551547297
hxxp://aapowqbvcfds677.info/?17b74=97140&id=2551547297
hxxp://technican.w.interiowo.pl/tanga.gif?12f67=77671&id=2378151660
hxxp://pacwebco.com/logost.gif?13081=77953&id=2626553800
hxxp://abpowqbvcfds677.info/?fd8a=64906&id=2378151660
hxxp://bbaakemegood24.com/?11298=70296&id=2626553800
hxxp://perevozka-gruzov.ru/ft.gif?17318=95000&id=2503118808
hxxp://jbalbfhkewo7i487fksd.info/?21f55=139093&id=2378151660
hxxp://bbaakemegood24.com/?111ed=70125&id=2503118808
hxxp://pacwebco.com/logost.gif?109ce=68046&id=2503118808
hxxp://perevozka-gruzov.ru/as.gif?17961=96609&id=2503118808
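The check-in URLs above share one recognisable shape: a query string of the form `?<hexkey>=<decimal>&id=<botid>`, where the key is the hexadecimal spelling of the decimal value (for example `1395a` is 80218 in hex, `fd1c` is 64796) and `id` is a per-bot identifier that recurs across several hosts, and in a few cases the same hex key is also used as a subdomain (`32106.bpowqbvcfds677.info/?32106=...`). The script below is an added example, not code from the original post or from any tool it mentions: it re-fangs the `hxxp://` notation, validates that hex/decimal relationship so that unrelated URLs (the StatCounter hit, the `c.bin` download, the `?id...&rnd=` form) are set aside for manual review, and clusters the contacted hosts by bot id, which is the kind of pivot the Maltego graphs were used for. The embedded URL list is a subset copied from the list above, not a live feed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Check-in URLs copied from the list above (subset chosen for the example,
# kept in the page's defanged hxxp:// notation).
SAMPLE_CHECKINS = [
    "hxxp://pzrk.ru/logo4.gif?1395a=80218&id=2378151660",
    "hxxp://aapowqbvcfds677.info/?fd1c=64796&id=2378151660",
    "hxxp://technican.w.interiowo.pl/tanga.gif?12f67=77671&id=2378151660",
    "hxxp://32106.bpowqbvcfds677.info/?32106=205062&id=241094347",
    "hxxp://abpowqbvcfds677.info/?323d5=205781&id=241094347",
    "hxxp://macedonia.my1.ru/mainh.gif?32905=207109&id=241094347",
    "hxxp://c34.statcounter.com/counter.php?sc_project=3034266&java=0&security=297102af&invisible=0",
    "hxxp://www.f5ds1jkkk4d.info/?id25765twcvqr41865&rnd=70609",
    "hxxp://good412.com/c.bin",
]

# Beacon query shape: hex key, its decimal value, then the bot identifier.
CHECKIN_QUERY = re.compile(r"^(?P<hexkey>[0-9a-f]{4,6})=(?P<dec>\d+)&id=(?P<bot>\d+)$")


def refang(url):
    """Turn the page's defanged hxxp:// / hxxps:// scheme back into http(s)://."""
    if url.startswith("hxxp"):
        return "http" + url[4:]
    return url


def parse_checkin(url):
    """Return a record for a URL that matches the beacon shape AND whose hex key
    equals the decimal value; return None for anything else."""
    parts = urlsplit(refang(url))
    m = CHECKIN_QUERY.match(parts.query)
    if not m:
        return None
    if int(m.group("hexkey"), 16) != int(m.group("dec")):
        return None  # right shape, wrong relationship: do not trust it blindly
    host = parts.hostname or ""
    return {
        "host": host,
        "path": parts.path,
        "key": m.group("hexkey"),
        "value": int(m.group("dec")),
        "bot_id": m.group("bot"),
        # some beacons repeat the hex key as the leftmost DNS label
        "key_in_host": host.startswith(m.group("hexkey") + "."),
    }


def cluster_by_bot(urls):
    """Group contacted hosts by bot id; URLs that do not match the beacon shape
    are returned separately so an analyst can triage them by hand."""
    clusters = defaultdict(set)
    unmatched = []
    for u in urls:
        rec = parse_checkin(u)
        if rec is None:
            unmatched.append(u)
        else:
            clusters[rec["bot_id"]].add(rec["host"])
    return {bot: sorted(hosts) for bot, hosts in clusters.items()}, unmatched


if __name__ == "__main__":
    clusters, unmatched = cluster_by_bot(SAMPLE_CHECKINS)
    for bot, hosts in clusters.items():
        print(f"bot {bot} contacted: {', '.join(hosts)}")
    print("needs manual review:", unmatched)
```

Run against the sample list, the two bot ids each resolve to three hosts, which is the overlap that ties pzrk.ru, the bpowqbvcfds677.info variants, macedonia.my1.ru and technican.w.interiowo.pl to one operation, while the StatCounter, `c.bin` and `?id...&rnd=` entries fall through to the manual-review bucket. The same regular expression, with the hex/decimal check, also works as a proxy-log or IDS signature for this beacon family.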

Stay tuned!
