Monday, January 24, 2022

Exposing a Portfolio of Pay Per Install Rogue and Fraudulent and Malicious Affiliate Network Domains - An OSINT Analysis

 
Dear blog readers,

I've decided to share with everyone an in-depth historical OSINT analysis on some of the primary pay per install rogue fraudulent and malicious affiliate network based rogue and fraudulent revenue sharing scheme operating malicious software gangs that are known to have been active back in 2008 with the idea to assist everyone in their cyber campaign attribution efforts.

Sample portfolio of pay per install rogue fraudulent and malicious affiliate network domains known to have been in operation in 2008 include:

vipsoftcash[.]com
iframevip[.]com
avicash[.]com
softmonsters[.]biz
cashboom[.]biz
loader[.]cc
luxecash[.]com
iframepartners[.]com
installsforyou[.]biz
topsale2[.]ru
cashcodec[.]com
go-go-cash[.]com
oxocash[.]com
3xl-cash2[.]com
3xlpartnership[.]com
installs4sale[.]com
profitclick[.]org
megatraffer[.]com
oemcash[.]com
goldencashworld[.]biz
topsale[.]us
installsmarket[.]com
profit-cash[.]biz
ADWSearch[.]com
ovocash[.]com
loadsprofit[.]com
exerevenue[.]com
adwaredollars[.]com
yabucks[.]com
installing[.]cc
installconverter[.]com
topsale[.]us
bakasoftware[.]com
goldencashworld[.]net
niftystats[.]com
niftystats[.]com
royal-cash[.]com
dogmasoftware[.]com
3xlsoftware[.]com
rashacash[.]com
3xltop[.]com
vipinstall[.]cn
installercash[.]com
spicycodec[.]com
softwareprofit[.]com
codecmoney[.]biz
trafcash[.]com
smilecash[.]biz
bucksloads[.]com
traffic-converter[.]biz
eupays[.]com
seocash[.]us
vipppc[.]ru
cashwrestler[.]com
VipSoftCash[.]com
vscstatistics[.]com
vipsoftcashstats[.]com
Spy-Partners[.]com
vippirog[.]com
cashbotnet[.]com
installsforyou[.]biz
profit-cash[.]biz
bestcash[.]biz
VisitPay[.]com
partnerka[.]com
spy-partners[.]com
download4money[.]com
luxecash[.]net
iframe911[.]com
LOADBUCKS[.]BIZ
Cashpanic[.]com
longbucks[.]com
drugrevenue[.]com
evapharmacy[.]ru
bucksloads[.]com
spydevastator[.]com
softcash[.]org
3xlsoftware[.]com
rashacash[.]com
3xlcash[.]com
spicycodec[.]com
buckster[.]ru
trafficconverter2[.]biz
bucksware[.]com
bucksware-admin[.]com
mac-codec[.]com
traffic-converter[.]biz
klikadult[.]com
goldencash[.]com
payperinstall[.]org
pay-per-install[.]com
pay-per-install[.]org
zangocash[.]com
iframebiz[.]com
webmaster-money[.]org
cash4toolbar[.]com
toolbar4cash[.]com
bluechillies[.]com
adwaredollars[.]com
iframestat[.]org
snapinstalls[.]com
installercash[.]com
installcash[.]org
earnperinstall[.]com
dollarsengine[.]com
installercash[.]com
vombacash[.]com
softahead[.]com
iframestat[.]org
antispy[.]ws
sexprofit[.]com
evapharmacy-login[.]biz
vipsoftcash[.]com
glavmed[.]com

Sample name servers known to have been used by the same rogue fraudulent and malicious pay per install affiliate network domains include:

ns1[.]cgymwmlcaa[.]com A 85[.]17[.]136[.]135
ns1[.]cdpvaqnlod[.]com A 85[.]17[.]136[.]135
ns1[.]ccytvpbsdg[.]com A 85[.]17[.]136[.]135
ns1[.]cbfkzhtyik[.]com A 85[.]17[.]136[.]135
ns1[.]cezqtessjo[.]com A 85[.]17[.]136[.]135
ns1[.]cfsiqejclo[.]com A 85[.]17[.]136[.]135
ns1[.]catjepzcft[.]com A 85[.]17[.]136[.]135
ns1[.]dhxkycjmrg[.]net A 85[.]17[.]136[.]135
ns1[.]dglcxlcfmk[.]net A 85[.]17[.]136[.]135
ns1[.]damqrgldev[.]net A 85[.]17[.]136[.]135
ns1[.]dfhatnjfjw[.]net A 85[.]17[.]136[.]135
ns1[.]ddzmuatncz[.]net A 85[.]17[.]136[.]135

ns1[.]cgymwmlcaa[.]com A 72[.]232[.]184[.]10
ns1[.]cdpvaqnlod[.]com A 72[.]232[.]184[.]10
ns1[.]ccytvpbsdg[.]com A 72[.]232[.]184[.]10
ns1[.]cbfkzhtyik[.]com A 72[.]232[.]184[.]10
ns1[.]cezqtessjo[.]com A 72[.]232[.]184[.]10
ns1[.]cfsiqejclo[.]com A 72[.]232[.]184[.]10
ns1[.]chyaicpvxo[.]com A 72[.]232[.]184[.]10
ns1[.]catjepzcft[.]com A 72[.]232[.]184[.]10
ns1[.]dhxkycjmrg[.]net A 72[.]232[.]184[.]10
ns1[.]dcorbtfyni[.]net A 72[.]232[.]184[.]10
ns1[.]dglcxlcfmk[.]net A 72[.]232[.]184[.]10
ns1[.]detjstniup[.]net A 72[.]232[.]184[.]10
ns1[.]damqrgldev[.]net A 72[.]232[.]184[.]10
ns1[.]dfhatnjfjw[.]net A 72[.]232[.]184[.]10
ns1[.]dbsjxuvijx[.]net A 72[.]232[.]184[.]10
ns1[.]ddzmuatncz[.]net A 72[.]232[.]184[.]10

cgymwmlcaa[.]com  A  195[.]2[.]253[.]247 
cezqtessjo[.]com  A  195[.]2[.]253[.]247 
cfsiqejclo[.]com  A  195[.]2[.]253[.]247 
chyaicpvxo[.]com  A  195[.]2[.]253[.]247 
cdpvaqnlod[.]com  A  195[.]2[.]253[.]246 
ccytvpbsdg[.]com  A  195[.]2[.]253[.]246 
cbfkzhtyik[.]com  A  195[.]2[.]253[.]246 
catjepzcft[.]com  A  195[.]2[.]253[.]246 

http://catjepzcft[.]com
http://catjepzcft[.]com
http://damqrgldev[.]net
http://catjepzcft[.]com 
http://damqrgldev[.]net

catjepzcft[.]com

damqrgldev[.]net  195[.]2[.]253[.]248  
dcorbtfyni[.]net A 195[.]2[.]253[.]248
damqrgldev[.]net A 195[.]2[.]253[.]248
dbsjxuvijx[.]net A 195[.]2[.]253[.]248
ddzmuatncz[.]net A 195[.]2[.]253[.]248

dhxkycjmrg[.]net A 195[.]2[.]253[.]249
dglcxlcfmk[.]net A 195[.]2[.]253[.]249
detjstniup[.]net A 195[.]2[.]253[.]249
dfhatnjfjw[.]net A 195[.]2[.]253[.]249

dhxkycjmrg[.]net NS ns1[.]dhxkycjmrg[.]net
ns1[.]dhxkycjmrg[.]net A 72[.]232[.]184[.]10
ns1[.]dhxkycjmrg[.]net A 85[.]17[.]136[.]135
dcorbtfyni[.]net NS ns1[.]dhxkycjmrg[.]net
dglcxlcfmk[.]net NS ns1[.]dhxkycjmrg[.]net
detjstniup[.]net NS ns1[.]dhxkycjmrg[.]net
damqrgldev[.]net NS ns1[.]dhxkycjmrg[.]net
dfhatnjfjw[.]net NS ns1[.]dhxkycjmrg[.]net
dbsjxuvijx[.]net NS ns1[.]dhxkycjmrg[.]net
ddzmuatncz[.]net NS ns1[.]dhxkycjmrg[.]net

Related pay per install rogue fraudulent and malicious domains known to have been used back in 2008 for various rogue fraudulent and malicious purposes include:

drawn-cash[.]com
vippay[.]com
bucksware-admin[.]com
www[.]system-protector[.]net
sys-scan-1[.]biz
sys-scan-wiz[.]biz
topsale2[.]ru
earning4u[.]com
flashdollars[.]com
installing[.]cc
siteload[.]cn A 94[.]247[.]2[.]54
hostnsload[.]cn
siteinstall[.]cn
hostnsinstall[.]cn
jjupsport[.]ru
installz[.]cn
adware-help[.]com
fliporn[.]com
dailybucks[.]org
installloader[.]com
installaga[.]cn
georgenatas[.]in
naemnitibo[.]in
tirosanare[.]in
mialo-goodle[.]info
nailcash[.]com
ultraantivirus2009[.]com
nailcash[.]com  A  64[.]86[.]17[.]9 
virusalarmpro[.]com  A  64[.]86[.]17[.]9 
vmfastscanner[.]com  A  64[.]86[.]17[.]9 
mysuperviser[.]com  A  64[.]86[.]17[.]9 
virusmelt[.]com  A  64[.]86[.]17[.]9 
payvirusmelt[.]com  A  64[.]86[.]17[.]9 
updvmfnow[.]cn  A  64[.]86[.]17[.]9 
mysupervisor[.]net  A  64[.]86[.]17[.]9

Related personal email accounts known to have been used for various related pay per install rogue fraudulent and malicious affiliate network domain registrations include:

pvc6168@sina[.]com
windinv@yahoo[.]com
new@loveplus[.]in
johnson8402@post[.]com
lmunozv1@live[.]com
ididid828@gmail[.]com
onlineprivacy@aol[.]com
alex@bnetworks[.]us
milen[.]radumilo@gmail[.]com
ztao72945@gmail[.]com
redsunray@hotmail[.]com
WINDINV@YAHOO[.]COM
tvmt2000@yahoo[.]com
325214476@qq[.]com
adxluxe@gmail[.]com
SexPicker@gmail[.]com
domainaccount@protonmail[.]com
ancientholdings@fastmail[.]fm
newseowork12@gmail[.]com
oem[.]myrian@gmail[.]com
229848501@qq[.]com
bdmailhere@gmail[.]com
danny9@gmail[.]com
phone49012@yahoo[.]com
miok2001@mail[.]ru
zuev@cmedia-online[.]ru
daniel[.]bastien@gmail[.]com
domainadmin1900@gmail[.]com
larsonown@gmail[.]com
ppcseo2@gmail[.]com
sima[.]jogminaite@inbox[.]lt
topsaleus@gmail[.]com

Stay tuned!
- No comments:
Tags: , , , , , , ,

This presentation aims to detail Dancho Danchev's perspective into gathering threat intelligence processing it and enriching and disseminating it to users vendors and organizations globally heavily relying on a threat intelligence "rock star" model and methodology where the ultimate goal for this case study would be to take down Iran-based hackers and hacking groups and their entire online operations and attempt to shut them down and take them offline citing possible malicious use and actual abuse of international Internet laws and regulations and ultimatetely attempt to make an impact in terms of tracking them down and offering never-published and discussed personally identifiable information on their whereabouts and malicious online activities.

- No comments:

Exposing the Internet-Connected Infrastructure of the REvil Ransomware Gang - An In-Depth OSINT Analysis

Dear blog readers,

In this post I've decided to do an in-depth OSINT analysis on the recently busted REvil ransomware gang and decided to elaborate more and emphasize on the key fact in specific how come that a single ransomware group with several publicly accessible and easy to shut down C&C (command and control) server domains including several randomly generated Dark Web Onion URLs could easily result in millions of damage and who really remembers a situation when getting paid for getting hacked including the basic principle that you should never interact with cybercriminals but instead should passively and proactively monitor them could result in today's modern and unspoken ransomware growth epidemic and the rise of wrong buzz words as for instance ransomware-as-a-corporation where you basically have the bad guys obtain initial access to an organization's network and then hold its information encryption leading us to the logical conclusion who on Earth would pay millions of dollars to avoid possible bad reputation damage including to fuel growth into a rogue and fraudulent scheme as as for instance the encryption of sensitive company information and leaking it to the public in exchange for financial rewards.


Sample REvil ransomware gang publicly accessible C&C (command and control) servers include:
hxxp://decoder[.]re
hxxp://decryptor[.]cc - 136[.]243[.]214[.]30; 45[.]138[.]74[.]27
hxxp://decryptor[.]top

Related name servers known to have been used in the campaign include:
hxxp://1-you[.]njalla[.]no
hxxp://3-get[.]njalla[.]fo
hxxp://2-can[.]njalla[.]in
hxxp://1-you[.]njalla[.]no

Related responding IPs for hxxp://decryptor[.]cc:

2021/12/30 - 103[.]224[.]212[.]219

2021/10/23 - 198[.]58[.]118[.]167

2021/10/23 - 45[.]79[.]19[.]196

2021/10/23 - 45[.]56[.]79[.]23

2021/10/23 - 45[.]33[.]18[.]44

2021/10/23 - 72[.]14[.]178[.]174

2021/10/23 - 45[.]33[.]2[.]79

2021/10/23 - 45[.]33[.]30[.]197

2021/10/23 - 96[.]126[.]123[.]244

2021/10/23 - 45[.]33[.]23[.]183

2021/10/23 - 173[.]255[.]194[.]134

2021/10/23 - 45[.]33[.]20[.]235

2021/10/23 - 72[.]14[.]185[.]43

2021/10/08 - 78[.]41[.]204[.]37

2021/10/03 - 209[.]126[.]123[.]12

2021/09/24 - 78[.]41[.]204[.]28

2021/09/03 - 209[.]126[.]123[.]13

2021/08/19 - 78[.]41[.]204[.]38

2021/08/02 - 81[.]171[.]22[.]4

2021/07/27 - 81[.]171[.]22[.]6

2021/04/17 - 103[.]224[.]212[.]219

2020/11/10 - 45[.]138[.]74[.]27

2020/11/04 - 45[.]138[.]74[.]27

2020/09/14 - 136[.]243[.]214[.]30

2020/09/06 - 136[.]243[.]214[.]30

2020/08/30 - 212[.]22[.]78[.]23

2020/08/23 - 212[.]22[.]78[.]23

2020/07/30 - 212[.]22[.]78[.]23

2020/07/24 - 212[.]22[.]78[.]23

2020/07/07 - 212[.]22[.]78[.]23

2020/05/30 - 193[.]164[.]150[.]68

2020/05/20 - 193[.]164[.]150[.]68

2020/05/10 - 194[.]36[.]190[.]41

2020/05/08 - 194[.]36[.]190[.]41

2020/04/29 - 194[.]36[.]190[.]41

2020/04/06 - 194[.]36[.]190[.]41

2020/02/17 - 94[.]103[.]87[.]78

Related responding IPs for hxxp://decryptor[.]top (185[.]193[.]127[.]162; 192[.]124[.]249[.]13; 96[.]9[.]252[.]156):

2021/07/12 - 45[.]9[.]148[.]108

2020/09/18 - 185[.]193[.]127[.]162

2020/09/15 - 185[.]193[.]127[.]162

2020/08/07 - 185[.]193[.]127[.]162

2020/01/16 - 162[.]251[.]120[.]66

2019/12/23 - 45[.]138[.]96[.]206

2019/12/12 - 107[.]175[.]217[.]162

2019/10/07 - 96[.]9[.]252[.]156

2019/09/04 - 96[.]9[.]252[.]156

2019/07/15 - 91[.]214[.]71[.]139

Related MD5s known to have been involved in the campaign:

MD5: 57d4ea7d1a9f6b1ee6b22262c40c8ef6

MD5: fe682fad324bd55e3ea9999abc463d76

MD5: e87402a779262d1a90879f86dba9249acb3dce47

MD5: 4334009488b277d8ea378a2dba5ec609990f2338

MD5: 2dccf13e199b60dd2cd52000a26f8394dceccaa6

Stay tuned!

- No comments:
Tags: , , , ,
Subscribe to: Posts (Atom)