Thursday, January 26, 2023

Exposing Russian Business Network's Mykhaylo Sergiyovich Rytikov's AbdAllah Internet Hizmetleri Bulletproof Hosting Provider on U.S. Secret Service's Most Wanted Cybercriminals List

I've decided to share with everyone some actionable intelligence on one of the Russian Business Network's primary franchise networks in Turkey, namely AbdAllah Internet Hizmetleri, which back in the day was responsible for a fair amount of bulletproof-hosted malicious and fraudulent cybercrime activity. In particular, I want to offer actionable intelligence on its owner, Mykhaylo Sergiyovich Rytikov, who is currently on the U.S. Secret Service's most wanted cybercriminals list.

Known domains affiliated with AbdAllah Internet Hizmetleri:

hxxp://tiket[.]cc
hxxp://abdulla[.]cc
hxxp://privateforum[.]cn - upomajuliya745@gmail.com; xpj88kf@gmail.com; 316411856@qq.com
Related known domains affiliated with AbdAllah Internet Hizmetleri:

hxxp://ns1[.]srv4u[.]biz
hxxp://bulletproof-service[.]com - Email: support@hosting-offshore.biz - 202.83.212.250
hxxp://tarahost[.]net - Email: konstantin@karyaev.com - 89.108.73.93

Related domains known to have been registered by the same domain registrant:
hxxp://all-mafia[.]net
hxxp://shampanskoe[.]info
hxxp://mashost[.]org
hxxp://flexi-domains[.]com
hxxp://5pagess[.]net
hxxp://extrasoft[.]biz
hxxp://golovolomka[.]info
hxxp://optical-coatings[.]info
hxxp://polevoi[.]info
hxxp://belorussia[.]info
hxxp://3alab[.]com
hxxp://prezervativ[.]org
hxxp://brodyaga[.]net
hxxp://skramedia[.]com
hxxp://tarafree[.]com
hxxp://mp3-mmf[.]com
hxxp://myproga[.]net
hxxp://extrahost[.]su
hxxp://garanthost[.]com
hxxp://grand-host[.]net
hxxp://technormativ[.]info
hxxp://xp-hosting[.]net
hxxp://kredits[.]cn
hxxp://tarahost[.]biz
hxxp://tarahost[.]org
hxxp://optical-coatings-design[.]info
hxxp://extrasoft-outsourcing[.]info
hxxp://pm-tost[.]net
hxxp://pm-sotovik[.]net
hxxp://pm-ranlix[.]net
hxxp://pm-holland[.]net
hxxp://swlu[.]info
hxxp://valdiss[.]info
hxxp://karyaev[.]com
hxxp://x450[.]info
hxxp://grand-host[.]biz
hxxp://flexi-classifieds[.]com
hxxp://flexi-sitebuilder[.]com
hxxp://flexi-projects[.]com
hxxp://bloggast[.]info
hxxp://pereezd-pro[.]info
hxxp://eduaction[.]info
hxxp://wmnakovalnya[.]com
hxxp://retro80x[.]com
hxxp://tarafree[.]net
hxxp://skramedia[.]org
hxxp://oldactors[.]net
hxxp://tarahost[.]net
hxxp://janimation[.]net
hxxp://tarahost[.]com
hxxp://skramedia[.]biz
hxxp://vv-want[.]info
hxxp://skramedia[.]net
hxxp://olimp-sport[.]com
hxxp://youhouse[.]biz
hxxp://kroleki[.]com
hxxp://extrasoft-projects[.]info
hxxp://zelenaya[.]com
hxxp://cazinowm[.]com
hxxp://extrasoft-outsourcing[.]net
Related domains known to have been involved with AbdAllah Internet Hizmetleri:
hxxp://magic-jackpot-cas[.]com
hxxp://euro-vip-casino[.]com
hxxp://royal-casino-vip[.]com
hxxp://sexrusfuck[.]com
hxxp://royal-cas-vip[.]com
hxxp://2400-usd-casino[.]com
hxxp://royalcasino-vip[.]com
hxxp://2400usd-casino[.]net
hxxp://eurocasino-vip[.]com
hxxp://sinlife[.]cn
hxxp://byron-consulting-group[.]com
hxxp://28-07[.]com
hxxp://28-07[.]net
hxxp://job-consults[.]org
hxxp://837-86[.]org
hxxp://expressdeal[.]biz
hxxp://cron[.]li
hxxp://crons[.]cc
hxxp://cronos[.]mn
hxxp://crinc[.]mn
hxxp://crinc[.]li
hxxp://ultrasmoke[.]cn
hxxp://supersmoke[.]cn
hxxp://globalsmoke[.]cn
hxxp://937-86[.]org
hxxp://cronco[.]li
hxxp://tradegroup-ha[.]com
hxxp://ha-tradegroup[.]com
hxxp://crinc[.]jp
hxxp://tradegroup-ha[.]net
hxxp://investmentcron[.]cn
hxxp://glb-soft[.]com
hxxp://croninv[.]cc
hxxp://cronis[.]cn
hxxp://crons[.]ac
hxxp://cronn[.]eu
hxxp://dkebooks[.]com
hxxp://cronoi[.]cc
hxxp://jieod[.]com
hxxp://midgejs[.]com
hxxp://crin[.]ac
hxxp://aoejf[.]com
hxxp://yseac[.]com
hxxp://kaserid[.]com
hxxp://crin[.]cc
hxxp://jekdoe[.]com
hxxp://ujeose[.]com
hxxp://masiwer[.]com
hxxp://reusiwe[.]com
hxxp://kaoeds[.]com
hxxp://iwoser[.]com
hxxp://planet0day[.]biz
hxxp://xeirod[.]com
hxxp://neusoas[.]com
hxxp://geoepd[.]com
hxxp://efuyr[.]com
hxxp://ziude[.]com
hxxp://polsenstanford[.]com
hxxp://heyud[.]com
hxxp://woqkr[.]com
hxxp://seiudr[.]com
hxxp://aosier[.]com
hxxp://dueor[.]com
hxxp://crins[.]ac
hxxp://verbespecially[.]com
hxxp://fivejoy[.]com
hxxp://riverwomen[.]com
hxxp://trianglesentence[.]com
hxxp://floorside[.]com
hxxp://developtail[.]com
hxxp://womanfinish[.]com
hxxp://alwaysfell[.]com
hxxp://differcollect[.]com
hxxp://goodalso[.]com
hxxp://kingbrought[.]com
hxxp://findcharacter[.]com
hxxp://chanceexpect[.]com
hxxp://beardictionary[.]com
hxxp://forwardfield[.]com
hxxp://tinydown[.]com
hxxp://jobwhether[.]com
hxxp://numeralcity[.]com
hxxp://cronin[.]jp
hxxp://equalcatch[.]com
hxxp://streamwho[.]com
hxxp://selectmonth[.]com
hxxp://propercame[.]com
hxxp://grewsoil[.]com
hxxp://townslip[.]com
hxxp://stationheavy[.]com
hxxp://charactereven[.]com
hxxp://milk0soft[.]com
hxxp://goldverb[.]com
hxxp://windowlisten[.]com
hxxp://bqgqnfc[.]cn
hxxp://wrbhnuw[.]cn
hxxp://a9da6[.]org
hxxp://04ccc408[.]org
hxxp://bdb7beb6[.]org
hxxp://scalespread[.]com
hxxp://thencloud[.]com
hxxp://figurespoke[.]com
hxxp://fullfraction[.]com
hxxp://propertytall[.]com
hxxp://beautyfig[.]com
hxxp://hadover[.]com
hxxp://followsalt[.]com
hxxp://staysay[.]com
hxxp://herexcept[.]com
hxxp://thanscore[.]com
hxxp://humanthus[.]com
hxxp://branchfelt[.]com
hxxp://areacountry[.]com
hxxp://meetduring[.]com
hxxp://movestood[.]com
hxxp://stillverb[.]com
hxxp://suggesteye[.]com
hxxp://preparebut[.]com
hxxp://hurrysound[.]com
hxxp://cookcompare[.]com
hxxp://0daycod[.]biz
hxxp://europeansmoke[.]cn
hxxp://sprybog[.]net
hxxp://taybaol[.]com
hxxp://polsenstanford[.]com
hxxp://bconsgroup[.]com

Exposing a Currently Active and Spreading Cobalt Strike Serving Malicious Software Campaign

I've just come across a currently circulating Cobalt Strike-serving malicious software campaign and have decided to share the details with everyone reading this blog.

Original malware hosting location: hxxp://bsctech[.]ac[.]th/css/43[.]exe

MD5: d8d8cb60d196a26765261b1ca8604d1e

Sample C&C server IPs known to have been involved in the campaign include:

hxxp://5[.]253[.]234[.]40 -> hxxp://5[.]253[.]234[.]40/activity -> hxxp://5[.]253[.]234[.]40/activity/submit[.]php

Sample geolocation of the known C&C server IP:


Sample C&C server domains known to have been involved in the campaign include:

hxxp://bpltjykhm[.]online

hxxp://51lqm[.]online
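As an added example that is not part of the original post, the following Python script shows how a defender can turn the defanged indicators listed above (the payload URL, the C&C check-in URL and the two C&C domains, plus the sample MD5) into a watchlist and run it over web proxy logs; the same helper applies equally to the AbdAllah Internet Hizmetleri domain lists in the first post. The proxy log lines and their format (timestamp, client IP, method, URL, status) are constructed for this example and are assumptions, not data from the campaign.

```python
import re

# Indicators taken from the post above, in the blog's defanged notation.
DEFANGED_INDICATORS = [
    "hxxp://bsctech[.]ac[.]th/css/43[.]exe",             # original payload location
    "hxxp://5[.]253[.]234[.]40/activity/submit[.]php",   # C&C check-in URL
    "hxxp://bpltjykhm[.]online",                          # C&C domain
    "hxxp://51lqm[.]online",                              # C&C domain
]
KNOWN_SAMPLE_MD5 = {"d8d8cb60d196a26765261b1ca8604d1e"}   # MD5 from the post

# Constructed proxy log lines (not from the post). Assumed format:
# "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2023-01-20T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2023-01-20T10:01:07Z 10.0.0.15 GET http://bsctech.ac.th/css/43.exe 200",
    "2023-01-20T10:01:30Z 10.0.0.15 POST http://5.253.234.40/activity/submit.php 200",
    "2023-01-20T10:02:00Z 10.0.0.22 GET http://bpltjykhm.online/ 200",
    "2023-01-20T10:02:05Z 10.0.0.31 GET http://51lqm.online.example.net/ 200",  # lookalike, must not match
    "2023-01-20T10:02:09Z 10.0.0.40 GET http://cdn.51lqm.online/beacon 200",    # subdomain, must match
    "garbage line that does not parse",
]


def refang(indicator: str) -> str:
    """Convert the blog's defanged notation (hxxp://, [.]) back into a real URL string."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def host_and_path(url: str):
    """Split an http(s) URL into (lowercased host, path); path defaults to '/'."""
    m = re.match(r"^https?://([^/\s]+)(/\S*)?$", url)
    if not m:
        raise ValueError(f"not an http(s) URL: {url}")
    return m.group(1).lower(), m.group(2) or "/"


def build_watchlist(defanged):
    """Return (set of hosts, set of (host, path) pairs) from defanged indicators."""
    hosts, urls = set(), set()
    for d in defanged:
        host, path = host_and_path(refang(d))
        hosts.add(host)
        if path != "/":
            urls.add((host, path))
    return hosts, urls


def host_matches(host: str, watch_hosts) -> bool:
    """True for an exact watched host or one of its subdomains; a watched name
    that merely prefixes a longer name (51lqm.online.example.net) does not count."""
    return any(host == w or host.endswith("." + w) for w in watch_hosts)


LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines, watch_hosts, watch_urls):
    """Return one hit dict per log line that touches a watched host or URL."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        ts, client, method, url, status = m.groups()
        try:
            host, path = host_and_path(url)
        except ValueError:
            continue
        if not host_matches(host, watch_hosts):
            continue
        reason = ("known C&C/payload URL" if (host, path) in watch_urls
                  else "known malicious host")
        hits.append({"time": ts, "client": client, "method": method,
                     "url": url, "reason": reason})
    return hits


def is_known_sample(md5_hex: str) -> bool:
    """Case-insensitive lookup of a file hash against the post's sample MD5."""
    return md5_hex.strip().lower() in KNOWN_SAMPLE_MD5


if __name__ == "__main__":
    hosts, urls = build_watchlist(DEFANGED_INDICATORS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, hosts, urls):
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['url']} -> {hit['reason']}")
```

Host matching is done on the exact name or a subdomain of it, so a hit on `cdn.51lqm.online` is reported while the lookalike `51lqm.online.example.net` is not; a full-URL hit (the payload download or the `/activity/submit.php` check-in) is reported with a more specific reason than a plain host hit so an analyst can prioritise it.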

A Peek Inside a Zunker Botnet C&C Administration Panel - An OSINT Analysis

While digging deep inside an old threat intelligence and technical collection archive, I've decided to share several screenshots worth everyone's while.

The following are several sample screenshots of the Zunker botnet's C&C (command and control) interface, which back in the day dominated the threat landscape, including the sophisticated cybercrime ecosystem, with some pretty interesting and sophisticated features.
Sample screenshots include:



Tuesday, January 17, 2023

Happy Holidays From The (Not) Republic of Bulgaria - An Analysis - Part Two

Can you slap it? Do you know that your degree of education is proportional to the price size of your t-shirt, which means that we're not interested in counting that much, I mean the almighty dollar which you can't behold yourself to all of its mightiness? "Give me a moron and I'll beat him" instead of "Give me an IP and I'll move the earth" type of mentality? Are you a retard or are you a moron or are you a dipshit where the word cannot really behold itself to its almighty awesomeness? Try the two of these as you're only a low-waged moron that cannot really count anything between one or two, which means the actual times you'll get slapped by someone who'll eventually find out and seek your responsibility for your general moronic attitude. It means that you're a retard.

Stay tuned!