Thursday, April 06, 2023

Exposing the Fashion Brands of the Conti Ransomware Group


Dear blog readers,

I've decided to share with everyone a series of photos obtained by data mining the recently leaked internal communications of the Conti ransomware gang, with the aim of raising awareness of some of the fashion brands supposedly managed and operated by members of the Conti ransomware gang.

Sample personally identifiable information:

Sample photos include:


Stay tuned!

Profiling the Internet Connected Infrastructure of the Genesis Market Cybercrime-Friendly Online Marketplace

Dear blog readers,

I've decided to take a deeper look inside the Internet-connected infrastructure of the recently seized Genesis Market cybercrime-friendly marketplace, with the aim of providing actionable intelligence and assisting vendors, organizations and researchers, including U.S. law enforcement, in properly tracking down and monitoring the cybercriminals behind these campaigns.

Related Genesis Market domains:


Sample IPs known to have been involved in the campaign include:


Sample related domains:


Sample IPs:


Dots dots dots. We have already profiled the aleksei.rqbakov@mail.ru email address here.

Sample screenshots include:



Stay tuned!