Thursday, February 29, 2024

Exposing an IRC Botnet - An OSINT Analysis

Since 2021, as part of an in-house research and capability-building project, we have been collecting publicly accessible cybercrime forum data. The collection currently amounts to 1.5TB of actionable intelligence on current and historical cybercrime and cybercriminal activity. We plan to publish an in-depth analysis of the current and emerging state of cybercrime globally in an upcoming set of white papers, with as much qualitative and quantitative technical detail on the malicious and fraudulent activity as possible. The primary goal is to help fellow researchers, vendors, organizations and law enforcement improve their situational awareness and build their own analysis capabilities by giving them the big picture and the connect-the-dots research behind it.

In this analysis I'll discuss in depth an IRC botnet that I came across in the 1.5TB data set I've been working on since 2021.

Sample email address known to have been involved in the campaign:

breng_me_do[.]live.nl

Sample domains:
hxxp://mboost.su
hxxp://verify-security-settings.su
hxxp://kei.su
hxxp://paypalobjects-com-nl-secure-verify-cmdflowsession.net
hxxp://x1x2.su

Related domains:

hxxp://e2b3.org
hxxp://c1d2.org
hxxp://x1ua.org
hxxp://r00n.org - Email: trainerlouise[.]yahoo.com
hxxp://n0ur.org
hxxp://m4r4.org

Related MD5s known to have phoned back to these domains include:

978f87f1cdbd13b571a8b0fec4cfd1a1
cfb69f9061e28c74f2d617a67d3e19ad
69be9bb725115c880d500c02046e2f42
74a62a2e9de0952559e5609c6a126661
f980d6c065cd50d0e0e835141d080770
150498a047c1b6af4e347a0a9919d580
581f13653c95d8868c38e88cc5edec3f

Related domains known to have been registered using trainerlouise[.]yahoo.com:

hxxp://jossven.com
hxxp://0dayx.com
hxxp://alm7.net
hxxp://marcandpatrick.net
hxxp://retk03.com
hxxp://xixbh.net
hxxp://0n3mmm.com
hxxp://drwhox.com
hxxp://myserversconfig.com
hxxp://yamimo.com
hxxp://caninebaby.com
hxxp://002mom.com
hxxp://rania-style.com
hxxp://001mom.com
hxxp://8rb.su
hxxp://lebanonbt.info - Email: sullt4n[.]hotmail.com
hxxp://honeycat.org
hxxp://thismynew1.info
hxxp://artiho.com
hxxp://003mom.com
hxxp://idolmovies.com
hxxp://sandbland.com - Email: jackycohen202[.]yahoo.com
hxxp://googleure.com
hxxp://retk01.com
hxxp://sult4n.net
hxxp://mom002.net - Email: perezoza1[.]gmail.com
hxxp://photobeat.su - Email: mingtian8132[.]qq.com
hxxp://elnytydma.com
hxxp://wipmania.net
hxxp://yongyuan2.com
hxxp://smellypussy.info
hxxp://xludakx.com
hxxp://tassweq.com
hxxp://rimpac0.com
hxxp://t7v4d.com
hxxp://haztuwebsite.com
hxxp://ksaxchat.net
hxxp://elperro23.net
hxxp://rwt234.com

Related domains known to have been registered using sullt4n[.]hotmail.com:

hxxp://l33t-milf.info
hxxp://x1x4x0.net
hxxp://alm7.net
hxxp://saudi.su
hxxp://l33t-ppl.info

Related MD5s known to have phoned back to these domains:

340acbbd837832cc42466a81357021dc
d8ef3cdc01c913766936fb030c82e0ea
866b03e6b586e9a021aafed06fa6d917
d42b2512ce22ee8ef61049821d14e83a
be347d137978487c3063c1801794ba46
13addecefb590192d4f537506af563b5
686a6b93bf39d770c750582aba9600a3
a8e4ac094b856e4fa4db55735c64736f
ad4f1412fc78ada25c9757ffa7a29ab3
bbfab98efe673911164de671542cb2ef

Related MD5s known to have phoned back to these domains include:

c74db600c2158d921bfd44eb3b5a1b35
a2fe5e31cb05073dadfe2d8c91f14bbc
1d05fba397bce9ebbb4684235e6b75b2
4150cc172ac27014796972a713717dcc
9ca0a2f6dffef2730a94ed79ef97aea9
942bc3399887085a7b6f771e5e5918e1
b617bb6abbe1995a97688e4cc74f7875
31175b6d020ff6cd98a870cee472172b
fe429f28fbdbd863a4b70a1a97bc11db
cba3813f2f3e1bd8ebe81b8d816639e1
f75909083afc394e3a30580ed6bbd538
55e676a6cb4e1a8b647a112c30ae3d0b
ceb6d8764e43cae795de32bd56c38489
15f2e12d309d143c2fb25d7040cd184a
e43bf58277a31894052b637ac70b658a
8cf9f96ff33a81bcd39d173356fc1adf
419a9ab98c26646d365aec564f1c3c51
a9d421a233108de81dbefc19623043a6
b6098ec3625f30bae42869b5d34b0273
ace5df390f8dcfd0defd286aba25a66e
1a24570afc2a0cd8f422fbf17352af6f
61cf47b9e315441ce20bb92665891103
5f3befb6f6749f58ba3b54041bde28d7
7bb27134f61163400306e2ac45b6e92b
76eeed5e103f690c555b0e88a536163f
388b23a3ae3f64837df0b0c95f20e731
cc13d2e7da89391428d078ef486978b2
2f086d52737f8f6b0d4333089aae5d49
934ff0dccf44a9dc662604050d1496a3
832d5a45883cf8e24f24113dfd5cce30
69795f0e15ce52303ef134cb527146d2
8ad16e64d26ae7eb976ab4137fd82b47
5e3ab30b83f661e3c9a9e03367505dff
b9d86885cec94ffdefe9a271d363e051
989c562db7edf397d512e28c5df41489
bbfab98efe673911164de671542cb2ef
be347d137978487c3063c1801794ba46
68636da56c83715de2290164bcf756b0
e8f92cafa9789d3579ceb11e5c01dab1
a8e4ac094b856e4fa4db55735c64736f
ad4f1412fc78ada25c9757ffa7a29ab3
bcea574ab3b77340f9547064b382f4e5
6e6a849a6d50223435b0bf8520616cc7
1ac0f0ed620167316005eed04188df52
d65a94fb3af688779a1341825e25eed1
6b32910a30125c548c502470b2735011
c5fcd41c4b226f09d3ae2964c62efb3a
347ab96164badd2a304ee1cb7acb86ce
d1b1ed1b4225834211d7a0511a572771
3fa93942d2e4bbbbea31940cbe689934
524b0ef1e7e4dfe2ad8c9fcb39760e02
fe4ba5c4b12f8d65417132dccca96614
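To make lists like the ones above usable in tooling, here is an added example, not part of the original post, that parses this defanged format into normalized indicators and performs the registrant-email pivot used above. It assumes the page's conventions: hxxp:// stands for http://, and [.] inside an email address stands for the @ sign (so trainerlouise[.]yahoo.com is trainerlouise@yahoo.com); a registrant email written on the same line as a domain is attributed to that domain. The sample text is a constructed excerpt in the same format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, written in the same defanged style as the lists
# above: hxxp:// for http://, and "[.]" standing for "@" in an e-mail address.
SAMPLE = """Sample personally identifiable email address:

breng_me_do[.]live.nl

Related domains:

hxxp://e2b3.org
hxxp://r00n.org -  Email: trainerlouise[.]yahoo.com
hxxp://n0ur.org
hxxp://E2B3.org

Related MD5s known to have phoned back to these domains include:

978f87f1cdbd13b571a8b0fec4cfd1a1
CFB69F9061E28C74F2D617A67D3E19AD
978f87f1cdbd13b571a8b0fec4cfd1a1
"""

DOMAIN_RE = re.compile(r"hxxps?://([A-Za-z0-9.-]+\.[A-Za-z0-9-]+)", re.I)
# Assumed convention of this page: "local[.]host.tld" is a defanged e-mail.
EMAIL_RE = re.compile(r"([A-Za-z0-9._-]+)\[\.\]([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
MD5_RE = re.compile(r"^\s*([0-9a-f]{32})\s*$", re.I)


@dataclass
class IocSet:
    domains: list = field(default_factory=list)
    emails: list = field(default_factory=list)
    md5s: list = field(default_factory=list)
    registrant: dict = field(default_factory=dict)  # domain -> registrant e-mail


def _add(seq, item):
    """Append while preserving first-seen order and dropping duplicates."""
    if item not in seq:
        seq.append(item)


def parse_iocs(text: str) -> IocSet:
    """Extract domains, e-mails and MD5s from a defanged dump.

    Case is normalised so that re-listed hashes and domains collapse into one
    entry; a registrant e-mail written on the same line as a domain is
    recorded against that domain.
    """
    out = IocSet()
    for line in text.splitlines():
        m = MD5_RE.match(line)
        if m:
            _add(out.md5s, m.group(1).lower())
            continue
        d = DOMAIN_RE.search(line)
        e = EMAIL_RE.search(line)
        email = f"{e.group(1)}@{e.group(2)}".lower() if e else None
        if email:
            _add(out.emails, email)
        if d:
            dom = d.group(1).lower()
            _add(out.domains, dom)
            if email:
                out.registrant[dom] = email
    return out


def pivot_by_registrant(iocs: IocSet) -> dict:
    """Invert domain -> e-mail into e-mail -> sorted domains, i.e. the WHOIS
    registrant pivot used in the analysis above."""
    pivot = {}
    for dom, email in iocs.registrant.items():
        pivot.setdefault(email, []).append(dom)
    return {k: sorted(v) for k, v in pivot.items()}


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE)
    print(iocs)
    print(pivot_by_registrant(iocs))
```

The case folding matters in practice: the same hash appears more than once across the lists above, and feeding both copies to a blocklist or a hunting query only inflates the numbers.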

Ex-Cybercrime Forum Community Member Runs a Profitable Penetration Testing Business - An Analysis

Since 2021, as part of the same in-house research and capability-building project, I have been collecting publicly accessible cybercrime forum data, which now amounts to 1.5TB of actionable intelligence on current and historical cybercrime and cybercriminal activity and which will feed an upcoming set of white papers on the current and emerging state of cybercrime globally, with the aim of helping fellow researchers, vendors, organizations and law enforcement improve their situational awareness and analysis capabilities.
 
Sample email address known to have been involved in the campaign:
dovolniipirogok[.]hotmail.com

In this analysis I elaborate on an individual who is confirmed as a cybercriminal in my 1.5TB cybercrime data set and who appears to be running a currently active, low-profile penetration testing business with several employees and a LinkedIn company page.
 
Because the email address used to register the company's domain is a known address belonging to a known cybercriminal, organizations and companies should keep this in mind, and probably stay away, when considering doing business with the low-profile penetration testing company profiled in this post.
 

hxxp://secure-partners.com - 67.222.38.88
 
Secure Partners
3578 Hartsel Dr,
E230 Colorado Springs,
CO 80920
P: (719) 219-9489

The same IP (67.222.38.88) also acts as a C&C for the sample with MD5 C74971B8BBE623CE9CA42DAEA37B89C5; specifically, it phones back to hxxp://www.revivemyappliance.com/a7/?qRNhrDdX=RwazjtCjCkDOJFWkqyvig/WpDe8bVejY7lRk4rW26z7wj0389UWJMya8nIjb6sumHpd9Rw==&TV=bl1d7BMXcny4&sql=1
 
 
Related MD5s known to have phoned back to revivemyappliance.com:

a1391b9873a51ab38b3e160fb157bbee
dfc2e426f67bb90a2ece8ec6e9d627c8
98a1ca5c120649dce089c077854027f3
b999cd98ab68cd8c0384da456b73d516
41005e714de8c9f71c013b97c35e5eb3
b98d55a66bc6f3577a6e6fe3d0ea15f2

What we have here is a decent example of fraudulent infrastructure: a confirmed, well known cybercriminal operating a low-profile penetration testing company with a LinkedIn page listing several employees; an additional domain parked on the same IP as the company's domain; a malicious sample phoning back to that second domain; and a further set of malicious MD5s phoning back to the same domain. Since both domains, including the one registered by the confirmed cybercriminal, share the same IP, this is a good example of cybercriminal infrastructure that has stayed beneath the radar. The important point is that the cybercriminal behind the company could easily turn it into a profitable business and possibly scam an unknown number of users into doing business with him, so this Web property should be monitored for additional spam, advertising and promotion campaigns intended to drive sales and new clients to the company.


The following malicious URLs are also known to have been contacted by the malicious MD5s profiled above:

hxxp://www.revivemyappliance.com/a7/?DxO=RwazjtDTADTAKiPW2Cvig/WpDe8bVejY7lRk56ut5DbiiEGz4xzTKQ3pk93g2qTv&SNl=sPxt4JrPCz6TDH
hxxp://www.casineuros.com/a7/
hxxp://www.luxuryconversion.com/a7/
hxxp://www.carminesforlife.com/a7/
hxxp://benthanh-toyota.com/a7/
hxxp://www.hugedomains.com/domain_profile.cfm?d=brandsinfinity&e=com
hxxp://www.revivemyappliance.com/a7/?P2uLzd=RwazjtDTADTAKiPW2Cvig/WpDe8bVejY7lRk56ut5DbiiEGz4xzTKQ3pk93g2qTv&DDIDU=MjLPbJ5HQZclu8m0
hxxp://short-it.com/a7/?P2uLzd=gTy+o5HC3Jf2kvAJCACoCIH3YpRJsHlS6mNQC/VkGp63JvDNxPxGGVsb3uu3qDyy&DDIDU=MjLPbJ5HQZclu8m0
hxxp://www.theadvancedcoach.com/a7/
hxxp://www.revivemyappliance.com/a7/
hxxp://www.revivemyappliance.com/a7/?A2MDSDG=RwazjtDQDE/FJFbXrSvig/WpDe8bVejY7lJ0koK3+T7xjFb66EHFa2iwkOiw6++xEqQl&mN9tO=h0DX3z
hxxp://www.xctljc.com/a7/?mN9tO=h0DX3z&A2MDSDG=Q+xSXVSgPsX+ui8RWtkE0LMceuxsebFTKQeh0+SSCeFZZ9AoDc0scGF/ruslfBefMMLU
hxxp://survey-smiles.com/
hxxp://www.revivemyappliance.com/a7/?oPO4K6h=RwazjtDVe0WzIiSi2yvig/WpDe8bVejY7lRk96mt6Cnzjk3g/gSdJWq+/ILE8MriKZM=&9rIl=nN6t3ZDP3FAX40&sql=1
hxxp://www.ketones.info/a7/
hxxp://www.reducetarian.biz/a7/?oPO4K6h=hdedISV3GjDwkmYUr4ft9lbxQf5yIg0ZRDGn00BC0yORqxC+LJf8C9E+DkmPMyQTbog=&9rIl=nN6t3ZDP3FAX40&sql=1
hxxp://www.goedutravel.com/a7/
hxxp://www.rabe-networks.com/a7/?fxlp=gTy+o5HEp+aFmvd9CwCoCIH3YpRJsHlS6mNQG/dkFoGmIPye2eQIFTxMsbSTglK/psg=&0bttHX=iL0dq0_pa60t&sql=1
hxxp://www.reducetarian.biz/a7/
hxxp://www.selviproperty.com/a7/
hxxp://www.thienduonghoaviet.com/a7/?02=bQddxXucNe29VgTebBtA37DhuJ2IGQJkXaFwMcPFPgq+UoNzsOqq2tV01DJMkfBpSQI=&1bwLa=EZAlzpAxxBtP4v
hxxp://www.funnysworld.com/a7/?oPO4K6h=9oEwhj9cjQtWoAZ592x26CQcHxBSDeonZxLLJOS9NBoVsJ0zEW9ie8zv+Q/WO1Nper8=&9rIl=nN6t3ZDP3FAX40&sql=1
hxxp://www.goedutravel.com/a7/?02=+QgAwB0JSqywEHA/g7haNvd0hUThneNW/QLTtREdHuhFes4kAovV61wXtISSNHAGc/o=&1bwLa=EZAlzpAxxBtP4v&sql=1
hxxp://www.schmidtatlanguage.com/a7/
hxxp://www.cyn.ink/a7/
hxxp://www.crstudents.net/a7/
hxxp://www.ketones.info/a7/?zRvt4=XrirpkiDLcQ9fw7qDYhW1dM9xDWogF1l4YBu9es5ZIWkp3Ui6MLi6LvpdBpdPNsgPJA2&6lxhA8=U6AlEh
hxxps://aditsachde.com/a7/?zRvt4=9+VsDL3+BkSQJt3J0F2JcNxBq+LVDZq3Wx7/mrtE4zOErkw2WeD5MJ/6W1dCG9iG4qiF&6lxhA8=U6AlEh
hxxp://www.funnysworld.com/a7/
hxxp://www.xn--vuqu93jrjhqkc.net/a7/
hxxp://aditsachde.com/
hxxp://www.revivemyappliance.com/a7/?fxlp=RwazjtDVe0WzIiSi2yvig/WpDe8bVejY7lRk96mt6Cnzjk3g/gSdJWq+/ILE8MriKZM=&0bttHX=iL0dq0_pa60t
hxxp://www.fiveroot.com/a7/
hxxp://www.niggerboutique.com/a7/?oPO4K6h=snNxYPt1gU4a0EYQNZ7aN+NZ5XcR4nxC7CQy3MMjOmJz3Vz9sLCh2zy8SF8gpYiEV6I=&9rIl=nN6t3ZDP3FAX40&sql=1
hxxp://www.globaltimbereurope.com/a7/
hxxp://www.donghairc.com/a7/
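The URLs above share one shape: an arbitrary host, a short single-segment path (/a7/), a query parameter with a short random name carrying a long base64-like blob, a second short parameter, and often a trailing &sql=1. The following added example, not part of the original post, scores proxy-log URLs against that shape and then pivots on the path so that the same campaign path shows up across otherwise unrelated hosts; bare /a7/ requests, which on their own would be too weak to flag, are promoted when their path matches confirmed hits. The log format and the benign lines are constructed; the three suspicious URLs are taken from the list above and refanged to http:// as they would appear in a real log.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log sample in the form "<ts> <src> <method> <url>". The
# first three URLs come from the list above (refanged to http://); the last two
# are benign filler to show that ordinary traffic does not fire the detector.
LOG = """\
2024-02-29T10:01:02Z 10.0.0.5 GET http://www.revivemyappliance.com/a7/?oPO4K6h=RwazjtDVe0WzIiSi2yvig/WpDe8bVejY7lRk96mt6Cnzjk3g/gSdJWq+/ILE8MriKZM=&9rIl=nN6t3ZDP3FAX40&sql=1
2024-02-29T10:01:09Z 10.0.0.5 POST http://www.reducetarian.biz/a7/
2024-02-29T10:02:15Z 10.0.0.7 GET http://www.goedutravel.com/a7/?02=+QgAwB0JSqywEHA/g7haNvd0hUThneNW/QLTtREdHuhFes4kAovV61wXtISSNHAGc/o=&1bwLa=EZAlzpAxxBtP4v&sql=1
2024-02-29T10:03:00Z 10.0.0.9 GET http://www.example.com/search?q=appliance+repair&page=2
2024-02-29T10:03:30Z 10.0.0.9 GET http://cdn.example.net/a7/style.css
"""

SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9]{1,4}/$")      # e.g. /a7/
SHORT_KEY_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")          # e.g. oPO4K6h, 02
B64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-like value


def split_query(query):
    """Split a query string into (key, value) pairs without decoding.

    parse_qs() is deliberately avoided: it turns '+' into a space and would
    corrupt the base64-like blob before it is matched.
    """
    pairs = []
    for part in query.split("&"):
        if part:
            k, _, v = part.partition("=")
            pairs.append((k, v))
    return pairs


def score_url(url):
    """Return (score, reasons) for one URL; score 0 means the shape does not match."""
    u = urlsplit(url)
    reasons = []
    if not SHORT_PATH_RE.match(u.path):
        return 0, reasons
    reasons.append("short single-segment path")
    pairs = split_query(u.query)
    if any(SHORT_KEY_RE.match(k) and B64_BLOB_RE.match(v) for k, v in pairs):
        reasons.append("short random key carrying a base64-like blob")
    if ("sql", "1") in pairs:
        reasons.append("trailing sql=1 marker")
    return len(reasons), reasons


def parse_log(log):
    for line in log.splitlines():
        if line.strip():
            ts, src, method, url = line.split(maxsplit=3)
            yield ts, src, method, url


def detect(log, threshold=2):
    """Flag URLs scoring at or above threshold, then promote weaker hits whose
    path is shared with a confirmed hit. Returns (hits, hosts_by_path)."""
    strong, weak = [], []
    for _ts, src, _method, url in parse_log(log):
        score, reasons = score_url(url)
        if score >= threshold:
            strong.append((src, url, reasons))
        elif score:
            weak.append((src, url, reasons))
    campaign_paths = {urlsplit(u).path for _, u, _ in strong}
    promoted = [(s, u, r + ["path shared with confirmed hits"])
                for s, u, r in weak if urlsplit(u).path in campaign_paths]
    hosts = defaultdict(set)
    for _, u, _ in strong + promoted:
        hosts[urlsplit(u).path].add(urlsplit(u).netloc)
    return strong + promoted, {p: sorted(h) for p, h in hosts.items()}


if __name__ == "__main__":
    hits, by_path = detect(LOG)
    for src, url, reasons in hits:
        print(src, url, "|", "; ".join(reasons))
    print(by_path)
```

The path pivot is the useful part: a single request to a short path is noise, but the same short path with the same query shape across many hosts that have nothing else in common, as in the list above, is a campaign.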

Wednesday, February 28, 2024

Exposing the Warzone RAT (Remote Access Tool) Enterprise - An OSINT Analysis

This just in.

Here's the analysis.

hxxp://www.warzone.ws/

Personal emails: solmyr@warzone.ws; ebase03@hotmail.com

XMPP/Jabber ID: solmyr@xmpp.jp

Telegram: solwz; sammysamwarzone

Skype: vuln.hf

Facebook account: https://www.facebook.com/il.meli.5

Sample photos of Warzone RAT (Remote Access Tool):

Sample photos of Daniel Meli:

Monday, February 26, 2024

From the "Dipshitness is Cool But Is It Relevant" Department?

From the "we hate you, we don't want to see you, you don't exist and we don't want to see or hear anything about you" department.

Cheers!

The Troyan, Bulgaria Local Dipshit Leader Gipsy King That "Killed" Them All

Writing dipshit "poetry" and singing it "all" constitutes illegal and dipshit activity. Guess what? You're somehow supposed to be master of it.

Profiling the xDedic Cybercrime Service Enterprise

My latest white paper for WhoisXML API.

The popular cybercrime-friendly xDedic service was recently shut down. In this analysis we take an in-depth look at the Internet-connected infrastructure of the xDedic enterprise and offer practical technical insights that make it easier for fellow researchers, vendors and law enforcement to keep track of its current, historical and upcoming online activity.

Sample domains:
hxxp://xdedic.biz
hxxp://xdedic.ac
hxxp://xdedic.tk

Known responding IPs:
194.12.255.28
81.25.59.80
125.209.101.190
41.74.66.229
186.2.163.126
91.220.101.43
41.164.71.116
104.21.31.62
172.67.175.56
104.31.84.191
104.31.85.191
185.214.10.111
93.158.215.185
87.236.215.18
5.135.26.102
176.123.6.191

Personally identifiable information:
Email: support@xdedic.biz, abuse@xdedic.ac
Jabber support: support@xdedic.tk, support2@xdedic.tk
ICQ 591-20-47

Related personally identifiable information:

support@e-investhost.com

Name Server: NS1.E-INVESTHOST.COM
Name Server: NS10.E-INVESTHOST.COM
Name Server: NS2.E-INVESTHOST.COM
Name Server: NS20.E-INVESTHOST.COM
Name Server: NS21.E-INVESTHOST.COM
Name Server: NS3.E-INVESTHOST.COM
Name Server: NS4.E-INVESTHOST.COM
Name Server: NS5.E-INVESTHOST.COM
Name Server: NS6.E-INVESTHOST.COM
Name Server: NS7.E-INVESTHOST.COM
Name Server: NS8.E-INVESTHOST.COM
Name Server: NS9.E-INVESTHOST.COM

Current related domain registrations:
infox.sg
getmobiledevices.com
trustpharms.com
start55555.com
elevrus24.com

Known responding IPs:
141.105.69.219
80.93.188.78
158.255.1.56
88.208.35.36
88.208.57.120
188.126.76.59
46.229.164.15
185.26.230.134
62.152.53.50
209.99.40.222
103.18.40.182

Historic related domain registrations:
mstroy.pro
viagraovernightdelivery.biz
kuechenmarkt.moscow
baf.moscow
xdedic.biz
kurgan-45.info
rrwiki.biz
legioneer.biz

Known responding IPs:
209.99.40.219
104.21.31.62
172.67.175.56
74.220.207.139
5.135.26.102
91.220.101.43
104.31.84.191
104.31.85.191
41.164.71.116
194.12.255.28
81.25.59.80
125.209.101.190
41.74.66.229
186.2.163.126
185.84.110.74
185.84.110.75
185.84.110.72
185.84.110.73
185.84.110.70
185.84.110.71
185.84.110.65
185.84.110.66
185.84.110.84
185.84.110.85
185.84.110.82
185.84.110.83

Related domain registrations:

xdedic.biz
wertor.info
adminin.mobi
swap-money.biz
fedumps.pro
gossipgel.com
viagra-purchase.org
goodfinance-blog.com
q-seo.biz
ed-generics-online.com
hotnpapers.com
buycytotecnow.com
pharmaplus.biz
buyingamoxicillin.com
buyingclomid.com
amtrustpills.com
site-in-top.biz
omerta.cc

Known responding IPs:

91.195.240.117
193.187.128.22
18.215.128.143
193.187.128.60
52.4.209.250
149.202.225.167
18.213.250.117
91.227.18.166
172.67.164.204
194.190.153.138
104.31.70.227
212.47.196.170
195.140.147.9
104.31.71.227
51.161.1.45
89.111.178.107
45.156.119.4
209.99.40.220
40.117.174.224
89.111.176.101
178.154.240.197
89.111.176.224
194.85.61.76
38.11.201.106
38.165.108.130
204.12.207.178
192.151.154.52
104.21.31.62
156.253.118.74
186.2.163.126
5.135.26.102
91.220.101.43
172.67.175.56
119.28.6.251
104.31.84.191
72.52.178.23
104.31.85.191
150.95.54.165
41.164.71.116
150.95.255.38
194.12.255.28
185.28.193.195
81.25.59.80
159.253.25.197
125.209.101.190
159.253.28.197
41.74.66.229
187.134.45.172
89.35.39.50
190.133.29.139
209.99.40.223
189.245.138.156
141.8.224.169
187.204.88.251
91.237.88.232
201.119.124.139
186.50.114.86
201.119.9.63
186.48.59.8
170.178.183.18
103.224.182.242
75.2.18.233
165.3.150.34
154.221.230.198
169.148.17.239
154.201.195.229
179.25.249.159
155.159.237.68
2.88.87.18
160.124.92.248
186.50.124.35
15.197.210.240
178.73.236.178
210.230.244.170
141.8.224.93
91.209.77.20
188.120.239.86
184.168.221.55
208.91.197.206
185.53.179.8
141.8.224.183
85.114.137.19
52.200.243.123
52.20.104.240
52.71.117.99
107.23.160.218
162.214.81.12
103.50.163.86
52.71.185.125
52.6.86.86
54.210.33.190
54.236.123.224
107.23.198.240
52.4.72.137
23.20.239.12
54.174.212.152
54.208.174.161
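The IP lists above overlap, but not every shared IP carries the same weight: an address that fronts thousands of unrelated sites says little about who operates a domain. Here is an added example, not part of the original post, that computes the pairwise overlap between the IP sets above and separates addresses inside shared-infrastructure ranges from the rest. The IP sets are a constructed subset of the lists above; the shared ranges are an assumption standing in for whatever CDN and shared-hosting list the analyst maintains (the two shown are Cloudflare's published 104.16.0.0/13 and 172.64.0.0/13).

```python
import ipaddress
from itertools import combinations

# Constructed input: a subset of the "Known responding IPs" lists above, keyed
# by the domain set each list belongs to.
IP_SETS = {
    "xdedic_domains": {
        "194.12.255.28", "81.25.59.80", "104.21.31.62",
        "172.67.175.56", "5.135.26.102", "91.220.101.43",
    },
    "e-investhost_current": {"141.105.69.219", "80.93.188.78", "158.255.1.56"},
    "e-investhost_historic": {
        "209.99.40.219", "104.21.31.62", "172.67.175.56",
        "5.135.26.102", "91.220.101.43", "194.12.255.28",
    },
    "related_registrations": {
        "91.195.240.117", "104.21.31.62", "172.67.175.56", "5.135.26.102",
        "91.220.101.43", "194.12.255.28", "81.25.59.80",
    },
}

# Assumption: ranges the analyst treats as shared infrastructure, where a common
# IP says little about who operates the domains behind it. The two here are
# Cloudflare's published 104.16.0.0/13 and 172.64.0.0/13.
SHARED_RANGES = [ipaddress.ip_network(c) for c in ("104.16.0.0/13", "172.64.0.0/13")]


def is_shared(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_RANGES)


def overlaps(ip_sets: dict) -> dict:
    """Pairwise overlap: (set_a, set_b) -> (strong_ips, shared_only_ips).

    strong_ips are common addresses outside the shared ranges and are the
    ones worth pivoting on; shared_only_ips are reported but down-weighted.
    Pairs with no common address are omitted.
    """
    result = {}
    for a, b in combinations(sorted(ip_sets), 2):
        common = ip_sets[a] & ip_sets[b]
        if not common:
            continue
        ordered = sorted(common, key=ipaddress.ip_address)
        strong = [ip for ip in ordered if not is_shared(ip)]
        weak = [ip for ip in ordered if is_shared(ip)]
        result[(a, b)] = (strong, weak)
    return result


def rank_links(ip_sets: dict) -> list:
    """Rank set pairs by how many non-shared IPs they have in common."""
    ov = overlaps(ip_sets)
    return sorted(((pair, len(strong)) for pair, (strong, _) in ov.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for pair, (strong, weak) in overlaps(IP_SETS).items():
        print(pair, "strong:", strong, "shared-only:", weak)
    print(rank_links(IP_SETS))
```

Running it on the full lists above is the same call with the complete sets; the ranking tells you which of the "Known responding IPs" sections are linked by dedicated hosting rather than by a CDN edge that half the Internet also sits behind.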

Saturday, February 24, 2024

Conti Ransomware Gang's Russia-Based Music Album Labels and Plastika Recording Studio - An OSINT Analysis

I recently came across another image in the Conti ransomware gang's leaked internal communication, which I data mined with the idea of producing a proper analysis and connecting the dots. In this case it appears that the member of the Conti ransomware gang responsible for their advertising and marketing creative is also producing advertising and marketing creative for other clients, in this specific case Russia-based rap and hip-hop artists and their album covers.

Is this the case? Let's find out.


Original Russia-based Artist album cover screenshot found by data mining Conti ransomware gang's publicly accessible leaked internal communication

Original Russian music artist SAYTEE SAI - Nikita Zharinov - born 10 January 2002 - hxxp://vk.com/kidsocial - album cover, part of the PLASTIKA Russia-based recording studio

Sample personal photos of Nikita Zharinov:

Artwork courtesy of: W8D8DIGITAL - hxxp://www.instagram.com/w8d8w8d8/

hxxp://vk.com/w8d8w8d8 -> hxxp://vk.com/lungo999 -> Alexey Plyushkin - Born - 11 April 1994


Related images:

Sample personal photos of the owner and the advertising and marketing creative developer for the album cover – W8D8DIGITAL:

Sample photo of Flowers a Capella recording studio also based on the same address:

Sample personal photo of Oleg Dyachenko:

Sample personal photo of Oleg Khruschev:

Flowers a Capella -> Oleg Dyachenko - Born 10 February -> hxxp://vk.com/where.oreo; hxxp://vk.com/id234109753

Oleg Khruschev (Олег Хрущев) - born 14 February -> hxxp://vk.com/lezhatpluslezhat; hxxp://vk.com/id166833144

+7 (912) 629-76-36

Kirova Street 9, Yekaterinburg (улица Кирова, 9, Екатеринбург)

hxxp://t.me/flowersacapellastudio -> hxxp://t.me/kreasttik

hxxp://vk.com/whoisplutok9

hxxp://vk.com/id654906170 -> hxxp://vk.com/flowers.since2023