Ex-Cybercrime Forum Community Member Runs a Profitable Penetration Testing Business - An Analysis

Since 2021 as a part of an in-house research and capability building project I’ve been collecting tons of publicly accessible only cybercrime forum information data where I aimed at building the actual volume for this project which currently amounts to 1.5TB of actionable intelligence on current and historical cybercrime and cybercriminal activity where I aim to provide an in-depth analysis in an upcoming set of white papers on the topic of the current and global and current and emerging state of cybercrime globally including to provide as much qualitative and quantitative including in-depth and relevant technical details on their malicious and fraudulent activity online where our primary goal would be to assist fellow researchers vendors and organizations including Law Enforcement on its way to improve their situational awareness in the field and to build their analysis capabilities by providing them with an in-depth overview including the big picture and all the relevant connect the dots research and analysis in our upcoming set of white papers.

 

Sample personally identifiable email address account known to have been involved in the campaign includes:

dovolniipirogok[.]hotmail.com

In this analysis I've spotted and decided to elaborate more on a well known and confirmed as a cybercriminal in my own 1.5TB cybercrime and cybercriminal activity data set that appears to be running a currently active low-profile Penetration Testing business with several employees and a LinkedIn Company Page.

 

My initial analysis states that as the email account he used to register his domain is a well known email address account that belongs to a well known cybercriminal users organizations and companies should probably stay away and keep in mind when doing business with the low profile Penetration Testing company operated by the cybercriminal which we’ll profile in this post.

 

hxxp://secure-partners.com - 67.222.38.88

 

Secure Partners

3578 Hartsel Dr,

E230 Colorado Springs,

CO 80920

P: (719) 219-9489

We also have the same IP (67.222.38.88) acting as a C&C for the following MD5: C74971B8BBE623CE9CA42DAEA37B89C5 in specific it phones back to hxxp://www.revivemyappliance.com/a7/?qRNhrDdX=RwazjtCjCkDOJFWkqyvig/WpDe8bVejY7lRk4rW26z7wj0389UWJMya8nIjb6sumHpd9Rw==&TV=bl1d7BMXcny4&sql=1

 

 

Related MD5s known to have phoned back to revivemyappliance.com:

a1391b9873a51ab38b3e160fb157bbee

dfc2e426f67bb90a2ece8ec6e9d627c8

98a1ca5c120649dce089c077854027f3

b999cd98ab68cd8c0384da456b73d516

41005e714de8c9f71c013b97c35e5eb3

b98d55a66bc6f3577a6e6fe3d0ea15f2

 

What we’ve got here is a decent example of a fraudulent infrastructure where we have a confirmed and well known cybercriminal operating a low profile Penetration Testing company which also has a LinkedIn page where several people are known to work there including an additional domain parked on the same IP as the original IP of the domain operated by the cybercriminal where we also have a malicious software variant that’s phoning back to another domain parked on the same IP where we also have an additional set of malicious MD5s also phoning back to the same domain where both of these domains including the one registered by the confirmed cybercriminal are using the same IP which means that this is a very good example of a cybercriminal infrastructure gone rogue in the context of staying beneath the radar where the most important part of the situation is to keep in mind that the cybercriminal behind this low profile Penetration Testing company could easily turn it into a profitable business including to possibly scam an unknown number of users into doing business with him where the most important part would be to keep an eye on this Web property where the most important part would be to monitor for additional spam and advertising and additional advertising and promotion campaigns by the cybercriminal in order to drive sales and new clients to his low profile company on the Web.

We also have the following malicious URLs known to have phoned back to the same malicious MD5s which we profiled and earlier exposed such as for instance:

hxxp://www.revivemyappliance.com/a7/?DxO=RwazjtDTADTAKiPW2Cvig/WpDe8bVejY7lRk56ut5DbiiEGz4

xzTKQ3pk93g2qTv&SNl=sPxt4JrPCz6TDH

hxxp://www.casineuros.com/a7/

hxxp://www.luxuryconversion.com/a7/

hxxp://www.carminesforlife.com/a7/

hxxp://benthanh-toyota.com/a7/

hxxp://www.hugedomains.com/domain_profile.cfm?d=brandsinfinity&e=com

hxxp://www.revivemyappliance.com/a7/?P2uLzd=RwazjtDTADTAKiPW2Cvig/WpDe8bVejY7lRk56ut5DbiiEGz4xz

TKQ3pk93g2qTv&DDIDU=MjLPbJ5HQZclu8m0

hxxp://short-it.com/a7/?P2uLzd=gTy+o5HC3Jf2kvAJCACoCIH3YpRJsHlS6mNQC/VkGp63JvDNxPxGGVsb3uu3q

Dyy&DDIDU=MjLPbJ5HQZclu8m0

hxxp://www.theadvancedcoach.com/a7/

hxxp://www.revivemyappliance.com/a7/

hxxp://www.revivemyappliance.com/a7/?A2MDSDG=RwazjtDQDE/FJFbXrSvig/WpDe8bVejY7lJ0koK3+T7xjFb66

EHFa2iwkOiw6++xEqQl&mN9tO=h0DX3z

hxxp://www.xctljc.com/a7/?mN9tO=h0DX3z&A2MDSDG=Q+xSXVSgPsX+ui8RWtkE0LMceuxsebFTKQeh

0+SSCeFZZ9AoDc0s

cGF/ruslfBefMMLU

hxxp://survey-smiles.com/

hxxp://www.revivemyappliance.com/a7/?oPO4K6h=RwazjtDVe0WzIiSi2yvig/WpDe8bVejY7lRk96mt6Cnzjk3g/gSdJ

Wq+/ILE8MriKZM=&9rIl=nN6t3ZDP3FAX40&sql=1

hxxp://www.ketones.info/a7/

hxxp://www.reducetarian.biz/a7/?oPO4K6h=hdedISV3GjDwkmYUr4ft9lbxQf5yIg0ZRDGn00BC0yORqxC+L

Jf8C9E+DkmPMyQTbog

=&9rIl=nN6t3ZDP3FAX40&sql=1

hxxp://www.goedutravel.com/a7/

hxxp://www.rabe-networks.com/a7/?fxlp=gTy+o5HEp+aFmvd9CwCoCIH3YpRJsHlS6mNQG/dkFoGmIPye2e

QIFTxMsbSTglK/psg=&0bttHX=iL0dq0_pa60t&sql=1

hxxp://www.reducetarian.biz/a7/

hxxp://www.selviproperty.com/a7/

hxxp://www.thienduonghoaviet.com/a7/?02=bQddxXucNe29VgTebBtA37DhuJ2IGQJkXaFwMcPFPgq+UoNzs

Oqq2tV01DJMkfBpSQI=&1bwLa

=EZAlzpAxxBtP4v

hxxp://www.funnysworld.com/a7/?oPO4K6h=9oEwhj9cjQtWoAZ592x26CQcHxBSDeonZxLLJOS9NBoVsJ0z

EW9ie8zv+Q/WO1Nper8=&9rIl=nN6t3ZDP3FAX40&sql=1

hxxp://www.goedutravel.com/a7/?02=+QgAwB0JSqywEHA/g7haNvd0hUThneNW/QLTtREdHuhFes4kAovV

61wXtISSNHAGc/o=&1bwLa=EZAlzpAxxBtP4v&sql=1

hxxp://www.schmidtatlanguage.com/a7/

hxxp://www.cyn.ink/a7/

hxxp://www.crstudents.net/a7/

hxxp://www.ketones.info/a7/?zRvt4=XrirpkiDLcQ9fw7qDYhW1dM9xDWogF1l4YBu9es5ZIWkp3Ui6MLi6L

vpdBpdPNsgPJA2&6lxhA8

=U6AlEh

https://aditsachde.com/a7/?zRvt4=9+VsDL3+BkSQJt3J0F2JcNxBq+LVDZq3Wx7/mrtE4zOErkw2WeD5MJ/6

W1dCG9iG4qiF&6lxhA8=U6AlEh

hxxp://www.funnysworld.com/a7/

hxxp://www.xn--vuqu93jrjhqkc.net/a7/

hxxp:///aditsachde.com/

hxxp:///www.revivemyappliance.com/a7/?fxlp=RwazjtDVe0WzIiSi2yvig/WpDe8bVejY7lRk96mt6Cnzjk3g/gSd

JWq+/ILE8MriKZM=&0bttHX=iL0dq0_pa60t

hxxp://www.fiveroot.com/a7/

hxxp://www.niggerboutique.com/a7/?oPO4K6h=snNxYPt1gU4a0EYQNZ7aN+NZ5XcR4nxC7CQy3MMjOmJ

z3Vz9sLCh2zy8SF8gpYiEV6I=&

9rIl=nN6t3ZDP3FAX40&sql=1

hxxp://www.globaltimbereurope.com/a7/

hxxp://www.donghairc.com/a7/