Monday, September 16, 2024

A Personally Identifiable Cyber Jihadist Domain Portfolio

Dear blog readers,

The following is a compilation of publicly accessible information on cyber jihad URLs. 

Sample domains include:

hxxp://7hj[.]com
hxxp://alhawali[.]com
hxxp://almurabeton[.]org
hxxp://anwar-islam[.]com
hxxp://aqsavoice[.]net
hxxp://fateh[.]ornewsindex[.]php
hxxp://lvo[.]info
hxxp://palestine-info-urdu[.]com
hxxp://qudsway[.]org
hxxp://web[.]manartv[.]org
hxxp://3asfh[.]com
hxxp://abrarway[.]com
hxxp://al-ansar[.]biz
hxxp://al-ansar[.]net
hxxp://al-fateh[.]net
hxxp://al-mojahedoon[.]net
hxxp://al-nour[.]net
hxxp://alaaleb[.]org
hxxp://alahed[.]org
hxxp://alawajy[.]net
hxxp://alemdad[.]org
hxxp://alftn[.]org
hxxp://alhaq[.]info
hxxp://alharamain[.]net
hxxp://alharamain[.]org
hxxp://alhesbah[.]org
hxxp://aljarha[.]org
hxxp://alkotla[.]com
hxxp://alkotla[.]net
hxxp://alkotla[.]org
hxxp://alm2sda[.]com
hxxp://alm2sda[.]net
hxxp://almahdiscouts[.]org
hxxp://almjlah[.]net
hxxp://almoltaqa[.]org
hxxp://almuhajiroun[.]com[.]pk
hxxp://almuhajiroun[.]com
hxxp://almuk[.]comobm
hxxp://almuslimoon[.]com
hxxp://alnour[.]net
hxxp://alokab[.]com
hxxp://alqaida[.]com
hxxp://alqassam[.]net
hxxp://alrassoul[.]org
hxxp://alresalah[.]org
hxxp://alsakifah[.]org
hxxp://alshahd[.]net
hxxp://alshorouq[.]org
hxxp://alsunnah[.]org
hxxp://altartousi[.]com
hxxp://alwatanvoice[.]com
hxxp://ansaar[.]info
hxxp://aqsavoice[.]com
hxxp://as-sabeel[.]com
hxxp://as-sahwah[.]com
hxxp://ayobi[.]com
hxxp://b-alshohda[.]com
hxxp://baqiatollah[.]org
hxxp://barsomyat[.]com
hxxp://bouti[.]net
hxxp://caliphate[.]net
hxxp://cdlr[.]net
hxxp://cihad[.]net
hxxp://clearguidance[.]com
hxxp://d3wa[.]net
hxxp://daralislamia[.]com
hxxp://donhost[.]co[.]uk
hxxp://ekhlaas[.]com
hxxp://elehssan[.]com
hxxp://et[.]4t[.]com
hxxp://ezzedeen[.]net
hxxp://faroq[.]net
hxxp://faroq[.]orgnews
hxxp://fateh-org[.]org
hxxp://fateh[.]org
hxxp://fateh[.]tv
hxxp://fatehfalcons[.]org
hxxp://fatehorg[.]org
hxxp://forbidden-news[.]com
hxxp://forum[.]tevhidweb[.]com
hxxp://h-alali[.]net
hxxp://hamasonline[.]com
hxxp://hamasonline[.]org
hxxp://hayaa[.]org
hxxp://hilafet[.]com
hxxp://hizb-ut-tahrir[.]dk
hxxp://hizb-ut-tahrir[.]org
hxxp://hizballah[.]org
hxxp://hizbollah[.]org
hxxp://hizbollah[.]tv
hxxp://hosteurope[.]com
hxxp://ikhwan[.]net
hxxp://ilakat[.]org
hxxp://infopalestina[.]com
hxxp://instimata[.]com
hxxp://intiqad[.]com
hxxp://iraqirabita[.]net
hxxp://islam-minbar[.]net
hxxp://islam-qa[.]com
hxxp://islamic-bloc[.]net
hxxp://islamic-block[.]org
hxxp://islamic-minbar[.]com
hxxp://islamicawakening[.]com
hxxp://islamicbloc[.]net
hxxp://islamicblock[.]com
hxxp://islamichackers[.]com
hxxp://islammessage[.]com
hxxp://istimata[.]com
hxxp://iu-shabeba[.]org
hxxp://jahido[.]com
hxxp://jahra[.]org
hxxp://jamaaway[.]org
hxxp://jewstoislam[.]com
hxxp://jihadbinaa[.]org
hxxp://jihadislami[.]org
hxxp://jihadonline[.]net
hxxp://jihadunspun[.]com
hxxp://jimail[.]com
hxxp://jimails[.]com
hxxp://jwebs[.]net
hxxp://jwebs[.]org
hxxp://kataeb-ezzeldeen[.]com
hxxp://kataebabuali[.]com
hxxp://kataebabuali[.]net
hxxp://kataebabuali[.]org
hxxp://kataebalaqsa[.]com
hxxp://kataebalaqsa[.]org
hxxp://kataebaqsa[.]com
hxxp://kataebaqsa[.]net
hxxp://kataebaqsa[.]org
hxxp://kataebaqsa1[.]com
hxxp://kataebaqsaforum[.]org
hxxp://kataebq[.]com
hxxp://khayma[.]com
hxxp://khiamwatch[.]net
hxxp://khilafah[.]com
hxxp://maac[.]ws
hxxp://maktab-al-jihad[.]com
hxxp://manartv[.]com
hxxp://mawlawi[.]net
hxxp://mojahedun[.]com
hxxp://moqawama[.]net
hxxp://moqawama[.]org
hxxp://moqawama[.]tv
hxxp://muslimeen[.]co[.]uk
hxxp://naimkassem[.]org
hxxp://nasrallah[.]net
hxxp://nasrollah[.]net
hxxp://nasrollah[.]org
hxxp://obm[.]clara[.]net
hxxp://openforum[.]ws
hxxp://palestine-info[.]cc
hxxp://palestine-info[.]co[.]uk
hxxp://palestine-info[.]com
hxxp://palestine-info[.]info
hxxp://palestine-info[.]net
hxxp://palestine-info[.]ru
hxxp://palestine-persian[.]info
hxxp://palestinegallery[.]com
hxxp://palestineway[.]com
hxxp://palestinianforum[.]net
hxxp://palsm[.]com
hxxp://palvoice[.]com
hxxp://pflp-gc[.]org
hxxp://qal3ah[.]net
hxxp://qana[.]net
hxxp://qaradawi[.]netsite
hxxp://qawim[.]org
hxxp://qudsnews[.]net
hxxp://qudsonline[.]net
hxxp://qudsway[.]com
hxxp://qudsway[.]net
hxxp://rabdullah[.]com
hxxp://rabdullah[.]net
hxxp://rantisi[.]net
hxxp://register[.]com
hxxp://ribaat[.]org
hxxp://rightword[.]net
hxxp://saaid[.]net
hxxp://sabiroon[.]com
hxxp://sabiroon[.]net
hxxp://sabiroon[.]org
hxxp://sadaaljihad[.]net
hxxp://sahwah[.]com
hxxp://salafiahweb[.]tk
hxxp://sarayaalquds[.]com
hxxp://sarayaalquds[.]org
hxxp://shareeah[.]com
hxxp://shareeah[.]org
hxxp://shikaki[.]com
hxxp://shikaki[.]net
hxxp://shuhadaa[.]org
hxxp://specialforce[.]net
hxxp://sraya[.]com
hxxp://stcom[.]net
hxxp://tawhed[.]ws
hxxp://the-revival-forum[.]info
hxxp://trouble-free[.]net
hxxp://wilayah[.]com
hxxp://wilayah[.]ir
hxxp://wilayah[.]net
hxxp://wilayah[.]org
hxxp://worldofislam[.]info
hxxp://yaislah[.]org
hxxp://dci[.]co[.]ir
hxxp://ibtekarat[.]com

The Intersection Between a Snowden Slide and a Supposedly Malicious MD5

This is from the "correct me if I'm wrong, but this is publicly accessible information, so why shouldn't I take a look at it" department.

I've recently been going through Snowden's archive and came across my favorite presentation, which is on the topic of 4th party collection. Now that we all know that I participated in GCHQ's Lovely Horse program with my Twitter account, where I was "supposed" to improve the security awareness of the GCHQ with my tweets, I came across several unredacted domain names in NSA's TAO Application Suite and decided to look them up while living in the universal world where everyone seems to submit and know everything, which is VirusTotal.

The document is also available in the OCR version at the National Security Archive.

Here are the domains:

hxxp://mcee.org - 65.111.254.13

hxxp://sandrogolinelli.net

hxxp://transpersia.com

Here are the results: 

http://mcee.org; http://sandrogolinelli.net; http://transpersia.com, where we already know that MD5: e5107ff5153547a8d9cc5738289e9f96 is known to have phoned back to mcee.org, specifically http://mcee.org/service.php?p=dlfile&a=3574736a716a07016a0201060d0103010615515945595441535a47586a565459595754565e155354415d50471843061b041b03 and http://mcee.org/service.php?p=pop&url=2160677e657e13157e1615121915171512015920282b0c0c0c0111130e10110e131110190111141b14101b1119010c0c0c2b606213641016631014016473736e731b01094f544d4d082b, and MD5: adfbc680b21257cc8b2f204de72ec57a is known to have phoned back to sandrogolinelli.net, where we also know that the same MD5 is known to have phoned back to pooladimm.com (5.144.130.34).
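As an added example (not code from the original post), the following Python refangs indicators written in the post's defanged notation (hxxp:// and [.]), builds a hostname watchlist from them, and scans proxy-log lines for either a watchlisted host or the service.php?p=dlfile / p=pop beacon shape with a long hex argument described in this section. The proxy-log format and the sample lines are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed subset of the indicators listed in this post, in the author's
# defanged notation. The refang step accepts hxxp://, hxxps://, http(s):// and [.].
DEFANGED_DOMAINS = [
    "hxxp://mcee.org",
    "hxxp://sandrogolinelli.net",
    "hxxp://transpersia.com",
    "hxxp://alhesbah[.]org",
    "hxxp://kataebaqsa[.]com",
    "hxxp://web[.]manartv[.]org",
]

# Beacon shape from this section: /service.php with p=dlfile (argument "a")
# or p=pop (argument "url") carrying a long lowercase hex string.
BEACON_PATH = re.compile(r"/service\.php$")
HEX_ARG = re.compile(r"[0-9a-f]{40,}")


def refang(indicator: str) -> str:
    """Turn a defanged URL or domain into a lowercase bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    return s.split("/")[0]


def build_watchlist(indicators):
    """Set of refanged hostnames for O(1) lookups."""
    return {refang(i) for i in indicators}


def parse_proxy_line(line: str):
    """Constructed format: '<timestamp> <src_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, src, method, url, status = parts[:5]
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def classify(line: str, watchlist):
    """Return the parsed record with a 'hits' list, or None for unparseable lines."""
    rec = parse_proxy_line(line)
    if rec is None:
        return None
    u = urlparse(rec["url"])
    host = (u.hostname or "").lower()
    hits = []
    if host in watchlist:
        hits.append("watchlist-domain")
    if BEACON_PATH.search(u.path):
        q = parse_qs(u.query)
        p = q.get("p", [""])[0]
        arg = q.get("a", q.get("url", [""]))[0]
        if p in ("dlfile", "pop") and HEX_ARG.fullmatch(arg):
            hits.append("beacon-pattern")
    rec["host"] = host
    rec["hits"] = hits
    return rec


def scan(lines, watchlist):
    """Records that triggered at least one hit, in log order."""
    out = []
    for line in lines:
        rec = classify(line, watchlist)
        if rec and rec["hits"]:
            out.append(rec)
    return out


# Constructed sample proxy log: one beacon-shaped request to a watchlisted host,
# one benign request, one plain request to a watchlisted host, and one
# service.php request that lacks the beacon parameters.
SAMPLE_LOG = """\
2024-09-16T10:00:01Z 10.0.0.5 GET http://mcee.org/service.php?p=dlfile&a=3574736a716a07016a0201060d0103010615515945 200
2024-09-16T10:00:07Z 10.0.0.5 GET http://example.com/index.html 200
2024-09-16T10:01:13Z 10.0.0.9 GET http://sandrogolinelli.net/ 200
2024-09-16T10:02:00Z 10.0.0.7 GET http://benign.example/service.php?p=help 404
"""

if __name__ == "__main__":
    wl = build_watchlist(DEFANGED_DOMAINS)
    for rec in scan(SAMPLE_LOG.splitlines(), wl):
        print(rec["ts"], rec["src"], rec["host"], ",".join(rec["hits"]))
```

The two checks are kept separate on purpose: a watchlist hit on its own is a lookup that ages as domains change hands, while the path-and-parameter shape survives a change of hosting, so a line that triggers both is the strongest signal and one that triggers only the shape is worth a look even for a host not on the list.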

International Embassies Web Malware Exploitation Serving Domain Properties

Folks,

Do you remember the international embassies web malware exploitation spree using client-side exploits that took place back in 2009, with the Russian Business Network as the hosting provider of choice for these campaigns?

I recently made the effort to revisit my original data set here and tried to enrich it and provide additional analysis with more details and context.

Sample domains known to have been operated by the same individuals behind these campaigns include:

hxxp://beert54[.]xyz
hxxp://aaepgp[.]com
hxxp://brightstonepharma[.]com
hxxp://ksfcradio[.]com
hxxp://ksfcnews[.]com
hxxp://kklfnews[.]com
hxxp://arabiandemographics[.]com
hxxp://sig4forum[.]com
hxxp://pornokman[.]com
hxxp://pinalbal[.]com
hxxp://bodinzone[.]com
hxxp://123124[.]com
hxxp://pixf[.]biz
hxxp://frmimg[.]info
hxxp://us-shops[.]online
hxxp://hornybabeslive[.]com
hxxp://pharmacyit[.]net
hxxp://deapotheke[.]com
hxxp://cplplywood[.]com
hxxp://us-electro[.]online
hxxp://omiardo[.]com
hxxp://ramualdo[.]com
hxxp://odmarco[.]com

Sample personally identifiable email address accounts known to have been involved in these campaigns:

nepishite555suda[.]gmail.com
abusecentre[.]gmail.com
belyaev_andrey[.]inbox.ru
srvs4you[.]gmail.com
migejosh[.]yahoo.com
kseninkopetr[.]nm.ru
palfreycrossvw[.]gmail.com
redemption[.]snapnames.com
mogensen[.]fontdrift.com
xix.x12345[.]yahoo.com
johnvernet[.]gmail.com
4ykakabra[.]gmail.com
mironbot[.]gmail.com
fuadrenalray[.]gmail.com
incremental[.]list.ru
traffon[.]gmail.com
auction[.]r01.ru
admin[.]brut.cn
bobby10[.]mail.zp.ua
ipspec[.]gmail.com
OdileMarcotte[.]gmail.com
sflgjlkj45[.]yahoo.com

Sample MD5s:

MD5: ca9c64945425741f21ba029568e85d29
MD5: b252c210eeed931ee82d0bd0f39c4f1d
MD5: 787ed25000752b1c298b8182f2ea4faa
MD5: fcbd2777c8352f8611077c084f41be8c
MD5: ce02bed90fd08c3586498e0d877ff513
MD5: 97ff606094de24336c3e91eaa1b2d4f0
MD5: a0caae81c322c03bd6b02486319a7f40
MD5: 5733030dcd96cec73e0a86da468a101c
MD5: 5d8398070fa8888275742db5b8bbcebf