
Proprietary Threat Intelligence Reports Available On Demand - Request a Copy Today!

May 28, 2019
Dear blog readers - I wanted to let everyone know of two proprietary Threat Intelligence reports, currently in the works, that you and your organization can easily acquire on demand. The first report details in depth the tactics, techniques and procedures, including hundreds of IOCs (Indicators of Compromise), of the Pay-Per-Install business model circa 2008 and is worth $1,500; the second report, also available on demand, details the inner workings of the CAPTCHA-Solving Underground Market business model and is also worth $1,500.

Similar to my most recent, now publicly available, report "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report", which includes a complimentary social network graph, the proprietary Threat Intelligence reports can be requested online, and the user or organization will receive a complimentary copy of the report, including a possible attribution vector, within 30 days prior to making a purchase.

How can you order a copy of the report?

Feel free to approach me at dancho.danchev@hush.com to inquire about making a purchase.

Stay tuned!

Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang

May 05, 2019
It's 2010 and I've recently come across yet another currently active scareware-serving campaign courtesy of the Koobface gang, this time one that has successfully introduced a CAPTCHA-breaking module, potentially improving the propagation and distribution scale within major social networks.

In this post I'll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of AS29550 - EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
hxxp://ebeoxuw.cn/?uid=13301
hxxp://ebiezoj.cn/22/?uid=13301
hxxp://goscanhand.com/?uid=13301
hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in the campaign:
MD5: 16575a1d40f745c2e39348c1727b8552

Once executed, the sample phones back to:
hxxp://in5it.com/download/Ipack.jpg - the actual executable, served under a .jpg name

Related malicious MD5s known to have participated in the campaign:
MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd
MD5: 6262c0cb1459adc8f278136f3cff2777

It's worth pointing out that, prior to this campaign, the Koobface gang appears to have introduced a CAPTCHA-breaking module that relies on actively outsourcing the CAPTCHA-solving process rather than solving CAPTCHAs locally, potentially improving Koobface's spreading and propagation effectiveness.

Sample malicious URL known to have participated in the campaign:
hxxp://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in the campaign:
hxxp://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed, a sample phones back to the following C&C servers, both hosted on the same IP:
hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 - 67.212.69.230
hxxp://captchastop.com/captcha/?a=get&i=1&v=14 - 67.212.69.230
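To turn the indicators listed in this post into something that can be run over logs, here is an added example (my own code, not part of the original post or the Koobface analysis) that loads the domains, IPs, hashes and request shapes above and checks URLs, proxy log lines and file hashes against them. The proxy log format (`<ts> <client> <status> <method> <url>`) and the log lines themselves are constructed for the example; the `uid=13301`, `/.sys/?getexe=` and `/captcha/?a=get` patterns are taken from the URLs quoted in the post, and the shape-based checks are assumed to generalize to other hosts running the same kit.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post above. The post only ties hosts to two IPs
# (goscandir.com -> 91.212.107.103, the CAPTCHA C&Cs -> 67.212.69.230),
# so those are the only IPs matched here.
KOOBFACE_HOSTS = {
    "goscandir.com", "goscanhand.com", "ebeoxuw.cn", "ebiezoj.cn", "byxzeq.cn",
    "in5it.com", "peacockalleyantiques.com", "capthcabreak.com", "captchastop.com",
}
KOOBFACE_IPS = {"91.212.107.103", "67.212.69.230"}
KOOBFACE_MD5S = {
    "16575a1d40f745c2e39348c1727b8552", "1d5e3d78dd7efd8878075e5dbaa5c4fd",
    "6262c0cb1459adc8f278136f3cff2777", "cf9729bf3969df702767f3b9a131ec2c",
    "f2d0dbf1b11c5c2ff7e5f4c655d5e43e",
}
# Request shapes visible in the post: scareware landing pages carry the
# affiliate id uid=13301, droppers are pulled via "/.sys/?getexe=<name>.exe",
# and the CAPTCHA module polls "/captcha/?a=get&i=<n>&v=<ver>".
CAMPAIGN_UID = "13301"


def refang(url):
    """Turn the post's hxxp:// notation back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_is_known(host):
    host = host.lower().rstrip(".")
    if host in KOOBFACE_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in KOOBFACE_HOSTS)


def classify_url(url):
    """Return the reasons a URL looks like this campaign ([] means no match).

    Host/IP matches are exact indicators; the three pattern matches fire on
    shape alone (an assumption about the kit, not something the post states),
    so they also flag the same kit on hosts the post does not list. Treat
    pattern-only hits as leads to pivot on, not as convictions.
    """
    parts = urlsplit(refang(url))
    qs = parse_qs(parts.query)
    reasons = []
    if parts.hostname and host_is_known(parts.hostname):
        reasons.append("known-host")
    if qs.get("uid") == [CAMPAIGN_UID]:
        reasons.append("affiliate-uid")
    if parts.path.endswith("/.sys/") and any(
        v.lower().endswith(".exe") for v in qs.get("getexe", [])
    ):
        reasons.append("getexe-dropper")
    if parts.path == "/captcha/" and qs.get("a") == ["get"] and "i" in qs and "v" in qs:
        reasons.append("captcha-poll")
    return reasons


def scan_proxy_log(lines):
    """Scan log lines of the (assumed) form '<ts> <client> <status> <method> <url>'.

    Returns (client, url, reasons) for every line matching at least one indicator.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        client, url = fields[1], fields[4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def is_known_md5(digest):
    return digest.strip().lower() in KOOBFACE_MD5S


def file_is_known_sample(blob):
    """Hash arbitrary bytes and check the digest against the post's MD5 list."""
    return is_known_md5(hashlib.md5(blob).hexdigest())


# Constructed log lines (not real traffic): three campaign requests, one benign.
SAMPLE_LOG = [
    "1273000001.001 10.0.0.5 TCP_MISS/200 GET http://goscanhand.com/?uid=13301",
    "1273000002.002 10.0.0.5 TCP_MISS/200 GET http://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe",
    "1273000003.003 10.0.0.5 TCP_MISS/200 GET http://67.212.69.230/captcha/?a=get&i=0&v=14",
    "1273000004.004 10.0.0.7 TCP_HIT/200 GET http://example.org/index.html",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

Running it against the constructed log flags the three campaign requests from 10.0.0.5 and ignores the benign one; the third hit matches on the C&C IP alone, which is why IP indicators are kept separately from the domain list even though the post pairs them.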