
Profiling Yaroslav Vasinskyi from the Kaseya Ransomware Attack Campaign - An OSINT Analysis

January 27, 2022


The U.S. Justice Department has recently made arrests in the Kaseya ransomware campaign, and I've decided to dig a little deeper and provide actionable intelligence exposing the individuals behind these campaigns, with the aim of assisting U.S. law enforcement in tracking down and prosecuting the cybercriminals responsible.

Sample personally identifiable information on Yaroslav Vasinskyi:

Mobile: +380993082660

Phone: 1-800-225-5324 which is actually the phone number of the FBI

Personal email address accounts: yarik45@gmail[.]com, yaroslav2468@mail[.]ru

Online handles: Yarik45, Yaroslav2468

ICQ: 635995970

He is also known to have offered the following Web site as a template across various cybercrime-friendly forum communities - hxxp://wholesale-dress[.]net, which is currently owned and managed by hxxp://counterfeittechnology[.]com. The following domains are known to have been registered by the same individual who registered the original domain:

opensib[.]com
fotonota[.]me
bartrans[.]net
nebolsina[.]com
digitalreality[.]world
digitalrealty[.]world
whitecrow[.]club
opensib[.]club
vkfoto[.]org
vkfoto[.]net
vkfoto[.]biz
foto2u[.]info
foto2u[.]org
foto2u[.]net
foto2u[.]biz
foto4u[.]biz
photo2u[.]biz
gospace[.]biz

aircitypost[.]com
youhavedownloaded[.]com
xmllogistic[.]org
mega-battery[.]com
aramzam[.]com
allforlaptop[.]com
soirot[.]com
mailingtechnology[.]info
mailingtechnology[.]org
counterfeit[.]technology
xmllogistic[.]net
xmllogistic[.]com
ftn-presentation[.]com
counterfeittechnology[.]com
toskanmarket[.]com
identificationninja[.]com
mrboating[.]com
ironsyssecurity[.]com
danandnadia[.]us
xmlshop[.]biz
shopxml[.]biz
xmlshop[.]us
shopxml[.]us
mrboating[.]us
mrboating[.]biz
xmlshop[.]org
shopxml[.]org
mrboating[.]org

dressinus[.]us
dressywomen[.]com
bridalcorn[.]org
promdressesuk[.]org
lafemmedresses2015[.]org
sherrihilldress[.]org
cheap-dressuk[.]org
talkdressprom[.]org
promdressbee[.]us
weddingdresshotsale[.]org
mypromdressstore[.]org
sweetymalada[.]us
onlydress[.]org
promdressstores[.]org
promdressesshop[.]org
addressingmachines[.]org
dresskey[.]org
justdress[.]org


Sample personally identifiable information on Yevgeniy Igorevich Polyanin also known as LK4D4, Damnating, Dam2life, Noodlleds, Antunpitre, Affilate 23:

Email: damnating@yandex[.]ru, antunpitre@gmail[.]com

The email account antunpitre@gmail[.]com is known to have registered an Android malware C&C server in the past - hxxp://foto2u[.]biz (209[.]99[.]40[.]224; 209[.]99[.]17[.]27; 178[.]32[.]152[.]214; 5[.]254[.]113[.]102). That server is known to have served the malicious MD5 7a140b4835e9ed857eda1f0dbfbfa3e8, which, once executed, phoned back to the malicious C&C server domain hxxp://phoneactivities[.]com (103[.]232[.]215[.]133). Related malicious and fraudulent C&C server domains:

hxxp://vkfoto[.]org
hxxp://vkfoto[.]net
hxxp://vkfoto[.]biz
hxxp://foto2u[.]info
hxxp://foto2u[.]org
hxxp://foto2u[.]net
hxxp://foto2u[.]biz
hxxp://photo2u[.]biz
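The indicators in this post are defanged (hxxp://, [.], and in a few places a stray space after the scheme), so they have to be normalized before they are of any use in a watchlist. The script below is an added illustration, not code from the original post: it refangs and classifies the indicators listed above, buckets them into hosts, IPs, hashes and emails, and then checks a handful of constructed DNS, proxy and AV log lines against them, treating any subdomain of a watch-listed domain as a hit. The log lines are constructed for the example and are not from the post.

```python
"""Refang and classify the defanged indicators used in this post, then match
them against log lines. Added illustration, not part of the original post;
the log lines are constructed for the example."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators exactly as written in the post (defanged).
RAW_INDICATORS = [
    "hxxp://foto2u[.]biz",
    "hxxp:// vkfoto[.]net",          # stray space after the scheme
    "209[.]99[.]40[.]224",
    "antunpitre@gmail[.]com",
    "7a140b4835e9ed857eda1f0dbfbfa3e8",
    "hxxp://phoneactivities[.]com",
]

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_TOKEN_HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
_TOKEN_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
_TOKEN_MD5 = re.compile(r"\b[0-9a-f]{32}\b")


def refang(text: str) -> str:
    """Undo the defanging conventions used above: hxxp -> http (dropping any
    whitespace after '://'), [.] -> ., [:] -> :, [@] -> @."""
    t = re.sub(r"(?i)^hxxp(s?)://\s*", r"http\1://", text.strip())
    for src, dst in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        t = t.replace(src, dst)
    return t


@dataclass(frozen=True)
class Indicator:
    kind: str   # "url" | "ipv4" | "md5" | "email" | "domain"
    value: str  # refanged and lower-cased


def classify(refanged: str) -> Indicator:
    v = refanged.lower()
    if v.startswith(("http://", "https://")):
        return Indicator("url", v)
    if _IPV4.match(v):
        return Indicator("ipv4", v)
    if _MD5.match(v):
        return Indicator("md5", v)
    if _EMAIL.match(v):
        return Indicator("email", v)
    return Indicator("domain", v)


@dataclass
class Watchlist:
    hosts: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    emails: set = field(default_factory=set)


def build_watchlist(raw_indicators) -> Watchlist:
    """Refang, classify and bucket the indicators; URLs contribute their host."""
    wl = Watchlist()
    for raw in raw_indicators:
        ind = classify(refang(raw))
        if ind.kind == "url":
            wl.hosts.add(urlsplit(ind.value).hostname)
        elif ind.kind == "domain":
            wl.hosts.add(ind.value)
        elif ind.kind == "ipv4":
            wl.ips.add(ind.value)
        elif ind.kind == "md5":
            wl.hashes.add(ind.value)
        else:
            wl.emails.add(ind.value)
    return wl


def match_line(line: str, wl: Watchlist) -> list:
    """Return (kind, indicator) hits found in one log line. A host matches if it
    is a watch-listed domain or any subdomain of one (cdn.vkfoto.net -> vkfoto.net)."""
    low = line.lower()
    hits = []
    for host in _TOKEN_HOST.findall(low):
        parts = host.split(".")
        for i in range(len(parts) - 1):
            parent = ".".join(parts[i:])
            if parent in wl.hosts:
                hits.append(("host", parent))
                break
    hits += [("ipv4", ip) for ip in _TOKEN_IP.findall(low) if ip in wl.ips]
    hits += [("md5", h) for h in _TOKEN_MD5.findall(low) if h in wl.hashes]
    return hits


# Constructed log lines (not from the post) in a loose key=value style.
LOG_LINES = [
    "2022-01-27T10:01:02Z dns client=10.0.0.5 qname=cdn.vkfoto.net qtype=A",
    "2022-01-27T10:02:00Z proxy client=10.0.0.7 dst=209.99.40.224:80 url=http://foto2u.biz/a.apk",
    "2022-01-27T10:03:00Z av client=10.0.0.7 md5=7A140B4835E9ED857EDA1F0DBFBFA3E8 file=update.apk",
    "2022-01-27T10:04:00Z dns client=10.0.0.9 qname=example.com qtype=A",
]


def scan(lines, raw_indicators=RAW_INDICATORS) -> list:
    """Return [(line, hits)] for every line that touched a watch-listed indicator."""
    wl = build_watchlist(raw_indicators)
    return [(ln, hits) for ln in lines if (hits := match_line(ln, wl))]


if __name__ == "__main__":
    for line, hits in scan(LOG_LINES):
        print(hits, "<-", line)
```

The subdomain walk in match_line is deliberate: C&C operators routinely rotate hostnames under a registered domain, so matching only the exact qname would miss most of the traffic the registrant-level indicators in this post are meant to catch. Hash matching is case-insensitive because AV and EDR products disagree on the case they log.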

Stay tuned!


Profiling Russia's U.S Election Interference 2016 - An OSINT Analysis

January 27, 2022


Note: This OSINT analysis was originally published on my current employer's Web site - https://whoisxmlapi.com - where I have been a DNS Threat Researcher since January 2021.

We've decided to take a closer look at the U.S. Election 2016 interference, carried out through several spear-phishing and malicious campaigns courtesy of Russia, for the purpose of offering actionable threat intelligence, including possible attribution clues for some of the known participants in this campaign, potentially assisting fellow researchers and law enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.

In this analysis we'll take a closer look at the Internet-connected infrastructure behind the U.S. Election 2016 campaign in terms of malicious activity and offer practical, relevant and actionable threat intelligence on its whereabouts.

Sample malicious and fraudulent C&C domains known to have participated in the U.S Elections 2016 campaign:

linuxkrnl[.]net

accounts-qooqle[.]com

account-gooogle[.]com

accoounts-google[.]com

account-yahoo[.]com

accounts-googlc[.]com

accoutns-google[.]com

addmereger[.]com

akamainet[.]net

akamaivirusscan[.]com

apple-icloud-services[.]com

apple-notification[.]com

arabianbusinessreport[.]com

azamtelecom[.]com

babylonn[.]com

baengmail[.]com

boobleg[.]com

chinainternetservices[.]com

com-hdkurknfkjdnkrnngujdknhgfr[.]com

combin-banska-stiavnica[.]com

cvk-leaks[.]com

fb-security[.]com

g00qle[.]com

global-exchange[.]net

googlesetting[.]com

hlbnk[.]com

homesecuritysystems-sale[.]com

icloud-localisation[.]com

imperialc0nsult[.]com

informationen24[.]com

interglobalswiss[.]com

intra-asiarisk[.]com

invest-sro[.]com

iphone-onlineshopping[.]net

kur4[.]com

lastdmp[.]com

localisation-apple-icloud[.]com

localisation-apple-support[.]com

localisation-mail[.]com

login-163[.]com

login-kundenservice[.]com

magic-exchange[.]com

mail-apple-icloud[.]com

mailpho[.]com

malprosoft[.]com

medicalalertgroup[.]com

megafileuploader[.]com

mfadaily[.]com

mfapress[.]com

militaryexponews[.]com

msoftonline[.]com

myaccountgoogle[.]com

myaccountsgoogle[.]com

mydomainlookup[.]net

mypmpcert[.]com

net-a-porter-coupon[.]com

newiphone-online[.]net

newiphone-supply[.]net

newreviewgames[.]com

nobel-labs[.]net

nvidiaupdate[.]com

obamacarerx[.]net

onlinecsportal[.]com

pass-google[.]com

password-google[.]com

paydaytoday-uk[.]com

pb-forum[.]com

planetaryprogeneration[.]com

regionoline[.]com

security-notifications[.]com

service-facebook[.]com

servicesupdates[.]com

set121[.]com

set132[.]com

set133[.]com

sicherheitsteam-pp[.]com

sicherheitsteam-pp[.]net

skypeupdate[.]com

smp-cz[.]com

soft-storage[.]com

solutionmanualtestbank[.]com

ssl-icloud[.]com

team-google[.]com

techlicenses[.]com

techlicenses[.]net

ua-freedom[.]com

updates-verify[.]com

us-mg7mail-transferservice[.]com

us-westmail-undeliversystem[.]com

us6-yahoo[.]com

vatlcan[.]com

wordpressjointventure[.]com

ya-support[.]com

yandex-site[.]com

yepost[.]com

Related malicious and fraudulent emails known to have participated in the U.S. Elections 2016 campaign:

julienobruno@hotmail[.]com

jenna[.]stehr@mail[.]com

s[.]simonis@mail[.]com

domreg@247livesupport[.]biz

kumarhpt@yahoo[.]com

aksnes[.]thomas@yahoo[.]com

yingw90@yahoo[.]com

andre_roy@mail[.]com

myprimaryreger@gmail[.]com

okorsukov@yahoo[.]com

tzubtfpx5@mail[.]ru

annaablony@mail[.]com

jamesyip823@gmail[.]com

tmazaker@gmail[.]com

emmer[.]brown@mail[.]com

qupton@mail[.]com

adel[.]rice@mail[.]com

trainerkart2@gmail[.]com

cowrob@mail[.]com

direct2playstore@gmail[.]com

cffaccll@mail[.]com

drgtradingllc@gmail[.]com

jack2020@outlook[.]com

pdkt00@Safe-mail[.]net

david_thompson62@aol[.]com

distardrupp@gmail[.]com

perplencorp@gmail[.]com

spammer11@superrito[.]com

jilberaner@yahoo[.]de

snowyowl@jpnsec[.]com

asainchuk@gmail[.]com

OKEKECHIDIC@GMAIL[.]COM

abelinmarcel@outlook[.]fr

idesk[.]corp[.]apple[.]com@gmail[.]com

mutantcode@outlook[.]fr

pier@pipimerah[.]com

vrickson@mail[.]com

prabhakar_malreddy@yahoo[.]com

Sample related email known to have participated in the U.S. Elections 2016 campaign:

jack2020@outlook[.]com

Sample Maltego Graph of a sample malicious and fraudulent domain registrant known to have participated in the U.S Election 2016 campaign:

Sample related domains known to have participated in the U.S Elections 2016 campaign:

support-forum[.]org

oceaninformation[.]org

vodafoneupdate[.]org

succourtion[.]org

eascd[.]org

northropgruman[.]org

apple-iphone-services[.]com

localisation-security-icloud[.]com

applesecurity-supporticloud[.]com

icloud-iphone-services[.]com

icloud-id-localisation[.]com

apple-localisation-id[.]com

identification-icloud-id[.]com

cloud-id-localisation[.]com

support-security-icloud[.]com

identification-apple-id[.]com

localisation-apple-security[.]com

security-icloud-localisation[.]com

dabocom[.]com

quick-exchange[.]com

hygani[.]com

hztx88[.]com

sddqgs[.]net

qufu001[.]com

lutushiqi[.]com

gsctgs[.]com

tazehong[.]com

hthgj[.]com

kvistberga[.]com

bjytj[.]net

cqhuicang[.]com

softbank-tech[.]com

osce-press[.]org

maxidea[.]tw

sdti[.]tw

gmailcom[.]tw

zex[.]tw

gain-paris-notaire[.]fr

loto-fdj[.]fr

client-amzon[.]fr

idse-orange[.]fr

rgraduzkfghgd[.]com

jmhgjqtmhanoncp[.]com

stwdchstclovuzk[.]com

puxqtyrwzuzybgzehc[.]com

maatil[.]com[.]ng

surestbookings[.]com

asatuyouth[.]org[.]ng

hanna[.]ng

hostlink[.]com[.]ng

sirbenlimited[.]com

dce[.]edu[.]ng

eventsms[.]com[.]ng

krsbczmxwdsjwtizmx[.]com

alizirwzyjazurof[.]com

zslipanehule[.]com

cxotonspmjkxw[.]com

wpifmhyjkxyt[.]com

ngvsngpwdidmn[.]com

imperialvillas[.]com[.]ng

lipyhgpofsnifste[.]com

flexceeweb[.]com

fgfcpkdcnebgduls[.]com

shinjiru[.]us

supportchannel[.]net

couponofferte[.]com

psepaperindustrial[.]com

lakws[.]com

perplencorp[.]com

lbchemtrade[.]com

viaggibelli[.]com

liontitco[.]com

svendiamo[.]com

orogenicgroup[.]com

giudeviaggio[.]com

greenskill[.]net

siteseditor[.]net

e-mail-supports[.]com

biplen[.]com

infradesajohor[.]com

dealhot[.]net

suanmin[.]com

on9on9[.]com

accoutns-google[.]com

puroniq[.]com

sinqa[.]com

sadihadi[.]com

mrangkang[.]com

terumbu[.]com

phygitail[.]com

veraniq[.]com

potxr[.]com

icraw[.]com

thearoid[.]com

teempo[.]com

parblue[.]com

mydomainlookup[.]net

adrianvonziegler[.]net

zetindustries[.]com

researchs[.]com[.]ng

joymoontech[.]com

researchmaterials[.]com[.]ng

james823[.]com

oneibeauty[.]net

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Stay tuned!


Exposing Aleksandr Zhukov from the Media Methane Rogue Fraudulent and Malicious Advertising Enterprise - An OSINT Analysis

November 29, 2021

Following the recent revelations and the actual U.S. DoJ bust and lawsuit against Aleksandr Zhukov of Media Methane, responsible for the MethBrowser ad-fraud scheme, I've decided to take a deeper look at its online infrastructure, elaborate on the fraudulent practices applied by the group, and offer practical, relevant and actionable intelligence exposing the group's online infrastructure.

In this post I'll discuss the group's online infrastructure and elaborate on some of the key individuals behind the gang, with the idea of empowering the security community and U.S. law enforcement with the data needed to track down and prosecute the cybercriminals behind these campaigns.

Rogue Company Name: Media Methane
Rogue Company Product: MethBrowser

Rogue online infrastructure provider:

host1plus / DIGITAL ENERGY TECHNOLOGIES

inetnum: 179.61.128/17
inetnum: 181.41.192/19
inetnum: 181.214/15
inetnum: 191.96/16
inetnum: 191.101/16

Speed Home Internet LTD
US online LTD
Dallas online LTD
Home Internet Orang LTD
ATOL Intertnet
CH wireless
SecureShield LLC
HomeChicago Int
AmOL wireless Net
Verison Home Provider LTD

Rogue netblocks known to have been involved in the campaign:
45.33.224.0/20
45.43.128.0/21
45.43.136.0/22
45.43.140.0/23
45.43.144.0/20
45.43.160.0/19
64.137.0.0/20
64.137.16.0/21
64.137.24.0/22
64.137.30.0/23
64.137.32.0/20
64.137.48.0/21
64.137.60.0/22
64.137.64.0/18
104.143.224.0/19
104.222.160.0/19
104.233.0.0/18
104.238.0.0/19
104.239.0.0/19
104.239.32.0/20
104.239.48.0/21
104.239.56.0/23
104.239.60.0/22
104.239.64.0/18
104.243.192.0/20
104.248.0.0/16
104.249.0.0/18
104.250.192.0/19
160.184.0.0/16
161.8.128.0/17
165.52.0.0/14
168.211.0.0/16
179.61.129.0/24
179.61.137.0/24
179.61.196.0/24
179.61.202.0/24
179.61.208.0/24
179.61.216.0/24
179.61.218.0/23
179.61.229.0/24
179.61.230.0/23
179.61.233.0/24
179.61.234.0/23
179.61.237.0/24
179.61.239.0/24
179.61.242.0/24
181.41.199.0/24
181.41.200.0/24
181.41.202.0/24
181.41.204.0/24
181.41.206.0/23
181.41.208.0/24
181.41.213.0/24
181.41.215.0/24
181.41.216.0/24
181.41.218.0/24
181.214.5.0/24
181.214.7.0/24
181.214.9.0/24
181.214.11.0/24
181.214.13.0/24
181.214.15.0/24
181.214.17.0/24
181.214.19.0/24
181.214.21.0/24
181.214.23.0/24
181.214.25.0/24
181.214.27.0/24
181.214.29.0/24
181.214.31.0/24
181.214.39.0/24
181.214.41.0/24
181.214.43.0/24
181.214.45.0/24
181.214.47.0/24
181.214.49.0/24
181.214.57.0/24
181.214.71.0/24
181.214.72.0/21
181.214.80.0/21
181.214.88.0/23
181.214.94.0/23
181.214.96.0/19
181.214.160.0/21
181.214.168.0/22
181.214.172.0/23
181.214.175.0/24
181.214.176.0/20
181.214.192.0/21
181.214.200.0/22
181.214.214.0/23
181.214.216.0/21
181.214.224.0/20
181.214.240.0/22
181.215.5.0/24
181.215.7.0/24
181.215.9.0/24
181.215.11.0/24
181.215.13.0/24
181.215.15.0/24
181.215.17.0/24
181.215.19.0/24
181.215.21.0/24
181.215.23.0/24
181.215.25.0/24
181.215.27.0/24
181.215.29.0/24
181.215.31.0/24
181.215.33.0/24
181.215.35.0/24
181.215.37.0/24
181.215.39.0/24
181.215.41.0/24
181.215.43.0/24
181.215.45.0/24
181.215.47.0/24
181.215.50.0/23
181.215.52.0/22
181.215.56.0/21
181.215.64.0/20
181.215.80.0/21
188.42.0.0/21
191.96.0.0/24
191.96.16.0/24
191.96.18.0/24
191.96.21.0/24
191.96.23.0/24
191.96.29.0/24
191.96.30.0/24
191.96.39.0/24
191.96.40.0/23
191.96.43.0/24
191.96.44.0/22
191.96.50.0/23
191.96.52.0/22
191.96.56.0/22
191.96.60.0/23
191.96.62.0/24
191.96.69.0/24
191.96.70.0/23
191.96.72.0/23
191.96.74.0/24
191.96.76.0/22
191.96.80.0/21
191.96.88.0/22
191.96.92.0/24
191.96.94.0/24
191.96.96.0/23
191.96.108.0/23
191.96.110.0/24
191.96.113.0/24
191.96.114.0/24
191.96.116.0/23
191.96.119.0/24
191.96.120.0/23
191.96.122.0/24
191.96.124.0/22
191.96.133.0/24
191.96.134.0/24
191.96.138.0/24
191.96.140.0/24
191.96.145.0/24
191.96.148.0/24
191.96.150.0/24
191.96.152.0/21
191.96.160.0/22
191.96.164.0/24
191.96.168.0/24
191.96.170.0/24
191.96.172.0/24
191.96.174.0/24
191.96.177.0/24
191.96.178.0/23
191.96.182.0/24
191.96.185.0/24
191.96.186.0/23
191.96.189.0/24
191.96.190.0/24
191.96.193.0/24
191.96.194.0/24
191.96.196.0/22
191.96.200.0/23
191.96.203.0/24
191.96.210.0/24
191.96.212.0/23
191.96.214.0/24
191.96.221.0/24
191.96.222.0/23
191.96.226.0/23
191.96.232.0/24
191.96.234.0/23
191.96.236.0/23
191.96.239.0/24
191.96.244.0/24
191.96.246.0/24
191.101.25.0/24
191.101.36.0/22
191.101.40.0/21
191.101.128.0/22
191.101.132.0/23
191.101.134.0/24
191.101.146.0/23
191.101.148.0/23
191.101.176.0/23
191.101.182.0/24
191.101.184.0/22
191.101.188.0/23
191.101.192.0/22
191.101.196.0/23
191.101.204.0/22
191.101.216.0/22
191.101.220.0/24
191.101.222.0/23
196.62.0.0/16
204.52.96.0/20
204.52.112.0/22
204.52.116.0/23
204.52.120.0/23
204.52.122.0/24
204.52.124.0/22
206.124.104.0/21
209.192.128.0/19
216.173.64.0/18

Rogue domains known to have been involved in the campaign:
adzos.com
clickandia.com
webvideocore.com
clickservers.net
clickmediallc.net
mobapptrack.com
rtbclick.net
xmlsearchresult.com

Sample personal email address accounts known to have been involved in the campaign:
adw0rd.yandex.ru@gmail.com
clickandia@yahoo.com

Rogue Facebook profiles belonging to company employees include:
https://www.facebook.com/oleksandr.beletskyi
https://www.facebook.com/rowan.villaluz

Stay tuned!


Russia's SVR Launches "SecureDrop" Similar National Security Threats Soliciting Web Site on the Dark Web - An Analysis

April 25, 2021

Big stuff! Russia's SVR has recently launched a Dark Web onion Web site similar to SecureDrop for the purpose of enticing citizens and individuals into submitting information regarding threats facing Russia. Users are enticed into visiting the onion site and using a publicly available PGP key to submit information relevant to national security threats facing Russia.

Primary Russia SVR Dark Web Onion URL:
hxxp://svrgovru24yd42e6mmrnohzs37hb35yqeulvmvkc76e3drb75gs4qrid.onion

Primary Russia SVR Public PGP Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[key body not reproduced here]
=5vim
-----END PGP PUBLIC KEY BLOCK-----

Stay tuned!

Recommended High-Profile Espionage Movie for Watching!

March 31, 2021

Dear blog readers,

Remember the DVD of the Weekend blog post series? I've decided to resume posting high-quality YouTube videos and movies worth watching, with the idea of continuing the series. In this post I'm sharing the trailer for Red Joan, a high-profile espionage movie which you should definitely consider watching.

Stay tuned!


Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis

July 29, 2019
Continuing the "FBI Most Wanted Cybercriminals" series, I've decided to take a closer look at the "Jabber ZeuS" gang, including Evgeniy Mikhaylovich Bogachev, for the purpose of providing actionable intelligence on the fraudulent and malicious infrastructure utilized in the campaign, including personally identifiable information on the individuals behind it, with the idea of assisting law enforcement and the U.S. Intelligence Community with the data needed to track down and prosecute them.

In this post I'll provide actionable intelligence on the infrastructure used by the "Jabber ZeuS" gang including personally identifiable information for Evgeniy Mikhaylovich Bogachev and some of his known associates.

Sample Personal Photos of Evgeniy Mikhaylovich Bogachev:



Slavik's IM and personal email including responding IP:
bashorg@talking.cc - 112.175.50.220

Personal Address:
Lermontova Str. Anapa, Russian Federation

Instant Messaging account:
lucky12345@jabber.cz

Related name servers:
ns.humboldtec.cz - 88.86.102.49
ns2.humboldtec.cz - 188.165.248.173

Related domains part of a C&C phone-back location:
hxxp://slaviki-res1.com
hxxp://slavik1.com - 91.213.72.115
hxxp://slavik2.com
hxxp://slavik3.com

Slavik's primary email:
luckycats2008@yahoo.com

Slavik's ICQ numbers:
ICQ - 42729771
ICQ - 312456

Related emails known to have participated in the campaign:
alexgarbar-chuck@yahoo.com
bollinger.evgeniy@yandex.ru
charajiang16@gmail.com

Related domains known to have participated in the campaign:
hxxp://visitcoastweekend.com - 103.224.182.253; 70.32.1.32; 192.184.12.62; 141.8.224.93; 69.43.160.163
hxxp://incomeet.com - 192.186.226.71; 66.199.248.195
hxxp://work.businessclub.so

Related information on his colleague (chingiz) as seen in the attached screenshot:



Real Name: Galdziev Chingiz

Related domains known to have participated in the campaign:
hxxp://fizot.org
hxxp://fizot.com - 50.63.202.35; 184.168.221.33
hxxp://poymi.ru - 109.206.190.54

Related name servers known to have participated in the campaign:
ns1.fizot.com - 35.186.238.101
ns2.fizot.com

Related domain including an associated email using the same name server:
hxxp://averfame.org - harold@avereanoia.org

Google Analytics ID: UA-3816538

Related domains known to have participated in the campaign:
hxxp://awmproxy.com
hxxp://pornxplayer.com

Related emails known to have participated in the campaign:
fizot@mail.ru
xtexgroup@gmail.com
xtexcounter@bk.ru

Related domains known to have responded to the same malicious and fraudulent IP - 178.162.188.28:
hxxp://dnevnik.cc
hxxp://xvpn.ru
hxxp://xsave.ru
hxxp://anyget.ru
hxxp://nezayti.ru
hxxp://proproxy.ru
hxxp://hitmovies.ru
hxxp://appfriends.ru
hxxp://naraboteya.ru
hxxp://awmproxy.com
hxxp://zzyoutube.com
hxxp://pornxplayer.com
hxxp://awmproxy.net
hxxp://checkerproxy.net

Related domains known to have participated in the campaign:
hxxp://fizot.livejournal.com/
hxxp://russiaru.net/fizot/

Instant Messaging Account:
ICQ - 795781

Related personally identifiable information of Galdziev Chingiz:
hxxp://phpnow.ru
ICQ - 434929
Email: info@phpnow.ru

Related domains known to have participated in the campaign:
hxxp://filmv.net
hxxp://finance-customer.com
hxxp://firelinesecrets.com
hxxp://fllmphpxpwqeyhj.net
hxxp://flsunstate333.com

Related individuals known to have participated in the campaign:
Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits

Related Instant Messaging accounts and emails known to have participated in the campaign:
iceix@secure-jabber.biz
shwark.power.andrew@gmail.com
johnlecun@gmail.com
gribodemon@pochta.ru
glazgo-update-notifier@gajim.org
gribo-demon@jabber.ru
aqua@incomeet.com
miami@jabbluisa.com
um@jabbim.com
hof@headcounter.org
theklutch@gmail.com
niko@grad.com
Johnny@guru.bearin.donetsk.au
petr0vich@incomeet.com
mricq@incomeet.com
T4ank@ua.fm
tank@incomeet.com
getreadysafebox.ru
john.mikleymaiI.com
aIexeysafinyahoo.corn
rnoscow.berlin@yahoo.com
cruelintention@email.ru
bind@ernail.ru
firstmen17@rarnbler.ru
benny@jabber.cz
airlord1988@gmail.com
bxl@hotmail.com
i_amhere@hotmail.fr
daniel.h.b@universityofsutton.com
princedelune@hotmail.fr
bxl_@msn.com
danibxl@hotmail.fr
danieldelcore@hotmail.com
d.frank@jabber.jp
d.frank@0nl1ne.at
duo@jabber.cn
fering99@yahoo.com
secustar@mail.ru
h4x0rdz@hotmail.com
Donsft@hotmail.com
mary.j555@hotmail.com
susanneon@googlemail.com
kainehabe@hotmail.com
virus_e_2003@hotmail.com
spanishp@hotmail.com
sere.bro@hotmail.com
lostbuffer@hotmail.com
lostbuffer@gmail.com
vlad.dimitrov@hotmail.com
jheto2002@gmail.com
sector.exploits@gmail.com

We'll post new updates as soon as new developments take place.

Related posts:
Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis
Who's Behind the Syrian Electronic Army? - An OSINT Analysis

Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer"

February 07, 2019
Appreciate my rhetoric. In this post I'll provide actionable intelligence on a key DDoS-for-hire service that was primarily used in the Russia vs Georgia cyber attacks circa 2009, including the DDoS attack against Bobbear.co.uk.

Related actionable intelligence on the campaign:
hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com - hxxp://httpdoc.info - hxxp://fakamaza.info. The last one has the email address "team@russia-vs-georgia.org" in its WHOIS record.

Related malicious URLs known to have participated in the campaign:
hxxp://cxim.inattack.ru/www7/www/auth.php

Related malicious URLs known to have participated in the campaign:
hxxp://h278666y.net/main/load.exe
hxxp://h278666y.net/www/auth.php

Related malicious MD5s known to have participated in the campaign:
MD5: 34413180d372a9e66d0d59baf0244b8f
MD5: 42e4bbd47d322ec563c86c636c3f10b9
MD5: ed36b42fac65236a868e707ee540c015
MD5: c9fa1c95ab4ec1c1d46abe5445fb41e4

hxxp://cxim.inattack.ru/www3/www/
hxxp://i.clusteron.ru/bstatus.php

Related malicious URLs known to have participated in the campaign:
hxxp://svdrom.cn

Related malicious URLs known to have participated in the campaign:
hxxp://203.117.111.52/www7/www/getcfg.php

Related malicious domains known to have participated in the campaign:
hxxp://cxim.inattack.ru/www2/www/stat.php
hxxp://cxim.inattack.ru/www3/www/stat.php
hxxp://cxim.inattack.ru/www4/www/stat.php
hxxp://cxim.inattack.ru/www5/www/stat.php
hxxp://cxim.inattack.ru/www6/www/stat.php
hxxp://finito.fi.funpic.org/black/stat.php
hxxp://logartos.org/forum/stat.php - 195.24.78.242
hxxp://weberror.cn/be1/stat.php
hxxp://prosto.pizdos.net/_lol/stat.php
hxxp://h278666y.net/www/stat.php - 72.233.60.254

Historical OSINT - A Peek Inside The Georgia Government's Web Site Compromise Malware Serving Campaign - 2010

February 07, 2019
Remember the massive Russia vs Georgia cyber attack circa 2009? It seems the time has come for me to dig a little deeper and provide actionable intelligence on one of the actors that seems to have participated in the campaign, including a sample pro-Georgian cyber militia that apparently attempted to "risk-forward" the responsibility for waging cyberwar to third parties, including Russian and anti-Georgia supporters.

How come? In this post I'll provide actionable intelligence on what appears to be a currently active Brazilian supporter of the cyber attacks that took place circa 2009, with the idea of discussing in depth the tools and motivation of the cybercriminals behind the campaign.

Sample malicious URL known to have participated in the campaign:
hxxp://geocities.ws/thezart/

It's 2010 and I'm coming across a malicious and fraudulent file repository that can best be described as belonging to a key actor who managed to participate in, and perhaps even orchestrate, the Russia vs Georgia cyber attacks circa 2009. Who is this individual? How did he manage to contribute to the Russia vs Georgia cyber attacks? Did he rely on active outsourcing, or was he hired to perform the orchestrated DDoS-for-hire attacks that took place back then? Keep reading.

It appears that a Brazilian user known as The Zart participated in the Russia vs Georgia cyber attacks circa 2009, relying on a variety of tools and techniques, namely:

- DNS Amplification Attacks
- Web Site Defacement Tools
- Targeted Spreading of Vulnerable Legitimate Web Sites
- Automated Web-Site Exploitation - Long Tail of The Malicious Web

which basically resulted in a self-mobilized militia that actually participated in and launched the Russia vs Georgia cyber attacks circa 2009.

Related posts:
The Russia vs Georgia Cyber Attack
Who's Behind the Georgia Cyber Attacks?
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

The Russia vs Georgia Cyber Attack

December 17, 2018
Last month's lone-gunman DDoS attack against the Georgian President's web site seemed like a signal shot for the cyber siege that came a week later. Here's the complete coverage of the coordination phase, the execution and the actual impact of the cyber attack so far - "Coordinated Russia vs Georgia cyber attack in progress":

"Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations), and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth. With the attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak of DDoS attack and the actual defacements started taking place as of Friday."

Some of the tactics used:
- distributing a static list of targets, eliminating centralized coordination of the attack
- engaging average Internet users and empowering them with DoS tools
- distributing lists of remotely SQL-injectable Georgian sites
- abusing public lists of email addresses of Georgian politicians for spamming and targeted attacks
- destroying the adversary's ability to communicate using the usual channels -- Georgia's most popular hacking portal is under DDoS attack from Russian hackers

Some of the parked domains acting as command and control servers for one of the botnets at 79.135.167.22 :
emultrix .org
yandexshit .com
ad.yandexshit .com
a-nahui-vse-zaebalo-v-pizdu .com
killgay .com
ns1.guagaga .net
ns2.guagaga .net
ohueli .net
pizdos .net
googlecomaolcomyahoocomaboutcom.net


Actual command and control locations :
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/
prosto.pizdos .net/_lol/

Consider going through the complete coverage of what's been happening during the weekend. Considering the combination of tactics used, unless the conflict gets resolved, more attacks will definitely take place during the week.

Who's Who in Cyber Warfare?

May 28, 2006
Wondering about the current state of the cyber warfare capabilities of certain countries, I recently finished reading the report "Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States", a very in-depth summary of nation-to-nation cyber conflicts and developments that I recommend reading if you're interested. It covers China, India, Iran, North Korea, Pakistan and, of course, Russia. Some selected brief excerpts on China, Iran and Russia:



China
"Beijing’s intelligence services continue to collect science and technology information to support the government’s goals, while Chinese industry gives priority to domestically manufactured products to meet its technology needs. The PLA maintains close ties with its Russian counterpart, but there is significant evidence that Beijing seeks to develop its own unique model for waging cyber warfare."



Iran
"The armed forces and technical universities have joined in an effort to create independent cyber R & D centers and train personnel in IT skills; and second, Tehran actively seeks to buy IT and military related technical assistance and training from both Russia and India."



Russia
"Russia’s armed forces, collaborating with experts in the IT sector and academic community, have developed a robust cyber warfare doctrine. The authors of Russia’s cyber warfare doctrine have disclosed discussions and debates concerning Moscow’s official policy. “Information weaponry,” i.e., weapons based on programming code, receives paramount attention in official cyber warfare doctrine."



Technology as the next Revolution in Military Affairs (RMA) was an inevitable development; what's important to keep in mind is knowing who's up to what, what the foundations of their military thinking are, and who's copying attitudes from whom. Having the capacity to wage offensive and defensive cyber warfare is getting more important; still, military thinkers in certain countries see network-centric warfare or a total renovation of C4I communications as the panacea when dealing with their about-to-be-scrapped conventional weaponry systems. Convergence represents countless opportunities for waging cyber warfare, offensive as well, and I doubt there is a country not working on defensive projects.



In a previous post, Techno-Imperialism and the Effect of Cyberterrorism, I also provided a detailed overview of the concept and lots of real-life scenarios related to cyberterrorism, an extension of cyber warfare capabilities. It shouldn't come as a surprise that a nation's military and intelligence personnel have, or seek to gain, access to 0day security vulnerabilities, the currency of trade in today's e-society, as well as recruiting local "renegades".



Undermining a nation's confidence in its own abilities, the public's perception of inevitable failure, sophisticated PSYOPS, "excluded middle" propaganda: it all comes down to who's a step ahead of the event, by either predicting or intercepting its future occurrence. Information is not power; it's noise turning into knowledge, and knowledge becomes power -- if and when exercised.

Travel Without Moving - Typhoon Class Submarines

May 04, 2006
In previous posts "Security quotes : a FSB (successor to the KGB) analyst on Google Earth", "Suri Pluma - a satellite image processing tool and visualizer", "The "threat" by Google Earth has just vanished in the air" I talked about various issues related to satellite imagery and security.


Moreover, I'm also actively covering various emerging space warfare issues, and with the recent speculation that the Okno ELINT complex in Tajikistan is becoming Russian, and the different "schools of thought", there's a lot to come for sure. Google Maps/Earth not only restarted the real estate industry, it made the world a smaller place, a more competitive one, and hopefully a safer one, if security counts here.



As of today, I've decided to start posting a weekly section, the "Travel Without Moving" series, presenting interesting and publicly obtained imagery of sights that somehow made an impression on me. The other day I came across a (perhaps scrapped by now) entry on Typhoon Class Submarines at GoogleSightseeing.com -- the largest and quietest type of submarine.



That's perhaps the perfect moment to mention the cool pictures of a Soviet underground submarine base, the Nuclear Submarine Base at Balaklava: "Until the collapse of the Soviet Union in 1991 Balaklava was one of the most secret towns in Russia. 10km south east of Sevastopol on the Black Sea Coast, this small town was the home to a Nuclear Submarine Base." Take a tour for yourself!

Why's that radar screen not blinking over there?

April 24, 2006
Two days ago the Russian News & Information Agency, Novosti, reported on how "Russian bombers flew undetected across Arctic". More from the article:



"Russian military planes flew undetected through the U.S. zone of the Arctic Ocean to Canada during recent military exercises, a senior Air Force commander said Saturday. The commander of the country's long-range strategic bombers, Lieutenant General Igor Khvorov, said the U.S. Air Force is now investigating why its military was unable to detect the Russian bombers. They were unable to detect the planes either with radars or visually," he said."



SpaceWar.com and several other sites/agencies also picked up the story; still, its truthfulness, leaving aside the lack of coverage, can always be questioned, as "by the end of the year, two more Tu-160s will be commissioned for the long-range strategic bomber fleet, Khorov said." So, while I agree with him on the visual confirmation issue, such an achievement is a hell of an incentive for commissioning more planes, isn't it? Moreover, should what used to be the world's largest radar, the Over-The-Horizon Backscatter Radar, have been scrapped given Iran's (and not only Iran's) nuclear ambitions, or is the ongoing space warfare doctrine the logical successor here?



Let's for instance assume it actually happened, and take the reverse approach -- it actually happened in Russia too, back in 1987, and it wasn't a senior air force commander that did it, if he did, but 19-year-old Mathias Rust, who landed on Red Square itself.



More details will follow for sure, so stay tuned; meanwhile, take a look at the Google Earth Community spot link on Mathias's landing.



UPDATE
Nice article on the topic, and a great quote as well: "Scanning containers full of sneakers for a 'nuke in a box' is not a really thoughtful thing."


