
Historical OSINT - Spamvertized Swine Flu Domains - Part Two

October 21, 2018
It's 2010 and I've recently come across a currently active and diverse portfolio of Swine Flu related domains enticing users into interacting with rogue and malicious content.

In this post I'll profile and expose a currently active portfolio of malicious domains circulating in the wild, involved in an ongoing series of Swine Flu themed malicious spam campaigns, and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://pehwitew.cn - 58.17.3.44; 58.20.140.5; 220.248.167.126; 60.191.221.116; 110.52.6.252

Related name servers known to have participated in the campaign:
hxxp://ns6.plusspice.com - 110.52.6.252
hxxp://ns2.morewhole.com
hxxp://ns2.extolshare.com
hxxp://ns2.pridesure.com
hxxp://ns2.swellwise.com
hxxp://ns4.boostwise.com
hxxp://ns6.maxitrue.com
hxxp://ns4.sharezeal.com
hxxp://ns2.extolcalm.com
hxxp://ns4.humortan.com
hxxp://ns2.joysheer.com
hxxp://ns2.zestleads.com
hxxp://ns4.fizzleads.com
hxxp://ns4.maxigreat.com
hxxp://ns4.spicyrest.com
hxxp://ns4.hardyzest.com
hxxp://ns2.resttrust.com
hxxp://ns2.alertwow.com
hxxp://ns2.savetangy.com
hxxp://ns4.lovetangy.com
hxxp://ns2.coyrosy.com

Related malicious domains known to have participated in the campaign:
hxxp://jihpuyab.cn
hxxp://dabwedib.cn
hxxp://jehrawob.cn
hxxp://lacgidub.cn
hxxp://fektiyub.cn
hxxp://qucmolac.cn
hxxp://xopfekec.cn
hxxp://gamfesec.cn
hxxp://xokdemic.cn
hxxp://papxunic.cn
hxxp://jiqlosic.cn
hxxp://liynaloc.cn
hxxp://womrifuc.cn
hxxp://picduluc.cn
hxxp://feqtawuc.cn
hxxp://becfuzuc.cn
hxxp://ximnusad.cn
hxxp://limyoxed.cn
hxxp://cokgozed.cn
hxxp://qursehod.cn
hxxp://pimfilod.cn
hxxp://zofxitod.cn
hxxp://pehdiwod.cn
hxxp://ruvvabud.cn
hxxp://japwolud.cn
hxxp://qolqaqaf.cn
hxxp://tacreyaf.cn
hxxp://rajvufef.cn
hxxp://hiwjadif.cn
hxxp://pejjenif.cn
hxxp://hakyabof.cn
hxxp://rijgihag.cn
hxxp://pipgaqag.cn
hxxp://jaxkewag.cn
hxxp://cikqumog.cn
hxxp://tircodug.cn
hxxp://juryaqug.cn
hxxp://yawfadah.cn
hxxp://yabtudah.cn
hxxp://qifhihah.cn
hxxp://xeyselah.cn
hxxp://cotmetah.cn
hxxp://bulmitah.cn
hxxp://tegbejih.cn
hxxp://tuymokih.cn
hxxp://modqopoh.cn
hxxp://qejpoduh.cn
hxxp://xajsomuh.cn
hxxp://wisziruh.cn
hxxp://maypajej.cn
hxxp://tivhikej.cn
hxxp://holmayej.cn
hxxp://dabtizej.cn
hxxp://koyxuwij.cn
hxxp://romxebuj.cn
hxxp://hilzuluj.cn
hxxp://zulfavuj.cn
hxxp://vojhowuj.cn
hxxp://daldukak.cn
hxxp://rakvirak.cn
hxxp://fimresak.cn
hxxp://zepyosak.cn
hxxp://tovpiwak.cn
hxxp://raqhizak.cn
hxxp://salhibik.cn
hxxp://xonzulik.cn
hxxp://jezwutik.cn
hxxp://lungodok.cn
hxxp://qeytakok.cn
hxxp://weswukuk.cn
hxxp://lawmamuk.cn
hxxp://xomhoruk.cn
hxxp://zitkowuk.cn
hxxp://hoyzexuk.cn
hxxp://cutholal.cn
hxxp://jidtecel.cn
hxxp://jovmuhil.cn
hxxp://guxdipil.cn
hxxp://kujkuwil.cn
hxxp://kojvifol.cn
hxxp://zitgohol.cn
hxxp://cosxotol.cn
hxxp://wahwoxol.cn
hxxp://siqsayol.cn 
hxxp://pipwoqul.cn
hxxp://zilfumam.cn
hxxp://fokvidem.cn
hxxp://vamhefem.cn
hxxp://hipxetem.cn
hxxp://hasrozem.cn
hxxp://yovbafim.cn
hxxp://zutgaqim.cn
hxxp://kamnorim.cn
hxxp://nussotim.cn
hxxp://yiblegom.cn
hxxp://vorteyom.cn
hxxp://mokgupum.cn
hxxp://xennesum.cn
hxxp://feshivum.cn
hxxp://nakcaban.cn
hxxp://yaxxokan.cn
hxxp://qikciqan.cn
hxxp://gagsuran.cn
hxxp://bopxuran.cn
hxxp://giwduvan.cn
hxxp://gixreqin.cn
hxxp://leccatin.cn
hxxp://jollipon.cn
hxxp://vuzlopon.cn
hxxp://butkoxon.cn
hxxp://falyewun.cn
hxxp://noscajap.cn
hxxp://xirqocep.cn
hxxp://daqdohep.cn
hxxp://wokvarep.cn
hxxp://hoggudip.cn
hxxp://heqfavip.cn
hxxp://jowrewip.cn
hxxp://cimqiqop.cn
hxxp://cibqobup.cn
hxxp://zijreyup.cn
hxxp://tosnabaq.cn
hxxp://tochekaq.cn
hxxp://cosmoqaq.cn
hxxp://zavnusaq.cn
hxxp://vufsaqeq.cn
hxxp://dagligiq.cn
hxxp://wugjaziq.cn
hxxp://fepsuwoq.cn
hxxp://pombeyoq.cn
hxxp://dokcokuq.cn
hxxp://diwsutuq.cn
hxxp://sayjumar.cn
hxxp://jidxurer.cn
hxxp://qalhiyir.cn
hxxp://goqtoqor.cn
hxxp://gaxdavor.cn
hxxp://kazqikas.cn
hxxp://piskeces.cn
hxxp://qamhadis.cn
hxxp://wifdixis.cn
hxxp://hejhelos.cn
hxxp://hedwimos.cn
hxxp://kerrucus.cn
hxxp://forhalus.cn
hxxp://fesnupus.cn
hxxp://lanzuhat.cn
hxxp://kadmepat.cn
hxxp://potzoyat.cn
hxxp://jupkevet.cn
hxxp://xagmiqit.cn
hxxp://woxjatit.cn
hxxp://gukpuxit.cn
hxxp://dubpacut.cn
hxxp://nifbihut.cn
hxxp://qunkofav.cn
hxxp://vippogav.cn
hxxp://rimjulav.cn
hxxp://kemhenav.cn
hxxp://gutziqav.cn
hxxp://gipbilev.cn
hxxp://kaxcidiv.cn
hxxp://xajwawov.cn
hxxp://rejcoyov.cn
hxxp://jogsuduv.cn
hxxp://lamfoguv.cn
hxxp://daxtohuv.cn
hxxp://mihwuxuv.cn
hxxp://hiwjuhaw.cn
hxxp://gohkijaw.cn
hxxp://tuwqetaw.cn
hxxp://lacjebew.cn
hxxp://vodrubew.cn
hxxp://pehwitew.cn
hxxp://yezxewew.cn
hxxp://yuvsobow.cn
hxxp://yodmapow.cn
hxxp://qotpobuw.cn
hxxp://megrafuw.cn
hxxp://zamponuw.cn
hxxp://kotzequw.cn
hxxp://yudmaruw.cn
hxxp://hamqiruw.cn
hxxp://siwwawuw.cn
hxxp://veqniwuw.cn
hxxp://bepnudax.cn
hxxp://jehfefax.cn
hxxp://boxjokex.cn
hxxp://yoclerex.cn
hxxp://guzjacix.cn
hxxp://mexcekix.cn
hxxp://kibtixix.cn
hxxp://conyixix.cn
hxxp://famlojox.cn
hxxp://jizwalox.cn
hxxp://dahhowox.cn
hxxp://zicquvtx.cn
hxxp://cavxujux.cn
hxxp://voqnolux.cn

Known to have responded to the same malicious IP (60.191.221.123) are also the following malicious domains:
hxxp://vitsulob.cn
hxxp://jahnivub.cn
hxxp://wipviyub.cn
hxxp://gokbulac.cn
hxxp://bedqaqac.cn
hxxp://suvnuqac.cn
hxxp://wukcilec.cn
hxxp://lukbolec.cn
hxxp://juhfaqic.cn
hxxp://mixwiqic.cn
hxxp://qikloric.cn
hxxp://halgiyic.cn
hxxp://jocvoloc.cn
hxxp://gugmikad.cn
hxxp://zoqvulad.cn
hxxp://zokdoled.cn
hxxp://daxlated.cn
hxxp://cahnubid.cn
hxxp://cufxuhod.cn
hxxp://libsorod.cn
hxxp://vopqatod.cn
hxxp://cebvoyod.cn
hxxp://lansocud.cn
hxxp://zohpakud.cn
hxxp://hekwasud.cn
hxxp://niknuvud.cn
hxxp://meymuhaf.cn
hxxp://nigkojef.cn
hxxp://bazmoyef.cn
hxxp://roszadif.cn
hxxp://sapmofif.cn
hxxp://kudxodof.cn
hxxp://pefkipof.cn
hxxp://xoqresof.cn
hxxp://fipxevof.cn
hxxp://quyzeluf.cn
hxxp://xujyeruf.cn
hxxp://xenpikeg.cn
hxxp://tafwohig.cn
hxxp://kowtuhig.cn
hxxp://dinpisig.cn
hxxp://teryuvig.cn
hxxp://funcizig.cn
hxxp://ciytamog.cn
hxxp://jemsowog.cn 
hxxp://kiqzijug.cn
hxxp://pulfaxug.cn
hxxp://wojlabah.cn
hxxp://belzejah.cn
hxxp://pefdovah.cn
hxxp://xijsameh.cn
hxxp://racridih.cn
hxxp://rewfahih.cn
hxxp://vihxujih.cn
hxxp://qujvosih.cn
hxxp://figqacuh.cn
hxxp://xohmoluh.cn
hxxp://jicniwuh.cn
hxxp://kapxuraj.cn
hxxp://jubjavaj.cn
hxxp://bidkuqej.cn
hxxp://jarvixej.cn
hxxp://qinzidij.cn
hxxp://zagzafij.cn
hxxp://merjuwij.cn
hxxp://weqbujuj.cn
hxxp://gucdaluj.cn
hxxp://modxowuj.cn
hxxp://tobponak.cn
hxxp://tacjujek.cn
hxxp://fumliqek.cn
hxxp://wavfebik.cn
hxxp://xizqibik.cn
hxxp://focnigik.cn
hxxp://biqmipik.cn
hxxp://zowcoqik.cn
hxxp://fexsitik.cn
hxxp://qebdevik.cn
hxxp://xolkisok.cn
hxxp://kuqwuwok.cn
hxxp://gunwonuk.cn
hxxp://hewquvuk.cn
hxxp://gunbaqal.cn
hxxp://seysixal.cn
hxxp://zaymamel.cn
hxxp://weznohil.cn
hxxp://keczakil.cn
hxxp://wawberol.cn
hxxp://naftemul.cn
hxxp://sedbonam.cn
hxxp://velwapam.cn
hxxp://zinzutam.cn
hxxp://nudgixam.cn 
hxxp://mibpabem.cn
hxxp://yolbaqem.cn
hxxp://fogduqem.cn
hxxp://qawtotem.cn
hxxp://qalfusim.cn
hxxp://kocguwim.cn
hxxp://zishikom.cn
hxxp://kozpipom.cn
hxxp://loblahum.cn
hxxp://winbomum.cn
hxxp://jakmezum.cn
hxxp://taglolan.cn
hxxp://suznuwan.cn
hxxp://jekwazan.cn
hxxp://toxmijen.cn
hxxp://nikguzen.cn
hxxp://dedmewin.cn
hxxp://jebvuwun.cn
hxxp://tupsikap.cn
hxxp://dudsuzap.cn
hxxp://yessafep.cn
hxxp://danxenep.cn
hxxp://leklidip.cn
hxxp://duklimip.cn
hxxp://yevnurip.cn
hxxp://virrotip.cn
hxxp://lalyezop.cn
hxxp://jaztecup.cn
hxxp://gokbehup.cn
hxxp://cuqyirup.cn
hxxp://gajvizup.cn
hxxp://cahwikaq.cn
hxxp://xeqbelaq.cn
hxxp://xicbamaq.cn
hxxp://qofqoneq.cn
hxxp://givxuyeq.cn
hxxp://gonganiq.cn
hxxp://vijsoziq.cn
hxxp://bignijoq.cn
hxxp://jejroxoq.cn
hxxp://culfunuq.cn
hxxp://qevxayuq.cn
hxxp://merwosar.cn
hxxp://loxvafer.cn
hxxp://cawnamir.cn
hxxp://wocyorir.cn
hxxp://tokhador.cn
hxxp://yuznisor.cn
hxxp://vamtator.cn
hxxp://gojligur.cn
hxxp://vukqejur.cn
hxxp://fewxopur.cn
hxxp://wukwoxur.cn
hxxp://bavyoxur.cn
hxxp://jegdufas.cn
hxxp://rillefes.cn
hxxp://niwwages.cn
hxxp://comrames.cn
hxxp://rohfapes.cn
hxxp://lehredis.cn
hxxp://jepniwos.cn
hxxp://lexxedus.cn
hxxp://xuljuhus.cn
hxxp://levgepat.cn
hxxp://modhewet.cn
hxxp://kawlozet.cn
hxxp://bufsofit.cn
hxxp://gekloyit.cn
hxxp://tercifot.cn
hxxp://yughaqut.cn
hxxp://surfabav.cn
hxxp://yutbevav.cn
hxxp://mowvahev.cn
hxxp://tuwcexev.cn
hxxp://liqfimiv.cn
hxxp://pefxamuv.cn
hxxp://goqdexuv.cn
hxxp://fozlubaw.cn
hxxp://yuxcizaw.cn
hxxp://mevvubew.cn
hxxp://nuzzuhew.cn
hxxp://dibkicow.cn
hxxp://lobrakow.cn
hxxp://vuksirow.cn
hxxp://samnuvow.cn
hxxp://jizlotuw.cn
hxxp://buzgikax.cn
hxxp://jawcesax.cn
hxxp://qatvegex.cn
hxxp://gegfejex.cn
hxxp://cigxekex.cn
hxxp://kejjobox.cn
hxxp://yosbucox.cn
hxxp://kelmogox.cn
hxxp://jeqyuzox.cn
hxxp://jocxebux.cn
hxxp://tawcizux.cn
hxxp://kittokay.cn
hxxp://seryusay.cn
hxxp://nocbusey.cn
hxxp://semfihiy.cn
hxxp://xotgajiy.cn
hxxp://sarvujiy.cn
hxxp://gicmosiy.cn
hxxp://fulpaziy.cn
hxxp://cunzumoy.cn

Related malicious name servers known to have participated in the campaign:
hxxp://ns2.boostaroma.com - 110.52.6.252
hxxp://ns2.okultra.com
hxxp://ns2.swellfab.com
hxxp://ns2.shehead.com
hxxp://ns2.atbread.com
hxxp://ns2.treatglad.com
hxxp://ns2.plumbold.com
hxxp://ns2.callold.com
hxxp://up2.thicksend.com
hxxp://ns6.zestkind.com
hxxp://ns2.burnround.com
hxxp://ns2.witproud.com
hxxp://ns2.fizznice.com
hxxp://ns6.plusspice.com
hxxp://up2.humaneagree.com
hxxp://ns2.adorewee.com
hxxp://ns4.kindable.com
hxxp://ns2.prideable.com
hxxp://ns2.cuddlyhumble.com
hxxp://ns2.ablewhole.com
hxxp://ns2.quickwhole.com
hxxp://ns2.plumpwhole.com
hxxp://up2.begancome.com
hxxp://up2.sizeplane.com
hxxp://up2.colonytype.com
hxxp://ns6.prizeaware.com
hxxp://ns2.pridesure.com
hxxp://ns2.toophrase.com
hxxp://ns2.loyalrise.com
hxxp://up2.pathuse.com
hxxp://ns2.dimplechaste.com
hxxp://ns2.welltrue.com
hxxp://ns2.ziptrue.com
hxxp://ns2.silverwe.com
hxxp://ns2.calmprize.com
hxxp://ns2.firmrich.com
hxxp://ns2.activeinch.com
hxxp://ns2.cookmulti.com
hxxp://ns2.wellmoral.com
hxxp://ns2.peakswell.com
hxxp://ns2.posewill.com
hxxp://ns2.droolcool.com
hxxp://up2.cuddlypoem.com
hxxp://ns2.loyalcalm.com
hxxp://ns2.extolcalm.com
hxxp://ns2.radiothan.com
hxxp://up2.persontrain.com
hxxp://ns2.awardfun.com
hxxp://ns4.zealreap.com
hxxp://ns2.piousreap.com
hxxp://ns2.firstreap.com
hxxp://ns2.grandzap.com
hxxp://ns2.royalzap.com
hxxp://ns6.ablezip.com
hxxp://ns2.zapeager.com
hxxp://up2.blockfather.com
hxxp://ns2.breezycorner.com
hxxp://ns2.donewater.com
hxxp://ns2.listenflower.com
hxxp://ns2.dimplechair.com
hxxp://up2.yardcolor.com
hxxp://ns4.fizzleads.com
hxxp://up2.finestgrass.com
hxxp://ns2.prizebeats.com
hxxp://ns4.maxigreat.com
hxxp://ns2.flairtreat.com
hxxp://up2.tingleflat.com
hxxp://ns6.proudquiet.com
hxxp://ns2.morequiet.com
hxxp://ns2.droolplanet.com
hxxp://up2.giftedunit.com
hxxp://ns2.solarwit.com
hxxp://ns2.ropemeant.com
hxxp://ns2.paradiseobedient.com
hxxp://ns4.paradiseobedient.com
hxxp://up2.minealert.com
hxxp://ns4.spicyrest.com
hxxp://ns4.alertjust.com
hxxp://ns2.resttrust.com
hxxp://ns2.pagefew.com
hxxp://ns2.multiaglow.com
hxxp://ns2.objectallow.com
hxxp://ns2.alertwow.com
hxxp://ns2.alivejuicy.com
hxxp://ns2.restjuicy.com
hxxp://ns2.funcomfy.com
hxxp://ns2.solarcomfy.com
hxxp://ns2.prizetangy.com
hxxp://ns2.wholehappy.com
hxxp://ns2.prideeasy.com
hxxp://ns2.suddeneasy.com
hxxp://ns2.treatrosy.com
hxxp://ns2.earlytwenty.com

Related malicious domains known to have participated in the campaign:
hxxp://xiskizop.cn - 58.17.3.44; 60.191.239.189; 203.93.208.86 - hxxp://ns5.prizeaware.com; hxxp://ns1.grandzap.com; hxxp://ns3.alertjust.com

Related malicious domains known to have participated in the campaigns:
hxxp://xancefab.cn
hxxp://busgihab.cn
hxxp://putcojab.cn
hxxp://nizvonab.cn
hxxp://bulpapab.cn
hxxp://laztoqab.cn
hxxp://varsesab.cn
hxxp://pahdeheb.cn
hxxp://wiqponeb.cn
hxxp://rutfuseb.cn
hxxp://zacniyeb.cn
hxxp://beblelib.cn
hxxp://gahvosib.cn
hxxp://rigzowib.cn
hxxp://bacnaxib.cn
hxxp://pexyufob.cn
hxxp://sowgugob.cn
hxxp://buhbulob.cn
hxxp://ciybufub.cn
hxxp://xoddimub.cn
hxxp://nugtaqub.cn
hxxp://buvkuzub.cn
hxxp://fikqebac.cn
hxxp://pevremac.cn
hxxp://qokbasac.cn
hxxp://patmebec.cn
hxxp://kuntigec.cn
hxxp://jolcekec.cn
hxxp://wihjorec.cn
hxxp://fixruyec.cn
hxxp://gospozec.cn
hxxp://batrijic.cn
hxxp://rebzomic.cn
hxxp://loqrupic.cn
hxxp://diqhaqic.cn
hxxp://bohkoqic.cn
hxxp://beszesic.cn
hxxp://tuzhovic.cn
hxxp://hesyuvic.cn
hxxp://kovhewic.cn
hxxp://lufreyic.cn
hxxp://noxrazic.cn
hxxp://lefviboc.cn
hxxp://fodcuboc.cn
hxxp://pevhihoc.cn
hxxp://widlajoc.cn
hxxp://zocwoloc.cn
hxxp://janpupoc.cn
hxxp://mefbuqoc.cn
hxxp://hujqezoc.cn
hxxp://capjebuc.cn
hxxp://befqacuc.cn
hxxp://socjujuc.cn
hxxp://qivbiruc.cn
hxxp://tuxbaxuc.cn
hxxp://tidsuyuc.cn
hxxp://kapdacad.cn
hxxp://lagfagad.cn
hxxp://japtugad.cn
hxxp://bechumad.cn
hxxp://holceqad.cn
hxxp://bectusad.cn
hxxp://tabzuwad.cn
hxxp://rednezad.cn
hxxp://megzizad.cn
hxxp://forvafed.cn
hxxp://hojliged.cn
hxxp://fuxcexed.cn
hxxp://baxpuxed.cn
hxxp://lugjized.cn
hxxp://lewdozed.cn
hxxp://hiszedid.cn
hxxp://buyquhid.cn
hxxp://wovyokid.cn
hxxp://yojvimid.cn
hxxp://widxixid.cn
hxxp://yovxoxid.cn
hxxp://reywufod.cn
hxxp://hubzahod.cn
hxxp://qapzekod.cn
hxxp://falxalod.cn
hxxp://yiznunod.cn
hxxp://towqotod.cn
hxxp://loxlayod.cn
hxxp://rockozod.cn
hxxp://johmabud.cn
hxxp://muvyucud.cn
hxxp://vattehud.cn
hxxp://fuytejud.cn
hxxp://kenyilud.cn
hxxp://cibsarud.cn
hxxp://najsatud.cn
hxxp://xibwazud.cn
hxxp://laztafaf.cn
hxxp://piynosaf.cn
hxxp://yelpidef.cn
hxxp://yagtudef.cn
hxxp://levxifef.cn
hxxp://povxajef.cn
hxxp://hetbetef.cn
hxxp://hudvotef.cn
hxxp://hemfowef.cn
hxxp://coqvazef.cn
hxxp://yawhojif.cn
hxxp://muvcewif.cn
hxxp://xadgobof.cn
hxxp://baxwuhof.cn
hxxp://wijtekof.cn
hxxp://sknqikof.cn
hxxp://mussiqof.cn
hxxp://gegwasof.cn
hxxp://xangesof.cn
hxxp://wumdewof.cn
hxxp://hoqtayof.cn
hxxp://kiyvayof.cn
hxxp://cufdicuf.cn
hxxp://gotbucuf.cn
hxxp://gexzehuf.cn
hxxp://cepceluf.cn
hxxp://gepleluf.cn
hxxp://tefhosuf.cn
hxxp://xaqqivuf.cn
hxxp://wubfezuf.cn
hxxp://panrozuf.cn
hxxp://nadvofag.cn
hxxp://yawjehag.cn
hxxp://zeltimag.cn
hxxp://misgaqag.cn
hxxp://noxyaxag.cn
hxxp://sunluxag.cn
hxxp://bozhoceg.cn
hxxp://dawqefeg.cn
hxxp://locfemeg.cn
hxxp://mivlaneg.cn
hxxp://vaqxiseg.cn
hxxp://gesyateg.cn
hxxp://kumweteg.cn
hxxp://jefpaveg.cn
hxxp://lilyegig.cn
hxxp://janweqig.cn
hxxp://diwjusig.cn
hxxp://sohmiwig.cn
hxxp://rimmazig.cn
hxxp://tirpedog.cn
hxxp://jamguhog.cn
hxxp://bejfakog.cn
hxxp://bebyolog.cn
hxxp://kixmamog.cn
hxxp://tofyeqog.cn
hxxp://kojxuqog.cn
hxxp://puqtabug.cn
hxxp://suszibug.cn
hxxp://ciwracug.cn
hxxp://nahbugug.cn
hxxp://gaygokug.cn
hxxp://seygoqug.cn
hxxp://helqasug.cn
hxxp://tockesug.cn
hxxp://jipqevug.cn
hxxp://rewnowug.cn
hxxp://nazxefah.cn
hxxp://hofkagah.cn
hxxp://coszegah.cn
hxxp://vojyojah.cn
hxxp://nihwalah.cn
hxxp://yojzatah.cn
hxxp://buvsutah.cn
hxxp://hulgadeh.cn
hxxp://nibzofeh.cn
hxxp://xickeqeh.cn
hxxp://kapmereh.cn
hxxp://regyaveh.cn
hxxp://lizpazeh.cn
hxxp://lujpobih.cn
hxxp://xozyecih.cn
hxxp://telhetih.cn
hxxp://dussadoh.cn
hxxp://lerbenoh.cn
hxxp://yokveqoh.cn
hxxp://hafgoqoh.cn
hxxp://gagkiroh.cn
hxxp://teftebuh.cn
hxxp://fitsofuh.cn
hxxp://ziwvomuh.cn
hxxp://fazlenuh.cn
hxxp://gazkinuh.cn
hxxp://dutmivuh.cn
hxxp://zukdayuh.cn
hxxp://busgayuh.cn
hxxp://nohpobaj.cn
hxxp://qusdumaj.cn
hxxp://wizdaqaj.cn
hxxp://wuwbeqaj.cn
hxxp://girzidej.cn
hxxp://vespifej.cn
hxxp://ceszegej.cn
hxxp://juqbumej.cn
hxxp://xuxmanej.cn

Related malicious name servers known to have participated in the campaign:
hxxp://ns1.quvzipda.com - 193.165.209.3
hxxp://ns1.syquskezaja.com
hxxp://ns1.mnysiwugpa.com
hxxp://ns1.uzfayxlob.com
hxxp://ns1.umkeihfub.com
hxxp://ns1.diethealthworld.com
hxxp://ns2.diethealthworld.com
hxxp://ns1.pillshopstore.com
hxxp://ns2.pillshopstore.com
hxxp://ns1.ixcopvudeg.com
hxxp://ns1.cuzatpih.com
hxxp://ns1.fondukoiwi.com
hxxp://ns1.zevmyxhyhl.com
hxxp://ns1.pecsletoil.com
hxxp://ns1.havputviwl.com
hxxp://ns1.icuhzapyl.com
hxxp://ns1.ollectimon.com
hxxp://ns1.calpuwhup.com
hxxp://ns1.miacohder.com
hxxp://ns1.rjycbaswes.com
hxxp://ns1.tlyldihkis.com
hxxp://ns2.bestfreepills.com
hxxp://ns2.storehealthpills.com
hxxp://ns1.medspillsdiscounts.com
hxxp://ns1.ribormolu.com
hxxp://ns1.sluxjagvyw.com
hxxp://ns1.marttabletsrx.com
hxxp://ns1.zirremeaby.com
hxxp://ns1.xioduvvejy.com
hxxp://ns1.tmypheatvy.com
hxxp://ns1.zurmeigguz.com
hxxp://ns1.pendyxconvam.net
hxxp://ns1.mevkybmomu.net
hxxp://ns1.wutvymnu.net
hxxp://ns1.atquackephix.net
hxxp://ns1.gneqwyapuz.net
hxxp://ns1.az6.ru
hxxp://ns1.compmegastore.ru
hxxp://ns1.wearcompstore.ru
hxxp://ns1.compnetstore.ru
hxxp://ns1.seaportative.ru
hxxp://ns1.webshopmag.ru
hxxp://ns2.webshopmag.ru
hxxp://ns1.markettradersmag.ru
hxxp://ns1.storeonlinecomp.ru
hxxp://ns1.livingmagcomp.ru
hxxp://ns1.magcompdirect.ru
hxxp://ns1.storemycompdirect.ru

Related malicious domains known to have participated in the campaigns:
hxxp://hyuljavmyca.com - 212.174.200.111
hxxp://rjiofnida.com
hxxp://lubetokbufa.com
hxxp://homhylvega.com
hxxp://syquskezaja.com
hxxp://kriwmikib.com
hxxp://rhuwcugniob.com
hxxp://fonrasetlid.com
hxxp://rycnyrfikre.com
hxxp://tonlijwe.com
hxxp://mefcyqwef.com
hxxp://lorcowurayf.com
hxxp://ubeuhroqug.com
hxxp://fadjybzih.com
hxxp://ghaknikfehi.com
hxxp://ksoknadsi.com
hxxp://fondukoiwi.com
hxxp://reixvyklick.com
hxxp://qworjulnenk.com
hxxp://svozquzrel.com
hxxp://pecsletoil.com
hxxp://havputviwl.com
hxxp://pendyxconvam.com
hxxp://whapzintaon.com
hxxp://ollectimon.com
hxxp://japyebawn.com
hxxp://xovtemfajo.com
hxxp://shymumoufjo.com
hxxp://calpuwhup.com
hxxp://iescehqucr.com
hxxp://thepillcorner.com
hxxp://kvirincyofr.com
hxxp://iecoqwecs.com

hxxp://syquskezaja.com - 200.204.57.187
hxxp://cuzatpih.com
hxxp://ollectimon.com
hxxp://sluxjagvyw.com
hxxp://xioduvvejy.com
hxxp://nravsaelvi.net
hxxp://pendyxconvam.net
hxxp://mevkybmomu.net
hxxp://atquackephix.net
hxxp://gneqwyapuz.net

Related malicious domains known to have participated in the campaign:
hxxp://tovpuveb.cn
hxxp://risregib.cn
hxxp://sapwopub.cn
hxxp://kutwuzub.cn
hxxp://dijmigac.cn
hxxp://davzunic.cn
hxxp://cuwlicoc.cn
hxxp://hinkizad.cn
hxxp://tiwkicid.cn
hxxp://giddehid.cn
hxxp://qehmujid.cn
hxxp://jadyoxid.cn
hxxp://yipxakud.cn
hxxp://qophepud.cn
hxxp://nawfusud.cn
hxxp://xohpebaf.cn
hxxp://yilqobaf.cn
hxxp://gelkinef.cn
hxxp://zigconef.cn
hxxp://vasgotef.cn
hxxp://gitmufif.cn
hxxp://pujxatof.cn
hxxp://tagcafuf.cn
hxxp://joywehuf.cn
hxxp://xoggunuf.cn
hxxp://pezpipuf.cn
hxxp://gugfequf.cn
hxxp://kattowuf.cn
hxxp://rosmicag.cn
hxxp://nagnuteg.cn
hxxp://fohjedig.cn
hxxp://hijderig.cn
hxxp://dittomog.cn
hxxp://zubwefah.cn
hxxp://fodpohah.cn
hxxp://sehviwah.cn
hxxp://hifkuneh.cn
hxxp://bidfecih.cn
hxxp://wuxmulih.cn
hxxp://beqwacoh.cn
hxxp://qukvimoh.cn
hxxp://vasxavoh.cn
hxxp://salxaxoh.cn
hxxp://labyocaj.cn
hxxp://zigxadij.cn
hxxp://hixkanij.cn
hxxp://zixkitoj.cn
hxxp://zijzoguj.cn
hxxp://yiwzuluj.cn
hxxp://survuruj.cn
hxxp://feftuqak.cn
hxxp://ziscawak.cn
hxxp://wacpowek.cn
hxxp://segjinuk.cn
hxxp://viqfizuk.cn
hxxp://qawgegal.cn
hxxp://loqfogal.cn
hxxp://sihwohal.cn
hxxp://babtakal.cn
hxxp://nagnemel.cn
hxxp://ribwegil.cn
hxxp://watpiyil.cn
hxxp://goxmabul.cn
hxxp://siwkecul.cn
hxxp://selzimul.cn
hxxp://qakwivul.cn
hxxp://bedvuyul.cn
hxxp://fiddozul.cn
hxxp://joldokim.cn
hxxp://foztokim.cn
hxxp://woklahum.cn
hxxp://gavsanum.cn
hxxp://kejrupum.cn
hxxp://hagjatum.cn
hxxp://xumfuzum.cn
hxxp://mafcocan.cn
hxxp://geqkedan.cn
hxxp://fumhasan.cn
hxxp://zosqinen.cn
hxxp://nonzinen.cn
hxxp://tahyedin.cn
hxxp://niyyurin.cn
hxxp://wokmison.cn
hxxp://nekmerun.cn
hxxp://gebzevun.cn
hxxp://dizxohap.cn
hxxp://wirzovap.cn
hxxp://cobyizip.cn
hxxp://sokwimop.cn
hxxp://digjipop.cn
hxxp://qagtohup.cn
hxxp://wodkepaq.cn
hxxp://kuqqavaq.cn
hxxp://vogyafeq.cn
hxxp://qokyaziq.cn
hxxp://gelmaloq.cn
hxxp://rikxeduq.cn
hxxp://mifzoyuq.cn
hxxp://jitmekar.cn
hxxp://zedbeper.cn
hxxp://qoyrifir.cn
hxxp://rerbogir.cn
hxxp://nexyutir.cn
hxxp://yuvwobor.cn
hxxp://raddijor.cn
hxxp://rehciror.cn
hxxp://jowqasor.cn
hxxp://wotrisor.cn
hxxp://tinselur.cn
hxxp://sacvakes.cn
hxxp://xonlefis.cn
hxxp://sehwukos.cn
hxxp://torxupos.cn
hxxp://yujzidus.cn
hxxp://dejzezat.cn
hxxp://gunjivet.cn
hxxp://hecfocav.cn
hxxp://yuxdiqav.cn
hxxp://guysogiv.cn
hxxp://tebziniv.cn
hxxp://dedsupov.cn
hxxp://genwsxov.cn
hxxp://xaycozuv.cn
hxxp://fojgoraw.cn
hxxp://suwsozaw.cn
hxxp://hudwuhew.cn
hxxp://momzuhew.cn
hxxp://pibwokiw.cn
hxxp://lacfimiw.cn
hxxp://jubduriw.cn
hxxp://talcuviw.cn
hxxp://xavgubow.cn
hxxp://zovcofow.cn
hxxp://qopzubax.cn
hxxp://dogqodax.cn
hxxp://jimjakax.cn
hxxp://ricnafex.cn
hxxp://nadlewex.cn
hxxp://mokcegox.cn
hxxp://getkixox.cn
hxxp://wucpulux.cn
hxxp://dalpobay.cn
hxxp://refhagay.cn
hxxp://jusyadey.cn
hxxp://reqpijey.cn
hxxp://vebzaqiy.cn
hxxp://sejtogoy.cn
hxxp://yecnaquy.cn
hxxp://xufguyuy.cn
hxxp://puktunaz.cn
hxxp://zaztuvaz.cn
hxxp://sixbufiz.cn
hxxp://nofdowiz.cn
hxxp://cuvxoqoz.cn
hxxp://yugkiwuz.cn

Related malicious domains known to have participated in the campaign:
hxxp://columnultra.com - 58.17.3.41
hxxp://milkhold.com
hxxp://eagerboard.com
hxxp://yesonlynoun.com
hxxp://differdo.com
hxxp://seemlykeep.com
hxxp://seemnear.com
hxxp://modernbut.com

Related malicious domains known to have participated in the campaign:
hxxp://litgukab.cn
hxxp://xojyupab.cn
hxxp://ritlarab.cn
hxxp://qeqyukeb.cn
hxxp://fedpijib.cn
hxxp://xumlodob.cn
hxxp://kozgewob.cn
hxxp://fajnahec.cn
hxxp://nedsicic.cn
hxxp://hertuqic.cn
hxxp://linrudoc.cn
hxxp://gilqufuc.cn
hxxp://lijwituc.cn
hxxp://loqbaxuc.cn
hxxp://camxezuc.cn
hxxp://foyxolad.cn
hxxp://bapvusad.cn
hxxp://wokmeyad.cn
hxxp://yizqosed.cn
hxxp://vivwiwef.cn
hxxp://percaqof.cn
hxxp://cepceluf.cn
hxxp://paqhizuf.cn
hxxp://vorvivag.cn
hxxp://maynixeg.cn
hxxp://mujyumig.cn
hxxp://coyrekog.cn
hxxp://xetvetih.cn
hxxp://mugyujuh.cn
hxxp://supsizuh.cn
hxxp://bixtakaj.cn
hxxp://lanmixej.cn
hxxp://worxezej.cn
hxxp://tikgepij.cn
hxxp://yatsanak.cn
hxxp://tucgosak.cn
hxxp://hihnuwak.cn
hxxp://qilfadek.cn
hxxp://zibsitik.cn
hxxp://xetmojok.cn
hxxp://yelsecuk.cn
hxxp://confowuk.cn
hxxp://pozzoxuk.cn
hxxp://savhixal.cn
hxxp://nudtaqel.cn
hxxp://keptavol.cn
hxxp://berqufam.cn
hxxp://wuqrulam.cn
hxxp://goftiwam.cn
hxxp://vowcajem.cn
hxxp://rizfinim.cn
hxxp://jetgekom.cn
hxxp://letjucun.cn
hxxp://wivwiqap.cn
hxxp://duccesap.cn
hxxp://zamyisap.cn
hxxp://ranpovep.cn
hxxp://kucdawep.cn
hxxp://limjapip.cn
hxxp://ciggecop.cn
hxxp://ziybelop.cn
hxxp://yakquyeq.cn
hxxp://borremiq.cn
hxxp://vuzwesuq.cn
hxxp://rosvocor.cn
hxxp://hakdugas.cn
hxxp://kabmebes.cn
hxxp://purhuves.cn
hxxp://gopmocis.cn
hxxp://cabziqis.cn
hxxp://pomzonos.cn
hxxp://zojvapus.cn
hxxp://nobfemat.cn
hxxp://ritcubav.cn
hxxp://bibbikev.cn
hxxp://daslulev.cn
hxxp://naczoduv.cn
hxxp://betjoqiw.cn
hxxp://yoqlamow.cn
hxxp://jawjeqow.cn
hxxp://zijmivuw.cn
hxxp://dupqozuw.cn
hxxp://fatnudax.cn
hxxp://defrogax.cn
hxxp://kalyahax.cn
hxxp://toztipax.cn
hxxp://gecfopax.cn
hxxp://wuqzubex.cn
hxxp://hexpadix.cn
hxxp://luhnukox.cn
hxxp://vecbibey.cn
hxxp://dimgecey.cn
hxxp://fammuvey.cn
hxxp://zepfabiy.cn
hxxp://gewvamiy.cn
hxxp://pekzariy.cn
hxxp://pixkinaz.cn
hxxp://mecqulez.cn
hxxp://yubreliz.cn
hxxp://juvmeriz.cn
hxxp://mafcixiz.cn
hxxp://butlezoz.cn
hxxp://xisqapuz.cn
hxxp://jihkohab.cn
hxxp://litgukab.cn
hxxp://xojyupab.cn
hxxp://ritlarab.cn
hxxp://qancabeb.cn
hxxp://xaqkabeb.cn
hxxp://qeqyukeb.cn
hxxp://bobhoneb.cn
hxxp://fedpijib.cn
hxxp://kozgewob.cn
hxxp://mirlacub.cn
hxxp://jokrogub.cn
hxxp://qupbihac.cn
hxxp://viqnijac.cn
hxxp://bucdawac.cn
hxxp://latzoyac.cn
hxxp://ferkogec.cn
hxxp://qujqugec.cn
hxxp://fajnahec.cn
hxxp://saybilec.cn
hxxp://yaxxosec.cn
hxxp://nedsicic.cn
hxxp://cimhijic.cn
hxxp://hertuqic.cn
hxxp://linrudoc.cn
hxxp://mahhekoc.cn
hxxp://pegvijuc.cn
hxxp://camxezuc.cn
hxxp://kossehad.cn
hxxp://bapvusad.cn
hxxp://coffebed.cn
hxxp://xadjeqid.cn
hxxp://pehxarid.cn
hxxp://maknohod.cn
hxxp://yujhaqod.cn
hxxp://vevteyod.cn
hxxp://rinmumud.cn
hxxp://xuldeyud.cn
hxxp://fedrujaf.cn
hxxp://nugnosaf.cn
hxxp://koxpelef.cn
hxxp://tecyatef.cn
hxxp://hemfowef.cn
hxxp://pavlegif.cn
hxxp://percaqof.cn
hxxp://sizkeyof.cn
hxxp://zugkucuf.cn
hxxp://rijhuhuf.cn
hxxp://cepceluf.cn
hxxp://paqhizuf.cn
hxxp://xowjicag.cn
hxxp://dofpalag.cn
hxxp://hujrulag.cn
hxxp://maxtayag.cn
hxxp://qekvoceg.cn
hxxp://vazwureg.cn
hxxp://pilpuweg.cn
hxxp://wedruweg.cn
hxxp://cexkezeg.cn
hxxp://mujyumig.cn
hxxp://wintabog.cn
hxxp://nuzmohog.cn
hxxp://coyrekog.cn
hxxp://tubvuxog.cn
hxxp://zavdahug.cn
hxxp://yukpikug.cn
hxxp://muwsikeh.cn
hxxp://pecculeh.cn
hxxp://rafniteh.cn
hxxp://nukfijih.cn
hxxp://xetvetih.cn
hxxp://tikbacoh.cn
hxxp://zikwufuh.cn
hxxp://mugyujuh.cn
hxxp://hijbumuh.cn
hxxp://wubxayuh.cn
hxxp://quntoyuh.cn
hxxp://supsizuh.cn
hxxp://techegaj.cn
hxxp://bixtakaj.cn
hxxp://wuwbeqaj.cn
hxxp://caqhiqaj.cn
hxxp://lijzarej.cn
hxxp://lanmixej.cn
hxxp://jutzuzej.cn
hxxp://betkawij.cn
hxxp://mumrojoj.cn
hxxp://wulkukoj.cn
hxxp://selqetuj.cn
hxxp://zuvbowuj.cn
hxxp://sevpohak.cn
hxxp://qusvilak.cn
hxxp://qowrirak.cn
hxxp://tucgosak.cn
hxxp://bajhukek.cn
hxxp://qeyzecik.cn
hxxp://pijridik.cn
hxxp://yecgajik.cn
hxxp://tovboqik.cn
hxxp://sirrotik.cn
hxxp://pomzexik.cn
hxxp://nopvafok.cn
hxxp://xetmojok.cn
hxxp://fuqzuxok.cn
hxxp://xajkimuk.cn
hxxp://confowuk.cn
hxxp://pozzoxuk.cn
hxxp://vufmikal.cn
hxxp://korkusal.cn
hxxp://yasdaxal.cn
hxxp://nibnupel.cn
hxxp://nudtaqel.cn
hxxp://zivwirel.cn
hxxp://facjacil.cn
hxxp://qaqdidil.cn
hxxp://zirmidil.cn
hxxp://pivteqil.cn
hxxp://mutzomol.cn
hxxp://bahfosol.cn
hxxp://kajvatol.cn
hxxp://keptavol.cn
hxxp://mevvuqul.cn
hxxp://berqufam.cn
hxxp://zihwujam.cn
hxxp://jormofem.cn
hxxp://vowcajem.cn
hxxp://yawyibim.cn
hxxp://mibyumim.cn
hxxp://pabfakom.cn
hxxp://jetgekom.cn
hxxp://xolkizom.cn
hxxp://mujsikum.cn
hxxp://moynukan.cn
hxxp://ranfelan.cn
hxxp://kayjamen.cn
hxxp://kudcedon.cn
hxxp://getwison.cn
hxxp://givjivon.cn
hxxp://faykirun.cn
hxxp://zebxaxun.cn
hxxp://coclecap.cn
hxxp://texnipap.cn
hxxp://humyipap.cn
hxxp://duccesap.cn
hxxp://zamyisap.cn
hxxp://lunyicep.cn
hxxp://ranpovep.cn
hxxp://yifkebip.cn
hxxp://yiryemip.cn
hxxp://mowmoqip.cn
hxxp://wozhihop.cn
hxxp://mefrexop.cn
hxxp://qidyubup.cn
hxxp://qidjohup.cn
hxxp://lotjolup.cn
hxxp://dirdotup.cn
hxxp://memqowaq.cn
hxxp://civvufeq.cn
hxxp://bobfiliq.cn
hxxp://borremiq.cn
hxxp://singuroq.cn
hxxp://qudjuvoq.cn
hxxp://vuzwesuq.cn
hxxp://nuvmotuq.cn
hxxp://zohcidar.cn
hxxp://rentumar.cn
hxxp://fipzaqar.cn
hxxp://siqcatar.cn
hxxp://sagvitar.cn
hxxp://luqsiger.cn
hxxp://zuyxewer.cn
hxxp://jagnuyer.cn
hxxp://ruhbulir.cn
hxxp://sityeyir.cn
hxxp://rosvocor.cn
hxxp://julxapor.cn
hxxp://rixlupur.cn
hxxp://jutfisur.cn
hxxp://fabmotur.cn
hxxp://bukpuzur.cn
hxxp://pozsigas.cn
hxxp://hakdugas.cn
hxxp://lokzihas.cn
hxxp://mukkebes.cn
hxxp://mijpedes.cn
hxxp://conzakes.cn
hxxp://fodbemes.cn
hxxp://maqpumes.cn
hxxp://purhuves.cn
hxxp://hohgibis.cn
hxxp://kezyubis.cn
hxxp://gopmocis.cn
hxxp://soqsedis.cn
hxxp://defdoris.cn
hxxp://pomzonos.cn
hxxp://lanhovus.cn

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Spam-friendly Image Randomization Tool Released on the Underground Marketplace

August 17, 2016
Cybercriminals continue applying basic QA (Quality Assurance) processes to their fraudulent campaigns on their way to achieving a positive ROI (Return on Investment) from their fraudulent activities.

In this post we'll discuss a newly launched commercial tool that generates unique images for the purpose of evading spam filters, so that end users are exposed to, and fall victim to, the fraudulent campaign.





Priced at $25, the API-enabled tool converts a regular image used in a spam campaign into a new, unique one that bypasses spam filters, exposing end users to fraudulent attempts and generating fraudulent revenue for the cybercriminals behind the campaign.

We expect to continue observing an increase in QA (Quality Assurance) driven underground market propositions, leading to a successful set of fraudulent offerings dominating the underground marketplace.
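As an added illustration (not code from the post, and not the tool it describes), the following Python shows why a per-message randomized image slips past a filter that matches exact file content, and what a practitioner can do about it: an 8x8 average hash compares the picture's coarse structure instead of its bytes, so noised variants still cluster with the original creative while a genuinely different picture does not. The sample image, the noise model standing in for the tool's transformation, and the 5-bit threshold are all assumptions.

```python
"""Why a randomized spam image defeats byte-exact matching but not a perceptual hash."""
import hashlib
import random

WIDTH, HEIGHT = 64, 64


def make_image(width=WIDTH, height=HEIGHT):
    """Constructed sample grayscale 'image' (rows of 0-255 ints): a horizontal
    gradient with a bright square, standing in for a spam creative."""
    rows = []
    for y in range(height):
        row = []
        for x in range(width):
            v = (x * 4) % 256
            if 16 <= x < 48 and 16 <= y < 48:
                v = 240
            row.append(v)
        rows.append(row)
    return rows


def randomize(img, seed, amplitude=6):
    """Assumed model of the tool's effect: small per-pixel noise that changes the
    file's bytes while leaving the picture visually identical."""
    rng = random.Random(seed)
    return [[max(0, min(255, v + rng.randint(-amplitude, amplitude))) for v in row]
            for row in img]


def invert(img):
    """A genuinely different picture, used for contrast."""
    return [[255 - v for v in row] for row in img]


def byte_hash(img):
    """What a filter keyed on exact content sees: any pixel change yields a new digest."""
    return hashlib.md5(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img, size=8):
    """Average hash: downscale to size x size blocks, then one bit per block
    (block mean above the global mean or not). Returns a 64-bit int for size=8."""
    bh, bw = len(img) // size, len(img[0]) // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def near_duplicate(a, b, threshold=5):
    """Treat two images as the same creative if their average hashes differ in at
    most `threshold` of 64 bits (threshold is an assumption, tune on real data)."""
    return hamming(average_hash(a), average_hash(b)) <= threshold


if __name__ == "__main__":
    original = make_image()
    for seed in range(3):
        variant = randomize(original, seed)
        print(seed, byte_hash(variant), hamming(average_hash(original), average_hash(variant)))
    print("inverted:", hamming(average_hash(original), average_hash(invert(original))))
```

Each run of `randomize` produces a different MD5, which is what the $25 tool sells; the average hash distance between the variants and the original stays at zero, so a filter that clusters on perceptual hashes rather than exact digests keeps catching the campaign.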

Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT

September 28, 2011
The following intelligence brief summarizes the findings from a brief analysis of two malware campaigns from August, namely the spamvertised Uniform Traffic Tickets and the FDIC Notification campaigns.

_Uniform Traffic Tickets

Spamvertised attachments - Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip

Detection rates:
Ticket.exe - Gen:Trojan.Heur.FU.bqW@aK9ebrii - Detection rate: 37/43 (86.0%)
MD5   : 6361d4a40485345c18473f3c6b4b6609
SHA1  : 50b09bb2e0044aa139a84c2e445a56f01d70c185
SHA256: ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725

Ticket1.exe - Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8%)
MD5   : e2a2d67b8a52ae655f92779bec296676
SHA1  : ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf
SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc

Upon execution the samples phone back to:
sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey-providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru
rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com
rattsillis.com/pusk3.exe - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com

DNS emulation of ns1.lemanbrostm.info reveals two domains using the same name server: belidiskalom.com - 178.208.76.175 - Email: admin@belidiskalom.com, and lemanbrostm.info - Email: coz@yahoo.com.

Known MD5 modifications for pusk3.exe at rattsillis.com:
c6dab856705b5dfd09b2adbe10701b05
f167213c6a79f2313995e80a8ac29939
f4764cce5c3795b1d63a299a5329d2e2
dae9e7653573478a6b41a62f7cb99c12
69c983c9dfaf37e346004c9aaf54a3d0
d875b8e32a231405c7fa96b810e9b361
628270c6e44b0fa21ef8e87c6bc36f57
9b69dabd876e967bcd2eb85465175e3b
0434c084dba8626df980c7974d5728e1

Related binaries and associated MD5 modifications:
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0
rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 3ea4e9fd297b3058ebbb360c1581aaac;
rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62f7cb99c12; b73705c097c9be9779730d801ad098e0; d7952c1e77d7bb250cdfa88e157fb5a8

Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b7dfc21617cf

sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; ebf7278a7239378e7d70d426779962ce
sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a
sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561ed91e77b4

sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8

Detection rate for blood.exe:
blood.exe - Trojan-Spy.Win32.Zbot - 25/44 (56.8%)
MD5   : 577cf0b7ca3d5bcbe35764024f241fa8
SHA1  : 30f542a44d06d9125cdfbdd38d79de778e4c0791
SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18

_FDIC Notification

Spamvertised attachments: FDIC_Document.zip

Detection rate: FDIC_Document.exe - Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5%)
MD5   : 7b5a271c58c6bb18d79cd48353127ff6
SHA1  : 6526b6097df42f93bee25d7ea73f95d2fcc24d3a
SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0

Upon execution the sample phones back to:
rattsillis.com/ftp/g.php
rattsillis.com/blood.exe
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0

What's particularly interesting is that both campaigns were launched by the same cybercriminal, using the same C&C, rattsillis.com, which was also seen in the spamvertised ACH Payment Canceled campaign.
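As an added example (not the author's own tooling), this Python turns the defanged lists in this brief and in the Swine Flu domain portfolio above into structured indicators: it refangs hxxp:// hosts, pulls IPs, ASN and registrant e-mail from the " - " separated fields, keeps name-server lists, collects MD5/SHA1/SHA256 values, and pivots hosts by shared IP, which is the relationship the posts themselves use to tie domains together. The embedded sample is a handful of lines copied from the two posts; the line-shape heuristics and the file-extension skip list are assumptions about how the briefs are written.

```python
"""Parse the defanged infrastructure lists of an OSINT brief into pivotable indicators."""
import re
from dataclasses import dataclass, field

IP_FIND = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ASN_RE = re.compile(r"^AS\d+$")
HASH_FIND = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.IGNORECASE)
# A bare "Ticket.exe" at the start of a detection-rate line is a sample name, not a host
# (assumed skip list for the brief's line shapes).
FILE_EXT = {"exe", "zip", "dll", "php"}

# Constructed sample: lines copied from the two posts above, covering the shapes used
# (defanged host; host + IPs + name servers; host/path + IPs + ASN + email; hash block).
SAMPLE_BRIEF = """\
Related malicious domains known to have participated in the campaign:
hxxp://pehwitew.cn - 58.17.3.44; 58.20.140.5; 220.248.167.126
hxxp://ns2.morewhole.com
hxxp://xiskizop.cn - 58.17.3.44; 60.191.239.189; 203.93.208.86 - hxxp://ns5.prizeaware.com; hxxp://ns1.grandzap.com; hxxp://ns3.alertjust.com
sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey-providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru
rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247 - AS41018 - Email: admin@jokelimo.com
Ticket.exe - Gen:Trojan.Heur.FU.bqW@aK9ebrii - Detection rate: 37/43 (86.0%)
MD5   : 6361d4a40485345c18473f3c6b4b6609
SHA1  : 50b09bb2e0044aa139a84c2e445a56f01d70c185
SHA256: ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725
"""


@dataclass
class Indicator:
    host: str
    path: str = ""
    ips: list = field(default_factory=list)
    asn: str = ""
    email: str = ""
    nameservers: list = field(default_factory=list)


def refang(token: str) -> str:
    """Strip the defanged 'hxxp://' (or a real scheme) so the host can be matched on."""
    token = token.strip()
    return re.sub(r"^(?:hxxps?|https?)://", "", token, flags=re.IGNORECASE)


def parse_line(line: str):
    """Parse one ' - ' separated line; returns None for headers, hash lines and sample names."""
    parts = [p.strip() for p in line.split(" - ")]
    target = refang(parts[0])
    host, _, path = target.partition("/")
    host = host.lower()
    if not host or " " in host or "." not in host or host.rsplit(".", 1)[-1] in FILE_EXT:
        return None
    ind = Indicator(host=host, path="/" + path if path else "")
    for part in parts[1:]:
        if part.startswith("Email:"):
            ind.email = part[len("Email:"):].strip()
        elif ASN_RE.match(part):
            ind.asn = part
        elif part.lower().startswith("hxxp"):
            ind.nameservers = [refang(t).lower() for t in part.split(";") if t.strip()]
        else:
            # IP field; findall also tolerates the brief's parenthetical asides.
            ind.ips.extend(IP_FIND.findall(part))
    return ind


def parse_brief(text: str) -> list:
    """All infrastructure indicators in the brief, in document order."""
    return [ind for ind in (parse_line(l) for l in text.splitlines()) if ind is not None]


def pivot_by_ip(indicators) -> dict:
    """Group hosts by the IP they responded to: shared IPs are the posts' pivot points."""
    pivot = {}
    for ind in indicators:
        for ip in ind.ips:
            pivot.setdefault(ip, set()).add(ind.host)
    return {ip: sorted(hosts) for ip, hosts in pivot.items()}


def extract_hashes(text: str) -> dict:
    """Collect MD5/SHA1/SHA256 values anywhere in the brief, classified by length."""
    by_len = {32: "md5", 40: "sha1", 64: "sha256"}
    found = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in HASH_FIND.findall(text):
        found[by_len[len(h)]].add(h.lower())
    return found


if __name__ == "__main__":
    inds = parse_brief(SAMPLE_BRIEF)
    for ind in inds:
        print(ind)
    print(pivot_by_ip(inds))
    print(extract_hashes(SAMPLE_BRIEF))
```

Running it on the sample shows 58.17.3.44 shared by pehwitew.cn and xiskizop.cn, which is the kind of overlap that lets a defender block or sinkhole by IP rather than chasing each algorithmically generated .cn name; the hash sets feed straight into an AV or EDR blocklist.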

This post has been reproduced from Dancho Danchev's blog.

Inside a Money Laundering Group's Spamming Operations

May 26, 2009
UPDATE: The command and control domain has been taken care of courtesy of the brisk response of OC3 Networks Abuse Team.

Alongside the efficiency- and cost-effectiveness-minded cybercriminals who anticipated the outsourcing (Cybercrime-as-a-Service) model a long time ago, there are self-serving groups which engage in literally every aspect of cybercrime themselves; in this very specific case, money mule recruiters.


What do the known money laundering aliases such as Value Trans Financial Group, Inc. (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. (eagle-group.net); DBS Group Inc. (dbs-group.cn); FB&B Group Inc. (fbb-groupli.cc); Advance Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common?

It's a botnet of 31,000 infected hosts which they use exclusively for spamming.

The money laundering organization describes itself as:
"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."

Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security they could have achieved in the first place, and this is one of those cases: their misconfigured botnet command and control allows other cybercriminals to hijack the botnet, and security researchers to shut it down effectively.

The people behind this money laundering organization are either lazy or ignorant to the point where the botnet's command and control interface runs on the very same web server they use for recruitment purposes.

Here are some screenshots of their command and control interface used exclusively for spam campaigns:

The domain is registered to supp3ortnewest@safe-mail.net, and DNS services are courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; two.goldwonderful9.info, which are the de facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason commissioned DDoS attacks were hitting the site last year).

Taking down the group's command and control domain is in progress.

Dealing with Spam - The O'Reilly.com Way

June 26, 2006
While China feels that centralization is the core of everything, and is licensing the use of mail servers to fight spam, thus totally ignoring the evolution of spam techniques, the other day I came across some recent Spam Statistics from Oreilly.com -- scary numbers!

"Our mail servers accepted 1,438,909 connections, attempting to deliver 1,677,649 messages. We rejected 1,629,900 messages and accepted only 47,749 messages. That's a ratio of 1:34 accepted to rejected messages! Here is how the message rejections break down:

Bad HELO syntax: 393284
Sending mail server masquerades as our mail server: 126513
Rejected dictionary attacks: 22567
Rejected by SORBS black list: 262967
Rejected by SpamHaus black list: 342495
Rejected by local block list: 5717
Sender verify failed: 4525
Recipient verify failed (bad To: address): 287457
Attempted to relay: 5857
No subject: 176
Bad header syntax: 0
Spam rejected (score => 10): 42069
Viruses/malware rejected: 2575
Bad attachments rejected: 1594"

Draw your own conclusions; besides shooting in the dark or plain syntax errors, the sheer waste of email traffic resulting in delayed email is the biggest downside here. Thankfully, non-commercial methods are still capable of dealing with the problem. At the bottom line, sending a couple of million email messages, whatever it costs, and getting a minor response from the "Hey, this is one hell of a deal and has my username at the top of it!" type of end user seems to keep motivating the sender. Localized spam is much more effective as an idea, but much easier to trace compared to mass-marketing approaches, though I feel it will emerge with time.
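The rejection categories in the quoted O'Reilly breakdown map onto checks an MTA applies at successive points of an SMTP session. The following is an added example, not O'Reilly's configuration or anything from the post, that applies a subset of those checks (block list, HELO syntax, HELO masquerading as our own server, open-relay attempt, recipient verification, content score) in session order to a constructed set of delivery attempts and tallies the outcomes the same way the report does. The hostnames, local users, the static block-list network standing in for a DNS-based list, and the sample sessions are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed site configuration (example values, not any real server)
OUR_HOSTNAMES = {"mail.example.com", "example.com"}  # names our own MTA announces
LOCAL_DOMAINS = {"example.com"}                      # domains we accept mail for
LOCAL_USERS = {"alice", "bob", "postmaster"}         # mailboxes that exist
# Constructed stand-in for a DNS block list (SORBS/Spamhaus in the quoted report);
# a real deployment queries the list over DNS instead of a static set.
BLOCKLISTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# HELO/EHLO argument: a fully qualified hostname (as most MTAs insist on) or an
# IPv4 address literal such as [192.0.2.1]. Single labels like "friend" fail.
HELO_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9-]+$|^\[[0-9.]+\]$"
)


def classify(attempt):
    """Return the first policy reason to reject one delivery attempt, or 'accepted'.

    Checks run in the order an MTA sees the data: connecting IP, HELO,
    RCPT TO, then message content. The first failing check wins, which is
    why a block-listed host never reaches the cheaper-to-fake later stages."""
    ip = ipaddress.ip_address(attempt["ip"])
    if any(ip in net for net in BLOCKLISTED_NETS):
        return "rejected by block list"
    helo = attempt["helo"]
    if not HELO_RE.match(helo):
        return "bad HELO syntax"
    if helo.lower() in OUR_HOSTNAMES:
        return "masquerades as our mail server"
    local, _, domain = attempt["rcpt"].lower().rpartition("@")
    if domain not in LOCAL_DOMAINS:
        return "attempted to relay"          # we are not an open relay
    if local not in LOCAL_USERS:
        return "recipient verify failed"     # dictionary attack / stale list
    if attempt.get("spam_score", 0) >= 10:
        return "spam rejected"               # content filter threshold
    return "accepted"


def tally(attempts):
    """Count outcomes; return (counter, accepted, rejected)."""
    counts = Counter(classify(a) for a in attempts)
    accepted = counts["accepted"]
    return counts, accepted, sum(counts.values()) - accepted


# Constructed sample sessions (documentation-range IPs, not real traffic)
SAMPLE_ATTEMPTS = [
    {"ip": "198.51.100.7", "helo": "smtp.partner.test", "rcpt": "alice@example.com", "spam_score": 1},
    {"ip": "198.51.100.8", "helo": "friend", "rcpt": "bob@example.com"},
    {"ip": "198.51.100.9", "helo": "mail.example.com", "rcpt": "bob@example.com"},
    {"ip": "203.0.113.45", "helo": "relay.spammer.test", "rcpt": "alice@example.com"},
    {"ip": "198.51.100.10", "helo": "mx.other.test", "rcpt": "zzz@example.com"},
    {"ip": "198.51.100.11", "helo": "mx.other.test", "rcpt": "someone@elsewhere.test"},
    {"ip": "198.51.100.12", "helo": "mx.other.test", "rcpt": "postmaster@example.com", "spam_score": 14},
    {"ip": "198.51.100.13", "helo": "[198.51.100.13]", "rcpt": "alice@example.com", "spam_score": 0},
]

if __name__ == "__main__":
    counts, accepted, rejected = tally(SAMPLE_ATTEMPTS)
    for reason, n in counts.most_common():
        print(f"{reason}: {n}")
    print(f"accepted {accepted}, rejected {rejected}")
```

The ordering is the point: the cheap, envelope-level checks (block list, HELO, recipient existence) reject most junk before any message body is read or scored, which is exactly why the report's content-filter count is small next to the HELO and block-list counts even though the filter is the most expensive stage.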

Browse through Spamlinks.net for anything anti-spam related, quite an amazing resource.

An Over-performing Spammer

June 08, 2006
Th3 4r7 0f $3nd!ng spam messages is evolving like never before, and while spammers are still catching up with the newest technologies such as VoIP, WiFi, and cell phones -- newest at least in respect to spamming -- trying to avoid the now mature industry's practices, and taking advantage of the growing economies and their newbie users as victims, is what keeps it going.

I simply couldn't resist sharing this; it seems like this spammer is totally over-performing. How would I fall victim to this, given I cannot read what I'm about to get scammed with?

Spammers today are in a world of pain when it comes to the industry's experience in detecting their messages; still, spam continues to represent the majority of email traffic worldwide, and it's getting more creative. Images, "marketing" messages you can barely read, old psychological tricks -- but still, out of a couple of million messages, someone takes it personally and feels like making a deal online.

Why does spamming work? Because of the ubiquity of email, because of the freely available email lists marketed as fresh, and, at the bottom line, because the price for a spammer to send a couple of million emails keeps getting lower as botnets on demand become a commodity. End users end up sending spam to themselves after being infected with malware. What's next? Spamming is still catching up with the technological possibilities, and Chinese telecom operators for instance happen to be the most experienced in filtering mobile phone spam -- guess they're also over-performing in between censorship.

Fighting Internet's email junk through licensing

April 14, 2006
Just came across this story at Slashdot, interesting approach:



"China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII)."



While the commitment is a remarkable event given China's booming Internet population -- among the main reasons Google had to somehow enter China's search market and take market share from Baidu.com -- you don't need a mail server to disseminate spam and phishing attacks like you used to in the old days. You need botnets; going through CME's List, you will see how the majority of today's malware comes loaded with a built-in SMTP engine, even offline/in-transit/web email harvesting modules.



You can often find China on the top of every recently released spam/phishing/botnet trends summary, which doesn't mean Chinese Internet users are insecure -- just unaware. What you can do is educate the masses to secure the entire population, and stimulate the growth of the local security market that everyone is so desperately trying to tap into.


Moreover, I doubt you can regulate the type of Internet users still trying to freely access information, again with the wrong attitude in respect to security:



"..prohibiting use of email to discuss certain vaguely defined subjects related to 'network security' and 'information security', and also reiterate that emails which contain content contrary to existing laws must not be copied or forwarded. Wide-ranging laws of this nature have been used against political and religious dissenters in the past."



It's like legally justifying the country's censorship practices by introducing the law, whereas I feel "network security" and "information security" attacks outside the homeland get favored compared to internal ones, don't you?



Forbidden fruits turn into dangerous desires on the majority of occasions, and you just can't control that, let alone censor it.


