Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certificates

November 04, 2013
What is more flattering than Ukrainian blackhat SEO gangs using my name for their redirectors, complete with offensive messages, the Koobface gang redirecting Facebook's IP space to my blog, or a plain and simple danchodanchev admin panel inside a Crime Pack kit?

It's the money mule recruiters who modify the HOSTS file of gullible mules to redirect ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1. Now that's flattering, considering that my public research into the money mule ecosystem represents a tiny percentage of the real profiling and activity taking place behind the curtains.
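The HOSTS file trick above is easy to spot once you know to look: a stock HOSTS file only pins local names to loopback, so any third-party hostname mapped to 127.0.0.1 or ::1 is a tampering indicator. The checker below is an added example, not code from the post; the sample HOSTS content is constructed, and the `watchlist` parameter is this example's own addition for names (researcher sites, AV vendors, banks) that should be reported whatever address they are pinned to.

```python
"""Flag HOSTS entries that pin third-party hostnames to loopback.

Added example (not code from the original post). It parses the text of a
HOSTS file and reports any hostname outside the usual local names that
is mapped to a loopback/unspecified address, which is the sinkholing
trick the post describes. SAMPLE_HOSTS below is constructed.
"""
import ipaddress
import re

# Names that legitimately resolve to loopback in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample: a default-looking file with two injected lines and
# one ordinary (non-loopback) alias that should not be flagged.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   ddanchev.blogspot.com
127.0.0.1\tbobbear.co.uk   # injected by the recruiter's "certificate installer"
10.0.0.5    intranet.example   # hypothetical internal alias, not loopback
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a production tool would log it
        for name in fields[1:]:
            yield ip, name.lower()


def find_sinkholed_names(text, watchlist=()):
    """Return [(hostname, ip)] for names mapped to a loopback/unspecified
    address that are not standard local names, plus any name on `watchlist`
    regardless of the address it is pinned to."""
    watch = {w.lower() for w in watchlist}
    hits = []
    for ip, name in parse_hosts(text):
        blackholed = ip.is_loopback or ip.is_unspecified
        if (blackholed and name not in LOCAL_NAMES) or name in watch:
            hits.append((name, str(ip)))
    return hits


if __name__ == "__main__":
    for name, ip in find_sinkholed_names(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {ip}")
```

On a real host, read `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` into `text`; the parser treats `0.0.0.0` the same as `127.0.0.1`, since both are common blackhole targets.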

Related coverage of money laundering/recruitment in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang

November 04, 2013

The Koobface gang embraced the potential of the "underground multi-tasking" model a long time ago in order to achieve the "malicious economies of scale" effect. This "underground multi-tasking" most commonly takes the form of multiple monetization campaigns which, upon closer analysis, always lead back to the Koobface gang's infrastructure. In fact, the gang is so obsessed with efficiency that the redirectors and key malicious domains of one campaign are simultaneously rotated across all the campaigns it manages.

For instance, throughout the past half a year, a huge percentage of the malicious infrastructure used simultaneously in multiple campaigns was parked on the now shut down Riccom LTD - AS29550. From the massive blackhat SEO campaigns managed by the gang, affecting millions of legitimate web sites, to the malvertising attack at the New York Times web site and the click-fraud facilitating Bahama botnet, the Koobface botnet is only the tip of the iceberg of the efficient and fraudulent money machine that the gang operates.

In this analysis, I'll once again establish a connection between the ongoing blackhat SEO campaigns managed by the gang (Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware; U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), with a spam campaign that's also syndicated across multiple Google Groups, and the Koobface botnet itself, with a particular emphasis on the scareware monetization taking place across all the campaigns.

Related Koobface research and analysis:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang

November 04, 2013
Earlier this week, another malvertising campaign affected a popular community, this time Facebook's FarmTown.

You have to analyze and cross-check it to believe it.

Key summary points:
  • the email test@now.net.cn used to register all the domains involved in the malvertising campaign, is exclusively used by the Koobface gang for numerous scareware registrations seen -

Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities

November 04, 2013

Malware artifacts, abandoned mass iframe embedding/injection campaigns and low Quality Assurance (QA) campaigns keep popping up on everyone's radar, raising eyebrows as to the extent of incompetence, possible evasive tactics, a plain and simple lack of applied QA when maintaining these campaigns, or the end of a campaign's life cycle.

What's the value of assessing such a non-active campaign? Can the analysis provide any clues about related, currently active malicious campaigns which, as is typical for this type of campaign, continue relying on the same malicious infrastructure? But of course.

Let's assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the multi-tasking activities conducted on behalf of the Asprox botnet, as well as several spamvertised malware campaigns circa 2010, and most importantly provide actionable intelligence on currently active campaigns that continue using the very same infrastructure for command and control purposes.

Malicious scripts at China Green Dot Gov Dot CN:
update.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
gdi.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
ver.webserivcekota.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
batch.webserviceaan.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
nemohuildiin.ru/tds/go.php?sid=1 - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
parkperson.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"
nutcountry.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

What's so special about the spamvertised Xerox WorkCentre Pro campaign is that, back in 2010, it used to drop an Asprox sample, naturally phoning back to the well-known Asprox C&Cs of the time.

nemohuildiin.ru is known to have responded to 31.31.204.61 and most recently to 5.63.152.19

Known to have responded to the same IP (31.31.204.61) are also the following malicious domains:
000sstd.com
02143.ru
03111991.ru
0414.ru
0424.ru
050175.ru
054ru.ru
06140.ru
0664346910.ru
0801.ru
08108.ru
087474.ru
08755.ru
0925.ru
0go.ru
1-androds.ru
10000taxi.ru
1001domains.ru
100yss.ru
124k.ru

Moreover, we also have a decent number of malicious MD5s known to have used the same IP as C&C over the last couple of months, indicating that the artifact is still part of the C&C infrastructure of active campaigns.

The following malicious MD5s are also known to have phoned back to the same IP over the last couple of months:
MD5: 3e3d249c43950ac8bedb937f1ea347f5
MD5: 398b5f0c4b8f9adb1db8420801b52562
MD5: 9a1602a2693ae510339ef5f0d25be0b3
MD5: 9bc423773de47d95de1718173ec8485f
MD5: 637db36286b3e300c37e99a0b4772548
MD5: 9829c64613909fbb13fc402f23baff1b
MD5: f23562bafd94f7b836633f1fb7f9e18f
MD5: 7d263c93829447b2399c2e981d66c9df
MD5: 6ee37ead84906711cb2eed6d7f2fcc88
MD5: 54eb099176e7d65817d1b9789845ee4e
MD5: 723618efbd0d3627da09a770e5fd28c2
MD5: 151030c819209af9b7b2ecf2f5c31aa0
MD5: 279d390b9116f0f8ac80321e5fa43453
MD5: f78ff547ce388a403f5ba979025cd556
MD5: afa7090479ac49a3547931fe249c52e3
MD5: a2565684ae4c0af5a99214da83664927
MD5: ce4f032a3e478f4d4cac959b2e999b5a

Known to have responded to 5.63.152.19 are also the following malicious domains:
6tn.ru
azosi.ru
bi-news.ru
buygroup.ru
dnpsirius.ru
enterplus.ru
nemohuildiin.ru
nfs-worlds.ru
rassylka-na-doski.ru
santehnikaoptom.ru
v-odnoklassniki.ru

In a cybercrime ecosystem dominated by leaked DIY mass Web site hacking tools, and sophisticated iframe-ing platforms, malicious artifacts are a great reminder that as long as the Web site remains susceptible to remote exploitation, it's only a matter of time before a potential cybercriminal embeds/injects malicious script on it. That's cybercrime-friendly common sense.
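The pivot performed in this post (artifact script → nemohuildiin.ru → its two C&C IPs → every other domain and sample hash seen on those IPs) is mechanical once the observations are in one index. The script below is an added example and not code from the post: it builds that index from passive-DNS style and sandbox style records and walks outward from a seed indicator. The records are a subset of the indicators listed above, assembled here as a constructed dataset; the `first_seen` values and the `unrelated.example` / `192.0.2.10` noise row are made up.

```python
"""Pivot from one indicator to shared C&C infrastructure.

Added example, not code from the original post. Builds indicator->IP and
IP->indicator indexes from mixed observations and walks from a seed
domain to every IP it resolved to and every other domain or sample hash
seen on those IPs. The rows below are a subset of the post's indicators
assembled as a constructed dataset; first_seen values are made up.
"""
from collections import defaultdict

# (kind, indicator, ip, first_seen)
OBSERVATIONS = [
    ("domain", "nemohuildiin.ru", "31.31.204.61", "2010-06"),
    ("domain", "nemohuildiin.ru", "5.63.152.19", "2013-09"),
    ("domain", "000sstd.com", "31.31.204.61", "2012-01"),
    ("domain", "0go.ru", "31.31.204.61", "2012-03"),
    ("domain", "bi-news.ru", "5.63.152.19", "2013-08"),
    ("domain", "v-odnoklassniki.ru", "5.63.152.19", "2013-10"),
    ("sample", "3e3d249c43950ac8bedb937f1ea347f5", "31.31.204.61", "2013-09"),
    ("sample", "398b5f0c4b8f9adb1db8420801b52562", "31.31.204.61", "2013-10"),
    ("domain", "unrelated.example", "192.0.2.10", "2013-01"),  # constructed noise
]


def build_index(observations):
    """Return (by_indicator, by_ip): indicator -> {ip}, ip -> {(kind, indicator)}."""
    by_indicator = defaultdict(set)
    by_ip = defaultdict(set)
    for kind, indicator, ip, _first_seen in observations:
        by_indicator[indicator].add(ip)
        by_ip[ip].add((kind, indicator))
    return by_indicator, by_ip


def pivot(observations, seed, max_depth=1):
    """Breadth-first walk: seed -> its IPs -> everything else on those IPs.
    Returns {ip: {"domains": [...], "samples": [...]}} (lists sorted).
    With max_depth > 1 the walk continues from each newly found domain,
    which is how one pivot turns into a map of a whole hosting cluster."""
    by_indicator, by_ip = build_index(observations)
    frontier, seen, result = {seed}, {seed}, {}
    for _ in range(max_depth):
        next_frontier = set()
        for ind in frontier:
            for ip in by_indicator.get(ind, ()):
                bucket = result.setdefault(ip, {"domains": set(), "samples": set()})
                for kind, other in by_ip[ip]:
                    if other == seed:
                        continue
                    bucket["domains" if kind == "domain" else "samples"].add(other)
                    if kind == "domain" and other not in seen:
                        seen.add(other)
                        next_frontier.add(other)
        frontier = next_frontier
    return {ip: {k: sorted(v) for k, v in b.items()} for ip, b in result.items()}


def most_shared_ips(observations, min_indicators=2):
    """IPs carrying at least `min_indicators` distinct indicators, busiest
    first: a cheap way to surface infrastructure reused across campaigns."""
    _, by_ip = build_index(observations)
    ranked = [(ip, len(v)) for ip, v in by_ip.items() if len(v) >= min_indicators]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, bucket in sorted(pivot(OBSERVATIONS, "nemohuildiin.ru").items()):
        print(ip, bucket)
    print(most_shared_ips(OBSERVATIONS))
```

Feeding the full domain and MD5 lists from the post into `OBSERVATIONS` reproduces the post's conclusion in one call: 31.31.204.61 comes out on top of `most_shared_ips`, which is exactly the "artifact is still part of active C&C infrastructure" argument made above.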

Summarizing Webroot's Threat Blog Posts for October

November 01, 2013

The following is a brief summary of all of my posts at Webroot's Threat Blog for October, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform
02. Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part two
03. ‘T-Mobile MMS message has arrived’ themed emails lead to malware
04. DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities
05. Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild
06. New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild
07. Cybercriminals offer spam-friendly SMTP servers for rent – part two
08. Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity
09. Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams
10. Compromised Turkish Government Web site leads to malware
11. Novice cybercriminals offer commercial access to five mini botnets
12. Spamvertised T-Mobile ‘Picture ID Type:MMS’ themed emails lead to malware
13. Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild
14. Malicious ‘FW: File’ themed emails lead to malware
15. Mass iframe injection campaign leads to Adobe Flash exploits
16. Rogue ads lead to the ‘Mipony Download Accelerator/FunMoods Toolbar’ PUA (Potentially Unwanted Application)
17. A peek inside the administration panel of a standardized E-shop for compromised accounts
18. U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails
19. New DIY compromised hosts/proxies syndicating tool spotted in the wild
20. Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)
21. Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware
22. Fake ‘Important: Company Reports’ themed emails lead to malware
23. Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot
24. Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to malware

Summarizing Webroot's Threat Blog Posts for September

October 02, 2013

The following is a brief summary of all of my posts at Webroot's Threat Blog for September, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild
02. Scammers pop up in Android’s Calendar App
03. Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild
04. Managed Malicious Java Applets Hosting Service Spotted in the Wild
05. Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps
06. 419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis themed scams
07. Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request
08. Yet another ‘malware-infected hosts as anonymization stepping stones’ service offering access to hundreds of compromised hosts spotted in the wild
09. Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based DIY DoS tool
10. Cybercriminals sell access to tens of thousands of malware-infected Russian hosts
11. Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware
12. Cybercriminals experiment with Android compatible, Python-based SQL injecting releases
13. Newly launched E-shop offers access to hundreds of thousands of compromised accounts
14. DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008
15. Yet another subscription-based stealth Bitcoin mining tool spotted in the wild

Fake Pinterest 'Don't forget to confirm your email!' Themed Emails Serve Client-side Exploits and Malware

October 01, 2013
Cybercriminals have just launched yet another massive spam campaign, this time attempting to trick Pinterest users into thinking that they've received an email confirmation request. In reality though, once users click on the links found in the malicious emails, they're automatically exposed to client-side exploits, with the campaign dropping two malware samples on the affected hosts once a successful client-side exploitation takes place.

Let's dissect the campaign, expose the malicious portfolio of domains involved in it, provide MD5s of the served malware as well as a sample exploit, and provide actionable (historical) intelligence regarding related malicious activities that have been taking place using the same infrastructure that's involved in the Pinterest campaign.

Spamvertised malicious URL: 
boxenteam.com/hathaway/index.html?emailmpss/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:
theodoxos.gr/hairstyles/defiling.js
web29.webbox11.server-home.org/volleyballs/cloture.js
knopflos-combo.de/subdued/opposition.js


Sample client-side exploits serving URL:
pizzapluswindsor.ca/topic/latest-blog-news.php

Malicious domain name reconnaissance:
pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145

Responding to the same IP (50.116.6.57) are also the following malicious domains, part of the campaign's infrastructure:
pizzapluswindsor.ca
plainidea.com
procreature.com
poindextersonpatrol.com
pixieglitztutus.com

Known to have responded to the second IP (174.140.169.145) are also the following malicious domains:
lesperancerenovations.com
louievozza.com
louvozza.com
lv-contracting.com
lvconcordecontracting.com
mcbelectrical.ca
oliviagurun.com
onecable.ca
onlyidea.com
originalpizzaplus.ca
originalpizzaplus.com
papak.ca
pccreature.com
pixieglitztutus.com
pizzapluswindsor.ca
saltlakecityutahcommercialrealestate.com

The following malicious MD5s are known to have phoned back to the same IP on the 22nd of September, 2013:
MD5: 5d14ee5800fc3c73e4d40567044c4149
MD5: bdc2ac48921914f25d1a3a164266cebc
MD5: a0b2ba75ba7ad7ad5a5b87a966fddb07
MD5: 31c3eae608247c2901d64643d5626b1f
MD5: 3cff9bba085254f2a524207a1388b015
MD5: b59743a3b128c9676548510627db4ac5
MD5: 53004bb63d32792c9bc1b8b26db0f197
MD5: 94e7cf26589baac1d47d6834e6375a62
MD5: 38461b4537fb269b2142e7fbac16375b
MD5: 041e9ccce8809371b07f0ac1c4d02b33
MD5: 868cf2c7af8863aebbaeb42c1b404b36
MD5: 7ec71f392dfc98336808ca6e31f25969
MD5: 6792b758ea961f58ad5b2f1eb96a648a
MD5: 33550cef428cad48ba776ea109fe1936
MD5: af84138bc55192ce722582def2f05200
MD5: 170524f3457d1fa681cc5dafbcc86199
MD5: e3af059e42b82b8658f3d05043a5a213
MD5: 4724783ae2c928b40dd2c0ac6d85cbc4
MD5: 9b8d87230ee7f553e8a9011a37ca699e
MD5: e4d63169ddac5e34fe000dc21c88682f
MD5: 5f777af07c79369310dff97d04c026cd
MD5: 200badc2e35ce57f1e511aea7322e207
MD5: 93fe170f26d99aea52b30b74afdf96bc
MD5: d06a0cc046e99496ada5591d9f457fc1
MD5: 6f857be5377a7543858aacefea6f1a30
MD5: 92ed463b3c38f2c951c3acd78e7a2df3
MD5: 8f01cd5ddd6e599e79ddcefbff9c0891

Detection rate for a sample served exploit from the Pinterest themed campaign: 
MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

Upon successful client-side exploitation, the campaign drops two malware samples on the affected hosts.

Detection rate for the first dropped sample: 
MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic

Once executed, it phones back to the following C&C:
78.140.131.151/uploading/id=REDACTED&u=PSEUDO_RANDOM_CHARACTERS

The following malicious MD5s are also known to have phoned back to the following C&C IP (78.140.131.151) in the past:
MD5: ca783e0964e7dcb91fcc2a2ff4b8058f
MD5: d02b0e60f94d718fca19893f13dbd93e
MD5: 3618032d05c12e6d25aa4b7bc9086e06
MD5: 20777b8e6362f8775060fc4fdb191978
MD5: 5a1fb639f5dd97b62b5cf79c84d479f6
MD5: 30f8d972566930c103f9edb7f9bd699e
MD5: 7011abeefd5c9e7c21e3cbe28cc5e71a
MD5: bbb57f1a5004b6adc016c0c9e92add19
MD5: cca6b7fae6678c4b17f21b2ed4580404
MD5: 0decc3f58519c587949dff871fccba5e
MD5: 1b18f9138adbd6b4bf7125c7e6a97aae
MD5: 1e4451c19f07ef6bde87ffbcecc5afb3
MD5: e92297e402fcd03f06c94fe52985a3e9
MD5: 818e329757630bccc9536151f533fad2
MD5: 79e8677f857531118e61fa9238287acb
MD5: de8ef966e7e5251b642540e715d673a6
MD5: 9be83dc4b829ffba26029b173b36237d
MD5: c9b3f7888faa393ee14815494a311684
MD5: d90058b75b8730f9d6bf94a845b3dfda
MD5: e14b4290eec92ce6cd3e0349c17bc062
MD5: 6d5f5419f6a116f4283ae58516ff90a1
MD5: d0587b6e83a70798077e2938af66c50c
MD5: 12449febf7efed7bceade5720c8f635d
MD5: 992fc7370b39553ebcb3c03c23c15517
MD5: 1c198a6b80b1dcf280db30133c26d479
MD5: 7bb85f458b6b8a0bc98d47447b44c5b6
MD5: 1a3679c0c7c42781d9ee5b6987efa726
MD5: 7d21915fc425b3545c8e156116f91e00

Detection rate for the second dropped sample:
MD5: 83bbe52c8584a5dab07a11ecc5aaf090 - detected by 3 out of 48 antivirus scanners as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV

Once executed, it starts listening on ports 7867 and 1653.

The sample then creates the following Mutexes on the affected hosts:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{EFF344E9-7488-141E-11EB-B06D3016937F}
Global\{EFF344E9-7488-141E-75EA-B06D5417937F}
Global\{EFF344E9-7488-141E-4DE9-B06D6C14937F}
Global\{EFF344E9-7488-141E-65E9-B06D4414937F}
Global\{EFF344E9-7488-141E-89E9-B06DA814937F}
Global\{EFF344E9-7488-141E-BDE9-B06D9C14937F}
Global\{EFF344E9-7488-141E-51E8-B06D7015937F}
Global\{EFF344E9-7488-141E-81E8-B06DA015937F}
Global\{EFF344E9-7488-141E-FDE8-B06DDC15937F}
Global\{EFF344E9-7488-141E-0DEF-B06D2C12937F}
Global\{EFF344E9-7488-141E-5DEF-B06D7C12937F}
Global\{EFF344E9-7488-141E-95EE-B06DB413937F}
Global\{EFF344E9-7488-141E-F1EE-B06DD013937F}
Global\{EFF344E9-7488-141E-89EB-B06DA816937F}
Global\{EFF344E9-7488-141E-F9EF-B06DD812937F}
Global\{EFF344E9-7488-141E-E5EF-B06DC412937F}
Global\{EFF344E9-7488-141E-0DEE-B06D2C13937F}
Global\{EFF344E9-7488-141E-09ED-B06D2810937F}
Global\{EFF344E9-7488-141E-51EF-B06D7012937F}
Global\{EFF344E9-7488-141E-35EC-B06D1411937F}
Global\{EFF344E9-7488-141E-55EF-B06D7412937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex
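Exact-match rules on each of the mutex names above are brittle: most of the Global\{...} names share the GUID stem EFF344E9-7488-141E and differ only in the last two groups, so a rebuilt sample would slip past a list of literal strings. The script below is an added example, not code from the post; it turns a mutex list into one prefix rule per shared stem plus exact rules for the rest, and checks a sandbox report against them. The mutex names are taken from the post, the sandbox report is constructed, and the two generic MPSWab* names are excluded as known-benign since they are also created by legitimate Windows components (an assumption of this example, based on their names, not a claim made in the post).

```python
"""Generalise a sandbox mutex list into a host-based signature.

Added example, not code from the original post. Mutexes that share the
scope and first three GUID groups are collapsed into one regex; the
rest become exact rules. POST_MUTEXES are names from the post,
SANDBOX_REPORT is constructed.
"""
import re
from collections import Counter

POST_MUTEXES = [
    r"Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
    r"Global\{EFF344E9-7488-141E-11EB-B06D3016937F}",
    r"Global\{EFF344E9-7488-141E-75EA-B06D5417937F}",
    r"Global\{EFF344E9-7488-141E-4DE9-B06D6C14937F}",
    r"Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}",
    "MPSWabDataAccessMutex",  # assumed benign here: generic Windows component name
]

# Constructed report from a hypothetical sandbox run of a later build.
SANDBOX_REPORT = [
    r"Global\{EFF344E9-7488-141E-0DEE-B06D2C13937F}",  # appears in the post's list
    r"Global\{EFF344E9-7488-141E-ABCD-000000000000}",  # constructed: new variant, same stem
    r"Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",   # appears in the post's list
    "MPSWabDataAccessMutex",                            # excluded as benign
    r"Global\{11111111-2222-3333-4444-555555555555}",  # constructed: unrelated
]

GUID_RE = re.compile(
    r"^(Local|Global)\\\{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}$",
    re.I)


def build_rules(mutexes, min_members=3, ignore=()):
    """Return (stem_rules, exact_rules). A (scope, stem) seen on at least
    `min_members` names becomes one compiled regex; every other name that
    is not in `ignore` becomes an exact-match rule."""
    stems, parsed = Counter(), {}
    for m in mutexes:
        if m in ignore:
            continue
        hit = GUID_RE.match(m)
        if hit:
            parsed[m] = (hit.group(1), hit.group(2).upper())
            stems[parsed[m]] += 1
    stem_rules = {
        re.compile(r"^%s\\\{%s-[0-9A-F]{4}-[0-9A-F]{12}\}$" % (scope, re.escape(stem)), re.I)
        for (scope, stem), n in stems.items() if n >= min_members
    }
    exact_rules = {m for m in mutexes
                   if m not in ignore and stems.get(parsed.get(m), 0) < min_members}
    return stem_rules, exact_rules


def match_report(observed, stem_rules, exact_rules):
    """Return [(mutex, rule)] for every observed name that hits a rule."""
    findings = []
    for name in observed:
        if name in exact_rules:
            findings.append((name, "exact"))
            continue
        for rule in stem_rules:
            if rule.match(name):
                findings.append((name, "stem:" + rule.pattern))
                break
    return findings


if __name__ == "__main__":
    stems, exacts = build_rules(POST_MUTEXES, ignore=("MPSWabDataAccessMutex",))
    for name, rule in match_report(SANDBOX_REPORT, stems, exacts):
        print(f"{rule:60} {name}")
```

The `min_members` threshold is what keeps the signature honest: a stem seen once is just a GUID and stays an exact rule, while a stem seen on many names is evidence of a generator and earns a wildcard on the varying groups.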

Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and MD5: 83bbe52c8584a5dab07a11ecc5aaf090 on the affected hosts.

It then phones back to the following C&C (command and control servers):
99.157.164.179
174.76.94.24
99.60.68.114
217.35.75.232
184.145.205.63
99.60.111.51
207.47.212.146
108.240.232.212
107.193.222.108

We've already seen (some of) these C&C IPs in the following profiled malicious campaign "Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware".

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Fake Pinterest 'Don't forget to confirm your email!' Themed Emails Serve Client-side Exploits and Malware

October 01, 2013

Cybercriminals have just launched yet another massive spam campaign, this time attempting to trick Pinterest users into thinking that they've received an email confirmation request. In reality though, once users click on the links found in the malicious emails, they're automatically exposed to client-side exploits, with the campaign dropping two malware samples on the affected hosts once a successful client-side exploitation takes place.

Let's dissect the campaign, expose the malicious portfolio of domains involved in it, provide MD5s of the served malware as well as a sample exploit, and provide actionable (historical) intelligence regarding related malicious activities that have been taking place using same infrastructure that's involved in the Pinterest campaign.

Spamvertised malicious URL: 
boxenteam.com/hathaway/index.html?emailmpss/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:
theodoxos.gr/hairstyles/defiling.js
web29.webbox11.server-home.org/volleyballs/cloture.js
knopflos-combo.de/subdued/opposition.js


Sample client-side exploits serving URL:
pizzapluswindsor.ca/topic/latest-blog-news.php

Malicious domain name reconnaissance:
pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145

Responding to the same IP (50.116.6.57) are also the following malicious domains part of the campaing's infrastructure:
pizzapluswindsor.ca
plainidea.com
procreature.com
poindextersonpatrol.com
pixieglitztutus.com

Known to have responded to the second IP (174.140.169.145) are also the following malicious domains:
lesperancerenovations.com
louievozza.com
louvozza.com
lv-contracting.com
lvconcordecontracting.com
mcbelectrical.ca
oliviagurun.com
onecable.ca
onlyidea.com
originalpizzaplus.ca
originalpizzaplus.com
papak.ca
pccreature.com
pixieglitztutus.com
pizzapluswindsor.ca
saltlakecityutahcommercialrealestate.com

The following malicious MD5s are known to have phoned back to the same IP on the 22nd of September, 2013:
MD5: 5d14ee5800fc3c73e4d40567044c4149
MD5: bdc2ac48921914f25d1a3a164266cebc
MD5: a0b2ba75ba7ad7ad5a5b87a966fddb07
MD5: 31c3eae608247c2901d64643d5626b1f
MD5: 3cff9bba085254f2a524207a1388b015
MD5: b59743a3b128c9676548510627db4ac5
MD5: 53004bb63d32792c9bc1b8b26db0f197
MD5: b59743a3b128c9676548510627db4ac5
MD5: 53004bb63d32792c9bc1b8b26db0f197
MD5: 94e7cf26589baac1d47d6834e6375a62
MD5: 38461b4537fb269b2142e7fbac16375b
MD5: 041e9ccce8809371b07f0ac1c4d02b33
MD5: 868cf2c7af8863aebbaeb42c1b404b36
MD5: 7ec71f392dfc98336808ca6e31f25969
MD5: 6792b758ea961f58ad5b2f1eb96a648a
MD5: 33550cef428cad48ba776ea109fe1936
MD5: af84138bc55192ce722582def2f05200
MD5: 170524f3457d1fa681cc5dafbcc86199
MD5: e3af059e42b82b8658f3d05043a5a213
MD5: 4724783ae2c928b40dd2c0ac6d85cbc4
MD5: 9b8d87230ee7f553e8a9011a37ca699e
MD5: e4d63169ddac5e34fe000dc21c88682f
MD5: 5f777af07c79369310dff97d04c026cd
MD5: 200badc2e35ce57f1e511aea7322e207
MD5: 93fe170f26d99aea52b30b74afdf96bc
MD5: d06a0cc046e99496ada5591d9f457fc1
MD5: 6f857be5377a7543858aacefea6f1a30
MD5: 92ed463b3c38f2c951c3acd78e7a2df3
MD5: 8f01cd5ddd6e599e79ddcefbff9c0891

Detection rate for a sample served exploit from the Pinterest themed campaign: 
MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

Upon successful client-side exploitation, the campaign drops two malware samples on the affected hosts.

Detection rate for the first dropped sample: 
MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic

Once executed, it phones back to the following C&C:
78.140.131.151/uploading/id=REDACTED&u=PSEUDO_RANDOM_CHARACTERS

The following malicious MD5s are also known to have phoned back to the following C&C IP (78.140.131.151) in the past:
MD5: ca783e0964e7dcb91fcc2a2ff4b8058f
MD5: d02b0e60f94d718fca19893f13dbd93e
MD5: 3618032d05c12e6d25aa4b7bc9086e06
MD5: 20777b8e6362f8775060fc4fdb191978
MD5: 5a1fb639f5dd97b62b5cf79c84d479f6
MD5: 30f8d972566930c103f9edb7f9bd699e
MD5: 7011abeefd5c9e7c21e3cbe28cc5e71a
MD5: bbb57f1a5004b6adc016c0c9e92add19
MD5: cca6b7fae6678c4b17f21b2ed4580404
MD5: 0decc3f58519c587949dff871fccba5e
MD5: 1b18f9138adbd6b4bf7125c7e6a97aae
MD5: 1e4451c19f07ef6bde87ffbcecc5afb3
MD5: e92297e402fcd03f06c94fe52985a3e9
MD5: 818e329757630bccc9536151f533fad2
MD5: 79e8677f857531118e61fa9238287acb
MD5: de8ef966e7e5251b642540e715d673a6
MD5: 9be83dc4b829ffba26029b173b36237d
MD5: c9b3f7888faa393ee14815494a311684
MD5: d90058b75b8730f9d6bf94a845b3dfda
MD5: e14b4290eec92ce6cd3e0349c17bc062
MD5: 6d5f5419f6a116f4283ae58516ff90a1
MD5: d0587b6e83a70798077e2938af66c50c
MD5: 12449febf7efed7bceade5720c8f635d
MD5: 992fc7370b39553ebcb3c03c23c15517
MD5: 1c198a6b80b1dcf280db30133c26d479
MD5: 7bb85f458b6b8a0bc98d47447b44c5b6
MD5: 1a3679c0c7c42781d9ee5b6987efa726
MD5: 7d21915fc425b3545c8e156116f91e00

Detection rate for the second dropped sample:
MD5: 83bbe52c8584a5dab07a11ecc5aaf090 - detected by 3 out of 48 antivirus scanners as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV

Once executed it starts listening on ports 7867 and 1653.

The sample then creates the following Mutexes on the affected hosts:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{EFF344E9-7488-141E-11EB-B06D3016937F}
Global\{EFF344E9-7488-141E-75EA-B06D5417937F}
Global\{EFF344E9-7488-141E-4DE9-B06D6C14937F}
Global\{EFF344E9-7488-141E-65E9-B06D4414937F}
Global\{EFF344E9-7488-141E-89E9-B06DA814937F}
Global\{EFF344E9-7488-141E-BDE9-B06D9C14937F}
Global\{EFF344E9-7488-141E-51E8-B06D7015937F}
Global\{EFF344E9-7488-141E-81E8-B06DA015937F}
Global\{EFF344E9-7488-141E-FDE8-B06DDC15937F}
Global\{EFF344E9-7488-141E-0DEF-B06D2C12937F}
Global\{EFF344E9-7488-141E-5DEF-B06D7C12937F}
Global\{EFF344E9-7488-141E-95EE-B06DB413937F}
Global\{EFF344E9-7488-141E-F1EE-B06DD013937F}
Global\{EFF344E9-7488-141E-89EB-B06DA816937F}
Global\{EFF344E9-7488-141E-F9EF-B06DD812937F}
Global\{EFF344E9-7488-141E-E5EF-B06DC412937F}
Global\{EFF344E9-7488-141E-0DEE-B06D2C13937F}
Global\{EFF344E9-7488-141E-09ED-B06D2810937F}
Global\{EFF344E9-7488-141E-51EF-B06D7012937F}
Global\{EFF344E9-7488-141E-35EC-B06D1411937F}
Global\{EFF344E9-7488-141E-55EF-B06D7412937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex

Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and MD5: 83bbe52c8584a5dab07a11ecc5aaf090 on the affected hosts.

It then phones back to the following C&C (command and control servers):

We've already seen (some of) these C&C IPs in the following profiled malicious campaign "Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware".

Updates will be posted as soon as new developments take place.

Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware

September 28, 2013

A currently circulating malicious 'Facebook notifications' themed spam campaign attempts to trick Facebook's users into thinking that they've received a notifications digest for the activity that (presumably) took place while they were logged out of Facebook. In reality, once users click on any of the links found in the malicious email, they're automatically exposed to client-side exploits that ultimately drop malware on their hosts.

Let's dissect the campaign, provide actionable intelligence on the campaign's structure, the involved portfolio of malicious domains, actual/related MD5s, and as always, connect the currently ongoing campaign with two other previously profiled malicious campaigns.

Spamvertised URL:
hxxp://user4634.vs.easily.co.uk/darkened/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:
hxxp://3dbrandscapes.com/starker/manipulator.js
hxxp://distrigold.eu/compounding/melisa.js
hxxp://ly-ra.com/shallot/mandalay.js

Client-side exploits serving URL:
hxxp://directgrid.org/topic/lairtg-nilles-slliks.php

Malicious domain name reconnaissance:
directgrid.org - 50.116.10.71 - Email: ringfields@islandresearch.net

Also responding to the same IP (50.116.10.71) are the following malicious domains participating in the campaign:

The following malicious MD5s, belonging to related campaigns, are known to have been downloaded from the same IP (50.116.10.71):
MD5: 7eb6740ed6935da49614d95a43146dea
MD5: 7768f7039988236165cdd5879934cc5d

The following malicious MD5s are known to have 'phoned back' to the same IP (50.116.10.71) over the past 24 hours:

Sample detection rate for the client-side exploits serving malicious script:
MD5: 00f5d150ff1b50c0bbc1d038eb676c29 - detected by 2 out of 48 antivirus scanners as Script.Exploit.Kit.C; Troj/ObfJS-EO


Sample detection rate for the served exploit:
MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.Generic; HEUR_JAVA.EXEC; TROJ_GEN.F47V0927

Upon successful client-side exploitation the campaign drops the following malicious sample on the affected hosts:
MD5: 6ef9476e6227ef631b231b66d7a2a08b - detected by 7 out of 48 antivirus scanners as Win32/Spy.Zbot.AAU; Trojan-Spy.Win32.Zbot.qckm; TROJ_GEN.F47V0927

Once executed, the sample starts listening on ports 3185 and 7101.

It also creates the following Mutexes on the system:


It also creates the following Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Waosumag

And changes the following Registry Values:

[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Keby = "%AppData%\Ortuet\keby.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Waosumag] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA C6 28 2E DF 4D 12 21; 2icbbj3a = 0xC3E6CD13; 185cafc2 = CB D5 E6 C3 F6 D8 CD C6 05 2E EF 4D


It then phones back to the following C&C (command and control) servers:


We've already seen the same IPs (217.35.75.232; 108.240.232.212) in the following previously profiled malicious campaign - Spamvertised "FDIC: Your business account" themed emails serve client-side exploits and malware.

We've also seen 107.193.222.108 in the following malicious campaign - Spamvertised 'Export License/Invoice Copy' themed emails lead to malware - indicating that all of these campaigns are controlled using the same malicious botnet infrastructure.

The following malicious MD5s are also known to have phoned back to the same C&C servers used in this campaign, over the past 24 hours:


Dissecting FireEye's Career Web Site Compromise

September 18, 2013

Remember when, back in 2010, I established a direct connection between several mass WordPress blog compromise campaigns and the campaign behind the compromised Web site of the U.S. Treasury, prompting the cybercriminal(s) behind it to redirect all the campaign traffic to my Blogger profile?

It appears that the cybercriminal/gang of cybercriminals behind these mass Web site compromise campaigns is/are not just still in business, but has also -- Long Tail of the malicious Web -- managed to infect FireEye's (external network) Careers Web Site.

Let's dissect the campaign, expose the malicious domains portfolio behind it, provide MD5s for a sample exploit, the dropped malware, and connect it to related malicious campaigns, all of which continue to share the same malicious infrastructure.

Sample redirection chain:
hxxp://vjs.zencdn.net/c/video.js ->
hxxp://cdn.adsbarscipt.com/links/jump/ (198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44) (IE) ->
hxxp://cdn.adsbarscipt.com/links/flash/?updnew (CHROME) ->
hxxp://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php

Detection rate for a sample malicious script found on the client-side exploits serving site:
MD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 1 out of 49 antivirus scanners as Trojan.Script.Heuristic-js.iacgm

Sample detection rate for the served client-side exploit:
MD5: 71c92ebc2a889d3541ff6f20b4740868 - detected by 4 out of 49 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen; HEUR_JAVA.EXEC

Detection rate for a sample dropped malware:
MD5: 4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out of 49 antivirus scanners as Trojan-PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C

The following malicious MD5s are known to have been downloaded from the same IPs (cdn.adsbarscipt.com: 198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44):
MD5: 82e1013106736b74255586169a217d66
MD5: 01771c3500a5b1543f4fb43945337c7d
MD5: dbf6f5373f56f67e843af30fded5c7f2

Additionally, the campaign is also known to have dropped MD5: 01771c3500a5b1543f4fb43945337c7d.

Once executed, the most recently dropped sample (MD5: 4bfb3379a2814f5eb67345d43bce3091) phones back to the following C&C servers:
main-firewalls.com (67.228.177.174; 74.204.171.69; 85.195.104.90) - Email: alex1978a@bigmir.net
simple-cdn-node.com (109.120.143.109) - Email: alex1978a@bigmir.net
akamai.com/gate.php

Deja vu! We've already seen alex1978a@bigmir.net in Network Solutions' (2010) mass WordPress blog compromise, a campaign which is also directly connected with the compromise of the Web site of the U.S. Treasury.

The sample also attempts to download the following additional malware variants:
main-firewalls.com/6.exe
main-firewalls.com/1.exe

simple-cdn-node.com/1.exe - MD5: 05d003a374a29c9c2bbc250dd5c56d7c

Responding to 67.228.177.174 are also the following malicious domains:


The following malicious MD5s are also known to have phoned back to the same IP (67.228.177.174) in the past:

Responding to 85.195.104.90 are also the following malicious domains:


The following malicious MD5s are also known to have phoned back to the same IP (85.195.104.90) in the past:

This kind of factual attribution, based on gathered historical OSINT, isn't surprising: despite the increasing number of novice cybercriminals joining the ecosystem, the "usual suspects" continue operating for the sake of achieving their fraudulent and malicious objectives.
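The attribution done by hand in both posts above (the Facebook campaign linked to the FDIC and Export License campaigns through shared C&C IPs, the FireEye compromise linked to the 2010 Network Solutions campaign through the registrant e-mail alex1978a@bigmir.net) is an infrastructure-overlap pivot. The following is an added example, not code from the posts or from any tool the author uses: it clusters campaigns that share any indicator with a union-find pass, using only indicator values quoted in the posts plus one clearly labelled constructed campaign. Campaign names are shortened post titles chosen here.

```python
"""Infrastructure-overlap attribution over historical OSINT (added example)."""
from collections import defaultdict

# Indicators taken from the posts above. The FDIC and Export License
# campaigns are only referenced there, so only the overlapping IPs the
# text names are listed for them.
CAMPAIGNS = {
    "facebook_notifications": {
        "ip:217.35.75.232", "ip:108.240.232.212", "ip:107.193.222.108",
        "ip:50.116.10.71", "email:ringfields@islandresearch.net",
    },
    "fdic_business_account": {"ip:217.35.75.232", "ip:108.240.232.212"},
    "export_license_invoice": {"ip:107.193.222.108"},
    "fireeye_careers": {
        "ip:67.228.177.174", "ip:85.195.104.90", "ip:109.120.143.109",
        "email:alex1978a@bigmir.net",
    },
    "netsol_wordpress_2010": {"email:alex1978a@bigmir.net"},
    # CONSTRUCTED: an unrelated campaign using a reserved documentation IP,
    # to show that a campaign sharing nothing stays in its own cluster.
    "unrelated_constructed": {"ip:192.0.2.10", "email:nobody@example.invalid"},
}


def build_index(campaigns):
    """Invert campaign -> indicators into indicator -> campaigns."""
    index = defaultdict(set)
    for name, indicators in campaigns.items():
        for ind in indicators:
            index[ind].add(name)
    return index


def cluster_campaigns(campaigns):
    """Group campaigns into connected components.

    Two campaigns are linked when they share at least one indicator, and
    links are transitive: A shares an IP with B and B shares an e-mail
    with C, so A, B and C end up in one cluster.
    """
    parent = {name: name for name in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    # Every campaign that shares an indicator gets joined to the first one.
    for members in build_index(campaigns).values():
        first, *rest = sorted(members)
        for other in rest:
            union(first, other)

    clusters = defaultdict(set)
    for name in campaigns:
        clusters[find(name)].add(name)
    return sorted((frozenset(c) for c in clusters.values()),
                  key=lambda c: sorted(c))


def shared_indicators(campaigns, a, b):
    """The indicators that justify linking campaign a to campaign b."""
    return sorted(campaigns[a] & campaigns[b])


def pivot(campaigns, indicator):
    """Every campaign in which this indicator has already been seen."""
    return sorted(build_index(campaigns).get(indicator, set()))


if __name__ == "__main__":
    for cluster in cluster_campaigns(CAMPAIGNS):
        print("cluster:", ", ".join(sorted(cluster)))
    print(shared_indicators(CAMPAIGNS, "facebook_notifications",
                            "fdic_business_account"))
    print(pivot(CAMPAIGNS, "email:alex1978a@bigmir.net"))
```

Before running this over real data, drop shared hosting, CDN and sinkhole addresses from the indicator sets, otherwise a single busy IP merges unrelated campaigns into one cluster.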

