Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Friday, December 23, 2016

Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection

In, a, cybercrime, dominated, by, fraudulent, propositions, historical, OSINT, remains, a, crucial, part, in, the, process, of, obtaining, actionable. intelligence, further, expanding, a, fraudulent, infrastructure, for, the, purpose, of, establishing, a, direct, connection, with, the, individuals, behind, it. Largely, relying, on, a, set, of, tactics, techniques, and, procedures, cybercriminals, continue, further, expanding, their, fraudulent, infrastructure, successfully, affecting, hunreds, of, thousands, of, users, globally, further, earning, fraudulent, revenue, in, the, process, of, committing, fraudulent, activity, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

In, this, post, we'll, discuss, a, black, hat, SEO (search engine optimization), campaign, intercepted, in, 2009, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, successfully, establishing, a, direct, connection, with, the, Koobface, gang.

The, Koobface, gang, having, successfully, suffered, a, major, take, down, efforts, thanks, to, active, community, and, ISP (Internet Service Provider), cooperation, has, managed, to, successfully, affect, a, major, proportion, of, major, social, media, Web, sites, including, Facebook, and, Twitter, for, the, purpose, of, further, spreading, the, malicious, software, served, by, the, Koobface, gang, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, fake, security, software, and, the, reliance, on, a, fraudulent, affiliate-network, based, type, of, monetizing, scheme.

Largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, including, social, media, propagation, black, hat, SEO (search engine optimization), and, client-side, exploits, the, Koobface, gang, has, managed, to, successfully, affect, hundreds, of, thousands, of, users, globally, successfully, populating, social, media, networks, such, as, Facebook, and, Twitter, with, rogue, and, bogus, content, for, the, purpose, of, spreading, malicious, software, and, earning, fraudulent, revenue, in, the, process, largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, affiliate-network, based, traffic, monetizing, scheme.

Let's, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, with, the, Koobface, gang, and, the, Koobface, botnet's, infrastructure.

Sample URL, redirection, chain:
hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901; -> http://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> hxxp://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56

Sample, detection, rate, for, a, malicious, executable:MD5: bd7419a376f9526719d4251a5dab9465

Sample, URL, redirection, chain, leading, to, client-side, exploits:
hxxp://loomoom.in/counter.js - 64.20.53.84 - the front page says "We are under DDOS attack. Try later".
hxxp://firefoxfowner.cn/?pid=101s06&sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=101s6&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZT0xMjUxNMkNPAhN

Sample, detection, rate, for, a, malicious, executable:
MD5: a91a1bb995e999f27ffc5d9aa0ac2ba2

Once, executed, a, sample, malware, phones, back, to:
hxxp://systemcoreupdate.com/download/timesroman.tif - 213.136.83.234

Sample, URL, redirection, chain:
hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is also left "We are under DDOS attack. Try later"
hxxp://johnsmith.in/counter.js - 64.20.53.86
hxxp://gamotoe.in/counter.js
hxxp://polofogoma.in/counter.js
hxxp://jajabin.in/counter.js
hxxp://dahaloho.in/counter.js
hxxp://gokreman.in/counter.js
hxxp://freeblogcounter2.com/counter.js
hxxp://lahhangar.in/counter.js
hxxp://galorobap.in/counter.js

Sample, directory, structure, for, the, black, hat, SEO (search engine optimization), campaign:
hxxp://images/include/bmblog
hxxp://bmblog/category/art/
hxxp://images/style/bmblog
hxxp://photos/archive/bmblog/
hxxp://templates/img/bmblog
hxxp://phpsessions/bmblog
hxxp://Index_archivos/img/bmblog/
hxxp://bmblog/category/hahahahahah/
hxxp://gallery/include/bmblog

Sample, malicious, domains, participating, in, the, campaign:
pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com
securitytoolnow.com - Email: ronaldmpappas@dodgit.com
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com
security-utility.net - Email: richardrmccullough@trashymail.com

Historically on the same IP were parked the following, now responding to 91.212.107.37 domains:
online-spyware-remover.biz - Email: robertsimonkroon@gmail.com
online-spyware-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.biz - Email: robertsimonkroon@gmail.com
spyware-online-remover.com - Email: robertsimonkroon@gmail.com
spyware-online-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.net - Email: robertsimonkroon@gmail.com
spyware-online-remover.org - Email: robertsimonkroon@gmail.com
tubepornonline.biz - Email: robertsimonkroon@gmail.com
tubepornonline.org - Email: robertsimonkroon@gmail.com

Sample, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://antyspywarestore.com/index.php?affid=90400
hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcdermott@gmail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 0feffd97ffe3ecc875cfe44b73f5653b
MD5: a0d9d3127509272369f05c94ab2acfc9

Naturally, it gets even more interesting, in particular the fact the very same robertsimonkroon@gmail.com used to register the domains historically parked at the IP that is currently hosting the scareware domains part of the massive blackhat SEO campaign -- the very same domains (hxxp://firefoxfowner.cn), were also in circulation on Koobface infected host, in a similar fashion when the domains used in the New York Times malvertising campaign were simultaneously used in blackhat SEO campaigns managed by the Koobface gang -- have not only been seen in July's scareware campaigns -- but also, has been used to register actual domains used as a download locations for the scareware campaigns part of the Koobface botnet's scareware business model.

Parked, at, the, same, malicious, IP (91.212.107.37), are, also, the, following, malicious, domains:
hxxp://free-web-download.com
hxxp://web-free-download.com
hxxp://iqmediamanager.com
hxxp://oesoft.eu
hxxp://unsoft.eu
hxxp://losoft.eu
hxxp://tosoft.eu
hxxp://kusoft.eu

Sample, detection, rate, for, a, malicious, executable:
MD5: 29ff816c7e11147bb74570c28c4e6103
MD5: e59b66eb1680c4f195018b85e6d8b32b
MD5: b34593d884a0bc7a5adb7ab9d3b19a2c

The overwhelming evidence of underground multi-tasking performed by the Koobface gang, it's connections to money mule recruitment scams, high profile malvertising attacks, and current market share leader in blackhat SEO campaigns, made, the, group, a, prominent, market, leader, within, the, cybercrime, ecosystem, having, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, earning, hundreds, of, thousands, in, fraudulent, revenue, in, the, process.

Related posts:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign

There's no such thing as free porn, unless there are client-side, exploits, served.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, end, users, into, clicking, on, malware-serving, client-side, exploits, embedded, content, for, the, purpose, of, affecting, a, socially, engineered, user''s, host, further, monetizing, access, by, participating, in, a, rogue, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, malicious, URL, known, to, have, participated, in, the, campaign:
hxxp://jfkweb.chez.com/HytucztXRs.html? -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=6 -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=14 -> hxxp://meganxoxo.com - 74.222.13.2 - associated, name, servers: ns1.tube310.info; ns2.tube310.info - 74.222.13.24

Parked there (74.222.13.2) are also:
hxxp://e-leaderz.com - Email: seoproinc@gmail.com
hxxp://babes4you.info - 74.222.13.25
hxxp://tubexxxx.info
hxxp://my-daddy.info - 74.222.13.25

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://eroticahaeven.info
hxxp://freehotbabes.info
hxxp://freepornportal.info
hxxp://hot-babez.info
hxxp://sex-sexo.info
hxxp://tube310.info
hxxp://tube323.info

The exploitation structure is as follows:
hxxp://meganxoxo.com/xox/go.php?sid=6 -> hxxp://kibristkd.org.tr/hasan-ikizer/index01.php -> hxxp://fd1a234sa.com/js - 79.135.152.26 -> hxxp://asf356ydc.com/qual/index.php - CVE-2008-2992; CVE-2009-0927; CVE-2010-0886 -> hxxp://asf356ydc.com/qual/52472f502b9688d3326a32ed5ddd5d2c.js -> hxxp://asf356ydc.com/qual/abe9c321312b206bffa798ef9d5b6a9b.php?uid=206369 -> hxxp://188.243.231.39/public/qual.jar -> hxxp://asf356ydc.com/qual/load.php/0a3584217553d6fccbd74cfb73e954b6?forum=thread_id -> hxxp://asf356ydc.com/download/stat.php -> hxxp://asf356ydc.com/download/load/load.exe

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://jfkweb.chez.com/frank4.html - CVE-2010-0886
   - hxxp://jfkweb.chez.com/bud2.html
       - hxxp://jfkweb.chez.com/4.html
           - hxxp://wemhkr3t4z.com/qual/load/myexebr.exe
               - hxxp://asf356ydc.com/download/index.php
                   - hxxp://89.248.111.71/qual/load.php?forum=jxp&ql
                       - hxxp://asf356ydc.com/qual/index.php

Related, malicious, URls, known, to, have, participated, in, the, campaign:
hxxp://qual/10964108e3afab081ed1986cde437202.js
hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php?spn=2&uid=213393&
hxxp://qual/index.php?browser_version=6.0&uid=213393&browser=MSIE&spn=2

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://download/banner.php?spl=javat
hxxp://download/j1_ke.jar
hxxp://download/j2_93.jar

parked on 89.248.111.71, AS45001, Interdominios_ono Grupo Interdominios S.A.
wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
hxxp://alhatester.com/cp/file.exe - 204.11.56.48; 204.11.56.45; 8.5.1.46; 208.73.211.230; 208.73.211.247; 208.73.211.249; 208.73.211.246; 208.73.211.233; 208.73.211.238; 208.73.211.208

Known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs, are, also, the, following, malicious, MD5s:
MD5: 89fb419120d1443e86d37190c8f42ae8
MD5: 3194e6282b2e51ed4ef186ce6125ed73
MD5: 7f42da8b0f8542a55e5560e86c4df407
MD5: f8bdc841214ae680a755b2654995895e
MD5: ed8062e152ccbe14541d50210f035299

Once, executed, a, sample, malware (MD5: 89fb419120d1443e86d37190c8f42ae8), phones, back, to, the, following, C&C, server, IPs:
hxxp://gremser.eu
hxxp://bibliotecacenamec.org.ve
hxxp://fbpeintures.com
hxxp://postgil.com
hxxp://verum1.home.pl
hxxp://przedwislocze.internetdsl.pl
hxxp://iskurders.webkursu.net
hxxp://pennthaicafe.com.au
hxxp://motherengineering.com
hxxp://krupoonsak.com

Once, executed, a, sample, malware (MD5: 3194e6282b2e51ed4ef186ce6125ed73), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://get.enomenalco.club
hxxp://promos-back.peerdlgo.info
hxxp://get.cdzhugashvili.bid
hxxp://doap.ctagonallygran.bid
hxxp://get.gunnightmar.club
hxxp://huh.adowableunco.bid
hxxp://slibby.ineddramatiseo.bid

Once, executed, a, sample, malware (MD5: 7f42da8b0f8542a55e5560e86c4df407), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://acemoglusucuklari.com.tr
hxxp://a-bring.com
hxxp://tn69abi.com
hxxp://gim8.pl
hxxp://sso.anbtr.com

Once, executed, a, sample, malware (MD5: f8bdc841214ae680a755b2654995895e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.secdls.com
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com
hxxp://api.v2.sslsecure4.com
hxxp://api.v2.sslsecure5.com
hxxp://api.v2.sslsecure6.com
hxxp://api.v2.sslsecure7.com
hxxp://api.v2.sslsecure8.com

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://v00d00.org/nod32/grabber.exe - - 67.215.238.77; 67.215.255.139; 184.168.221.87

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (67.215.238.77):
MD5: 1233c86d3ab0081b69977dbc92f238d0

Known, to, have, responded, to, the, same, malicious, IPs, are, also, the, following, malicious, domains:
hxxp://blog.symantecservice37.com
hxxp://agoogle.in
hxxp://adv.antivirup.com
hxxp://cdind.antivirup.com

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://v00d00.org/nod32/update.php

Known, to, have, responded, to, the, same, malicious, IPs (67.215.255.139), are, also, the, following, malicious, domains:
hxxp://lenovoserve.trickip.net
hxxp://proxy.wikaba.com
hxxp://think.jkub.com
hxxp://upgrate.freeddns.com
hxxp://webproxy.sendsmtp.com
hxxp://yote.dellyou.com
hxxp://lostself.dyndns.info
hxxp://dellyou.com
hxxp://mtftp.freetcp.com
hxxp://ftp.adobe.acmetoy.com
hxxp://timeout.myvnc.com
hxxp://fashion.servehalflife.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (67.215.255.139):
MD5: e76aa56b5ba3474dda78bf31ebf1e6c0
MD5: 4de5540e450e3e18a057f95d20e3d6f6
MD5: 346a605c60557e22bf3f29a61df7cd21
MD5: ae9fefda2c6d39bc1cec36cdf6c1e6c4
MD5: da84f1d6c021b55b25ead22aae79f599

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (184.168.221.87), are, also, the, following, malicious, domains:
hxxp://teltrucking.com
hxxp://capecoraldining.org
hxxp://carsforsaletoronto.com
hxxp://joeyboca.com
hxxp://meeraamacids.com
hxxp://orangepotus.com
hxxp://palmerhardware.com
hxxp://railroadtohell.com

Related, malicious, MD5s, known, to, have, phoned, back, the, same, malicious, C&C, server, IPs (184.168.221.87):MD5: 037f8120323f2ddff3c806185512538c
MD5: 44f0e8fe53a3b489cb5204701fa1773d
MD5: 8a053e8d3e2eafc27be9738674d4d5b0
MD5: 9efc79cd75d23070735da219c331fe4d
MD5: ed81b9f1b72e31df1040ccaf9ed4393f

Once, executed, a, sample, malware (MD5: 037f8120323f2ddff3c806185512538c), phones, back, to, the, following, C&C, server, IPs:
hxxp://porno-kuba.net/emo/ld.php?v=1&rs=1819847107&n=1&uid=1

Once, executed, a, sample, malware, (MD5: 44f0e8fe53a3b489cb5204701fa1773d), phones, back, to, the, following, C&C, server, IPs:
hxxp://mhc.ir
hxxp://naphooclub.com
hxxp://mdesigner.ir
hxxp://nazarcafe.com
hxxp://meandlove.com
hxxp://nakhonsawangames.com
hxxp://mevlanacicek.com
hxxp://meeraprabhu.com
hxxp://micr.ae
hxxp://myhyderabadads.com
hxxp://cup-muangsuang.net

Sample, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://portinilwo.com/nhjq/n09230945.asp
    - hxxp://portinilwo.com/botpanel/sell2.jpg
        - hxxp://portinilwo.com/boty.dat
            - hxxp://91.188.60.161/botpanel/sell2.jpg
                - hxxp://91.188.60.161/botpanel/ip.php

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related, malicious, domains, known, to, have, participated, in, the, campaign:
asf356ydc.co
kaljv63s.com
sadkajt357.com

We'll, continue, monitoring, the, fraudulent, infrastructure, and, post, updates, as, soon, as, new, developments, take, place.

Dancho Danchev

Wednesday, December 21, 2016

New Service Offerring Fake Documents on Demand Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, multiple, underground, market, participants, and, hundreds, of, fraudulent, propositions, cybercriminals, continue, successfully, monetizing, access, to, malware-infected, hosts, for, the, purpose, of, earning, fraudulent, revenue, in, the, process, largely, relying, on, a, set, of, DIY (do-it-yourself), managed, cybercrime-friendly, services, successfully, monetizing, access, to, malware-infected, hosts, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

We've recently, intercepted, a, newly, launched, managed, on, demand, underground, market, type, of, service, proposition, offering, access, to, fake, documents, and, IDs, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, commiting, fraudulent, activities, while, earning, fraudulent, revenue, in, the, process, successfully, monetizing, access, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process.

In, this, post, we'll, profile, the, service, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

In, a, cybercrime, ecystem, populated, by, hundreds, of, fraudulent, propositions, cybercriminals, continue, actively, launching, managed, cybercrime-friendly, services, successfully, monetizing, access, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process. Largely, relying, on, a, diverse, set, of, tactics, techniques, and, procedures, cybercriminals, continue, successfully, launching, managed, cybercrime-friendly, services, successfully, empowering, novice, cybercriminals with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, earning, fraudulet, revenue, in, the, process, while, successfully, monetizing, access, to, malware-infected hosts, successfully, earning, fraudulent, revenue, in, the, process.

The, market, segment, for, fake, IDs, and, fake, documents, continues, flourishing, largely, thanks, to, a, diverse, set, of, underground, market, segment, cybercrime-friendly, managed, services, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, to, fruther, commit, cybercrime, while, earning, fraudulent, revenue, in, the, process, while, successfully, monetizing, access, to, malware-infected, hosts. In, a, market, segment, dominated, by, commiditized, underground, market, cybercrime-friendly, propositions, cybercriminals, continue, actively, populating, the, market, segment, for, fake, IDs, and, fake, documents, with, hundreds, of, fraudulent, propositions, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, to, further, commit, fraudulent, activity, while, earning, fraudulent, revenue, in, the, process.

We'll, continue, monitoring, the, market, segment, for, fake, documents, and, IDs, and, post, updates, as, soon, as, new, developments, take, place.

Related posts:
New Cybercrime-Friendly Service Offers Fake Documents and Bills on Demand
Cybercriminals Offer Fake/Fraudulent Press Documents Accreditation On Demand
Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards
Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment
Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly
A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports

Dancho Danchev

Saturday, September 24, 2016

New Mobile Malware Hits Google Play, Hundreds of Users Affected

We've, recently, intercepted, a, currently, circulating, malicious, campaign, affecting, hundreds, of, Google, Play, users, potentially, exposing, their, devices, to, a, multi-tide, of, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, their, devices. Largely, relying, on a, set, of, social, engineering, vectors, cybercriminals, continue, populating, Google, Play, with, hundreds, of, malicious, releases, successfully, bypassing, Google, Play's, security, mechanisms.

Thanks, to, a, vibrant, cybercrime, ecosystem, stolen, and, compromised, accounting, data, continues, to, represent, an, underground, market, commodity, successfully, empowering, novice, cybercriminals, with, the, necessary, tools, and, know-how, to, continue, launching, malicious, attacks. Largely, relying, on, a, set, of, social, engineering, vectors, cybercriminals, continue, to, successfully, compromise, and, take, advantage, of, stolen, publisher's, account, successfully, bypassing, Google, Play's, security, mechanisms, potentially, exposing, hundreds, of, thousands, of, users, to, a, multi-tude, of, malicious, software.

In, this, post, we'll, profile, the, campaign, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related malicious MD5s known to have participated in the campaign:

MD5: 3c4f56ebf48a0b47bffec547804d94f4

MD5: 8a81ef6673321bddc557c486bce2a025

MD5: 789cb05effb586bda98e87e71e340c39

MD5: 505e4d58c53d47245aa89c0fd7cded83

MD5: c7bb64012126e7f75feb5d021e755903

Once, executed, a, sample, malware (MD5: 3c4f56ebf48a0b47bffec547804d94f4), phones, back, to, the, following, C&C, server, IPs:

hxxp://art.hornymilfporna.com/g/getasite/

hxxp://art.hornymilfporna.com/z/orap/

hxxp://art.hornymilfporna.com/z/z2/

hxxp://art.hornymilfporna.com/z/z5/

Related malicious MD5s known to have phoned back to the same C&C server IP (art.hornymilfporna.com):

MD5: ee329ffcd6fe835bfdc0ec1a7f033584

Related malicious MD5s known to have phoned back to the same C&C server IP (hornymilfporna.com - 54.72.9.51; 104.27.188.20; 104.24.124.113):

MD5: d990fe6ed56e5f087dfc4c1ad09e2591

MD5: d129b79a68dd362714a4d35f9901c661

MD5: d74aab1f688c670c172c3767a17c4953

MD5: 5f8a4de87409b399d262bd0ae0a908d7

MD5: 189803a93cde9e0c401ac386c154328f

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server IPs:

hxxp://fullset.link

hxxp://allmodel-pro.com

hxxp://sso.anbtr.com

hxxp://xsso.allmodel-pro.com

hxxp://fullset.info

hxxp://groupmodel.biz

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:

212.61.180.100

195.22.28.222

212.61.180.100

54.72.9.51

Once, executed, a, sample, malware (MD5: 8a81ef6673321bddc557c486bce2a025), phones, back, to, the, following, C&C, server, IPs:

hxxp://cinar.pussyteenx.com/g/getasite/ - 8.5.1.44; 46.45.168.84

hxxp://cinar.pussyteenx.com/z/orap/

hxxp://cinar.pussyteenx.com/z/z2/

hxxp://cinar.pussyteenx.com/z/z5/

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):

MD5: b9a2447a5b292566b4998c5d996f488b

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):

MD5: f8205b4b9ae5d8ac8bf7b3996a6be408

MD5: a73138a8275b68296bfcf0ed39b2665c

MD5: ff06679eb18932e31f8b05d92a48b4eb

MD5: 107993dce5417356d40279feb2be0017

MD5: d5ed564fd2f4c10e3a26df9342a09545

Once, executed, a, sample, malware (MD5: f8205b4b9ae5d8ac8bf7b3996a6be408), phones, back, to, the, following, C&C, server, IPs:

hxxp://englishmeasure.net

hxxp://eitherdinner.net

hxxp://englishdinner.net

hxxp://eitherafraid.net

hxxp://englishafraid.net

hxxp://eithercircle.net

hxxp://englishcircle.net

hxxp://expectwheat.net

hxxp://becausewheat.net

hxxp://expectanger.net

hxxp://becauseanger.net

hxxp://expectalways.net

hxxp://becausealways.net

hxxp://expectforest.net

hxxp://becauseforest.net

hxxp://personwheat.net

hxxp://machinewheat.net

hxxp://personanger.net

hxxp://machineanger.net

hxxp://personalways.net

hxxp://machinealways.net

hxxp://personforest.net

hxxp://machineforest.net

hxxp://suddenwheat.net

hxxp://foreignwheat.net

hxxp://suddenanger.net

hxxp://foreignanger.net

hxxp://suddenalways.net

hxxp://foreignalways.net

hxxp://suddenforest.net

hxxp://foreignforest.net

hxxp://whetherwheat.net

hxxp://rightwheat.net

hxxp://whetheranger.net

hxxp://rightanger.net

hxxp://whetheralways.net

hxxp://rightalways.net

hxxp://whetherforest.net

hxxp://rightforest.net

hxxp://figurewheat.net

hxxp://thoughwheat.net

hxxp://figureanger.net

hxxp://thoughanger.net

hxxp://figurealways.net

hxxp://thoughalways.net

hxxp://figureforest.net

hxxp://thoughforest.net

hxxp://picturewheat.net

hxxp://cigarettewheat.net

hxxp://pictureanger.net

hxxp://cigaretteanger.net

hxxp://picturealways.net

hxxp://cigarettealways.net

hxxp://pictureforest.net

hxxp://cigaretteforest.net

hxxp://childrenwheat.net

hxxp://familywheat.net

hxxp://childrenanger.net

hxxp://familyanger.net

hxxp://childrenalways.net

hxxp://familyalways.net

hxxp://childrenforest.net

hxxp://familyforest.net

hxxp://eitherwheat.net

hxxp://englishwheat.net

hxxp://eitheranger.net

hxxp://englishanger.net

hxxp://eitheralways.net

hxxp://englishalways.net

hxxp://eitherforest.net

hxxp://englishforest.net

hxxp://expectschool.net

hxxp://becauseschool.net

hxxp://expectwhile.net

hxxp://becausewhile.net

hxxp://expectquestion.net

hxxp://becausequestion.net

hxxp://expecttherefore.net

hxxp://becausetherefore.net

hxxp://personschool.net

hxxp://machineschool.net

hxxp://personwhile.net

hxxp://machinewhile.net

hxxp://personquestion.net

hxxp://machinequestion.net

Once, executed, a, sample, malware (MD5: a73138a8275b68296bfcf0ed39b2665c), phones, back, to, the, following, C&C, server, IPs:

hxxp://figurefather.net

hxxp://thoughfather.net

hxxp://figureapple.net

hxxp://thoughapple.net

hxxp://figurebuilt.net

hxxp://thoughbuilt.net

hxxp://figurecarry.net

hxxp://thoughcarry.net

hxxp://picturefather.net

hxxp://cigarettefather.net

hxxp://pictureapple.net

hxxp://cigaretteapple.net

hxxp://picturebuilt.net

hxxp://cigarettebuilt.net

hxxp://picturecarry.net

hxxp://cigarettecarry.net

hxxp://childrenfather.net

hxxp://familyfather.net

hxxp://childrenapple.net

hxxp://familyapple.net

hxxp://childrenbuilt.net

hxxp://familybuilt.net

hxxp://childrencarry.net

hxxp://familycarry.net

hxxp://eitherfather.net

hxxp://englishfather.net

hxxp://eitherapple.net

hxxp://englishapple.net

hxxp://eitherbuilt.net

hxxp://englishbuilt.net

hxxp://eithercarry.net

hxxp://englishcarry.net

hxxp://expectmeasure.net

hxxp://becausemeasure.net

hxxp://expectdinner.net

hxxp://becausedinner.net

hxxp://expectafraid.net

hxxp://becauseafraid.net

hxxp://expectcircle.net

hxxp://becausecircle.net

hxxp://personmeasure.net

hxxp://machinemeasure.net

hxxp://persondinner.net

hxxp://machinedinner.net

hxxp://personafraid.net

hxxp://machineafraid.net

hxxp://personcircle.net

hxxp://machinecircle.net

hxxp://suddenmeasure.net

hxxp://foreignmeasure.net

hxxp://suddendinner.net

hxxp://foreigndinner.net

hxxp://suddenafraid.net

hxxp://foreignafraid.net

hxxp://suddencircle.net

hxxp://foreigncircle.net

hxxp://whethermeasure.net

hxxp://rightmeasure.net

hxxp://whetherdinner.net

hxxp://rightdinner.net

hxxp://whetherafraid.net

hxxp://rightafraid.net

hxxp://whethercircle.net

hxxp://rightcircle.net

hxxp://figuremeasure.net

hxxp://thoughmeasure.net

hxxp://figuredinner.net

hxxp://thoughdinner.net

hxxp://figureafraid.net

hxxp://thoughafraid.net

hxxp://figurecircle.net

hxxp://thoughcircle.net

hxxp://picturemeasure.net

hxxp://cigarettemeasure.net

hxxp://picturedinner.net

hxxp://cigarettedinner.net

hxxp://pictureafraid.net

hxxp://cigaretteafraid.net

hxxp://picturecircle.net

hxxp://cigarettecircle.net

hxxp://childrenmeasure.net

hxxp://familymeasure.net

hxxp://childrendinner.net

hxxp://familydinner.net

hxxp://childrenafraid.net

hxxp://familyafraid.net

hxxp://childrencircle.net

hxxp://familycircle.net

hxxp://eithermeasure.net

hxxp://englishmeasure.net

hxxp://eitherdinner.net

hxxp://englishdinner.net

hxxp://eitherafraid.net

hxxp://englishafraid.net

hxxp://eithercircle.net

hxxp://englishcircle.net

hxxp://expectwheat.net

hxxp://becausewheat.net

hxxp://expectanger.net

hxxp://becauseanger.net

hxxp://expectalways.net

hxxp://becausealways.net

hxxp://expectforest.net

hxxp://becauseforest.net

hxxp://personwheat.net

hxxp://machinewheat.net

hxxp://personanger.net

hxxp://machineanger.net

hxxp://personalways.net

hxxp://machinealways.net

hxxp://personforest.net

hxxp://machineforest.net

hxxp://suddenwheat.net

hxxp://foreignwheat.net

hxxp://suddenanger.net

hxxp://foreignanger.net

hxxp://suddenalways.net

hxxp://foreignalways.net

hxxp://suddenforest.net

hxxp://foreignforest.net

hxxp://whetherwheat.net

hxxp://rightwheat.net

hxxp://whetheranger.net

hxxp://rightanger.net

hxxp://whetheralways.net

hxxp://rightalways.net

hxxp://whetherforest.net

hxxp://rightforest.net

hxxp://figurewheat.net

hxxp://thoughwheat.net

hxxp://figureanger.net

Once, executed, a, sample, malware, phones, back, to the, following, C&C, server, IPs:
hxxp://195.22.28.197
hxxp://195.22.28.199
hxxp://184.168.221.55
hxxp://208.100.26.234
hxxp://184.168.221.35
hxxp://98.124.243.42
hxxp://208.100.26.234
hxxp://184.168.221.104
hxxp://173.236.80.218
hxxp://195.22.26.248
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://8.5.1.44
hxxp://98.130.238.135

Once, executed, a, sample, malware (MD5: ff06679eb18932e31f8b05d92a48b4eb), phones, back, to, the, following, C&C, server, IPs:

hxxp://strengthbecame.net

hxxp://stillbecame.net

hxxp://strengthcontain.net

hxxp://stillcontain.net

hxxp://strengthbasket.net

hxxp://stillbasket.net

hxxp://movementsettle.net

hxxp://outsidesettle.net

hxxp://movementlanguage.net

hxxp://outsidelanguage.net

hxxp://movementdevice.net

hxxp://outsidedevice.net

hxxp://movementbefore.net

hxxp://outsidebefore.net

hxxp://buildingsettle.net

hxxp://eveningsettle.net

hxxp://buildinglanguage.net

hxxp://eveninglanguage.net

hxxp://buildingdevice.net

hxxp://eveningdevice.net

hxxp://buildingbefore.net

hxxp://eveningbefore.net

hxxp://storesettle.net

hxxp://mightsettle.net

hxxp://storelanguage.net

hxxp://mightlanguage.net

hxxp://storedevice.net

hxxp://mightdevice.net

hxxp://storebefore.net

hxxp://mightbefore.net

hxxp://doctorsettle.net

hxxp://prettysettle.net

hxxp://doctorlanguage.net

hxxp://prettylanguage.net

hxxp://doctordevice.net

hxxp://prettydevice.net

hxxp://doctorbefore.net

hxxp://prettybefore.net

hxxp://fellowsettle.net

hxxp://doublesettle.net

hxxp://fellowlanguage.net

hxxp://doublelanguage.net

hxxp://fellowdevice.net

hxxp://doubledevice.net

hxxp://fellowbefore.net

hxxp://doublebefore.net

hxxp://brokensettle.net

hxxp://resultsettle.net

hxxp://brokenlanguage.net

hxxp://resultlanguage.net

hxxp://brokendevice.net

hxxp://resultdevice.net

hxxp://brokenbefore.net

hxxp://resultbefore.net

hxxp://preparesettle.net

hxxp://desiresettle.net

hxxp://preparelanguage.net

hxxp://desirelanguage.net

hxxp://preparedevice.net

hxxp://desiredevice.net

hxxp://preparebefore.net

hxxp://desirebefore.net

hxxp://strengthsettle.net

hxxp://stillsettle.net

hxxp://strengthlanguage.net

hxxp://stilllanguage.net

hxxp://strengthdevice.net

hxxp://stilldevice.net

hxxp://strengthbefore.net

hxxp://stillbefore.net

hxxp://movementfound.net

hxxp://outsidefound.net

hxxp://movementspring.net

hxxp://outsidespring.net

hxxp://movementsuccess.net

hxxp://outsidesuccess.net

hxxp://movementbanker.net

hxxp://outsidebanker.net

hxxp://buildingfound.net

hxxp://eveningfound.net

hxxp://buildingspring.net

hxxp://eveningspring.net

hxxp://buildingsuccess.net

hxxp://eveningsuccess.net

hxxp://buildingbanker.net

hxxp://eveningbanker.net

hxxp://storefound.net

hxxp://mightfound.net

hxxp://storespring.net

hxxp://mightspring.net

hxxp://storesuccess.net

hxxp://mightsuccess.net

hxxp://storebanker.net

hxxp://mightbanker.net

hxxp://doctorfound.net

hxxp://prettyfound.net

hxxp://doctorspring.net

hxxp://prettyspring.net

hxxp://doctorsuccess.net

hxxp://prettysuccess.net

hxxp://doctorbanker.net

hxxp://prettybanker.net

hxxp://fellowfound.net

hxxp://doublefound.net

hxxp://fellowspring.net

hxxp://doublespring.net

hxxp://fellowsuccess.net

hxxp://doublesuccess.net

hxxp://fellowbanker.net

hxxp://doublebanker.net

hxxp://brokenfound.net

hxxp://resultfound.net

hxxp://brokenspring.net

hxxp://resultspring.net

hxxp://brokensuccess.net

hxxp://resultsuccess.net

hxxp://brokenbanker.net

hxxp://resultbanker.net

hxxp://preparefound.net

hxxp://desirefound.net

hxxp://preparespring.net

hxxp://desirespring.net

hxxp://preparesuccess.net

hxxp://desiresuccess.net

hxxp://preparebanker.net

hxxp://desirebanker.net

hxxp://strengthfound.net

hxxp://stillfound.net

hxxp://strengthspring.net

hxxp://stillspring.net

hxxp://strengthsuccess.net

hxxp://stillsuccess.net

hxxp://strengthbanker.net

hxxp://stillbanker.net

hxxp://movementairplane.net

hxxp://outsideairplane.net

hxxp://movementstraight.net

hxxp://outsidestraight.net

hxxp://movementguard.net

hxxp://outsideguard.net

hxxp://movementfence.net

hxxp://outsidefence.net

hxxp://buildingairplane.net

hxxp://eveningairplane.net

hxxp://buildingstraight.net

hxxp://eveningstraight.net

hxxp://buildingguard.net

hxxp://eveningguard.net

hxxp://buildingfence.net

hxxp://eveningfence.net

hxxp://storeairplane.net

hxxp://mightairplane.net

hxxp://storestraight.net

hxxp://mightstraight.net

hxxp://storeguard.net

hxxp://mightguard.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://98.124.243.39
hxxp://195.22.28.198
hxxp://216.239.34.21
hxxp://208.100.26.234
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://50.63.202.6
hxxp://54.207.35.233
hxxp://8.5.1.44
hxxp://74.208.236.66
hxxp://81.21.76.62
hxxp://50.63.202.55
hxxp://208.91.197.25
hxxp://5.2.189.251
hxxp://195.22.28.198

Once, executed, a, sample, malware (MD5: 107993dce5417356d40279feb2be0017), phones, back, to, the, following, C&C, server, IPs:

hxxp://movementindustry.net

hxxp://outsideindustry.net

hxxp://movementbecame.net

hxxp://outsidebecame.net

hxxp://movementcontain.net

hxxp://outsidecontain.net

hxxp://movementbasket.net

hxxp://outsidebasket.net

hxxp://buildingindustry.net

hxxp://eveningindustry.net

hxxp://buildingbecame.net

hxxp://eveningbecame.net

hxxp://buildingcontain.net

hxxp://eveningcontain.net

hxxp://buildingbasket.net

hxxp://eveningbasket.net

hxxp://storeindustry.net

hxxp://mightindustry.net

hxxp://storebecame.net

hxxp://mightbecame.net

hxxp://storecontain.net

hxxp://mightcontain.net

hxxp://storebasket.net

hxxp://mightbasket.net

hxxp://doctorindustry.net

hxxp://prettyindustry.net

hxxp://doctorbecame.net

hxxp://prettybecame.net

hxxp://doctorcontain.net

hxxp://prettycontain.net

hxxp://doctorbasket.net

hxxp://prettybasket.net

hxxp://fellowindustry.net

hxxp://doubleindustry.net

hxxp://fellowbecame.net

hxxp://doublebecame.net

hxxp://fellowcontain.net

hxxp://doublecontain.net

hxxp://fellowbasket.net

hxxp://doublebasket.net

hxxp://brokenindustry.net

hxxp://resultindustry.net

hxxp://brokenbecame.net

hxxp://resultbecame.net

hxxp://brokencontain.net

hxxp://resultcontain.net

hxxp://brokenbasket.net

hxxp://resultbasket.net

hxxp://prepareindustry.net

hxxp://desireindustry.net

hxxp://preparebecame.net

hxxp://desirebecame.net

hxxp://preparecontain.net

hxxp://desirecontain.net

hxxp://preparebasket.net

hxxp://desirebasket.net

hxxp://strengthindustry.net

hxxp://stillindustry.net

hxxp://strengthbecame.net

hxxp://stillbecame.net

hxxp://strengthcontain.net

hxxp://stillcontain.net

hxxp://strengthbasket.net

hxxp://stillbasket.net

hxxp://movementsettle.net

hxxp://outsidesettle.net

hxxp://movementlanguage.net

hxxp://outsidelanguage.net

hxxp://movementdevice.net

hxxp://outsidedevice.net

hxxp://movementbefore.net

hxxp://outsidebefore.net

hxxp://buildingsettle.net

hxxp://eveningsettle.net

hxxp://buildinglanguage.net

hxxp://eveninglanguage.net

hxxp://buildingdevice.net

hxxp://eveningdevice.net

hxxp://buildingbefore.net

hxxp://eveningbefore.net

hxxp://storesettle.net

hxxp://mightsettle.net

hxxp://storelanguage.net

hxxp://mightlanguage.net

hxxp://storedevice.net

hxxp://mightdevice.net

hxxp://storebefore.net

hxxp://mightbefore.net

hxxp://doctorsettle.net

hxxp://prettysettle.net

hxxp://doctorlanguage.net

hxxp://prettylanguage.net

hxxp://doctordevice.net

hxxp://prettydevice.net

hxxp://doctorbefore.net

hxxp://prettybefore.net

fhxxp://ellowsettle.net

hxxp://doublesettle.net

hxxp://fellowlanguage.net

hxxp://doublelanguage.net

fhxxp://ellowdevice.net

hxxp://doubledevice.net

hxxp://fellowbefore.net

hxxp://doublebefore.net

hxxp://brokensettle.net

hxxp://resultsettle.net

hxxp://brokenlanguage.net

hxxp://resultlanguage.net

hxxp://brokendevice.net

hxxp://resultdevice.net

hxxp://brokenbefore.net

hxxp://resultbefore.net

hxxp://preparesettle.net

hxxp://desiresettle.net

hxxp://preparelanguage.net

hxxp://desirelanguage.net

hxxp://preparedevice.net

hxxp://desiredevice.net

hxxp://preparebefore.net

hxxp://desirebefore.net

hxxp://strengthsettle.net

hxxp://stillsettle.net

hxxp://strengthlanguage.net

hxxp://stilllanguage.net

hxxp://strengthdevice.net

hxxp://stilldevice.net

hxxp://strengthbefore.net

hxxp://stillbefore.net

hxxp://movementfound.net

hxxp://outsidefound.net

hxxp://movementspring.net

hxxp://outsidespring.net

hxxp://movementsuccess.net

hxxp://outsidesuccess.net

hxxp://movementbanker.net

hxxp://outsidebanker.net

hxxp://buildingfound.net

hxxp://eveningfound.net

hxxp://buildingspring.net

hxxp://eveningspring.net

hxxp://buildingsuccess.net

hxxp://eveningsuccess.net

hxxp://buildingbanker.net

hxxp://eveningbanker.net

hxxp://storefound.net

hxxp://mightfound.net

hxxp://storespring.net

hxxp://mightspring.net

hxxp://storesuccess.net

hxxp://mightsuccess.net

hxxp://storebanker.net

hxxp://mightbanker.net

hxxp://doctorfound.net

hxxp://prettyfound.net

hxxp://doctorspring.net

hxxp://prettyspring.net

hxxp://doctorsuccess.net

hxxp://prettysuccess.net

hxxp://doctorbanker.net

hxxp://prettybanker.net

hxxp://fellowfound.net

hxxp://doublefound.net

hxxp://fellowspring.net

hxxp://doublespring.net

hxxp://fellowsuccess.net

hxxp://doublesuccess.net

hxxp://fellowbanker.net

hxxp://doublebanker.net

hxxp://brokenfound.net

hxxp://resultfound.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://207.148.248.143
hxxp://50.63.202.56
hxxp://208.100.26.234
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://98.124.243.39
hxxp://195.22.28.199
hxxp://216.239.32.21
hxxp://208.100.26.234
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://50.63.202.6
hxxp://54.207.35.233
hxxp://8.5.1.44
hxxp://74.208.236.66

Once, executed, a, sample, malware (MD5: d5ed564fd2f4c10e3a26df9342a09545), phones, back, to, the, following, C&C, server, IPs:

hxxp://desiredress.net

hxxp://strengthcatch.net

hxxp://stillcatch.net

hxxp://strengtheearly.net

hxxp://stilleearly.net

hxxp://strengthpublic.net

hxxp://stillpublic.net

hxxp://strengthdress.net

hxxp://stilldress.net

hxxp://expectlength.net

hxxp://becauselength.net

hxxp://expectnotice.net

hxxp://becausenotice.net

hxxp://expectindeed.net

hxxp://becauseindeed.net

hxxp://expectduring.net

hxxp://becauseduring.net

hxxp://personlength.net

hxxp://machinelength.net

hxxp://personnotice.net

hxxp://machinenotice.net

hxxp://personindeed.net

hxxp://machineindeed.net

hxxp://personduring.net

hxxp://machineduring.net

hxxp://suddenlength.net

hxxp://foreignlength.net

hxxp://suddennotice.net

hxxp://foreignnotice.net

hxxp://suddenindeed.net

hxxp://foreignindeed.net

hxxp://suddenduring.net

hxxp://foreignduring.net

hxxp://whetherlength.net

hxxp://rightlength.net

hxxp://whethernotice.net

hxxp://rightnotice.net

hxxp://whetherindeed.net

hxxp://rightindeed.net

hxxp://whetherduring.net

hxxp://rightduring.net

hxxp://figurelength.net

hxxp://thoughlength.net

hxxp://figurenotice.net

hxxp://thoughnotice.net

hxxp://figureindeed.net

hxxp://thoughindeed.net

hxxp://figureduring.net

hxxp://thoughduring.net

hxxp://picturelength.net

hxxp://cigarettelength.net

hxxp://picturenotice.net

hxxp://cigarettenotice.net

hxxp://pictureindeed.net

hxxp://cigaretteindeed.net

hxxp://pictureduring.net

hxxp://cigaretteduring.net

hxxp://childrenlength.net

hxxp://familylength.net

hxxp://childrennotice.net

hxxp://familynotice.net

hxxp://childrenindeed.net

hxxp://familyindeed.net

hxxp://childrenduring.net

hxxp://familyduring.net

hxxp://eitherlength.net

hxxp://englishlength.net

hxxp://eithernotice.net

hxxp://englishnotice.net

hxxp://eitherindeed.net

hxxp://englishindeed.net

hxxp://eitherduring.net

hxxp://englishduring.net

hxxp://expectclear.net

hxxp://becauseclear.net

hxxp://expectgeneral.net

hxxp://becausegeneral.net

hxxp://expectinclude.net

hxxp://becauseinclude.net

hxxp://expectnorth.net

hxxp://becausenorth.net

hxxp://personclear.net

hxxp://machineclear.net

hxxp://persongeneral.net

hxxp://machinegeneral.net

hxxp://personinclude.net

hxxp://machineinclude.net

hxxp://personnorth.net

hxxp://machinenorth.net

hxxp://suddenclear.net

hxxp://foreignclear.net

hxxp://suddengeneral.net

hxxp://foreigngeneral.net

hxxp://suddeninclude.net

hxxp://foreigninclude.net

hxxp://suddennorth.net

hxxp://foreignnorth.net

hxxp://whetherclear.net

hxxp://rightclear.net

hxxp://whethergeneral.net

hxxp://rightgeneral.net

hxxp://whetherinclude.net

hxxp://rightinclude.net

hxxp://whethernorth.net

hxxp://rightnorth.net

hxxp://figureclear.net

hxxp://thoughclear.net

hxxp://figuregeneral.net

hxxp://thoughgeneral.net

hxxp://figureinclude.net

hxxp://thoughinclude.net

hxxp://figurenorth.net

hxxp://thoughnorth.net

hxxp://pictureclear.net

hxxp://cigaretteclear.net

hxxp://picturegeneral.net

hxxp://cigarettegeneral.net

hxxp://pictureinclude.net

hxxp://cigaretteinclude.net

hxxp://picturenorth.net

hxxp://cigarettenorth.net

hxxp://childrenclear.net

hxxp://familyclear.net

hxxp://childrengeneral.net

hxxp://familygeneral.net

hxxp://childreninclude.net

hxxp://familyinclude.net

hxxp://childrennorth.net

hxxp://familynorth.net

hxxp://eitherclear.net

hxxp://englishclear.net

hxxp://eithergeneral.net

hxxp://englishgeneral.net

hxxp://eitherinclude.net

hxxp://englishinclude.net

hxxp://eithernorth.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://8.5.1.44
hxxp://208.100.26.234
hxxp://195.22.28.199
hxxp://162.255.119.249
hxxp://208.100.26.234
hxxp://98.124.243.44

Once, executed, a, sample, malware (MD5: 789cb05effb586bda98e87e71e340c39), phones, back, to, the, following, C&C, server, IPs:

hxxp://diyar.collegegirlteen.com/g/getasite/ - 46.45.168.84

hxxp://diyar.collegegirlteen.com/z/orap/

hxxp://diyar.collegegirlteen.com/z/z2/

hxxp://diyar.collegegirlteen.com/z/z5/

Related, malicious, MD5s, known, to, have, phoned, back, to, the, following, C&C, server, IPs:

MD5: acd62483446c7ed057f312784bfddd61

Once, executed, a, sample, malware (MD5: 505e4d58c53d47245aa89c0fd7cded83), phones, back, to, the, following, C&C, server, IPs:

hxxp://van.cowteen.com/g/getasite/ - 46.45.168.84

hxxp://van.cowteen.com/z/orap/

hxxp://van.cowteen.com/z/z2/

hxxp://van.cowteen.com/z/z5/

Related. malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP:

MD5: 13f2e7b3141b84666e0209e140663ef2

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:

hxxp://w.bestmobile.mobi/ - 104.31.66.169; 104.31.67.169; 104.28.0.226; 104.28.1.226

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs:

MD5: 92bd8e7e58816bcb14f9dcbf839178ca

MD5: 1ee44596b174edb55c4bc497c1fe5f34

MD5: 443f732e406b3d96e53184917525e14a

MD5: a24fad894881b746c48420b019a225cf

MD5: 7c8a8f96c5b31e6ccae936ddc5226c91

Once, executed, a, sample, malware (MD5: a24fad894881b746c48420b019a225cf), phones, back, to, the, following, C&C, server, IPs:

hxxp://au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210

hxxp://au.umeng.com/api/check_app_update - 140.205.134.243; 140.205.170.6; 140.205.250.51; 140.205.230.45; 140.205.155.238; 110.173.196.195; 211.151.151.6; 211.151.139.210;

211.151.139.211

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP (au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210):

MD5: 65a6f1e29b09ba7caa98a9763593aedb

MD5: 102111b9024b71f6ab584d22abdbc589

MD5: 9ad137e51a5b6b2288c774a74a7e80da

MD5: a70595e99b3471216404400b736eaf7c

MD5: 3d3360250c96dff33e177121113b5a3f

Once, executed, a, sample, malware, phones, back, to, the, same, C&C, server, IPs:

hxxp://211.139.191.223

hxxp://221.179.35.113

Once, executed, a, sample, malware, phones, back, to, the, same, C&C, server, IPs:

hxxp://115.28.174.189/hft/rq.php

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs:

MD5: c0464c5193dec0980a07fa2e50deffb1

We'll, continue, monitoring, the, market, segment, for, mobile, malware, and, post, updates, as, soon, as, new, developments, take, place.

Dancho Danchev