Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

Remember, the, Russian, Business, Network, and, the, New, Media, Malware, Gang?

It's, been, several, years, since, I, last, posted, an, update, regarding, the, group's, activities, including, the, direct, establishing, of, a, direct, connection, between, the, Russian, Business, Network, the, New, Media, Malware, gang, including, a, variety, of, high, profile, Web, site, compromise, campaigns.

What's, particularly, interesting, about, the, group's, activities, is, the, fact, that, back, in, 2007, the, group's, activities, used, to, dominate, the, threat, landscape, in, a, targeted, fashion, including, the, active, utilization, of, client-side, exploits, and, the, active, exploitation, of, legitimate, Web, sites, successfully, positioning, the, group, including, the, Russian, Business, Network, as, a, leading, provider, of, malicious, activities, online, leading, to, a, series, of, analyses, successfully, detailing, the, activities, of, the, group, including, the, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, Storm, Worm, botnet.

In, this, post, I'll, provide, a, detailed, analysis, of, the, group's, activities, discuss, in, the, depth, the, tactics, techniques, and, procedures, (TTPs), of, the, group, including, a, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, direct, compromise, of, a, series, of, high, profile, Web, site, compromise, campaigns.

Having, successfully, tracked, down, and, profiled, the, group's, activities, for, a, period, of, several, years, and, based, on, the, actionable, intelligence, provided, regarding, the, group's, activities, we, can, easily, establish, a, direct, connection, between, the, New, Media, Malware, Gang, and, the, Russian, Business, Network, including, a, series, of, high, profile, Web, site, compromise, campaigns.

Key Summary Points:
- RBN Connection, New Media Malware Gang connection - "ai siktir" "Die()", money mule recruitment, money laundering of virtual currency
- Actionable CYBERINT data to assist law enforcement, academics and the private sector in ongoing or past cybercrime investigations
- Complete domain portfolios registered up to the present day using the same emails used to register the malicious domains during 2007-2009 to assist law enforcement, academics and the private sector in catching up with their malicious activities over the years
- Detailed analysis of each and every campaign's domain portfolios (up to present day) further dissecting the fraudulent schemes launched by the same cybercriminals that embedded malware on the embassies' web sites
- Complete IP Hosting History for each and every of the malicious domains/command and control servers during the time of the attack
 - The "Big Picture" detailing the inter-connections between the campaigns, with historical OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian Business Network

Let's, profile, the, group's, activities, including, a, direct, establishing, of, a, connection, between, the, Russian, Business, Network, the, New, Media, Malware, Gang, and, the, Storm, Worm, botnet.

In, 2007, I, profiled, the, direct, compromise, of, the, Syrian, Embassy, in, London, including, a, related, compromise of, the, USAID.gov compromised, malware and exploits served, the, U.S Consulate St. Petersburg Serving Malware, Bank of India Serving Malware, French Embassy in Libya Serving Malware, Ethiopian Embassy in Washington D.C Serving Malware, Embassy of India in Spain Serving Malware, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, detailing, the, malicious, activities, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

Let's profile, the, campaigns, and, discuss, in, depth, the, direct, connection, between, the, group's, activities, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

sicil.info - on 2007-09-26 during the time of the attack, the domain was registered using the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 with an IP 213.186.33.24. On 2007-07-11, it changed IPs to 203.121.79.71, followed by another change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 to 190.183.63.56.

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (sicil.info):
MD5: 4802db20da46fca2a1896d4c983b13ba
MD5: f9434d86ef2959670b73a79947b0f4d2
MD5: 32dba64ae55e7bb4850e27274da42d1b
MD5: cd6a7ff6388fbd94b7ee9cdc88ca8f4d
MD5: 57dff9e8154189f0a09fb62450decac6

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (sicil.info), are, also, the, following, malicious, domains:
hxxp://144.217.69.62
hxxp://63.246.128.71
hxxp://207.150.177.28
hxxp://66.111.47.62
hxxp://66.111.47.4
hxxp://66.111.47.8

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (213.186.33.24):
MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb
MD5: 95cc3a0243aa050243ab858794c1d221
MD5: cc63d67282789e03469f2e6520c6de80
MD5: 3829506c454b86297d2828077589cbf8
MD5: 1e18b17149899d55d3625d47135a22a7

Once, executed, a, sample, malware (MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ioasis.org - 208.112.115.36
hxxp://polyhedrusgroup.com - 143.95.229.33
hxxp://espoirsetvie.com - 213.186.33.24
hxxp://ladiesdehaan.be - 185.59.17.113
hxxp://chonburicoop.net - 27.254.96.151
hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48

Related posts: Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (0ki.ru; 89.179.174.156):
MD5: cd33ea55b2d13df592663f18e6426921
MD5: 8e0c7757b82d14b988afac075e8ed5dc
MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012
MD5: e513a1b25e59670f777398894dfe41b6
MD5: 0fad43c03d80a1eb3a2c1ae9e9a6c9ed
MD5: 6e1b789f0df30ba0798fbc47cb1cec1c
MD5: 9f02232ed0ee609c8db1b98325beaa94

Once, executed, a, sample, malware (MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012), phones, back, to, the, following, C&C, server, IPs:
hxxp://lordofthepings.ru (173.254.236.159)
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz
hxxp://ladyhaha.xyz
hxxp://porkhalal.site
hxxp://rihannafap.site
hxxp://bieberfans.top
hxxp://runands.top
hxxp://frontlive.net
hxxp://offerlive.net
hxxp://frontserve.net
hxxp://offerserve.net
hxxp://hanghello.ru
hxxp://hanghello.net
hxxp://septemberhello.net
hxxp://hangmine.net
hxxp://septembermine.net
hxxp://hanglive.net
hxxp://wrongserve.ru
hxxp://wrongserve.net
hxxp://madelive.net

Once, executed, a, sample, malware (MD5: e513a1b25e59670f777398894dfe41b6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardlive.ru
hxxp://yardlive.net
hxxp://musiclive.net - 141.8.225.124
hxxp://yardserve.net
hxxp://musicserve.net - 185.53.177.20
hxxp://wenthello.net
hxxp://spendhello.ru
hxxp://wentmine.net
hxxp://spendmine.net
hxxp://spendhello.net
hxxp://joinlive.net
hxxp://wentserve.ru
hxxp://hanghello.net
hxxp://joinhello.net

hxxp://x12345.org - 46.4.22.145

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (miron555.org):
MD5: 0e423596c502c1e28cce0c98df2a2b6d
MD5: e75d92defb11afe50a8cc51dfe4fb6ee
MD5: adcedd763f541e625f91030ee4de7c19
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 0e423596c502c1e28cce0c98df2a2b6d

Over the years (up to present day) srvs4you@gmail.com is also known to have been used to register the following domains:
hxxp://10lann10.org
hxxp://24cargo.net
hxxp://ace-assist.biz
hxxp://activation-confirm.com
hxxp://adwoords.net
hxxp://alert-careerbuilder.com
hxxp://annebehnert.info
hxxp://apollo-services.net
hxxp://appolage.org
hxxp://auctions-ukash.com
hxxp://bbcfinancenews.com
hxxp://bestgreatoffers.org
hxxp://blackbird-registration.com
hxxp://bloomborg.biz
hxxp://businessproc1.com
hxxp://bussolutionsinc.org
hxxp://calisto-trading.com
hxxp://calisto-trading.net
hxxp://calisto-trading.org
hxxp://candy-country.com
hxxp://casheq.com
hxxp://cfca-usa.com
hxxp://cfodaily.biz
hxxp://citizenfinancial.net
hxxp://citylending.net
hxxp://clean2mail.com
hxxp://confirm-activation.com
hxxp://consultingwiz.org
hxxp://courierusa-online.com
hxxp://cristhmasx.com
hxxp://d-stanley.net
hxxp://dariazacherl.info
hxxp://des-group.com
hxxp://digital-investment-projects.com
hxxp://dns4your.net
hxxp://dvasuka.com
hxxp://easy-midnight.com
hxxp://easy-transfer.biz
hxxp://easymidnight.com
hxxp://ecareerstyle.com
hxxp://ecnoho.com
hxxp://efinancialnews.biz
hxxp://eluxuryauctions.com
hxxp://elx-ltd.net
hxxp://elx-trading.org
hxxp://elxltd.net
hxxp://emoney-ex.com
hxxp://epsincorp.net
hxxp://equitrust.org
hxxp://erobersteng.com
hxxp://erxlogistics.com
hxxp://esdeals.com
hxxp://estemaniaks.com
hxxp://eu-bis.com
hxxp://eu-cellular.com
hxxp://eubiz.org
hxxp://euwork.org
hxxp://expressdeal.info
hxxp://ezado.net
hxxp://fairwaylending.org
hxxp://fan-gaming.org
hxxp://fcinternatonal1.com
hxxp://fidelitylending.net
hxxp://financial-forbes.com
hxxp://financialnews-us.net
hxxp://firstcapitalgroup.org
hxxp://freemydns.org
hxxp://fremontlending.net
hxxp://fresh-solutions-mail.com
hxxp://fresh-solutions.us
hxxp://garnantfoundation.com
hxxp://gazenvagen.com
hxxp://globerental.com
hxxp://googmail.biz
hxxp://i-expertadvisor.com
hxxp://icebart.com
hxxp://icqdosug.com
hxxp://iesecurityupdates.com
hxxp://indigo-consulting.org
hxxp://indigo-job-with-us.com
hxxp://indigojob.com
hxxp://indigovacancies.com
hxxp://inncoming.com
hxxp://ivsentns.com
hxxp://iwiwlive.net
hxxp://iwiwonline.net
hxxp://jobs-in-eu.org
hxxp://kelermaket.com
hxxp://kklfnews.com
hxxp://knses.com
hxxp://komodok.com
hxxp://krdns.biz
hxxp://ksfcnews.com
hxxp://ksfcradio.com
hxxp://ktes314.org
hxxp://lda-import.com
hxxp://legal-solutions.org
hxxp://lgcareer.com
hxxp://lgtcareer.com
hxxp://librarysp.com
hxxp://littlexz.com
hxxp://mariawebber.org
hxxp://megamule.net
hxxp://moneycnn.biz
hxxp://njnk.net
hxxp://ns4ur.net
hxxp://nytimesnews.biz
hxxp://o2cash.net
hxxp://offsoftsolutions.com
hxxp://pcpro-tbstumm.com
hxxp://perfect-investments.org
hxxp://progold-inc.biz
hxxp://protectedsession.com
hxxp://razsuka.com
hxxp://reutors.biz
hxxp://rushop.us
hxxp://science-and-trade.com
hxxp://secure-operations.org
hxxp://securesitinngs.com
hxxp://servicessupport.biz
hxxp://sessionprotected.com
hxxp://sicil.info
hxxp://sicil256.info
hxxp://simple-investments-mail.org
hxxp://simple-investments.net
hxxp://simple-investments.org
hxxp://sp3library.com
hxxp://speeduserhost.com
hxxp://storempire.com
hxxp://tas-corporation.com
hxxp://tas-corporation.net
hxxp://tascorporation.net
hxxp://topixus.net
hxxp://tsrcorp.net
hxxp://u-file.org
hxxp://ukashauction.net
hxxp://ultragame.org
hxxp://unitedfinancegroup.org
hxxp://vanessakoepp.org
hxxp://verymonkey.com
hxxp://vesa-group.com
hxxp://vesa-group.net
hxxp://vipvipns.net
hxxp://vipvipns.org
hxxp://wondooweria.com
hxxp://wondoowerka.com
hxxp://wootpwnseal.com
hxxp://worldeconomist.biz
hxxp://wumtt-westernunion.com
hxxp://xsoftwares.com
hxxp://xxx2008xxx.com
hxxp://yourcashlive.com
hxxp://yourlive.biz
hxxp://yourmule.com

On 2008-09-25 0ki.ru was registered using the kseninkopetr@nm.ru email. The same email address is not known to have been used to register any additional domains.

On 2008-06-19 x12345.org was registered using the xix.x12345@yahoo.com email. On 2007-09-10 the domain use to respond to 66.36.243.97, then on 2007-11-13 it changed IPs to 58.65.236.10, following another change on 2008-05-06 to 203.186.128.154. No other domains are known to have been registered using the same email address.

On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, followed by another registration email change on 2008-02-12 to nepishite555suda@gmail.com. On 2007-04-24, the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, more IP changes on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 88.255.90.138.

Historically (up to present day), mironbot@gmail.com is also known to have been used to register the following domains:
hxxp://24-7onlinepharmacy.net
hxxp://bestmoviesonline.info
hxxp://brightstonepharma.com
hxxp://deapotheke.com
hxxp://dozor555.info
hxxp://my-traff.cn
hxxp://pharmacyit.net
hxxp://trffc.org
hxxp://trffc3.ru
hxxp://xmpharm.com

In, 2008, I, profiled, the, direct, compromise, of, The Dutch Embassy in Moscow Serving Malware, further, detailing, the, malicious, and, activity, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, direct, compromise, of, the, Embassy's Web, site.

On 2009-03-04, lmifsp.com was registered using the redemption@snapnames.com email. On 2007-11-30, it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 68.178.232.99.

In, 2008, I, profiled, the, direct, compromise, of, Embassy of Brazil in India Compromised, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

hxxp://google-analyze.com - 87.118.118.193

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (google-analyze.com - 87.118.118.193):
MD5: 2bcb74c95f30e3741210c0de0c1b406f

On 2008-10-15, traff.asia was registered using the traffon@gmail.com email.

On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008-03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 2008-09-15.

On 2008-08-05, google-analystic.net, is, known, to, have, responded, to, 212.117.163.162, and, was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to respond to 64.28.187.84, it then changed IPS to 85.255.120.195 on 2008-08-03, followed by another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another change on 2008-10-25 to 209.160.67.56.

On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. On 2008-11-11 it used to respond to 79.135.187.38.

In, 2009, I, profiled, the, direct, compromise, of, Ethiopian Embassy in Washington D.C Serving Malware, further, detailing, the, group's, activities, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On 2009-01-19, 1tvv.com is, known, to, have, responded, to, 69.172.201.153; 66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 74.200.250.130; 69.170.135.92; 64.74.223.38, and, was registered using the mogensen@fontdrift.com email.

On 2005-08-27, the domain (1tvv.com) is, known, to, have, responded to 198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP change on 2010-04-08 to 216.240.187.145, followed by yet another change on 2010-06-02 to 69.43.160.145, then on 2010-07-25 to 69.43.160.145.

On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email.

On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01-service.ru email.

On 2009-05-02, us18.ru, is, known, to, have, responded, to, 109.70.26.37; 185.12.92.229; 109.70.26.36, and, was registered using the belyaev_andrey@inbox.ru email.

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0b545cd12231d0a4239ce837cd371166
MD5: dae41c862130daebcff0e463e2c30e50
MD5: 601806c0a01926c2a94558148764797a
MD5: 45f97cd8df4448bbe073a38c264ef93f
MD5: 94aeba45e6fb4d17baa4989511e321b3

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: 4e0ce2f9f92ac5193c2a383de6015523
MD5: a38d47fcfdaf14372cea3de850cf487d
MD5: 014d2f1bae3611e016f96a37f98fd4b7
MD5: daad60cb300101dc05d2ff922966783b
MD5: 0a775110077e2c583be56e5fb3fa4f09

Once, executed, a, sample, malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.66.160
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
hxxp://sso.anbtr.com - 195.22.28.222

Once, executed, a, sample, malware (MD5: a38d47fcfdaf14372cea3de850cf487d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ledyazilim.com - 213.128.83.163
hxxp://ksandrafashion.com - 166.78.145.90
hxxp://lafyeri.com - 69.172.201.153
hxxp://kulppasur.com - 52.28.249.128
hxxp://toalladepapel.com.ar

hxxp://trafficinc.ru, is, known, to, have, responded, to, 222.73.91.203

hxxp://trafficmonsterinc.ru, is, known, to, have, responded, to, 178.208.83.7; 178.208.83.27; 91.203.4.112

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: ce4e2e12ee16d5bde67a3dc2e3da634b
MD5: 4423e04fb3616512bf98b5a565fccdd7
MD5: 33f890c294b2ac89d1ee657b94e4341d
MD5: 1c5096c3ce645582dd18758fe523840a
MD5: 1efae0b0cb06faacae46584312a12504

Once, executed, a, sample, malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 4423e04fb3616512bf98b5a565fccdd7), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://topstat.mcdir.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 33f890c294b2ac89d1ee657b94e4341d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cadretest.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 1c5096c3ce645582dd18758fe523840a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hxxp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26

In, 2009, I, profiled, the, direct, compromise, of Embassy of India in Spain Serving Malware, further, detailing, the, malicious, activity, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On 2008-09-07, msn-analytics.net was registered using the palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 82.98.235.50, it then changed IPs on 2008-09-07 to 58.65.234.9, followed by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 2009-12-29, and to 85.249.229.195 on 2010-03-09.

On 2008-07-10, pinoc.org was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it responded to 58.65.234.9, it then changed IPs on 2008-08-17 to 91.203.92.13, followed by another change on 2008-08-24 to 58.65.234.9, followed by yet another change to 208.73.210.76 on 2009-10-03, and yet another change on 2009-10-06 to 96.9.186.245.

On 2008-09-20, wsxhost.net was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 wsxhost.net responded to 58.65.234.9, it then changed IPs on 2008-12-22 to 202.73.57.6, followed by another change on 2009-05-18 to 202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 213.163.89.54 on 2009-09-05.

On 2008-06-29 google-analyze.cn was registered using the johnvernet@gmail.com email.

Historically (up to present day) johnvernet@gmail.com is known to have registered the following domains:
hxxp://baidustatz.com
hxxp://edcomparison.com
hxxp://google-analyze.org
hxxp://google-stat.com
hxxp://kolkoman.com
hxxp://m-analytics.net
hxxp://pinalbal.com
hxxp://pornokman.com
hxxp://robokasa.com
hxxp://rx-white.com
hxxp://sig4forum.com
hxxp://thekapita.com
hxxp://visittds.com

msn-analytics.net, is, known, to, have, responded, to, 216.157.88.21; 85.17.25.214; 216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: eb95798965a18e7844f4c969803fbaf8
MD5: 106b6e80be769fa4a87560f82cd24b57
MD5: 519a9f1cb16399c515723143bf7ff0d0
MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5
MD5: 613e8c31edf4da1b8f8de9350a186f41

Once, executed, a, sample, malware (MD5: eb95798965a18e7844f4c969803fbaf8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://thinstall.abetterinternet.com - 85.17.25.214
hxxp://survey-winner.net - 94.229.72.117
hxxp://survey-winner.net - 208.91.196.145
hxxp://comedy-planet.com

Once, executed, a, sample, malware (MD5: 106b6e80be769fa4a87560f82cd24b57), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

Once, executed, a, sample, malware (MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://followfortieth.net
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

pinoc.org, is, known, to, have, responded, to, 103.224.212.222; 185.53.179.24; 185.53.179.9; 185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 000125b0d0341fc078c7bdb5b7996f9e
MD5: b3bbeaca85823d5c47e36959b286bb22
MD5: 4faa9445394ba4edf73dd67e239bcbca
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a
MD5: 38d07b2a1189eb1fd64296068fbaf08a

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://static.greatappsdownload.com - 54.230.187.48
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://ww1.os2.onlineapplicationsdownloads.com - 91.195.241.80

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://errors.myserverstat.com - 103.224.212.222

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://scripts.dlv4.com - 103.224.212.222
hxxp://ww38.scripts.dlv4.com - 185.53.179.29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://complaintsboard.com - 208.100.35.85
hxxp://7ew8gov.firoli-sys.com - 103.224.212.222
hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234
hxxp://q8x3kb.wwwmediahosts.com - 204.11.56.48

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newworldorderreport.com - 50.63.202.29
hxxp://69jh93.firoli-sys.com - 103.224.212.222
hxxp://bpvv11ndq5.wwwmediahosts.com - 204.11.56.48
hxxp://0dbhwuja.hdmediastore.com - 45.33.9.234

wsxhost.net, is, known, to, have, responded, to, 184.168.221.45; 50.63.202.82; 69.43.161.172

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 117036e5a7b895429e954f733e0acada
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be
MD5: 6e330742d22c5a5e99e6490de65fabd6
MD5: f1c9cd766817ccf55e30bb8af97bfdbb
MD5: 7f4145bc211089d9d3c666078c35cf3d

Once, executed, a, sample, malware (MD5: 117036e5a7b895429e954f733e0acada), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://amacweb.org
hxxp://superaffiliatehookup.com
hxxp://germanamericantax.com
hxxp://lineaidea.it
hxxp://speedysalesletter.com

Once, executed, a, sample, malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://allstatesdui.com - 50.63.202.36
hxxp://wellingtontractorparts.com - 72.167.232.158
hxxp://amacweb.org - 160.16.211.99
hxxp://nctcogic.org - 207.150.212.74

Once, executed, a, sample, malware (MD5: 6e330742d22c5a5e99e6490de65fabd6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://santele.be - 176.62.170.69
hxxp://fever98radio.com - 141.8.224.93
hxxp://brushnpaint.com - 74.220.219.132
hxxp://jameser.com - 54.236.195.15
hxxp://hillsdemocrat.com - 67.225.168.30

Once, executed, a, sample, malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://afterpeace.net - 195.38.137.100
hxxp://sellhouse.net - 184.168.221.45

Once, executed, a, sample, malware (MD5: 7f4145bc211089d9d3c666078c35cf3d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://forcerain.net
hxxp://afterrain.net - 50.63.202.43)
hxxp://forcerain.ru
hxxp://forceheld.net

google-analyze.cn, is, known, to, have, responded, to, 103.51.144.81; 184.105.178.89; 65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 50.117.122.90; 184.105.178.84; 50.117.116.204

Related malicious MD5s known to have phoned back to the same malicious C&C, server, IPs:
MD5: df05460b5e49cbba275f6d5cbd936d1d
MD5: 7732ffcf2f4cf1d834b56df1f9d815c9
MD5: 615eb515da18feb2b87c0fb5744411ac
MD5: 24fec5b3ac1d20e61f2a3de95aeb177c
MD5: 348eed9b371ddb2755eb5c2bfaa782ee

On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com email.

- google-analyze.org - Email: johnvernet@gmail.com - on, 2008-07-09, google-analyze.org , is, known, to, have, responded, to, 58.65.234.9, followed, by, a, hosting, change, on, 2008-08-17, with, google-analyze.org, responding, to, 91.203.92.13, followed, by, another, hosting, change, on, 2008-08-24, with, google-analyze.org, responding, to, 202.73.57.6.

- qwehost.com - Email: 4ykakabra@gmail.com - on, 2009-05-18, qwehost.com, is, known, to, have, responded, to, 202.73.57.11, followed, by, a, hosting, change, to, 202.73.57.11, followed, by, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 210.51.187.45.

- zxchost.com - Email: 4ykakabra@gmail.com - on, 2009-03-02, zxchost.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-25, pointing, to, 210.51.166.239.

- odile-marco.com - Email: OdileMarcotte@gmail.com - on, 2009-05-18, odile-marco.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 91.212.198.116.

- edcomparison.com - Email: johnvernet@gmail.com - on, 2009-05-18, edcomparison.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13,  this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 210.51.187.45.

- fuadrenal.com - Email: fuadrenalRay@gmail.com - on, 2009-01-26, fuadrenal.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, time, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.

- rx-white.com - Email: johnvernet@gmail.com - on, 2009-05-18, rx-white.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.

In, 2009, I, profiled, the, direct, compromise, of, Embassy of Portugal in India Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2009-03-30, ntkrnlpa.info, is, known, to, have, responded, to, 83.68.16.6. Related, domains, known, to, have, participated, in, the, same, campaign - betstarwager.cn; ntkrnlpa.cn.

In, 2007, I, profiled, the, direct, compromise, of, French Embassy in Libya Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2008-11-05, tarog.us (Email: bobby10@mail.zp.ua), used, to, respond, to, 67.210.13.94, followed, by, a, hosting, change, on, 2009-03-02, pointing, to, 208.73.210.121. Related, domains, known, to, have, participated, in, the, campaign: fernando123.ws; winhex.org - Email: ipspec@gmail.com

On, 2007-02-18, winhex.org, used, to, respond, to, 195.189.247.56, followed, by, a, hosting, change, on, 2007-03-03, pointing, to, 89.108.85.97, followed, by, yet, another, hosting, change, on, 2007-04-29, this, time, pointing, to, 203.121.71.165, followed, by, yet, another, hosting, change, on, 2007-08-19, this, time, pointing, to, 69.41.162.77.

On, 2007-11-23, kjlksjwflk.com (Email: sflgjlkj45@yahoo.com), used, to, respond, to, 58.65.239.114, followed, by, a, hosting, change, on, 2009-02-16, pointing, to, 38.117.90.45, followed, by, yet, another, hosting, change, on, 2009-03-09, this, time, pointing, to, 216.188.26.235.

In, 2009, I, profiled, the, direct, compromise, of, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Related, domains, known, to, have, participated, in, the, campaign:
- hxxp://filmlifemusicsite.cn; hxxp://promixgroup.cn; hxxp://betstarwager.cn; hxxp://clickcouner.cn

In, 2009, I, profiled, the, direct, compromise, of, USAID.gov compromised, malware and exploits served, further, establishing, a, direct, connection, between, the, gang's, activities, and, the, New, Media, Malware, Gang.

Related, domains, known, to, have, participated, in, the, campaign:
hxxp://should-be.cn - Email: admin@brut.cn; hxxp://orderasia.cn; hxxp://fileuploader.cn

In, 2007, I, profiled, the, direct, compromise, of, U.S Consulate St. Petersburg Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com), used, to, respond, to, 212.175.23.114, followed, by, a, hosting, change, on, 2007-09-07, pointing, to, 209.123.181.185, followed, by, yet, another, hosting, change, on, 2007-09-27, this, time, pointing, to, 88.255.90.50, followed, by, yet, another, hosting, change, on, 2008-11-11, this, time, pointing, to, 216.188.26.235.

What's, particularly, interested, about, the, gang's, activities, is, the, fact, that, back, in 2007, the, group, pioneered, for, the, first, time, the, utilization, of, Web, malware, exploitation, kits, further, utilizing, the, infrastructure, of, the, Russian, Business, Network, successfully, launching, a, multi-tude, of, malicious, campaigns, further, spreading, malicious, software, further, utilizing, the, infrastructure, of, the, Russian, Business, Network.

Related posts:
Syrian Embassy in London Serving Malware
USAID.gov compromised, malware and exploits served
U.S Consulate St. Petersburg Serving Malware
Bank of India Serving Malware
French Embassy in Libya Serving Malware
The Dutch Embassy in Moscow Serving Malware
Ethiopian Embassy in Washington D.C Serving Malware
Embassy of India in Spain Serving Malware
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware Continue reading →

Invitation to Join a Security Community

Dear blog readers, as I'm currently busy launching a private security community, I decided, to publicly announce, its, existence.

Topics of discussion:
- cybercrime research
- threat intelligence
- malicious software

Request an invite: dancho.danchev@hush.com Continue reading →

Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, malicious, releases, successfully, generating, hundreds, of, thousands, of, fraudulent, revenue, while, populating, their, botnet's, infected, population, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, active, malvertising, campaign, affecting, FoxNews, successfully, enticing, users, into, executing, malicious, software, on, the, the, affected, PCs, with, the, cybercriminals, behind, it, successfully, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, URL, redirection, chain:
hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174
    - hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)    
        - hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194
            - hxxp://http://redirectclicks.com/?accs=845&tid=339

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://truconv.com - 78.46.88.202

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (78.46.88.202):
MD5: 473e3615795609a091a2f2d3d1be2d00
MD5: 9e51c29682a6059b9b636db8bf7dcc25
MD5: 08a50ebcaa471cd45b3561c33740136d
MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1
MD5: fcdd2790dd5b1898ef8ee29092dca757

Once, executed, a, sample, malware (MD5: 473e3615795609a091a2f2d3d1be2d00), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yaskiya.cyberfight.de - 78.46.88.202

Once, executed, a, sample, malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://myweb111111.go.3322.org
hxxp://35free.net - 5.61.39.56
hxxp://newsoft1.go.3322.org
hxxp://newsoft11.go.3322.org

Once, executed, a, sample, malware (MD5: 08a50ebcaa471cd45b3561c33740136d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://darthvader.dyndns.tv
hxxp://www12.subdomain.com - 78.46.88.202

Once, executed, a, sample, malware (MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://tundeghanawork.co.gp - 78.46.88.202

Once, executed, a, sample, malware (MD5: fcdd2790dd5b1898ef8ee29092dca757), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsoft.go.3322.org - 221.130.179.36
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://users6.nofeehost.com - 67.208.91.110

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: c9ca43032633584ff2ae4e4d7442f123
MD5: a099766f448acd6b032345dfd8c5491d
MD5: da39ccb40b1c80775e0aa3ab7cefb4b0
MD5: 85750b93319bd2cf57e445e1b4850b08
MD5: e521b31eb97d6d25e3d165f2fe9ca3ba

Once, executed, a, sample, malware (MD5: c9ca43032633584ff2ae4e4d7442f123), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.tokoholapisa.com - 54.229.133.176
hxxp://down2load.net - 69.172.201.153
hxxp://cdn.download2013.net - 185.152.65.38

Once, executed, a, sample, malware (MD5: a099766f448acd6b032345dfd8c5491d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (176.74.176.178):
MD5: 116d07294fb4b78190f44524145eb200
MD5: f9e71f66e3aae789b245638a00b951a8
MD5: 1d6d4a64a9901985b8a005ea166df584
MD5: acfa1a5f290c7dd4859b56b49be41038
MD5: b63fd04a8cdf69fb7215a70ccd0aef27

Once, executed, a, sample, malware (MD5: 116d07294fb4b78190f44524145eb200), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.on86.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: f9e71f66e3aae789b245638a00b951a8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.linkbyte.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: 1d6d4a64a9901985b8a005ea166df584), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.pnmchgameserver.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: acfa1a5f290c7dd4859b56b49be41038), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.97dn.com - 45.125.35.85
hxxp://www.97wg.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: b63fd04a8cdf69fb7215a70ccd0aef27), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pajak.yogya.com - 69.172.201.153
hxxp://www.yogya.com
hxxp://return.uk.uniregistry.com - 176.74.176.178

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (64.95.64.194):
MD5: 7ca6214e3b75bc1f7a41aef3267afc29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freshtravel.net - 184.168.221.36
hxxp://experiencetravel.net - 217.174.248.145
hxxp://freshyellow.net
hxxp://experienceyellow.net
hxxp://freshclose.net
hxxp://experienceclose.net

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.43.161.174):
MD5: 674fca39caf18320e5a0e5fc45527ba4
MD5: 7017a26b53bc0402475d6b900a6c98ae
MD5: 0b61f6dfaddd141a91c65c7f290b9358
MD5: 4d5bc6b69db093824aa905137850e883
MD5: 201dee0da7b7807808d681510317ab59

Once, executed, a, sample, malware (MD5: 674fca39caf18320e5a0e5fc45527ba4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://aahydrogen.com - 208.73.210.214
hxxp://greatinstant.net
hxxp://ginsdirect.net
hxxp://autouploaders.net - 185.53.177.9

Once, executed, a, sample, malware (MD5: 7017a26b53bc0402475d6b900a6c98ae), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://w.wfetch.com - 69.43.161.174
hxxp://ww1.w.wfetch.com - 72.52.4.90

Once, executed, a, sample, malware (MD5: 4d5bc6b69db093824aa905137850e883), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://greattaby.com - 69.43.161.174
hxxp://ww41.greattaby.com - 141.8.224.79

Once, executed, a, sample, malware (MD5: 201dee0da7b7807808d681510317ab59), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://layer-ads.de - 69.43.161.174

Sample, URL, redirection, chain:
hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 208.73.210.215; 208.73.211.246; 82.98.86.178
    - hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst&l=370&f=cs_3506417142&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM - 208.91.197.46; 204.11.56.48; 204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12
        - hxxp://easywebchecklive.com/1/fileslist.js - 94.247.2.215
            - hxxp://78.47.132.222/a12/index2.php
                - hxxp://78.47.132.221/a12/pdf.php?u=i_7_0
                    - hxxp://78.47.132.221/a12/aff_12.exe?u=i_7_0&spl=4

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs (208.91.197.46):
MD5: b13f1af8fc426e350df11565dcf281e8
MD5: a189b3334fbd9cd357aedff22c672e9c
MD5: da53b068538ff03e2fc136c7d0816e39
MD5: ec08a877817c749597396e6b34b88e78
MD5: b9e7bf23de901280e62fd68090b5b8fa

Once, executed, a, sample, malware (MD5: b13f1af8fc426e350df11565dcf281e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.sslsecure1.com - 193.166.255.171
hxxp://staticrr.paleokits.net - 205.251.219.192
hxxp://dtrack.secdls.com
hxxp://staticrr.sslsecure1.com

Once, executed, a, sample, malware (MD5: a189b3334fbd9cd357aedff22c672e9c), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://staticrr.paleokits.net - 54.230.11.231
hxxp://staticrr.sslsecure1.com - 193.166.255.171
hxxp://staticrr.sslsecure2.com
hxxp://staticrr.sslsecure3.com - 208.91.197.46

Once, executed, a, sample, malware (MD5: ec08a877817c749597396e6b34b88e78), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://skyworldent.com
hxxp://solitaireinfo.com
hxxp://speedholidays.com - 206.221.179.26

Once, executed, a, sample, malware (MD5: b9e7bf23de901280e62fd68090b5b8fa), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com - 193.166.255.171
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com - 208.91.197.46

Related, malicious MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 969601cbf069a849197289e042792419

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's. infected, population, further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, active, malicious, black, hat, SEO (search engine optimization), type, of, malicious, campaign, serving, malicious, software, to, unsuspecting, users, further, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://notice-of-unreported-income-email.donatehalf.com
hxxp://911-pictures.jewishreference.com
hxxp://911-pictures.dpakman91.com
hxxp://9-11-quotes.midweekpolitics.com

Sample, URL, redirection, chain:
hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
    - hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
        - hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111
            - hxxp://vpizdutebygugol.xorg.pl/go4/
                - hxxp://http://free-checkpc.com/l/d709f38e78s84y76u - 193.169.12.5
                    - hxxp://safe-fileshere.com/s/w58238e9a6dh76k73r/setup.exe - 193.169.12.5

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (193.203.99.111):
MD5: b761960b60f2e5617b4da2e303969ff1
MD5: a27ae350b9d29b13749b14e376a00b52
MD5: adbad83fadc017d60972efa65eb3c230
MD5: b1323d4c7e1f6455701d49621edfb545
MD5: c166767c8aa7a8eee0d12a6d9646b3e8

Once, executed, a, sample, malware (MD5: b761960b60f2e5617b4da2e303969ff1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: a27ae350b9d29b13749b14e376a00b52), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://gwg.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: adbad83fadc017d60972efa65eb3c230), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://htu.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: b1323d4c7e1f6455701d49621edfb545), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://htu.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: c166767c8aa7a8eee0d12a6d9646b3e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: 7df300b01243a42b4ddff724999cd4f7

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://updatepcnow.com - 208.73.211.249
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (208.73.211.249):
MD5: 940be22f37e30c90d9fded842c23b24d
MD5: ef29c61908f678f313aa298343845175
MD5: 47f5002a0b9d312f28822d92a3962c81
MD5: ba83653117a6196d8b2a52fb168b8142
MD5: f29209f1ca6c4666207ea732c1f32978

Once, executed, a, sample, malware (MD5: 940be22f37e30c90d9fded842c23b24d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://softonic-analytics.net - 46.28.209.74
hxxp://superscan.sd.en.softonic.com - 46.28.209.70
hxxp://www.ledyazilim.com - 213.128.83.163

Once, executed, a, sample, malware (MD5: ef29c61908f678f313aa298343845175), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ksandrafashion.com - 208.73.211.173
hxxp://www.lafyeri.com
hxxp://kulppasur.com

Once, executed, a, sample, malware (MD5: 47f5002a0b9d312f28822d92a3962c81), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php

Once, executed, a sample, malware (MD5: ba83653117a6196d8b2a52fb168b8142), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://mhc.ir - 82.99.218.195
hxxp://naphooclub.com - 208.73.211.173
hxxp://mdesigner.ir - 176.9.98.58

Once, executed, a, sample, malware (MD5: f29209f1ca6c4666207ea732c1f32978), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (50.63.202.54):
MD5: 45497b47a6df2f6216b4c4bebc572dd3
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: 08db02c9873c0534656901d5e9501f46
MD5: 830b22b4a0520d1b46a493f03a6a0a66
MD5: 5ee1bfa766f367393782972718d4e82f

Once, executed, a, sample, malware (MD5: 45497b47a6df2f6216b4c4bebc572dd3), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz - 195.157.15.100

Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49

Once, executed, a, sample, malware (MD5: 08db02c9873c0534656901d5e9501f46), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://musicbroke.net - 195.22.28.210

Once, executed, a, sample, malware (MD5: 830b22b4a0520d1b46a493f03a6a0a66), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Once, executed, a, sample, malware (MD5: 5ee1bfa766f367393782972718d4e82f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (54.85.196.8):
MD5: 05288748ddccf2e5fedef5d9e8218fef
MD5: 08936ff676b062a87182535bce23d901
MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7
MD5: 8a7e330ad88dcb4ced3e5e843424f85f
MD5: bf3d996376663feaea6031b1114eb714

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://graves111.net - 64.86.17.47 - Email: gertrudeedickens@text2re.com
hxxp://lending10.com
hxxp://adriafin.com
hxxp://7sevenseas.com
hxxp://ironins.com
hxxp://trdatasft.com
hxxp://omeoqka.cn
hxxp://trustshield.cn
hxxp://capide.cn
hxxp://tds-soft.comewithus.cn
hxxp://graves111.net
hxxp://reversfor5.net
hxxp://limestee.net
hxxp://landlang.net
hxxp://langlan.net
hxxp://limpopos.net
hxxp://clarksinfact.net

Sample, URL, redirection, chain:
hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com
    - hxxp://checkvirus-zone.com/?p=

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: b157106188c2debab5d2f1337c708e35

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pencil-netwok.com/?act=fb&1=1&2=0&3= - 204.11.56.48; 204.11.56.45; 209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 3c3346426923504571f81caffdac698d
MD5: ad4244794693b41c775b324c4838982a
MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e
MD5: 0526944bfb43b14d8f72fd184cd8c259
MD5: 29932b0cb61011ffc4834c3b7586d956

Once, executed, a, sample, malware (MD5: 3c3346426923504571f81caffdac698d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.76.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once, executed, a, sample, malware (MD5: ad4244794693b41c775b324c4838982a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://banboon.com - 204.11.56.48
hxxp://bdb.com.my - 103.4.7.143
hxxp://baulaung.org - 52.28.249.128

Once, executed, a, sample, malware (MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cubingapi.com - 204.11.56.48
hxxp://error.cubingapi.com - 204.11.56.48

Once, executed, a, sample, malware (MD5: 0526944bfb43b14d8f72fd184cd8c259), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.77.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once, executed, a, sample, malware (MD5: 29932b0cb61011ffc4834c3b7586d956), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
hxxp://rms365x24.com - 166.78.145.90

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, newly, added, socially, engineered, users, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, a, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, utilizing, blackhat, seo (search engine optmization), for, traffic, acquisition, tactics, techniques, and procedures, potentially, exposing, hundreds, of, thousands, of, socially, engineered, users, to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, scareware, with, the, cybercriminals, behind, the, campaign, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, traffic, largely, relying, on, the, utilization, of, an, affiliate-network, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://blank_fax_forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 216.172.154.34; 205.164.24.44; 205.164.24.45 ->

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://aizvfnnd.cc - Email: janice@whiteplainsrealty.com
hxxp://blnrriwbd.cc - Email: janice@whiteplainsrealty.com
hxxp://crrhxzp.cc - Email: janice@whiteplainsrealty.com
hxxp://ihmedkgi.cc - Email: janice@whiteplainsrealty.com
hxxp://izdzhpdn.cc - Email: janice@whiteplainsrealty.com
hxxp://krnflff.cc - Email: janice@whiteplainsrealty.com
hxxp://lgixuql.cc - Email: janice@whiteplainsrealty.com
hxxp://lsxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://mkzjuoz.cc - Email: janice@whiteplainsrealty.com
hxxp://mobqmizg.cc - Email: janice@whiteplainsrealty.com
hxxp://mqapagelq.cc - Email: janice@whiteplainsrealty.com
hxxp://mrvgusfdu.cc - Email: janice@whiteplainsrealty.com
hxxp://nurzcycxm.cc - Email: janice@whiteplainsrealty.com
hxxp://orhhcunye.cc - Email: janice@whiteplainsrealty.com
hxxp://pdbpczh.cc - Email: janice@whiteplainsrealty.com
hxxp://pkuidxdy.cc - Email: janice@whiteplainsrealty.com
hxxp://qicpfwrx.cc - Email: janice@whiteplainsrealty.com
hxxp://ruhilmec.cc - Email: janice@whiteplainsrealty.com
hxxp://sxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://tcygfdmc.cc - Email: janice@whiteplainsrealty.com
hxxp://tlhaxfr.cc - Email: janice@whiteplainsrealty.com
hxxp://vcjggcbgj.cc - Email: janice@whiteplainsrealty.com
hxxp://xlnojaz.cc - Email: janice@whiteplainsrealty.com
hxxp://zdqvzdj.cc - Email: janice@whiteplainsrealty.com

Sample, malicious, redirector, used, in, the, campaign:
hxxp://bostofsten1.net

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (216.172.154.34):
MD5: ad04fd31e9868b073222b3fd2aac93f7
MD5: 103ecb766e0deb06ccbcea0a8046b4cb
MD5: eb0fab963cd37660956a7ab0c66715c2
MD5: 00da0096bd91e89e4059c428259a6cbb
MD5: 9b7f0e0ebf1656227de9f8f97dfd9141

Once, executed, a, sample, malicious, executable, (MD5:ad04fd31e9868b073222b3fd2aac93f7) phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://down.down988.cn - 65.19.157.228

Once, executed, a, sample, malicious, executable, (MD5:00da0096bd91e89e4059c428259a6cbb) phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cutalot.cn - 205.164.24.43

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (205.164.24.44):
hxxp://cycling20110829.usa.1204.net
hxxp://pepsizone.cn
hxxp://ysbr.cn
hxxp://interactsession-697593.regions.com.usersetup.cn
hxxp://ad.suoie.cn
hxxp://ycgezkpu.cn

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: cf7a53e66e397c29ea203e025c5d6465
MD5: 089886483353f93a36dd69f0776beace
MD5: 528ac8f94123aaa32058f0114b8e1fd2
MD5: 4e8405bb398509f17242c0b9f614d6e4
MD5: a364d4fe887e2e40bc1ec67ad6f9aa31

Once, executed, a, sample, malware (MD5:cf7a53e66e397c29ea203e025c5d6465), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://blenderartists.org - 141.101.125.180
hxxp://xibudific.cn - 50.117.122.92
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://hardwareindexx.com
hxxp://hardwareindexx.com.ovh.net

Once, executed, a, sample, malware (MD5:089886483353f93a36dd69f0776beace), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freeonlinedatingtips.net - 204.197.252.70
hxxp://xibudific.cn - 216.172.154.38
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://searchfeedbook.com
hxxp://searchfeedbook.com.ovh.net

Once, executed, a, sample, malware (MD5:528ac8f94123aaa32058f0114b8e1fd2), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://historykillerpro.com - 192.254.233.158
hxxp://motherboardstest.com - 195.22.26.252
hxxp://dolbyaudiodevice.com
hxxp://dolbyaudiodevice.com.ovh.net
hxxp://xibudific.cn - 50.117.116.204

Once, executed, a, sample, malware (MD5:4e8405bb398509f17242c0b9f614d6e4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pcskynet.cn
hxxp://gamepknet.cn
hxxp://pcskynet.cn.ovh.net
hxxp://gamepknet.cn.ovh.net
hxxp://yes16800.cn
hxxp://yes16800.cn.ovh.net

Once, executed, a, sample, malware (MD5:a364d4fe887e2e40bc1ec67ad6f9aa31), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://136136.com - 61.129.70.87
hxxp://xibudific.cn - 50.117.122.92
hxxp://hothintspotonline.com
hxxp://hothintspotonline.com.ovh.net
hxxp://hardwareindexx.com

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (205.164.24.45):
hxxp://17mv.com
hxxp://criding.com
hxxp://criding.com
hxxp://17mv.com
hxxp://baudu.com
hxxp://pwgo.cn
hxxp://suqiwyk.cn
hxxp://verringo.cn

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
MD5: 9905ba7c00761a792ad8a361b4de71ea
MD5: b83c68f7d09530181908d513eb30a002
MD5: 78941c2c4b05f8af9a31a9f3d4c94b57
MD5: 7a1b6153a3f00c430b09f1c7b9cf7a77
MD5: 2776c972fa934fd080f5189be7c98a77

Once, executed, a, sample, malware, phones, back, to, the, following, maliciuos, C&C, server, IPs:
hxxp://down.down988.cn - 50.117.122.91

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://imagehut4.cn - 50.117.122.91

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yingzi.org.cn - 50.117.116.205

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://qmmmm.com.cn - 50.117.122.94

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://down.down988.cn - 50.117.122.94

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Hundreds of Malicious Web Sites Serve Client-Side Exploits, Lead to Rogue YouTube Video Players

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, a, botnet's, infected, population, further, spreading, malicious, software, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, potentially, exposing, the, affected, user, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, access, to, the, malware-infected, hosts, largely, relying, on, the, use, of, affiliate-network, based, type, of, fraudulent, revenue, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, users, into, clicking, on, bogus, and, rogue, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, ultimately, attempting, to, socially, engineer, users, into, interacting, with, rogue, YouTube, Video, Players, ultimately, dropping, fake, security, software, also, known, as, scareware, on, the, affected, hosts, with, the, cybercriminals, behind, the, campaign, actively, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, URL, redirection, chain:
hxxp://acquaintive.in/x.html - 208.87.35.103
    - hxxp://xxxvideo-hlyl.cz.cc/video7/?afid=24 - 63.223.117.10
            - hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: enquepuedo.senior@gmail.com
                - hxxp://binarymode.in/topic/exe.php?x=jjar
                    - hxxp://binarymode.in/topic/?showtopic=ecard&bid=151&e=post&done=image

Related, malicious, MD5s, known, to, have, responded, to, the, same, C&C, server, IPs (208.87.35.103):
MD5: a12c055f201841f4640084a70b34c0c4
MD5: b4d435f15d094289839eac6228088baf
MD5: 2782220da587427b981f07dc3e3e0d96
MD5: 1151cd39495c295975b8c85bd4b385e5
MD5: 2539d5d836f058afbbf03cb24e41970c

Once, executed, a, sample, malware (MD5: a12c055f201841f4640084a70b34c0c4), phones, back, to, the, following, C&C, server, IPs:
hxxp://926garage.com - 185.28.193.192
hxxp://quistsolutions.eu - 188.165.239.53
hxxp://rehabilitacion-de-drogas.org - 188.240.1.110
hxxp://bcbrownmusic.com - 69.89.21.66
hxxp://andzi0l.5v.pl - 46.41.150.7
hxxp://alsaei.com - 192.186.194.133

Once, executed, a, sample, malware (MD5: 2782220da587427b981f07dc3e3e0d96), phones, back, to, the, following, C&C, server, IPs:
hxxp://lafyeri.com
hxxp://kulppasur.com - 209.222.14.3
hxxp://toalladepapel.com.ar - 184.168.57.1
hxxp://www.ecole-saint-simon.net - 208.87.35.103

Once, executed, a, sample, malware (MD5: 2539d5d836f058afbbf03cb24e41970c), phones, back, to, the, following, C&C, server, IPs:
hxxp://realquickmedia.com (208.87.35.103)

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (109.74.195.149):
hxxp://trustidsoftware.com
hxxp://tc28q8cxl2a5ljwa60skl87w6.cdx1cdx1cdx1.in
hxxp://golubu6ka.com
hxxp://cdx2cdx2cdx2.in
hxxp://redmewire.com
hxxp://5zw3t6jq8fiv9jtdqg23.cdx2cdx2cdx2.in
hxxp://es3iz6lb0pet3ix6la0p.cdx2cdx2cdx2.in
hxxp://qsd79bd0j8f7c90e057a.cdx1cdx1cdx1.in
hxxp://w8ncqpet2hx5kf9mbr1a.cdx1cdx1cdx1.in
hxxp://skygaran4ik.com
hxxp://5xj7wk9amqcpse2ug4ve.cdx1cdx1cdx1.in
hxxp://readrelay.com
hxxp://bk5sbm7xgo6vk0e6b3xc.cdx1cdx1cdx1.in
hxxp://d51f1qam8wi15wpxmtjq.cdx2cdx2cdx2.in
hxxp://wxvtsr98642pomligfed.cdx2cdx2cdx2.in
hxxp://zonkjhgebawzvsq09753.cdx1cdx1cdx1.in
hxxp://nightphantom.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (109.74.195.149):
MD5: a6c06a59da36ee1ae96ffaff37d12f28
MD5: 2d1bb6ca54f4c093282ea30e2096af0f
MD5: adf037ecbd4e7af573ddeb7794b61c40
MD5: ce7d4a493fc4b3c912703f084d0d61e1
MD5: c36941693eeef3fa54ca486044c6085a

Once, executed, a, sample, malware (MD5:a6c06a59da36ee1ae96ffaff37d12f28), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 109.74.195.149
hxxp://zeplost.com - 109.74.195.149

Once, executed, a, sample, malware (MD5:2d1bb6ca54f4c093282ea30e2096af0f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://qweplost.com - 109.74.195.149

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (96.126.106.156):
hxxp://checkwebspeed.net
hxxp://gercourses.com
hxxp://replost.com
hxxp://boltoflexaria.in
hxxp://levartnetcom.net
hxxp://boltoflex.in
hxxp://borderspot.net
hxxp://diathbsp.in
hxxp://ganzagroup.in
hxxp://httpsstarss.in
hxxp://missingsync.net
hxxp://qqplot.com
hxxp://evelice.in
hxxp://gotheapples.com
hxxp://surfacechicago.net
hxxp://zeplost.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0183a687365cc3eb97bb5c2710952f95
MD5: f1e3030a83fa2f14f271612a4de914cb
MD5: 97269450de58ef5fb8d449008e550bf0
MD5: c83962659f6773b729aa222bd5b03f2f
MD5: e0aa08d4d98c3430204c1bb6f4c980e1

Once, executed, a, sample, malware (MD5:0183a687365cc3eb97bb5c2710952f95), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 96.126.106.156

Once, executed, a, sample, malware (MD5:f1e3030a83fa2f14f271612a4de914cb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://gercourses.com/borders.php

Once, executed, a, sample, malware (MD5:97269450de58ef5fb8d449008e550bf0), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://checkwebspeed.net - 96.126.106.156

Once, executed, a, sample, malware (MD5:c83962659f6773b729aa222bd5b03f2f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://checkwebspeed.net - 96.126.106.156

Once, executed, a, sample, malware (MD5:e0aa08d4d98c3430204c1bb6f4c980e1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 96.126.106.156

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Koobface Gang Utilizes, Google Groups, Serves, Scareware and Malicious Software

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, populating, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affecting, Google Groups, potentially, exposing, users, to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, scareware, further, enticing, users, into, interacting, with, the, bogus, links, potentially, exposing, their, devices, to, a, multi-tude, of, malicious, software.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, between, the, campaign, and, the, Koobface, gang.

Related, malicious, rogue, content, URLs, known, to, have, participated, in, the, campaign:
- anisimivachev17 - 1125 messages
- ilariongrishelev24 - 1099 messages
- yuvenaliyarzhannikov15 - 1108 messages
- burniemetheny52 - 1035 messages
- mengrug - 1090 messages
- silabobrov27 - 1116 messages

Related, malicious, URls, known, to, have, participated, in, the, campaign:
hxxp://wut.im/343535
hxxp://tpal.us/wedding2
hxxp://shrtb.us/New_year_video
hxxp://snipurl.com/tx2r6
hxxp://www.tcp3.com/helga-4315
hxxp://budurl.com/egph
hxxp://flipto.com/jokes/
hxxp://rejoicetv.info/newyear
hxxp://fauz.me/?livetv
hxxp://go2.vg/funnykids
hxxp://usav.us/anecdotes
hxxp://vaime.org/joke
hxxp://theflooracle.com/mistakes
hxxp://dashurl.com/video-jokes
hxxp://www.shortme.info/smileykids/
hxxp://starturl.com/clip32112
hxxp://starturl.com/rebeca
hxxp://starturl.com/video2231
hxxp://starturl.com/funclip
hxxp://starturl.com/sexchat
hxxp://snipurl.com/tx2r6
hxxp://www.41z.com/animals
hxxp://www.rehttp.com/?smileykids
hxxp://starturl.com/adamaura
hxxp://mytinyurls.com/wfj
hxxp://budurl.com/egph

Sample, detection, rate, for, a, malicious, executable:
MD5: 1e0d06095a32645c3f57f1b4dcbcfe5c

Sample, malicious, URL, involved, in, the, campaign:
hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - Bobby.J.Hyatt@gmail.com

Parked there are also:
hxxp://networkstabilityinc .com - Email: juliacanderson@pookmail.com; marcusmhuffaker@mailinator.com; justinpnelson@dodgit.com
hxxp://indiansoftwareworld .com - Email: thelmamhandley@trashymail.com; leanngscofield@gmail.com; ernestygresham@trashymail.com
hxxp://antyvirusdevice .com - Email: latonyawmiller@pookmail.com; royawiley@pookmail.com; gracegoshea@pookmail.com; latonyawmiller@pookmail.com
hxxp://digitalprotectionservice .com - Email: clarencepfetter@trashymail.com; jamesdrobinson@pookmail.com; jamesdrobinson@pookmail.com; clarencepfetter@trashymail .com
hxxp://bestantyvirusservice .com - Email: kathrynrsmith@gmail.com; richardbhughey@gmail.com; joshuamwest@trashymail.com; kathrynrsmith@gmail.com
hxxp://antivirussoftrock .com - Email: michaelaturner@trashymail.com; gracemparker@trashymail.com; cliffordsfernandez@pookmail.com; michaelaturner@trashymail.com
hxxp://antywiramericasell .com - Email: Shannon.J.Ferguson@gmail.com
hxxp://antydetectivewaemergencyroom .com - Email: brettdpetro@gmail.com; valeriejweaver@dodgit.com; williekharris@mailinator.com; brettdpetro@gmail.com
hxxp://freeinternetvacation .com - Email: edwardmyoung@trashymail.com; aileenasaylor@gmail.com; williamjoverby@trashymail.com; edwardmyoung@trashymail.com
hxxp://aolbillinghq .com - Email: haroldamccarthy@trashymail.com; teodoromkeller@trashymail.com; joanswhite@dodgit.com; haroldamccarthy@trashymail.com
hxxp://scanserviceprovider .com - Email: rogerdmurphy@gmail.com; charlescvalentino@mailinator.com; eliarmcdonald@trashymail.com; rogerdmurphy@gmail.com
hxxp://securitytoolsquotes .com - Email: thurmanepidgeon@dodgit.com; jessicapgrady@dodgit.com; jamesmcummings@trashymail.com; thurmanepidgeon@dodgit.com
hxxp://electionprogress .com - Email: clarenceafloyd@pookmail.com; junerwurth@pookmail.com; edjbaxter@gmail.com; clarenceafloyd@pookmail.com
hxxp://myantywiruslist .com - Email: Nathan.S.Dennis@gmail.com
hxxp://antyspywarelistnow .com - Email: James.M.Miller@gmail.com
hxxp://securitylabtoday .com - Email: Marc.N.Torres@gmail.com
hxxp://yournecessary .com - Email: debrahbettis@gmail.com; myracbryant@dodgit.com; marycwilliams@dodgit.com; debrahbettis@gmail.com
hxxp://securityutilitysite .net - Email: michellemwelch@mailinator.com; charlesdfrazier@trashymail.com; rosaliejhumphrey@pookmail.com; michellemwelch@mailinator.com
hxxp://securitytoolsshop .net - Email: sarajgunter@gmail.com; kerstinrbray@gmail.com; keithrdejesus@mailinator.com; sarajgunter@gmail.com
hxxp://securitytooledit .net - Email: byronlross@pookmail.com; jamesslewis@mailinator.com; leighschancey@trashymail.com; byronlross@pookmail.com
hxxp://portsecurityutility .net - Email: marquettacpettit@trashymail.com; melindakbolin@pookmail.com; rhondaehipp@mailinator.com; marquettacpettit@trashymail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 4a3e8b6b7f42df0f26e22faafaa0327f
MD5: 64a111acdc77762f261b9f4202e98d29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsekuritylist.com/in.php?affid=92600
hxxp://newsekuritylist.com/in.php?affid=92600

Sample, URL, redirection, chain:
hxxp://rejoicetv.info/newyear
    - hxxp://91.207.4.19/tds/go.php?sid=3
        - hxxp://liveeditionpc.net?uid=297&pid=3&ttl=11845621a62 - 95.169.187.216 - korn989.net; liveeditionpc.net; createpc-pcscan-korn.net
            - hxxp://www1.hotcleanofyour-pc.net/p=== - 98.142.243.174 - live-guard-forpc.net is also parked there:

Sample, detection, rate, for, a, malicious, executable:
MD5: 4912961c36306d156e4e2b335c51151b

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://update2.pcliveguard.com/index.php?controller=hash - 124.217.251.99
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://securityearth.cn/Reports/MicroinstallServiceReport.php - 210.56.53.125

Sample, URL, redirection, chain:
hxxp://garlandvenit.150m.com
    - hxxp://online-style2.com
        - hxxp://scanner-malware15.com/scn3/?engine=
            - hxxp://scanner-malware15.com/download.php?id=328s3

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://eclipserisa.150m.com
hxxp://adamaura.150m.com
hxxp://hugodinah.150m.com
hxxp://roycesylvia.150m.com
hxxp://lindaagora.150m.com
hxxp://sharolynpam.150m.com
hxxp://letarebeca.150m.com
hxxp://letarebeca.150m.com

Sample, URL, redirection, chain:
hxxp://egoldenglove.com/Images/bin/movie/
    - hxxp://egoldenglove.com/Images/bin/movie/Flash_Update_1260873156.exe

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://2-weather.com/?pid=328s03&sid=3593b2&d=3&name=Loading%20video - 66.197.160.104 -mail@tatrum-verde.com
hxxp://scanner-spya8.com/scn3/?engine= - info@gainweight.com -

Sample, detection, rate, for, a, malicious, executable:
MD5: bfaba92c3c0eaec61679f03ff0eb0911

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://91.212.226.185/download/winlogo.bmp (windowsaltserver.com)

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum-verde.com
hxxp://2-weather.com - 193.104.22.202 - - Email: mail@tatrum-verde.com - currently embedded on Koobface-infected hosts pushing scareware

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com
hxxp://scanner-malware15.com - Email: info@natural-health.org

Related, malicious, IPs, known, to, have, participated, in, the, campaign:
hxxp://68.168.212.142
hxxp://91.212.226.97
hxxp://66.197.160.105

Parked on 68.168.212.142:
hxxp://antispywareguide20 .com - Email: contacts@vertigo.us
hxxp://antispywareguide22 .com - Email: contacts@vertigo.us
hxxp://antispywareguide23 .com - Email: contacts@vertigo.us
hxxp://antispywareguide25 .com - Email: contacts@vertigo.us
hxxp://antispywareguide27 .com - Email: contacts@vertigo.us
hxxp://antispywaretools10 .com - Email: contacts@vertigo.us
hxxp://antispywaretools11 .com - Email: contacts@vertigo.us
hxxp://antispywaretools12 .com - Email: contacts@vertigo.us
hxxp://antispywaretools17 .com - Email: contacts@vertigo.us
hxxp://antispywaretools18 .com - Email: contacts@vertigo.us
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://birthday-gifts2 .com - Email: TheodoreWTurner@live.com
hxxp://christmasdecoration2 .com - Email: contact@trythreewish.us
hxxp://computerscanm0 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm2 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm4 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm6 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm8 .com - Email: JamesNTurner@yahoo.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com

hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com
hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://pc-antispyo3 .com
hxxp://pc-antispyo5 .com
hxxp://pc-antispyo6 .com
hxxp://pc-antispyo9 .com
hxxp://pc-securityv8 .com - Email: info@billBlog.com
hxxp://protect-pca1 .com
hxxp://protect-pcr1 .com
hxxp://protect-pct1 .com
hxxp://protect-pcu1 .com

hxxp://quick-antispy91 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy92 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy93 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy95 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy99 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner2 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner4 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner6 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner77 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner78 .com - Email: williams.trio@yahoo.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://safe-pc01 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc02 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc03 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc07 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc09 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc002 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc004.com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc009 .com - Email: JamesNTurner@yahoo.com
hxxp://scan-and-secure01 .com
hxxp://scan-and-secure04 .com
hxxp://scan-and-secure06 .com
hxxp://scan-and-secure07 .com
hxxp://scan-and-secure09 .com
hxxp://scan-computerab .com
hxxp://scan-computere0 .com

hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org
hxxp://securitysoftware1 .com
hxxp://securitysoftware3 .com
hxxp://securitysoftware5 .com
hxxp://securitysoftwaree .com
hxxp://securitysoftwaree7 .com
hxxp://security-softwareo1 .com
hxxp://security-softwareo5 .com
hxxp://security-softwareo7 .com
hxxp://unique-gifts2 .com - Email: contact@trythreewish.us
hxxp://unusual-gifts2 .com - Email: contact@trythreewish.us
hxxp://xmas-song .com - Email: contact@trythreewish.us

Parked on 91.212.226.97; 66.197.160.105:
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com
hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com

hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org

Parked on 66.197.160.104:
hxxp://2activities.com - Email: mail@tatrum-verde.com
hxxp://2-scenes.com - Email: mail@tatrum-verde.com
hxxp://2-weather.com - Email: mail@tatrum-verde.com
hxxp://online-fun2 .com - Email: mail@tatrum-verde.com
hxxp://online-news2.com - Email: mail@tatrum-verde.com
hxxp://online-style2 .com - Email: mail@tatrum-verde.com
hxxp://online-tv2.com - Email: mail@tatrum-verde.com
hxxp://snow-and-fun2 .com - Email: mail@tatrum-verde.com
hxxp://winterart2 .com - Email: info@territoryplace.us
hxxp://winterchristmas2 .com - Email: info@territoryplace.us
hxxp://wintercrafts2 .com - Email: info@territoryplace.us
hxxp://winterkids2 .com - Email: info@territoryplace.us
hxxp://winterphotos2 .com - Email: info@territoryplace.us
hxxp://winterpicture2 .com - Email: info@territoryplace.us
hxxp://winterscene2 .com - Email: info@territoryplace.us
hxxp://winterwallpaper2 .com - Email: info@territoryplace.us

What's particularly, interesting, about, this, particular, campaign, is, the, direct, connection, with, the, Koobface, gang, taking, into, consideration, the, fact, that, hxxp://redirector online-style2.com/?pid=312s03&sid=4db12f has, also, been, used, by, Koobface-infected hosts, and, most, importantly, the, fact, that, a, sampled, scareware, campaign from December 2009, were serving scareware parked on 193.104.22.200, where the Koobface scareware portfolio is parked, as, previously, profiled, and, analyzed.

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Related posts:
Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign Continue reading →

Historical OSINT - Rogue MyWebFace Application Serving Adware Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, further, spreading, malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, users, into, executing, a, malicious, software, largely, relying, on, basic, visual, social, engineering, enticing, users, into, executing, a, rogue, application, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, host.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domain, reconnaissance:
hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 66.235.119.48
hxxp://mywebface.mywebsearch.com - 74.113.233.64; 74.113.233.180

Sample, detection, rate, for, a, malicious, executable:
MD5: b32acfece8089e52fa2288cb421fa9de

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (74.113.233.48; 74.113.237.48; 66.235.119.48):
hxxp://myinfo.mywebsearch.com
hxxp://dl.mywebsearch.com
hxxp://tbedits.mywebsearch.com
hxxp://celebsauce.dl.mywebsearch.com
hxxp://bfc.mywebsearch.com
hxxp://bar.mywebsearch.com
hxxp://int.search.mywebsearch.com
hxxp://inboxace.dl.mywebsearch.com
hxxp://internetspeedtracker.dl.mywebsearch.com
hxxp://mywebface.dl.mywebsearch.com
hxxp://easypdfcombine.dl.mywebsearch.com
hxxp://onlinemapfinder.dl.mywebsearch.com
hxxp://eliteunzip.dl.mywebsearch.com
hxxp://mytransitguide.dl.mywebsearch.com
hxxp://packagetracer.dl.mywebsearch.com
hxxp://myway.mywebsearch.com
hxxp://helpint.mywebsearch.com
hxxp://zwinky.dl.mywebsearch.com
hxxp://weatherblink.dl.mywebsearch.com
hxxp://videoscavenger.dl.mywebsearch.com
hxxp://videodownloadconverter.dl.mywebsearch.com
hxxp://translationbuddy.dl.mywebsearch.com
hxxp://totalrecipesearch.dl.mywebsearch.com
hxxp://televisionfanatic.dl.mywebsearch.com
hxxp://retrogamer.dl.mywebsearch.com
hxxp://myscrapnook.dl.mywebsearch.com
hxxp://myfuncards.dl.mywebsearch.com
hxxp://gamingwonderland.dl.mywebsearch.com
hxxp://dictionaryboss.dl.mywebsearch.com
hxxp://astrology.dl.mywebsearch.com
hxxp://utmtrk2.mywebsearch.com
hxxp://utm2.mywebsearch.com
hxxp://utm.trk.mywebsearch.com
hxxp://utm.mywebsearch.com
hxxp://ak.ssl.toolbar.mywebsearch.com
hxxp://www122.mywebsearch.com
hxxp://couponalert.dl.mywebsearch.com
hxxp://help.mywebsearch.com
hxxp://srchsugg.mywebsearch.com
hxxp://utm.gr.mywebsearch.com
hxxp://utmtrk.gr.mywebsearch.com
hxxp://dp.mywebsearch.com
hxxp://download.mywebsearch.com
hxxp://www64.mywebsearch.com
hxxp://filmfanatic.mywebsearch.com
hxxp://mywebface.mywebsearch.com
hxxp://fromdoctopdf.dl.mywebsearch.com
hxxp://www173.mywebsearch.com
hxxp://www153.mywebsearch.com
hxxp://www170.mywebsearch.com
hxxp://www176.mywebsearch.com
hxxp://www155.mywebsearch.com
hxxp://www186.mywebsearch.com
hxxp://www156a.mywebsearch.com
hxxp://www187.mywebsearch.com
hxxp://www198.mywebsearch.com
hxxp://www154.mywebsearch.com
hxxp://cfg.mywebsearch.com
hxxp://mapsgalaxy.dl.mywebsearch.com
hxxp://edits.mywebsearch.com
hxxp://www.mywebsearch.com
hxxp://enable.mywebsearch.com
hxxp://live.mywebsearch.com
hxxp://config.mywebsearch.com
hxxp://anx.mywebsearch.com
hxxp://bstat.mywebsearch.com
hxxp://updates.mywebsearch.com
hxxp://home.mywebsearch.com
hxxp://search.mywebsearch.com
hxxp://stats.mywebsearch.com
hxxp://akd.search.mywebsearch.com
hxxp://ak2.home.mywebsearch.com
hxxp://ak.search.mywebsearch.com
hxxp://ak.toolbar.mywebsearch.com

Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
MD5: 83cdb402fcd68947f7519eaad515fa5a
MD5: 6b31cc25e68d5d008e319c4a1c8c4098
MD5: f2392d18a266f554743b495b4e71b2be
MD5: 9bcaeb5b4bdd6b9e22852a98ca630914
MD5: 4fd260e17ca40a31a7baace9af1b7db9

Once, executed, a, sample, malware, (MD5: 83cdb402fcd68947f7519eaad515fa5a), phones, back, to, the, following, C&C, server, IPs:
hxxp://178.150.139.157/search.htm
hxxp://sev2012.com/page_click.php - 141.8.224.239; 54.72.9.51; 91.220.131.33; 91.236.116.20
hxxp://62.122.107.119/install.htm

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (178.150.139.157), are, also, the, following, malicious, domains:
hxxp://cejzesu.com
hxxp://hqyibul.wuwykym.net

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: c92a9961e6096eb7af3a34e9e48114f1
MD5: 25789eec9e0d4b5cdf184bf41460808e
MD5: 1a72e482e6ec352ae4c9206b92776f01
MD5: e22a0fd64e5b6193be655cc29ed19755
MD5: fe8a027fd45ec9621b34a20bc907fb2c

Once, executed, a, sample, malware (MD5: c92a9961e6096eb7af3a34e9e48114f1), phones, back, to, the, following, C&C, server, IPs:
http://178.150.244.54/mod2/mentalc.exe
http://178.150.139.157/mod1/mentalc.exe

Once, executed, a, sample, malware (MD5: 25789eec9e0d4b5cdf184bf41460808e), phones, back, to, the, following, C&C, server, IPs:
http://95.180.66.40/mod2/b0ber01.exe
http://91.245.79.46/mod1/b0ber01.exe
http://178.150.139.157/mod1/b0ber01.exe

Once, executed, a, sample, malware (MD5: 1a72e482e6ec352ae4c9206b92776f01), phones, back, to, the, following, C&C, server, IPs:
http://77.123.73.34/keybex4.exe
http://178.150.139.157/keybex4.exe

Once, executed, a, sample, malware (MD5: e22a0fd64e5b6193be655cc29ed19755), phones, back, to, the, following, C&C, server, IPs:
http://176.194.18.198/mod2/ozersid.exe
http://176.110.28.238/mod1/ozersid.exe
http://46.73.67.61/mod2/ozersid.exe
http://178.150.209.116/mod2/ozersid.exe
http://178.150.139.157/mod2/ozersid.exe
http://193.32.14.186/mod1/ozersid.exe
http://46.211.9.37/mod1/ozersid.exe

Once, executed, a, sample, malware (MD5: fe8a027fd45ec9621b34a20bc907fb2c), phones, back, to, the, following, C&C, server, IPs:
http://178.150.139.157/welcome.htm
http://77.122.28.206/default.htm
http://77.122.28.206/online.htm
http://mydear.name/page_umax.php

Once, executed, a, sample, malware, (MD5: 6b31cc25e68d5d008e319c4a1c8c4098), phones, back, to, the, following, C&C, server, IPs:
hxxp://cytpaxiz.us/rasta01.exe
hxxp://60.36.47.71/file.htm
hxxp://219.204.4.3/search.htm

Once, executed, a, sample, malware, (MD5: f2392d18a266f554743b495b4e71b2be), phones, back, to, the, following, C&C, server, IPs:
hxxp://46.121.221.173/start.htm
hxxp://burhyyal.epfusgy.com/calc.exe
hxxp://178.150.138.2/install.htm

Once, executed, a, sample, malware, (MD5: 9bcaeb5b4bdd6b9e22852a98ca630914), phones, back, to, the, following, C&C, server, IPs:
hxxp://159.224.191.47/install.htm
hxxp://109.87.184.7/setup.htm

Once, executed, a, sample, malware, (MD5: 4fd260e17ca40a31a7baace9af1b7db9), phones, back, to, the, following, C&C, server, IPs:
hxxp://178.158.237.37/welcome.htm
hxxp://178.165.13.17/home.htm

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (74.113.233.48):
MD5: a3470a214ec34f7a0b9330e44af80714
MD5: 31593f94936e63152d35ca682fb9ef0b
MD5: eb003b7665b34f6ed3a7944e4254ad2d
MD5: ed1c465beca9596a9031580d1093cb13
MD5: cace61ddd8f8e30cf1f52f9ad6c66578

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://home.mywebsearch.com - 74.113.233.48
hxxp://akd.search.mywebsearch.com - 5.178.43.17
hxxp://ak.imgfarm.com - 90.84.60.81
hxxp://anx.mywebsearch.com - 74.113.233.187

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 11ddcf7bd806c9ef24cc84a440629e68
MD5: 8c1e63b34c678b48c63ba369239d5718
MD5: 10b4c54646567dcee605f5c36bfa8f17
MD5: 70dbce98f1d62c03317797a1dd3da151
MD5: ee00f47a51e91a1f70a5c7a0086b7220

Once, executed, a, sample, malware (MD5: 11ddcf7bd806c9ef24cc84a440629e68), phones, back, to, the, following, malicious, C&C, server, IPs:
http://78.62.197.14/online.htm
http://89.46.92.232/welcome.htm
http://89.46.92.232/login.htm

Once, executed, a, sample, malware (MD5: 8c1e63b34c678b48c63ba369239d5718), phones, back, to, the, following, malicious, C&C, server, IPs:
http://109.251.217.207/home.htm
http://109.251.217.207/login.htm

Once, executed, a, sample, malware, (MD5: 10b4c54646567dcee605f5c36bfa8f17), phones, back, to, the, following, malicious, C&C, server, IPs:
http://91.221.219.12/setup.htm

Once, executed, a, sample, malware, (MD5: 70dbce98f1d62c03317797a1dd3da151), phones, back, to, the, following, malicious, C&C, server, IPs:
http://89.229.4.22/install.htm
http://89.229.4.22/default.htm

Once, executed, a, sample, malware (MD5: ee00f47a51e91a1f70a5c7a0086b7220), phones, back, to, the, following, malicious, C&C, server, IPs:
http://89.229.4.22/install.htm
http://89.229.4.22/default.htm

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Google Docs Hosted Rogue Chrome Extension Serving Campaign Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, while, earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, malware-infected, hosts, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affecting, Google Docs, while, successfully, enticing, socially, engineered, users, into, clicking, on, bogus, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, successfully, exposing, socially, engineered, users, to, a, rogue, Chrome Extension.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.

Sample, URL, redirection, chain:
https://1364757661090.docs.google.com/presentation/d/1w5eh2rh6i0pbuVjb4_MzBNPEovRw3f6qiho7AshTcHI/htmlpresent?videoid=1364757661199 -> http://www.worldvideos.us/chrome.php -> https://chrome.google.com/webstore/detail/high-solution/jokhejlfefegeolonbckggpfggipmmim

Related, malicious, domain, reconnaissance:
hxxp://worldvideos.us - 89.19.10.194
ns1.facebookhizmetlerim.com
ns2.facebookhizmetlerim.com

Responding to 89.19.10.194 are also the following fraudulent domains part of the campaign's infrastructure:
hxxp://e-sosyal.biz
hxxp://facebookhizmetlerim.com
hxxp://facebookmedya.biz
hxxp://facebooook.biz
hxxp://fbmedyahizmetleri.com
hxxp://sansurmedya.com
hxxp://sosyalpaket.com
hxxp://worldmedya.net
hxxp://youtubem.biz

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (208.73.211.70):
hxxp://396p4rassd2.youlovesosoplne.net
hxxp://5q14.zapd.co
hxxp://airmats.com
hxxp://amciksikis.com
hxxp://anaranjadaverzochte.associate-physicians.org
hxxp://autorepairmanual.org
hxxp://blackoutblinds.com
hxxp://blog.jmarkafghans.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (208.73.211.70):
MD5: 584a779ae8cdea13611ff45ebab517ae
MD5: cea89679058fe5a5288cfacc1a64e431
MD5: 62eee7a0bed6e958e72c0edf9da17196
MD5: 160793c37a5aa29ac4c88ba88d1d7cc2
MD5: 46079bbcfcd792dfcd1e906e1a97c3a6

Once, executed, a, sample, malware (MD5: 584a779ae8cdea13611ff45ebab517ae), phones, back, to, the, following, C&C, server, IPs:
hxxp://zhutizhijia.com - 208.73.211.70

Once, executed, a, sample, malware (MD5: cea89679058fe5a5288cfacc1a64e431), phones, back, to, the, following, C&C, server, IPs:
hxxp://aieov.com - 208.73.211.70

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (141.8.224.239):
hxxp://happysocks.7live7.org
hxxp://hiepdam.org
hxxp://hyper-path.com
hxxp://interfacelife.com
hxxp://iowa.findanycycle.com
hxxp://massachusetts.findanyboat.com
hxxp://diptnyc.com

Related, maliciuos, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (141.8.224.239):
MD5: ddf27e034e38d7d35b71b7dc5668ffce
MD5: 6ba6451a9c185d1d07323586736e770e
MD5: 854ea0da9b4ad72aba6430ffa6cc1532
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: bf78b0fcfc8f1a380225ceca294c47d8

Once, executed, a, sample, malware (MD5:ddf27e034e38d7d35b71b7dc5668ffce), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://srv.desk-top-app.info - 141.8.224.239

Once, executed, a, sample, malware (MD5:6ba6451a9c185d1d07323586736e770e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://premiumstorage.info - 141.8.224.239

Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49
hxxp://wentstate.net - 141.8.224.93
hxxp://musicnews.net - 176.74.176.187
hxxp://spendstate.net

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (89.19.10.194):
hxxp://liderbayim.com
hxxp://blacksport.org
hxxp://liderbayim.com
hxxp://2sosyal-panelim.com
hxxp://sosyal-panelim.com
hxxp://darknessbayim.com
hxxp://hebobayi.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - FTLog Worm Spreading Across Fotolog

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, while, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multu-tude, of, malicious, software, while, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, the, malware-infected, hosts, further, spreading, malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, on, a, set, of, tactics, techniques, and, procedures, successfully, monetizing, access, to, the, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a currently, circulating, malicious, spam, campaign, targeting, the, popular, social, network, Web, site, Fotolog, successfully, enticing, socially, engineered, users, into, interacting, with, malicious, links, while, monetizing, access, to, the, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, URL, redirection, chain:
hxxp://bit.ly/cBTsWo
        - hxxp://zwap.to/001mk
            - hxxp://www.cepsaltda.cl/uc/red.php?u=1 - 216.155.72.44
                - hxxp://supatds.cn/go.php?sid=1 - 92.241.164.1
                    - hxxp://www.cepsaltda.cl/uc/rcodec.php
                        - hxxp://cepsaltda.cl/uc/codec/divxcodec.exe

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: c6dbc58e0db3c597c4ab562ad9710a38

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Massive Black Hat SEO Campaing Serving Scareware Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, acquiring, and, hijacking, traffic, for, the, purpose, of, converting, it, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, a, set, of, tactics, techniques, and, procedures, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, an, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, black, hat, SEO (search engine optimization), campaign, serving, fake, security, software, also, known, as, scareware, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, portfolio, of, compromised, Web, sites:
hxxp://yushikai.co.uk
hxxp://www.heart-2-heart.nl
hxxp://www.stichtingkhw.nl
hxxp://burgessandsons.com
hxxp://marsmellow.info
hxxp://broolz.co.uk
hxxp://bodyscope.co.uk
hxxp://janschnoor.de
hxxp://goodluckflowers.com
hxxp://www.frank-carillo.com
hxxp://www.strijkvrij.com
hxxp://www.fotosiast.nl
hxxp://www.senbeauty.nl
hxxp://www.menno.info
hxxp://www.kul.fm

Sample, URL, redirection, chain:
hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181 -> hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48 - Email: Kathryn.D.Jennings@gmail.com

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://myatmoe.iblogger.org
hxxp://creditreport.iblogger.org
hxxp://movieddlheaven.iblogger.org
hxxp://cv-bruno-brocas.iblogger.org
hxxp://islife.iblogger.org
hxxp://iblogger.iblogger.org
hxxp://dressshirt.iblogger.org
hxxp://allians.iblogger.org
hxxp://rapid-weight-loss.iblogger.org
hxxp://breastaugm.iblogger.org
hxxp://uila.iblogger.org
hxxp://oh-tv.iblogger.org
hxxp://brudnopis.iblogger.org
hxxp://learnenglish.iblogger.org
hxxp://motivatedcats.iblogger.org
hxxp://robert.iblogger.org
hxxp://testforask.iblogger.org
hxxp://poormanguides.iblogger.org
hxxp://gelbegabeln.iblogger.org
hxxp://nuagerouge.iblogger.org
hxxp://chicos-on-line.iblogger.org
hxxp://hypnosisworld.iblogger.org
hxxp://tennis.iblogger.org
hxxp://ibu.iblogger.org
hxxp://turkifsa.iblogger.org
hxxp://amandacooper.iblogger.org
hxxp://tw.iblogger.org
hxxp://whedon.iblogger.org
hxxp://han.iblogger.org
hxxp://scclab.iblogger.org
hxxp://besftfoodblogger.iblogger.org
hxxp://premiummenderacunt.iblogger.org
hxxp://seobook.iblogger.org
hxxp://bestjackets.iblogger.org
hxxp://kidszone.iblogger.org
hxxp://liker2fb.iblogger.org
hxxp://vipin.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://palermo.iblogger.org
hxxp://forum.bay.de.iblogger.org
hxxp://online-guard.iblogger.org
hxxp://juhjsd.iblogger.org
hxxp://asulli.iblogger.org
hxxp://youtubetranscription.iblogger.org
hxxp://praza.iblogger.org
hxxp://free-worlds.iblogger.org
hxxp://mlm.iblogger.org
hxxp://myleskadusale.iblogger.org
hxxp://ninjapearls.iblogger.org
hxxp://bassian.iblogger.org
hxxp://d3-f21-w-14.iblogger.org
hxxp://mlk.iblogger.org
hxxp://pe.iblogger.org
hxxp://connor54321.iblogger.org
hxxp://smx.iblogger.org
hxxp://17fire.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://generalsurgery.iblogger.org
hxxp://megafon.iblogger.org
hxxp://dasefx.iblogger.org
hxxp://ysofii.iblogger.org
hxxp://priv8.iblogger.org
hxxp://kahramanmaras.iblogger.org
hxxp://kaoojcjl.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://dla-kobiet.iblogger.org
hxxp://karinahart.iblogger.org
hxxp://mariucciaelasuaombra.iblogger.org
hxxp://signinbay.de.iblogger.org
hxxp://pitstop.iblogger.org
hxxp://colorless.iblogger.org
hxxp://directorio.iblogger.org
hxxp://odenaviva.iblogger.org
hxxp://e-money.iblogger.org
hxxp://digicron.iblogger.org
hxxp://slotomania-hackers.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://bestoksriy.iblogger.org
hxxp://teamsite.iblogger.org
hxxp://mateaplicada.iblogger.org
hxxp://tmgames.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://priv8.iblogger.org
hxxp://sharepointdotnetwiki.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://seobook.iblogger.org
hxxp://jawwal.iblogger.org
hxxp://tomsplace.iblogger.org
hxxp://shreyo.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://beitypedia.iblogger.org
hxxp://dutcheastindies.iblogger.org
hxxp://cramat-satu.iblogger.org
hxxp://misc.iblogger.org
hxxp://espirito-de-aventura.iblogger.org
hxxp://tomksoft.iblogger.org
hxxp://mymovies.iblogger.org

Known, to, have, responded, to, the, same, malicious, IP (199.59.243.120) are, also, the, following, malicious, domains:
hxxp://brendsrnzwrn.cuccfree.com
hxxp://caraccidentlawyer19.us
hxxp://colombiavirtualtours.com
hxxp://dailydigest.cn
hxxp://drugaddiction569.us
hxxp://earnonline.cn
hxxp://epicor.in
hxxp://glhgk.com
hxxp://iroopay.com
hxxp://kajianislam.us

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (199.59.243.120):
MD5: c7bd669a416a8347aeba6117d0040217
MD5: ae89e09f52db7f9d69b9b9c40dbf35f9
MD5: b4399fc8f1de723d452b05ec474ca651
MD5: c779d9f4e9992ad5ffcd2353bb003a51
MD5: cc6efabb0a26c729f126b12be717de47

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://theworldnews.byethost5.com - 199.59.243.120

Known, to, have, responded, to, the, same, malicious IP (205.164.14.79), are, also, the, following, malicious, domains:
hxxp://fsdq.cn
hxxp://parked-domain.org
hxxp://fiverr.hk.tn
hxxp://hamzanori90.name-iq.com
hxxp://postgumtree.uk.tn
hxxp://caoliushequ.info
hxxp://housewives.byethost4.com
hxxp://nuichate.22web.org
hxxp://3rtz.byethost12.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (205.164.14.79):
MD5: dbca66955cac79008f9f1cd415d7e308
MD5: b452ca519f077307d68ff034567087c1
MD5: 70e8c79135b341eac51da0b5789744d3
MD5: a9f64c1404faf4a6fc81564c8dec22d9
MD5: b3737a1c34cb705f7d244c99afdc3a01

Once, executed, a, sample, malware (MD5:dbca66955cac79008f9f1cd415d7e308), phones, back, to, the, following, C&C, server, IPs:
hxxp://ibayme.eb2a.com - 205.164.14.79

Known, to, have, responded, to, the, same, malicious, IPs (199.59.241.181), are, also, the, following, malicious, domains:
hxxp://yn919.com
hxxp://wimp.it
hxxp://puqiji.com
hxxp://52style.com
hxxp://007guard.com
hxxp://10iski.10001mb.com
hxxp://11649.bodisparking.com
hxxp://13.get.themediafinder.com
hxxp://134205.aceboard.fr

Sample, detection, rate, for, a, malicious, executable:
MD5: f74a744d75c74ed997911d0e0b7e6f67

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://mycommercialssecuritytool.com/in.php?affid=34100

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://protectyoursystemnowonline.com
hxxp://createyoursecurityonline.com
hxxp://commercialssecuritytools.com
hxxp://freecreateyoursecurity.com

Sample, URL, redirection, chain:
hxxp://ulions.com/yxg.php?p= - 104.28.22.34
    - hxxp://ppbmv4.xorg.pl/in.php?t=cc&d=04-02-2010_span&h=
        - hxxp://www1.nat67go4it.net/?uid=195&pid=3&ttl=5184c614d4b - 89.248.160.161
            - hxxp://www1.systemsecure.in/?p=

Know, to, have, responded, to, same, malicious, C&C, server, IP (104.28.22.34), are, also, the, following, malicious, domains:
hxxp://portlandultimate.com
hxxp://portablemineapplicationsub.tech
hxxp://indirimkuponlarimiz.com
hxxp://walkinclosetguys.com
hxxp://bryantanaka.com
hxxp://swisschecklist.com
hxxp://census.mnfurs.org
hxxp://duluthbeth.xyz

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (104.28.22.34):
MD5: 11dda0bbd2aef7944f990fcefbc91034
MD5: d0be24df3078866a277874dad09c98d9
MD5: 9ba06da9370037fd2ffe525d6164b367
MD5: 537bd45df702f90585eebab2a8bb3584
MD5: a9f61e9696ff7ff4bfc34f70549ffdd0

Once, executed, a, sample, malware (MD5:11dda0bbd2aef7944f990fcefbc91034), phones, back, to, the, following, C&C, server, IPs:
hxxp://audio-direkt.net
hxxp://servico-ind.com
hxxp://saios.net
hxxp://coopsupermarkt.nl
hxxp://fruitspot.co.za
hxxp://vitalur.by
hxxp://trinity-works.com

Once, executed, a, sample, malware (MD5:d0be24df3078866a277874dad09c98d9), phones, back, to, the, following, C&C, server, IPs:
hxxp://3asfh.net - 104.28.22.34

Once, executed, a, sample, malware, (MD5:a9f61e9696ff7ff4bfc34f70549ffdd0), phones, back, to the, following, malicious, C&C, server, IPs:
hxxp://link-list-uk.com
hxxp://racknstackwarehouse.com.au
hxxp://zeronet.co.jp
hxxp://sun-ele.co.jp
hxxp://slcago.org
hxxp://frederickallergy.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →