Historical OSINT - Summarizing 2 Years of Webroot's Threat Blog Posts Research

July 28, 2018
It's been several years since I last posted a quality update at Webroot's Threat Blog, the industry's leading threat-intelligence blog, following a successful career there as lead security blogger and threat-intelligence analyst throughout 2012-2014.

In this post I'll summarize two years' worth of Webroot's Threat Blog research, with the idea of providing readers with the data, information and knowledge needed to stay ahead of current and emerging threats.

01. January - 2012
02. February - 2012
03. March - 2012
04. April - 2012
05. May - 2012
06. June - 2012
07. July - 2012
08. August - 2012
09. September - 2012
10. October - 2012
11. November - 2012
12. December - 2012
13. January - 2013
14. February - 2013
15. March - 2013
16. April - 2013
17. May - 2013
18. June - 2013
19. July - 2013
20. August - 2013
21. September - 2013
22. October - 2013
23. November - 2013
24. December - 2013
25. January - 2014
26. February - 2014
27. March - 2014
28. May - 2014
Enjoy!

Seeking Investor Contact!

July 24, 2018
Dear blog readers, I'm currently seeking an investor contact regarding an upcoming security project and wanted to find out whether you might be aware of an investor who would be willing to invest in my upcoming security project.

I can be reached at dancho.danchev@hush.com

Dancho Danchev's Blog Going Private - Request Access

May 24, 2018
Dear blog readers, it's been several years since I last posted a quality update following my disappearance in 2010. I wanted to take the time to thank everyone, including the researchers and colleagues who participated in the search, and the colleagues and vendors who offered expertise, advice and possible career opportunities.

As I've recently launched InfoWar Monitor 2.0, I decided that the time has come for me to take my blog to a new level by offering proprietary, invite-only commercial access to selected readers who request it. The access guarantees unlimited access to daily cybercrime research and information security topics coverage, including an unlimited supply of actionable threat intelligence research on a daily basis, access to InfoWar Monitor 2.0, a security podcast subscription, a security mailing list, a security newsletter, a closed security community and a hacker E-zine released by the community, including unlimited access to proprietary research reports and articles.

How to request access?
Users interested in requesting access can approach me with the following details:

Name:
Position:
How long have you been reading my blog?
How much would you be willing to invest to obtain access on a monthly basis?

I can be reached at dancho.danchev@hush.com

Enjoy!

Security News - Safe Browsing protection from even more deceptive attacks - Commentary

May 14, 2018
Google's security initiatives continue, indicating the search engine market leader's ambitions towards building a vibrant ecosystem for protecting end users from malicious attacks, and further positioning the company as an emerging leader whose activities contribute to the overall security level of the entire ecosystem.
"Safe Browsing has been protecting over one billion people from traditional phishing attacks on the web for more than eight years. The threat landscape is constantly changing—bad actors on the web are using more and different types of deceptive behavior to trick you into performing actions that you didn’t intend or want, so we’ve expanded protection to include social engineering."

The latest indication of this trend is the company's introduction of social engineering attack warnings, capable of preventing widespread damage and of stopping a malicious attack in the early stages of the campaign. With malicious actors continuing to utilize visual social engineering campaigns to serve malicious software and potentially unwanted applications, compromising the confidentiality, integrity and availability of information, visual social engineering will continue to represent a growing attack vector that needs better protective mechanisms on behalf of ecosystem participants.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.


Introduction to Dancho Danchev's Infowar Monitor 2.0

January 23, 2018
Dear blog readers, it's been quite some time since I last posted a quality update following my disappearance in 2010. I wanted to express my gratitude to everyone who participated in the search, including colleagues and companies, and to say thanks for taking the time and effort to keep track of and follow my research and disappearance.

As I've been busy working on Dancho Danchev's Blog - Mind Streams of Information Security Knowledge and InfoWar Monitor 2.0, I wanted to let you know that I've recently resumed my Twitter account, following a successful career at Webroot Inc., a short-term venture at GroupSense, the launch of my own company called Disruptive Individuals, Threat Data - the World's Most Comprehensive Threats Database, the Obmonix Platform - The World's Most Comprehensive Sensor Network, a possible book writing project, a successful cyber security consultancy and a possible career opportunity request.

Let's take the time to elaborate on what exactly InfoWar Monitor 2.0 aims to achieve, including a detailed explanation of some of the key features of the newly launched portal-based Information Security, Cybercrime Research and Threat Intelligence gathering community. Users interested in contributing content, including blog contributions, partnership, sponsorship and possible advertising requests, can approach me at dancho.danchev@hush.com

01. What is InfoWar Monitor 2.0?
InfoWar Monitor 2.0 aims to build the World's largest and most comprehensive community for Information Security, threat intelligence gathering and cybercrime research. Managed and operated by Dancho Danchev, the World's leading expert in Information Security, cybercrime research and threat intelligence gathering, the community seeks to provide information, data and knowledge to thousands of users globally.

Key features include:
- Daily Security News Coverage
- Information Security Videos
- Security and Hacking eBook
- Security Newsletter
- Information Security Podcast
- Security and Hacking E-Zine
- Security Mailing List
- Daily Intelligence Brief
- Closed Security Community

02. What is Disruptive Individuals?
Disruptive Individuals is a research-intensive, data-driven company establishing the world's largest snapshot of malicious cybercrime activity for the purpose of offering the industry the world's most versatile portfolio of cybercrime-driven services, positioning itself as the world's leading provider of real-time, intelligence-driven services and products, including cybercrime research data, malicious activity profiling services and custom-tailored intelligence assessments.

03. What is the Obmonix Platform?
The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for intercepting, monitoring and responding to cybercrime and cyber jihad events, deploying a variety of proprietary sensor networks based on honeypot appliances and industry-wide partnerships, including the utilization of proprietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns. This positions the platform as the leading indicator for cybercrime and cyber jihad activity globally, empowering the operator, law enforcement and the security industry with the necessary tactics, techniques and procedures (TTPs) for responding to and monitoring cybercrime and cyber jihad activity globally, and leading to the successful launch of the Disruptive Individuals startup, which serves the needs of the Intelligence Community, the security industry and law enforcement agencies globally, anticipating an emerging set of malicious and fraudulent tactics, techniques and procedures and protecting millions of users globally.

04. What is Threat Data?
Threat Data is the industry's leading and most versatile JSON-capable threats database, empowering companies and security researchers with the necessary knowledge to stay ahead of current and emerging threats and further positioning their company or enterprise at the top of its game.

- Russian Business Network coverage
- Koobface Botnet coverage
- Kneber Botnet coverage
- Hundreds of IOCs (Indicators of Compromise)
- Tactics Techniques and Procedures In-Depth Coverage
- Malicious and fraudulent infrastructure mapped and exposed
- Malicious and fraudulent Blackhat SEO coverage
- Malicious spam and phishing campaigns
- Malicious and fraudulent scareware campaigns
- Malicious and fraudulent money mule recruitment scams
- Malicious and fraudulent reshipping mule recruitment scams
- Web based mass attack compromise fraudulent and malicious campaigns
- Malicious and fraudulent client-side exploits serving campaigns

Potential users and clients interested in obtaining access to Threat Data including a possible trial and a sample can approach me at dancho.danchev@hush.com

Stay tuned!

Dissecting the Latest Koobface Facebook Campaign

January 20, 2018
The latest Koobface malware campaign at Facebook is once again exposing a diverse ecosystem worth assessing, in times of active migration to alternative ISPs tolerating or conveniently ignoring the malicious activities of their customers. The -- now removed -- binaries that the dropper was requesting were hosted at the American International Baseball Club in Vienna, indicating a compromise.

us.geocities .com/adanbates84/index.htm
lostart .info/js/js.js (79.132.211.51)
off34 .com/go/fb.php (79.132.211.51)
youtube-spyvideo .com/youtube_file.html (58.241.255.37)
ahdirz .com/movie1.php?id=638&n=teen (208.85.181.69)
top100clipz .com/m6/movie1.php?id=638&n=teen (208.85.181.67)
hq-vidz .com/movie1.php?id=638&n=teen (208.85.181.68)

The dropper then phones back home to f071108 .com/fb/first.php (79.132.211.50), with the binaries hosted at a legitimate site that's been compromised:

aibcvienna.org/youtube/ bnsetup24.exe
aibcvienna.org/youtube/ tinyproxy.exe

Related fake YouTube domains participating:
catshof .com (79.132.211.51)
youtube-spy .info (94.102.60.119)
youtubehof .net (218.93.205.30)
youtube-spyvideo .com (58.241.255.37)
yyyaaaahhhhoooo.ocom .pl (67.15.104.83)
youtube-x-files .com (94.102.60.119)

The development of cybercrime platforms utilizing legitimate infrastructure only has always been in the works. From spamming systems relying exclusively on automatically registered email accounts at free web-based providers, to the automatic bulk registration of hundreds of thousands of domains enjoying a particular domain registrar's weak anti-abuse policies, it would be interesting to monitor whether marginal thinking or improved OPSEC relying on compromised hosts will be favored in 2009.

Related posts:
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Project Proposal - Cybercrime Research - Seeking Investment

November 15, 2017
Dear blog readers, I'm currently seeking an investment regarding a cybercrime research project with the project proposal available on request.

Approach me at dancho.danchev@hush.com

Book Proposal - Seeking Sponsorship - Publisher Contact

November 15, 2017
Dear blog readers, as I'm currently busy writing a book, I'm seeking a publisher contact, with the book proposal available on request.
 
Approach me at ddanchev@cryptogroup.net

New Mobile Malware Spotted in the Wild, Hundreds of Users Affected

November 09, 2017
We've recently intercepted a currently circulating malicious spam campaign affecting hundreds of users globally, potentially exposing the confidentiality, availability and integrity of their devices to a multitude of malicious software. Largely relying on a multitude of social engineering vectors, the cybercriminals behind the campaign have managed to successfully impersonate Adobe Flash Player, tricking users into thinking that they're visiting a legitimate Web site on their way to infecting their devices, relying on bogus "Please update Flash on your device" messages.

Over the last couple of years we've been monitoring an increase in rogue Google Play-type Android applications and rogue online Web sites tricking tens of thousands of users on a daily basis into installing rogue applications, largely relying on a multitude of social engineering vectors. Next to rogue online Web sites, we've also been actively monitoring an increase in compromised Web sites serving malicious software, potentially exposing the confidentiality, availability and integrity of users' devices to a multitude of malicious software. We've also been busy monitoring an increase in the ongoing monetization of hijacked traffic through underground-market traffic exchanges, with more cybercriminals successfully monetizing the hijacked traffic while earning fraudulent revenue in the process.

In this post we'll profile the malicious campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Related malicious MD5s known to have participated in the campaign:
MD5: 288ad03cc9788c0855d446e34c7284ea

Related malicious URLs known to have participated in the campaign:
hxxp://brutaltube4mobile.com - 37.1.200.202
hxxp://xxxvideotube.org - 5.45.112.27; 37.140.192.196; 184.82.244.166

Known to have responded to the same malicious C&C server IP (37.1.200.202) are also the following malicious domains:
hxxp://nudism-nudist.com
hxxp://yumail.site
hxxp://hot-images.xyz
hxxp://nudism-klub.com
hxxp://family-naturism.org
hxxp://teen-nudism.com
hxxp://family-naturism.net
hxxp://teen-media.net
hxxp://01hosting.biz
hxxp://jp-voyeur.com
hxxp://link-protector.biz
hxxp://brutaltube4mobile.com
hxxp://adobeupdate.org
hxxp://australiamms.com
hxxp://donttreadonmike.com
hxxp://german-torrent.com
hxxp://fondazion.com
hxxp://derechosmadre.org
hxxp://torsearch.net
hxxp://4mytelecharger55.net
hxxp://4mytelecharger66.net
hxxp://fondazion.net
hxxp://fondazion.org
hxxp://sevajug.org
hxxp://defilez2.net
hxxp://downloadfrance22.com
hxxp://derechosmadretierra.org

Related malicious MD5s known to have phoned back to the same C&C server IP (brutaltube4mobile.com - 37.1.200.202):
MD5: 18327d619484112f81dc7da4169ba088
MD5: 090f7349fef4e1624393383e145d5982
MD5: d2e3d9d0e599cfce1af8b2777c3a071a

Related malicious MD5s known to have phoned back to the same C&C server IPs (xxxvideotube.org - 5.45.112.27; 37.140.192.196; 184.82.244.166):
MD5: 288ad03cc9788c0855d446e34c7284ea

Once executed, a malware sample phones back to the following C&C server IP:
hxxp://5.196.121.148

Related malicious MD5s known to have phoned back to the same C&C server IP (5.196.121.148):
MD5: 7bef1c5e0dcf5f6fd152c0723993e378
MD5: 10e6c3f050b24583abf708d6afb34db2
MD5: 5a122660a3d54d9221500224f103d7b0

Thanks to the overall availability of mobile affiliate network type of monetization vectors, we expect to continue observing an increase in mobile malware type of fraudulent and rogue Web sites serving malicious software to unsuspecting users internationally.

We'll continue monitoring the market segment for mobile malware and post updates as soon as new developments take place.

Introducing Obmonix - The World's Most Comprehensive Sensor Network

July 28, 2017
The world's leading expert in the field of security, cybercrime research and threat intelligence gathering presents the World's Most Comprehensive Sensor Network for offensive cybercrime/cyberterrorism fighting, introducing active sensor deployment and cybercrime/cyberterrorism forum and dark-web infiltration, and launching the Disruptive Individuals startup, successfully disrupting and undermining the cybercrime/cyberterrorism ecosystem.

What is the Obmonix Platform?
The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for intercepting, monitoring and responding to cybercrime and cyber jihad events, deploying a variety of proprietary sensor networks based on honeypot appliances and industry-wide partnerships, including the utilization of proprietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns. This positions the platform as the leading indicator for cybercrime and cyber jihad activity globally, empowering the operator, law enforcement and the security industry with the necessary tactics, techniques and procedures (TTPs) for responding to and monitoring cybercrime and cyber jihad activity globally, and leading to the successful launch of the Disruptive Individuals startup, which serves the needs of the Intelligence Community, the security industry and law enforcement agencies globally, anticipating an emerging set of malicious and fraudulent tactics, techniques and procedures and protecting millions of users globally.

How can you help and contribute?
Feel free to join the Indiegogo fundraising campaign and stay tuned for the associated perks.

Looking forward to receiving your response at disruptive.individuals@gmail.com

Stay tuned!

Historical OSINT - Massive Black Hat SEO Campaign Spotted in the Wild

May 29, 2017
Cybercriminals continue actively launching fraudulent and malicious blackhat SEO campaigns, acquiring legitimate traffic for the purpose of converting it into malware-infected hosts and further spreading malicious software, potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software.

We've recently intercepted a currently active malicious blackhat SEO campaign serving scareware to socially engineered users, with the cybercriminals behind it earning fraudulent revenue largely through an affiliate-network based revenue-sharing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious domains known to have participated in the campaign:
hxxp://doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189

Malicious redirector known to have participated in the campaign:
hxxp://marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyLRademacher@live.com

Related malicious domains known to have been parked on the same malicious IP (91.205.40.5):
hxxp://browsersafeon.com
hxxp://online-income2.cn
hxxp://applestore2.cn
hxxp://media-news2.cn
hxxp://clint-eastwood.cn
hxxp://stone-sour.cn
hxxp://marketcoms.cn
hxxp://fashion-news.cn

Malicious domains known to have participated in the campaign:
hxxp://guard-syszone.net/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWeYJWfZWVilWWenGOIo6THodjXoGJdpqmikpVuaGVvZG1kbV%2FEkKE%3D - 206.53.61.73

hxxp://yourspywarescan15.com/scan1/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12

Sample malware MD5s:
MD5: 3d448b584d52c6a6a45ff369d839eb06
MD5: 54f671bb9283bf4dfdf3c891fd9cd700

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - A Diversified Portfolio of Pharmaceutical Scams Spotted in the Wild

May 29, 2017
Cybercriminals continue actively spreading fraudulent and malicious campaigns, potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software, earning fraudulent revenue in the process of monetizing access to malware-infected hosts and further spreading malicious and fraudulent campaigns potentially affecting hundreds of thousands of users globally.

We've recently come across a currently active diversified portfolio of pharmaceutical scams, with the cybercriminals behind it successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts, including the active utilization of an affiliate-network based revenue sharing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

hxxp://lightmcusic.com
hxxp://darkclosed.com
hxxp://paintlamp.com
hxxp://rainmcusic.com
hxxp://diskwind.com
hxxp://disklarge.com
hxxp://silverlarge.com
hxxp://totaldomainname.com
hxxp://mcusicmouse.com
hxxp://diskbig.com
hxxp://rainthing.com
hxxp://thunderhigh.com
hxxp://raintruck.com
hxxp://mcusictank.com
hxxp://diskdark.com
hxxp://thunderdark.com
hxxp://raintowel.com
hxxp://mcusicball.com
hxxp://diskwarm.com
hxxp://silverwarsm.com
hxxp://diskopen.com
hxxp://diskfashion.com
hxxp://goldlgs.com
hxxp://silverdarks.com
hxxp://silveropens.com
hxxp://goldapers.com
hxxp://goldslvers.com
hxxp://diskhot.com
hxxp://bluedrow.com
hxxp://flashdrow.com
hxxp://raindrow.com
hxxp://thunderdrow.com
hxxp://rainpen.com
hxxp://spotsoda.ru
hxxp://mediamultimedia.ru
hxxp://boozetuna.ru
hxxp://singerspa.ru
hxxp://eyepizza.ru
hxxp://kittyweb.ru
hxxp://bedrib.ru
hxxp://yourib.ru
hxxp://antthumb.ru
hxxp://ringmic.ru
hxxp://belllead.ru
hxxp://roselid.ru
hxxp://homemold.ru
hxxp://tuneworld.ru
hxxp://happendepend.ru
hxxp://fruitmind.ru
hxxp://groupmud.ru
hxxp://showbabe.ru
hxxp://juicetube.ru
hxxp://kidrace.ru
hxxp://zoomtrace.ru
hxxp://lawice.ru
hxxp://dealfence.ru
hxxp://wipeagree.ru
hxxp://coverimage.ru
hxxp://beachpage.ru
hxxp://waxylanguage.ru
hxxp://jazzedge.ru
hxxp://casemale.ru
hxxp://czarsale.ru
hxxp://sweatybottle.ru
hxxp://boxlane.ru
hxxp://rubyfire.ru
hxxp://radiohorse.ru
hxxp://sodakite.ru
hxxp://armissue.ru
hxxp://houraxe.ru
hxxp://smokeeye.ru
hxxp://anteye.ru
hxxp://salesbarf.ru
hxxp://shelfleg.ru
hxxp://superring.ru
hxxp://timematch.ru
hxxp://sewermatch.ru
hxxp://betaflash.ru
hxxp://wovenbath.ru
hxxp://imagebirth.ru
hxxp://shelfjack.ru
hxxp://ringmack.ru
hxxp://gigaknack.ru
hxxp://filetack.ru
hxxp://busybrick.ru
hxxp://giantdock.ru
hxxp://wormduck.ru
hxxp://roundtruck.ru
hxxp://labfolk.ru
hxxp://malespark.ru
hxxp://petgal.ru
hxxp://hitpal.ru
hxxp://beastball.ru
hxxp://baysmell.ru
hxxp://beachhill.ru
hxxp://giantpill.ru
hxxp://runtvenom.ru
hxxp://soaproom.ru
hxxp://chartarm.ru
hxxp://deedsum.ru
hxxp://firmcan.ru
hxxp://sofafan.ru
hxxp://chinqueen.ru
hxxp://lightpen.ru
hxxp://fishgain.ru
hxxp://shiptrain.ru
hxxp://canbin.ru
hxxp://roomcoin.ru
hxxp://caseion.ru
hxxp://miciron.ru
hxxp://metalcorn.ru
hxxp://roadbun.ru
hxxp://armsgun.ru
hxxp://landclown.ru
hxxp://weedego.ru
hxxp://kidsolo.ru
hxxp://waxsolo.ru
hxxp://hitpiano.ru
hxxp://keyhero.ru
hxxp://hitzero.ru
hxxp://ziptap.ru
hxxp://arealamp.ru
hxxp://sunnystamp.ru
hxxp://freeproshop.ru
hxxp://clanpup.ru
hxxp://silkyear.ru
hxxp://jarpeer.ru
hxxp://cobrariver.ru
hxxp://sisterlover.ru
hxxp://rocktower.ru
hxxp://yearshoes.ru
hxxp://grapefrogs.ru
hxxp://papercoins.ru
hxxp://pitstops.ru
hxxp://ginboss.ru
hxxp://greedpants.ru
hxxp://rulebat.ru
hxxp://kidssplat.ru
hxxp://havocfleet.ru
hxxp://ballnet.ru
hxxp://statezit.ru
hxxp://elfsalt.ru
hxxp://zooant.ru
hxxp://finksnot.ru
hxxp://bluffheart.ru
hxxp://wifechart.ru
hxxp://ladyskirt.ru
hxxp://betacourt.ru
hxxp://moviecourt.ru
hxxp://bluecourt.ru
hxxp://actbeast.ru
hxxp://waterfast.ru
hxxp://beachquest.ru
hxxp://passexist.ru
hxxp://rareyou.ru
hxxp://bandrow.ru
hxxp://applewax.ru
hxxp://rockpony.ru
hxxp://feetboy.ru
hxxp://arguebury.ru
hxxp://chairchevy.ru
hxxp://birthsea.com
hxxp://sourcegood.com
hxxp://lamplarsge.com
hxxp://trailhuge.com
hxxp://raintable.com
hxxp://platepeople.com
hxxp://tablebig.com
hxxp://lampbig.com
hxxp://traillong.com
hxxp://whitebirth.com
hxxp://trailbirth.com
hxxp://tabledisk.com
hxxp://lampdissk.com
hxxp://trucktowel.com
hxxp://lamptrail.com
hxxp://trailwarm.com
hxxp://paperwarm.com
hxxp://lampwasrm.com
hxxp://birthocean.com
hxxp://trailocean.com
hxxp://rainopen.com
hxxp://lampfashion.com
hxxp://newsmillion.com
hxxp://trailsummer.com
hxxp://mcusicpaper.com
hxxp://lamppapser.com
hxxp://newssilver.com
hxxp://platedrops.com
hxxp://lampcups.com
hxxp://tablemindss.com
hxxp://tablecupss.com
hxxp://newssweet.com
hxxp://trailbasket.com
hxxp://trailgift.com
hxxp://goldblow.com
hxxp://truckdrow.com
hxxp://roverkey.com
hxxp://protopsite.ru
hxxp://frontstand.com
hxxp://greystand.com
hxxp://ballmind.com
hxxp://mindlarge.com
hxxp://windlarge.com
hxxp://darklarge.com
hxxp://balltable.com
hxxp://listplate.com
hxxp://frontblue.com
hxxp://lightskye.com
hxxp://balllong.com
hxxp://frontlong.com
hxxp://greylong.com
hxxp://largebisg.com
hxxp://greywalk.com
hxxp://minddark.com
hxxp://largedark.com
hxxp://balldisk.com
hxxp://largetrail.com
hxxp://balltrail.com
hxxp://largewarm.com
hxxp://skyewarm.com
hxxp://listlap.com
hxxp://flowlap.com
hxxp://frontstop.com
hxxp://ballsilver.com
hxxp://flowsilver.com
hxxp://jobsilvesr.com
hxxp://fastpads.com
hxxp://jobpeoples.com
hxxp://bluewaris.com
hxxp://joblaps.com
hxxp://listdrops.com
hxxp://flowchairs.com
hxxp://backgrass.com
hxxp://greygrass.com
hxxp://greyfront.com
hxxp://dropslist.com
hxxp://longgrey.com
hxxp://backgrey.com
hxxp://frontgrey.com
hxxp://hatroad.com
hxxp://hatweather.com
hxxp://hatcool.com
hxxp://weatherfloor.com
hxxp://drinkfloor.com
hxxp://hatbrowse.com
hxxp://roadbrowse.com
hxxp://roadinternet.com
hxxp://whiterdes.com
hxxp://hatcools.com
hxxp://hatbrowses.com
hxxp://hatflow.com
hxxp://hatride.com
hxxp://whitefloors.com
hxxp://hatducks.com
hxxp://whitebrwses.com
hxxp://hattables.com
hxxp://hatfloos.com
hxxp://hatdrinks.com
hxxp://blowlight.com
hxxp://longwrite.com
hxxp://bridelamp.com
hxxp://bridelong.com
hxxp://bridefast.com
hxxp://bridebottle.com
hxxp://longletter.com
hxxp://brideword.com
hxxp://bridetowel.com
hxxp://screenchairs.com
hxxp://boxscreens.com
hxxp://screenbirth.com
hxxp://touchcup.com
hxxp://boxboxs.com
hxxp://boxlams.com
hxxp://touchchair.com
hxxp://screencup.com
hxxp://lamptool.com
hxxp://touchbirth.com
hxxp://weathersand.com
hxxp://summerwarms.com
hxxp://summerwall.com
hxxp://weathersummer.com
hxxp://warmruns.com
hxxp://weathercold.com
hxxp://weatherwarm.com
hxxp://warmskye.com
hxxp://weatherskye.com
hxxp://weatheropens.com
hxxp://weatherocean.com
hxxp://weatherrun.com
hxxp://rovercorner.com
hxxp://rangepeople.com
hxxp://rangesand.com
hxxp://rangecorner.com
hxxp://rangespeed.com
hxxp://roverweather.com
hxxp://rangekey.com
hxxp://roverfast.com
hxxp://roverroad.com
hxxp://rangerange.com
hxxp://rovertrack.com
hxxp://rangetunes.com
hxxp://socketpaper.com
hxxp://trailgold.com
hxxp://booksocket.com
hxxp://brushtrail.com
hxxp://brushround.com
hxxp://brushchair.com
hxxp://brushsocket.com
hxxp://brushfast.com
hxxp://socketfast.com
hxxp://tablebrush.com
hxxp://brushpaper.com
hxxp://brushopen.com
hxxp://sockettrail.com
hxxp://socketround.com
hxxp://brushplane.com
hxxp://sourcebrush.com
hxxp://tabletrail.com
hxxp://truckblus.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Google Sponsored Scareware Spotted in the Wild

May 29, 2017
Cybercriminals continue actively spreading malicious software while looking for alternative ways to acquire and monetize legitimate traffic successfully earning fraudulent revenue in the process of spreading malicious software.

We've recently come across a Google Sponsored scareware campaign successfully enticing users into installing fake security software on their hosts, earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on an affiliate-network based revenue sharing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

hxxp://www.google.com/aclk?sa=l&ai=Czd4NEnlLS-pWlrS1A-jBmIwO9pfjnQHOjKCvEI2B8woQAigIUPjA4pz8_____wFgyZajiqSkxBGgAabhse4DyAEBqgQhT9CjnzChYHf5zQB4c8FB-fW9WUzgcUTQ4c7ciD4Gyxs0&num=5&sig=AGiWqty0Uq3Kr6U1Sb10olrq6C22JfNR_w&q=http://www.adwarepronow.com

hxxp://www.google.com/aclk?sa=L&ai=COLk5EnlLS-pWlrS1A-jBmIwO0YGZmwGz9aqwDbiw8bcBEAUoCFCnyNGE______8BYMmWo4qkpMQRyAEBqgQZT9CTvAGhbX_5PQN_7QaAIk7HT3dQfrqLJQ&num=8&sig=AGiWqtyHmo4mgVkszSWtDUcT4dMRUAQnXg&q=http://www.antimalware-2010.com

Malicious domains known to have participated in the campaign:
hxxp://www.adwarepronow.com/?gclid=CJ6d8LSGnZ8CFRMqagodmR_KaA - 209.216.193.112

Malicious domains known to have participated in the campaign:
hxxp://www.antimalware-2010.com/ - 209.216.193.119

Sample malware MD5:
MD5: 8328da91c8eba6668b3e72d547157ac7

Sample malware MD5:
MD5: b74412ea403241c9c60482fd13540505

Once executed, a malware sample phones back to the following malicious C&C server URLs:
hxxp://72.167.164.199/definitions/configuration.txt
hxxp://72.167.164.199/latestversion/AntiMalwarePro_appversion.txt

We'll continue monitoring the campaign and post updates as soon as new developments take place.
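The indicator lists in the mobile-malware, Black Hat SEO and scareware write-ups above all use the same defanged layout: `hxxp://host - ip; ip` lines that carry their own IPs, headings that name a C&C IP in parentheses and end with a colon, followed by bare `hxxp://` domains or `MD5:` lines that belong to that IP, and (in the Koobface post) the space-defanged `host .tld (ip)` form. The following Python is an added example, not code from the original posts: it normalizes those lines into an index keyed by IP so that shared C&C infrastructure stands out, which is the pivot these posts make by hand. The heading-context rule is an assumption inferred from the page's layout, and the sample lines are constructed (RFC 5737 documentation addresses, `.example` names, dummy hashes).

```python
"""Normalize defanged indicators and pivot on shared C&C IPs.

Added example; not from the original posts. Input format assumed from the
lists on the page: a heading that ends with ':' and names IP(s) in parentheses
applies to the bare 'hxxp://' domains or 'MD5:' lines under it; 'hxxp://host -
ip; ip' lines carry their own IPs; 'host .tld (ip)' is the space-defanged form.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_RE = re.compile(IPV4)
HXXP_RE = re.compile(r"^hxxps?://(?P<host>[^/\s?]+)", re.I)          # hxxp://host/... - ip; ip
SPACED_RE = re.compile(r"^(?P<host>[a-z0-9.-]+ \.[a-z]{2,})", re.I)  # host .tld/... (ip)
MD5_RE = re.compile(r"^MD5:\s*(?P<md5>[0-9a-f]{32})\s*$", re.I)
CONTEXT_RE = re.compile(r"\(([^)]*" + IPV4 + r"[^)]*)\)")            # "... IP (1.2.3.4; 5.6.7.8) ...:"


@dataclass
class IndicatorIndex:
    ip_to_domains: dict = field(default_factory=lambda: defaultdict(set))
    ip_to_hashes: dict = field(default_factory=lambda: defaultdict(set))
    domain_to_ips: dict = field(default_factory=lambda: defaultdict(set))
    c2_ips: set = field(default_factory=set)      # bare IPs used directly as C&C hosts
    hashes: set = field(default_factory=set)

    def link(self, domain, ips):
        self.domain_to_ips.setdefault(domain, set())  # keep domains with no known IP
        for ip in ips:
            self.ip_to_domains[ip].add(domain)
            self.domain_to_ips[domain].add(ip)


def normalize_host(raw):
    """Undo space-defanging ('host .com' -> 'host.com'); the scheme is never refanged."""
    return raw.replace(" .", ".").strip(".").lower()


def parse_indicators(text):
    idx = IndicatorIndex()
    context_ips = []                                # IPs named by the most recent heading
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):                      # heading: (re)set the context IPs
            m = CONTEXT_RE.search(line)
            context_ips = IP_RE.findall(m.group(1)) if m else []
            continue
        m = MD5_RE.match(line)
        if m:
            h = m.group("md5").lower()
            idx.hashes.add(h)
            for ip in context_ips:
                idx.ip_to_hashes[ip].add(h)
            continue
        m = HXXP_RE.match(line) or SPACED_RE.match(line)
        if not m:
            continue                                # prose, not an indicator line
        host = normalize_host(m.group("host"))
        if IP_RE.fullmatch(host):                   # hxxp://1.2.3.4/path: the host is the C&C IP
            idx.c2_ips.add(host)
            continue
        own_ips = IP_RE.findall(line[m.end("host"):])   # "- ip; ip" or "(ip)" after the host
        idx.link(host, own_ips or context_ips)
    return idx


def shared_infrastructure(idx, min_domains=2):
    """IPs hosting at least `min_domains` distinct domains, most-shared first."""
    hits = [(ip, sorted(d)) for ip, d in idx.ip_to_domains.items() if len(d) >= min_domains]
    return sorted(hits, key=lambda t: (-len(t[1]), t[0]))


# Constructed sample in the page's layout (documentation IPs, .example names, dummy MD5s).
SAMPLE = """\
Related malicious URLs known to have participated in the campaign:
hxxp://bad-tube.example - 192.0.2.10
hxxp://video-tube.example - 198.51.100.7; 192.0.2.10; 203.0.113.9
Known to have responded to the same malicious C&C server IP (192.0.2.10) are also the following malicious domains:
hxxp://update-flash.example
hxxp://bad-tube.example
Related malicious MD5s known to have phoned back to the same C&C server IP (bad-tube.example - 192.0.2.10):
MD5: 0123456789abcdef0123456789abcdef
MD5: FEDCBA9876543210FEDCBA9876543210
Once executed, a malware sample phones back to the following C&C server IP:
hxxp://198.51.100.7/definitions/configuration.txt
fake-youtube .example/movie.php?id=1 (203.0.113.9)
"""

if __name__ == "__main__":
    index = parse_indicators(SAMPLE)
    for ip, domains in shared_infrastructure(index):
        print(ip, "->", ", ".join(domains), "| hashes:", sorted(index.ip_to_hashes.get(ip, ())))
```

Feeding the real lists from the posts above through `parse_indicators` gives the same kind of pivot: every domain that the page attributes to 37.1.200.202, 91.205.40.5 or the two fake-AV IPs ends up under that key, and `domain_to_ips` shows which domains appear on more than one address. Hosts are kept as bare names and the `hxxp` scheme is never turned back into a clickable URL, so the output can go into a blocklist or SIEM lookup without anyone accidentally visiting the infrastructure.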

Historical OSINT - A Diversified Portfolio of Fake Security Software

May 29, 2017
Cybercriminals continue actively launching malicious and fraudulent campaigns, further spreading malicious software and potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software.

In this post we'll profile a currently active portfolio of fake security software and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Known to have responded to the same malicious C&C server IPs (91.212.226.203; 94.228.209.195) are also the following malicious domains:
hxxp://thebest-antivirus00.com
hxxp://virusscannerpro0.com
hxxp://lightandfastscanner01.com
hxxp://thebest-antivirus01.com
hxxp://thebestantivirus01.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://thebest-antivirus11.com
hxxp://antispyware-module1.com
hxxp://antispywaremodule1.com
hxxp://antivirus-toolsr1.com
hxxp://thebest-antivirus1.com
hxxp://thebest-antivirusx1.com
hxxp://thebestantivirus02.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://lightandfastscanner22.com
hxxp://prosecureprotection2.com
hxxp://virusscannerpro2.com
hxxp://antivirus-toolsr2.com
hxxp://thebest-antivirusx2.com
hxxp://thebestantivirus03.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://antispyware-module3.com
hxxp://antispywaremodule3.com
hxxp://virusscannerpro3.com
hxxp://windowsantivirusserver3.com
hxxp://thebest-antivirusx3.com
hxxp://thebestantivirus04.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://antispyware-scann4.com
hxxp://antivirus-toolsr4.com
hxxp://thebest-antivirusx4.com
hxxp://thebestantivirus05.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://thebest-antivirusx5.com
hxxp://remove-spyware-16.com
hxxp://lightandfastscanner66.com
hxxp://antispywaremodule6.com
hxxp://antispyware-module7.com
hxxp://antispywaremodule7.com
hxxp://antivirus-toolsr7.com
hxxp://antispyware-scann8.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antispyware-module9.com
hxxp://antispywaremodule9.com
hxxp://antispyware-scann9.com
hxxp://virusscannerpro9.com
hxxp://antivirus-toolsr9.com
hxxp://thebest-antivirus9.com
hxxp://antiviruspro1scan.com
hxxp://antiviruspro2scan.com
hxxp://antiviruspro7scan.com
hxxp://antiviruspro8scan.com
hxxp://antiviruspro9scan.com
hxxp://antispyware6sacnner.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com

The following malicious domains are also known to have responded to the same malicious C&C server IP (94.228.209.195):
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://run-virusscanner4.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com

Related fraudulent and malicious domains known to have participated in the campaign:
hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com

The following malicious domains are also known to have responded to the same malicious C&C server IP (91.212.226.203):
hxxp://anti-virus-system0.com
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://perform-antivirus-scan-1.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://antivirus-system1.com
hxxp://performspywarescan1.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://antivirus-scanner-3.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://gloriousantivirus2014.com
hxxp://run-virusscanner4.com
hxxp://smart-pcscanner05.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://perform-virus-scan5.com
hxxp://perform-antivirus-scan-6.com
hxxp://antivirus-scanner-6.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://antivirus-scan-server6.com
hxxp://perform-antivirus-scan-7.com
hxxp://perform-antivirus-test-7.com
hxxp://antivirus-win-system7.com
hxxp://antivirus-for-pc-8.com
hxxp://perform-antivirus-scan-8.com
hxxp://perform-antivirus-test-8.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://perform-antivirus-test-9.com
hxxp://perform-virus-scan9.com
hxxp://antispywareinfo9.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com
hxxp://antispyware06scan.com
hxxp://antivirus-for-pc-2.com
hxxp://antivirus-for-pc-4.com
hxxp://antivirus-for-pc-6.com
hxxp://antiviruspro8scan.com
hxxp://extra-antivirus-scan1.com
hxxp://extra-security-scanb1.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com
hxxp://super-scanner-2004.com
hxxp://top-rateanrivirus0.com
hxxp://topantimalware-scanner7.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - A Portfolio of Fake/Rogue Video Codecs

May 29, 2017
Shall we expose a huge domain portfolio of fake/rogue video codecs, each and every one of the domains dropping the same Zlob variant, and thereby a great example of what malicious economies of scale means?

Currently active sites promoting Zlob malware variants:
hxxp://pornqaz.com
hxxp://uinsex.com
hxxp://qazsex.com
hxxp://sexwhite.net
hxxp://lightporn.net
hxxp://xeroporn.com
hxxp://brakeporn.net
hxxp://sexclean.net
hxxp://delfiporn.net
hxxp://pornfire.net
hxxp://redcodec.net
hxxp://democodec.com
hxxp://delficodec.com
hxxp://turbocodec.net
hxxp://gamecodec.com
hxxp://blackcodec.net
hxxp://xerocodec.com
hxxp://ixcodec.net
hxxp://codecdemo.com
hxxp://ixcodec.com
hxxp://citycodec.com
hxxp://codecthe.com
hxxp://codecnitro.com
hxxp://codecbest.com
hxxp://codecspace.com
hxxp://popcodec.net
hxxp://uincodec.com
hxxp://xhcodec.com
hxxp://stormcodec.net
hxxp://codecmega.com
hxxp://whitecodec.com
hxxp://jetcodec.com
hxxp://endcodec.com
hxxp://abccodec.com
hxxp://codecred.net
hxxp://cleancodec.com
hxxp://herocodec.com
hxxp://nicecodec.com

Related MD5s known to have participated in the campaign:
MD5: 30965fdbd893990dd24abda2285d9edc

Why are the malicious parties so KISS-oriented at the end of every campaign, compared to the complexity and the tactics used to trick automated malware-harvesting approaches at the beginning of the campaign? Because they are not even considering the possibility that the end of many other malware campaigns to come, which will inevitably end up at these same domains, can be detected proactively.
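Both this post and the fake security software post above describe the same thing: a portfolio of template-generated domains, with the rogue AV domains additionally tied together by two shared C&C IPs. The following is an added example written for this page, not code from the original posts. It reconstructs a subset of the rogue AV domains as passive-DNS style (domain, IP) records exactly as the post groups them (the first group listed under both 91.212.226.203 and 94.228.209.195, the second under 91.212.226.203 only), takes a subset of the codec domains from this post, and runs the two pivots a practitioner would: domains shared across the C&C IPs, and naming templates that can be turned into regexes to catch the next numbered sibling. The candidate remove-spyware-19.com used to show the template match is constructed, not from the post.

```python
"""Pivot the rogue-AV and fake-codec portfolios by shared C&C IP and by naming template.

Added example for this page, not code from the original posts. The records
below are a subset of what the two posts list; 'remove-spyware-19.com' is a
constructed, unseen candidate used to show the template match.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Passive-DNS style records reconstructed from the post: the first group is
# listed under both C&C IPs, the second group under 91.212.226.203 only.
ROGUE_AV_RECORDS: List[Tuple[str, str]] = [
    (d, ip)
    for d in ("remove-spyware-11.com", "remove-virus-11.com", "remove-spyware-12.com",
              "thebest-antivirus00.com", "thebest-antivirus01.com", "delete-all-virus-22.com")
    for ip in ("91.212.226.203", "94.228.209.195")
] + [
    (d, "91.212.226.203")
    for d in ("perform-antivirus-scan-1.com", "perform-antivirus-scan-6.com",
              "gloriousantivirus2014.com", "super-scanner-2004.com")
]

# Subset of the Zlob codec-themed domains from this post (the post gives no IPs for them).
ZLOB_CODEC_DOMAINS = ["redcodec.net", "democodec.com", "codecdemo.com", "codecbest.com",
                      "pornqaz.com", "xeroporn.com", "lightporn.net", "stormcodec.net"]


def pivot_by_ip(records: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group domains by the C&C IP they resolved to."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
    return dict(by_ip)


def shared_domains(records: Iterable[Tuple[str, str]], ips: Iterable[str]) -> Set[str]:
    """Domains seen on every IP in `ips`: the strongest sign of one operator behind all of them."""
    by_ip = pivot_by_ip(records)
    sets = [by_ip.get(ip, set()) for ip in ips]
    return set.intersection(*sets) if sets else set()


def counter_template(domain: str) -> str:
    """Collapse digit runs so 'remove-spyware-11.com' and 'remove-spyware-12.com' share one key."""
    return re.sub(r"\d+", "#", domain.lower())


def affix_template(domain: str, keyword: str) -> Optional[str]:
    """For brand-word domains (xxxcodec.net / codecxxx.com): keep the keyword, wildcard the rest."""
    label, _, tld = domain.lower().rpartition(".")
    if label.startswith(keyword):
        return f"{keyword}*.{tld}"
    if label.endswith(keyword):
        return f"*{keyword}.{tld}"
    return None


def cluster(domains: Iterable[str], key: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Bucket domains by a template function; singleton buckets are dropped as noise."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for d in domains:
        k = key(d)
        if k is not None:
            buckets[k].append(d)
    return {k: sorted(v) for k, v in buckets.items() if len(v) > 1}


def template_regex(template: str) -> "re.Pattern[str]":
    """Turn a counter template into an anchored regex: remove-spyware-#.com -> ^remove\\-spyware\\-\\d+\\.com$"""
    return re.compile("^" + r"\d+".join(re.escape(p) for p in template.split("#")) + "$")


def matching_template(candidate: str, templates: Iterable[str]) -> Optional[str]:
    """Return the known template a new, unseen domain falls under, or None."""
    for t in templates:
        if template_regex(t).match(candidate.lower()):
            return t
    return None


if __name__ == "__main__":
    print("on both C&C IPs:", sorted(shared_domains(ROGUE_AV_RECORDS, ["91.212.226.203", "94.228.209.195"])))
    av_clusters = cluster({d for d, _ in ROGUE_AV_RECORDS}, counter_template)
    print("rogue AV templates:", av_clusters)
    print("codec templates:", cluster(ZLOB_CODEC_DOMAINS, lambda d: affix_template(d, "codec")))
    print("remove-spyware-19.com matches:", matching_template("remove-spyware-19.com", av_clusters))
```

The counter template is the one to feed into a blocklist or a DNS-log query: a regex such as remove-spyware-\d+\.com catches the registrations that come after the post's snapshot, while the shared-IP set is what you pivot on first when a new domain in the family shows up, because the operators reuse the same hosting long after the names change.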

Historical OSINT - A Portfolio of Exploits Serving Domains

May 29, 2017
With Web malware exploitation kits continuing to proliferate, cybercriminals are poised to keep earning fraudulent revenue by monetizing access to malware-infected hosts, largely relying on the active utilization of client-side exploits to spread malicious software and potentially compromise the confidentiality, availability and integrity of the targeted host.

What used to be an ecosystem dominated by proprietary DIY (do-it-yourself) malware and exploit-generating tools is today a modern cybercrime ecosystem dominated by Web malware exploitation kits, which successfully empower novice cybercriminals with the tactics, techniques and procedures necessary to launch a fraudulent and malicious campaign potentially affecting hundreds of thousands of users globally.

In this post we'll provide actionable intelligence on currently active IcePack Web malware exploitation kit domains serving client-side exploits and malware.

Related IcePack Web Malware Exploitation Kit domains:
hxxp://seateremok.com/xc/index.php
hxxp://lskdfjlerjvm.com/ice-pack/index.php  
hxxp://formidleren.dk/domain/mere.asp  
hxxp://webs-money.info/ice-pack/index.php  
hxxp://greeetthh.com/ice-pack1/index.php
hxxp://58.65.235.153/~pozitive/ice/index.php
hxxp://iframe911.com/troy/us/sp/ice/index.php
hxxp://themusicmp3.info/rmpanfr/index.php

Related malicious MD5s known to have phoned back to the same malicious C&C server (lskdfjlerjvm.com):
MD5: 4c0958f2f9f5ff2e5ac47e92d4006452
MD5: d955372c7ef939502c43a71ff1a9f76e
MD5: 118e24ea884d375dc9f63c986a15e5df
MD5: e825a7e975a9817441da9ba1054a3e6f
MD5: 71460d4a1c7c18ec672fed56d764ebe6

Once executed, a sample (MD5: d955372c7ef939502c43a71ff1a9f76e) phones back to the following malicious C&C servers:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://tableshown.net - 208.100.26.234
hxxp://leadshown.net
hxxp://tablefood.ru
hxxp://tablefood.net - 180.210.34.47
hxxp://leadfood.net
hxxp://tablemeet.net
hxxp://leadmeet.net
hxxp://pointneck.net
hxxp://pointshown.net
hxxp://callshown.net - 212.61.180.100
hxxp://callneck.ru
hxxp://callneck.net
hxxp://ringshown.ru
hxxp://ringshown.net
hxxp://noneshown.net

We'll continue monitoring the campaigns and post updates as soon as new developments take place.

New Mobile Malware Spotted in the Wild, Hundreds of Users Affected

May 29, 2017
We've recently intercepted a currently circulating piece of mobile malware that potentially compromises the confidentiality, availability and integrity of the affected devices and spreads further malicious software on them, with the cybercriminals behind it potentially earning fraudulent revenue by monetizing access to malware-infected hosts, largely relying on an affiliate-network based revenue-sharing scheme.

In this post we'll provide actionable intelligence about the infrastructure behind it, discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, and further expand on the malicious infrastructure behind the campaign, exposing the malicious actors behind it.

Related malicious MD5s known to have participated in the campaign:
MD5: 12e6971511705b7396e4399ac46854f9
MD5: e7d6fef2f1b23cf39a49771eb277e697

Once executed, a sample phones back to the following malicious C&C server URLs:
hxxp://61.160.234.133/date/getDate
hxxp://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelId=12068000
hxxp://ccinchina.com
hxxp://117.135.133.9/source/appsource/15035916BaiduBrowser_Android_2-3-28-6_1000934d.apk?imei=
hxxp://117.135.131.9/push_4/push.action?imei=value
hxxp://61.160.242.35/pro_5/pro.action

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (61.160.234.133):
MD5: ec125a741919574b7de29889845fe648
MD5: 695db5f40c02fa4eaeda76882de6c1f8
MD5: 3281f34e42483b8a32f7a66dfed5a548
MD5: ccd0a5805a82fdccb3ebdbdc95b432e8
MD5: 07950552ddf728685b943254f390778d

Once executed, a sample phones back to the following malicious C&C servers:
hxxp://agoldcomm.plat96.com
hxxp://push7.devopenserv.com
hxxp://cloud6.uuserv10.com

g.10086.cn is known to have responded to 112.4.19.33; 221.181.195.141; 58.68.142.6; 180.150.163.149; 58.68.142.188; 58.68.142.203; 60.217.242.152; 58.68.142.232; 60.217.242.151; 112.90.217.110; 58.68.142.182; 58.68.142.183; 60.217.232.201; 58.68.142.237; 59.151.7.195

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
MD5: 15ddafe1b32dc0b476cdaac92cc3ea12
MD5: 60e7caba4395c77f88c72103aa3c14e2
MD5: 9c692a6b2fc5b0d9f468ce1a110bd296
MD5: 2beae563023a37559c3d0e2da577c517
MD5: d9f63c321e345b2b1c91a1259003cfed
MD5: 07950552ddf728685b943254f390778d

Related malicious domains known to have participated in the campaign:
hxxp://log6.devopenserv.com - 211.151.167.51
hxxp://cloud6.devopenserv.com
hxxp://pus7.devopenserv.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
MD5: 37845effed5d773252f129bd3fce588a
MD5: 08beb447853aae8655f77ddc16a5766b
MD5: 16147ec72345631cc345af69b2640578
MD5: 4fcedf07023619b21358c259d11a90cb
MD5: ab36173205aa7aeb713956b1f9ec7b26

Related malicious domains known to have participated in the campaign:
hxxp://down.devopenserv.com
hxxp://cloud.devopenserv.com
hxxp://ck6.devopenserv.com
hxxp://rck6.devopenserv.com
hxxp://img14.devopenserv.com
hxxp://dl8.devopenserv.com
hxxp://dl14.devopenserv.com
hxxp://cloud6.devopenserv.com
hxxp://push7.devopenserv.com
hxxp://dp3.devopenserv.com
hxxp://cloud2.devopenserv.com
hxxp://ck2.devopenserv.com
hxxp://dp2.devopenserv.com
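The beacon URLs and C&C hosts listed in this post and in the IcePack post above only pay off once they are run against traffic. The following is an added example written for this page, not code from the original posts. IOC_LINES reproduces a subset of those indicators in the defanged "hxxp://host/path - ip" form the posts use, and SAMPLE_LOG is a constructed, simplified proxy log (timestamp, client IP, destination IP, method, URL, status, with hypothetical internal client addresses). The scanner matches the most specific indicator first: exact beacon URL, then bare host, then destination IP, so a request that changes hostname but still lands on a listed C&C IP is still reported.

```python
"""Run the beacon URLs and C&C hosts from these posts against proxy-log lines.

Added example for this page, not code from the original posts. IOC_LINES is a
subset of the indicators the IcePack and mobile-malware posts list; SAMPLE_LOG
is constructed (simplified space-separated format, hypothetical client IPs).
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

IOC_LINES = """
hxxp://72.167.164.199/definitions/configuration.txt
hxxp://72.167.164.199/latestversion/AntiMalwarePro_appversion.txt
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://tableshown.net - 208.100.26.234
hxxp://callshown.net - 212.61.180.100
hxxp://61.160.234.133/date/getDate
hxxp://61.160.242.35/pro_5/pro.action
hxxp://push7.devopenserv.com
hxxp://log6.devopenserv.com - 211.151.167.51
"""

SAMPLE_LOG = [  # constructed log lines: timestamp client_ip dest_ip method url status
    "2017-05-29T10:00:01Z 10.0.0.12 208.100.26.234 GET http://riddenstorm.net/ 200",
    "2017-05-29T10:00:05Z 10.0.0.12 72.167.164.199 GET http://72.167.164.199/definitions/configuration.txt 200",
    "2017-05-29T10:00:09Z 10.0.0.23 93.184.216.34 GET http://www.example.com/index.html 200",
    "2017-05-29T10:00:12Z 10.0.0.31 211.151.167.51 POST http://cdn.example.net/update 200",
    "2017-05-29T10:00:15Z 10.0.0.44 61.160.234.133 GET http://61.160.234.133/date/getDate?imei=000000000000000 200",
    "2017-05-29T10:00:20Z 10.0.0.44 61.160.234.133 GET http://61.160.234.133/robots.txt 404",
]

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class IocSet:
    hosts: Set[str] = field(default_factory=set)             # bare C&C hostnames
    urls: Set[Tuple[str, str]] = field(default_factory=set)  # (host, path) beacon URLs
    ips: Set[str] = field(default_factory=set)               # resolved or literal C&C IPs


def refang(url: str) -> str:
    """Undo the 'hxxp' defanging the posts use."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def parse_iocs(text: str) -> IocSet:
    """Split defanged 'hxxp://host/path - ip' lines into host, URL and IP indicators."""
    iocs = IocSet()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        url_part, _, ip_part = raw.partition(" - ")
        parsed = urlparse(refang(url_part))
        host = (parsed.hostname or "").lower()
        if not host:
            continue
        if parsed.path and parsed.path != "/":
            iocs.urls.add((host, parsed.path))  # specific beacon: the strongest indicator
        else:
            iocs.hosts.add(host)                # the whole host is the indicator
        if IP_RE.match(host):
            iocs.ips.add(host)                  # literal IP used as the host
        if ip_part.strip():
            iocs.ips.add(ip_part.strip())       # IP the post says the host resolved to
    return iocs


def match_request(dest_ip: str, url: str, iocs: IocSet) -> Optional[Tuple[str, str]]:
    """Return (reason, indicator) for a hit, checking the most specific indicator first."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if (host, parsed.path) in iocs.urls:
        return "url", host + parsed.path
    if host in iocs.hosts:
        return "host", host
    if dest_ip in iocs.ips:
        return "dest_ip", dest_ip  # hostname changed, but the traffic still lands on known C&C IP space
    return None


def scan_log(lines: Iterable[str], iocs: IocSet) -> List[Tuple[str, str, str]]:
    """Return (client_ip, reason, indicator) for every log line that touches an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        client_ip, dest_ip, url = parts[1], parts[2], parts[4]
        hit = match_request(dest_ip, url, iocs)
        if hit:
            hits.append((client_ip, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for client, reason, indicator in scan_log(SAMPLE_LOG, parse_iocs(IOC_LINES)):
        print(f"{client} -> {reason}: {indicator}")
```

The ordering of the checks is the point: a URL hit on /definitions/configuration.txt is worth an immediate look at the client, a bare host hit is strong, and a destination-IP-only hit (the constructed cdn.example.net request that still lands on 211.151.167.51) is the one to triage rather than block outright, since shared hosting can put unrelated sites on a listed IP.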

We'll continue monitoring the campaign and post updates as soon as new developments take place.