Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2010 and I've recently intercepted a currently active malicious and fraudulent blakchat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns.

In this post I'll profile the infrastructure behind the campaign and provide actionable intelligence on the infrastructure behind it.

Sample URL redirection chain:
hxxp://noticexsummary.com/re.php?lnk=1203597664 - 87.255.55.231
- hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677 - 66.207.172.196
= hxxps://secure-signupway.com/promo/join.aspx?siteid=3388

Related malicious domains known to have participated in the campaign:
hxxp://noticexsummary.com/

Related malicious domains known to have participated in the campaign:
hxxp://online-tv-on-your-pc.com/p2/index.asp?aff=11680&camp=unsub

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another diverse portfolio of blackhat SEO domains this time serving rogue security software also known as scareware to unsuspecting users with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type of revenue sharing scheme.

In this post I'll profile the infrastructure behind the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://arnalduatis.com
hxxp://batistaluciano.com
hxxp://bethemedia.net
hxxp://bride-beautiful.com
hxxp://burgessandsons.com
hxxp://carolinacane.com
hxxp://caulfieldband.com
hxxp://improvenewark.com
hxxp://marsmellow.info
hxxp://noodlesonline.com
hxxp://queenslumber.com
hxxp://thesolidwoodflooringcompany.com
hxxp://wirelessexpertise.com
hxxp://bigbangexpress.com
hxxp://bioresonantie.net
hxxp://clubipg.com
hxxp://djdior.com
hxxp://djektoyz.com
hxxp://getraenkepool.com
hxxp://hartmanpescar.com
hxxp://hetkaashuis.com
hxxp://menno.info
hxxp://pianoaccompanistcompetition.com
hxxp://soundwitness.org
hxxp:/strijkvrij.com Continue reading →

Historical OSINT - Profiling a Portfolio of Active 419-Themed Scams

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams in particular the actual malicious actors behind the campaigns with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns.

Related malicious and fraudulent emails known to have participated in the campaign:
david_ikemba@supereme-loan-finance.com - 96.24.14.4
charles.maynard1@gmx.com - 218.31.134.111
mr.karimahmed2004@msn.com - 41.203.231.82
fedexdelivryservices@yahoo.com.hk - 89.187.142.72
chevrondisbursement@hotmail.com - 41.138.182.245
mrslindahilldesk00000@hotmail.co.uk - 41.138.188.45
natt.westt@live.com - 115.242.40.142
google11anniversary2010@live.com - 115.240.21.112
barjamessmith@qatar.io - 115.242.94.153
delata_ecobank@web2mail.com - 202.58.64.18
junhuan9@yahoo.cn - 68.190.243.51
fairlandindustryltd@mail.ru - 41.138.190.213
shkhougal@aol.com - 80.35.222.9
jamestimeswel@rogers.com - 203.170.192.4
alimubarakhm@hotmail.com - 115.134.5.245
godwinemefiele2010@hotmail.com - 41.211.229.65
skyebankplclagosnigera@gmail.com, skyebankplclagosnigera@zapak.com - 41.138.178.241
contact.alcchmb@sify.com - 116.206.153.50
officelottery94@yahoo.com.hk - 124.122.145.226
kadamluk@live.com - 41.217.65.14
garycarsonuk@w.cn - 220.225.213.221
stella_willson48@yahoo.co.uk - 82.196.5.120
trustlink@w.cn - 87.118.82.8
george201009@hotmail.com - 59.120.137.197
drmannsurmuhtarrr_155@yahoo.cn, mrstreasurecollinnsss@gmail.com - 82.114.78.222 Continue reading →

Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

It's 2010 and I've recently came across to a diverse portfolio of fake security software also known as scareware courtesy of the Koobface gang in what appears to be a direct connection between the gang's activities and the Russian Business Network.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind including the direction establishment of a direct connection between the gang's activities and a well-known Russian Business Network customer.

Related malicious domains known to have participated in the campaign:
hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166

Once executed a sample malware (MD5: eedac4719229a499b3118f87f32fae35) phones back to the following malicious C&C server IPs:
hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com

Known domains known to have responded to the same malicious C&C server IPs:
hxxp://aahsdvsynrrmwnbmpklb.cn
hxxp://dlukhonqzidfpphkbjpb.cn
hxxp://barykcpveiwsgexkitsg.cn
hxxp://bfichgfqjqrtkwrsegoj.cn
hxxp://dhbomnljzgiardzlzvkp.cn

Once executed a sample malware phones back to the following malicious C&C service IPs:
hxxp://xmiueftbmemblatlwsrj.cn
hxxp://urodinam.net - which is a well known Koobface 1.0 C&C server domain IP also seen in the "Mass DreamHost Sites Compromise" exclusively profiled in this post.
hxxp://xmiueftbmemblatlwsrj.cn

Once executed a sample malware MD5: 66dc85ad06e4595588395b2300762660; MD5: 91944c3ae4a64c478bfba94e9e05b4c5 phones back to the following malicious C&C server IPs:
hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - seen and observed in related analysis regarding the mass Embassy Web site compromise throughout 2007 and 2009.

Successfully dropping the following malicious Koobface MD5 hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe

Related malicious MD5s (MD known to have participated in the campaign:
MD5: 66dc85ad06e4595588395b2300762660
MD5: 8282ea8e92f40ee13ab716daf2430145

Once executed a sample malware phones back to the following malicious C&C server IPs:
hxxp://tehnocentr.chita.ru/.sys
hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild - Part Two

This summary is not available. Please click here to view the post. Continue reading →

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild

It's 2008 and I recently came across to a pretty decent portfolio of rogue and fraudulent malicious scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques in this particular case the airplane crash of the Polish president.

Related malicious domains known to have participated in the campaign:
hxxp://sarahscandies.com
hxxp://armadasur.com
hxxp://gayribisi.com
hxxp://composerjohnbeal.com
hxxp://preferredtempsinc.com
hxxp://ojaivalleyboys.com
hxxp://homelinkmag.com
hxxp://worldwidestones.com
hxxp://silsilaqasmia.com
hxxp://vidoemo.com
hxxp://channhu.com
hxxp://ideasenfoco.com

Related malicious domains known to have participated in the campaign:
hxxp://homeownersmoneysaver.com
hxxp://preferredtempsinc.com
hxxp://sarahscandies.com
hxxp://channhu.com
hxxp://intheclub.com
hxxp://internetcabinetsdirect.com
hxxp://silentservers.com
hxxp://ojaivalleyboys.com

Related malicious domains known to have participated in the campaign:
hxxp://indigo-post.com
hxxp://jacksonareadiscgolf.com

Related malicious domains known to have participated in the campaign:
hxxp://werodink.com
hxxp://jingyi-plastic.com
hxxp://impressionsphotographs.com

Sample URL redirection chain:
hxxp://cooldesigns4u.co.uk/sifr.php
- hxxp://visittds.com/su/in.cgi?2 - 213.163.89.55 - Email: johnvernet@gmail.com
- hxxp://scaner24.org/?affid=184 - 91.212.127.19 - Email: bobarter@xhotmail.net

Redirectors parked on 213.163.89.55 (AS49544, INTERACTIVE3D-AS Interactive3D) include:
hxxp://google-analyze.org
hxxp://alioanka.com
hxxp://robokasa.com
hxxp://thekapita.com
hxxp://rbomce.com
hxxp://kolkoman.com
hxxp://nikiten.com
hxxp://rokobon.com
hxxp://odile-marco.com
hxxp://ramualdo.com
hxxp://omiardo.com
hxxp://nsfer.com
hxxp://racotas.com
hxxp://foxtris.com
hxxp://mongoit.com
hxxp://mangasit.com
hxxp://convart.com
hxxp://baidustatz.com
hxxp://google-analyze.cn
hxxp://statanalyze.cn
hxxp://reycross.cn
hxxp://m-analytics.net
hxxp://yahoo-analytics.net

We've already seen hxxp://google-analyze.org and hxxp://yahoo-analytics.net in several related mass compromise of related Embassy Web Sites.

We'll continue monitoring the campaign and post updates as new developments take place. Continue reading →

Historical OSINT - Massive Scareware Dropping Campaign Spotted in the Wild

It's 2008 and I've recently spotted a currently circulating malicious and fraudulent scareware-serving malicious domain portfolio which I'll expose in this post with the idea to share actionable threat intelligence with the security community further exposing and undermining the cybercrime ecosystem the way we know it potentially empowering security researchers and third-party vendors with the necessary data to stay ahead of current and emerging threats.

Related malicious domains known to have participated in the campaign:
hxxp://50virus-scanner.com
hxxp://700virus-scanner.com
hxxp://antivirus-test66.com
hxxp://antivirus200scanner.com
hxxp://antivirus600scanner.com
hxxp://antivirus800scanner.com
hxxp://antivirus900scanner.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://inetproscan031.com
hxxp://internet-scan020.com
hxxp://novirus-scan00.com
hxxp://stopvirus-scan11.com
hxxp://stopvirus-scan13.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan33.com
hxxp://virus66scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://antivirus-scan200.com
hxxp://antispy-scan200.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://antivirus-scan400.com
hxxp://antispy-scan400.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://antivirus-scan600.com
hxxp://antispy-scan600.com
hxxp://antivirus-scan700.com
hxxp://antispy-scan700.com
hxxp://av-scanner700.com
hxxp://antispy-scan800.com
hxxp://antivirus-scan900.com
hxxp://novirus-scan00.com
hxxp://stop-virus-010.com
hxxp://spywarescan010.com
hxxp://antispywarehelp010.com
hxxp://internet-scan020.com
hxxp://internet-scanner020.com
hxxp://insight-scan20.com
hxxp://internet-scanner030.com
hxxp://stop-virus-040.com
hxxp://internet-scan040.com
hxxp://insight-scan40.com
hxxp://internet-scan050.com
hxxp://internet-scanner050.com
hxxp://insight-scan60.com
hxxp://stop-virus-070.com
hxxp://internet-scan070.com
hxxp://internet-scanner070.com
hxxp://insight-scan80.com
hxxp://stop-virus-090.com
hxxp://internet-scan090.com
hxxp://internet-scanner090.com
hxxp://insight-scan90.com
hxxp://antispywarehelpk0.com
hxxp://inetproscan001.com
hxxp://novirus-scan01.com
hxxp://spyware-stop01.com
hxxp://antivirus-inet01.com
hxxp://stopvirus-scan11.com
hxxp://inetproscan031.com
hxxp://novirus-scan31.com
hxxp://antivirus-inet31.com
hxxp://novirus-scan41.com
hxxp://antivirus-inet41.com
hxxp://antivirus-inet51.com
hxxp://inetproscan061.com
hxxp://novirus-scan61.com
hxxp://inetproscan081.com
hxxp://novirus-scan81.com
hxxp://inetproscan091.com
hxxp://spyware-stopb1.com
hxxp://spyware-stopm1.com
hxxp://spyware-stopn1.com
hxxp://spyware-stopz1.com
hxxp://antispywarehelp002.com
hxxp://antispywarehelp022.com
hxxp://novirus-scan22.com
hxxp://antispywarehelpk2.com
hxxp://insight-scanner2.com
hxxp://spywarescan013.com
hxxp://stopvirus-scan13.com
hxxp://novirus-scan33.com
hxxp://stopvirus-scan33.com
hxxp://antispywarehelp004.com
hxxp://antispywarehelpk4.com
hxxp://spywarescan015.com
hxxp://novirus-scan55.com
hxxp://insight-scanner5.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan66.com
hxxp://antispywarehelpk6.com
hxxp://spywarescan017.com
hxxp://insight-scanner7.com
hxxp://antispywarehelp008.com
hxxp://spywarescan018.com
hxxp://stopvirus-scan18.com
hxxp://novirus-scan88.com
hxxp://stopvirus-scan88.com
hxxp://antivirus-test88.com
hxxp://antispywarehelpk8.com
hxxp://insight-scanner8.com
hxxp://insight-scanner9.com
hxxp://10scanantispyware.com
hxxp://20scanantispyware.com
hxxp://30scanantispyware.com
hxxp://60scanantispyware.com
hxxp://80scanantispyware.com
hxxp://2scanantispyware.com
hxxp://3scanantispyware.com
hxxp://5scanantispyware.com
hxxp://7scanantispyware.com
hxxp://8scanantispyware.com
hxxp://spyware200scan.com
hxxp://spyware500scan.com
hxxp://spyware800scan.com
hxxp://spyware880scan.com
hxxp://50virus-scanner.com
hxxp://90virus-scanner.com
hxxp://antivirus900scanner.com
hxxp://antivirus10scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://net001antivirus.com
hxxp://net011antivirus.com
hxxp://net111antivirus.com
hxxp://net021antivirus.com
hxxp://net-02antivirus.com
hxxp://net222antivirus.com
hxxp://net-04antivirus.com
hxxp://net-05antivirus.com
hxxp://net-07antivirus.com

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

HIstorical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang actively serving fake security software also known as scareware to a variety of users with the majority of malicious software conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP successfully hosting a diverse portfolio of fake security software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Sample malware known to have participated in the campaign:
installer.1.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; Mal/FakeAV-CQ - Result: 9/40 (22.50%)

Related malicious phone back C&C server IPs:
hxxp://av-plusonline.org/install/avplus.dll
hxxp://av-plusonline.org/cb/real.php?id=

Related malicious MD5s known to have participated in the campaign:
avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Result: 6/39 (15.39%)

It's gets even more interesting as hxxp://fast-payments.com - 91.188.59.27 is parked within Koobface botnet's 1.0 phone back locations (hxxp://urodinam.net) and is also hosted within the same netblock at 91.188.59.10.

Sample related malicious URLs known to have participated in the campaign:
hxxp://urodinam.net/33t.php?stime=125558
- hxxp://91.188.59.10/opa.exe -MD5: d4aacc8d01487285be564cbd3a4abc76 - Downloader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25%)

Once executed a sample malware phones back to the following malicious C&C server IPs:
hxxp://aburvalg.com/new1.php - 64.27.0.237
- hxxp://fucking-tube.net

The following domains use it as a name server:
hxxp://ns1.addedantivirus.com

Related malicius domains known to have responded to the same malicious name server:
hxxp://antiviralpluss.org
hxxp://antivirspluss.org
hxxp://avonlinescanerr.org
hxxp://online-scannerr.org
hxxp://onlinescanerr.org
hxxp://onlinescannerr.org
hxxp://pretection-page.org
hxxp://sys-mesage.org
hxxp://av-plus-online.org
hxxp://av-plusonline.org
hxxp://avplus-online.org
hxxp://avplusonline.org
hxxp://avplussonline.org
hxxp://protecmesages.org
hxxp://protect-mesagess.org
hxxp://protectmesages.org
hxxp://protectmesagess.org
hxxp://protectmessages.org
hxxp://avplus24support.com
hxxp://searchwebway4.com
hxxp://searchwebway5.com
hxxp://searchwebway10.com
hxxp://searchwebway9.com
hxxp://searchwebway6.com

Related malicious URLs known to have participated in the campaign:
hxxp://avplus-online.org/buy.php?id=
- hxxp://fast-payments.com/index.php?prodid=antivirplus_02_01&afid=

Related malicious domains known to have participated in the campaign:
hxxp://antiviruspluss.org
hxxp://avplusscanner.org
hxxp://protection-messag.org
hxxp://antivirs-pluss.org
hxxp://antiviru-pluss.org
hxxp://antivirus-p1uss.org
hxxp://protection-mesage.org
hxxp://sysstem-mesage.org
hxxp://system-message.org
hxxp://antiviral-pluss.org
hxxp://av-onlinescanner.org
hxxp://avonlinescanner.org
hxxp://avonlinescannerr.org
hxxp://avp-scanner.org
hxxp://avp-scannerr.org
hxxp://avp-sscaner.org
hxxp://avp-sscannerr.org
hxxp://avplscaner-online.org
hxxp://avplscanerr-online.org
hxxp://avplsscannerr.org
hxxp://avplus-scanerr.org
hxxp://online-protection.org
hxxp://antivirupluss.org
hxxp://syssmessage.org
hxxp://avonlinescanerr.org
hxxp://online-scannerr.org
hxxp://onlinescanerr.org
hxxp://onlinescannerr.org
hxxp://av-scanally.org
hxxp://av-scaner-online.org
hxxp://av-scaner-online3k.org
hxxp://av-scaner-onlineband.org
hxxp://av-scaner-onlinebody.org
hxxp://av-scaner-onlinebuzz.org
hxxp://av-scaner-onlinecabin.org
hxxp://av-scaner-onlinecrest.org
hxxp://av-scaner-onlinefolk.org
hxxp://av-scaner-onlineplan.org
hxxp://av-scaner-onlinesite.org
hxxp://iav-scaner-online.org
hxxp://netav-scaner-online.org
hxxp://techav-scaner-online.org
hxxp://antivirspluss.org
hxxp://sys-mesage.org
hxxp://antiviralpluss.org
hxxp://pretection-page.org
hxxp://av-scaner-onlinefairy.org
hxxp://av-scaner-onlinegrinder.org
hxxp://av-scaner-onlinehistory.org
hxxp://av-scaner-onlineicity.org
hxxp://av-scaner-onlinemachine.org
hxxp://av-scaner-onlinepeople.org
hxxp://av-scaner-onlineretort.org
hxxp://av-scaner-onlinereview.org
hxxp://av-scaner-onlinetopia.org
hxxp://directav-scaner-online.org
hxxp://expertav-scaner-online.org
hxxp://orderav-scaner-online.org
hxxp://speedyav-scaner-online.org
hxxp://thriftyav-scaner-online.org
hxxp://timesav-scaner-online.org
hxxp://411online-scanner-free.org
hxxp://dynaonline-scanner-free.org
hxxp://fastonline-scanner-free.org
hxxp://homeonline-scanner-free.org
hxxp://online-scanner-freebin.org
hxxp://online-scanner-freebuy.org
hxxp://online-scanner-freelook.org
hxxp://online-scanner-freemap.org
hxxp://online-scanner-freemeet.org
hxxp://online-scanner-freesite.org
hxxp://online-scanner-freetent.org
hxxp://online-scanner-freeu.org
hxxp://online-scanner-freevolt.org
hxxp://onlinescannerfree.org
hxxp://av-plus-online.org
hxxp://protecmesages.org
hxxp://av-onlicity.org
hxxp://av-online-scanner.org
hxxp://av-online-scannerbid.org
hxxp://av-online-scannercrest.org
hxxp://av-online-scannerfolk.org
hxxp://av-online-scannergate.org
hxxp://av-online-scannerland.org
hxxp://av-online-scannerpc.org
hxxp://av-online-scannersite.org
hxxp://av-online-scannerweek.org
hxxp://av-online-scannerwing.org
hxxp://infoav-online-scanner.org
hxxp://shopav-online-scanner.org
hxxp://theav-online-scanners.org
hxxp://avplus-online.org
hxxp://protectmesages.org
hxxp://av-scaner.org
hxxp://av-scaners.org
hxxp://av-scanner.org
hxxp://av-scanners.org
hxxp://avplussonline.org
hxxp://avscaner.org
hxxp://avscaners.org
hxxp://avscanner.org
hxxp://avscanners.org
hxxp://eav-scaner.org
hxxp://eav-scaners.org
hxxp://eav-scanner.org
hxxp://eav-scanners.org
hxxp://myav-scaner.org
hxxp://myav-scaners.org
hxxp://myav-scanner.org
hxxp://myav-scanners.org
hxxp://protectmessages.org
hxxp://avplusonline.org
hxxp://av-plusonline.org
hxxp://protect-mesagess.org

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang successfully exposing hundreds of thousands of users to a multi-tude of malicious software.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in the depth the tactics techniques and procedures of the cybercriminals behind it.

Sample domains known to have participated in the campaign:
hxxp://jhpegdueeunz.55fast.com
hxxp://vzhusyeeaubk.55fast.com
hxxp://cvzizliiustw.55fast.com
hxxp://zetaswuiouax.55fast.com
hxxp://shzopfioarpd.55fast.com
hxxp://nqpubruioeat.55fast.com
hxxp://krrepteievdr.55fast.com
hxxp://gtoancoiuyqv.55fast.com
hxxp://felopfooaydk.55fast.com
hxxp://dknejxaeozjb.55fast.com
hxxp://ljperwaaoxjs.55fast.com
hxxp://hxmagxaeulbn.55fast.com
hxxp://mueombooikgp.55fast.com
hxxp://gluezneoolhs.55fast.com
hxxp://ptpodseeanvk.55fast.com
hxxp://jgdeyraoojdr.55fast.com
hxxp://kjsetqaoojdr.55fast.com
hxxp://kvuelveuicmn.55fast.com
hxxp://ywoamnooikfp.55fast.com
hxxp://dnkopgioawss.55fast.com
hxxp://qjtepyaoigts.55fast.com
hxxp://fdsudpeeewam.55fast.com
hxxp://qumobxoiigst.55fast.com
hxxp://fkvahzaeibbz.55fast.com
hxxp://lxxikhiuutwm.55fast.com
hxxp://meboczoiikgy.55fast.com
hxxp://mevoxliiidyq.55fast.com
hxxp://hxvoysaoozhp.55fast.com
hxxp://wiaabcoookfs.55fast.com
hxxp://wlbatgeeiohc.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://narezxaauggf.55fast.com
hxxp://gdsetqaoocks.55fast.com
hxxp://ptxihhiiihpq.55fast.com
hxxp://ramilhueamxg.55fast.com
hxxp://vvnoxliiigsp.55fast.com
hxxp://ywweypeaeemz.55fast.com
hxxp://rqqetweeupwn.55fast.com
hxxp://fprewmaoojpn.55fast.com
hxxp://kbmahjiiigpw.55fast.com
hxxp://romozjuuurov.55fast.com
hxxp://tmxufseaacks.55fast.com
hxxp://viaegjiooeun.55fast.com
hxxp://znmasdiiicbc.55fast.com
hxxp://gdbiczooaoaw.55fast.com
hxxp://boqegkooouom.55fast.com
hxxp://xncoxloiiwrm.55fast.com
hxxp://flxowreuuhkb.55fast.com
hxxp://zzkihgiuupwb.55fast.com
hxxp://gxcobmeeuvls.55fast.com
hxxp://wygimweuizxz.55fast.com
hxxp://winowmeaoxhy.55fast.com
hxxp://hhpewmaoidtm.55fast.com
hxxp://nemoxloiixlh.55fast.com
hxxp://bvbowvooigtq.55fast.com
hxxp://pgmassuiixvx.55fast.com
hxxp://vbxoxkiiijst.55fast.com
hxxp://clnobhaoobzf.55fast.com
hxxp://proawnaoozxf.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://romwrpueerr.007gb.com
hxxp://rtperweaauux.5nxs.com
hxxp://prougpeeabzd.hostevo.com
hxxp://stwermoiigwc.10fast.net
hxxp://znmasdiiicbc.55fast.com
hxxp://gjxotyuuobmv.007sites.com

Sample malicious domains known to have participated in the campaign:
hxxp://dpfujhiuijhd.hostevo.com
hxxp://gfhizliiikjd.hostevo.com
hxxp://driozkuueqic.hostevo.com
hxxp://rrkihfuuuspr.hostevo.com
hxxp://xzkikhueeivf.hostevo.com
hxxp://trqawmaookgp.hostevo.com
hxxp://hggudseuerqn.hostevo.com
hxxp://phveflaeulmn.hostevo.com
hxxp://cvxiljiuuyrm.hostevo.com
hxxp://fdseffuueqiv.hostevo.com
hxxp://dsteyraaaxgr.hostevo.com
hxxp://pfjocbeuiznb.hostevo.com
hxxp://ccziljiuurab.hostevo.com

Sample malicious domains known to have participated in the campaign:
hxxp://jgfuspeeeauc.hostevo.com
hxxp://grioxhueoxlf.hostevo.com
hxxp://dpdilkiiihfy.hostevo.com
hxxp://miuonbaoifwv.hostevo.com
hxxp://fpteymoiuqmj.hostevo.com
hxxp://dyoovziuebvj.hostevo.com
hxxp://rpdojzaaesgg.hostevo.com
hxxp://zzkuhguuewib.hostevo.com
hxxp://bqyunruiaecw.hostevo.com
hxxp://sruoljiuurqb.hostevo.com
hxxp://stratreaaebk.hostevo.com
hxxp://kjsetwaookdt.hostevo.com
hxxp://prougpeeabzd.hostevo.com
hxxp://nrfitdioaoyd.hostevo.com
hxxp://cxligdueewoc.hostevo.com
hxxp://tqaawmaoamvj.hostevo.com
hxxp://qunoxliiifyw.hostevo.com
hxxp://zkfusteaanch.hostevo.com
hxxp://qumobcooozjf.hostevo.com
hxxp://sqqawmaaamvj.hostevo.com
hxxp://klguyraoojdr.hostevo.com
hxxp://fspespueeiez.hostevo.com
hxxp://sjcadjoaepfh.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://sjcadjoaepfh.55fast.com
hxxp://pkbadlaeujcv.55fast.com
hxxp://vnvocziiifst.55fast.com
hxxp://wauanbooikfy.55fast.com
hxxp://yovikdeaanch.55fast.com
hxxp://jvuelvaeukcc.55fast.com
hxxp://lkgufpeeaunz.55fast.com
hxxp://kjfufseeeiml.55fast.com
hxxp://bmmoxliiifdt.55fast.com
hxxp://nqtuxneuixbb.55fast.com
hxxp://wioabnaoikfp.55fast.com
hxxp://ssdikzaaaiiq.55fast.com
hxxp://rwaammaaeowm.55fast.com
hxxp://ljifsueaumz.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://lljifsueaumz.55fast.com
hxxp://nbzigpeaoksq.55fast.com
hxxp://mvjufraoidqb.55fast.com
hxxp://hgdupraoisqc.55fast.com
hxxp://khdudseeeauc.55fast.com
hxxp://fspetwaaabxh.55fast.com
hxxp://tqoavxoiidyq.55fast.com
hxxp://xeaubwuiardg.55fast.com
hxxp://nbvoncooolhp.55fast.com
hxxp://wexigpaoambl.55fast.com
hxxp://klhuggiuufdt.55fast.com
hxxp://dxwetteoigst.55fast.com
hxxp://glvashoaeygj.55fast.com
hxxp://xmoejcaeujxc.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://jfsfkfuueqw.007gb.com
hxxp://bbxcimoiify.007gb.com
hxxp://ljgjxkueewi.007gb.com
hxxp:///xzkgkguueaa.007gb.com
hxxp://wmhjvkuaabj.007gb.com
hxxp://yqbzmciuupt.007gb.com
hxxp://lvxvieaoizj.007gb.com
hxxp://srnvuioookf.007gb.com
hxxp://melhlhueeqe.007gb.com
hxxp://lkhjclueuwa.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://lkhjclueuwa.007gb.com
hxxp://bvgsfyaooxh.007gb.com
hxxp://xbkhceeuifd.007gb.com
hxxp://ywncmvoiojf.007gb.com
hxxp://kjptpwaaacl.007gb.com
hxxp://gpmcumooavx.007gb.com
hxxp://dpwnaioookf.007gb.com
hxxp://stqnaiaoihd.007gb.com
hxxp://fspygfuuerq.007gb.com
hxxp://wbgtsyeaamb.007gb.com
hxxp://fprmwoaaavl.007gb.com
hxxp://mmxlnvoiijd.007gb.com
hxxp://vvllnmooocl.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://vvllnmooocl.007gb.com
hxxp://zlgsgpeaabz.007gb.com
hxxp://ccjfxleeewq.007gb.com
hxxp://cvhfjguueqi.007gb.com
hxxp://lhprsraaack.007gb.com
hxxp://razzbciiupt.007gb.com
hxxp://rancoeooozh.007gb.com
hxxp://muczimoooxh.007gb.com
hxxp://tphotdioetdf.hostevo.com
hxxp://vvxifpeaocks.hostevo.com
hxxp://jjhillooolhf.hostevo.com
hxxp://bzxixliiudpr.hostevo.com
hxxp://xmvovxooozhp.hostevo.com
hxxp://proocziuuprm.hostevo.com
hxxp://qebovziuuswb.hostevo.com
hxxp://xzhusteaabzs.hostevo.com
hxxp://bbbovxiuifyq.hostevo.com

Sample malicious domains known to have participated in the campaign:
hxxp://dpretqaoocjy.hostevo.com
hxxp://ywaaqbaoozjs.5nxs.com
hxxp://fsyepteaaenl.5nxs.com
hxxp://jhgufpeeeaic.5nxs.com
hxxp://dsterqaaoczg.5nxs.com
hxxp://rivilhueeiuc.5nxs.com
hxxp://znouxneuaayd.5nxs.com
hxxp://kkgijguueonh.5nxs.com
hxxp://khsamvooihdt.5nxs.com
hxxp://nncikgueaflg.5nxs.com
hxxp://fdpixnaaaoiv.5nxs.com
hxxp://zzzikhiiihfy.5nxs.com
hxxp://sqaayteaaimz.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://tquambooilhs.5nxs.com
hxxp://gdtaqboiojdt.5nxs.com
hxxp://queoxliuudtq.5nxs.com
hxxp://vbcokloiikhs.5nxs.com
hxxp://raoadpiuigst.5nxs.com
hxxp://qevijfueeibj.5nxs.com
hxxp://kjlicvoooncj.5nxs.com
hxxp://sroavlueeixd.5nxs.com
hxxp://xxlijkiuuyqm.5nxs.com
hxxp://vvcijreaaenl.5nxs.com
hxxp://zzkigdueurab.5nxs.com
hxxp://zxkigdueeoel.5nxs.com
hxxp://tqoanvooijfy.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://wnxufpeaaevj.5nxs.com
hxxp:///ptaamboiihsw.5nxs.com
hxxp://vbxijhueurix.5nxs.com
hxxp://fpkijxiiidox.5nxs.com
hxxp://streqwaooxcg.5nxs.com
hxxp://ptyewmaoolgy.5nxs.com
hxxp://hgyeqboiihpw.5nxs.com
hxxp://cxjijgueeaez.5nxs.com
hxxp://woeobvoiihdt.5nxs.com
hxxp://bcxixjueuqmj.5nxs.com
hxxp://mmvobxoiihdr.5nxs.com
hxxp://prqawnaoozgy.5nxs.com
hxxp://xzkugsueeunk.5nxs.com
hxxp://vvbovxiiidym.5nxs.com
hxxp://qinozkiuidyw.5nxs.com
hxxp://tpdumweuughh.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://tpdumweuughh.5nxs.com
hxxp://zkfudpeaaech.5nxs.com
hxxp://vvcijfueeamk.5nxs.com
hxxp://jkhihdiuuypw.5nxs.com
hxxp://womancoiuyav.5nxs.com
hxxp://sfkoyfooepgh.5nxs.com
hxxp://zzhetqaooxkd.5nxs.com
hxxp://czjudyeaacjp.5nxs.com
hxxp://gssudpeaaecg.5nxs.com
hxxp://wiuobvooozjp.5nxs.com
hxxp://twaamnaookhd.5nxs.com
hxxp://bbvocloiigsr.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://dspugduuuytm.5nxs.com
hxxp://kljigdueeqic.5nxs.com
hxxp://gpioxhuuutav.5nxs.com
hxxp://wouavcooiyil.5nxs.com
hxxp://mevoxliuuyrm.5nxs.com
hxxp://xvcocxoiojfy.5nxs.com
hxxp://zljudyeaaunl.5nxs.com
hxxp://woaabcoiusst.5nxs.com
hxxp://dppudpeeewmh.5nxs.com
hxxp://zzhustueequk.5nxs.com
hxxp://quboczoiolgd.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://kdwetmoiuics.5nxs.com
hxxp://jgfudseeerqb.5nxs.com
hxxp://qunolhueeonx.5nxs.com
hxxp://khdusyeaaeez.5nxs.com
hxxp://bvcikgueequx.5nxs.com
hxxp://xzjupteaovzg.5nxs.com
hxxp://rmludpueoebj.5nxs.com
hxxp://pfyupteeeauz.5nxs.com
hxxp://qqreqnoeewhs.5nxs.com
hxxp://ysfuyraaaczs.5nxs.com
hxxp://ljdudyeaamcj.5nxs.com
hxxp://vbvovziiustm.5nxs.com
hxxp://gffugdueeibz.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://bnjdzkiuuyw.007gb.com
hxxp://dpppdpeeeii.007gb.com
hxxp://zzfdhdeeeoe.007gb.com
hxxp://hhhhzciuusa.007gb.com
hxxp://dpmlbkiuuta.007gb.com
hxxp://ccgsgpeaaev.007gb.com
hxxp://vbzxecoiuso.007gb.com
hxxp://nbkfhdeaack.007gb.com
hxxp://bmvcaoeeaoe.007gb.com
hxxp://xchfggiuewq.007gb.com
hxxp://jgypgpeaoxh.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://jgypgpeaoxh.007gb.com
hxxp://hdstpraoojd.007gb.com
hxxp://nnkkvziiigh.007gb.com
hxxp://qwyduquuoeo.007gb.com
hxxp://jhgdkzooobn.007gb.com
hxxp://ljyqweoiihf.007gb.com
hxxp://xzfdfsueaux.007gb.com
hxxp://kjfhzjueeae.007gb.com
hxxp://tanbuoeaanb.007gb.com
hxxp://rammooaaocx.007gb.com
hxxp://gsmxmlueoht.007gb.com
hxxp://xxjgkguueuu.007gb.com
hxxp://jgppfpeeaev.007gb.com
hxxp://xzfpfpeaozh.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://khsphdueaev.007gb.com
hxxp://wabnieoiikg.007gb.com
hxxp://rojshgeoisw.007gb.com
hxxp://zlhffgueaec.007gb.com
hxxp://quxxmnoiokd.007gb.com
hxxp://rpsdkzoeeqq.007gb.com
hxxp://rozfksaoiht.007gb.com
hxxp://vvzkcviiuru.007gb.com
hxxp://ptgdghueedq.007gb.com
hxxp://xvjhcliuufi.007gb.com
hxxp://ywqntweaeqo.007gb.com
hxxp://mubwqaaaoxl.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://quzjlgueeib.007gb.com
hxxp://fdyttteeaou.007gb.com
hxxp://xxjggseeeom.007gb.com
hxxp://robvimoiikg.007gb.com
hxxp://hgspsyeeanx.007gb.com
hxxp://nbzkckueein.007gb.com
hxxp://syfdgmoiipy.007gb.com
hxxp://nmkjzjueequ.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://nmkjzjueequ.007gb.com
hxxp://ytwqyteaaen.007gb.com
hxxp://kgdfkhuuuyq.007gb.com
hxxp://zbcvieaoocc.007gb.com
hxxp://sywrdpeeeie.007gb.com
hxxp://prnmwaaaamm.007gb.com
hxxp://djddhfuuilc.007gb.com
hxxp://wibnuboiusw.007gb.com
hxxp://muclmboiigd.007gb.com
hxxp://vvlkevoiidy.007gb.com
hxxp://xhprrteaaun.007gb.com
hxxp://bncvoeaaauu.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://ravhzluuewo.007gb.com
hxxp://gsywptaaabz.007gb.com
hxxp://xxkzbcoiijd.007gb.com
hxxp://mevirwaaovlf.hostevo.com
hxxp://roboxloiihdt.007sites.com
hxxp://rauonbooozkf.007sites.com
hxxp://ywiatreeewam.007sites.com
hxxp://nxfetmaoolfr.007sites.com
hxxp://gkmelbeuoear.007sites.com
hxxp://mmcigsueeexg.007sites.com
hxxp://vxxiljoioxxg.10fast.net
hxxp://jgsuspeeeaic.10fast.net
hxxp://qenocxiiihsr.10fast.net
hxxp://lklilliiigdt.10fast.net
hxxp://hgdepreaamzs.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://gffupteaaebj.10fast.net
hxxp:///kljigfuuugfp.10fast.net
hxxp://raianvoiokgy.10fast.net
hxxp://rtqerqeaamcg.10fast.net
hxxp://gfdugdeaavls.10fast.net
hxxp://ddterboiugsr.10fast.net
hxxp://jgpewnoiihpq.10fast.net
hxxp://kjfpfseeeqo.007gb.com
hxxp://wubcmciuuya.007gb.com
hxxp://quzkxvooift.007gb.coml
hxxp://nblhlheaaum.007gb.com
hxxp://cclxnciuupq.007gb.com
hxxp://nbhkckueeib.007gb.com
hxxp://hgddxliuudp.007gb.com
hxxp://winilhueuwiz.10fast.net
hxxp://queocliuupqv.10fast.net
hxxp://gdtaqboiihhs.10fast.net
hxxp://bbvovbaaancg.10fast.net
hxxp://fpramvoiiftm.10fast.net
hxxp://fjliljiiizhp.10fast.net
hxxp://gspedpeeeiel.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://fssukjaoanbx.5nxs.com
hxxp://ptaawviuuppw.5nxs.com
hxxp://llxozkoiikdq.5nxs.com
hxxp://kkkijguuuquz.5nxs.com
hxxp://womobciiiftn.5nxs.com
hxxp://vvcikgueequl.5nxs.com
hxxp://zzzoxcooozzl.5nxs.com
hxxp://wuuocziuupwn.5nxs.com
hxxp://hfyeqnoiiftm.5nxs.com
hxxp://sttewboookgy.5nxs.com
hxxp://ghhusteaozgt.5nxs.com
hxxp://fjzoqtuuukiw.5nxs.com
hxxp://muuaqciueomz.5nxs.com
hxxp://fsfugduuutav.5nxs.com
hxxp://jgdeywaoocks.5nxs.com
hxxp://raniljuuurix.5nxs.com
hxxp://pabikhueamcg.5nxs.com
hxxp://gsteqbooikdr.5nxs.com
hxxp://llhugfuuerab.5nxs.com
hxxp://dspeyyeeeauv.5nxs.com
hxxp://xzkixhuaoczg.5nxs.com
hxxp://rouawmaaammz.5nxs.com
hxxp://kxlijjiuuspt.5nxs.com
hxxp://xzliljiuifyw.5nxs.com
hxxp://vvvilhiueqac.5nxs.com
hxxp://tovikhiiufdt.5nxs.com
hxxp://ttretreeuhgs.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://ypserreeuytq.5nxs.com
hxxp://xxzijkiiikkf.5nxs.com
hxxp://bvzoknaoigpm.5nxs.com
hxxp://nnxihduuutqv.5nxs.com
hxxp://muzidyeeeevh.5nxs.com
hxxp://tpdufhiiidrn.5nxs.com
hxxp://ffpupteeeaqd.5nxs.com
hxxp://bbxigseeolpm.5nxs.com
hxxp://gsdugpeaeibj.5nxs.com
hxxp://pwteyyeaamcg.5nxs.com
hxxp://zxcoljiiigpw.5nxs.com
hxxp://bmacxoiixjs.5nxs.com
hxxp://twqawmaooczf.5nxs.com
hxxp://bbrartuauhjh.5nxs.com
hxxp://dtiolhueeexd.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://gdduhgiiikhd.5nxs.com
hxxp://ryquhfuuuypr.5nxs.com
hxxp://sfhijkiuusrn.5nxs.com
hxxp://staennaoolgy.5nxs.com
hxxp://vvvoczooolzg.5nxs.com
hxxp://bmnokgueequz.5nxs.com
hxxp://proocxoiigds.5nxs.com
hxxp://ptwepwaoozht.5nxs.com
hxxp://fsdufpeeeovg.5nxs.com
hxxp://dtlidwoiuyoz.5nxs.com
hxxp://kvyamboiuhsr.5nxs.com
hxxp://kvmardioetyp.5nxs.com
hxxp://taniljueuwul.5nxs.com
hxxp://jvnartuuixvx.5nxs.com
hxxp://qubijgiuutac.5nxs.com

Sample malicious domains known to have participated in the campaigns:
hxxp://qebocziuidfy.10fast.net
hxxp://gffudpeeeauc.10fast.net
hxxp://vbjustaiurox.10fast.net
hxxp://jgyuptaoutic.10fast.net
hxxp://lkhighueeevk.10fast.net
hxxp://ptpudreeeobz.10fast.net
hxxp://meeambaooxls.10fast.net
hxxp://yrreyraaovld.10fast.net
hxxp://kkdutwaoobzd.10fast.net
hxxp://czxitbouuquz.10fast.net
hxxp://lvbovnaoozjp.10fast.net
hxxp://wiiambaookdt.10fast.net
hxxp://zxkijgueaecg.10fast.net
hxxp://ywqawqaoovzh.10fast.net
hxxp://gzoukwuuizbv.10fast.net
hxxp://roiabcoiigpq.10fast.net
hxxp://vvlufseaavld.10fast.net
hxxp://hgpusyeaamxg.10fast.net
hxxp://kkkikziiifyq.10fast.net
hxxp://dtqaczoiuswb.10fast.net
hxxp://llzozxoiigpw.10fast.net
hxxp://nmcijkiuuobg.10fast.net
hxxp://mnxijliuusrm.10fast.net
hxxp://quuanbooikfy.10fast.net
hxxp://xxzijhuueuex.10fast.net
hxxp://gsyepyeaaubk.10fast.net
hxxp://tqoaqmaoigsr.10fast.net
hxxp://cvbocziiikgp.10fast.net
hxxp://gdyepteaancj.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://qibocziuewuz.10fast.net
hxxp://qrkargoaatsf.10fast.net
hxxp://zzdeymaoifyq.10fast.net
hxxp://noeancoiutac.10fast.net
hxxp://qunovnaaammb.10fast.net
hxxp://gffugdeeeibk.10fast.net
hxxp://cmvijsueenls.10fast.net
hxxp://tqaeryeaanxj.10fast.net
hxxp://xmuambiiifyt.10fast.net
hxxp://cvnanneeesff.10fast.net
hxxp://muuaqbooolfy.10fast.net
hxxp://qimacvaaetyr.10fast.net
hxxp://vxfutqaoihsw.10fast.net
hxxp://ywreyruuuhhg.10fast.net
hxxp://fdteyteeeoel.10fast.net
hxxp://ywianvoiupwc.10fast.net
hxxp://zlgeyraoobls.10fast.net
hxxp://zkhujdeaojpm.10fast.net
hxxp://kjfufduuutqm.10fast.net
hxxp://xxjudpueewiz.10fast.net
hxxp://rooewmeaamcg.10fast.net
hxxp://hffugdueeink.10fast.net
hxxp://xmcoxzoiikkd.10fast.net
hxxp://lllizkuiifyq.10fast.net
hxxp://xmuapsuiovnb.10fast.net
hxxp://tquanvoiuyqv.10fast.net
hxxp://kvnartuuujlk.10fast.net
hxxp://lllikhioozjf.10fast.net
hxxp://yrreypeeamck.10fast.net
hxxp://glhihfueaeck.10fast.net

Sample malicious domains known to have participate in the campaign:
hxxp://goadult.info/go.php?sid=13 -> -> hxxp://goadult.info/go.php?sid=9 -&gt -> hxxp://r2606.com/go/?pid=30937 -> which is a well known Koobface 1.0 command and control server domain.

Related malicious redirectors known to have participated in the campaign:
hxxp://goadult.info - 78.109.28.16 - tech@goadult.info
hxxp://go1go.net - 174.36.214.32 - tech@go1go.net
hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info Continue reading →

HIstorical OSINT - PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating

This summary is not available. Please click here to view the post. Continue reading →

Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware

It's 2010 and I've recently intercepted a wide-spread Bebo malicious malware-serving campaign successfully enticing users into interacting with the fraudulent and malicious content potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.

Sample malicious domains known to have participated in the campaign:
hxxp://boss.gozbest.net/xd.html - 216.32.83.110
hxxp://tafficbots.com/in.cgi?6
hxxp://bolapaqir.com/in.cgi?2
hxxp://mybig-porn.com/promo4/?aid=1339

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Historical OSINT - Chinese Government Sites Serving Malware

It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it.

Compromised Chinese government Web site:
hxxp://nynews.gov.cn

Sample malicious domains known to have participated in the campaign:
hxxp://game1983.com/index.htm
hxxp://sp.070808.net/23.htm
hxxp://higain-hitech.com/mm/index.html

Currently affected Chinese government Web sites:
hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191
hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm
hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Historical OSINT - Calling Zeus Home

Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I'll provide historical OSINT on various ZeuS-themed malicious and fraudulent campaigns intercepted throughout 2008 and provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have participated in the campaign:
hxxp://myxaxa.com/z/cfg.bin
hxxp://dokymentu.info/zeus/cfg.bin
hxxp://online-traffeng.com/zeus/cfg.bin
hxxp://malwaremodel.biz/zeus/cfg.bin
hxxp://giftcardsbox.com/web/cfg.bin
hxxp://d0rnk.com/cfg.bin
hxxp://rfs-group.net/cool/cfg.bin
hxxp://62.176.16.19/11/cfg.bin
hxxp://81.95.149.74/demo/cfg.bin
hxxp://66.235.175.5/.cs/cfg.bin
hxxp://208.72.169.152/web/cfg.bin
hxxp://antispyware-protection.com/web/cfg.bin
hxxp://s0s1.net/web/cfg.bin
hxxp://208.72.169.151/admin/cfg.bin
hxxp://1ntr0.com/zuzu/cfg.bin
hxxp://88.255.90.170/bt/fiz/cfg.bin
hxxp://58.65.235.4/web/conf/cfg.bin
hxxp://forgoogleonly.cn/open/cfg.bin
hxxp://194.1.152.172/11/cfg.bin

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Historical OSINT - A Diverse Portfolio of Fake Security Software

In this post I'll profile a currently circulating circa 2008 malicious and fraudulent scareware-serving campaign successfully enticing users into interacting with rogue and fraudulent fake security software with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type of revenue-sharing scheme.

Related malicious domains known to have participated in the campaign:
hxxp://globals-advers.com
hxxp://alldiskscheck300.com
hxxp://multisearch1.com
hxxp://myfreespace3.com
hxxp://hottystars.com
hxxp://multilang1.com
hxxp://3gigabytes.com
hxxp://drivemedirect.com
hxxp://globala2.com/soft.php
hxxp://teledisons.com
hxxp://theworldnews5.com
hxxp://virtualblog5.com
hxxp://grander5.com
hxxp://5starsblog.com
hxxp://globalreds.com
hxxp://global-advers.com
hxxp://ratemyblog1.com
hxxp://greatvideo3.com
hxxp://beginner2009.com
hxxp://fastwebway.com
hxxp://blazervips.com
hxxp://begin2009.com
hxxp://megatradetds0.com
hxxp://securedonlinewebspace.com
hxxp://proweb-info.com
hxxp://security-www-clicks.com
hxxp://updatedownloadlists.com
hxxp://styleonlyclicks.cn
hxxp://informationgohere.com
hxxp://world-click-service.com
hxxp://secutitypowerclicks.cn
hxxp://securedclickuser.cn
hxxp://slickoverview.com
hxxp://viewyourclicks.com
hxxp://clickwww2.com
hxxp://clickadsystem.com
hxxp://becomepoweruser.cn
hxxp://clickoverridesystem.cn

Related malicious domains known to have participated in the campaign:
hxxp://protecteduser.cn
hxxp://internetprotectedweb.com
hxxp://clicksadssystems.com
hxxp://whereismyclick.cn/
hxxp://trustourclicks.cn
hxxp://goldenstarclick.cn
hxxp://defendedsystemuser.cn

Related malicious domains known to have participated in the campaign:
hxxp://drivemedirect.com
hxxp://virtualblog5.com
hxxp://fastwebway.com

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits

According to security researchers the Gumblar botnet is making a comeback successfully affecting thousands of users globally potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious client-side exploits serving domains further dropping malicious software on the affected hosts.

In this post we'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the campaign:
hxxp://ncenterpanel.cn/php/unv3.php
hxxp://ncenterpanel.cn/php/p31.php

Related malicious MD5s known to have participated in the campaign:
MD5: 3f5b905c86d4dcaab9c86eddff1e02c7

MD5: 61461d9c9c1954193e5e0d4148a81a0c
MD5: 65cd1da3d4cc0616b4a0d4a862a865a6
MD5: 7de29e5e10adc5d90296785c89aeabce

Sample URL redirection chain:
hxxp://gumblar.cn/rss/?id - 71.6.202.216 - Email: cuitiankai@googlemail.comi
hxxp://gumblar.cn/rss/?id=2
hxxp://gumblar.cn/rss/?id=3

Related malicious domains known to have participated in the campaign:
hxxp://martuz.cn - 95.129.145.58

With Gumblar making a come-back it's becoming evident that cybercriminals continuing utilizing the usual set of malicious and fraudulent tactics for the purpose of spreading malicious software and affecting hundreds of thousands of legitimate Web sites in a cost-effective and efficient way.

We'll continue monitoring the campaign and post updates and post updates as soon as new developments take place. Continue reading →

Historical OSINT - iPowerWeb Hacked Hundreds of Web Sites Affected

In 2008 it became evident that a widespread malware-embedded attack took place successfully affecting hundreds of iPowerWeb customers potentially exposing hundreds of legitimate Web sites to a multi-tude of malicious software courtesy of a well known Russian Business Network's hosting provider - HostFresh.

In this post we'll profile the campaign provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it. We'll also establish a direct connection between the campaign's infrastructure and the Russian Business Network.

Malicious URL: hxxp://58.65.232.33/gpack/index.php

Related malicious URls known to have participated in the campaign - hxxp://58.65.232.25/counter/getexe.php?h=11 hxxp://58.65.232.25/counter/getfile.php?f=pdf

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Introducing Threat Data - The World's Most Comprehensive Threats Database

Dear blog readers, I wanted to take the time and effort and introduce you to Threat Data - the World's Most Comprehensive Threats Database, a proprietary invite-only MISP-based data information and knowledge sharing community managed and operated by me which basically represents the vast majority of proprietary threat intelligence research that I produce on a daily basis these days.

Users and organizations familiar with my research may be definitely interested in considering the opportunity to obtain access to Threat Data including a possible sample including a possible trial of the service.

Find below a sample FAQ about Threat Data and consider obtaining access to ensure that you and your organization remains on the top of its game including ahead of current and emerging threats.

01. How to request access including a possible trial including API access?
Approach me at ddanchev@cryptogroup.net

02. How do obtain automated access?
The database is delivered daily/weekly/quarterly in MISP-friendly JSON-capable format including STIX coverage.

03. How to request a sample?
Users interested in requesting a sample can approach me at dancho.danchev@hush.com and I'd be more than happy to offer a recent threat intelligence research snapshot.

04. Tell me more about the pricing options?
Monthly subscriptions covering daily weekly and monthly updates start at $4,000 including guaranteed access to 24-32 analysis on a daily basis including active in-house all-source analysis guaranteeing that your organization remains on the top of its game by possessing the necessary data information and knowledge to stay ahead of current and emerging threats.

05. What does the database cover?
- Russian Business Network coverage
- Koobface Botnet coverage
- Kneber Botnet coverage
- Hundreds of IOCs (Indicators of Compromise)
- Tactics Techniques and Procedures In-Depth Coverage
- Malicious and fraudulent infrastructure mapped and exposed
- Malicious and fraudulent Blackhat SEO coverage
- Malicious spam and phishing campaigns
- Malicious and fraudulent scareware campaigns
- Malicious and fraudulent money mule recruitment scams
- Malicious and fraudulent reshipping mule recruitment scams
- Web based mass attack compromise fraudulent and malicious campaigns
- Malicious and fraudulent client-side exploits serving campaigns

The database also offers active malverising, scareware, rogueware, malware, phishing, spam, IM malware, mobile malware, mac OS X malware, android malware, blackhat SEO, money mule recruitment, reshipping mule recruitment, including ransomware coverage.

06. How often does it update?
Updates as issued on a daily weekly monthly basis guaranteeing unlimited access to in-house analysis all-source analysis guaranteeing access to daily weekly and monthly updates.

Enjoy! Continue reading →

Dancho Danchev's 2010 Disappearance - An Elaboration - Part Two

Continue reading →

Historical OSINT - Turkey's Chamber of Commerce Serving Malware

oi06.cn
elfah.net/h.js Continue reading →

Historical OSINT - Newly Launched Koobface Themed Campaign Spotted in the Wild

Related malicious URLs known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979

Once executed a sample malware phones back to a well known command and control server IPs:
hxxp://212.117.160.18 GET /install.php?id=02979

Parked at the same IP where crusade affiliates are were more scareware domains. Meanwhile, the Koobface gang is currently busy typosquatting my name for registering domains (Rancho Ranchev; Pancho Panchev) for instance hxxp://mayernews.com - Email: 1andruh.a1@gmail.com is registered using Danchev Danch. Continue reading →