Personally Identifiable Information Regarding Various Internationally Recognized Cyber Threat Actors - A 2021 Compilation - Free Download!

July 31, 2021

An image is worth a thousand words.

Go through my 230-page 2021 compilation on some of the most high-profile and popular cybercrime gangs and cybercriminals internationally, in the form of cyber attack and cyber threat actor attribution information which could greatly improve your vendor's or organization's situational awareness in the world of cybercrime, including cyber threat actor attribution campaigns.

Grab a copy from here.

Approach me at dancho.danchev@hush.com in case you're interested in discussing your cyber threat actor attribution or cyber attack or campaign attribution requirements with me, and I would be happy to respond as soon as possible and assist with my knowledge and expertise in the field.

Stay tuned!

Dancho Danchev's "Personally Identifiable Information Regarding Various Internationally Recognized Cyber Threat Actors - A 2021 Compilation" Report Available! Request a Free Copy Today!

July 29, 2021

Dear blog readers,

This is Dancho. Are you a security researcher, OSINT analyst, threat intelligence analyst or LE officer, or a member of a security organization or a vendor that wants to catch up with some of the latest developments in the world of cyber threat actor attribution?

UPDATE: Here's the actual link.

I've just finished working on my 2021 compilation entitled "Personally Identifiable Information Regarding Various Internationally Recognized Cyber Threat Actors" which is available on request for free to blog readers who drop me a line at dancho.danchev@hush.com seeking access to the report. Grab a copy today!

Stay tuned!


Two Persons on the U.S. Secret Service Most Wanted Cybercriminals List Run a Managed Android Malware Enterprise Including a Black Energy DDoS Botnet - An OSINT Analysis

July 27, 2021
Dear blog readers,

This is Dancho. In this post I'll provide actionable intelligence on two individuals on the U.S. Secret Service's Most Wanted Cybercriminals list, in particular Oleksandr Vitalyevich Ieremenko and Danil Potekhin, for the purpose of assisting U.S. law enforcement in tracking down and prosecuting the individuals behind these campaigns.

In this analysis I'll offer actionable intelligence on the fact that the first individual, Oleksandr Vitalyevich Ieremenko, is currently running a profitable managed Android malware botnet business using the hxxp://agressivex.com domain for his business, and is currently on the U.S. sanctions list as well.

Sample personally identifiable information for Oleksandr Vitalyevich Ieremenko:

Personal Web Site: hxxp://k0x.ru

ICQ: 123424

Personal Email: uaxakep@gmail.com

Sample personal photos of Oleksandr Vitalyevich Ieremenko and Danil Potekhin:


Sample photo showing that Oleksandr Vitalyevich Ieremenko is known to have been running a Black Energy DDoS botnet:

Sample personal photo of Danil Potekhin:


Sample personal Web site: hxxp://agressivex.com
Sample personal email: potekhinl4@bk.ru

Sample hash known to have participated in the campaign (64 hex characters, so a SHA-256 digest rather than the MD5 it was originally labelled as):
SHA-256: ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736
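Indicator lists like the one above are usually published defanged (hxxp://), and the hash label is easy to get wrong, as the 64-character digest above shows. The following is an added example, not part of the original post, of a small normalizer that pulls hashes and defanged URLs out of such write-up text, refangs them for matching against telemetry, and infers the digest algorithm from its length so that a label that disagrees with it is flagged instead of being copied into a blocklist as the wrong type. The sample text is constructed from the indicator lines of this post (email addresses left out); the defanging conventions it undoes (hxxp://, [.], (.), [:]) are assumed to be the usual ones.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hex-digest length -> algorithm: 32 hex chars is MD5, 40 is SHA-1, 64 is SHA-256,
# whatever label a write-up puts in front of it.
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_LINE = re.compile(r"(?i)\b(md5|sha-?1|sha-?256)\s*:\s*([0-9a-f]+)\b")
# Accepts both live (http://) and defanged (hxxp://) scheme spellings.
URL_RE = re.compile(r"(?i)\bh(?:xx|tt)ps?://[^\s,\"'<>]+")


@dataclass(frozen=True)
class Indicator:
    kind: str       # "hash", "url" or "domain"
    value: str      # normalized: lower-case, refanged
    note: str = ""  # set when the published label disagrees with the digest length


def refang(s):
    """Undo the usual defanging conventions so a value can be matched against telemetry."""
    return (s.replace("hxxps://", "https://").replace("hxxp://", "http://")
             .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def defang(s):
    """Re-apply defanging before republishing an indicator (hxxp://, [.] for dots)."""
    return s.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def classify_hash(label, digest):
    """Validate a hex digest and infer its algorithm from its length; note a mismatched label."""
    digest = digest.strip().lower()
    algo = HASH_BY_LEN.get(len(digest))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"not a recognised hex digest: {digest!r}")
    label_norm = label.lower().replace("-", "")
    note = "" if label_norm == algo else f"labelled {label} but {len(digest)} hex chars is {algo.upper()}"
    return Indicator("hash", digest, note)


def parse_indicators(text):
    """Pull hashes, URLs and their host names out of free-form write-up text, in order of appearance."""
    found = []
    for label, digest in HASH_LINE.findall(text):
        found.append(classify_hash(label, digest))
    for raw in URL_RE.findall(text):
        url = refang(raw.rstrip(".,;:)")).lower()
        found.append(Indicator("url", url))
        host = urlsplit(url).hostname
        if host:
            found.append(Indicator("domain", host))
    return found


# Constructed sample modelled on the indicator lines of the post above (email addresses left out).
SAMPLE_TEXT = """Personal Web Site: hxxp://k0x.ru
Sample personal Web site: hxxp://agressivex.com
Sample MD5 known to have participated in the campaign:
MD5: ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736
"""

if __name__ == "__main__":
    for ind in parse_indicators(SAMPLE_TEXT):
        shown = ind.value if ind.kind == "hash" else defang(ind.value)
        print(ind.kind, shown, ind.note)
```

Run on the sample, the hash comes back typed as SHA-256 with a note about the MD5 label, and the two defanged sites come back as live URLs plus bare host names ready for WHOIS or passive-DNS lookups; defang() is there so the same values can be republished safely afterwards.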

Stay tuned!

Image Courtesy of VeriSign.

Recommended Song of the Day!

July 22, 2021

Dear blog readers,

I've decided to share a high-profile and recent track with everyone to keep up the spirit of the scene and the industry and to basically empower you to do your work more efficiently. Keep up the good work!

Stay tuned!


Exposing a Currently Active WannaCry Ransomware Domains Portfolio - An OSINT Analysis for WhoisXML API

July 22, 2021

Dear blog readers,

This is Dancho, and I wanted to let everyone know about a series of recently released white papers and case studies, courtesy of me, for my employer WhoisXML API, detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the seventh white paper, entitled "Exposing a Currently Active WannaCry Ransomware Domains Portfolio - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the infamous WannaCry ransomware and offer a unique peek inside the domain portfolio behind it, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!


Exposing a Currently Active Cyber Jihad Domains Portfolio - An OSINT Analysis for WhoisXML API

July 22, 2021

Dear blog readers,

This is Dancho, and I wanted to let everyone know about a series of recently released white papers and case studies, courtesy of me, for my employer WhoisXML API, detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the sixth white paper, entitled "Exposing a Currently Active Cyber Jihad Domains Portfolio - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on various cyber jihad themed and related domains, including their owners, and offer a unique peek inside their domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the Ashiyane Digital Security Team - An OSINT Analysis for WhoisXML API

July 22, 2021

Dear blog readers,

This is Dancho, and I wanted to let everyone know about a series of recently released white papers and case studies, courtesy of me, for my employer WhoisXML API, detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the fifth white paper, entitled "Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the Ashiyane Digital Security Team - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the domain portfolio owned and operated by the infamous Ashiyane Digital Security Team and offer a unique peek inside it, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Who's Behind the Conficker Botnet? - An OSINT Analysis for WhoisXML API

July 22, 2021

Dear blog readers,

This is Dancho, and I wanted to let everyone know about a series of recently released white papers and case studies, courtesy of me, for my employer WhoisXML API, detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the fourth white paper, entitled "Who's Behind the Conficker Botnet? - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the infamous Conficker malware and offer a unique peek inside the domain portfolio behind it, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Using Maltego and WhoisXML API's Real-Time and Historical WHOIS Database to Profile A Currently Active CoolWebSearch Domains Portfolio - An OSINT Analysis for WhoisXML API

July 22, 2021

Dear blog readers,

This is Dancho, and I wanted to let everyone know about a series of recently released white papers and case studies, courtesy of me, for my employer WhoisXML API, detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the third white paper, entitled "Using Maltego and WhoisXML API's Real-Time and Historical WHOIS Database to Profile A Currently Active CoolWebSearch Domains Portfolio - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the infamous CoolWebSearch spyware enterprise and offer a unique peek inside its domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Exposing a Currently Active NSO Spyware Group's Domain Portfolio - An OSINT Analysis for WhoisXML API

July 22, 2021

Dear blog readers,

This is Dancho, and I wanted to let everyone know about a series of recently released white papers and case studies, courtesy of me, for my employer WhoisXML API, detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the second white paper, entitled "Exposing a Currently Active NSO Spyware Group's Domain Portfolio - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the recent NSO Spyware Group campaigns internationally and offer a unique peek inside the group's domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercriminals Internationally - An OSINT Analysis for WhoisXML API

July 22, 2021

Dear blog readers,

This is Dancho, and I wanted to let everyone know about a series of recently released white papers and case studies, courtesy of me, for my employer WhoisXML API, detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the first white paper, entitled "Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercriminals Internationally", we took a sample data set consisting of the personal email addresses of well-known cybercriminal gangs and lone cybercriminals, which we obtained using technical collection, and offered a unique peek inside their domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Profiling "Nedasites" - A DDoS Attack Tool Campaign Aiming to Target Iran Prior to the 2009 Election - An OSINT Analysis

July 12, 2021

I've recently stumbled upon a unique DDoS tool which basically entices users into downloading it and launching DDoS attacks against a pre-defined list of Iran-based government and various other Iran-based targets, and which appears to have been originally released during the 2009 election in Iran.

In this post I'll provide actionable intelligence and discuss the campaign in depth, including the actual tool, provide the actual list of targeted URLs along with the MD5 of the malicious DDoS tool, and discuss in depth the crowd-sourced DDoS campaign which was originally launched during the 2009 election in Iran.

It appears that back in 2009 a tiny group of folks, including companies, actually organized an online spree to help and support Iran's activists and protesters with technologies and access to free services, which basically violates the law and should be considered a dangerous precedent in the context of assisting Iran-based activists and protesters. Therefore I've decided to take a deeper look inside the trend that took place internationally during the 2009 Iran election and offer practical, relevant, technical and actionable intelligence information on the actual infrastructure behind the campaign, including its participants.

Related domains and URLs known to have been involved in the campaign:

https://lxkghnyg2owy6scd.onion

http://iran.whyweprotest.net/

http://haystack.austinheap.com/

http://www.haystacknetwork.com/

http://iproxyiran.tk/

http://iranpetitie.wordpress.com/

https://davepack.net/retweetforiran.html

https://iranfree.cryptocloud.net/

http://servers-info.com/

MD5: 25bc5507934756a836e574e9b43f8b3a - Detection rate

Sample official download location of the actual DDoS application:

https://sites.google.com/site/nedasites

Sample targeted URLs and domains list:

http://keyhannews.ir

http://www.iran-newspaper.com

http://www.irna.com

http://www.irna.ir

http://www2.irna.com

http://www5.irna.com

http://www.irna.net

http://www.tabnak.com

http://www.farsnews.com

http://english.farsnews.com

http://shahabnews.com

http://www.rajanews.com

http://www.khamenei.ir

http://www.ahmadinejad.ir

http://www.gerdab.ir

http://www.bornanews.com

http://www.bornanews.ir

http://www.leader.ir/langs/en

http://www.president.ir/fa/

http://www.mod.ir

http://www.isna.ir

http://www.justice.ir

http://www.presstv.ir

http://www.police.ir

http://mfa.gov.ir

http://sahandnews.com

http://www.farsnews.net

HAMSEDA.IR -- theplanet.com

HAMSHAHRIONLINE.IR -- cogentco.com

AYANDENEWS.COM -- theplanet.com

ASRIRAN.COM -- theplanet.com

SHIA-NEWS.COM -- theplanet.com

SHAFAF.IR -- theplanet.com

SIBNA.IR -- theplanet.com

SAYENEWS.COM -- theplanet.com

KAYHANNEWS.IR -- theplanet.com

RESALAT-NEWS.COM -- iweb.com

DEILAMNEWS.COM -- iweb.com

KHORASANNEWS.COM -- abac.com

JAHANNEWS.COM -- theplanet.com

JARASNEWS.COM -- theplanet.com

POOLNEWS.IR -- theplanet.com

PARSINE.COM -- theplanet.com

BUSHEHRNEWS.COM -- theplanet.com

TEBNA.COM -- theplanet.com

IWNA.IR -- theplanet.com

ALBORZNEWS.NET -- theplanet.com

ERAMNEWS.IR -- theplanet.com

AYANDENEWS.COM -- theplanet.com

JOMHOURIESLAMI.COM -- iweb.com

Something else that's also worth emphasizing in terms of the 2009 Iran election is that the U.K.'s GCHQ has also been busy attempting to track down protesters and activists, and has been working on an election-specific, GCHQ-owned URL shortening service which I managed to profile and expose here, including the following still active Twitter accounts and URLs known to have been involved in the GCHQ campaign to monitor and track down 2009 Iran election protesters and activists:

https://twitter.com/2009iranfree

https://twitter.com/MagdyBasha123

https://twitter.com/TheLorelie

https://twitter.com/Jim_Harper

https://twitter.com/angelocerantola

https://twitter.com/recognizedesign

https://twitter.com/akhormani

https://twitter.com/FNZZ

https://twitter.com/GlenBuchholz

https://twitter.com/enricolabriola

https://twitter.com/katriord

https://twitter.com/ShahkAm147

https://twitter.com/Pezhman09

https://twitter.com/jimsharr

https://twitter.com/blackhatcode

Stay tuned!


Historical OSINT - An Analysis of the South Korean/U.S. DDoS Attacks Circa 2009

July 09, 2021

During the last couple of days, I was finding it harder and harder to resist publishing some of the literally moronic commentary on the DDoS attacks, thankfully not made by people I know in person or virtually. From the "we know they did it but we don't have data to prove it", to the very latest and most disturbing comment by a U.S. intelligence


Why disturbing? Because that's exactly what the person -- contrary to the common wisdom, you don't need a team to launch this old school amateur-ish HTTP request flooder --

Key summary points:

- if such a small botnet with such a noisy and amateur-ish request flooder can shut down the U.S. FCC for days, I wonder what would have happened to the rest of the sites in the target list if the size of the botnet and the sophistication of the DDoS techniques had improved


Let me continue in this line of thought - or they secretly brainwash the Teletubbies and infiltrate the hearts and minds of children across the globe, a future generation of pro-North Korean youngsters. Or they could secretly become a Russian Business Network franchise; now try sending an abuse notice to the non-existent North Korean ISPs. They could,
The Web is abuzz with news reports regarding the ongoing DDoS (distributed denial of service attack)


The attacks, which originally took off over the 4th of July weekend, target 26 South Korean and American government sites and financial institutions.
The W32.Dozer comes in the form of an email attachment


Upon execution, the trojan attempts to download the list of targets from three apparently compromised servers based in Germany, the U.S. and Austria.



213.23.243.210 - Mannesmann Arcor Telecommunications AG & Co

216.199.83.203 - FDN.com 

213.33.116.41 - Telekom Austria Aktiengesellschaft


75.151.32.182


92.63.2.118

75.151.32.182

202.14.70.116

201.116.58.131

200.6.218.194

163.19.209.22

122.155.5.196

newrozfm.com

text string “get/China/DNS

The word china within the malware code, the

http://www.virustotal.com/analisis/7dee2bd4e317d12c9a2923d0531526822cfd37eabfd7aecc74258bb4f2d3a643-1247001891

http://www.virustotal.com/analisis/1d1814e2096d0ec88bde0c0c5122f1d07d10ca743ec5d1a3c94a227d288f05a7-1246990042

http://www.virustotal.com/analisis/7c6c89b7a7c31bcb492a581dfb6c52d09dffca9107b8fd25991c708a0069625f-1246990249

http://www.virustotal.com/analisis/f9feee6ebbc3dc0d35eea8bf00fc96cf075d59588621b0132b423a4bbf4427d4-1247006555
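Both the Nedasites tool profiled earlier on this page and the "old school amateur-ish http request flooder" described in this post work the same way: a pre-defined target list and a stream of plain HTTP requests from many sources. As an added example that is not part of either original post, the following Python scores a web server access log for exactly that pattern: per-source request rates over a sliding window, and on top of that the "many sources, one fixed target, one client string" signature that separates a distributed pre-packaged flooder from a single noisy host. The log lines are constructed (RFC 5737 documentation addresses and a placeholder User-Agent, not the real tools' strings), and the window and thresholds are illustrative values to be tuned against a site's own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined access-log line: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "ua": m["ua"] or "-"}


def detect_flood(lines, window_s=10, per_ip_threshold=20, min_sources=3):
    """Flag request-flood sources in an access log.

    A source is flagged when it issues per_ip_threshold or more requests inside
    any sliding window of window_s seconds. Flagged sources that hit the same
    path with the same User-Agent are then grouped: many independent sources
    hammering one fixed target with one client string is the signature of a
    distributed, pre-packaged flooder rather than of one misbehaving host.
    Returns {"flooding_ips": [...], "crowd_targets": {(path, ua): [ips]}}.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    targets = defaultdict(set)       # (path, ua) -> source ips that requested it
    flooding = set()
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) >= per_ip_threshold:
            flooding.add(e["ip"])
        targets[(e["path"], e["ua"])].add(e["ip"])
    crowd = {}
    for key, ips in targets.items():
        bad = sorted(ips & flooding)
        if len(bad) >= min_sources:
            crowd[key] = bad
    return {"flooding_ips": sorted(flooding), "crowd_targets": crowd}


FLOOD_UA = "FloodTool/0.1 (constructed sample)"   # placeholder, not a real tool's User-Agent


def _log_line(ip, ts, path, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def make_sample_log():
    """Constructed access log: three flooding sources on one path plus one normal visitor."""
    base = datetime(2009, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        for n in range(30):                          # 30 requests in 8 seconds per source
            lines.append(_log_line(ip, base + timedelta(seconds=n // 4), "/", FLOOD_UA))
    for n in range(5):                               # a normal visitor: 5 pages over 2 minutes
        lines.append(_log_line("192.0.2.5", base + timedelta(seconds=30 * n), f"/news/{n}", "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    print(detect_flood(make_sample_log()))
```

On the sample the three documentation-range sources are flagged individually and then grouped under the one (path, User-Agent) pair they share, while the visitor paging through /news/ at human speed is never counted; a real deployment would feed the function the log tail in batches and alert on the crowd_targets entry rather than on each single IP.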
