The DDoS Attack Against Bobbear.co.uk

July 08, 2022
When you get the "privilege" of being DDoS-ed by a high-profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing a hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated counter-surveillance approaches taken by a high-profile DDoS for hire service can be, and in fact were, bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I've come across a related DoS service offered by the very same vendor: insider sabotage on demand, given that they have their own people inside a particular company or ISP. It makes you think twice before dismissing as a minor network glitch what could easily be a coordinated insider attack requested by a third party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

Who's Behind the GPcode Ransomware?

July 08, 2022
So, the ultimate question - who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well as their most recent IPs used in the communication :

Emails used by the GPcode authors where the infected victims are supposed to contact them :
content715@yahoo.com
saveinfo89@yahoo.com
cipher4000@yahoo.com
decrypt482@yahoo.com

Virtual currency accounts used by the malware authors :
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838

Sample response email :
"Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"

Second sample response email this time requesting $200 :
"The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"

So, you've got two people responding with copy-and-paste emails, each of them seeking a different amount of money? Weird. The John Doe-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network, China Network Communications Group Corporation, No.156 Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227 (the same China Network Communications Group Corporation allocation), both Chinese IPs, despite the fact that the campaigners are Russian.

Here are some comments I made regarding cryptoviral extortion two years ago in Future Trends of Malware (page 11 and page 21), worth going through.

Who's Behind the Georgia Cyber Attacks?

July 08, 2022
Of course the Klingons did it; or were you naive enough to even think for a second that Russians were behind it in the first place? Of all the things I hate, lowering the quality of the discussion is what I hate most. Even if you exclude all the factual evidence (Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail.

Sometimes the degree of incompetence can in fact be pretty entertaining, and it goes a long way toward explaining why certain countries lag years behind others in their inability to understand the rules of information warfare, or the basic premise of unrestricted warfare: that there are no rules on how to achieve your objectives.

So who's behind the Georgia cyber attacks, ranging from plain ping floods and web site defacements to sustained DDoS attacks, which remain ongoing despite the fact that Georgia has switched hosting location to the U.S? It's Russia's self-mobilizing cyber militia, the product of a collectivist society with the capacity to wage cyber wars, literally dictating the rhythm in this space. What is a militia anyway :

"civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency"

Next to the "blame the Russian Business Network for the lack of large scale implementation of DNSSEC" mentality, certain news articles also try to wrongly imply that there's no Russian connection in these attacks and that the attacks are not "state-sponsored", making it look as if a considerable amount of investment must have gone into these attacks, and as if the Russian government has the final word on whether or not its DDoS-capable citizens launch any attacks. In reality, the only thing the Russian government was asking itself during these attacks was "why didn't they start the attacks earlier?!".

Thankfully, there are some visionary folks out there who understand the situation. Last year I asked the following question - What is the most realistic scenario on what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view? - and some of the possible answers still fully apply in this situation :

- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

- Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

- Certain individuals in the collectivist Russian society, botnet masters for instance, were automatically recruited on the basis of nationalist sentiment, so that they basically forwarded some of their bandwidth to key web servers

- In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

- Don't know who did it, but I can assure you my kid was playing !synflood at that time

- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

- A foreign intelligence agency twisting the reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that no one else but the offended Russia could be behind the attacks

- I hate scenario building, it reminds me of my academic years; however, yours are pretty good, which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, while in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

- I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

Departmental cyber warfare would never reach the flexibility of people's information warfare, where everyone is a cyber warrior given that he's empowered with access to the right tools at a particular moment in time.

Related posts:
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121

Dissecting the Koobface Worm's December Campaign

July 08, 2022
The Koobface Facebook worm -- go through an assessment of a previous campaign -- is once again making the rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners' efforts for yet another time? But of course.

Only OPSEC-ignorant malware campaigners would leave so many traceable points, among them centralizing the campaign's redirection domains on a single IP. For instance, they take advantage of a free web counter whose publicly obtainable statistics -- the account has since been deleted -- allow us not only to measure the clickability of Koobface's campaign, but also to prove that they're actively multitasking by combining blackhat SEO with active spreading across several other social networking sites. Here are some of the key summary points for this campaign :

Key summary points :
- the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware infected IPs
- all of the malware infected hosts are serving the bogus YouTube site through port 7777
- the very same bogus domains acting as central redirection points from the November's campaign remain active, however, they've switched hosting locations
- if the visitor isn't coming from where she's supposed to be coming, in this case the predefined list of referrers, a single line of "scan ref" is returned with no malicious content displayed
- the campaign can be easily taken care of, at least in the short term, by shutting down the centralized redirection points
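The referrer gate in the fourth point is the part worth seeing as code, because it is exactly what makes a naive "fetch the URL and look at it" check come back clean. The block below is an added illustration and not Koobface's fb.php (which is not on this page): the accepted-referrer set, the "scan ref" marker string and the stand-in redirect to a port-7777 host are assumptions standing in for what the text describes. It pairs the attacker-side gate with the probe an analyst runs against a suspected redirector: fetch once with no Referer, once per candidate social network, and flag the URL as cloaked when any candidate yields a different body.

```python
"""Referrer-gated cloaking (attacker side) and a probe for it (analyst side).
Added example: the allowed-referrer set, the marker string and the fake
redirect below are assumptions, not Koobface's actual fb.php."""
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Assumption: the "predefined list of referrers" the page mentions.
ALLOWED_REFERRER_HOSTS = {
    "facebook.com", "www.facebook.com",
    "bebo.com", "www.bebo.com",
    "friendster.com", "www.friendster.com",
}
# The page reports a one-line "scan ref" body for off-list visitors.
SCAN_REF = "scan ref"
# Constructed stand-in for the redirect to an infected host on port 7777.
REDIRECT_PAYLOAD = (
    '<meta http-equiv="refresh" content="0;url=http://192.0.2.10:7777/?ch=&ea=">'
)


def referrer_gate(referer: Optional[str]) -> str:
    """Attacker-side logic: hand out the redirect only to visitors whose
    Referer host is on the list; everyone else (scanners, analysts, crawlers)
    gets the harmless marker line."""
    if not referer:
        return SCAN_REF
    host = (urlsplit(referer).hostname or "").lower()
    return REDIRECT_PAYLOAD if host in ALLOWED_REFERRER_HOSTS else SCAN_REF


def probe_cloaking(fetch: Callable[[Optional[str]], str],
                   candidate_referers: Iterable[str]) -> Dict[str, object]:
    """Analyst-side probe. `fetch(referer)` returns the body of one request to
    the suspect URL sent with that Referer (None = no Referer header). The URL
    is cloaked when any candidate Referer yields a body different from the
    no-Referer baseline."""
    baseline = fetch(None)
    unlocking: List[str] = []
    for ref in candidate_referers:
        if fetch(ref) != baseline:
            unlocking.append(ref)
    return {
        "baseline_is_scan_ref": baseline.strip() == SCAN_REF,
        "cloaked": bool(unlocking),
        "unlocking_referers": sorted(unlocking),
    }


# Offline demo: the gate itself plays the role of the network fetch. Against a
# live redirector you would pass something like
#   lambda ref: requests.get(url, headers={"Referer": ref} if ref else {}).text
CANDIDATES = [
    "https://www.facebook.com/profile.php?id=1",
    "https://example.org/",
    "http://bebo.com/",
]

if __name__ == "__main__":
    print(probe_cloaking(referrer_gate, CANDIDATES))
```

The practical lesson is in the probe, not the gate: a redirector that answers "scan ref" to a bare request is not dead, so any takedown or classification decision should be based on the response obtained with the social network's own host in the Referer header.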


What follows are the surprises: despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign's stats -- the majority of unique visitors from the December campaign appear to have come from Friendster. As for the exact number of visitors hitting their web counter, counting as of 7 November 2008, 12:58, with 91,109 unique visitors on Fri 07 Nov and another 53,260 on Sat 08 Nov before the counter was deleted, the cached version of their web counter provides a relatively good sample.

On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) used in the previous campaign attempts to redirect to find-allnot .com/go/fb.php (58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fb.php doing the referrer checking and the redirection to the botnet hosts. Several other well known malware command and control locations are also parked at 58.241.255.37 :

jobusiness .org
a221008 .com
y171108 .com
searchfindand .com
ofsitesearch .com
fashionlineshow .com
anddance .info
firstdance .biz

prixisa .com
danceanddisc .com
finditand .com
findsamthing .com
freemarksearch .com
find-allnot .com
find-here-and-now .com
findnameby .com
anddance .info

These domains, with several exceptions, are actively participating in the campaign, and the easiest way to tell whether it's a Facebook or a Bebo redirection remains the descriptive filenames: fb.php corresponds to Facebook redirections and be.php to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides within the statistics from their campaign :

Malware serving URLs, part of Koobface worm's December campaign, based on the identical counter used across all the malicious domains :
youtube-x-files .com
youtube-go .com
youtube-spy.5x .pl
youtube-files.bo .pl
youtube-media.none .pl
youtube-files.xh .pl
youtube-spy.dz .pl
youtube-files.esite .pl
youtube-spy.bo .pl
youtube-spy.nd .pl
youtube-spy.edj .pl
spy-video.oq .pl
shortclips.bubb .pl
youtubego.cacko .pl

asda345.blogspot .com
uholyejedip556.blogspot .com
ufyaegobeni7878.blogspot .com
uiyneteku20176.blogspot .com
ujoiculehe19984.blogspot .com
uinekojapab29989.blogspot .com
uhocuyhipam13345.blogspot .com

Geocities redirectors participating :
geocities .com/madelineeaton10/index.htm
geocities .com/charlievelazquez10/index.htm
geocities .com/raulsheppard18/index.htm

Sample malware infected hosts used by the redirectors :
92.241.134 .41:7777/?ch=&ea=
89.138.171 .49:7777/?ch=&ea=
92.40.34 .217:7777/?ch=&ea=
79.173.242 .224:7777/?ch=&ea=
122.163.103 .91:7777/?ch=&ea=
217.129.155 .36:7777/?ch=&ea=
84.109.169 .124:7777/?ch=&ea=
91.187.67 .216:7777/?ch=&ea=
84.254.51 .227:7777/?ch=&ea=
190.142.5 .32:7777/?ch=&ea=
190.158.102 .246:7777/?ch=&ea=
201.245.95 .86:7777/?ch=&ea=
78.90.85 .7:7777/?ch=&ea=
82.81.25 .144:7777/?ch=&ea=
78.183.143 .188:7777/?ch=&ea=
89.139.86 .88:7777/?ch=&ea=
85.107.190 .105:7777/?ch=&ea=
84.62.84 .132:7777/?ch=&ea=
78.3.42 .99:7777/?ch=&ea=
92.241.137 .158:7777/?ch=&ea=
77.239.21 .34:7777/?ch=&ea=
41.214.183 .130:7777/?ch=&ea=

90.157.250 .133:7777/dt/?ch=&ea=
89.143.27 .39:7777/?ch=&ea=
91.148.112 .179:7777/?ch=&ea=
94.73.0 .211:7777/?ch=&ea=
124.105 .187.176:7777/?ch=&ea=
77.70.108  .163:7777/?ch=&ea=
190.198.162 .240:7777/?ch=&ea=
89.138.23 .121:7777/?ch=&ea=
190.46.50 .103:7777/?ch=&ea=
80.242.120 .135:7777/?ch=&ea=
94.191.140 .143:7777/?ch=&ea=
210.4.126 .100:7777/?ch=&ea=
87.203.145 .61:7777/?ch=&ea=
94.189.204 .22:7777/?ch=&ea=
92.36.242 .47:7777/?ch=&ea=
77.78.197 .176:7777/?ch=&ea=
94.189.149 .231:7777/?ch=&ea=
89.138.102 .243:7777/?ch=&ea=
94.73.0 .211:7777/?ch=&ea=
79.175.101 .28:7777/?ch=&ea=
78.1.251 .26:7777/?ch=&ea=
201.236.228 .38:7777/?ch=&ea=
85.250.190 .55:7777/?ch=&ea=
211.109.46 .32:7777/?ch=&ea=
91.148.159 .174:7777/?ch=&ea=
87.68.71 .34:7777/?ch=&ea=
85.94.106 .240:7777/?ch=&ea=
195.91.82 .18:7777/?ch=&ea=
85.101.167 .197:7777/?ch=&ea=
193.198.167 .249:7777/?ch=&ea=
94.69.130 .191:7777/?ch=&ea=
79.131.26 .192:7777/?ch=&ea=
190.224.189 .24:7777/?ch=&ea=

119.234.7 .230:7777/?ch=&ea=
199.203.37 .250:7777/?ch=&ea=
89.142.181 .226:7777/?ch=&ea=
84.110.120 .82:7777/?ch=&ea=
119.234.7 .230:7777/?ch=&ea=
84.110.253 .163:7777/?ch=&ea=
82.81.163 .40:7777/?ch=&ea=
79.179.249 .218:7777/?ch=&ea=
190.224.189 .24:7777/?ch=&ea=
79.179.249 .218:7777/?ch=&ea=
87.239.160 .132:7777/?ch=&ea=
79.113.8 .107:7777/?ch=&ea=
81.18.54 .6:7777/?ch=&ea=
118.169 .173.101:7777/?ch=&ea=
85.216.158 .209:7777/?ch=&ea=
219.92.170 .4:7777/?ch=&ea=
79.130.252 .204:7777/?ch=&ea=
93.136.53 .239:7777/?ch=&ea=
62.0.134 .79:7777/?ch=&ea=
79.138.184 .253:7777/?ch=&ea=
173.16.68 .18:7777/?ch=&ea=
190.155.56 .212:7777/?ch=&ea=
190.20.68 .136:7777/?ch=&ea=
119.235.96 .173:7777/?ch=&ea=
77.127.81 .103:7777/?ch=&ea=
190.132.155 .122:7777/?ch=&ea=
89.138.177 .91:7777/?ch=&ea=

79.178.111 .25:7777/?ch=&ea=
84.109.1 .15:7777/?ch=&ea=
89.0.157. 1:7777/?ch=&ea=
122.53.176 .43:7777/?ch=&ea=
200.77.63 .190:7777/?ch=&ea=
67.225.102 .105:7777/?ch=&ea=
119.94.171 .114:7777/?ch=&ea=
125.212.94 .80:7777/?ch=&ea=

Detection rate for the binary, identical across all infected hosts participating :
flash_update.exe (Win32/Koobface!generic; Win32.Worm.Koobface.W)
Detection rate : 28/38 (73.69%)
File size: 27136 bytes
MD5...: 3071f71fc14ba590ca73801e19e8f66d
SHA1..: 2f80a5b2575c788de1d94ed1e8005003f1ca004d

Koobface's social network spreading model isn't going away, but its domains definitely are.

Related posts:
Dissecting the Latest Koobface Facebook Campaign
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Time to Say Goodbye!

July 06, 2022

Ho, Ho, Ho.

Merry Christmas or Christmas just came in earlier.

This is an official letter to all of my 5.6M readers since December, 2005, including an official letter to the U.S security industry, my current colleagues and friends from across the globe, and the dark corners of the Web, although there's no such thing as a dark corner of the Web, just as there's no such thing as a free lunch, and an OSINT investigation conducted today is a taxpayer's dollar saved somewhere.

The big news is this is going to be the last post.

I wanted to say a big thanks to everyone who's been following my work ever since I originally launched my personal blog back in December, 2005, and to my one and only employer in the world, Webroot Inc., for hiring me and bringing me on board, which basically resulted in a decent lifestyle for a period of several years, including the renovation of my place.

What am I left with after my retirement? A modest $150 social pension to take care of my mobile and Internet bills and some food, which is a great piece of advice for everyone involved in the field: know that it takes a bold man, including a one-man show operation, to take care of everything and then try to retire.

My advice for everyone in the industry includes the following hot tips, right and straight from the source:

- never fall victim to the "certificate crowd" myopia and the "more the merrier" mentality; be yourself, say everything and don't forget to do everything, never take credit for what you're doing and what you've been doing, and always say cheers or hi to someone who says hi and cheers to your work and achievements

- don't forget the U.S is secretly hiring security bloggers to jump onto the Information Warfare front, if there is any, which naturally there is, but only in case you know what you're up to in terms of getting yourself dazzled and embraced by any of the virtual domain dimensions that you choose for your Information and Cyber Warfare purposes and goal-achieving projects

Best wishes to everyone who made it happen. And in a surreal universe remember that "diamonds degrade their quality; bulletproof hosting services courtesy of the RBN are forever". Grab a copy of my memoir from here, including from Cryptome.org, consider going through my research portfolio throughout the years here, and stay tuned for the Second Edition of my Cyber Intelligence memoir, which will be published in Bulgarian and made available exclusively to Bulgarian readers who might be interested in catching up on what I've been up to over the years.

Don't forget, if you ever need me for anything, including a project that you want to work with me on, advice, or just to say "hi" and thanks for all the hard work, feel free to drop me a line at dancho.danchev@hush.com, which is my email address, which I check 24/7, and I'll make sure to send back a proper response.

Yours sincerely, not necessarily exclusively, and don't forget that although you know my name you should not necessarily do your best to look up my "number".

Historical OSINT - Profiling a Compilation of Known Apophis Exploit Kit C&C Public Domains - An OSINT Analysis

July 01, 2022

I've recently been digging into several archives, looking for actionable threat intelligence based on my research circa 2010, with the idea of enriching it in 2022 and correlating it with several of my proprietary threat intelligence and OSINT databases for the purpose of fighting and responding to cybercrime. The result is an active domain portfolio of the Apophis exploit and phishing kit, which you can check out for OSINT threat intelligence enrichment.

Sample Apophis C&C domains circa 2010 based on my research include:

hxxp://mystabcounter.info

hxxp://555traff.biz

hxxp://555traff.org

hxxp://555traff.net

hxxp://911traff.com

hxxp://911traff.org

hxxp://911traff.com

hxxp://555traff.ws

hxxp://nod32-spl.net

hxxp://kusik-tusik-trf.com

hxxp://spamh0use.com

hxxp://norton-av2007.com

Sample domain registrant email address account known to have been used in the campaign:

slhdns@gmail.com

Related malicious and fraudulent domains known to have been involved in the campaign include:

hxxp://free-adult-movies.us

hxxp://ellweb.biz

hxxp://flightlesson.us

hxxp://e-on.us

hxxp://masteryourselfandothers.biz

hxxp://sexychannal.biz

hxxp://fkooo.biz

hxxp://le-showroom.biz

hxxp://elwebbz.biz

hxxp://sensorama.us

hxxp://healingmassage.us

hxxp://lisa19.biz

hxxp://free-games-downloads.biz

hxxp://emaszyny.biz

hxxp://free-bizzz.biz

hxxp://ellwebs.biz

hxxp://fsone.us

hxxp://banddindependence.biz

hxxp://freestylecamera.biz

hxxp://wtter.biz

hxxp://little-lolitas.biz

hxxp://a-1express.us

hxxp://sex-total.biz

hxxp://misterfixit.us

hxxp://pantie-fetish.biz

hxxp://wantedbabes.biz

hxxp://papmperedchef.biz

hxxp://webmailccisd.us

hxxp://funi-games.biz

hxxp://karatzikos.biz

hxxp://fuckphotos.biz

hxxp://best-oem-sellers.biz

hxxp://powerstocks.biz

hxxp://connect-group.biz

hxxp://pptsys.biz

hxxp://lambrakis.biz

hxxp://hsmvstatefl.us

hxxp://computerselectronics.us

hxxp://premierprop.biz

hxxp://coloriez.biz

hxxp://crazy-holiday.biz

hxxp://images-porno.biz

hxxp://talentsmodels.biz

hxxp://sukebe.biz

hxxp://taydo.biz

hxxp://texas--holdem.biz

hxxp://mr-rx.biz

hxxp://cptraders.biz

hxxp://financialcareer.biz

hxxp://smallgirls.biz

hxxp://plastercrafts.biz

hxxp://lchs.us

hxxp://poopka.biz

hxxp://solarnet.biz

hxxp://hormonetreatment.us

hxxp://spammed.us

hxxp://photos-pucelles.biz

hxxp://signaturehomesstyles.biz

hxxp://marbleworks.biz

hxxp://simplyuniforms.biz

hxxp://pinballsites.biz

hxxp://cuyahogacouny.us

hxxp://pinkpoodlepets.biz

hxxp://cuyahagacounty.us

hxxp://rachaels.biz

hxxp://kentonkyschools.us

hxxp://iginteinc.biz

hxxp://caimon.us

hxxp://lonestarjewelry.biz

hxxp://vietghost.us

hxxp://igniteing.biz

hxxp://buytickets1.us

hxxp://agame.biz

hxxp://uighurlar.biz

hxxp://joshosler.biz

hxxp://variance.us

hxxp://qudos.biz

hxxp://ketsamil.us

hxxp://quebecauction.biz

hxxp://verumcom.biz

hxxp://privatpornoz.biz

hxxp://trasy.biz

hxxp://fightnight.us

hxxp://trueterm.biz

hxxp://arablusic.us

hxxp://cdcover.us

hxxp://httpimageshack.us

hxxp://iprosper.us

hxxp://prepaid2u.biz

hxxp://kylakeproperty.us

hxxp://printsmart.us

hxxp://inmarcet.biz

hxxp://privatevoicemail.us

hxxp://koicarp.us

hxxp://11burogu.biz

hxxp://traivan.us

hxxp://eroxia.us

hxxp://assmat.biz

hxxp://sauvageonne.biz

hxxp://articlexchange.biz

hxxp://scottsphotography.biz

hxxp://project-management-tools.biz

hxxp://mini-games.biz

hxxp://aqarium-fish.biz

hxxp://imageashack.us

hxxp://beanb.biz

hxxp://rmpnfotec.biz

hxxp://azadari.biz

hxxp://europauto.biz

hxxp://autosourse.biz

hxxp://rowanlaw.us

hxxp://autocadsites.biz

hxxp://renewpcstore.biz

hxxp://whatswhat.us

hxxp://f0reverhealthy.biz

hxxp://boa-constrictor.biz

hxxp://f-chan.us

hxxp://bestemateur.biz

hxxp://everysearch.us

hxxp://wnetwork.biz

hxxp://fanmial.biz

hxxp://brutalfemdom.biz

hxxp://realitywise.biz

hxxp://breadmaker.biz

hxxp://realy-models.biz

hxxp://webform.us

hxxp://lolabbs.biz

hxxp://weknow.us

hxxp://jlove.us

hxxp://zowmebel.biz

hxxp://1001night.biz

hxxp://zodiacpowerring.biz

hxxp://wwwsignaturehomestyles.biz

hxxp://a-deco.biz

hxxp://analized.us

hxxp://ishikari.biz

hxxp://xteenx.biz

hxxp://ffivideo.biz

hxxp://allthingscatholic.us

hxxp://puffgames.biz

hxxp://actiongames.us

hxxp://ffunny-games.biz

hxxp://coasthomes.biz

hxxp://clearhabor.biz

hxxp://at-crew.biz

hxxp://animal-info.biz

hxxp://anoria.biz

hxxp://cl55.biz

hxxp://amitenergy.biz

hxxp://bestcounter.biz

hxxp://bionexus.biz

hxxp://4only.biz

hxxp://bellgard.biz

hxxp://bairo.biz

hxxp://banjosites.biz

hxxp://clthumane.biz

hxxp://autorepairmanuels.biz

hxxp://city-info.biz

hxxp://anywhere-wireless.biz

hxxp://casadellabomboniera.biz

hxxp://centerforrenewal.biz

hxxp://cuteloblog.biz

hxxp://buckneranimalclinic.biz

hxxp://bona-stto.biz

hxxp://1sp.biz

hxxp://easycalender.biz

hxxp://etudiantes-vicieuses.biz

hxxp://fannygames.biz

hxxp://bizibypass.biz

hxxp://ddl-warez.biz

hxxp://fainmail.biz

hxxp://farmersandmerchantsbank.biz

hxxp://atomakayan.biz

hxxp://youxxx.us

hxxp://wmata.us

hxxp://mailarlingtonva.us

hxxp://sexyblackpussy.biz

hxxp://funnygamse.biz

hxxp://funnygaes.biz

hxxp://freetgp.biz

hxxp://www4usonly.biz

hxxp://hena.biz

hxxp://gentrees.biz

hxxp://ignitein.biz

hxxp://hentai-movie.biz

hxxp://igniteic.biz

hxxp://headcutterssalon.biz

hxxp://fuunny-games.biz

hxxp://igniteenergy.biz

hxxp://hrna.biz

hxxp://free-voyeur-cam.biz

hxxp://goldenretire.biz

hxxp://inkkraft.biz

hxxp://heproject.biz

hxxp://funny-gemes.biz

hxxp://ice-out.biz

hxxp://adogslife.biz

hxxp://alterego3d.biz

hxxp://americanriverbikes.biz

hxxp://ecstazy.biz

hxxp://harna.biz

hxxp://africantradebeads.biz

hxxp://funy-game.biz

hxxp://free-gay-movies.biz

hxxp://inginteinc.biz

hxxp://wwwsexbabes.biz

hxxp://wwwmoscarossa.biz

hxxp://wwwsearch.biz

hxxp://funygame.biz

hxxp://fuuny-game.biz

hxxp://e-dict.biz

hxxp://interskay.biz

hxxp://bbw-fat-woman.biz

hxxp://sexbabs.biz

hxxp://youniquedesigns.biz

hxxp://visiongloval.biz

hxxp://seekme.biz

hxxp://pamperedcheff.biz

hxxp://streetdrugs.biz

hxxp://northportrealtor.biz

hxxp://young-peaches.biz

hxxp://boysvids.us

hxxp://coolchasers.us

hxxp://avse.us

hxxp://clearsil.us

hxxp://celebmovie.us

hxxp://myffl.biz

hxxp://sexbabez.biz

hxxp://sexbabies.biz

hxxp://free-search.biz

hxxp://free-voyeur-web.biz

hxxp://sukuname.biz

hxxp://mattun.biz

hxxp://wmclick.biz

hxxp://jun1.biz

hxxp://try-this-search.biz

hxxp://best-search.us

hxxp://topkds.biz

hxxp://traffmoney.biz

hxxp://no-nudes.biz

hxxp://ownmyhome.us

hxxp://teenboyboy.biz

hxxp://may5.biz

hxxp://kisslola.biz

hxxp://mature-sex-pic.biz

hxxp://logocorean.biz

hxxp://medsbymail.biz

hxxp://melissacam.biz

hxxp://mcommuniti.biz

hxxp://katreen.biz

hxxp://nextdoorteens.us

hxxp://viasatelital.us

hxxp://onestoplettingshop.biz

hxxp://hotmapouka.biz

hxxp://agsoftware.biz

hxxp://bun1.biz

hxxp://bsabikesites.biz

hxxp://fragments.biz

hxxp://lovely-nymphets.biz

hxxp://proliferator.biz

hxxp://puertolaboca.us

hxxp://blackandpussy.biz

hxxp://ford-dealers.biz

hxxp://hlplmanhds.biz

hxxp://baosteel.biz

hxxp://begard.biz

hxxp://erotik-geschichten.biz

hxxp://djahmet.biz

hxxp://fonny-games.biz

hxxp://togetherwestand.us

hxxp://fantasy4u.us

hxxp://tympani.us

hxxp://victoryautosales.us

hxxp://veld.us

hxxp://hartlandschool.us

hxxp://whisperedsecrets.us

hxxp://receptor.us

hxxp://sese.us

hxxp://industrialwoodproducts.us

hxxp://cutyourexpenses.us

hxxp://first-school.us

hxxp://cutexpenses.us

hxxp://future4.us

hxxp://tvdirectory.us

hxxp://fashioncamp.us

hxxp://madebyyou.us

hxxp://justleather.us

hxxp://iamhot.us

hxxp://datedetective.us

hxxp://phonetranslators.us

hxxp://eurosport.us

hxxp://lloll.us

hxxp://embelsira.us

hxxp://mainsqueezelove.biz

hxxp://privatporn.biz

hxxp://porn-photo.biz

hxxp://radim.us

hxxp://porn-fotos.biz

hxxp://niceleads.biz

hxxp://spaceresort.us

hxxp://filmscore.us

hxxp://hatachi.us

hxxp://lanciasites.biz

hxxp://needcracks.us

hxxp://muddle.us

hxxp://negaheno.biz

hxxp://truyennguoilon.us

hxxp://net-gams.biz

hxxp://videospornoblog.biz

hxxp://chezbaycakes.biz

hxxp://vb3.biz

hxxp://n0-ip.biz

hxxp://nailwarehouse.biz

hxxp://mynameislolita.biz

hxxp://mountainlakeresort.us

hxxp://hardcore-family-incest.biz

hxxp://hi-web.biz

hxxp://passace.com

hxxp://smartergirl.com

hxxp://howtofixyourharley.com

hxxp://sirevil.us

hxxp://mychices.biz

hxxp://sfondipc.biz

hxxp://wealth-4-u.biz

hxxp://avenge.biz

hxxp://arlingonva.us

hxxp://americawide.us

hxxp://11xp.us

hxxp://arlintonva.us

hxxp://animefans.us

hxxp://genescan.us

hxxp://hallmarkkeepsake.com

hxxp://sundaramusic.com

hxxp://gros-culs.biz

hxxp://moneyconnection.biz

hxxp://graephillips.biz

hxxp://wwwbiehealth.us

hxxp://hollywoodmadam.us

hxxp://enblock.biz

hxxp://oynuyoruz.biz

hxxp://sexbabys.biz

hxxp://nop-ip.biz

hxxp://klinische-forschung.biz

hxxp://grupxtrem.biz

hxxp://vestalgirls.biz

hxxp://nudeliving.us

hxxp://buellsites.biz

hxxp://mcclaincountyassessor.us

hxxp://went2.us

hxxp://mcpsk12md.us

hxxp://muenzversand.biz

hxxp://nighteen.biz

hxxp://customelectronics.us

hxxp://hocsinhvn.biz

hxxp://city-realtor.biz

hxxp://no-p.biz

hxxp://transsahara.biz

hxxp://net-ganes.biz

hxxp://bevardclerk.us

hxxp://netgamez.biz

hxxp://healthfoodsstore.us

hxxp://hiphopcharts.us

hxxp://ebookgenerator.biz

hxxp://ni-ip.biz

hxxp://dataspot.biz

hxxp://moregirls.biz

hxxp://uscharts.us

hxxp://pampredchef.biz

hxxp://carefreehomesep.us

hxxp://fuun-games.biz

hxxp://kellyeducationalservices.us

hxxp://hollywoodsbest.us

hxxp://vintage-furniture.us

hxxp://pamperedche.biz

hxxp://cinacast.us

hxxp://gethitsfrom.us

hxxp://celebrityfuckfest.biz

hxxp://gentle-boys.biz

hxxp://trique-porno.biz

Sample malicious MD5s known to have been involved in the campaign include:

Stay tuned!

Search Engine for Hackers/Analysts/Bloggers/OSINT Analysts and Threat Intelligence Experts! Here We Go!

July 01, 2022
Dear blog readers,
This is Dancho. I wanted to take the time and effort to introduce you to my latest project, which is a publicly accessible search engine for hackers, security analysts, security bloggers, OSINT analysts and threat intelligence analysts who are looking for a custom search engine to serve all of their security and research needs, taking advantage of high-quality security and threat intelligence resources.

My primary idea behind launching and managing this project is to maintain it on a daily basis with real-time, high-quality resources, and I hope that you'll find the actual community-driven search engine relevant and informative.

Stay tuned!


Seeking Cyber Security and Threat Intelligence Experts To Work On Collaborative Sharepoint and Microsoft Access Cyber Threat Actor Database! Approach Me Today!

June 29, 2022

Dear blog readers,

Here's the big news, and I sincerely hope that you'll approach me at dancho.danchev@hush.com to discuss this project. The ultimate goal is to come up with a commercial database, including the necessary daily, weekly and monthly updates, of high-quality data and information on the bad guys, including their online infrastructure and detailed information on their online whereabouts, in a structured Microsoft Access database which we can eventually convert into a Windows application. The first goal is to come up with the actual information, and then possibly to introduce an API which other users can use, including users who might want to purchase the full database. Feel like joining the project and working with me on the initial project taxonomy, including joining the actual data entry process in your free time? Drop me a line at dancho.danchev@hush.com

Stay tuned!


Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware

June 28, 2022

A currently ongoing malicious campaign relying on iFrames injected into legitimate Web sites successfully segments mobile traffic and exposes mobile users to fraudulent, legitimate-looking variants of the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake mobile malware.

Let's dissect the campaign, expose the domain portfolio currently/historically known to have been involved in this campaign, as well as list all the malicious MD5s known to have been pushed by it.

The iFrame-injected domains containing the mobile traffic segmentation script are parked on the same IP (93.170.109.193).


Sample mobile malware MD5s pushed by the campaign:

Phone back location: hxxp://depositmobi.com/getTask.php/task=updateOpening&s= - 93.170.107.130

Parked on the same IP (93.170.107.130) are also the following domains participating in the campaign's infrastructure:

The following malicious mobile malware MD5s are known to have phoned back to the same IP in the past:

What's also worth emphasizing is that we've also got a decent number of malicious Windows samples known to have phoned back to the same IP in the past, presumably in an attempt by fellow cybercriminals to monetize the traffic through an affiliate program.

Actual download location of a mobile malware sample:
hxxp://mediaworks3.com/getfile.php?dtype=dle&u=getfl&d=FLVPLayer - 78.140.131.124


The following mobile malware serving domains are also known to have responded to the same IP (78.140.131.124) in the past:

As well as the following malicious MD5s:
MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
MD5: 4e5af55dd6a310bced83eb08c9a635b3

Thanks to the commercial availability of DIY iFrame-injecting platforms, the current commoditization of hacked/compromised accounts across multiple verticals, the efficiency-oriented mass SQL injection campaigns, as well as the existence of beneath-the-radar malvertising campaigns, cybercriminals are perfectly positioned to continue monetizing mobile traffic for fraudulent/malicious purposes.

This post has been reproduced from Dancho Danchev's blog.

Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains

June 28, 2022

Bogus content populating Scribd, centralized malicious/typosquatted/parked domains and fraudulent infrastructure, combined with dozens of malware samples phoning back to this very same infrastructure to monetize the fraudulently generated traffic: it doesn't get any better than this, does it?

URL redirection chain:
hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?epl=98EbooDNwLit-qQViA4tbYD7JMZAQuEUyV387pMYNBODms0CdAg9qAe5QvBgKTO6xW6jHW1iYo5F8yDIvYx7Aavd8wLHmZwHDIltbG4Eta-GVtiO3i9LlnzyK0YgWmT2BOaEeaipahFlE8yB7mCEBrQzXXtQBVUSIMGIEwTo9iUp0IyDUOM0mZKYzSpf6qGlAAgYN_vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqAAAADw -> monetization through Google/MSN

Domain names reconnaissance:
papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group
dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - Oversee Domain Management, LLC

 
The following related domains are also registered with the same email (belcanto@hushmail.com):

Out of the hundreds of domains known to have phoned back to the same IP in the past, a number are particularly interesting.


Malicious MD5s known to have made HTTP (monetization) requests to the same IP (69.43.161.176):


Malicious MD5s known to have made HTTP (monetization) requests to the same IP (208.73.211.152):


This case is a great example of one of the core practices when profiling cybercrime incidents and campaigns: sample everything, as what you're originally seeing is just the tip of the iceberg.
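A way to reproduce that pivot on a small data set, written here as an added example rather than the post's own tooling. It assumes hypothetical passive-DNS and sandbox records, keeping only the papaver.in / dsnetservices.com domain, IP and registrant values from the reconnaissance above; the `.test` names, the dummy hashes and the documentation-range IPs are placeholders.

```python
"""Pivoting on shared infrastructure, as done in the write-up above:
seed domain -> resolving IP and registrant e-mail -> other domains on the
same IP / registered with the same e-mail -> samples that phoned back.
Added example, not the post's own tooling."""
from collections import defaultdict, deque

# Constructed passive-DNS style records: (domain, resolving_ip, registrant_email).
# papaver.in and dsnetservices.com carry the values from the reconnaissance
# above; the .test names and the 203.0.113.0/24 and 198.51.100.0/24 addresses
# are documentation-range placeholders made up for this example.
DNS_RECORDS = [
    ("papaver.in", "69.43.161.176", "belcanto@hushmail.com"),
    ("dsnetservices.com", "208.73.211.152", "admin@overseedomainmanagement.com"),
    ("parked-one.test", "69.43.161.176", "belcanto@hushmail.com"),
    ("parked-two.test", "203.0.113.10", "belcanto@hushmail.com"),
    ("unrelated.test", "198.51.100.7", "someone@example.test"),
]
# Constructed sandbox observations: (sample_md5, ip_contacted). Hashes are dummies.
SAMPLE_CALLBACKS = [
    ("11111111111111111111111111111111", "69.43.161.176"),
    ("22222222222222222222222222222222", "69.43.161.176"),
    ("33333333333333333333333333333333", "203.0.113.10"),
    ("44444444444444444444444444444444", "198.51.100.7"),
]


def build_graph(dns_records, callbacks):
    """Undirected adjacency over typed nodes ("domain", "ip", "email", "md5").
    A domain is linked to the IP it resolves to and to its registrant e-mail;
    a sample is linked to the IP it phoned back to."""
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for domain, ip, email in dns_records:
        link(("domain", domain), ("ip", ip))
        link(("domain", domain), ("email", email))
    for md5, ip in callbacks:
        link(("md5", md5), ("ip", ip))
    return adj


def pivot(adj, seed_domain, max_hops=4):
    """Breadth-first expansion from the seed, following at most max_hops edges.
    Returns {node_type: {value: hops_from_seed}}; the hop count is the analyst's
    confidence signal, since each extra shared-infrastructure hop weakens the
    association (parked domains especially pull in unrelated tenants)."""
    start = ("domain", seed_domain)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue  # do not expand past the hop budget
        for nxt in adj.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    result = defaultdict(dict)
    for (kind, value), distance in hops.items():
        result[kind][value] = distance
    return dict(result)


if __name__ == "__main__":
    graph = build_graph(DNS_RECORDS, SAMPLE_CALLBACKS)
    for kind, values in sorted(pivot(graph, "papaver.in").items()):
        print(kind, sorted(values.items(), key=lambda kv: kv[1]))
```

Lowering `max_hops` is the knob that keeps the pivot from swallowing every tenant of a shared parking IP; compare the results at 2 and 4 hops.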

Related posts:
Click Fraud, Botnets and Parked Domains - All Inclusive
A Commercial Click Fraud Tool

This post has been reproduced from Dancho Danchev's blog.

Exposing an Indian Police Spyware Cyber Operation that Fabricated Evidence on the PCs of Indian Activists - An OSINT Enrichment Analysis

June 27, 2022

This is what happens when you're cheap. Guess which are the major IoCs (Indicators of Compromise) in this cyber attack campaign featured on Wired.com? Keep reading this OSINT enrichment analysis to find out the actual Indicators of Compromise.

Sample Gmail accounts known to have been involved in the campaign include:

Sample malicious domains known to have been involved in the campaign:

researchplanet.zapto.org

socialstatistics.zapto.org

duniaenewsportal.ddns.net

Sample domain registrant email address accounts known to have been involved in the campaign include:

harpreet.singh1984@yahoo.com

marlenecharlton@outlook.com

abadaba@eml.cc

REUBEN123@RISEUP.NET

Related malicious domains known to have been involved in the campaign include:

Sample responding IPs for known malicious domains known to have been involved in the campaign:

Sample malicious file hashes (SHA-256) known to have been involved in the campaign include:

Stay tuned!


DDanchev is for Hire! - Who Wants to Hire Me in Europe?

June 27, 2022

Folks, 

After a decade of fighting bad guys, I've decided to finally look for a way to relocate and begin a fresh start in my professional security blogger/cybercrime researcher/OSINT analyst and threat intelligence analyst career path by seeking a permanent position anywhere in Europe from anyone who's interested in directly hiring me and offering relocation and accommodation assistance on short notice, where I can basically relocate and begin the position without a period of three days prior to signing a contract and receiving the necessary relocation and accommodation assistance. And let's not forget that someone should meet me at the airport and say hi.

The current situation:

- I'm based in Bulgaria, holding Bulgarian citizenship

- I'm willing to relocate anywhere in Europe for a security blogger/cybercrime researcher/OSINT analyst and threat intelligence analyst position

- I work primarily using email, which is dancho.danchev@hush.com, where you can reach me 24/7 and expect a brief response three hours prior to sending your message

- My CV is available as PDF here and here's my LinkedIn Profile just in case you need it for anything

My requirements:

- I need only a direct hire proposition where you're 100% sure that you're interested in working with me

- I need a contract in advance before I travel on short notice, approximately three days prior to signing the contract

- I need relocation assistance in the form of an airplane ticket, including accommodation assistance, as I need a place to crash, work and live in your country

How to approach me:

Send me an email at dancho.danchev@hush.com and I'll shortly get back to you to discuss.

Looking forward to receiving your email. Let's make this happen!
