A Peek Inside a Mass SQL Injection Scanning and Exploiting IRC Botnet - An Analysis

February 06, 2023

Who would have thought? An IRC-based botnet with built-in mass SQL injection scanning, remote exploitation and fuzzing capabilities? I've decided to share with everyone some sample screenshots of the process, with the idea of raising everyone's awareness that what was once rocket science is today's reality, and was already so back in 2008 when I originally took these screenshots.

Sample screenshots include:

Stay tuned!


A Peek Inside the Spack Web Malware Exploitation Kit - An Analysis

February 06, 2023

Dear blog readers,

I've decided to share with everyone several sample screenshots of the infamous Spack web malware exploitation kit, with the idea of raising everyone's awareness of how easy to use and easy to deploy mass client-side exploitation tools have become.

Sample screenshots include:

Stay tuned!


A Peek Inside a Milw0rm Syndicating Remote Execution Flaws Exploitable IRC Scanning Botnet - An Analysis

February 06, 2023

Who would have thought? An IRC-based botnet that directly syndicates remotely exploitable flaws and actually scans for them from within the botnet itself? Takes you back, doesn't it? This has been a daily practice since practically 2008, and I've decided to share some sample screenshots of the process in action.

Sample screenshots include:

Stay tuned!


A Peek Inside the Xedant Human Emulator Spam Tool - An Analysis

February 06, 2023

Dear blog readers,

In need of a decent example of a sophisticated spam tool that's truly capable of bypassing any web site's anti-spam defenses, including basically any known CAPTCHA, and of automating the process to the point where the bad guys behind it are capable of causing widespread spam havoc internationally? Think of the Xedant human emulator tool circa 2008.

Sample screenshots include:

Stay tuned!


A Peek Inside the Xrumer Spam Tool - An Analysis

February 06, 2023

Who would have thought? It's an unknown period of time within the cybercrime ecosystem, and I've decided to share exclusive screenshots of the infamous Xrumer spam tool, which used to and continues to dominate the spam marketplace thanks to a variety of advanced and sophisticated features that make it easy for anyone to enter the world of spam globally.

Sample screenshots include:

Stay tuned!


A Peek Inside A Web Malware Exploitation Kit - An Analysis

February 06, 2023

Dear blog readers,

I've decided to share with everyone yet another post in the "an image is worth a thousand words" blog post series. Takes you back, doesn't it? In this post I'm sharing never before released or published screenshots of a well known web malware exploitation kit, with the idea of showcasing how easy it is to use and deploy client-side vulnerability exploitation on a mass scale.

Sample screenshots include:

Stay tuned!


A Peek Inside the Zalupko Accounting Data Stealing Malicious Software Botnet - An Analysis

February 06, 2023

Who would have thought? Takes you back, doesn't it? While going deep inside my old threat intelligence archive circa 2008, I've decided to share with everyone several never before published or released screenshots of the Zalupko accounting data stealing malware botnet, with the idea of raising everyone's spirits in the field of fighting cybercrime and doing research, and possibly taking your research motivation higher.

Sample screenshots include:

Stay tuned!


Exposing Russian Business Network's Mykhaylo Sergiyovich Rytikov's AbdAllah Internet Hizmetleri Bulletproof Hosting Provider on U.S Secret Service's Most Wanted Cybercriminals List

January 26, 2023

I've decided to share with everyone some actionable intelligence on one of the Russian Business Network's primary franchise networks in Turkey, namely AbdAllah Internet Hizmetleri, which back in the day used to be responsible for some pretty decent bulletproof hosting of malicious and fraudulent cybercrime activity, and in particular to offer actionable intelligence on its owner, Mykhaylo Sergiyovich Rytikov, who's currently on the U.S. Secret Service's most wanted cybercriminals list.

Known domains affiliated with AbdAllah Internet Hizmetleri:

hxxp://tiket[.]cc
hxxp://abdulla[.]cc
hxxp://privateforum[.]cn - upomajuliya745@gmail.com; xpj88kf@gmail.com; 316411856@qq.com

Related known domains affiliated with AbdAllah Internet Hizmetleri:

hxxp://ns1[.]srv4u[.]biz
hxxp://bulletproof-service[.]com - Email: support@hosting-offshore.biz - 202.83.212.250
hxxp://tarahost[.]net - Email: konstantin@karyaev.com - 89.108.73.93

Related domains known to have been registered by the same domain registrant:
hxxp://all-mafia[.]net
hxxp://shampanskoe[.]info
hxxp://mashost[.]org
hxxp://flexi-domains[.]com
hxxp://5pagess[.]net
hxxp://extrasoft[.]biz
hxxp://golovolomka[.]info
hxxp://optical-coatings[.]info
hxxp://polevoi[.]info
hxxp://belorussia[.]info
hxxp://3alab[.]com
hxxp://prezervativ[.]org
hxxp://brodyaga[.]net
hxxp://skramedia[.]com
hxxp://tarafree[.]com
hxxp://mp3-mmf[.]com
hxxp://myproga[.]net
hxxp://extrahost[.]su
hxxp://garanthost[.]com
hxxp://grand-host[.]net
hxxp://technormativ[.]info
hxxp://xp-hosting[.]net
hxxp://kredits[.]cn
hxxp://tarahost[.]biz
hxxp://tarahost[.]org
hxxp://optical-coatings-design[.]info
hxxp://extrasoft-outsourcing[.]info
hxxp://pm-tost[.]net
hxxp://pm-sotovik[.]net
hxxp://pm-ranlix[.]net
hxxp://pm-holland[.]net
hxxp://swlu[.]info
hxxp://valdiss[.]info
hxxp://karyaev[.]com
hxxp://x450[.]info
hxxp://grand-host[.]biz
hxxp://flexi-classifieds[.]com
hxxp://flexi-sitebuilder[.]com
hxxp://flexi-projects[.]com
hxxp://bloggast[.]info
hxxp://pereezd-pro[.]info
hxxp://eduaction[.]info
hxxp://wmnakovalnya[.]com
hxxp://retro80x[.]com
hxxp://tarafree[.]net
hxxp://skramedia[.]org
hxxp://oldactors[.]net
hxxp://tarahost[.]net
hxxp://janimation[.]net
hxxp://tarahost[.]com
hxxp://skramedia[.]biz
hxxp://vv-want[.]info
hxxp://skramedia[.]net
hxxp://olimp-sport[.]com
hxxp://youhouse[.]biz
hxxp://kroleki[.]com
hxxp://extrasoft-projects[.]info
hxxp://zelenaya[.]com
hxxp://cazinowm[.]com
hxxp://extrasoft-outsourcing[.]net

Related domains known to have been involved with AbdAllah Internet Hizmetleri:
hxxp://magic-jackpot-cas[.]com
hxxp://euro-vip-casino[.]com
hxxp://royal-casino-vip[.]com
hxxp://sexrusfuck[.]com
hxxp://royal-cas-vip[.]com
hxxp://2400-usd-casino[.]com
hxxp://royalcasino-vip[.]com
hxxp://2400usd-casino[.]net
hxxp://eurocasino-vip[.]com
hxxp://sinlife[.]cn
hxxp://byron-consulting-group[.]com
hxxp://28-07[.]com
hxxp://28-07[.]net
hxxp://job-consults[.]org
hxxp://837-86[.]org
hxxp://expressdeal[.]biz
hxxp://cron[.]li
hxxp://crons[.]cc
hxxp://cronos[.]mn
hxxp://crinc[.]mn
hxxp://crinc[.]li
hxxp://ultrasmoke[.]cn
hxxp://supersmoke[.]cn
hxxp://globalsmoke[.]cn
hxxp://937-86[.]org
hxxp://cronco[.]li
hxxp://tradegroup-ha[.]com
hxxp://ha-tradegroup[.]com
hxxp://crinc[.]jp
hxxp://tradegroup-ha[.]net
hxxp://investmentcron[.]cn
hxxp://glb-soft[.]com
hxxp://croninv[.]cc
hxxp://cronis[.]cn
hxxp://crons[.]ac
hxxp://cronn[.]eu
hxxp://dkebooks[.]com
hxxp://cronoi[.]cc
hxxp://jieod[.]com
hxxp://midgejs[.]com
hxxp://crin[.]ac
hxxp://aoejf[.]com
hxxp://yseac[.]com
hxxp://kaserid[.]com
hxxp://crin[.]cc
hxxp://jekdoe[.]com
hxxp://ujeose[.]com
hxxp://masiwer[.]com
hxxp://reusiwe[.]com
hxxp://kaoeds[.]com
hxxp://iwoser[.]com
hxxp://planet0day[.]biz
hxxp://xeirod[.]com
hxxp://neusoas[.]com
hxxp://geoepd[.]com
hxxp://efuyr[.]com
hxxp://ziude[.]com
hxxp://polsenstanford[.]com
hxxp://heyud[.]com
hxxp://woqkr[.]com
hxxp://seiudr[.]com
hxxp://aosier[.]com
hxxp://dueor[.]com
hxxp://crins[.]ac
hxxp://verbespecially[.]com
hxxp://fivejoy[.]com
hxxp://riverwomen[.]com
hxxp://trianglesentence[.]com
hxxp://floorside[.]com
hxxp://developtail[.]com
hxxp://womanfinish[.]com
hxxp://alwaysfell[.]com
hxxp://differcollect[.]com
hxxp://goodalso[.]com
hxxp://kingbrought[.]com
hxxp://findcharacter[.]com
hxxp://chanceexpect[.]com
hxxp://beardictionary[.]com
hxxp://forwardfield[.]com
hxxp://tinydown[.]com
hxxp://jobwhether[.]com
hxxp://numeralcity[.]com
hxxp://cronin[.]jp
hxxp://equalcatch[.]com
hxxp://streamwho[.]com
hxxp://selectmonth[.]com
hxxp://propercame[.]com
hxxp://grewsoil[.]com
hxxp://townslip[.]com
hxxp://stationheavy[.]com
hxxp://charactereven[.]com
hxxp://milk0soft[.]com
hxxp://goldverb[.]com
hxxp://windowlisten[.]com
hxxp://bqgqnfc[.]cn
hxxp://wrbhnuw[.]cn
hxxp://a9da6[.]org
hxxp://04ccc408[.]org
hxxp://bdb7beb6[.]org
hxxp://scalespread[.]com
hxxp://thencloud[.]com
hxxp://figurespoke[.]com
hxxp://fullfraction[.]com
hxxp://propertytall[.]com
hxxp://beautyfig[.]com
hxxp://hadover[.]com
hxxp://followsalt[.]com
hxxp://staysay[.]com
hxxp://herexcept[.]com
hxxp://thanscore[.]com
hxxp://humanthus[.]com
hxxp://branchfelt[.]com
hxxp://areacountry[.]com
hxxp://meetduring[.]com
hxxp://movestood[.]com
hxxp://stillverb[.]com
hxxp://suggesteye[.]com
hxxp://preparebut[.]com
hxxp://hurrysound[.]com
hxxp://cookcompare[.]com
hxxp://0daycod[.]biz
hxxp://europeansmoke[.]cn
hxxp://sprybog[.]net
hxxp://taybaol[.]com
hxxp://bconsgroup[.]com


Exposing a Currently Active and Spreading Cobalt Strike Serving Malicious Software Campaign

January 26, 2023

I've just come across a currently circulating Cobalt Strike serving malicious software campaign, and I've decided to share the details with everyone reading this blog.

Original malware hosting location: hxxp://bsctech[.]ac[.]th/css/43[.]exe

MD5: d8d8cb60d196a26765261b1ca8604d1e

Sample C&C server IPs known to have been involved in the campaign include:

hxxp://5[.]253[.]234[.]40 -> hxxp://5[.]253[.]234[.]40/activity -> hxxp://5[.]253[.]234[.]40/activity/submit[.]php

Sample geolocation of the known C&C server IP:

Sample C&C server domains known to have been involved in the campaign include:

hxxp://bpltjykhm[.]online

hxxp://51lqm[.]online


A Peek Inside a Zunker Botnet C&C Administration Panel - An OSINT Analysis

January 26, 2023

While digging deep inside an old threat intelligence and technical collection archive, I've decided to share several screenshots worth everyone's while.

The following are several sample screenshots courtesy of the Zunker botnet C&C (command and control) interface, which back in the day used to dominate the threat landscape, including the sophisticated cybercrime ecosystem, with some pretty interesting and sophisticated features.

Sample screenshots include:


Happy Holidays From The (Not) Republic of Bulgaria - An Analysis - Part Two

January 17, 2023

Can you slap it? Do you know that your degree of education is proportional to the price size of your t-shirt, which means that we're not interested in counting that much, I mean the almighty dollar which you can't behold yourself to in all of its mightiness? "Give me a moron and I'll beat him" instead of "Give me an IP and I'll move the earth" type of mentality? Are you a retard or are you a moron or are you a dipshit where the word cannot really behold itself to its almighty awesomeness? Try the two of these, as you're only a low-waged moron that cannot really count anything between one or two, which means the actual times you'll get slapped by someone who'll eventually find out and seek your responsibility for your general moronic attitude. It means that you're a retard.

Stay tuned!

Exposing a Portfolio of Currently Active Malware Serving Domain and URLs - An Analysis

December 28, 2022

Dear blog readers, 

Interested in finding out the latest and very greatest malicious software download locations for research purposes? Check out the following compilation, compiled by me exclusively using public sources.

Grab the compilation from here.

Stay tuned!


Exposing a Portfolio of Fake News Disinformation and Misinformation Web Site Domains - A Compilation

December 27, 2022

Dear blog readers,

I've decided to share with everyone a currently active domain portfolio of fake news disinformation and misinformation web sites, which I obtained using technical collection, with the idea of assisting everyone in their cyber attack campaign attribution efforts.

Download the compilation here.

Stay tuned!


My Official 256GB Research Compilation - An Analysis

December 21, 2022

UPDATE:

Here's the actual link.

Dear blog readers,

Hot off the press. Grab the Torrent.

Sample photo:

Stay tuned!


Exposing the "Data Leaks" Paradise - An Analysis

December 20, 2022

In a world dominated by countless malicious and fraudulent cyber threat actors, including the rise of the "penetration testing" crowd whose ultimate goal is to lower the entry barriers into the world of information security, potentially resulting in thousands of ethical and unethical penetration-testing-aware users across the globe with the capacity and potential to target thousands of legitimate web sites in an attempt to take advantage of the "low-hanging fruit", it should be clearly noted that over the past couple of years a new generation of wannabe hackers and information security enthusiasts has emerged, namely the data breach and data leaks community within the information security industry. Its ultimate goal is to obtain access to compromised and potentially leaked databases of confidential records, including high-profile leaks of government data, which will later on be traded and taken advantage of in the context of launching targeted phishing and malware-spreading campaigns, potentially affecting hundreds of thousands of users in the process.

Sample uses of these stolen and compromised databases include:

- setting the foundation for successful spear-phishing campaigns

- setting the foundations for successful targeted malware and exploits serving campaigns

- setting the foundations for successful widespread spam and botnet propagation campaigns

- attempting to monetize the stolen database by selling access to it

- attempting to use double layer monetization for the stolen database by attempting to sell access to it including to the actual owners of the database who might be interested in obtaining a copy of it

- biased exclusivity and double layer monetization combination where the attacker might only sell the database to its actual owner and actually get rid of it once they receive the payment

The very notion that cybercriminals, as well as white hat security experts and cybercrime fighters, will eventually attempt to obtain access to, for instance, a compromised cybercrime forum for the purpose of exposing the personal details of its users, and possibly tracking down, geolocating, profiling and prosecuting some of its members, should definitely be considered an old-fashioned trend in the fight against cybercrime online. With more users and researchers joining the fight, the actual cybercriminals might take additional measures to protect against and prevent possible data leaks, including various other OPSEC (Operational Security) measures such as positioning their cybercrime-friendly forum community as invite-only, or launching it in a vetted and invite-only fashion from the start.

What should be clearly noted is that, with the mainstream media continuing to raise awareness of the existence of high-profile hacking groups and hackers, including the rise of the Anonymous crowd, wannabe and potential hackers will continue trying to steal the media attention and the actual "know-how" from high-profile hacking groups and individual hackers involved in high-profile data leaks and data breaches.

I believe that on the majority of occasions it's just ransomware that's making the headlines, including its way into corporate networks, thanks to the so-called initial access brokers, who on the majority of occasions are also known to outsource their hacking and network compromise needs to third parties. These third parties will perform attack surface reconnaissance on the web and attempt to find a weak spot in the targeted victim's corporate network, but will also attempt to data mine and harvest publicly accessible email addresses for the purpose of active social engineering reconnaissance. That includes attempts to obtain accounting data belonging to the company's individuals and to launch spear phishing campaigns against their infrastructure, in an attempt to gain access to their email accounts, home PCs and networks, including related services, ultimately attempting to compromise the security of the targeted network and the company in question.

Stay tuned!
