Exposing the Warzone RAT (Remote Access Tool) Enterprise - An OSINT Analysis

February 28, 2024

This just in.

Here's the analysis.
hxxp://www.warzone.ws/

Personal emails: solmyr@warzone.ws; ebase03@hotmail.com

XMPP/Jabber ID: solmyr@xmpp.jp

Telegram: solwz; sammysamwarzone

Skype: vuln.hf

Facebook account: https://www.facebook.com/il.meli.5

Sample photos of Warzone RAT (Remote Access Tool):
Sample photos of Daniel Meli:

From the "Dipshitness is Cool But Is It Relevant" Department?

February 26, 2024

From the "we hate you, we don't want to see you, you don't exist and we don't want to see or hear anything about you" department.

Cheers!


The Troyan, Bulgaria Local Dipshit Leader Gipsy King That "Killed" Them All

February 26, 2024

Writing dipshit "poetry" and singing it "all" constitutes illegal and dipshit activity. Guess what? You're somehow supposed to be master of it.


Profiling the xDedic Cybercrime Service Enterprise

February 26, 2024

My latest white paper for WhoisXML API.

The popular cybercrime-friendly xDedic service was recently shut down, and in this analysis we'll take an in-depth look inside the Internet-connected infrastructure of the xDedic cybercrime-friendly enterprise and offer practical and relevant technical insights, making it easier for fellow researchers, vendors and law enforcement to keep track of their current, historical and upcoming online activities.

Sample domains:
hxxp://xdedic.biz
hxxp://xdedic.ac
hxxp://xdedic.tk

Known responding IPs:
194.12.255.28
81.25.59.80
125.209.101.190
41.74.66.229
186.2.163.126
91.220.101.43
41.164.71.116
104.21.31.62
172.67.175.56
104.31.84.191
104.31.85.191
185.214.10.111
93.158.215.185
87.236.215.18
5.135.26.102
176.123.6.191

Personally identifiable information:
Email: support@xdedic.biz, abuse@xdedic.ac
Jabber Supports: support@xdedic.tk, support2@xdedic.tk
ICQ 591-20-47

Related personally identifiable information:

support@e-investhost.com

Name Server: NS1.E-INVESTHOST.COM
Name Server: NS10.E-INVESTHOST.COM
Name Server: NS2.E-INVESTHOST.COM
Name Server: NS20.E-INVESTHOST.COM
Name Server: NS21.E-INVESTHOST.COM
Name Server: NS3.E-INVESTHOST.COM
Name Server: NS4.E-INVESTHOST.COM
Name Server: NS5.E-INVESTHOST.COM
Name Server: NS6.E-INVESTHOST.COM
Name Server: NS7.E-INVESTHOST.COM
Name Server: NS8.E-INVESTHOST.COM
Name Server: NS9.E-INVESTHOST.COM

Current related domain registrations:
infox.sg
getmobiledevices.com
trustpharms.com
start55555.com
elevrus24.com

Known responding IPs:
141.105.69.219
80.93.188.78
158.255.1.56
88.208.35.36
88.208.57.120
188.126.76.59
46.229.164.15
185.26.230.134
62.152.53.50
209.99.40.222
103.18.40.182

Historic related domain registrations:
mstroy.pro
viagraovernightdelivery.biz
kuechenmarkt.moscow
baf.moscow
xdedic.biz
kurgan-45.info
rrwiki.biz
legioneer.biz

Known responding IPs:
209.99.40.219
104.21.31.62
172.67.175.56
74.220.207.139
5.135.26.102
91.220.101.43
104.31.84.191
104.31.85.191
41.164.71.116
194.12.255.28
81.25.59.80
125.209.101.190
41.74.66.229
186.2.163.126
185.84.110.74
185.84.110.75
185.84.110.72
185.84.110.73
185.84.110.70
185.84.110.71
185.84.110.65
185.84.110.66
185.84.110.84
185.84.110.85
185.84.110.82
185.84.110.83

Related domain registrations:

xdedic.biz
wertor.info
adminin.mobi
swap-money.biz
fedumps.pro
gossipgel.com
viagra-purchase.org
goodfinance-blog.com
q-seo.biz
ed-generics-online.com
hotnpapers.com
buycytotecnow.com
pharmaplus.biz
buyingamoxicillin.com
buyingclomid.com
amtrustpills.com
site-in-top.biz
omerta.cc
xdedic.biz
wertor.info
adminin.mobi
ed-generics-online.com
buycytotecnow.com
swap-money.biz
fedumps.pro
gossipgel.com
viagra-purchase.org
goodfinance-blog.com
q-seo.biz
pharmaplus.biz

Known responding IPs:

91.195.240.117
193.187.128.22
18.215.128.143
193.187.128.60
52.4.209.250
149.202.225.167
18.213.250.117
91.227.18.166
172.67.164.204
194.190.153.138
104.31.70.227
212.47.196.170
195.140.147.9
104.31.71.227
51.161.1.45
89.111.178.107
45.156.119.4
209.99.40.220
40.117.174.224
89.111.176.101
178.154.240.197
89.111.176.224
194.85.61.76
38.11.201.106
38.165.108.130
204.12.207.178
192.151.154.52
104.21.31.62
156.253.118.74
186.2.163.126
5.135.26.102
91.220.101.43
172.67.175.56
119.28.6.251
104.31.84.191
72.52.178.23
104.31.85.191
150.95.54.165
41.164.71.116
150.95.255.38
194.12.255.28
185.28.193.195
81.25.59.80
159.253.25.197
125.209.101.190
159.253.28.197
41.74.66.229
187.134.45.172
89.35.39.50
190.133.29.139
209.99.40.223
189.245.138.156
141.8.224.169
187.204.88.251
91.237.88.232
201.119.124.139
186.50.114.86
201.119.9.63
186.48.59.8
170.178.183.18
103.224.182.242
75.2.18.233
165.3.150.34
154.221.230.198
169.148.17.239
154.201.195.229
179.25.249.159
155.159.237.68
2.88.87.18
160.124.92.248
186.50.124.35
15.197.210.240
178.73.236.178
210.230.244.170
141.8.224.93
91.209.77.20
188.120.239.86
184.168.221.55
208.91.197.206
185.53.179.8
141.8.224.183
85.114.137.19
52.200.243.123
52.20.104.240
52.71.117.99
107.23.160.218
162.214.81.12
103.50.163.86
52.71.185.125
52.6.86.86
54.210.33.190
54.236.123.224
107.23.198.240
52.4.72.137
23.20.239.12
54.174.212.152
54.208.174.161


Conti Ransomware Gang's Russia-Based Music Album Labels and Plastika Recording Studio - An OSINT Analysis

February 24, 2024

I recently came across another image, courtesy of the Conti ransomware gang's internal and publicly accessible leaked communication, which I data mined with the idea of coming up with a proper analysis and connecting the dots. In this case it appears that a member of the Conti ransomware gang who's responsible for their advertising and marketing creative is also busy doing advertising and marketing creative for other clients, companies and organizations, in this specific case Russia-based rap and hip hop artists and their album covers.

Is this the case? Let's find out.


Original Russia-based Artist album cover screenshot found by data mining Conti ransomware gang's publicly accessible leaked internal communication

Original Russian Music Artist SAYTEE SAI - Nikita Zharinov – Born on 10 January 2002 - hxxp://vk.com/kidsocial Album Cover Part of the PLASTIKA Russia-Based Recording Studio

Sample personal photos of Nikita Zharinov:
Artwork courtesy of: W8D8DIGITAL - hxxp://www.instagram.com/w8d8w8d8/

hxxp://vk.com/w8d8w8d8 -> hxxp://vk.com/lungo999 -> Alexey Plyushkin - Born - 11 April 1994


Related images:


Sample personal photos of the owner and the advertising and marketing creative developer for the album cover – W8D8DIGITAL:
Sample photo of Flowers a Capella recording studio also based on the same address:
Sample personal photo of Oleg Dyachenko:

Sample personal photo of Oleg Khruschev:

Flowers a Capella -> Oleg Dyachenko - Born 10 February -> hxxp://vk.com/where.oreo; hxxp://vk.com/id234109753

Олег Хрущев - Born 14 February -> hxxp://vk.com/lezhatpluslezhat; hxxp://vk.com/id166833144 (Oleg Khruschev)

+7 (912) 629-76-36

Kirova Street 9, Yekaterinburg (улица Кирова, 9, Екатеринбург)

hxxp://t.me/flowersacapellastudio -> hxxp://t.me/kreasttik

hxxp://vk.com/whoisplutok9

hxxp://vk.com/id654906170 -> hxxp://vk.com/flowers.since2023



Dancho Danchev's Law Enforcement and OSINT Operation "Uncle George" - A 2024 Update

February 22, 2024

What leads us to conclusions while and when data mining publicly accessible forum communities used by cybercriminals?

It's their digital footprint, which often proves invaluable when doing research, such as for instance the following user IDs.

Sample personally identifiable XMPP/Jabber and email address accounts obtained by data mining a publicly accessible cybercrime-friendly forum community:

112233[.]exploit.im
1ntersect[.]mail.ru
365pills[.]richim.org
492962059[.]xmpp.ru
6262217[.]qip.ru
6262217[.]xmpp.jp
a10ne[.]exploit.im
activemoney[.]jabba.biz
adm[.]likeboss.biz
admin[.]multi-vpn.biz
administrator[.]d-2018.com
adv_supp[.]creep.im
advertisement[.]cryptomus.com
affiliate[.]Pharmaexpressrx.com
affiliate_support[.]clicklead.ru
affiliates[.]affmy.com
affiliates[.]faphouse.com
affsupp[.]jabber.ru
ager[.]paytechnique.com
aleksa[.]azinomoney.com
alex_popup[.]mail.ru
alexander.margulis[.]fxclub.org
alphacrew[.]protonmail.com
amusing[.]jabber.me
andls[.]rambler.ru
andy.g[.]pharmcash.net
andy[.]tjabb.com
angel4you21[.]qip.ru
annie[.]7bitpartners.com
arbitrage[.]webmoney.ru
arrish[.]jabber.ru
av[.]profitpixels.com
avd[.]247camsupport.com
big.t[.]exploit.im
big.t[.]thesecure.biz
bigtomas[.]sj.ms
brightmean[.]xmpp.jp
brightmean008[.]gmail.com
business[.]prime4pay.com
case[.]tacolo.co
commercialsites[.]react.org
consult[.]1jabber.com
contact[.]mondiad.com
contacts[.]byoffers.com
corsair[.]onlinesup.com
crewprime[.]protonmail.com
cryptoscanone[.]gmail.com
D007D007[.]gmail.com
dasjfkhsd[.]yandex.ru
Den.evilin[.]gmail.com
drbucks.support.2[.]jabber.no
educashion[.]jabber.ru
edu-money[.]jabber.ru
edu-profit[.]jabber.ru
edward[.]bourgaffiliateprogram.com
edward[.]im.solname.com
elchip[.]lryq.com
elen[.]imonetizeit.com
eugenia[.]adtrafico.com
evasupport[.]jabber.org
exfan.org[.]gmail.com
FinanceCPA[.]yandex.ru
forfind[.]xmpp.ru
hello[.]ipgate.io
help[.]coinshop24.org
hiddmark[.]gmail.com
hola[.]lospollos.com
hola[.]tacolo.co
info[.]edu-money.com
info[.]ezmob.com
info[.]hidmark.com
info[.]hidmark.ru
info[.]proxy-solutions.net
info[.]smmpanelus.com
info[.]softservice.org
info[.]tapgerine.com
ipillcash[.]jabber.ru
ipillcash[.]protonmail.com
john[.]tjabb.com
kate[.]bizprofits.com
kekc[.]im.solname.com
kristy[.]bongacash.com
krok[.]jabber.ru
lapochkalena13[.]gmail.com
leha78job[.]gmail.com
liza[.]bestseospace.com
liza[.]bourgaffiliateprogram.com
liza[.]im.solname.com
lucky-max[.]xmpp.jp
luna[.]traffcore.com
mailienteam[.]yahoo.com
markexchanger[.]xmpp.ru
melanie[.]bourgaffiliateprogram.com
melanie[.]im.solname.com
mikle[.]ipca-security.com
mmp[.]jabber.at
moneypartner[.]protonmail.com
mraffbiz[.]jabber.ru
mudilo[.]xmpp.ru
mxdor12[.]mail.ru
n1oise[.]mail.ru
nicegram[.]appvillis.com
npharma-security[.]opsecsecurity.com
optimizations[.]i.ua
order[.]shahan.pro
palumbo.eu11[.]gmail.com
partners[.]edu-revenue.com
partners[.]newretropartners.com
partners[.]runetki.com
paysover[.]proton.me
paywayrx[.]protonmail.com
pc_techsupport[.]jabber.ru
pharma-security[.]opsecsecurity.com
pharmempire[.]jabbim.com
plugins[.]wordpress.org
poleveter707[.]gmail.com
psi[.]brandshield.com
psi-2022[.]brandshield.com
robystudio[.]gmail.com
romochka.volkov.91[.]inbox.ru
ru.traf.suda[.]gmail.com
rxsupport[.]jabbim.com
s1[.]hotsecure.biz
s2[.]hotsecure.biz
segaldseo[.]gmail.com
senderproject[.]ya.ru
seodmitriyc[.]gmail.com
seolink.orders[.]gmail.com
seomen[.]jabber.at
sergey.gnadm[.]gmail.com
sharon[.]now.cn
shevjul[.]gmail.com
smm20401[.]yandex.ru
stas.b[.]affstream.com
storebucks[.]yandex.ru
support[.]7offers.ru
support[.]adnitro.pro
support[.]adspower.net
support[.]adtrafico.com
support[.]advanced.name
support[.]advertise.ru
support[.]affiliate.top
support[.]alientarget.su
support[.]azinomoney.com
support[.]bestchange.com
support[.]clicklq.com
support[.]cryptoexchanger.org
support[.]cryptomus.com
support[.]educashion.net
support[.]edu-money.com
support[.]edu-profit.com
support[.]enot.io
support[.]essaypartner.com
support[.]evadav.com
support[.]freechange.cc
support[.]gamblingcraft.com
support[.]help24x7.me
support[.]jabber-a.com
support[.]jabbis.com
support[.]justproxy.biz
support[.]kadam.net
support[.]keitaro.io
support[.]medconvert.com
support[.]media-kings.com
support[.]mirexpay.com
support[.]multi-vpn.biz
support[.]oxyproxy.pro
support[.]partnersdbbet.com
support[.]paysale.net
support[.]payv.com
support[.]pelicanprogram.com
support[.]proxy5.ru
support[.]ProxyWins.com
support[.]smmchat.com
support[.]srv24.net
support[.]tacolo.co
support[.]the-smartlink.com
support[.]traffcore.com
support[.]trafficstore.pro
support[.]yochange.com
t3leads[.]jabber.org
tacoloco_team[.]outlook.com
tanya[.]adtrafico.com
tes[.]react.org
titanseo[.]gmail.com
trollsgrot[.]gmail.com
tv7892[.]gmail.com
usec[.]jabber.vg
vad42833[.]gmail.com
vanessa[.]bestseospace.com
vanessa[.]bourgaffiliateprogram.com
vanessa[.]im.solname.com
vasilshop[.]xmpp.jp
vasyashop1[.]gmail.com
vera-simfoniya[.]mail.ru
vittelor86[.]gmail.com
voyeur.traffic[.]gmail.com
webkazna[.]jabb3r.org
webkazna[.]xmpm.pw
webkazna_1[.]xmpp.jp
webkazna2[.]exploit.im
welcomepartnershelp[.]gmail.com
write8004[.]gmail.com
xwab[.]bk.ru
ZakazatBanner[.]yandex.ru
zombi[.]jaberrx.com

Related:

DetectiveAgencyOfficial[.]proton.me
dumpstv[.]exploit.im
elliotsnitzer[.]hotmail.com
fasol[.]isgeek.info
fl3008830[.]gmail.com
hackcore[.]thesecure.biz
ideal_docs[.]exploit.im
info[.]betelnut.ie
jabber[.]jabber.com
jeosenco[.]gmail.com
joshuakrudy[.]gmail.com
Kerlim[.]jabb3r.de
Liamdaves[.]protonmail.com
lucifer6[.]exploit.im
Mrgenji[.]jabber.calyxinstitute.org
mulamoose[.]xmpp.jp
n7269[.]xmpp.jp
neizvestnost74[.]exploit.im
nelliotsnitzer[.]hotmail.com
ninfo[.]betelnut.ie
njoshuakrudy[.]gmail.com
nmulamoose[.]xmpp.jp
noneflone[.]jabb.im
nPauldugan[.]proton.me
ntsar[.]thesecure.biz
ntylerlewis40[.]yahoo.com
oliviam[.]5222.de
oneflone[.]jabb.im
Pauldugan[.]proton.me
peachesncreme_77[.]yahoo.com
peterwt50[.]yahoo.com
procrd[.]exploit.im
procrd[.]gajim.org
REDLINEVIP[.]protonmail.com
sclassadmin[.]exploit.im
siebermr[.]gmail.com
support[.]abcproxy.com
support[.]anonrdp.com
t.cases750[.]gmail.com
tsar[.]thesecure.biz
tylerlewis40[.]yahoo.com
vasilshop[.]xmpp.jp
vasyashop1[.]gmail.com
zedpoint[.]tutanota.com
zedpoint[.]vipole.com

Related:

CConscience[.]xmpp.jp
evil_angel[.]xmpp.jp
lafontain3[.]xmpp.jp
zipshop[.]xmpp.jp
crave[.]jabber.cz
dedmakarr[.]jabber.ru
jabberadrastos[.]sj.ms
johnsnowisalive4[.]jabber.hot-chilli.net
lawton_supp_en[.]public-jabber.me
lawton_supp_ru[.]public-jabber.me
banality[.]creep.im
banalitybiz[.]exploit.im
cardvilla[.]exploit.im
Ego[.]creep.im
reallibrarian[.]exploit.im
zipshop[.]exploit.im


Assessing the Current State of Cyber and Cyber Military Deception Concepts Online - Part Two

February 22, 2024

So here it goes.

This is the second part. Check out part one here. If it's going to be a cyber warfare doctrine, make sure that China and Russia didn't copy it, acting as copycats and basically positioning themselves over a decade ago in military and cyberspace operations thinking. If that's the case, then I'll do my best to elaborate more on my understanding and the actual practice of cyber deception and cyber military deception in cyberspace.

Some of the key principles that I'll outline in the second part of this series of blog posts include:

As I've already mentioned regarding the process and practice of misperception, it should also be clearly noted and emphasized that the basic concept of misperception of individuals and organizations in cyberspace, as launched and operated by an information operation, can be deliberately proposed by the information operation itself or by the individual or organization that's managing it.

Yet another highly relevant concept in terms of cyber deception and cyber military deception has to do with hiding the real and actual information or facts for the purpose of building an information operation around this idea and process, which breaks down into the following:

- Hiding the Real

This is a fairly interesting concept where the primary element is a somewhat sensitive topic: the concealment of an individual's, an item's or an organization's own characteristics or patterns, be it a pattern of behavior or a pattern of activity. This could also include the introduction of new characteristics or patterns of behavior, or the deliberate, operation-based exclusion of certain characteristics, where the ultimate goal is to raise uncertainty or to operate in a classified or sensitive fashion.

- Showing the False

This is a very important concept where the primary purpose is to disinform an adversary, an individual or an organization about the true state of a specific concept, where the ultimate goal is to disinform a specific individual or organization, possibly including the introduction of a new concept or practice (also known as showing the false), which can also extend to pattern-based behavior, both in the context of an individual's and an organization's behavior.

- Pre-defined target response reaction

The primary goal here is to create a mechanism where one party can expect another party's response in a specific way or manner, where the ultimate response could be either classified or sensitive, and where the actual response could be surprising, hiding the real, or showing the false.

- Pre-defined perception determination

Believe it or not, this doesn't necessarily require an expert or a specialist in the field, as that would undermine the very concept behind this practice, which has to do with deliberately positioning yourself as a knowledge-based party in a specific situation, where the ultimate response is driven by something that you know, or are perceived to know, as an expert, a specialist or a position-holder in the field.

- Hide or Show assets decision model

A bit of an interesting practice that greatly reminds me of a moment in time when you could really "IM me a Strike Order", where the ones who ultimately know and understand the adversary would have the means to properly respond and strike back in a professional and specific manner.

Stay tuned!


Conti Ransomware Gang's Web Properties Domain Reconnaissance - An OSINT Analysis

February 21, 2024

The following is a set of domain name reconnaissance findings for Conti Ransomware Gang's related web properties.

Sample domains:

hxxp://aes[.]one - Kirill Borzov - Email: borzoff_k[.]grr[.]la; 89531976767@mail[.]ru

Sample URL: hxxp:/aes[.]one/files/d/e0t/1u4lg8iu6deal10c4k13lei1q7/94290198d07d9e0e/

Related domains:
hxxp:/запчасти71[.]рус - Email: 89531976767[.]mail[.]ru
hxxp:/continews[.]click - 89[.]45[.]4[.]98; 86[.]106[.]20[.]166; 146[.]70[.]71[.]184

Related Conti domains known to have been parked on the same IP (89[.]45[.]4[.]98):
hxxp:/continews[.]club
hxxp:/continews[.]xyz
hxxp:/contirecovery[.]click
hxxp:/contirecovery[.]best - 185[.]14[.]30[.]76

Related Conti domains known to have been parked on the same IP (185[.]14[.]30[.]76):
hxxp:/contirecovery[.]top
hxxp:/contirecovery[.]icu

Related Conti domains known to have been parked on the same IP (185[.]14[.]30[.]76):
hxxp://bet4rate[.]com - Anton Petrov - Email: a[.]lexboesky@gmail[.]com

Related domains known to have been registered using a[.]lexboesky@gmail[.]com include:
hxxp:/bet4rate[.]fr
hxxp:/bet4forum[.]com
hxxp:/nbaforecast[.]com
hxxp:/mlbforecasts[.]com
hxxp:/forecastpackage[.]com
hxxp:/betforrate[.]com
hxxp:/betspackage[.]com
hxxp:/analytics4sport[.]net
hxxp:/analytics4sport[.]org
hxxp:/sport4[.]us
hxxp:/4sport[.]us
hxxp:/bet4rate[.]com
hxxp:/center4sportanalytics[.]com
hxxp:/sport4analysis[.]com

Working spreadsheet:
hxxp:/docs[.]google[.]com/spreadsheets/d/1pI71arcyNDmcCZPfGFDFc0o9GJlrcJOycBWZEyrfjlA/edit

Working Google Drive account:
https://drive[.]usercontent[.]google[.]com/download?id=1TzaiXSmdZpSUvm_quI4DjiedpxAQ05mo

Related domains:
hxxp:/dropfiles[.]me - hxxp:/xchange[.]cash
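The domains above are written defanged (`hxxp:/`, `[.]`) and are grouped by the IP they were parked on, which is the pivot a defender would reproduce when turning a post like this into a blocklist or a hunting query. The following is an added example, not the author's tooling: it refangs indicators in exactly the format this post uses, pulls the hosting IP out of each "parked on the same IP (...)" header and each trailing `- IP; IP` annotation, and inverts the result into an IP-to-domains table. The sample text is constructed from the indicators already listed in this post. Contact handles written with `[.]` in place of `@` are deliberately not refanged, because that substitution is ambiguous without knowing which `[.]` was the `@`.

```python
"""Refang defanged indicators (hxxp:/, [.]) and pivot domains by shared hosting IP.

Added example; not the blog author's own code. The parsing rules assume the
post's conventions: a 'same IP (x[.]y[.]z[.]w):' header applies to the lines
that follow it until the next blank line, and a URL line may carry its own
IPs after ' - ', separated by ';' or ','.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, copied from the indicators listed in the post above.
SAMPLE = """\
hxxp:/continews[.]click - 89[.]45[.]4[.]98; 86[.]106[.]20[.]166; 146[.]70[.]71[.]184

Related Conti domains known to have been parked on the same IP (89[.]45[.]4[.]98):
hxxp:/continews[.]club
hxxp:/continews[.]xyz
hxxp:/contirecovery[.]click
hxxp:/contirecovery[.]best - 185[.]14[.]30[.]76

Related Conti domains known to have been parked on the same IP (185[.]14[.]30[.]76):
hxxp:/contirecovery[.]top
hxxp:/contirecovery[.]icu
"""

URL_LINE = re.compile(r"^(hxxps?:/+\S+)(?:\s*-\s*(.*))?$")
IP_HEADER = re.compile(r"same IP \(([^)]+)\)")


def refang(token: str) -> str:
    """Undo the post's defanging: hxxp:/ or hxxp:// -> http://, [.] -> ., [:] -> :."""
    token = token.strip()
    token = re.sub(r"^hxxps:/+", "https://", token)
    token = re.sub(r"^hxxp:/+", "http://", token)
    return token.replace("[.]", ".").replace("[:]", ":")


def is_ipv4(candidate: str) -> bool:
    """True only for a syntactically valid IPv4 literal."""
    try:
        return ipaddress.ip_address(candidate).version == 4
    except ValueError:
        return False


def parse_pivots(text: str) -> dict:
    """Return {ip: sorted list of domains} from a post written in the format above."""
    ip_to_domains = defaultdict(set)
    context_ip = None  # IP named by the most recent 'same IP (...)' header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            context_ip = None  # a blank line ends the header's scope
            continue
        header = IP_HEADER.search(line)
        if header:
            ip = refang(header.group(1))
            context_ip = ip if is_ipv4(ip) else None
            continue
        match = URL_LINE.match(line)
        if not match:
            continue  # registrant names, emails and other prose are ignored
        host = urlsplit(refang(match.group(1))).hostname
        if not host:
            continue
        ips = {context_ip} if context_ip else set()
        for token in re.split(r"[;,]", match.group(2) or ""):
            candidate = refang(token)
            if is_ipv4(candidate):
                ips.add(candidate)
        for ip in ips:
            ip_to_domains[ip].add(host)
    return {ip: sorted(domains) for ip, domains in ip_to_domains.items()}


def shared_ips(pivot: dict, minimum: int = 2) -> list:
    """IPs that host at least `minimum` of the listed domains, i.e. useful pivots."""
    return sorted(ip for ip, domains in pivot.items() if len(domains) >= minimum)


if __name__ == "__main__":
    table = parse_pivots(SAMPLE)
    for ip in shared_ips(table):
        print(ip, "->", ", ".join(table[ip]))
```

The blank-line scoping matters: without it, the `185[.]14[.]30[.]76` header would keep attributing every later domain (including the unrelated bet4rate entries) to that IP, which is exactly the kind of over-broad pivot that produces false positives in a blocklist.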
