How Str0ke From Milw0rm Got Compromised?

September 12, 2024

An image is worth a thousand words.

I just came across a video that I appear to have obtained through Technical Collection back in the good old school days in 2009. It clearly indicates that str0ke from Milw0rm was compromised using the Bifrost trojan horse, and the attacker even recorded a video of it.

One of the most important things in this job is to keep a defense-in-depth, multi-layered approach in mind at all times, so that you can prevent, and properly respond to, security incidents that could take place in your environment.

Sample video:

Edward Snowden's IoCs

August 17, 2024
I'm retiring.

Personal domain: hxxp://lavabit.com

Personal email address account:
Ed_Snowden@lavabit.com
edsnowden@lavabit.com

Lavabit's BitCoin address:
1Bqqy3SxZ27ZUogEeiKHYqPsmFwuRTErMu

Known domain registration:
hxxp://ismtgoxsolvent.com - 97.74.42.79; 50.63.202.93

Possible related domain registrations:
hxxp://mtgox-creditors.com
hxxp://mtgox-prod.net
hxxp://mtgox-reabilitation.com
hxxp://mtgox-rehabilitation.com
hxxp://mtgox-claim.xyz - Email: johndoe77887@gmail.com
hxxp://mtgox-legal.com
hxxp://mtgox-recovery.com
hxxp://mtgox-gift.pro
hxxp://mtgox-refund.com
hxxp://mtgox-prod.com
hxxp://ismtgoxsolvent.com
hxxp://xn--mtgox-glubiger-dib.de
hxxp://mtgox-lawsuit.com
hxxp://mtgox-token.com
hxxp://l8.ai
hxxp://ronniediagnosticenterltd.com.ng
hxxp://easypay.com.ng
hxxp://mtgox-com.us
hxxp://mtgox-chat.com
hxxp://mtgox.us
hxxp://mtgox-bank.com
hxxp://mtgox-china.net
hxxp://777zg.com
hxxp://mtgox-support.com
hxxp://mtgox-china.com
hxxp://mtgox-wallets.info
hxxp://gox.com
hxxp://mtgox-chat.tk
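The listings on this page follow one convention: a defanged hxxp:// scheme, an optional " - " annotation carrying resolved IPs or a registrant e-mail, ";"-separated values, and the same domain sometimes appearing in more than one list. As an added example that is not part of the original post, here is a small Python parser for that format: it refangs each line, classifies the indicator as a domain, IP or full URL, merges duplicate entries so their annotations are combined rather than lost, and derives a host blocklist. The sample input is constructed from entries already on this page; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: a handful of lines in the exact shape the listings on
# this page use (defanged hxxp:// scheme, " - " annotations, ";"-separated values,
# the same domain appearing twice). Entries are taken from the lists above.
SAMPLE = """\
Known domain registration:
hxxp://ismtgoxsolvent.com - 97.74.42.79; 50.63.202.93

Possible related domain registrations:
hxxp://mtgox-claim.xyz - Email: johndoe77887@gmail.com
hxxp://mtgox-legal.com
hxxp://ismtgoxsolvent.com
hxxp://k0x.ru/_bot.exe - 82.146.60.59
hxxp://142.11.230.18/b.php
"""

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Accept both the defanged hxxp(s):// form and a stray http(s):// line.
SCHEME = re.compile(r"^h(?:xx|tt)p(s?)://", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp(s):// back into http(s):// so urlsplit() can parse the line."""
    return SCHEME.sub(r"http\1://", url.strip())


def parse_line(line: str) -> list:
    """Extract (kind, value, related) tuples from one listing line.

    kind is 'domain', 'ip' or 'url'; related is a tuple of (kind, value)
    pairs taken from the annotation after ' - ' (IPs, e-mail addresses, or a
    free-text note when neither matches). Non-IOC lines yield [].
    """
    line = line.strip()
    if not SCHEME.match(line):
        return []
    head, _, tail = line.partition(" - ")
    url = refang(head)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    related = []
    for token in re.split(r"[;,]\s*", tail):
        token = token.strip()
        if not token:
            continue
        m = EMAIL.search(token)
        if m:
            related.append(("email", m.group(0)))
        elif IPV4.match(token):
            related.append(("ip", token))
        else:
            related.append(("note", token))

    host_kind = "ip" if IPV4.match(host) else "domain"
    found = [(host_kind, host, tuple(related))]
    # A path or query means the line names a specific URL (e.g. a payload), not just a host.
    if parts.path not in ("", "/") or parts.query:
        found.append(("url", url, ()))
    return found


def parse_listing(text: str) -> dict:
    """Parse a whole listing into {(kind, value): set(related)}.

    Repeated entries (the same domain in two lists) collapse into one key and
    their annotations are merged, so nothing from either copy is lost.
    """
    indicators = {}
    for line in text.splitlines():
        for kind, value, related in parse_line(line):
            indicators.setdefault((kind, value), set()).update(related)
    return indicators


def blocklist(indicators: dict) -> list:
    """Hosts worth feeding to DNS or firewall blocking: every domain and IP,
    whether it was the subject of a line or only an annotated resolution."""
    hosts = set()
    for (kind, value), related in indicators.items():
        if kind in ("domain", "ip"):
            hosts.add(value)
        hosts.update(v for k, v in related if k == "ip")
    return sorted(hosts)


if __name__ == "__main__":
    for key, related in sorted(parse_listing(SAMPLE).items()):
        print(key, sorted(related))
```

Annotations the parser cannot classify (for instance the "(SecureWorks analysis)" remark on a later post) are kept as free-text notes rather than dropped, so a reviewer can still see them next to the indicator they belong to.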

Exposing a SEC's EDGAR Securities Hacking Fraud Scheme Incident - And Where's the Beef?

August 17, 2024

Do you need a true Hollywood story where the hacker "knew the news" in advance before widespread publication and made some revenue in the process?

Here's the deal. With Oleksandr Vitalyevich Ieremenko currently on the U.S. Secret Service's Most Wanted Cybercriminals list, with a $1M reward, for the SEC EDGAR hacking and securities fraud scheme, here's a pretty decent "where's the beef" analysis of the topic.

Sample analysis:

Handle: Zl0m; Lamarez; Ded.MCz; l@m@rEz

Email: lamarez@mail.ru; uaxakep@gmail.com - xeljanzusa.com - 62.109.25.228 (SecureWorks analysis); 62.109.1.69

Company: 2016 Кзерокс
Phone: +7 951 366 17 17

ICQ: 123424; 108117

Web Money: 258807111393

Related URLs:

hxxp://lamarez.livejournal.com

hxxp://ageline.ru/lamarez.php

hxxp://k0x.ru/md5.salt.tx

hxxp://k0x.ru/_bot.exe - 82.146.60.59

hxxp://k0x.ru/black_energy_31337_/stat.php

hxxp://k0x.ru/siicywu36dswh/addddos.php

hxxp://xtoolz.ru

hxxp://cup.su

hxxp://xwarez.us

hxxp://defaces.ru

hxxp://deface.biz

hxxp://wape.biz

Sample photos of Oleksandr Vitalyevich Ieremenko:

Related photos of Oleksandr Vitalyevich Ieremenko:

What is Nassef from Darkode Up To?

August 13, 2024
In this post I'll elaborate on some of the current activities of a well known Darkode forum member, namely Nassef, which we can clearly see here in the Darkode repository of research.

Known email: xavi-linuxer@live.com

Sample currently active known domain registrations:

hxxp://tonymontana.su
hxxp://hack-mirror.net
hxxp://tonymontana.cards
hxxp://tonymontana.cash
hxxp://tonymontana.biz

Sample photos of related Darkode members:

Sample personal photo of Eric L Crocker also known as Phastman

Sample personal photo of Phillip R Fleitz also known as Strife
What we have here are several e-shops for stolen credit card numbers, part of his brand franchise, along with a web site defacement mirror run by him.

Known Darkode domains:
hxxp://darkode.com - 81.27.98.152 - briankrebson@gmail.com
hxxp://darkode.pro
hxxp://darkode.me
hxxp://darkode.cc
hxxp://darkode.su - Email: ctouma2@gmail.com

Known Darkode personal email address account:
darkode.notice@gmail.com

Full names of Darkode members:

Johan Anders Gudmunds

Morgan C Culbertson

Eric L Crocker

Naveed Ahmed

Phillip R Fleitz

Dewayne Watts

Murtaza Saifuddin

Daniel Placek

Matjaz Skorjanc

Florencio Carro Ruiz

Mentor Leniqi

Rory Stephen Guidry

We also have an interesting malicious infrastructure discovery in the context of TA505 and Darkode (hxxp://darkode.su; ctouma2@gmail.com), namely the following portfolio of malicious domains:

hxxp://arculus.su
hxxp://bestsup.su
hxxp://abcstore.su
hxxp://usdcoin.su
hxxp://loads.su
hxxp://adsk.su
hxxp://newbond.su
hxxp://moserant.su
hxxp://huntersinternational.su
hxxp://exploit.su
hxxp://mazurax.su
hxxp://mocaverse.su
hxxp://firemarket.su
hxxp://accounts-login.su
hxxp://drkatzen.su
hxxp://zeebira.su
hxxp://fedex-tracking.su
hxxp://officesupportdoc.com
hxxp://amazon-security-deutschland-safer-certification-info.com
hxxp://aspendok.com
hxxp://trailandra.com
hxxp://flumenco.com
hxxp://agliesc.com
hxxp://technicalpreviews.com
hxxp://thipissney.com
hxxp://paalai.su
hxxp://portfolio-metamask.su
hxxp://allbridge.su
hxxp://manta.su
hxxp://commerzebank.net
hxxp://aerulonoured.su
hxxp://aswurdaes.su
hxxp://cerofixt.su

hxxp://loads.su - semik@protonmail.com; gendir@dtrs.ru; vlayura@yandex.ru

Related personally identifiable information on Matjaz Skorjanc (Iserdo; ButterFly Bot), who was also a well known Darkode member:

mafioso@xmpp.jp

hxxp://lizardstresser.su

k@exploit.im

hackerx24@hotmail.fr

duckylord@priv.in

hxxp://80.242.123.196

hxxp://142.11.230.18/b.php

smile@tsec.pro

Related ButterFly Bot personally identifiable email address accounts:

weke79@hotmail.com
iserdo@gmail.com
admin@1337crew.info
wg.fatal@gmail.com
gov.hack@gmail.com
jernej_5@hotmail.com
waisted.time@hotmail.com
netkairo@hotmail.com
floxter@hotmail.com
hamlet1917@hotmail.com
ice@iceman.in
leniqi.mentor@siol.net
icemangjk@hotmail.com

Related URLs:
hxxp://bfsystems.net
hxxp://webmail.ngulesh.info

Related domain (wg.fatal@gmail.com) registrations:
hxxp://voc.cash
hxxp://deepbluesecurity.nl
hxxp://threatforce.net
hxxp://erc20collector.com
hxxp://b2bradio.net
hxxp://intelhub.link

Related domain (ice@iceman.in) registrations:
hxxp://albaname.com
hxxp://albahost.net
hxxp://albaname.net
hxxp://mpuq.net

Related domain (weke79@hotmail.com) registrations:
hxxp://jbcine.com
hxxp://futboltele.com
hxxp://clinicablanco.com
hxxp://clinica-blanco.com

Related domain (hamlet1917@hotmail.com) registrations:
hxxp://tamiflux.net