Malware Serving Campaign Intercepted, Hundreds of Users Affected

We've recently intercepted, a, currently, circulating, malicious, campaign, affecting, hundreds, of, thousands, of, users, globally, potentially, exposing, their PCs, to, a, variety, of, malicious, software, compromising, the, integrity, confidentiality, and, availability, of, their, devices.

In, this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Malicious URLs, known, to, have, participated, in, the, campaign:
hxxp://gv.com.my/0gcgs - 210.48.153.240
hxxp://test.glafuri.net/yxk6s - 176.223.121.193
hxxp://australiancheerleader.com.au/jsc1okam - 103.254.138.242

Related malicious MD5s known to have participated in the campaign:
MD5: c1f95adbcaf520bf182f9014970d33e5

Known to have phoned back to the same C&C server (210.48.153.240) are also the following malicious MD5s:
MD5: 8ea223d68856ba857a485b506259ae00
MD5: 8697121c56d20b602cd866dd1c0c1791
MD5: d668ee452efb2f1dd0dafc3f44b003e9
MD5: b1eedb69ad38d2e9ff3d5165163f1d0f

Once executed, a, sample, malware, phones, back, to, the, following, C&C, server:
hxxp://138.201.93.46/userinfo.php

Related malicious C&C servers, known, to, have, participated, in, the, campaign:
hxxp://pariachat.ir
hxxp://mahshahrchat.top
hxxp://tandischat.xyz
hxxp://irancell-chat.ir
hxxp://shokolatt.ir
hxxp://mahshahrchat.ir
hxxp://roznazchat.com

Related malicious MD5s known to have participated in the campaign:
MD5: 47223a926f70206de5aa9e9f4f4182f0

Once executed, a, sample, malware, phones, back, to, the, following, C&C, server:
hxxp://138.201.93.46/userinfo.php
hxxp://91.200.14.139/userinfo.php
hxxp://104.131.182.103/userinfo.php
hxxp://164.132.40.47/userinfo.php
hxxp://tjpdcrsbkyqscdue.info/userinfo.php - 69.195.129.70

Related malicious MD5s known to have phoned back to the same C&C server IP (91.200.14.139):
MD5: 47223a926f70206de5aa9e9f4f4182f0

Known to have phoned back to the same C&C server IP (69.195.129.70) are also the following malicious MD5s:
MD5: cd867fa29b9cd9b4d16f96aecb179521
MD5: ec12c2a033b3a381a86072c20a0527f2
MD5: d27ecf75aeb611297ed5b9f70b9773f0
MD5: 3b6ad5215f20452417e4af71eefe7bc9
MD5: b75580959b8eef6574ac029333afafa5

Once executed, a, sample, malware, phones, back, to, the, following C&C server IPs:
hxxp://insamertojertoq.cc/in0odrfqwbio0sa
hxxp://tbiimhetdqyn.com/in0odrfqwbio0sa
hxxp://pmiqpskfkwkc.com/in0odrfqwbio0sa
hxxp://osghqrdmlyhh.net/in0odrfqwbio0sa
hxxp://lltlsiirjjjj.com/in0odrfqwbio0sa

Related malicious MD5s known to have participated in the campaign:
MD5: 90eb8948513e21a8c87f8295ac7e81f5

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted, a, currently, circulating, malicious, campaign, exposing, users, to, a, variety, of malicious software, potentially, exposing, the, confidentiality, integrity, and availability, of, their, devices.

In this, post, we'll profile, the campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: beff48e790ed35ba081ea5d852e27c98
MD5: e200e630ad3af2e91f10608577e0ece3

Once executed a sample malware phones back to the following C&C server:
hxxp://ksa-sef.com - 166.62.28.116; 107.180.50.244

Related malicious MD5s known to have phoned back to the same C&C server (166.62.28.116; 107.180.50.244):
MD5: c235a6e9700eb647f64113afa7bf028e
MD5: 3e00678672854c59c95eb4e800ec70a7
MD5: a24ba1d529ed33b86d04901f7b8e0d0a

MD5: ce22495bb5dda49a3953b7280b9032ef
MD5: 94885422e458fae7d83f0765c3cfa799
MD5: 180ff0b7620d525a2359f419b29a055e

Once executed a sample malware phones back to the following C&C server:
hxxp://92.222.71.26/userinfo.php

Related malicious MD5s, known, to, have, phoned, back, to the, same, C&C server:
MD5: ea662c74e0cc7f798b9cfa73754e0458
MD5: a33b472659cba92a620e21797118a96d
MD5: 41f7c6937803e18c58e435c86771a381
MD5: cd1bb597d3d9ba25bc983f9be72f78ae
MD5: 92530421468a7532a57757bb1d5c967a

Once executed, sample, malware, phones, back, to, the, following, C&C server:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://188.127.231.124
hxxp://92.222.71.26
hxxp://107.181.174.15

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://orgyyeetrcy.biz
hxxp://kfcsrdphvavgvmds.work
hxxp://dqtfhkgskushlum.org
hxxp://nxmdtliospnbnveuk.pw
hxxp://ahhjmkwfnjkitu.biz
hxxp://gxaabswsxvdohead.su
hxxp://fkrvelnrphljkykhf.su
hxxp://jqdfhsb.info
hxxp://qgbikqjraxhtndbl.biz
hxxp://omlsxegqnuqgpctp.click
hxxp://dinbfdccx.work

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://92.222.71.26
hxxp://188.127.231.124

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://omlsxegqnuqgpctp.click
hxxp://dqtfhkgskushlum.org
hxxp://gxaabswsxvdohead.su
hxxp://evesynbkcji.info
hxxp://kfcsrdphvavgvmds.work
hxxp://ahhjmkwfnjkitu.biz
hxxp://dinbfdccx.work
hxxp://nxmdtliospnbnveuk.pw
hxxp://orgyyeetrcy.biz
hxxp://fkrvelnrphljkykhf.su
hxxp://jqdfhsb.info

Once executed, a, sample. malware, phones, back, to, the, following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://188.127.231.124

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently, intercepted, a currently, circulating, malicious, campaign, exposing, users, to, a variety, of, malicious, software, exposing, the, confidentiality, integrity, and availability, of, their devices.

In this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind, it, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: bd4ed8b3b5d37f34fb63ce2798c585e9
MD5: 1c2c8894ab12a38b7420c7e04ed690f3

MD5: 7e3410e3b74866b02f8c8d6a3220aa23
MD5: 427ec5aef2a0ca2b2c8edbf24f1aeb8f
MD5: 770c77bfa64dc89638d5ac07ca6d1246
MD5: 3670576f507327fc4cbec45d0b3b6d2e

MD5: 5a3d1953631d1e78af6390c88a4ea434
MD5: 7322362d952eb63c07b9585107604a90

MD5: d9f63a6944648646343be1b7fbebe734
MD5: 611a6489bb7c9357765b8dd00f00d953
MD5: c81a88af87dfd05f5f757eea56d83fb8
MD5: 381a9b123d2b43ae8ff617d708bcfce8
MD5: a3bbf048865c48d2b2d5c8973d8a95d3
MD5: 66f31f76a5633e8a16ffe763093b546b

MD5: ac74bdca918dc6416cfa4e710d238f43
MD5: b169837db80e53c4564b62c0a4b9eba3
MD5: b334c20de944bb15cc8ac6aa59215e73
MD5: 677aa8cba92cdda2ec80b61fb7052813
MD5: 7b366d1273c65d0be63b7d68b268d3b8

Once executed, sample, malware, phones, back, to, the, following, C&C server:
hxxp://sklasse-b.in.ua/777/gate.php - 217.12.201.60

Known to have phoned back to the same C&C server IP (217.12.201.60) are also the following malicious MD5s:
MD5: e070535dd1ca923d1b12a71307b2639a
MD5: 3092a0a15dceb494a62eb00ea1c51283
MD5: 90123fd7978d42c2cd0a1fdc62651eb6
MD5: 553bed2a3cab5f1ec98bbec6dc151dd3
MD5: 947efe328858d816a77ef6b103097097

Once executed, sample, malware, phones, back, to, the, following, C&C server:
hxxp://apimobiapps.com/api/app.php - 54.72.9.115; 37.1.210.139

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 7e6429d92bf457f5580457260c92d615
MD5: f89ee0bd2fa97380ceedbfe5bf3d5c93

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 886d621a5abeea5609ae813b50ea35a5
MD5: 576da1ff48ae7d4ce092698c20bb9c2c
MD5: 1c93b5c33585ab60c61c698713a6446d
MD5: 6afea2ece23b57fe3d3076ca799c18fe
MD5: 9a43a4bee370f7ae3759a5633b0ee40a

Once executed a sample malware phones back to the following C&C server:
hxxp://dh005.com - 54.72.9.115; 172.99.89.215
hxxp://parkingcrew.net - 185.53.179.29
hxxp://quickdomainfwd.com - 208.91.196.46

We'll continue, monitoring, the campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently intercepted a currently circulating, malicious, campaign, affecting, hundreds, of Google Play users, potentially, exposing, the confidentiality, integrity, and availability, of their devices, to, a variety, of malicious, software.

In this, post, we'll, profile, the campaign, provide, malicious MD5s, expose, the infrastructure, behind, it, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: 3f57dfe0ca2440bf03fda3e3b1295edc

Once executed the sample phones back to the following C&C server:
hxxp://37.1.207.31/api/?id=5

Related malicious MD5s known to have been downloaded from the same C&C server (37.1.207.31):
MD5: 1fa7df305b49f03e9ecf05fbb9cf74b8
MD5: 52b256f04bc9f5f003e9f292e6fabcc2
MD5: 76cc87289fa2a2363b42551b180c05de
MD5: 4ac2c20905c9761b863fdc9e737ea3d5
MD5: be0493f06f55ef7daf30e7e4d9cd03db

Related malicious MD5s known to have phoned back to the same C&C server (37.1.207.31):
MD5: 6ebe7504bcc4003c5b224801e961848c
MD5: 6f918766c935c7a472c9518c5b4aa7ba
MD5: 4d083b01c850c418e97c2fcf4031eff5
MD5: 2ce8dc9e399dc90d54d151aefec97091
MD5: 8f524b8daa68063af05313870ba198cd

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Intercepted, Hundreds of Users Affected

We've, recently, intercepted, a currently, circulating, malicious, campaign, exposing, Google Play, users, to, a variety, of malicious, software, exposing, the confidentiality, integrity, and availability, of, their, devices, to, a multi-tude, of, malicious, software.

In this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind, it, and, discuss, in depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: f6aedc30fdab1b0a0bfebb3d51cb82ea

Related malicious MD5s known to have participated in the campaign:
MD5: ff844a8bb40da72b5c9f3a8c3cda7c9d051921e6
MD5: 83e56809b1662be002f4e1c4bcd3aef90d060d8f
MD5: 7c3f693d0b0ea6c6fdbb078e56d7e71ffaf648b8
MD5: 9e36414341e4dbaa113980f7d900e0ac4baa4103
MD5: 21266e72c8becbb439cb6d77f174b5eccefa2769

Once executed a sample malware phones back to the following C&C server:
hxxp://193.201.224.22
hxxp://85.143.221.46
hxxp://85.143.219.118

Known to have phoned back to the same C&C server IP(193.201.224.22) are also the following malicious MD5s:
MD5: 99f66211f75ace7d103fc2fbc147cd8c
MD5: ab712f0c6339d2c33cf34df44da972b8
MD5: d66f59cd897e5992c4dca3c6f6d198ce
MD5: 635fbe342c0732294db648e36b8e0a58

We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted, yet, another, malicious, mobile, malware, exposing, users, to, a, multi-tude, of, malicious, software.

In this, post, we'll, profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Malicious MD5 known to have been part of the campaign:
MD5: febc8518183e13114e7e4da996e64270

Once executed a sample malware phones back to the following C&C server:
hxxp://adultix.ru - 91.200.14.105; 185.87.51.121; 94.142.141.18
hxxp://xxxmobiletubez.com - 54.72.130.67; 89.144.14.59

Known to have responded to the same malicious C&C server IP (91.200.14.105) are also the following malicious domains:
hxxp://adultix.ru
hxxp://pixtrxxx.com
hxxp://coreectway.com
hxxp://filingun.com.ua

Known to have responded to the same malicious C&C server IP (185.87.51.121):
hxxp://adultix.ru
hxxp://updsandr.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (185.87.51.121):
MD5: 662e459a0b3a08f5632934565e8d898e

Known to have responded to the same malicious C&C server IP (94.142.141.18) are also the following malicious domains:
hxxp://updforphone.com
hxxp://adultix.ru

Related malicious MD5s, know, to, have, phoned, back, to, the, same, C&C server IP (91.200.14.105):
MD5: 034f764d5d87d15680fff0256a7cf3f0
MD5: 6a5320f495250ab5e1965fcc3814ef06
MD5: 5a324d1e2dd88a57df0ae34ef1c8c687
MD5: d8f1b92d104c4e68e86f99e7f855caf8
MD5: 1b31d8db32fb7117d7cf985940a10c54

Known to have phoned back to the same malicious C&C server IP (54.72.130.67) are also the following malicious MD5s:
MD5: 007dbbed15e254cba024ea1fb553fbb2
MD5: 0b6c1377fc124cc5de66f39397d0a502
MD5: 2cfba1bce9ee1cfe1f371bcf1755840d
MD5: 26004eacdd59dcc4fd5fd82423079182
MD5: 2a1cfc13dac8cea53ce8937ee9b7a2fe

Once executed a sample malware phones back to the following C&C server:
hxxp://toolkitgold.org (54.72.130.67)

We'll continue monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've, recently, intercepted, yet, another, malicious, malware-serving, campaign, targeting, Google Play, and, exposing, unsuspecting, users, to, a, variety, of, malicious, software.

In this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Known malicious MD5s, used, in, the, campaign:
MD5: 6f37c58e5513264fd43c6dd21b6dff32
MD5: 933171dbfc5bf49cadfb8c6698a86cec
MD5: d1ab7350b4e12d8ac567f4f937c10b87
MD5: bd33b1133cb5376b660f02c340eea578

Once executed, sample, malware, phones, back, to, the, following C&C server:
hxxp://beest-gamess.com - 85.25.217.151

Known C&C servers, used, in, the, campaign:
hxxp://ldatjgf.goog-upps.pw - 50.30.36.1
hxxp://uwiaoqx.marshmallovw.com/ - 209.126.117.83
hxxp://google-market2016.com - 217.12.223.34

Known to have responded to the same malicious C&C server IP (50.30.36.1), are, also, the, following, malicious, domains:
hxxp://iaohzcd.goog-upps.pw
hxxp://datjgf.goog-upps.pw
hxxp://lrbixtp.goog-upps.pw
hxxp://wqhdzry.goog-upps.pw
hxxp://tqbkmoy.goog-upps.pw

Known to have responded to the same malicious C&C server IP (209.126.117.83), are, also, the, following, malicious, domains:
hxxp://uppdate-android.com
hxxp://ysknauo.android-update17.pw
hxxp://updateosystem.online
hxxp://updateosystem.site
hxxp://rfdgqsc.update-android-8.xyz
hxxp://updateosystem.com
hxxp://gyfwlxt.update-android-4.xyz
hxxp://update-android-4.xyz
hxxp://update-android-0.xyz
hxxp://update-android-1.xyz
hxxp://iauxelv.marshmallovw.com
hxxp://xklzogn.installingmarshmallow.com
hxxp://ytprkmg.marshmallovw.com
hxxp://zknmvga.android-update15.pw
hxxp://btxiqkw.installingmarshmallow.com
hxxp://dqhukoe.installingmarshmallow.com
hxxp://klmtifg.installingmarshmallow.com
hxxp://rxebgnj.installingmarshmallow.com
hxxp://srwflih.installingmarshmallow.com
hxxp://vtgqfcy.marshmallovw.com
hxxp://xvyhwri.marshmallovw.com
hxxp://zxvmqas.installingmarshmallow.com
hxxp://neqmcij.android-update14.pw
hxxp://sdljykc.android-update14.pw
hxxp://absdfvo.android-update15.pw
hxxp://android-update15.pw
hxxp://android-update16.pw
hxxp://awsvgdq.android-update15.pw
hxxp://azhdoxi.android-update15.pw
hxxp://czrptsq.android-update15.pw
hxxp://deluvgs.android-update15.pw
hxxp://dywsaxz.android-update15.pw
hxxp://ebadrwp.android-update15.pw
hxxp://eoiqnwt.android-update15.pw
hxxp://fcibqkz.android-update15.pw
hxxp://fjrklxo.android-update15.pw
hxxp://fwmlsgc.android-update15.pw
hxxp://gldkxub.android-update15.pw
hxxp://hdnloxt.android-update15.pw
hxxp://hdukcea.android-update15.pw
hxxp://hykpbgt.android-update15.pw
hxxp://kbvdqfy.android-update15.pw
hxxp://ljpwbdo.android-update15.pw
hxxp://nbuxlte.android-update15.pw
hxxp://nlezybf.android-update15.pw
hxxp://puafoqt.android-update15.pw
hxxp://qantucb.android-update15.pw
hxxp://qsdmgot.android-update15.pw
hxxp://qzudjyw.android-update15.pw
hxxp://rwfhycb.android-update15.pw
hxxp://rykvsme.android-update15.pw
hxxp://sacjpvl.android-update15.pw
hxxp://sejmxda.android-update15.pw
hxxp://smbanpz.android-update15.pw
hxxp://spjuoza.android-update15.pw
hxxp://srfulbg.android-update15.pw
hxxp://tngezrs.android-update15.pw
hxxp://tnhfaux.android-update15.pw
hxxp://txeyzld.android-update15.pw
hxxp://vzjoasl.android-update15.pw
hxxp://wobsmtc.android-update15.pw
hxxp://xmhgfas.android-update15.pw
hxxp://yufwkqm.android-update15.pw
hxxp://zuxvsqd.android-update15.pw
hxxp://android-update14.pw
hxxp://android-update17.pw
hxxp://anejzpi.android-update17.pw
hxxp://avdeymo.android-update15.pw
hxxp://beswdhm.android-update14.pw
hxxp://blisztk.android-update16.pw
hxxp://bmedkfx.android-update17.pw
hxxp://cgloekx.android-update17.pw
hxxp://cmkxsbu.android-update15.pw
hxxp://cxzmjty.android-update15.pw
hxxp://duyzpsk.android-update15.pw
hxxp://eikjgwc.android-update16.pw
hxxp://ekogdhq.android-update17.pw
hxxp://fldsxwj.android-update15.pw
hxxp://fpgsduq.android-update14.pw
hxxp://gfaulvq.android-update16.pw
hxxp://iaupbtn.android-update15.pw
hxxp://ilcskyb.android-update15.pw
hxxp://ingvbqf.android-update15.pw
hxxp://iqtudlh.android-update14.pw
hxxp://ivpjbnq.android-update17.pw
hxxp://ixzgoue.android-update15.pw
hxxp://jbyxoeq.android-update17.pw
hxxp://jdgrvtx.android-update14.pw
hxxp://jugbhve.android-update15.pw
hxxp://jvintuc.android-update15.pw
hxxp://jznwbmh.android-update15.pw
hxxp://kcbwfmx.android-update17.pw
hxxp://kjqpdli.android-update16.pw
hxxp://lbqzsmf.android-update17.pw
hxxp://ldjgqys.android-update14.pw
hxxp://lmbdrht.android-update14.pw
hxxp://lxbkact.android-update17.pw
hxxp://lyaibec.android-update16.pw
hxxp://movqcrj.android-update14.pw
hxxp://moxeuyn.android-update16.pw
hxxp://mtnvpux.android-update14.pw
hxxp://ncmokfd.android-update16.pw
hxxp://nmhbjwc.android-update16.pw
hxxp://ntlrqih.android-update17.pw
hxxp://nxuivhl.android-update16.pw
hxxp://okthyij.android-update14.pw
hxxp://omcpusk.android-update17.pw
hxxp://oryudhs.android-update17.pw
hxxp://ozdkhwj.android-update16.pw
hxxp://ozfkcgn.android-update14.pw
hxxp://peytxrn.android-update16.pw
hxxp://piolzns.android-update16.pw
hxxp://pqunxfj.android-update17.pw
hxxp://pwkjdar.android-update14.pw
hxxp://qblgpyw.android-update17.pw
hxxp://qfzpmbu.android-update17.pw
hxxp://qlshbur.android-update16.pw
hxxp://qpylhtb.android-update15.pw
hxxp://qzawjve.android-update14.pw
hxxp://riwgvyc.android-update14.pw
hxxp://rklsxfb.marshmallovw.com
hxxp://rucgswq.android-update14.pw
hxxp://sfvguep.android-update17.pw
hxxp://sitgerx.android-update17.pw
hxxp://skzjiec.android-update17.pw
hxxp://snficje.android-update14.pw
hxxp://spjiceq.android-update15.pw
hxxp://tjvbpwq.android-update17.pw
hxxp://tzchpkn.android-update17.pw
hxxp://uavqkrn.android-update17.pw
hxxp://ucbfjtk.android-update14.pw
hxxp://ueinloh.android-update14.pw
hxxp://ugyszlh.android-update14.pw
hxxp://uryoief.android-update16.pw
hxxp://vcxsejr.android-update17.pw
hxxp://vdymzep.android-update15.pw
hxxp://vtdywbe.android-update14.pw
hxxp://vwmispo.android-update16.pw
hxxp://wcvfhkq.android-update16.pw
hxxp://wtboiys.android-update17.pw
hxxp://xcndzit.android-update15.pw
hxxp://xpnqioe.android-update17.pw
hxxp://xzhvitg.android-update14.pw
hxxp://xztrkdj.android-update17.pw
hxxp://yajfspe.android-update17.pw
hxxp://ysknauo.android-update16.pw
hxxp://yxtsncz.android-update16.pw
hxxp://zbmjfxp.android-update15.pw
hxxp://zmvsaxw.android-update16.pw
hxxp://zprvoew.android-update14.pw
hxxp://zqfcsyb.android-update14.pw
hxxp://anmwfig.marshmallovw.com
hxxp://bgeomtx.marshmallovw.com
hxxp://bltferk.marshmallovw.com
hxxp://bwiuozv.marshmallovw.com
hxxp://dastgqu.marshmallovw.com
hxxp://eulcitb.marshmallovw.com
hxxp://fedtvwb.marshmallovw.com
hxxp://fxqynok.android-update17.pw
hxxp://guoiswy.marshmallovw.com
hxxp://gzqxynp.android-update17.pw
hxxp://hufgenk.marshmallovw.com
hxxp://jbpxute.marshmallovw.com
hxxp://kilrezj.android-update17.pw
hxxp://lhcijag.android-update17.pw
hxxp://mocadgb.marshmallovw.com
hxxp://ocqdbal.marshmallovw.com
hxxp://qckexfp.android-update17.pw
hxxp://qzrcaeo.marshmallovw.com
hxxp://revbfau.marshmallovw.com
hxxp://smlerhq.marshmallovw.com
hxxp://syirtxe.android-update17.pw
hxxp://syvkjho.android-update17.pw
hxxp://tejyocm.marshmallovw.com
hxxp://uahtwly.marshmallovw.com
hxxp://uwiaoqx.marshmallovw.com
hxxp://uxvwzip.android-update17.pw
hxxp://wvbcpkg.marshmallovw.com
hxxp://yhfkpmj.marshmallovw.com
hxxp://zjbvrqm.marshmallovw.com
hxxp://zlubmxn.marshmallovw.com
hxxp://zrdesip.marshmallovw.com
hxxp://yctfgmn.marshmallovw.com
hxxp://atyblhn.installingmarshmallow.com
hxxp://bhizvxk.installingmarshmallow.com
hxxp://ctjhgnr.installlingmarshmallow.com
hxxp://glrsudo.installingmarshmallow.com
hxxp://hiovmga.installlingmarshmallow.com
hxxp://jnwxdur.installingmarshmallow.com
hxxp://jnzglas.installingmarshmallow.com
hxxp://jrqbhiw.installingmarshmallow.com
hxxp://lzdapuf.installlingmarshmallow.com
hxxp://mvypoqg.marshmallovw.com
hxxp://ntgmcyx.installingmarshmallow.com
hxxp://owtubye.installingmarshmallow.com
hxxp://rfnjxhe.installingmarshmallow.com
hxxp://xkihgqr.installingmarshmallow.com
hxxp://xmvpguk.installlingmarshmallow.com
hxxp://ygzaunj.installingmarshmallow.com
hxxp://zkodxep.installingmarshmallow.com
hxxp://zyrxwhd.installingmarshmallow.com
hxxp://installingmarshmallow.com
hxxp://installlingmarshmallow.com
hxxp://marshmallovw.com
hxxp://mkxlwut.google-update2017.com
hxxp://brpcwlntjxfskqydzoguivaemh.google-market2016.com
hxxp://jyxqnuz.installlingmarshmallow.com
hxxp://google-update2017.com
hxxp://market-place2017.com
hxxp://market-update2016.com
hxxp://market-update2017.com
hxxp://vknghqw.market-update2017.com
hxxp://update-android2017.com
hxxp://google-android2016.ru
hxxp://google-place2016.ru
hxxp://google-place2017.ru
hxxp://google-app2016.com
hxxp://google-market2016.com
hxxp://android-market2016.com
hxxp://jofzevxmadlwcnpysbhuriqktg.android-market2016.com
hxxp://androidosupdate.com
hxxp://lvizyxjqoukbrfhtmawegpdscn.androidos-60-update.com
hxxp://androidos-60-update.com
hxxp://androidosupdate6.com
hxxp://androidosupdate6-0.com
hxxp://android-update-6google.com
hxxp://android-update-60-google.com
hxxp://android-update6google.com
hxxp://android-update-6-google.com
hxxp://android-update-6.com

Known to have responded to the same malicious C&C server IP (217.12.223.34), are, also, the, following, malicious, domains:
hxxp://android-market2016.com
hxxp://google-app2016.com
hxxp://google-market2016.com
hxxp://update-player2016.com

Known to have responded to the same malicious C&C server IP (85.25.217.151) are, also, the, following, malicious, domains:
hxxp://varr.site
hxxp://varra.top
hxxp://varra.xyz
hxxp://ugugur.com
hxxp://alavar-gamess.com
hxxp://beest-gamess.com
hxxp://krakatao-giraffe.com
hxxp://marine-selling.com
hxxp://quick-sshopping.com
hxxp://shopping-marine.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Intercepted, Thousands of Users Affected

We've, recently, intercepted, yet, another, malicious, mobile, malware, exposing, unsuspecting, users, to, a, multi-tude, of, malicious, software.

In this, post, we'll profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Known malicious MD5s, participating, in, the, campaign:
MD5: 27ad60e62ff86534c0a9331e9451833d
MD5: 78fbac978d9138651678eb63e7dfd998

Malicious C&C server, part, of, the, campaign:
hxxp://apk.longxigame.com - 123.138.67.91; 106.119.191.98

Known to have been downloaded from the same malicious C&C server IP (123.138.67.91), are, also, the, following, malicious, MD5s:
MD5: a6c9a8cfa41b608573f8a9adf767daa0
MD5: a5d98369590bd2e001ac3e2986b3d7e9
MD5: 8c5e6c7bc945877740f10e91e9640f70
MD5: e82c58593e787193b5e19810b7ab504e
MD5: 814d7d6701f00c7b96c7026b5561911c

Known to have responded, to, the, same, malicious, C&C server (apk.longxigame.com), are, also, the, following, malicious, domains:
hxxp://103.243.139.241
hxxp://113.105.245.118
hxxp://183.61.13.192
hxxp://183.61.180.216
hxxp://183.61.180.217
hxxp://106.119.191.98
hxxp://221.233.135.196
hxxp://218.60.119.245
hxxp://218.60.119.30
hxxp://118.123.202.27
hxxp://118.123.202.28
hxxp://218.60.119.244
hxxp://119.84.112.118
hxxp://119.84.112.121
hxxp://220.181.105.232
hxxp://27.221.30.76
hxxp://220.181.105.231
hxxp://27.221.30.77
hxxp://60.2.226.246
hxxp://60.2.226.248
hxxp://121.29.8.235
hxxp://60.28.226.51
hxxp://116.55.241.217
hxxp://124.95.157.252
hxxp://124.160.136.232
hxxp://124.160.136.233
hxxp://218.60.119.243
hxxp://218.60.119.252
hxxp://218.60.119.29
hxxp://122.225.34.233
hxxp://122.225.34.234
hxxp://171.111.154.243
hxxp://124.95.157.253
hxxp://202.100.74.248
hxxp://221.204.186.231
hxxp://221.204.186.232
hxxp://182.140.238.123
hxxp://218.107.196.223
hxxp://218.107.196.224
hxxp://122.227.164.225
hxxp://122.227.164.226
hxxp://122.228.95.171
hxxp://122.228.95.172
hxxp://123.129.244.23
hxxp://123.129.244.24
hxxp://210.22.60.224
hxxp://125.76.247.230
hxxp://125.76.247.231
hxxp://42.81.4.91
hxxp://42.81.4.92
hxxp://117.25.155.17
hxxp://61.154.126.29
hxxp://116.55.241.218
hxxp://106.119.191.97
hxxp://171.111.154.242
hxxp://180.96.17.157
hxxp://180.96.17.160
hxxp://117.25.155.18
hxxp://121.207.229.135
hxxp://61.154.126.28
hxxp://121.207.229.136
hxxp://222.85.26.249
hxxp://222.85.26.250
hxxp://59.46.4.221
hxxp://59.46.4.222
hxxp://183.61.13.191
hxxp://103.243.139.239
hxxp://122.141.227.183
hxxp://114.80.174.98
hxxp://114.80.174.99
hxxp://202.100.74.245
hxxp://58.216.17.111
hxxp://175.6.3.149
hxxp://175.6.3.176
hxxp://61.147.118.229
hxxp://60.28.226.41
hxxp://124.112.127.77
hxxp://124.112.127.78
hxxp://124.238.232.242
hxxp://124.238.232.241
hxxp://112.90.32.242
hxxp://112.90.32.241
hxxp://123.138.67.91
hxxp://123.138.67.92
hxxp://122.141.227.182
hxxp://121.29.8.217
hxxp://42.81.4.83
hxxp://218.107.196.236
hxxp://112.67.242.110
hxxp://112.90.32.232

Known malicious MD5s known to have phoned back to the same C&C server (123.138.67.91):
MD5: 4efbe7fe86f63530d83ae7af5a3dc272
MD5: d8a3466addf81f2afeb2ca81c49d7361
MD5: 06e37b0c4a77bfa6a1052c4dd50afd9b
MD5: ed89d5977e334045500d0415154976b6

Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://api.baizhu.cc - 120.76.122.200
hxxp://cdn.baizhu.cc - 123.138.67.91

Once executed a sample malware phones back to the following C&C servers:
hxxp://yscq.v1game.cn (203.130.58.30)
hxxp://pic.v1.cn (123.138.67.92)
hxxp://img.g.v1.cn (203.130.58.30)
hxxp://static.v1game.cn (203.130.58.30)
hxxp://pay.v1game.cn (211.151.85.249)

We'll continue, monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Intercepted, Thousands of Users Affected

We've, recently, intercepted, yet, another, malicious, malware, campaign, affecting, Google Play, exposing, unsuspecting, users, to, a milti-tude, of malicious, software.

In this post, we'll profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s, known, to, have, participated, in, the, campaign:
MD5: 1c87344c24d8316c8f408a6f0396aa43
MD5: 390e66ffaccaa557a8d5c43c8f3a20a9
MD5: 8e2f8c52f4bb8a4e7f8393aa4a0536e1
MD5: ada4b19d5348fecffd8e864e506c5a72

Once executed, a sample, malware, phones, back, to, the, following C&C, servers:
hxxp://telbux.pw - 176.9.138.114

Malicious MD5s, known, to, have, been, downloaded, from, the, same, C&C server IP (176.9.138.114):
MD5: f8471c153414b65bbeb80880dc30da0a
MD5: 5955411fe84c10fa6af7e40bf40dcdac
MD5: ec3e5125190d76c19ca1c0c9172ac930
MD5: 0551f10503369f12cd975468bff6d16a
MD5: 1127390826a9409f6fd7ad99c4d4af18

Once executed, a, sampled, malware, phones, back, to, the, following, C&C server:
hxxp://144.76.70.213
hxxp://joyappstech.biz - 136.243.240.229

We'll, continue, monitoring, the, campaign, and post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've, recently, intercepted, yet, another, malicious, campaign, utilizing, Google Play, for, the, purpose, of, serving, malicious, software, to, unsuspecting, users.

In this, post, we'll profile, the campaign, provide, malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the cybercriminals, behind, it.

Malicious MD5s known to have participated in the campaign:
MD5: 3e57ef2802977c3c852a94bab131c84b

Known C&C servers, part, of, the, campaign:
hxxp://localbitcoinsfast.com - 198.105.215.251
hxxp://newdesigns2016.biz - 190.97.166.230

Once executed, the, sample, phones, back, to, the, following, C&C server:
hxxp://netspendexpress.biz - 68.71.49.24

Known to have phoned back to the same malicious C&C server IP (198.105.215.251), are, also, the, following, malicious, MD5s:
MD5: c1b3912711dceab2cfb86f920eb69919

Once executed, a, sample, malware, phones, back, to, the, following C&C servers:
hxxp://drone.hosterbox.com (68.71.49.24; 68.71.49.25; 142.4.12.128)

Known malicious MD5s, known, to, have, phoned, back, to, the, same C&C server IP (68.71.49.24):
MD5: 7453f9445512e48357d91491b0e32134
MD5: 138c9475d4dc80185d4d3dd612c89d50
MD5: 2be0a8f626430d6c3c9588b55253ef95

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Intercepted, Thousands of Users Affected

We've recently intercepted a new mobile malware, variant, targeting, users, internationally, and exposing, their, devices, to, a, multi-tude, of malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the infrastructure, behind, it, and discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.

Sample malicious MD5s used in the campaign:
MD5: 4f1696cc06bdab9508ba3434edab2f49
MD5: 15ef763ba561eb91b5790906505f0f79

MD5: 890dfd6b50b7ca870ceb04762725b8a6
MD5: 4a3b68aeb96ef0f26f855f6afb688a3c
MD5: c729ce2babce74998726257f167da62e
MD5: 3db50821ff074a70dcbc5c31c0a78e14

Once executed, a sample, malware, phones back to the following C&C server:
hxxp://alfabrong.eu/data/id=39759ac6-0898-424b-9e0d-790edfaa700e - 5.101.117.79; 5.187.4.15

Known to have responded to the same malicious C&C server (5.101.117.79) are also the following malicious domains:
hxxp://bugstracking.xyz
hxxp://bugstrucking.xyz
hxxp://ssd850pro.pw
hxxp://forclonabster.eu
hxxp://bugtracking.biz
hxxp://directplaytds.com
hxxp://forclonabster.xyz
hxxp://alfabrong.eu
hxxp://innotion.pw

Known to have responded to the same malicious C&C server (5.187.4.15) are also the following malicious C&C servers:
hxxp://alfabrong.eu
hxxp://hyperlabs.biz
hxxp://nkprus.ru
hxxp://programmiandroid.org

We'll continue monitoring the campaign, and, will, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently, intercepted, yet, another, mobile, malware, variant, affecting, Google Play, with, the, cybercriminals, behind, it, exposing, its, users, to, a, multi-tude, of, malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.

Malicious MD5s used in the campaign:
MD5: 7f55e0b91f5151328e779a3a425fc241
MD5: 91139d1dfa5df1f18c7f40192b2c49ce

Once executed, a, sample, phones, back, to, the, following, C&C, server:
hxxp://mob-stats.com - 5.149.252.2

Known C&C server, used, in, the, campaign:
hxxp://update-sys-android.com/upd.php - 192.99.99.186

Once executed, a, sample, malware, phones, back, to, the, following, C&C, servers:
hxxp://counter.wapstart.ru - 185.127.149.76; 81.19.95.17
hxxp://goalez.com - 91.219.195.3; 91.219.194.43; 91.219.194.8

Known to have phoned back to the same C&C server (185.127.149.76; 81.19.95.17), are, also, the, following, malicious, MD5s:
MD5: c8afecd653d4b0b7ea48de13d6001a31
MD5: bfdb43b0f44a986c2cb495c38746cd23

Once executed, a, sample, malware, phones, back, to, the, following C&C servers:
hxxp://kingwar.mgates.ru - 148.251.154.17
hxxp://counter.wapstart.ru - 185.127.149.76

Known, to, have, phoned, back, to, the, same, malicious, C&C, server (91.219.195.3), are, also, the following, malicious, MD5s:
MD5: 3ad15daf656a06bf850ea6973192ae47
MD5: 117b8362a54ece041307a136aceeb92c
MD5: 4dbdfaf3e8f5a09a7a4b82024f1c1072
MD5: 1521e73bb153f31015ab037f979602bc
MD5: 25318484bab66e0e8762c9fc5a1f888d

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://forces.may-trade.ru - 185.82.216.58
hxxp://plusfiles.890m.com - 91.219.195.3

Known to have been downloaded from the same malicious C&C server IP (91.219.194.8) are also the following malicious MD5s:
MD5: 31ad2a5a5d02e6c5e55817386b8eec01
MD5: 0815607c938c4f2088569be34ff57141
MD5: f629111b34e8e4d97ee26d2c6b19db96
MD5: 29d87de6b476fc1a873962ae04bbe206
MD5: a27158c55555ff2953e0a54a9996713d

Known to have phoned back to the same malicious C&C server IP (91.219.194.43), are, also, the, following, malicious, MD5s:
MD5: 76dd60b9f406be3b808db6fca2d856ff
MD5: ad33371a2495a0f9236c988f7024edb1

Once executed, a, sample, malware, phones, back, to, the, following, C&C server IPs:
hxxp://mu.sanek.com - 208.73.211.168
hxxp://muforum.info - 91.219.194.43
hxxp://best-hoster-group.ru - 91.219.193.252
hxxp://best-hoster.ru - 91.219.193.252
hxxp://freeller.net - 91.219.193.254
hxxp://hostagent.ru - 77.222.40.254
hxxp://ksdnewr.com - 192.64.147.242

We'll continue, monitoring, the, campaign, and post, updates, as soon, as new, developments, take, place. Continue reading →

Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Affected

We've recently intercepted, a currently, circulating, malicious, campaign, affecting, hundreds, of Web sites, and exposing, users, to, a, multi-tude, of, malicious, software.

In this post, we'll profile, the campaign, provide malicious MD5s, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Malicious URLs used in the campaign:
hxxp://default7.com - 199.48.227.25
hxxp://test246.com - 54.208.99.166
hxxp://test0.com - 72.52.4.119
hxxp://distinctfestive.com - 54.208.99.166
hxxp://ableoccassion.com - 54.208.99.166

Sample malware used in the campaign:
MD5: 9854f14ca653ee7c6bf6506d823f7371

Once executed, a, sample, malware, phones, back, to, the, following, C&C server:
hxxp://intva31.homelandcustom.info (52.6.18.250)

Known to have phoned back to the same malicious C&C server IP (54.208.99.166), are, also, the, following, malicious, MD5s:
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

Once executed, a, sample, malware, phones, back, to, the, following, C&C servers:
hxxp://ii55.net (69.172.201.153)
hxxp://rwai.net (54.208.99.166)

Known to have phoned back to the same malicious C&C server IP (69.172.201.153) are also the following malicious MD5s:
MD5: 5979f69be8b6716c0832b6831c398914
MD5: a27083ff19b187cbc64644bc10d2af11
MD5: b9306bb08ac502c7bcaf3d7e0cd9d846
MD5: cd34980dda700d07b93eef7910a2a8be
MD5: b708860e7962b10e26568c9b037765df

Known to have phoned back to the same malicious C&C server IP (54.208.99.166) are also the following malicious MD5s:
MD5: 9854f14ca653ee7c6bf6506d823f7371
MD5: 90a88230d5b657ced3b2d71162a33cff
MD5: 70465233d93aa88868d7091454592a80
MD5: f8e21525c6848f45e4ab77aee05f0a28

Related malicious MD5s known to have phoned back to the same malicious C&C server (54.208.99.166):
MD5: fd368af200fd835687997ca2a4a0389b
MD5: c0379cda1717d1e05c938f8e06c04a46
MD5: 60eef5b116579d75b272a61e40716bc0
MD5: 8481f23748358fbfd5c36cea53c90793
MD5: 0953f8ec3f0001b3e5f3490203135def

We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Mobile Malware Hits Google Play, Thousands of Users Affected

We've recently, intercepted, a currently, ongoing, malicious, campaign, that's utilizing, Google Play, for, the purpose, of, serving, malicious, software, to, unsuspecting, users.

In this, post, we'll, profile, the campaign, provide malicious MD5s, expose, the, malicious, infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind, it.

Malicious MD5s known to be part, of the, malicious, campaign:
MD5: 4cbc7513072a1c0b03f7cedc6d058af4
MD5: 4defc5803de76f506bfc3a6c2c90bd87
MD5: 13647981b37f0c038e096c58b8962f95

Once, executed, the, sample, phones, back, to, the, following, C&C servers:
hxxp://petrporosya.com/123/ - 185.106.92.110
hxxp://78.46.123.205/111/inj/paypal/paypal.php

Known to have responded to the same malicious C&C server IP (185.106.92.110) is also the following malicious C&C server:
hxxp://traktorporosya.com

Related malicious MD5s known to have phoned back to the same malicious C&C server (185.106.92.110):
MD5: a765d6c0c046ffb88f825b3189f02148
MD5: 48cd9d9e03f92743b673a0c8ce58704a
MD5: 58f02914791f1e3075d574e288c80a26
MD5: 09f3f1bd2e91fb5af0c71db307777bbb
MD5: 568ef0fb4d645350b65edb031f4ade2f
MD5: d06ec8b877e2f0f73c4533c4c105acb8

Related malicious MD5s known to have phoned back to the same malicious C&C server (78.46.123.205):
MD5: 32c8af7e7e9076b35dde4d677b14e594
MD5: 27e4b9ae53c2300723c267cf67b930bf

We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Threat Intelligence - An Adaptive Approach to Information Security

This article will detail the basics of threat intelligence gathering discuss various threat intelligence gathering methodologies discuss the basics of threat intelligence gathering as well as discuss various proactive threat intelligence gathering methodologies in the context of proactive security defense

01. Overview of Threat Intelligence

Threat intelligence is a multi-disciplinary approach to collecting processing and disseminating actionable threat intelligence for the purpose of ensuring that an organizations security defense is actively aware of threats facing its infrastructure so that an adequate and cost-effective strategy can be formulated to ensure the confidentiality integrity and availability of the information. Threat Intelligence is the process of collecting processing and disseminating actionable intelligence for the purpose of ensuring that an organizations infrastructure remains properly secured from threats facing its infrastructure. The collection phrase can be best described as the process of obtaining processing and analyzing actionable threat intelligence for the purpose of processing and disseminating the processed data. The collection phrase consists of actively obtaining real-time threat intelligence data for the purpose of processing enriching and assessing the data for the purpose of processing and disseminating the data.

The collection phrase consists of active monitoring of sources of interest including various public and privately closed community sources for the purpose of establishing an active threat intelligence gathering program foundation. The collection phrase consists of assessing and selecting a diverse set of primary and secondary public and privately closed sources for the purpose of establishing a threat intelligence gathering model. The collection phrase consists of assessing and selecting primary and secondary public and privately closed sources for the purpose of establishing an active threat intelligence collection model. The collection phrase consists of assessing the primary secondary public and privately closed sources for the purpose of establishing an active threat intelligence gathering collection model. The collection phase consists of assessing and selecting the primary and secondary public and privately closed sources for the purpose of establishing the foundations of the collection phrase.

The processing phrase consists of actively selecting processing tools and methodologies for the purpose of setting the foundations for a successful processing of the data. The processing phase consists of actively processing the threat intelligence gathering collected data for the purpose of establishing the foundations for a successful processing of the data. The processing phase consists of collecting the processed data for the purpose of establishing the foundations for a successful processing of the collected data for the purpose of processing and enriching the processed data. The processing phase consists of active collection enrichment and processing of the collected data for the purpose of active processing of the collected data. The processing phase consists of active selection of primary and secondary public and privately closed sources for the purpose of processing the collected data for the purpose of enriching and processing the collected data. The processing phase consists of active real-time aggregation of actionable threat intelligence data for the purpose of establishing the foundations of active processing and enrichment of the processed data for the purpose of processing and enriching of the processed data.

The dissemination phase consists of active processing and dissemination of the processed data for the purpose of communicating the actionable intelligence for the purpose of ensuring that an organizations defense is actively aware of the threats facing its infrastructure and security defense mechanisms. The dissemination phase consists of active distribution of the processed and enriched actionable intelligence for the purpose of active dissemination of the processed and enriched data. The dissemination phase consists of active dissemination and enrichment of the processed data for the purpose of establishing the foundations of an active threat intelligence gathering process. The dissemination phase consists of active communication and distribution of the processed and enriched data for the purpose of communicating the processed and enriched data across the organizations security defense mechanisms.

02. Threat Intelligence Methodologies

Numerous threat intelligence methodologies are currently available for an organization to take advantage of on its way to properly secure its infrastructure taking into consideration a proactive security response. Among the most common data acquisition strategies remains the active data acquisition through forum and communities monitoring including the active monitoring of private forums and communities. Carefully selecting and primary and secondary sources of information is crucial for maintaining the necessary situational awareness to stay ahead of threat facing the organizations infrastructure including the establishment of an active response response through an active threat intelligence gathering program. Among the most common threat intelligence acquisition methodologies remains the active data acquisition through primary and secondary forums and communities including the data acquisition through private and secondary community based type of acquisition platforms.

Among the most common threat intelligence data acquisition strategies remains the active team collaboration in terms of data acquisition data processing and data dissemination for the purpose of establishing an active organizations security response proactively responding to the threats facing an organizations infrastructure. Among the most common data acquisition strategies in terms of threat intelligence gathering methodologies remains the active enrichment of the sources of information to include a variety of primary and secondary sources including private and community based primary and secondary sources.

03. Proactive Threat Intelligence Methodologies

Anticipating the emerging threat landscape greatly ensures an organizations successful implementation of a proactive security type of defense ensuring that an organizations security defense remains properly protected from the threats facing its infrastructure. Properly understanding the threat landscape greatly ensures that a proactive response can be properly implemented for the purpose of ensuring that an organizations security defense remains properly protected from the threats facing its infrastructure. Taking into consideration the data obtained through an active threat intelligence gathering program greatly ensures that a proactive security response can be adequately implemented to ensure that an organizations security defense remains properly protected from the threats facing its infrastructure.

Among the most common threat acquisition tactics remains the active understanding of the threats facing an organizations security infrastructure to ensure that an adequate response can be properly implemented ensuring that an organizations defense remains properly protected from the threats facing its infrastructure. Among the most common threat intelligence gathering methodologies remains the active team collaboration to ensure that an active enrichment process can be properly implemented further ensuring that an organizations defense can be properly protected from the threats facing its infrastructure. Based on the information acquired through an active threat intelligence gathering acquisition processing and dissemination program further ensuring that an organizations infrastructure can be properly protected from the threats facing its infrastructure.

04. The Future of Threat Intelligence

The future of threat intelligence gathering largely relies on a successful set of threat intelligence gathering methodologies active data acquisition processing and dissemination strategies including the active enrichment of the processed data for the purpose of ensuring that an organizations security defense remains properly in place. The future of threat intelligence largely relies on the successful understanding of multiple threat vectors for the purpose of establishing an organizations security defense. Relying on a multi-tude of enrichment processes including the active establishment of an an active threat intelligence gathering acquisition processing and dissemination program greatly ensures that a proactive team-oriented approach can be implemented to ensure that an organizations security defense remains properly protected from the threats facing its infrastructure.

05. Conclusion

Threat Intelligence acquisition processing and dissemination remains a largely proactive response to a growing set of emerging threats facing an organizations infrastructure where the active establishment of an active threat intelligence gathering acquisition processing and dissemination remains an active response to a growing set of security threats facing an organization's infrastructure. Properly ensuring that an organization's security defense remains properly secured from the threats facing its infrastructure ensures that an organizations security defense remains properly in place further ensuring that a successful information security strategy can be properly implemented and that an organization's security defense can be properly put in place.

If you would like to receive additional information regarding a possible threat intelligence program evaluation facing your company's infrastructure including additional information regarding the threat landscape discussing the threats facing your organizations infrastructure you can approach me at dancho.danchev@hush.com Continue reading →

Malicious Client-Side Exploits Serving Campaign Intercepted, Thousands of Users Affected

We've recently intercepted, a currently, circulating, malicious campaign, utilizing, a variety, of compromised, Web sites, for, the purpose, of serving, malicious software, to socially engineered, users.

In this post, we'll profile, the campaign, the infrastructure, behind, it, provide, actionable, intelligence, MD5s, and, discuss, in depth, the tactics, techniques, and procedures, of, the cybercrimnals, behind it.

Sample malicious URL:
hxxp://directbalancejs.com/module.so - 37.48.116.208; 31.31.204.161

hxxp://2-eco.ru
hxxp://2401.ru
hxxp://24xxx.site
hxxp://3502050.ru
hxxp://6553009.xyz
hxxp://7032949.ru
hxxp://academing.ru
hxxp://academyfinance.ru
hxxp://activelifelab.com
hxxp://advokat-mikheev.ru
hxxp://advokatstav.ru
hxxp://akvahim98.ru
hxxp://al-minbar.ru
hxxp://allesmarket.com
hxxp://alltrump.ru
hxxp://altropasso.ru
hxxp://ambertao.info
hxxp://ambertao.org
hxxp://ancra.ru
hxxp://andr-6-update.ru
hxxp://android-new.ru
hxxp://androidid-6-new.ru
hxxp://angrymultik.ru
hxxp://animaciyafoto.ru
hxxp://animaciyaonline.ru
hxxp://animaciyastiker.ru
hxxp://animationline.ru
hxxp://animehvost.ru
hxxp://anyen.ru
hxxp://anywifi.online
hxxp://apple-pro.moscow
hxxp://appliancerepairmonster.com
hxxp://aptechka.farm
hxxp://arbosfera.ru
hxxp://archsalut.ru
hxxp://arstd.ru
hxxp://aslanumarov.ru
hxxp://atlanted.ru
hxxp://aurispc.ru
hxxp://avangardmaster.ru
hxxp://aviacorp24.ru
hxxp://awpashko.com

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MDSs:
MD5: c3754018dab05b3b8aac5fe8100076ce

Once executed the sample phones back to the following C&C server:
hxxp://info-get.ru - 31.31.204.161

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MD5s:
MD5: 4ff9bd7a045b0fe42a8f633428a59732
MD5: 46b1eaae5b53668a7ac958aecf4e57c3
MD5: d643025c5d0a2a2940502f4b15ca1801
MD5: 75dce2d84540153107024576bfce08fc
MD5: a23235ed940a75f997c127f59b09011d

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Malware Campaign Using Google Docs Intercepted, Thousands of Users Affected

We've recently intercepted, a malicious campaign, utilizing, Google Docs, for, the purpose, of spreading, malicious software, potentially, exposing, the confidentiality, integrity, and availability, of the, targeted hosts.

In this, post, we'll profile, the malicious campaign, expose, the malicious, infrastructure, behind, it, provide, MD5s, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, cybercriminals, behind it.

Sample malicious URL:
hxxp://younglean.cba.pl/lean/ - 95.211.80.4

Sample malicious URL hosting locations:
hxxp://ecku.cba.pl/js/bin.exe
hxxp://mondeodoslubu.cba.pl/js/bin.exe
hxxp://piotrkochanski.cba.pl/js/bin.exe
hxxp://szczuczynsp.cba.pl/122/091.exe

Known to have responded to the same malicious (95.211.80.4) are also the following malicious domains:
hxxp://barbedosgroup.cba.pl
hxxp://brutalforce.pl
hxxp://christophar-hacker.pl
hxxp://moto-przestrzen.pl
hxxp://eturva.y0.pl
hxxp://lingirlie.com
hxxp://ogladajmecz.com.pl
hxxp://oriflamekonkurs2l16.c0.pl
hxxp://umeblowani.cba.pl
hxxp://webadminvalidation.cba.pl
hxxp://adamr.pl
hxxp://alea.cba.pl
hxxp://artbymachonis.cba.pl
hxxp://beqwqgdu.cba.pl
hxxp://bleachonline.pl
hxxp://facebook-profile-natalia9320.j.pl
hxxp://fllrev1978.cba.pl
hxxp://gotowesms.pl
hxxp://kbvdfuh.cba.pl
hxxp://maplka1977.c0.pl
hxxp://nagrobkiartek.pl
hxxp://nyzusbojpxnl.cba.pl
hxxp://okilh1973.cba.pl
hxxp://pucusej.cba.pl
hxxp://sajtom.pl
hxxp://tarnowiec.net.pl
hxxp://techtell.pl
hxxp://testujemypl.cba.pl
hxxp://lawendowawyspa.cba.pl
hxxp://younglean.cba.pl
hxxp://delegaturaszczecin.cba.pl
hxxp://metzmoerex.cba.pl
hxxp://kmpk.c0.pl
hxxp://500plus.c0.pl
hxxp://erxhxrrb1981.cba.pl
hxxp://exztwsl.cba.pl
hxxp://fafrvfa.cba.pl
hxxp://fastandfurios.cba.pl
hxxp://filmonline.cba.pl
hxxp://fragcraft.pl
hxxp://fryzjer.cba.pl
hxxp://hgedkom1973.cba.pl
hxxp://luyfiv1972.cba.pl
hxxp://oliviasekulska.com
hxxp://opziwr-zamosc.pl
hxxp://ostro.ga
hxxp://rodzina500plus.c0.pl
hxxp://roknasilowni.tk
hxxp://vfqqgr1971.cba.pl

Sample malicious MD5s known to have phoned back to the same malicious IP (95.211.80.4):
MD5: 495f05d7ebca1022da2cdd1700aeac39
MD5: 68abd8a3a8c18c59f638e50ab0c386a4
MD5: 65b4bdba2d3b3e92b8b96d7d9ba7f88e
MD5: 64b5c6b20e2d758a008812df99a5958e
MD5: a0869b751e4a0bf27685f2f8677f9c62

Once executed the sample phones back to the following C&C servers:
hxxp://smartoptionsinc.com - 216.70.228.110
hxxp://ppc.cba.pl - 95.211.80.4
hxxp://apps.identrust.com - 192.35.177.64
hxxp://cargol.cat - 217.149.7.213
hxxp://bikeceuta.com - 91.142.215.77

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Analyzing the Bill Gates Botnet - An Analysis

We've, recently, intercepted, a high-profile, Linux-based, botnet-driven, type of, malicious, software, that's capable, of launching, a multitude of malicious attacks, on, compromised servers, potentially, exposing, the, integrity, confidentiality, and, availability, of, the compromised servers. Malicious attackers, often rely, on the use of compromised servers, for, the purpose, of, utilizing the access for malicious purposes, including, the capability, to launch malicious DDoS (Denial of Service Attack) attacks, and the ability, to spread additional malicious software, to potential users, including the capability to monetize access to the service, by, launching, DDoS for hire type of malicious and fraudulent services, including, the capability to launch high performance DDoS attacks.

In this post, we'll, profile, and analyze, the Bill Gates botnet, provide, actionable intelligence, on, the infrastructure, behind it, and, discuss, in depth, the tactics, techniques, and procedures, of the cybercriminals, behind it.

Malicious MD5s known to be part of the Bill Gates botnet:
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 0d79802eeae43459ef0f6f809ef74ecc
MD5: 9a77f1ad125cf34858be5e438b3f0247
MD5: 9a77f1ad125cf34858be5e438b3f0247
MD5: a89c089b8d020034392536d66851b939
MD5: a5b9270a317c9ef0beda992183717b33

Known Bill Gates botnet C&C server:
hxxp://dgnfd564sdf.com - 122.224.34.42; 122.224.50.37

Malicious C&C servers known to be part of the Bill Gates botnet:
202.103.178.76
121.12.110.96
112.90.252.76
112.90.22.197
112.90.252.79

Known to have responded to the same malicious IP (122.224.50.37) are also the following malicious domains:
hxxp://lfs99.com
hxxp://chchong.com
hxxp://uc43.net
hxxp://59wgw.com
hxxp://frade8c.com
hxxp://96hb.com
hxxp://cq670.com
hxxp://776ka.com

Malicious MD5s known to have phoned back to the same C&C server IP (122.224.50.37):
MD5: 6739ca4a835c7976089e2f00150f252b
MD5: eb234cee4ff769f2b38129bc164809d2
MD5: dc893d16316489dffa4e8d86040189b2
MD5: 0c1cac2a019aa1cc2dcc0d3b17fc4477
MD5: b7765076af036583fc81a50bd0b2a663

Known to have responded to the same malicious IP (122.224.34.42) are also the following malicious domains:
hxxp://76.wawa11.com
hxxp://903.wawa11.com
hxxp://904.wawa11.com
hxxp://905.wawa11.com
hxxp://906.wawa11.com
hxxp://907.wawa11.com
hxxp://91ww.0574yu.com
hxxp://9911sf.com
hxxp://901.t772277.com
hxxp://aisf.jux114.com
hxxp://520.wawa11.com
hxxp://awooolsf.com
hxxp://2288game.com
hxxp://588bc.com
hxxp://488game.com
hxxp://588bc.com

Malicious MD5s known to have been downloaded from the same malicious C&C server IP (122.224.34.42):
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 9a77f1ad125cf34858be5e438b3f0247

Malicious MD5s known to have been phoned back to the same malicious C&C server IP(122.224.34.42):
MD5: 815e453b6e268addf6a6763bfe013928

Once executed the sample phones back to the following malicious C&C server IPs:
hxxp://awooolsf.com/222.txt - 122.224.34.42
hxxp://xxx.com/download/xx.exe - 67.23.112.226

Known to have responded to the same malicious IP (67.23.112.226) are also the following malicious domains:
hxxp://falconglobalimpex.com
hxxp://deschatz-army.net
hxxp://m.xxx.com
hxxp://xxx.com
hxxp://xxxsites.com
hxxp://t.xxx.com
hxxp://m.xxx.org
hxxp://m.xxxsites.com
hxxp://xxx.org

Known to have been downloaded from the same malicious IP (67.23.112.226) are also the following malicious MD5s:
MD5: b4b483eb0d25fa3a9ec589eb11467ab8

Known to have phoned back to the same malicious C&C server (67.23.112.226) are also the following malicious MD5s:
MD5: 53a7fc24cb19463f8df3f4fe3ffd79b9
MD5: 268b8bcacec173eace3079db709b9c69
MD5: 0faf6988dfeaa98241c19fd834eca194
MD5: 87f8ffeb17a72fda7cf28745fa7a6be8
MD5: c973f818a5f9326c412ac9c4dfaeb0bd

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected

We've recently intercepted, a currently ongoing malicious malvertising attack, affecting thousands of users globally, potentially exposing their PCs, to, a multitude of malicious software, compromising, the, integrity, confidentiality, and, availability, of, their, PCs.

The campaign relies on the Angler Web malware exploitation kit, for, the, purpose of serving malicious software, on the, PCs, of, affected users exposing, their, PCs, to, a multitude, of, malicious software, potentially leading, to, a compromise, of, their, PCs. Once, users, visit, a legitimate Web site, part, of the, campaign, their, PCs, automatically become, part, of the botnet, operated, by, the, cybercriminals, behind it, with, the, campaign, relying, on, the, use, of, the, exploitation, of, a well known, client-side, vulnerability.

Cybercriminals, often, rely, on, the, use, of, compromised, accounting, data, obtained, through, active data mining, of, a botnet's infected population, for, the purpose, of, embedding, malicious, client-side exploits, on well known, and highly popular, Web sites, next, to, the, active, client-side, exploitation, of, known, vulnerabilities, found, on public, and well, known, Web sites. Yet, another highly popular attack vector, remains, the use, of compromised, advertiser network publisher's account, for, the, purpose, of taking advantage, of, the publisher's, already established, clean, network, reputation.

In this post, we'll profile, the, malicious campaign, provide, actionable, intelligence, for, the, infrastructure, behind it, provide, malicious MD5s, as, well, as, discuss, in depth, the, tactics, techniques, and procedures, utilized, by, the, cybercriminals, behind it.

Sample detection rate for the Trojan.Win32.Waldek.gip malware:
MD5: f2b92d07bb35f1649b015a5ac10d6f05

Once executed the sample phones back to:
hxxp://datanet.cc/extra/status.html - 146.185.251.154

Malicious URLs, used, in the, campaign:
hxxp://gamergrad.top/track/k.track?wd=48&fid=2 - 104.24.112.169
hxxp://talk915.pw/track/k.track?wd=48&fid=2 - 104.27.190.84

Known to have responded to the same IP (146.185.251.154) are also the following malicious domains:
hxxp://crenwat.cc
hxxp://oldbog.cc
hxxp://datanet.cc
hxxp://glomwork.cc
hxxp://speedport.cc
hxxp://myhostclub.cc
hxxp://terminreg.cc
hxxp://currentnow.cc
hxxp://copyinv.cc
hxxp://lableok.cc
hxxp://agentad.cc
hxxp://appclone.cc
hxxp://tune4.cc
hxxp://objects.cc

Once executed, the, sample, phones, back, to the, following, C&C server:
hxxp://188.138.70.19

Known to have responded to the same IP (188.138.70.19) are also the following malicious domains:
hxxp://alfatrade.cxaff.com
hxxp://affiliates.alfatrade.com

Known to have phoned back to the same malicious C&C server, are, also, the following malicious MD5s:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a384337cad9335b34d877dd4c59c73ce
MD5: e7b7b7664e89be18bcf2b79cc116731f
MD5: d712ddbc9b4fb27d950be93c1e144cce

Related malicious MD5s known to have phoned back to the same C&C server:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a2bd512e438801a2aa1871a2ac28e5bd
MD5: f01f9ded34cfe21098a2275563cf0d9d
MD5: e7b7b7664e89be18bcf2b79cc116731f

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Hundreds of Google Play Apps Compromised, Lead to Mobile Malware

Malicious attackers, have, managed, to, infiltrate, and populate, Google Play, with, hundreds, of rogue, applications, exposing, users, to mobile, malware, compromising, the, integrity, of, their, devices, and, exposing, them, to, misleading, advertisements. Once, a socially, engineered, user, obtains, the, application, and, execute, it, their, device, the malware, phones, back, to, a malicious URL, exposing, the, integrity, confidentiality, and, availability, of, the, device.

Malicious attackers, often, rely, on, a variety of social engineering tactics, to, obtain, access, to, a user's device, including, the use, of, compromised, publisher's accounts, obtained, through, data mining, of botnet's of infected, population. Once, access, to, a particular, publisher's account, is, obtained, the malicious attackers, would, attempt, to use, a do-it-yourself, type, of, mobile, malware, generating tool, for, the, purpose, of, modifying, a legitimate, application, for, the, purpose, of, obtaining, access, to, a user's device.

Malicious attackers, are, also, known, to rely, on secondary, marketplaces, for, the, purpose, of, attempting, to, obtain, access, to user's, device, with, the, secondary, marketplaces, populated, with, rogue, and compromised, applications.

Once, a, socially, engineered, user, obtains, an, application, their, device, automatically, becomes, part, of, a, malicious attacker's, botnet, with, the malicious, attackers, relying on, a multitude, of monetization techniques, while, earning, fraudulently, obtained, revenue, in, the, process. Malicious attackers, are, also, known, to, rely, on, rogue, and, fraudulent, affiliate networks, for, the, purpose, of, monetizing, access, to, the, obtained, hosts, through, a, variety, of, rogue, advertising, networks, largely, set, up, for, the, purpose, of, earning, fraudulent, revenue, for, the, malicious attackers.

These affiliate networks, are, known, to, provide, managed, support, including, the, systematic, rotation of the command and control, server, and, the, availability, of, various, templates, empowering, malicious attackers, with, access, to, a, variety, of, fraudulent techniques, allowing, them, to, easily, monetize, access, to, the, infected hosts.

In this post, we'll profile, profile, the, Android.Spy.277.origin, mobile, malware, found, on hundreds, of applications, at Google Play, expose, the, malicious, infrastructure, behind, it, provide, MD5s, and, discuss, in, depth, the, various tactics, techniques, and procedures, utilized, by, malicious, attackers, for, the purpose, of, spreading, mobile, malware, attempting, to, trick, users, into, executing, malicious software, on their, devices.

Sample detection rate for a sample malware:
MD5: a51d7f8413aa3857a4682fa631d39054

Once executed the sample phones back to the following C&C server:
hxxp://startappexchange.com - 184.26.136.91; 184.26.136.113

The same malicious C&C server (startappexchange.com) is also known to have responded to the following IPs:
23.15.5.200
23.63.227.171
95.101.2.24
23.62.239.19
96.6.122.67
23.15.5.205
23.62.236.98
61.213.181.153
23.63.227.208
23.63.227.192
23.3.13.65
96.6.122.74
23.3.13.58
23.62.236.74
184.50.232.74
184.84.243.57
217.7.48.104
217.7.48.192
80.157.151.48
80.157.151.67
67.135.105.35
23.61.194.186
88.221.134.192
88.221.134.211
23.0.160.8
95.101.0.24
95.101.0.50
2.21.243.57
2.21.243.64
23.0.160.51
184.29.105.43
173.223.232.66
184.29.105.83
96.16.98.113
107.14.46.80
62.208.24.33
217.65.36.6

Related malicious MD5s known to have phoned back to the same C&C server:
MD5: 53958d60a2d52c99ad305ec105d47486
MD5: 45eaa4fc36c9a69b3ac78ddce7800daa
MD5: b355ed6fa08ef0415d4e7c6bc602f9a8
MD5: e4c7d87b7b20ae9555c6efe6466b32e6
MD5: 83a449691ff40cf9d3c8c4d7119aaea7

This post has been reproduced from Dancho Danchev's blog. Continue reading →