Historical OSINT - Google Docs Hosted Rogue Chrome Extension Serving Campaign Spotted in the Wild

December 24, 2016
In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, while, earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, malware-infected, hosts, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affecting, Google Docs, while, successfully, enticing, socially, engineered, users, into, clicking, on, bogus, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, successfully, exposing, socially, engineered, users, to, a, rogue, Chrome Extension.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.

Sample, URL, redirection, chain:
https://1364757661090.docs.google.com/presentation/d/1w5eh2rh6i0pbuVjb4_MzBNPEovRw3f6qiho7AshTcHI/htmlpresent?videoid=1364757661199 -> http://www.worldvideos.us/chrome.php -> https://chrome.google.com/webstore/detail/high-solution/jokhejlfefegeolonbckggpfggipmmim

Related, malicious, domain, reconnaissance:
hxxp://worldvideos.us - 89.19.10.194
ns1.facebookhizmetlerim.com
ns2.facebookhizmetlerim.com

Responding to 89.19.10.194 are also the following fraudulent domains part of the campaign's infrastructure:
hxxp://e-sosyal.biz
hxxp://facebookhizmetlerim.com
hxxp://facebookmedya.biz
hxxp://facebooook.biz
hxxp://fbmedyahizmetleri.com
hxxp://sansurmedya.com
hxxp://sosyalpaket.com
hxxp://worldmedya.net
hxxp://youtubem.biz

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (208.73.211.70):
hxxp://396p4rassd2.youlovesosoplne.net
hxxp://5q14.zapd.co
hxxp://airmats.com
hxxp://amciksikis.com
hxxp://anaranjadaverzochte.associate-physicians.org
hxxp://autorepairmanual.org
hxxp://blackoutblinds.com
hxxp://blog.jmarkafghans.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (208.73.211.70):
MD5: 584a779ae8cdea13611ff45ebab517ae
MD5: cea89679058fe5a5288cfacc1a64e431
MD5: 62eee7a0bed6e958e72c0edf9da17196
MD5: 160793c37a5aa29ac4c88ba88d1d7cc2
MD5: 46079bbcfcd792dfcd1e906e1a97c3a6

Once, executed, a, sample, malware (MD5: 584a779ae8cdea13611ff45ebab517ae), phones, back, to, the, following, C&C, server, IPs:
hxxp://zhutizhijia.com - 208.73.211.70

Once, executed, a, sample, malware (MD5: cea89679058fe5a5288cfacc1a64e431), phones, back, to, the, following, C&C, server, IPs:
hxxp://aieov.com - 208.73.211.70

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (141.8.224.239):
hxxp://happysocks.7live7.org
hxxp://hiepdam.org
hxxp://hyper-path.com
hxxp://interfacelife.com
hxxp://iowa.findanycycle.com
hxxp://massachusetts.findanyboat.com
hxxp://diptnyc.com

Related, maliciuos, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (141.8.224.239):
MD5: ddf27e034e38d7d35b71b7dc5668ffce
MD5: 6ba6451a9c185d1d07323586736e770e
MD5: 854ea0da9b4ad72aba6430ffa6cc1532
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: bf78b0fcfc8f1a380225ceca294c47d8

Once, executed, a, sample, malware (MD5:ddf27e034e38d7d35b71b7dc5668ffce), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://srv.desk-top-app.info - 141.8.224.239

Once, executed, a, sample, malware (MD5:6ba6451a9c185d1d07323586736e770e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://premiumstorage.info - 141.8.224.239

Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49
hxxp://wentstate.net - 141.8.224.93
hxxp://musicnews.net - 176.74.176.187
hxxp://spendstate.net

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (89.19.10.194):
hxxp://liderbayim.com
hxxp://blacksport.org
hxxp://liderbayim.com
hxxp://2sosyal-panelim.com
hxxp://sosyal-panelim.com
hxxp://darknessbayim.com
hxxp://hebobayi.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - FTLog Worm Spreading Across Fotolog

December 24, 2016
In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, while, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multu-tude, of, malicious, software, while, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, the, malware-infected, hosts, further, spreading, malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, on, a, set, of, tactics, techniques, and, procedures, successfully, monetizing, access, to, the, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a currently, circulating, malicious, spam, campaign, targeting, the, popular, social, network, Web, site, Fotolog, successfully, enticing, socially, engineered, users, into, interacting, with, malicious, links, while, monetizing, access, to, the, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.


Sample, URL, redirection, chain:
hxxp://bit.ly/cBTsWo
        - hxxp://zwap.to/001mk
            - hxxp://www.cepsaltda.cl/uc/red.php?u=1 - 216.155.72.44
                - hxxp://supatds.cn/go.php?sid=1 - 92.241.164.1
                    - hxxp://www.cepsaltda.cl/uc/rcodec.php
                        - hxxp://cepsaltda.cl/uc/codec/divxcodec.exe

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: c6dbc58e0db3c597c4ab562ad9710a38

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Massive Black Hat SEO Campaing Serving Scareware Spotted in the Wild

December 24, 2016
In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, acquiring, and, hijacking, traffic, for, the, purpose, of, converting, it, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, a, set, of, tactics, techniques, and, procedures, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, an, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, black, hat, SEO (search engine optimization), campaign, serving, fake, security, software, also, known, as, scareware, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, portfolio, of, compromised, Web, sites:
hxxp://yushikai.co.uk
hxxp://www.heart-2-heart.nl
hxxp://www.stichtingkhw.nl
hxxp://burgessandsons.com
hxxp://marsmellow.info
hxxp://broolz.co.uk
hxxp://bodyscope.co.uk
hxxp://janschnoor.de
hxxp://goodluckflowers.com
hxxp://www.frank-carillo.com
hxxp://www.strijkvrij.com
hxxp://www.fotosiast.nl
hxxp://www.senbeauty.nl
hxxp://www.menno.info
hxxp://www.kul.fm

Sample, URL, redirection, chain:
hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181 -> hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48 - Email: Kathryn.D.Jennings@gmail.com

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://myatmoe.iblogger.org
hxxp://creditreport.iblogger.org
hxxp://movieddlheaven.iblogger.org
hxxp://cv-bruno-brocas.iblogger.org
hxxp://islife.iblogger.org
hxxp://iblogger.iblogger.org
hxxp://dressshirt.iblogger.org
hxxp://allians.iblogger.org
hxxp://rapid-weight-loss.iblogger.org
hxxp://breastaugm.iblogger.org
hxxp://uila.iblogger.org
hxxp://oh-tv.iblogger.org
hxxp://brudnopis.iblogger.org
hxxp://learnenglish.iblogger.org
hxxp://motivatedcats.iblogger.org
hxxp://robert.iblogger.org
hxxp://testforask.iblogger.org
hxxp://poormanguides.iblogger.org
hxxp://gelbegabeln.iblogger.org
hxxp://nuagerouge.iblogger.org
hxxp://chicos-on-line.iblogger.org
hxxp://hypnosisworld.iblogger.org
hxxp://tennis.iblogger.org
hxxp://ibu.iblogger.org
hxxp://turkifsa.iblogger.org
hxxp://amandacooper.iblogger.org
hxxp://tw.iblogger.org
hxxp://whedon.iblogger.org
hxxp://han.iblogger.org
hxxp://scclab.iblogger.org
hxxp://besftfoodblogger.iblogger.org
hxxp://premiummenderacunt.iblogger.org
hxxp://seobook.iblogger.org
hxxp://bestjackets.iblogger.org
hxxp://kidszone.iblogger.org
hxxp://liker2fb.iblogger.org
hxxp://vipin.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://palermo.iblogger.org
hxxp://forum.bay.de.iblogger.org
hxxp://online-guard.iblogger.org
hxxp://juhjsd.iblogger.org
hxxp://asulli.iblogger.org
hxxp://youtubetranscription.iblogger.org
hxxp://praza.iblogger.org
hxxp://free-worlds.iblogger.org
hxxp://mlm.iblogger.org
hxxp://myleskadusale.iblogger.org
hxxp://ninjapearls.iblogger.org
hxxp://bassian.iblogger.org
hxxp://d3-f21-w-14.iblogger.org
hxxp://mlk.iblogger.org
hxxp://pe.iblogger.org
hxxp://connor54321.iblogger.org
hxxp://smx.iblogger.org
hxxp://17fire.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://generalsurgery.iblogger.org
hxxp://megafon.iblogger.org
hxxp://dasefx.iblogger.org
hxxp://ysofii.iblogger.org
hxxp://priv8.iblogger.org
hxxp://kahramanmaras.iblogger.org
hxxp://kaoojcjl.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://dla-kobiet.iblogger.org
hxxp://karinahart.iblogger.org
hxxp://mariucciaelasuaombra.iblogger.org
hxxp://signinbay.de.iblogger.org
hxxp://pitstop.iblogger.org
hxxp://colorless.iblogger.org
hxxp://directorio.iblogger.org
hxxp://odenaviva.iblogger.org
hxxp://e-money.iblogger.org
hxxp://digicron.iblogger.org
hxxp://slotomania-hackers.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://bestoksriy.iblogger.org
hxxp://teamsite.iblogger.org
hxxp://mateaplicada.iblogger.org
hxxp://tmgames.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://priv8.iblogger.org
hxxp://sharepointdotnetwiki.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://seobook.iblogger.org
hxxp://jawwal.iblogger.org
hxxp://tomsplace.iblogger.org
hxxp://shreyo.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://beitypedia.iblogger.org
hxxp://dutcheastindies.iblogger.org
hxxp://cramat-satu.iblogger.org
hxxp://misc.iblogger.org
hxxp://espirito-de-aventura.iblogger.org
hxxp://tomksoft.iblogger.org
hxxp://mymovies.iblogger.org

Known, to, have, responded, to, the, same, malicious, IP (199.59.243.120) are, also, the, following, malicious, domains:
hxxp://brendsrnzwrn.cuccfree.com
hxxp://caraccidentlawyer19.us
hxxp://colombiavirtualtours.com
hxxp://dailydigest.cn
hxxp://drugaddiction569.us
hxxp://earnonline.cn
hxxp://epicor.in
hxxp://glhgk.com
hxxp://iroopay.com
hxxp://kajianislam.us

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (199.59.243.120):
MD5: c7bd669a416a8347aeba6117d0040217
MD5: ae89e09f52db7f9d69b9b9c40dbf35f9
MD5: b4399fc8f1de723d452b05ec474ca651
MD5: c779d9f4e9992ad5ffcd2353bb003a51
MD5: cc6efabb0a26c729f126b12be717de47

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://theworldnews.byethost5.com - 199.59.243.120

Known, to, have, responded, to, the, same, malicious IP (205.164.14.79), are, also, the, following, malicious, domains:
hxxp://fsdq.cn
hxxp://parked-domain.org
hxxp://fiverr.hk.tn
hxxp://hamzanori90.name-iq.com
hxxp://postgumtree.uk.tn
hxxp://caoliushequ.info
hxxp://housewives.byethost4.com
hxxp://nuichate.22web.org
hxxp://3rtz.byethost12.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (205.164.14.79):
MD5: dbca66955cac79008f9f1cd415d7e308
MD5: b452ca519f077307d68ff034567087c1
MD5: 70e8c79135b341eac51da0b5789744d3
MD5: a9f64c1404faf4a6fc81564c8dec22d9
MD5: b3737a1c34cb705f7d244c99afdc3a01

Once, executed, a, sample, malware (MD5:dbca66955cac79008f9f1cd415d7e308), phones, back, to, the, following, C&C, server, IPs:
hxxp://ibayme.eb2a.com - 205.164.14.79

Known, to, have, responded, to, the, same, malicious, IPs (199.59.241.181), are, also, the, following, malicious, domains:
hxxp://yn919.com
hxxp://wimp.it
hxxp://puqiji.com
hxxp://52style.com
hxxp://007guard.com
hxxp://10iski.10001mb.com
hxxp://11649.bodisparking.com
hxxp://13.get.themediafinder.com
hxxp://134205.aceboard.fr

Sample, detection, rate, for, a, malicious, executable:
MD5: f74a744d75c74ed997911d0e0b7e6f67

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://mycommercialssecuritytool.com/in.php?affid=34100

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://protectyoursystemnowonline.com
hxxp://createyoursecurityonline.com
hxxp://commercialssecuritytools.com
hxxp://freecreateyoursecurity.com

Sample, URL, redirection, chain:
hxxp://ulions.com/yxg.php?p= - 104.28.22.34
    - hxxp://ppbmv4.xorg.pl/in.php?t=cc&d=04-02-2010_span&h=
        - hxxp://www1.nat67go4it.net/?uid=195&pid=3&ttl=5184c614d4b - 89.248.160.161
            - hxxp://www1.systemsecure.in/?p=

Know, to, have, responded, to, same, malicious, C&C, server, IP (104.28.22.34), are, also, the, following, malicious, domains:
hxxp://portlandultimate.com
hxxp://portablemineapplicationsub.tech
hxxp://indirimkuponlarimiz.com
hxxp://walkinclosetguys.com
hxxp://bryantanaka.com
hxxp://swisschecklist.com
hxxp://census.mnfurs.org
hxxp://duluthbeth.xyz

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (104.28.22.34):
MD5: 11dda0bbd2aef7944f990fcefbc91034
MD5: d0be24df3078866a277874dad09c98d9
MD5: 9ba06da9370037fd2ffe525d6164b367
MD5: 537bd45df702f90585eebab2a8bb3584
MD5: a9f61e9696ff7ff4bfc34f70549ffdd0

Once, executed, a, sample, malware (MD5:11dda0bbd2aef7944f990fcefbc91034), phones, back, to, the, following, C&C, server, IPs:
hxxp://audio-direkt.net
hxxp://servico-ind.com
hxxp://saios.net
hxxp://coopsupermarkt.nl
hxxp://fruitspot.co.za
hxxp://vitalur.by
hxxp://trinity-works.com

Once, executed, a, sample, malware (MD5:d0be24df3078866a277874dad09c98d9), phones, back, to, the, following, C&C, server, IPs:
hxxp://3asfh.net - 104.28.22.34

Once, executed, a, sample, malware, (MD5:a9f61e9696ff7ff4bfc34f70549ffdd0), phones, back, to the, following, malicious, C&C, server, IPs:
hxxp://link-list-uk.com
hxxp://racknstackwarehouse.com.au
hxxp://zeronet.co.jp
hxxp://sun-ele.co.jp
hxxp://slcago.org
hxxp://frederickallergy.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Haiti-themed Blackhat SEO Campaign Serving Scareware Spotted in the Wild

December 23, 2016
In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, spreading, malicious, software, largely, relying, on, a, pre-defined, set, of, compromised, hosts, for, the, purpose, of, spreading, malicious, software, further, expanding, a, specific, botnet's, infected, population, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, access, to, the, infected, hosts, largely, relying, on, an, affiliate-based, type, of, monetizing, scheme.

In, this, post, we'll, profile, a, currently, circulating, malicious, black, hat, SEO (search engine optimization), campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, portfolio, of, affected, Web, sites:
hxxp://austinluce.co.uk
hxxp://naukatanca.co.uk
hxxp://truenorthinnovation.co.uk
hxxp://robsonsofwolsingham.co.uk
hxxp://daviddewphotography.co.uk

Sample, URL, redirection, chain:
hxxp://sciencefirst.com/?red=haiti-earthquake-donate
    - hxxp://otsosute.freehostia.com/c.html
        - hxxp://scan-now24.com/go.php?id=2022&key=4c69e59ac&d=1

Sample, URL, redirection, chain:
hxxp://lipsticpi.ru/sm/r.php
    - hxxp://uscaau.com/back.php
        - hxxp://sekuritylistsite.com/hitin.php?land=20&affid=94801
            - hxxp://mypremiumantyspywarepill.com/hitin.php?land=20&affid=94801
                - hxxp://mypremiumantyspywarepill.com/index.php?affid=94801

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: ebc956abadefdac794ebcd1898ea07cf

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: d65a5d1ab98bd690dccd07cb6eebcba3

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://mypremiumantyspywarepill.com/in.php?affid=94801
hxxp://greatnorthwill.com/?mod=vv&i=1&id=11-18

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://getholidaypresent0.com - 204.12.225.83
hxxp://getholidaypresent2.com
hxxp://getholidaypresent3.com
hxxp://scan-now22.com
hxxp://scan-now23.com
hxxp://scan-now24.com
hxxp://santaclaus4.com
hxxp://getholidaypresent5.com
hxxp://getholidaypresent7.com

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://freeantyviruspillblog.com - 213.163.91.240
hxxp://newgoodantyspywarepill.com
hxxp://mypremiumantyspywarepill.com
hxxp://freegoodantyviruspill.com
hxxp://freeantyspywarepillshop.com
hxxp://thevirustoolbox.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild

December 23, 2016
In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercrimianals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, thousands, of, newly, affected, users, globally, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, botnet's, population, largely, relying, on, the, utilization, of, affiliate-based, type, of, fraudulent, revenue, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, impersonating, Facebook, for, the, purpose, of, serving, client-side, exploits, to, socially, engineered, users, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, hosts, largely, relying, on, the, use, of, affiliate-based, type, of, fraudulent, revenue, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.

Sample, URL, exploitation, chain:
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
    - hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
        - hxxp://spain.salefale.com/index.php

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://salefale.com - 112.137.165.114
    - hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru
       
Sample, detection, rate, for, the, malicious, executable:
MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09

Once, executed, a, sample, malware, phones back to:
hxxp://makotoro.com

Related, malicious, C&C, server, IPs, known, to, have, participated, in, the, campaign:
hxxp://91.201.196.99
hxxp://91.201.196.77
hxxp://91.201.196.101
hxxp://91.201.196.35
hxxp://91.201.196.75
hxxp://91.201.196.76
hxxp://91.201.196.38
hxxp://91.201.196.34
hxxp://91.201.196.37

Related, malicious, C&C, server, IPs (212.175.173.88), known, to, have, participated, in, the, campaign:
hxxp://downloads.fileserversa.org
hxxp://downloads.fileserversc.org
hxxp://downloads.fileserversd.org
hxxp://downloads.portodrive.org
hxxp://downloads.fileserversj.org
hxxp://downloads.fileserversk.org
hxxp://downloads.fileserversm.org
hxxp://downloads.fileserversn.org
hxxp://downloads.fileserverso.org
hxxp://downloads.fileserversq.org
hxxp://downloads.fileserversr.org
hxxp://auth.facebook.com.megavids.org
hxxp://auth.facebook.com.fileserversl.com
hxxp://auth.facebook.com.legomay.com
hxxp://auth.facebook.com.crymyway.com
hxxp://auth.facebook.com.portodrive.net
hxxp://auth.facebook.com.modavedis.net
hxxp://auth.facebook.com.migpix.net
hxxp://auth.facebook.com.legomay.net
hxxp://auth.facebook.com.crymyway.net
hxxp://downloads.megavids.org
hxxp://downloads.regzavids.org
hxxp://downloads.vedivids.org
hxxp://downloads.restpictures.org
hxxp://downloads.modavedis.org
hxxp://downloads.fileserverst.org
hxxp://downloads.fileserversu.org
hxxp://downloads.regzapix.org
hxxp://downloads.reggiepix.org
hxxp://downloads.migpix.org
hxxp://downloads.restopix.org
hxxp://downloads.legomay.org
hxxp://downloads.vediway.org
hxxp://downloads.compoway.org
hxxp://downloads.restway.org
hxxp://downloads.crymyway.org
hxxp://downloads.fileserversa.com
hxxp://downloads.fileserversb.com
hxxp://downloads.fileserversc.com
hxxp://downloads.fileserversd.com
hxxp://downloads.fileserverse.com
hxxp://downloads.fileserversf.com
hxxp://downloads.fileserversg.com
hxxp://downloads.fileserversh.com
hxxp://downloads.fileserversi.com
hxxp://downloads.fileserversj.com
hxxp://downloads.fileserversk.com
hxxp://downloads.fileserversl.com
hxxp://downloads.fileserversm.com
hxxp://downloads.fileserversn.com
hxxp://downloads.fileserverso.com
hxxp://downloads.fileserversp.com
hxxp://downloads.fileserversq.com
hxxp://downloads.fileserversr.com
hxxp://downloads.regzavids.com
hxxp://downloads.vedivids.com
hxxp://downloads.restpictures.com
hxxp://downloads.modavedis.com
hxxp://downloads.fileserverss.com
hxxp://downloads.fileserverst.com
hxxp://downloads.fileserversu.com
hxxp://downloads.regzapix.com
hxxp://downloads.reggiepix.com
hxxp://downloads.migpix.com
hxxp://downloads.legomay.com
hxxp://downloads.vediway.com
hxxp://downloads.compoway.com
hxxp://downloads.crymyway.com
hxxp://downloads.fileserversa.net
hxxp://downloads.fileserversb.net
hxxp://downloads.fileserversc.net
hxxp://downloads.fileserversd.net
hxxp://downloads.fileserverse.net
hxxp://downloads.portodrive.net
hxxp://downloads.fileserversf.net
hxxp://downloads.fileserversg.net
hxxp://downloads.fileserversh.net
hxxp://downloads.fileserversi.net
hxxp://downloads.fileserversj.net
hxxp://downloads.fileserversk.net
hxxp://downloads.fileserversl.net
hxxp://downloads.fileserversm.net
hxxp://downloads.fileserversn.net
hxxp://downloads.fileserverso.net
hxxp://downloads.fileserversp.net
hxxp://downloads.fileserversq.net
hxxp://downloads.fileserversr.net
hxxp://downloads.regzavids.net
hxxp://downloads.vedivids.net
hxxp://downloads.tastyfiles.net
hxxp://downloads.restpictures.net
hxxp://downloads.modavedis.net
hxxp://downloads.fileserverss.net
hxxp://downloads.fileserverst.net
hxxp://downloads.fileserversu.net
hxxp://downloads.regzapix.net
hxxp://downloads.reggiepix.net
hxxp://downloads.migpix.net
hxxp://downloads.legomay.net
hxxp://downloads.vediway.net
hxxp://downloads.compoway.net
hxxp://downloads.restway.net
hxxp://downloads.crymyway.net

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection

December 23, 2016
In, a, cybercrime, dominated, by, fraudulent, propositions, historical, OSINT, remains, a, crucial, part, in, the, process, of, obtaining, actionable. intelligence, further, expanding, a, fraudulent, infrastructure, for, the, purpose, of, establishing, a, direct, connection, with, the, individuals, behind, it. Largely, relying, on, a, set, of, tactics, techniques, and, procedures, cybercriminals, continue, further, expanding, their, fraudulent, infrastructure, successfully, affecting, hunreds, of, thousands, of, users, globally, further, earning, fraudulent, revenue, in, the, process, of, committing, fraudulent, activity, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

In, this, post, we'll, discuss, a, black, hat, SEO (search engine optimization), campaign, intercepted, in, 2009, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, successfully, establishing, a, direct, connection, with, the, Koobface, gang.


The, Koobface, gang, having, successfully, suffered, a, major, take, down, efforts, thanks, to, active, community, and, ISP (Internet Service Provider), cooperation, has, managed, to, successfully, affect, a, major, proportion, of, major, social, media, Web, sites, including, Facebook, and, Twitter, for, the, purpose, of, further, spreading, the, malicious, software, served, by, the, Koobface, gang, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, fake, security, software, and, the, reliance, on, a, fraudulent, affiliate-network, based, type, of, monetizing, scheme.


Largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, including, social, media, propagation, black, hat, SEO (search engine optimization), and, client-side, exploits, the, Koobface, gang, has, managed, to, successfully, affect, hundreds, of, thousands, of, users, globally, successfully, populating, social, media, networks, such, as, Facebook, and, Twitter, with, rogue, and, bogus, content, for, the, purpose, of, spreading, malicious, software, and, earning, fraudulent, revenue, in, the, process, largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, affiliate-network, based, traffic, monetizing, scheme.

Let's, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, with, the, Koobface, gang, and, the, Koobface, botnet's, infrastructure.

Sample URL, redirection, chain:
hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901; -> http://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> hxxp://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56


Sample, detection, rate, for, a, malicious, executable:MD5: bd7419a376f9526719d4251a5dab9465


Sample, URL, redirection, chain, leading, to, client-side, exploits:
hxxp://loomoom.in/counter.js - 64.20.53.84 - the front page says "We are under DDOS attack. Try later".
hxxp://firefoxfowner.cn/?pid=101s06&sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=101s6&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZT0xMjUxNMkNPAhN

Sample, detection, rate, for, a, malicious, executable:
MD5: a91a1bb995e999f27ffc5d9aa0ac2ba2

 Once, executed, a, sample, malware, phones, back, to:
hxxp://systemcoreupdate.com/download/timesroman.tif - 213.136.83.234


Sample, URL, redirection, chain:
hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is also left "We are under DDOS attack. Try later"
hxxp://johnsmith.in/counter.js - 64.20.53.86
hxxp://gamotoe.in/counter.js
hxxp://polofogoma.in/counter.js
hxxp://jajabin.in/counter.js
hxxp://dahaloho.in/counter.js
hxxp://gokreman.in/counter.js
hxxp://freeblogcounter2.com/counter.js
hxxp://lahhangar.in/counter.js
hxxp://galorobap.in/counter.js

 Sample, directory, structure, for, the, black, hat, SEO (search engine optimization), campaign:
hxxp://images/include/bmblog
hxxp://bmblog/category/art/
hxxp://images/style/bmblog
hxxp://photos/archive/bmblog/
hxxp://templates/img/bmblog
hxxp://phpsessions/bmblog
hxxp://Index_archivos/img/bmblog/
hxxp://bmblog/category/hahahahahah/
hxxp://gallery/include/bmblog

Sample, malicious, domains, participating, in, the, campaign:
pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com
securitytoolnow.com - Email: ronaldmpappas@dodgit.com
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com
security-utility.net - Email: richardrmccullough@trashymail.com

Historically on the same IP were parked the following, now responding to 91.212.107.37 domains:
online-spyware-remover.biz - Email: robertsimonkroon@gmail.com
online-spyware-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.biz  - Email: robertsimonkroon@gmail.com
spyware-online-remover.com - Email: robertsimonkroon@gmail.com
spyware-online-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.net - Email: robertsimonkroon@gmail.com
spyware-online-remover.org - Email: robertsimonkroon@gmail.com
tubepornonline.biz - Email: robertsimonkroon@gmail.com
tubepornonline.org - Email: robertsimonkroon@gmail.com


Sample, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://antyspywarestore.com/index.php?affid=90400
hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcdermott@gmail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 0feffd97ffe3ecc875cfe44b73f5653b
MD5: a0d9d3127509272369f05c94ab2acfc9

Naturally, it gets even more interesting, in particular the fact the very same robertsimonkroon@gmail.com used to register the domains historically parked at the IP that is currently hosting the scareware domains part of the massive blackhat SEO campaign -- the very same domains (hxxp://firefoxfowner.cn), were also in circulation on Koobface infected host, in a similar fashion when the domains used in the New York Times malvertising campaign were simultaneously used in blackhat SEO campaigns managed by the Koobface gang -- have not only been seen in July's scareware campaigns -- but also, has been used to register actual domains used as a download locations for the scareware campaigns part of the Koobface botnet's scareware business model.


Parked, at, the, same, malicious, IP (91.212.107.37), are, also, the, following, malicious, domains:
hxxp://free-web-download.com
hxxp://web-free-download.com
hxxp://iqmediamanager.com
hxxp://oesoft.eu
hxxp://unsoft.eu
hxxp://losoft.eu
hxxp://tosoft.eu
hxxp://kusoft.eu

Sample, detection, rate, for, a, malicious, executable:
MD5: 29ff816c7e11147bb74570c28c4e6103
MD5: e59b66eb1680c4f195018b85e6d8b32b
MD5: b34593d884a0bc7a5adb7ab9d3b19a2c

The overwhelming evidence of underground multi-tasking performed by the Koobface gang, it's connections to money mule recruitment scams, high profile malvertising attacks, and current market share leader in blackhat SEO campaigns, made, the, group, a, prominent, market, leader, within, the, cybercrime, ecosystem, having, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, earning, hundreds, of, thousands, in, fraudulent, revenue, in, the, process.

Related posts:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign Continue reading →

Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign

December 23, 2016
There's no such thing as free porn, unless there are client-side, exploits, served.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, end, users, into, clicking, on, malware-serving, client-side, exploits, embedded, content, for, the, purpose, of, affecting, a, socially, engineered, user''s, host, further, monetizing, access, by, participating, in, a, rogue, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, malicious, URL, known, to, have, participated, in, the, campaign:
hxxp://jfkweb.chez.com/HytucztXRs.html? -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=6 -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=14 -> hxxp://meganxoxo.com - 74.222.13.2 - associated, name, servers: ns1.tube310.info; ns2.tube310.info - 74.222.13.24

Parked there (74.222.13.2) are also:
hxxp://e-leaderz.com - Email: seoproinc@gmail.com
hxxp://babes4you.info - 74.222.13.25
hxxp://tubexxxx.info
hxxp://my-daddy.info - 74.222.13.25

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://eroticahaeven.info
hxxp://freehotbabes.info
hxxp://freepornportal.info
hxxp://hot-babez.info
hxxp://sex-sexo.info
hxxp://tube310.info
hxxp://tube323.info

The exploitation structure is as follows:
hxxp://meganxoxo.com/xox/go.php?sid=6 -> hxxp://kibristkd.org.tr/hasan-ikizer/index01.php -> hxxp://fd1a234sa.com/js - 79.135.152.26 -> hxxp://asf356ydc.com/qual/index.php - CVE-2008-2992; CVE-2009-0927; CVE-2010-0886 -> hxxp://asf356ydc.com/qual/52472f502b9688d3326a32ed5ddd5d2c.js ->  hxxp://asf356ydc.com/qual/abe9c321312b206bffa798ef9d5b6a9b.php?uid=206369 -> hxxp://188.243.231.39/public/qual.jar ->  hxxp://asf356ydc.com/qual/load.php/0a3584217553d6fccbd74cfb73e954b6?forum=thread_id -> hxxp://asf356ydc.com/download/stat.php -> hxxp://asf356ydc.com/download/load/load.exe

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://jfkweb.chez.com/frank4.html - CVE-2010-0886
    - hxxp://jfkweb.chez.com/bud2.html
        - hxxp://jfkweb.chez.com/4.html
            - hxxp://wemhkr3t4z.com/qual/load/myexebr.exe
                - hxxp://asf356ydc.com/download/index.php
                    - hxxp://89.248.111.71/qual/load.php?forum=jxp&ql
                        - hxxp://asf356ydc.com/qual/index.php

Related, malicious, URls, known, to, have, participated, in, the, campaign:
hxxp://qual/10964108e3afab081ed1986cde437202.js
hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php?spn=2&uid=213393&
hxxp://qual/index.php?browser_version=6.0&uid=213393&browser=MSIE&spn=2

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://download/banner.php?spl=javat
hxxp://download/j1_ke.jar
hxxp://download/j2_93.jar

parked on 89.248.111.71, AS45001, Interdominios_ono Grupo Interdominios S.A.
wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
hxxp://alhatester.com/cp/file.exe - 204.11.56.48; 204.11.56.45; 8.5.1.46; 208.73.211.230; 208.73.211.247; 208.73.211.249; 208.73.211.246; 208.73.211.233; 208.73.211.238; 208.73.211.208

Known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs, are, also, the, following, malicious, MD5s:
MD5: 89fb419120d1443e86d37190c8f42ae8
MD5: 3194e6282b2e51ed4ef186ce6125ed73
MD5: 7f42da8b0f8542a55e5560e86c4df407
MD5: f8bdc841214ae680a755b2654995895e
MD5: ed8062e152ccbe14541d50210f035299

Once, executed, a, sample, malware (MD5: 89fb419120d1443e86d37190c8f42ae8), phones, back, to, the, following, C&C, server, IPs:
hxxp://gremser.eu
hxxp://bibliotecacenamec.org.ve
hxxp://fbpeintures.com
hxxp://postgil.com
hxxp://verum1.home.pl
hxxp://przedwislocze.internetdsl.pl
hxxp://iskurders.webkursu.net
hxxp://pennthaicafe.com.au
hxxp://motherengineering.com
hxxp://krupoonsak.com

Once, executed, a, sample, malware (MD5: 3194e6282b2e51ed4ef186ce6125ed73), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://get.enomenalco.club
hxxp://promos-back.peerdlgo.info
hxxp://get.cdzhugashvili.bid
hxxp://doap.ctagonallygran.bid
hxxp://get.gunnightmar.club
hxxp://huh.adowableunco.bid
hxxp://slibby.ineddramatiseo.bid

Once, executed, a, sample, malware (MD5: 7f42da8b0f8542a55e5560e86c4df407), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://acemoglusucuklari.com.tr
hxxp://a-bring.com
hxxp://tn69abi.com
hxxp://gim8.pl
hxxp://sso.anbtr.com

Once, executed, a, sample, malware (MD5: f8bdc841214ae680a755b2654995895e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.secdls.com
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com
hxxp://api.v2.sslsecure4.com
hxxp://api.v2.sslsecure5.com
hxxp://api.v2.sslsecure6.com
hxxp://api.v2.sslsecure7.com
hxxp://api.v2.sslsecure8.com

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://v00d00.org/nod32/grabber.exe - - 67.215.238.77; 67.215.255.139; 184.168.221.87

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (67.215.238.77):
MD5: 1233c86d3ab0081b69977dbc92f238d0

Known, to, have, responded, to, the, same, malicious, IPs, are, also, the, following, malicious, domains:
hxxp://blog.symantecservice37.com
hxxp://agoogle.in
hxxp://adv.antivirup.com
hxxp://cdind.antivirup.com

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://v00d00.org/nod32/update.php

Known, to, have, responded, to, the, same, malicious, IPs (67.215.255.139), are, also, the, following, malicious, domains:
hxxp://lenovoserve.trickip.net
hxxp://proxy.wikaba.com
hxxp://think.jkub.com
hxxp://upgrate.freeddns.com
hxxp://webproxy.sendsmtp.com
hxxp://yote.dellyou.com
hxxp://lostself.dyndns.info
hxxp://dellyou.com
hxxp://mtftp.freetcp.com
hxxp://ftp.adobe.acmetoy.com
hxxp://timeout.myvnc.com
hxxp://fashion.servehalflife.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (67.215.255.139):
MD5: e76aa56b5ba3474dda78bf31ebf1e6c0
MD5: 4de5540e450e3e18a057f95d20e3d6f6
MD5: 346a605c60557e22bf3f29a61df7cd21
MD5: ae9fefda2c6d39bc1cec36cdf6c1e6c4
MD5: da84f1d6c021b55b25ead22aae79f599

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (184.168.221.87), are, also, the, following, malicious, domains:
hxxp://teltrucking.com
hxxp://capecoraldining.org
hxxp://carsforsaletoronto.com
hxxp://joeyboca.com
hxxp://meeraamacids.com
hxxp://orangepotus.com
hxxp://palmerhardware.com
hxxp://railroadtohell.com

Related, malicious, MD5s, known, to, have, phoned, back, the, same, malicious, C&C, server, IPs (184.168.221.87):MD5: 037f8120323f2ddff3c806185512538c
MD5: 44f0e8fe53a3b489cb5204701fa1773d
MD5: 8a053e8d3e2eafc27be9738674d4d5b0
MD5: 9efc79cd75d23070735da219c331fe4d
MD5: ed81b9f1b72e31df1040ccaf9ed4393f

Once, executed, a, sample, malware (MD5: 037f8120323f2ddff3c806185512538c), phones, back, to, the, following, C&C, server, IPs:
hxxp://porno-kuba.net/emo/ld.php?v=1&rs=1819847107&n=1&uid=1

Once, executed, a, sample, malware, (MD5: 44f0e8fe53a3b489cb5204701fa1773d), phones, back, to, the, following, C&C, server, IPs:
hxxp://mhc.ir
hxxp://naphooclub.com
hxxp://mdesigner.ir
hxxp://nazarcafe.com
hxxp://meandlove.com
hxxp://nakhonsawangames.com
hxxp://mevlanacicek.com
hxxp://meeraprabhu.com
hxxp://micr.ae
hxxp://myhyderabadads.com
hxxp://cup-muangsuang.net

Sample, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://portinilwo.com/nhjq/n09230945.asp
    - hxxp://portinilwo.com/botpanel/sell2.jpg
        - hxxp://portinilwo.com/boty.dat
            - hxxp://91.188.60.161/botpanel/sell2.jpg
                - hxxp://91.188.60.161/botpanel/ip.php

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related, malicious, domains, known, to, have, participated, in, the, campaign:
asf356ydc.co
kaljv63s.com
sadkajt357.com

We'll, continue, monitoring, the, fraudulent, infrastructure, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

New Service Offerring Fake Documents on Demand Spotted in the Wild

December 21, 2016
In, a, cybercrime, ecosystem, dominated, by, multiple, underground, market, participants, and, hundreds, of, fraudulent, propositions, cybercriminals, continue, successfully, monetizing, access, to, malware-infected, hosts, for, the, purpose, of, earning, fraudulent, revenue, in, the, process, largely, relying, on, a, set, of, DIY (do-it-yourself), managed, cybercrime-friendly, services, successfully, monetizing, access, to, malware-infected, hosts, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

We've recently, intercepted, a, newly, launched, managed, on, demand, underground, market, type, of, service, proposition, offering, access, to, fake, documents, and, IDs, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, commiting, fraudulent, activities, while, earning, fraudulent, revenue, in, the, process, successfully, monetizing, access, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process.

In, this, post, we'll, profile, the, service, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.





















In, a, cybercrime, ecystem, populated, by, hundreds, of, fraudulent, propositions, cybercriminals, continue, actively, launching, managed, cybercrime-friendly, services, successfully, monetizing, access, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process. Largely, relying, on, a, diverse, set, of, tactics, techniques, and, procedures, cybercriminals, continue, successfully, launching, managed, cybercrime-friendly, services, successfully, empowering, novice, cybercriminals with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, earning, fraudulet, revenue, in, the, process, while, successfully, monetizing, access, to, malware-infected hosts, successfully, earning, fraudulent, revenue, in, the, process.

The, market, segment, for, fake, IDs, and, fake, documents, continues, flourishing, largely, thanks, to, a, diverse, set, of, underground, market, segment, cybercrime-friendly, managed, services, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, to, fruther, commit, cybercrime, while, earning, fraudulent, revenue, in, the, process, while, successfully, monetizing, access, to, malware-infected, hosts. In, a, market, segment, dominated, by, commiditized, underground, market, cybercrime-friendly, propositions, cybercriminals, continue, actively, populating, the, market, segment, for, fake, IDs, and, fake, documents, with, hundreds, of, fraudulent, propositions, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, to, further, commit, fraudulent, activity, while, earning, fraudulent, revenue, in, the, process.

We'll, continue, monitoring, the, market, segment, for, fake, documents, and, IDs, and, post, updates, as, soon, as, new, developments, take, place.

Related posts:
New Cybercrime-Friendly Service Offers Fake Documents and Bills on Demand
Cybercriminals Offer Fake/Fraudulent Press Documents Accreditation On Demand
Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards
Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment
Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly
A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports Continue reading →

New Mobile Malware Hits Google Play, Hundreds of Users Affected

September 24, 2016
We've, recently, intercepted, a, currently, circulating, malicious, campaign, affecting, hundreds, of, Google, Play, users, potentially, exposing, their, devices, to, a, multi-tide, of, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, their, devices. Largely, relying, on a, set, of, social, engineering, vectors, cybercriminals, continue, populating, Google, Play, with, hundreds, of, malicious, releases, successfully, bypassing, Google, Play's, security, mechanisms.

Thanks, to, a, vibrant, cybercrime, ecosystem, stolen, and, compromised, accounting, data, continues, to, represent, an, underground, market, commodity, successfully, empowering, novice, cybercriminals, with, the, necessary, tools, and, know-how, to, continue, launching, malicious, attacks. Largely, relying, on, a, set, of, social, engineering, vectors, cybercriminals, continue, to, successfully, compromise, and, take, advantage, of, stolen, publisher's, account, successfully, bypassing, Google, Play's, security, mechanisms, potentially, exposing, hundreds, of, thousands, of, users, to, a, multi-tude, of, malicious, software.

In, this, post, we'll, profile, the, campaign, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related malicious MD5s known to have participated in the campaign:
MD5: 3c4f56ebf48a0b47bffec547804d94f4
MD5: 8a81ef6673321bddc557c486bce2a025
MD5: 789cb05effb586bda98e87e71e340c39
MD5: 505e4d58c53d47245aa89c0fd7cded83
MD5: c7bb64012126e7f75feb5d021e755903

Once, executed, a, sample, malware (MD5: 3c4f56ebf48a0b47bffec547804d94f4), phones, back, to, the, following, C&C, server, IPs:
hxxp://art.hornymilfporna.com/g/getasite/
hxxp://art.hornymilfporna.com/z/orap/
hxxp://art.hornymilfporna.com/z/z2/
hxxp://art.hornymilfporna.com/z/z5/

Related malicious MD5s known to have phoned back to the same C&C server IP (art.hornymilfporna.com):
MD5: ee329ffcd6fe835bfdc0ec1a7f033584

Related malicious MD5s known to have phoned back to the same C&C server IP (hornymilfporna.com - 54.72.9.51; 104.27.188.20; 104.24.124.113):
MD5: d990fe6ed56e5f087dfc4c1ad09e2591
MD5: d129b79a68dd362714a4d35f9901c661
MD5: d74aab1f688c670c172c3767a17c4953
MD5: 5f8a4de87409b399d262bd0ae0a908d7
MD5: 189803a93cde9e0c401ac386c154328f

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server IPs:
hxxp://fullset.link
hxxp://allmodel-pro.com
hxxp://sso.anbtr.com
hxxp://xsso.allmodel-pro.com
hxxp://fullset.info
hxxp://groupmodel.biz

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
212.61.180.100
195.22.28.222
212.61.180.100
54.72.9.51

Once, executed, a, sample, malware (MD5: 8a81ef6673321bddc557c486bce2a025), phones, back, to, the, following, C&C, server, IPs:
hxxp://cinar.pussyteenx.com/g/getasite/ - 8.5.1.44; 46.45.168.84
hxxp://cinar.pussyteenx.com/z/orap/
hxxp://cinar.pussyteenx.com/z/z2/
hxxp://cinar.pussyteenx.com/z/z5/

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):
MD5: b9a2447a5b292566b4998c5d996f488b

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):
MD5: f8205b4b9ae5d8ac8bf7b3996a6be408
MD5: a73138a8275b68296bfcf0ed39b2665c
MD5: ff06679eb18932e31f8b05d92a48b4eb
MD5: 107993dce5417356d40279feb2be0017
MD5: d5ed564fd2f4c10e3a26df9342a09545

Once, executed, a, sample, malware (MD5: f8205b4b9ae5d8ac8bf7b3996a6be408), phones, back, to, the, following, C&C, server, IPs:
hxxp://englishmeasure.net
hxxp://eitherdinner.net
hxxp://englishdinner.net
hxxp://eitherafraid.net
hxxp://englishafraid.net
hxxp://eithercircle.net
hxxp://englishcircle.net
hxxp://expectwheat.net
hxxp://becausewheat.net
hxxp://expectanger.net
hxxp://becauseanger.net
hxxp://expectalways.net
hxxp://becausealways.net
hxxp://expectforest.net
hxxp://becauseforest.net
hxxp://personwheat.net
hxxp://machinewheat.net
hxxp://personanger.net
hxxp://machineanger.net
hxxp://personalways.net
hxxp://machinealways.net
hxxp://personforest.net
hxxp://machineforest.net
hxxp://suddenwheat.net
hxxp://foreignwheat.net
hxxp://suddenanger.net
hxxp://foreignanger.net
hxxp://suddenalways.net
hxxp://foreignalways.net
hxxp://suddenforest.net
hxxp://foreignforest.net
hxxp://whetherwheat.net
hxxp://rightwheat.net
hxxp://whetheranger.net
hxxp://rightanger.net
hxxp://whetheralways.net
hxxp://rightalways.net
hxxp://whetherforest.net
hxxp://rightforest.net
hxxp://figurewheat.net
hxxp://thoughwheat.net
hxxp://figureanger.net
hxxp://thoughanger.net
hxxp://figurealways.net
hxxp://thoughalways.net
hxxp://figureforest.net
hxxp://thoughforest.net
hxxp://picturewheat.net
hxxp://cigarettewheat.net
hxxp://pictureanger.net
hxxp://cigaretteanger.net
hxxp://picturealways.net
hxxp://cigarettealways.net
hxxp://pictureforest.net
hxxp://cigaretteforest.net
hxxp://childrenwheat.net
hxxp://familywheat.net
hxxp://childrenanger.net
hxxp://familyanger.net
hxxp://childrenalways.net
hxxp://familyalways.net
hxxp://childrenforest.net
hxxp://familyforest.net
hxxp://eitherwheat.net
hxxp://englishwheat.net
hxxp://eitheranger.net
hxxp://englishanger.net
hxxp://eitheralways.net
hxxp://englishalways.net
hxxp://eitherforest.net
hxxp://englishforest.net
hxxp://expectschool.net
hxxp://becauseschool.net
hxxp://expectwhile.net
hxxp://becausewhile.net
hxxp://expectquestion.net
hxxp://becausequestion.net
hxxp://expecttherefore.net
hxxp://becausetherefore.net
hxxp://personschool.net
hxxp://machineschool.net
hxxp://personwhile.net
hxxp://machinewhile.net
hxxp://personquestion.net
hxxp://machinequestion.net

Once, executed, a, sample, malware (MD5: a73138a8275b68296bfcf0ed39b2665c), phones, back, to, the, following, C&C, server, IPs:
hxxp://figurefather.net
hxxp://thoughfather.net
hxxp://figureapple.net
hxxp://thoughapple.net
hxxp://figurebuilt.net
hxxp://thoughbuilt.net
hxxp://figurecarry.net
hxxp://thoughcarry.net
hxxp://picturefather.net
hxxp://cigarettefather.net
hxxp://pictureapple.net
hxxp://cigaretteapple.net
hxxp://picturebuilt.net
hxxp://cigarettebuilt.net
hxxp://picturecarry.net
hxxp://cigarettecarry.net
hxxp://childrenfather.net
hxxp://familyfather.net
hxxp://childrenapple.net
hxxp://familyapple.net
hxxp://childrenbuilt.net
hxxp://familybuilt.net
hxxp://childrencarry.net
hxxp://familycarry.net
hxxp://eitherfather.net
hxxp://englishfather.net
hxxp://eitherapple.net
hxxp://englishapple.net
hxxp://eitherbuilt.net
hxxp://englishbuilt.net
hxxp://eithercarry.net
hxxp://englishcarry.net
hxxp://expectmeasure.net
hxxp://becausemeasure.net
hxxp://expectdinner.net
hxxp://becausedinner.net
hxxp://expectafraid.net
hxxp://becauseafraid.net
hxxp://expectcircle.net
hxxp://becausecircle.net
hxxp://personmeasure.net
hxxp://machinemeasure.net
hxxp://persondinner.net
hxxp://machinedinner.net
hxxp://personafraid.net
hxxp://machineafraid.net
hxxp://personcircle.net
hxxp://machinecircle.net
hxxp://suddenmeasure.net
hxxp://foreignmeasure.net
hxxp://suddendinner.net
hxxp://foreigndinner.net
hxxp://suddenafraid.net
hxxp://foreignafraid.net
hxxp://suddencircle.net
hxxp://foreigncircle.net
hxxp://whethermeasure.net
hxxp://rightmeasure.net
hxxp://whetherdinner.net
hxxp://rightdinner.net
hxxp://whetherafraid.net
hxxp://rightafraid.net
hxxp://whethercircle.net
hxxp://rightcircle.net
hxxp://figuremeasure.net
hxxp://thoughmeasure.net
hxxp://figuredinner.net
hxxp://thoughdinner.net
hxxp://figureafraid.net
hxxp://thoughafraid.net
hxxp://figurecircle.net
hxxp://thoughcircle.net
hxxp://picturemeasure.net
hxxp://cigarettemeasure.net
hxxp://picturedinner.net
hxxp://cigarettedinner.net
hxxp://pictureafraid.net
hxxp://cigaretteafraid.net
hxxp://picturecircle.net
hxxp://cigarettecircle.net
hxxp://childrenmeasure.net
hxxp://familymeasure.net
hxxp://childrendinner.net
hxxp://familydinner.net
hxxp://childrenafraid.net
hxxp://familyafraid.net
hxxp://childrencircle.net
hxxp://familycircle.net
hxxp://eithermeasure.net
hxxp://englishmeasure.net
hxxp://eitherdinner.net
hxxp://englishdinner.net
hxxp://eitherafraid.net
hxxp://englishafraid.net
hxxp://eithercircle.net
hxxp://englishcircle.net
hxxp://expectwheat.net
hxxp://becausewheat.net
hxxp://expectanger.net
hxxp://becauseanger.net
hxxp://expectalways.net
hxxp://becausealways.net
hxxp://expectforest.net
hxxp://becauseforest.net
hxxp://personwheat.net
hxxp://machinewheat.net
hxxp://personanger.net
hxxp://machineanger.net
hxxp://personalways.net
hxxp://machinealways.net
hxxp://personforest.net
hxxp://machineforest.net
hxxp://suddenwheat.net
hxxp://foreignwheat.net
hxxp://suddenanger.net
hxxp://foreignanger.net
hxxp://suddenalways.net
hxxp://foreignalways.net
hxxp://suddenforest.net
hxxp://foreignforest.net
hxxp://whetherwheat.net
hxxp://rightwheat.net
hxxp://whetheranger.net
hxxp://rightanger.net
hxxp://whetheralways.net
hxxp://rightalways.net
hxxp://whetherforest.net
hxxp://rightforest.net
hxxp://figurewheat.net
hxxp://thoughwheat.net
hxxp://figureanger.net

Once, executed, a, sample, malware, phones, back, to the, following, C&C, server, IPs:
hxxp://195.22.28.197
hxxp://195.22.28.199
hxxp://184.168.221.55
hxxp://208.100.26.234
hxxp://184.168.221.35
hxxp://98.124.243.42
hxxp://208.100.26.234
hxxp://184.168.221.104
hxxp://173.236.80.218
hxxp://195.22.26.248
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://8.5.1.44
hxxp://98.130.238.135

Once, executed, a, sample, malware (MD5: ff06679eb18932e31f8b05d92a48b4eb), phones, back, to, the, following, C&C, server, IPs:
hxxp://strengthbecame.net
hxxp://stillbecame.net
hxxp://strengthcontain.net
hxxp://stillcontain.net
hxxp://strengthbasket.net
hxxp://stillbasket.net
hxxp://movementsettle.net
hxxp://outsidesettle.net
hxxp://movementlanguage.net
hxxp://outsidelanguage.net
hxxp://movementdevice.net
hxxp://outsidedevice.net
hxxp://movementbefore.net
hxxp://outsidebefore.net
hxxp://buildingsettle.net
hxxp://eveningsettle.net
hxxp://buildinglanguage.net
hxxp://eveninglanguage.net
hxxp://buildingdevice.net
hxxp://eveningdevice.net
hxxp://buildingbefore.net
hxxp://eveningbefore.net
hxxp://storesettle.net
hxxp://mightsettle.net
hxxp://storelanguage.net
hxxp://mightlanguage.net
hxxp://storedevice.net
hxxp://mightdevice.net
hxxp://storebefore.net
hxxp://mightbefore.net
hxxp://doctorsettle.net
hxxp://prettysettle.net
hxxp://doctorlanguage.net
hxxp://prettylanguage.net
hxxp://doctordevice.net
hxxp://prettydevice.net
hxxp://doctorbefore.net
hxxp://prettybefore.net
hxxp://fellowsettle.net
hxxp://doublesettle.net
hxxp://fellowlanguage.net
hxxp://doublelanguage.net
hxxp://fellowdevice.net
hxxp://doubledevice.net
hxxp://fellowbefore.net
hxxp://doublebefore.net
hxxp://brokensettle.net
hxxp://resultsettle.net
hxxp://brokenlanguage.net
hxxp://resultlanguage.net
hxxp://brokendevice.net
hxxp://resultdevice.net
hxxp://brokenbefore.net
hxxp://resultbefore.net
hxxp://preparesettle.net
hxxp://desiresettle.net
hxxp://preparelanguage.net
hxxp://desirelanguage.net
hxxp://preparedevice.net
hxxp://desiredevice.net
hxxp://preparebefore.net
hxxp://desirebefore.net
hxxp://strengthsettle.net
hxxp://stillsettle.net
hxxp://strengthlanguage.net
hxxp://stilllanguage.net
hxxp://strengthdevice.net
hxxp://stilldevice.net
hxxp://strengthbefore.net
hxxp://stillbefore.net
hxxp://movementfound.net
hxxp://outsidefound.net
hxxp://movementspring.net
hxxp://outsidespring.net
hxxp://movementsuccess.net
hxxp://outsidesuccess.net
hxxp://movementbanker.net
hxxp://outsidebanker.net
hxxp://buildingfound.net
hxxp://eveningfound.net
hxxp://buildingspring.net
hxxp://eveningspring.net
hxxp://buildingsuccess.net
hxxp://eveningsuccess.net
hxxp://buildingbanker.net
hxxp://eveningbanker.net
hxxp://storefound.net
hxxp://mightfound.net
hxxp://storespring.net
hxxp://mightspring.net
hxxp://storesuccess.net
hxxp://mightsuccess.net
hxxp://storebanker.net
hxxp://mightbanker.net
hxxp://doctorfound.net
hxxp://prettyfound.net
hxxp://doctorspring.net
hxxp://prettyspring.net
hxxp://doctorsuccess.net
hxxp://prettysuccess.net
hxxp://doctorbanker.net
hxxp://prettybanker.net
hxxp://fellowfound.net
hxxp://doublefound.net
hxxp://fellowspring.net
hxxp://doublespring.net
hxxp://fellowsuccess.net
hxxp://doublesuccess.net
hxxp://fellowbanker.net
hxxp://doublebanker.net
hxxp://brokenfound.net
hxxp://resultfound.net
hxxp://brokenspring.net
hxxp://resultspring.net
hxxp://brokensuccess.net
hxxp://resultsuccess.net
hxxp://brokenbanker.net
hxxp://resultbanker.net
hxxp://preparefound.net
hxxp://desirefound.net
hxxp://preparespring.net
hxxp://desirespring.net
hxxp://preparesuccess.net
hxxp://desiresuccess.net
hxxp://preparebanker.net
hxxp://desirebanker.net
hxxp://strengthfound.net
hxxp://stillfound.net
hxxp://strengthspring.net
hxxp://stillspring.net
hxxp://strengthsuccess.net
hxxp://stillsuccess.net
hxxp://strengthbanker.net
hxxp://stillbanker.net
hxxp://movementairplane.net
hxxp://outsideairplane.net
hxxp://movementstraight.net
hxxp://outsidestraight.net
hxxp://movementguard.net
hxxp://outsideguard.net
hxxp://movementfence.net
hxxp://outsidefence.net
hxxp://buildingairplane.net
hxxp://eveningairplane.net
hxxp://buildingstraight.net
hxxp://eveningstraight.net
hxxp://buildingguard.net
hxxp://eveningguard.net
hxxp://buildingfence.net
hxxp://eveningfence.net
hxxp://storeairplane.net
hxxp://mightairplane.net
hxxp://storestraight.net
hxxp://mightstraight.net
hxxp://storeguard.net
hxxp://mightguard.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://98.124.243.39
hxxp://195.22.28.198
hxxp://216.239.34.21
hxxp://208.100.26.234
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://50.63.202.6
hxxp://54.207.35.233
hxxp://8.5.1.44
hxxp://74.208.236.66
hxxp://81.21.76.62
hxxp://50.63.202.55
hxxp://208.91.197.25
hxxp://5.2.189.251
hxxp://195.22.28.198

Once, executed, a, sample, malware (MD5: 107993dce5417356d40279feb2be0017), phones, back, to, the, following, C&C, server, IPs:
hxxp://movementindustry.net
hxxp://outsideindustry.net
hxxp://movementbecame.net
hxxp://outsidebecame.net
hxxp://movementcontain.net
hxxp://outsidecontain.net
hxxp://movementbasket.net
hxxp://outsidebasket.net
hxxp://buildingindustry.net
hxxp://eveningindustry.net
hxxp://buildingbecame.net
hxxp://eveningbecame.net
hxxp://buildingcontain.net
hxxp://eveningcontain.net
hxxp://buildingbasket.net
hxxp://eveningbasket.net
hxxp://storeindustry.net
hxxp://mightindustry.net
hxxp://storebecame.net
hxxp://mightbecame.net
hxxp://storecontain.net
hxxp://mightcontain.net
hxxp://storebasket.net
hxxp://mightbasket.net
hxxp://doctorindustry.net
hxxp://prettyindustry.net
hxxp://doctorbecame.net
hxxp://prettybecame.net
hxxp://doctorcontain.net
hxxp://prettycontain.net
hxxp://doctorbasket.net
hxxp://prettybasket.net
hxxp://fellowindustry.net
hxxp://doubleindustry.net
hxxp://fellowbecame.net
hxxp://doublebecame.net
hxxp://fellowcontain.net
hxxp://doublecontain.net
hxxp://fellowbasket.net
hxxp://doublebasket.net
hxxp://brokenindustry.net
hxxp://resultindustry.net
hxxp://brokenbecame.net
hxxp://resultbecame.net
hxxp://brokencontain.net
hxxp://resultcontain.net
hxxp://brokenbasket.net
hxxp://resultbasket.net
hxxp://prepareindustry.net
hxxp://desireindustry.net
hxxp://preparebecame.net
hxxp://desirebecame.net
hxxp://preparecontain.net
hxxp://desirecontain.net
hxxp://preparebasket.net
hxxp://desirebasket.net
hxxp://strengthindustry.net
hxxp://stillindustry.net
hxxp://strengthbecame.net
hxxp://stillbecame.net
hxxp://strengthcontain.net
hxxp://stillcontain.net
hxxp://strengthbasket.net
hxxp://stillbasket.net
hxxp://movementsettle.net
hxxp://outsidesettle.net
hxxp://movementlanguage.net
hxxp://outsidelanguage.net
hxxp://movementdevice.net
hxxp://outsidedevice.net
hxxp://movementbefore.net
hxxp://outsidebefore.net
hxxp://buildingsettle.net
hxxp://eveningsettle.net
hxxp://buildinglanguage.net
hxxp://eveninglanguage.net
hxxp://buildingdevice.net
hxxp://eveningdevice.net
hxxp://buildingbefore.net
hxxp://eveningbefore.net
hxxp://storesettle.net
hxxp://mightsettle.net
hxxp://storelanguage.net
hxxp://mightlanguage.net
hxxp://storedevice.net
hxxp://mightdevice.net
hxxp://storebefore.net
hxxp://mightbefore.net
hxxp://doctorsettle.net
hxxp://prettysettle.net
hxxp://doctorlanguage.net
hxxp://prettylanguage.net
hxxp://doctordevice.net
hxxp://prettydevice.net
hxxp://doctorbefore.net
hxxp://prettybefore.net
fhxxp://ellowsettle.net
hxxp://doublesettle.net
hxxp://fellowlanguage.net
hxxp://doublelanguage.net
fhxxp://ellowdevice.net
hxxp://doubledevice.net
hxxp://fellowbefore.net
hxxp://doublebefore.net
hxxp://brokensettle.net
hxxp://resultsettle.net
hxxp://brokenlanguage.net
hxxp://resultlanguage.net
hxxp://brokendevice.net
hxxp://resultdevice.net
hxxp://brokenbefore.net
hxxp://resultbefore.net
hxxp://preparesettle.net
hxxp://desiresettle.net
hxxp://preparelanguage.net
hxxp://desirelanguage.net
hxxp://preparedevice.net
hxxp://desiredevice.net
hxxp://preparebefore.net
hxxp://desirebefore.net
hxxp://strengthsettle.net
hxxp://stillsettle.net
hxxp://strengthlanguage.net
hxxp://stilllanguage.net
hxxp://strengthdevice.net
hxxp://stilldevice.net
hxxp://strengthbefore.net
hxxp://stillbefore.net
hxxp://movementfound.net
hxxp://outsidefound.net
hxxp://movementspring.net
hxxp://outsidespring.net
hxxp://movementsuccess.net
hxxp://outsidesuccess.net
hxxp://movementbanker.net
hxxp://outsidebanker.net
hxxp://buildingfound.net
hxxp://eveningfound.net
hxxp://buildingspring.net
hxxp://eveningspring.net
hxxp://buildingsuccess.net
hxxp://eveningsuccess.net
hxxp://buildingbanker.net
hxxp://eveningbanker.net
hxxp://storefound.net
hxxp://mightfound.net
hxxp://storespring.net
hxxp://mightspring.net
hxxp://storesuccess.net
hxxp://mightsuccess.net
hxxp://storebanker.net
hxxp://mightbanker.net
hxxp://doctorfound.net
hxxp://prettyfound.net
hxxp://doctorspring.net
hxxp://prettyspring.net
hxxp://doctorsuccess.net
hxxp://prettysuccess.net
hxxp://doctorbanker.net
hxxp://prettybanker.net
hxxp://fellowfound.net
hxxp://doublefound.net
hxxp://fellowspring.net
hxxp://doublespring.net
hxxp://fellowsuccess.net
hxxp://doublesuccess.net
hxxp://fellowbanker.net
hxxp://doublebanker.net
hxxp://brokenfound.net
hxxp://resultfound.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://207.148.248.143
hxxp://50.63.202.56
hxxp://208.100.26.234
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://98.124.243.39
hxxp://195.22.28.199
hxxp://216.239.32.21
hxxp://208.100.26.234
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://50.63.202.6
hxxp://54.207.35.233
hxxp://8.5.1.44
hxxp://74.208.236.66

Once, executed, a, sample, malware (MD5: d5ed564fd2f4c10e3a26df9342a09545), phones, back, to, the, following, C&C, server, IPs:
hxxp://desiredress.net
hxxp://strengthcatch.net
hxxp://stillcatch.net
hxxp://strengtheearly.net
hxxp://stilleearly.net
hxxp://strengthpublic.net
hxxp://stillpublic.net
hxxp://strengthdress.net
hxxp://stilldress.net
hxxp://expectlength.net
hxxp://becauselength.net
hxxp://expectnotice.net
hxxp://becausenotice.net
hxxp://expectindeed.net
hxxp://becauseindeed.net
hxxp://expectduring.net
hxxp://becauseduring.net
hxxp://personlength.net
hxxp://machinelength.net
hxxp://personnotice.net
hxxp://machinenotice.net
hxxp://personindeed.net
hxxp://machineindeed.net
hxxp://personduring.net
hxxp://machineduring.net
hxxp://suddenlength.net
hxxp://foreignlength.net
hxxp://suddennotice.net
hxxp://foreignnotice.net
hxxp://suddenindeed.net
hxxp://foreignindeed.net
hxxp://suddenduring.net
hxxp://foreignduring.net
hxxp://whetherlength.net
hxxp://rightlength.net
hxxp://whethernotice.net
hxxp://rightnotice.net
hxxp://whetherindeed.net
hxxp://rightindeed.net
hxxp://whetherduring.net
hxxp://rightduring.net
hxxp://figurelength.net
hxxp://thoughlength.net
hxxp://figurenotice.net
hxxp://thoughnotice.net
hxxp://figureindeed.net
hxxp://thoughindeed.net
hxxp://figureduring.net
hxxp://thoughduring.net
hxxp://picturelength.net
hxxp://cigarettelength.net
hxxp://picturenotice.net
hxxp://cigarettenotice.net
hxxp://pictureindeed.net
hxxp://cigaretteindeed.net
hxxp://pictureduring.net
hxxp://cigaretteduring.net
hxxp://childrenlength.net
hxxp://familylength.net
hxxp://childrennotice.net
hxxp://familynotice.net
hxxp://childrenindeed.net
hxxp://familyindeed.net
hxxp://childrenduring.net
hxxp://familyduring.net
hxxp://eitherlength.net
hxxp://englishlength.net
hxxp://eithernotice.net
hxxp://englishnotice.net
hxxp://eitherindeed.net
hxxp://englishindeed.net
hxxp://eitherduring.net
hxxp://englishduring.net
hxxp://expectclear.net
hxxp://becauseclear.net
hxxp://expectgeneral.net
hxxp://becausegeneral.net
hxxp://expectinclude.net
hxxp://becauseinclude.net
hxxp://expectnorth.net
hxxp://becausenorth.net
hxxp://personclear.net
hxxp://machineclear.net
hxxp://persongeneral.net
hxxp://machinegeneral.net
hxxp://personinclude.net
hxxp://machineinclude.net
hxxp://personnorth.net
hxxp://machinenorth.net
hxxp://suddenclear.net
hxxp://foreignclear.net
hxxp://suddengeneral.net
hxxp://foreigngeneral.net
hxxp://suddeninclude.net
hxxp://foreigninclude.net
hxxp://suddennorth.net
hxxp://foreignnorth.net
hxxp://whetherclear.net
hxxp://rightclear.net
hxxp://whethergeneral.net
hxxp://rightgeneral.net
hxxp://whetherinclude.net
hxxp://rightinclude.net
hxxp://whethernorth.net
hxxp://rightnorth.net
hxxp://figureclear.net
hxxp://thoughclear.net
hxxp://figuregeneral.net
hxxp://thoughgeneral.net
hxxp://figureinclude.net
hxxp://thoughinclude.net
hxxp://figurenorth.net
hxxp://thoughnorth.net
hxxp://pictureclear.net
hxxp://cigaretteclear.net
hxxp://picturegeneral.net
hxxp://cigarettegeneral.net
hxxp://pictureinclude.net
hxxp://cigaretteinclude.net
hxxp://picturenorth.net
hxxp://cigarettenorth.net
hxxp://childrenclear.net
hxxp://familyclear.net
hxxp://childrengeneral.net
hxxp://familygeneral.net
hxxp://childreninclude.net
hxxp://familyinclude.net
hxxp://childrennorth.net
hxxp://familynorth.net
hxxp://eitherclear.net
hxxp://englishclear.net
hxxp://eithergeneral.net
hxxp://englishgeneral.net
hxxp://eitherinclude.net
hxxp://englishinclude.net
hxxp://eithernorth.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://8.5.1.44
hxxp://208.100.26.234
hxxp://195.22.28.199
hxxp://162.255.119.249
hxxp://208.100.26.234
hxxp://98.124.243.44

Once, executed, a, sample, malware (MD5: 789cb05effb586bda98e87e71e340c39), phones, back, to, the, following, C&C, server, IPs:
hxxp://diyar.collegegirlteen.com/g/getasite/ - 46.45.168.84
hxxp://diyar.collegegirlteen.com/z/orap/
hxxp://diyar.collegegirlteen.com/z/z2/
hxxp://diyar.collegegirlteen.com/z/z5/

Related, malicious, MD5s, known, to, have, phoned, back, to, the, following, C&C, server, IPs:
MD5: acd62483446c7ed057f312784bfddd61

Once, executed, a, sample, malware (MD5: 505e4d58c53d47245aa89c0fd7cded83), phones, back, to, the, following, C&C, server, IPs:
hxxp://van.cowteen.com/g/getasite/ - 46.45.168.84
hxxp://van.cowteen.com/z/orap/
hxxp://van.cowteen.com/z/z2/
hxxp://van.cowteen.com/z/z5/

Related. malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP:
MD5: 13f2e7b3141b84666e0209e140663ef2

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://w.bestmobile.mobi/ - 104.31.66.169; 104.31.67.169; 104.28.0.226; 104.28.1.226

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs:
MD5: 92bd8e7e58816bcb14f9dcbf839178ca
MD5: 1ee44596b174edb55c4bc497c1fe5f34
MD5: 443f732e406b3d96e53184917525e14a
MD5: a24fad894881b746c48420b019a225cf
MD5: 7c8a8f96c5b31e6ccae936ddc5226c91

Once, executed, a, sample, malware (MD5: a24fad894881b746c48420b019a225cf), phones, back, to, the, following, C&C, server, IPs:
hxxp://au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210
hxxp://au.umeng.com/api/check_app_update - 140.205.134.243; 140.205.170.6; 140.205.250.51; 140.205.230.45; 140.205.155.238; 110.173.196.195; 211.151.151.6; 211.151.139.210;
211.151.139.211

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP (au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210):
MD5: 65a6f1e29b09ba7caa98a9763593aedb
MD5: 102111b9024b71f6ab584d22abdbc589
MD5: 9ad137e51a5b6b2288c774a74a7e80da
MD5: a70595e99b3471216404400b736eaf7c
MD5: 3d3360250c96dff33e177121113b5a3f

Once, executed, a, sample, malware, phones, back, to, the, same, C&C, server, IPs:
hxxp://211.139.191.223
hxxp://221.179.35.113

Once, executed, a, sample, malware, phones, back, to, the, same, C&C, server, IPs:
hxxp://115.28.174.189/hft/rq.php

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs:
MD5: c0464c5193dec0980a07fa2e50deffb1

We'll, continue, monitoring, the, market, segment, for, mobile, malware, and, post, updates, as, soon, as, new, developments, take, place.
Continue reading →
Subscribe to: Comments (Atom)