Historical OSINT - Massive Scareware Dropping Campaign Spotted in the Wild

It's 2008 and I've recently spotted a currently circulating malicious and fraudulent scareware-serving malicious domain portfolio which I'll expose in this post with the idea to share actionable threat intelligence with the security community further exposing and undermining the cybercrime ecosystem the way we know it potentially empowering security researchers and third-party vendors with the necessary data to stay ahead of current and emerging threats.

Related malicious domains known to have participated in the campaign:
hxxp://50virus-scanner.com
hxxp://700virus-scanner.com
hxxp://antivirus-test66.com
hxxp://antivirus200scanner.com
hxxp://antivirus600scanner.com
hxxp://antivirus800scanner.com
hxxp://antivirus900scanner.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://inetproscan031.com
hxxp://internet-scan020.com
hxxp://novirus-scan00.com
hxxp://stopvirus-scan11.com
hxxp://stopvirus-scan13.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan33.com
hxxp://virus66scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://antivirus-scan200.com
hxxp://antispy-scan200.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://antivirus-scan400.com
hxxp://antispy-scan400.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://antivirus-scan600.com
hxxp://antispy-scan600.com
hxxp://antivirus-scan700.com
hxxp://antispy-scan700.com
hxxp://av-scanner700.com
hxxp://antispy-scan800.com
hxxp://antivirus-scan900.com
hxxp://novirus-scan00.com
hxxp://stop-virus-010.com
hxxp://spywarescan010.com
hxxp://antispywarehelp010.com
hxxp://internet-scan020.com
hxxp://internet-scanner020.com
hxxp://insight-scan20.com
hxxp://internet-scanner030.com
hxxp://stop-virus-040.com
hxxp://internet-scan040.com
hxxp://insight-scan40.com
hxxp://internet-scan050.com
hxxp://internet-scanner050.com
hxxp://insight-scan60.com
hxxp://stop-virus-070.com
hxxp://internet-scan070.com
hxxp://internet-scanner070.com
hxxp://insight-scan80.com
hxxp://stop-virus-090.com
hxxp://internet-scan090.com
hxxp://internet-scanner090.com
hxxp://insight-scan90.com
hxxp://antispywarehelpk0.com
hxxp://inetproscan001.com
hxxp://novirus-scan01.com
hxxp://spyware-stop01.com
hxxp://antivirus-inet01.com
hxxp://stopvirus-scan11.com
hxxp://inetproscan031.com
hxxp://novirus-scan31.com
hxxp://antivirus-inet31.com
hxxp://novirus-scan41.com
hxxp://antivirus-inet41.com
hxxp://antivirus-inet51.com
hxxp://inetproscan061.com
hxxp://novirus-scan61.com
hxxp://inetproscan081.com
hxxp://novirus-scan81.com
hxxp://inetproscan091.com
hxxp://spyware-stopb1.com
hxxp://spyware-stopm1.com
hxxp://spyware-stopn1.com
hxxp://spyware-stopz1.com
hxxp://antispywarehelp002.com
hxxp://antispywarehelp022.com
hxxp://novirus-scan22.com
hxxp://antispywarehelpk2.com
hxxp://insight-scanner2.com
hxxp://spywarescan013.com
hxxp://stopvirus-scan13.com
hxxp://novirus-scan33.com
hxxp://stopvirus-scan33.com
hxxp://antispywarehelp004.com
hxxp://antispywarehelpk4.com
hxxp://spywarescan015.com
hxxp://novirus-scan55.com
hxxp://insight-scanner5.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan66.com
hxxp://antispywarehelpk6.com
hxxp://spywarescan017.com
hxxp://insight-scanner7.com
hxxp://antispywarehelp008.com
hxxp://spywarescan018.com
hxxp://stopvirus-scan18.com
hxxp://novirus-scan88.com
hxxp://stopvirus-scan88.com
hxxp://antivirus-test88.com
hxxp://antispywarehelpk8.com
hxxp://insight-scanner8.com
hxxp://insight-scanner9.com
hxxp://10scanantispyware.com
hxxp://20scanantispyware.com
hxxp://30scanantispyware.com
hxxp://60scanantispyware.com
hxxp://80scanantispyware.com
hxxp://2scanantispyware.com
hxxp://3scanantispyware.com
hxxp://5scanantispyware.com
hxxp://7scanantispyware.com
hxxp://8scanantispyware.com
hxxp://spyware200scan.com
hxxp://spyware500scan.com
hxxp://spyware800scan.com
hxxp://spyware880scan.com
hxxp://50virus-scanner.com
hxxp://90virus-scanner.com
hxxp://antivirus900scanner.com
hxxp://antivirus10scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://net001antivirus.com
hxxp://net011antivirus.com
hxxp://net111antivirus.com
hxxp://net021antivirus.com
hxxp://net-02antivirus.com
hxxp://net222antivirus.com
hxxp://net-04antivirus.com
hxxp://net-05antivirus.com
hxxp://net-07antivirus.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

HIstorical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang actively serving fake security software also known as scareware to a variety of users with the majority of malicious software conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP successfully hosting a diverse portfolio of fake security software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Sample malware known to have participated in the campaign:
installer.1.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; Mal/FakeAV-CQ - Result: 9/40 (22.50%)

Related malicious phone back C&C server IPs:
hxxp://av-plusonline.org/install/avplus.dll
hxxp://av-plusonline.org/cb/real.php?id=

Related malicious MD5s known to have participated in the campaign:
avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Result: 6/39 (15.39%)

It's gets even more interesting as hxxp://fast-payments.com - 91.188.59.27 is parked within Koobface botnet's 1.0 phone back locations (hxxp://urodinam.net) and is also hosted within the same netblock at 91.188.59.10.

Sample related malicious URLs known to have participated in the campaign:
hxxp://urodinam.net/33t.php?stime=125558
- hxxp://91.188.59.10/opa.exe -MD5: d4aacc8d01487285be564cbd3a4abc76 - Downloader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25%)

Once executed a sample malware phones back to the following malicious C&C server IPs:
hxxp://aburvalg.com/new1.php - 64.27.0.237
- hxxp://fucking-tube.net

The following domains use it as a name server:
hxxp://ns1.addedantivirus.com

Related malicius domains known to have responded to the same malicious name server:
hxxp://antiviralpluss.org
hxxp://antivirspluss.org
hxxp://avonlinescanerr.org
hxxp://online-scannerr.org
hxxp://onlinescanerr.org
hxxp://onlinescannerr.org
hxxp://pretection-page.org
hxxp://sys-mesage.org
hxxp://av-plus-online.org
hxxp://av-plusonline.org
hxxp://avplus-online.org
hxxp://avplusonline.org
hxxp://avplussonline.org
hxxp://protecmesages.org
hxxp://protect-mesagess.org
hxxp://protectmesages.org
hxxp://protectmesagess.org
hxxp://protectmessages.org
hxxp://avplus24support.com
hxxp://searchwebway4.com
hxxp://searchwebway5.com
hxxp://searchwebway10.com
hxxp://searchwebway9.com
hxxp://searchwebway6.com

Related malicious URLs known to have participated in the campaign:
hxxp://avplus-online.org/buy.php?id=
- hxxp://fast-payments.com/index.php?prodid=antivirplus_02_01&afid=

Related malicious domains known to have participated in the campaign:
hxxp://antiviruspluss.org
hxxp://avplusscanner.org
hxxp://protection-messag.org
hxxp://antivirs-pluss.org
hxxp://antiviru-pluss.org
hxxp://antivirus-p1uss.org
hxxp://protection-mesage.org
hxxp://sysstem-mesage.org
hxxp://system-message.org
hxxp://antiviral-pluss.org
hxxp://av-onlinescanner.org
hxxp://avonlinescanner.org
hxxp://avonlinescannerr.org
hxxp://avp-scanner.org
hxxp://avp-scannerr.org
hxxp://avp-sscaner.org
hxxp://avp-sscannerr.org
hxxp://avplscaner-online.org
hxxp://avplscanerr-online.org
hxxp://avplsscannerr.org
hxxp://avplus-scanerr.org
hxxp://online-protection.org
hxxp://antivirupluss.org
hxxp://syssmessage.org
hxxp://avonlinescanerr.org
hxxp://online-scannerr.org
hxxp://onlinescanerr.org
hxxp://onlinescannerr.org
hxxp://av-scanally.org
hxxp://av-scaner-online.org
hxxp://av-scaner-online3k.org
hxxp://av-scaner-onlineband.org
hxxp://av-scaner-onlinebody.org
hxxp://av-scaner-onlinebuzz.org
hxxp://av-scaner-onlinecabin.org
hxxp://av-scaner-onlinecrest.org
hxxp://av-scaner-onlinefolk.org
hxxp://av-scaner-onlineplan.org
hxxp://av-scaner-onlinesite.org
hxxp://iav-scaner-online.org
hxxp://netav-scaner-online.org
hxxp://techav-scaner-online.org
hxxp://antivirspluss.org
hxxp://sys-mesage.org
hxxp://antiviralpluss.org
hxxp://pretection-page.org
hxxp://av-scaner-onlinefairy.org
hxxp://av-scaner-onlinegrinder.org
hxxp://av-scaner-onlinehistory.org
hxxp://av-scaner-onlineicity.org
hxxp://av-scaner-onlinemachine.org
hxxp://av-scaner-onlinepeople.org
hxxp://av-scaner-onlineretort.org
hxxp://av-scaner-onlinereview.org
hxxp://av-scaner-onlinetopia.org
hxxp://directav-scaner-online.org
hxxp://expertav-scaner-online.org
hxxp://orderav-scaner-online.org
hxxp://speedyav-scaner-online.org
hxxp://thriftyav-scaner-online.org
hxxp://timesav-scaner-online.org
hxxp://411online-scanner-free.org
hxxp://dynaonline-scanner-free.org
hxxp://fastonline-scanner-free.org
hxxp://homeonline-scanner-free.org
hxxp://online-scanner-freebin.org
hxxp://online-scanner-freebuy.org
hxxp://online-scanner-freelook.org
hxxp://online-scanner-freemap.org
hxxp://online-scanner-freemeet.org
hxxp://online-scanner-freesite.org
hxxp://online-scanner-freetent.org
hxxp://online-scanner-freeu.org
hxxp://online-scanner-freevolt.org
hxxp://onlinescannerfree.org
hxxp://av-plus-online.org
hxxp://protecmesages.org
hxxp://av-onlicity.org
hxxp://av-online-scanner.org
hxxp://av-online-scannerbid.org
hxxp://av-online-scannercrest.org
hxxp://av-online-scannerfolk.org
hxxp://av-online-scannergate.org
hxxp://av-online-scannerland.org
hxxp://av-online-scannerpc.org
hxxp://av-online-scannersite.org
hxxp://av-online-scannerweek.org
hxxp://av-online-scannerwing.org
hxxp://infoav-online-scanner.org
hxxp://shopav-online-scanner.org
hxxp://theav-online-scanners.org
hxxp://avplus-online.org
hxxp://protectmesages.org
hxxp://av-scaner.org
hxxp://av-scaners.org
hxxp://av-scanner.org
hxxp://av-scanners.org
hxxp://avplussonline.org
hxxp://avscaner.org
hxxp://avscaners.org
hxxp://avscanner.org
hxxp://avscanners.org
hxxp://eav-scaner.org
hxxp://eav-scaners.org
hxxp://eav-scanner.org
hxxp://eav-scanners.org
hxxp://myav-scaner.org
hxxp://myav-scaners.org
hxxp://myav-scanner.org
hxxp://myav-scanners.org
hxxp://protectmessages.org
hxxp://avplusonline.org
hxxp://av-plusonline.org
hxxp://protect-mesagess.org

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang successfully exposing hundreds of thousands of users to a multi-tude of malicious software.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in the depth the tactics techniques and procedures of the cybercriminals behind it.

Sample domains known to have participated in the campaign:
hxxp://jhpegdueeunz.55fast.com
hxxp://vzhusyeeaubk.55fast.com
hxxp://cvzizliiustw.55fast.com
hxxp://zetaswuiouax.55fast.com
hxxp://shzopfioarpd.55fast.com
hxxp://nqpubruioeat.55fast.com
hxxp://krrepteievdr.55fast.com
hxxp://gtoancoiuyqv.55fast.com
hxxp://felopfooaydk.55fast.com
hxxp://dknejxaeozjb.55fast.com
hxxp://ljperwaaoxjs.55fast.com
hxxp://hxmagxaeulbn.55fast.com
hxxp://mueombooikgp.55fast.com
hxxp://gluezneoolhs.55fast.com
hxxp://ptpodseeanvk.55fast.com
hxxp://jgdeyraoojdr.55fast.com
hxxp://kjsetqaoojdr.55fast.com
hxxp://kvuelveuicmn.55fast.com
hxxp://ywoamnooikfp.55fast.com
hxxp://dnkopgioawss.55fast.com
hxxp://qjtepyaoigts.55fast.com
hxxp://fdsudpeeewam.55fast.com
hxxp://qumobxoiigst.55fast.com
hxxp://fkvahzaeibbz.55fast.com
hxxp://lxxikhiuutwm.55fast.com
hxxp://meboczoiikgy.55fast.com
hxxp://mevoxliiidyq.55fast.com
hxxp://hxvoysaoozhp.55fast.com
hxxp://wiaabcoookfs.55fast.com
hxxp://wlbatgeeiohc.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://narezxaauggf.55fast.com
hxxp://gdsetqaoocks.55fast.com
hxxp://ptxihhiiihpq.55fast.com
hxxp://ramilhueamxg.55fast.com
hxxp://vvnoxliiigsp.55fast.com
hxxp://ywweypeaeemz.55fast.com
hxxp://rqqetweeupwn.55fast.com
hxxp://fprewmaoojpn.55fast.com
hxxp://kbmahjiiigpw.55fast.com
hxxp://romozjuuurov.55fast.com
hxxp://tmxufseaacks.55fast.com
hxxp://viaegjiooeun.55fast.com
hxxp://znmasdiiicbc.55fast.com
hxxp://gdbiczooaoaw.55fast.com
hxxp://boqegkooouom.55fast.com
hxxp://xncoxloiiwrm.55fast.com
hxxp://flxowreuuhkb.55fast.com
hxxp://zzkihgiuupwb.55fast.com
hxxp://gxcobmeeuvls.55fast.com
hxxp://wygimweuizxz.55fast.com
hxxp://winowmeaoxhy.55fast.com
hxxp://hhpewmaoidtm.55fast.com
hxxp://nemoxloiixlh.55fast.com
hxxp://bvbowvooigtq.55fast.com
hxxp://pgmassuiixvx.55fast.com
hxxp://vbxoxkiiijst.55fast.com
hxxp://clnobhaoobzf.55fast.com
hxxp://proawnaoozxf.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://romwrpueerr.007gb.com
hxxp://rtperweaauux.5nxs.com
hxxp://prougpeeabzd.hostevo.com
hxxp://stwermoiigwc.10fast.net
hxxp://znmasdiiicbc.55fast.com
hxxp://gjxotyuuobmv.007sites.com

Sample malicious domains known to have participated in the campaign:
hxxp://dpfujhiuijhd.hostevo.com
hxxp://gfhizliiikjd.hostevo.com
hxxp://driozkuueqic.hostevo.com
hxxp://rrkihfuuuspr.hostevo.com
hxxp://xzkikhueeivf.hostevo.com
hxxp://trqawmaookgp.hostevo.com
hxxp://hggudseuerqn.hostevo.com
hxxp://phveflaeulmn.hostevo.com
hxxp://cvxiljiuuyrm.hostevo.com
hxxp://fdseffuueqiv.hostevo.com
hxxp://dsteyraaaxgr.hostevo.com
hxxp://pfjocbeuiznb.hostevo.com
hxxp://ccziljiuurab.hostevo.com

Sample malicious domains known to have participated in the campaign:
hxxp://jgfuspeeeauc.hostevo.com
hxxp://grioxhueoxlf.hostevo.com
hxxp://dpdilkiiihfy.hostevo.com
hxxp://miuonbaoifwv.hostevo.com
hxxp://fpteymoiuqmj.hostevo.com
hxxp://dyoovziuebvj.hostevo.com
hxxp://rpdojzaaesgg.hostevo.com
hxxp://zzkuhguuewib.hostevo.com
hxxp://bqyunruiaecw.hostevo.com
hxxp://sruoljiuurqb.hostevo.com
hxxp://stratreaaebk.hostevo.com
hxxp://kjsetwaookdt.hostevo.com
hxxp://prougpeeabzd.hostevo.com
hxxp://nrfitdioaoyd.hostevo.com
hxxp://cxligdueewoc.hostevo.com
hxxp://tqaawmaoamvj.hostevo.com
hxxp://qunoxliiifyw.hostevo.com
hxxp://zkfusteaanch.hostevo.com
hxxp://qumobcooozjf.hostevo.com
hxxp://sqqawmaaamvj.hostevo.com
hxxp://klguyraoojdr.hostevo.com
hxxp://fspespueeiez.hostevo.com
hxxp://sjcadjoaepfh.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://sjcadjoaepfh.55fast.com
hxxp://pkbadlaeujcv.55fast.com
hxxp://vnvocziiifst.55fast.com
hxxp://wauanbooikfy.55fast.com
hxxp://yovikdeaanch.55fast.com
hxxp://jvuelvaeukcc.55fast.com
hxxp://lkgufpeeaunz.55fast.com
hxxp://kjfufseeeiml.55fast.com
hxxp://bmmoxliiifdt.55fast.com
hxxp://nqtuxneuixbb.55fast.com
hxxp://wioabnaoikfp.55fast.com
hxxp://ssdikzaaaiiq.55fast.com
hxxp://rwaammaaeowm.55fast.com
hxxp://ljifsueaumz.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://lljifsueaumz.55fast.com
hxxp://nbzigpeaoksq.55fast.com
hxxp://mvjufraoidqb.55fast.com
hxxp://hgdupraoisqc.55fast.com
hxxp://khdudseeeauc.55fast.com
hxxp://fspetwaaabxh.55fast.com
hxxp://tqoavxoiidyq.55fast.com
hxxp://xeaubwuiardg.55fast.com
hxxp://nbvoncooolhp.55fast.com
hxxp://wexigpaoambl.55fast.com
hxxp://klhuggiuufdt.55fast.com
hxxp://dxwetteoigst.55fast.com
hxxp://glvashoaeygj.55fast.com
hxxp://xmoejcaeujxc.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://jfsfkfuueqw.007gb.com
hxxp://bbxcimoiify.007gb.com
hxxp://ljgjxkueewi.007gb.com
hxxp:///xzkgkguueaa.007gb.com
hxxp://wmhjvkuaabj.007gb.com
hxxp://yqbzmciuupt.007gb.com
hxxp://lvxvieaoizj.007gb.com
hxxp://srnvuioookf.007gb.com
hxxp://melhlhueeqe.007gb.com
hxxp://lkhjclueuwa.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://lkhjclueuwa.007gb.com
hxxp://bvgsfyaooxh.007gb.com
hxxp://xbkhceeuifd.007gb.com
hxxp://ywncmvoiojf.007gb.com
hxxp://kjptpwaaacl.007gb.com
hxxp://gpmcumooavx.007gb.com
hxxp://dpwnaioookf.007gb.com
hxxp://stqnaiaoihd.007gb.com
hxxp://fspygfuuerq.007gb.com
hxxp://wbgtsyeaamb.007gb.com
hxxp://fprmwoaaavl.007gb.com
hxxp://mmxlnvoiijd.007gb.com
hxxp://vvllnmooocl.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://vvllnmooocl.007gb.com
hxxp://zlgsgpeaabz.007gb.com
hxxp://ccjfxleeewq.007gb.com
hxxp://cvhfjguueqi.007gb.com
hxxp://lhprsraaack.007gb.com
hxxp://razzbciiupt.007gb.com
hxxp://rancoeooozh.007gb.com
hxxp://muczimoooxh.007gb.com
hxxp://tphotdioetdf.hostevo.com
hxxp://vvxifpeaocks.hostevo.com
hxxp://jjhillooolhf.hostevo.com
hxxp://bzxixliiudpr.hostevo.com
hxxp://xmvovxooozhp.hostevo.com
hxxp://proocziuuprm.hostevo.com
hxxp://qebovziuuswb.hostevo.com
hxxp://xzhusteaabzs.hostevo.com
hxxp://bbbovxiuifyq.hostevo.com

Sample malicious domains known to have participated in the campaign:
hxxp://dpretqaoocjy.hostevo.com
hxxp://ywaaqbaoozjs.5nxs.com
hxxp://fsyepteaaenl.5nxs.com
hxxp://jhgufpeeeaic.5nxs.com
hxxp://dsterqaaoczg.5nxs.com
hxxp://rivilhueeiuc.5nxs.com
hxxp://znouxneuaayd.5nxs.com
hxxp://kkgijguueonh.5nxs.com
hxxp://khsamvooihdt.5nxs.com
hxxp://nncikgueaflg.5nxs.com
hxxp://fdpixnaaaoiv.5nxs.com
hxxp://zzzikhiiihfy.5nxs.com
hxxp://sqaayteaaimz.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://tquambooilhs.5nxs.com
hxxp://gdtaqboiojdt.5nxs.com
hxxp://queoxliuudtq.5nxs.com
hxxp://vbcokloiikhs.5nxs.com
hxxp://raoadpiuigst.5nxs.com
hxxp://qevijfueeibj.5nxs.com
hxxp://kjlicvoooncj.5nxs.com
hxxp://sroavlueeixd.5nxs.com
hxxp://xxlijkiuuyqm.5nxs.com
hxxp://vvcijreaaenl.5nxs.com
hxxp://zzkigdueurab.5nxs.com
hxxp://zxkigdueeoel.5nxs.com
hxxp://tqoanvooijfy.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://wnxufpeaaevj.5nxs.com
hxxp:///ptaamboiihsw.5nxs.com
hxxp://vbxijhueurix.5nxs.com
hxxp://fpkijxiiidox.5nxs.com
hxxp://streqwaooxcg.5nxs.com
hxxp://ptyewmaoolgy.5nxs.com
hxxp://hgyeqboiihpw.5nxs.com
hxxp://cxjijgueeaez.5nxs.com
hxxp://woeobvoiihdt.5nxs.com
hxxp://bcxixjueuqmj.5nxs.com
hxxp://mmvobxoiihdr.5nxs.com
hxxp://prqawnaoozgy.5nxs.com
hxxp://xzkugsueeunk.5nxs.com
hxxp://vvbovxiiidym.5nxs.com
hxxp://qinozkiuidyw.5nxs.com
hxxp://tpdumweuughh.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://tpdumweuughh.5nxs.com
hxxp://zkfudpeaaech.5nxs.com
hxxp://vvcijfueeamk.5nxs.com
hxxp://jkhihdiuuypw.5nxs.com
hxxp://womancoiuyav.5nxs.com
hxxp://sfkoyfooepgh.5nxs.com
hxxp://zzhetqaooxkd.5nxs.com
hxxp://czjudyeaacjp.5nxs.com
hxxp://gssudpeaaecg.5nxs.com
hxxp://wiuobvooozjp.5nxs.com
hxxp://twaamnaookhd.5nxs.com
hxxp://bbvocloiigsr.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://dspugduuuytm.5nxs.com
hxxp://kljigdueeqic.5nxs.com
hxxp://gpioxhuuutav.5nxs.com
hxxp://wouavcooiyil.5nxs.com
hxxp://mevoxliuuyrm.5nxs.com
hxxp://xvcocxoiojfy.5nxs.com
hxxp://zljudyeaaunl.5nxs.com
hxxp://woaabcoiusst.5nxs.com
hxxp://dppudpeeewmh.5nxs.com
hxxp://zzhustueequk.5nxs.com
hxxp://quboczoiolgd.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://kdwetmoiuics.5nxs.com
hxxp://jgfudseeerqb.5nxs.com
hxxp://qunolhueeonx.5nxs.com
hxxp://khdusyeaaeez.5nxs.com
hxxp://bvcikgueequx.5nxs.com
hxxp://xzjupteaovzg.5nxs.com
hxxp://rmludpueoebj.5nxs.com
hxxp://pfyupteeeauz.5nxs.com
hxxp://qqreqnoeewhs.5nxs.com
hxxp://ysfuyraaaczs.5nxs.com
hxxp://ljdudyeaamcj.5nxs.com
hxxp://vbvovziiustm.5nxs.com
hxxp://gffugdueeibz.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://bnjdzkiuuyw.007gb.com
hxxp://dpppdpeeeii.007gb.com
hxxp://zzfdhdeeeoe.007gb.com
hxxp://hhhhzciuusa.007gb.com
hxxp://dpmlbkiuuta.007gb.com
hxxp://ccgsgpeaaev.007gb.com
hxxp://vbzxecoiuso.007gb.com
hxxp://nbkfhdeaack.007gb.com
hxxp://bmvcaoeeaoe.007gb.com
hxxp://xchfggiuewq.007gb.com
hxxp://jgypgpeaoxh.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://jgypgpeaoxh.007gb.com
hxxp://hdstpraoojd.007gb.com
hxxp://nnkkvziiigh.007gb.com
hxxp://qwyduquuoeo.007gb.com
hxxp://jhgdkzooobn.007gb.com
hxxp://ljyqweoiihf.007gb.com
hxxp://xzfdfsueaux.007gb.com
hxxp://kjfhzjueeae.007gb.com
hxxp://tanbuoeaanb.007gb.com
hxxp://rammooaaocx.007gb.com
hxxp://gsmxmlueoht.007gb.com
hxxp://xxjgkguueuu.007gb.com
hxxp://jgppfpeeaev.007gb.com
hxxp://xzfpfpeaozh.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://khsphdueaev.007gb.com
hxxp://wabnieoiikg.007gb.com
hxxp://rojshgeoisw.007gb.com
hxxp://zlhffgueaec.007gb.com
hxxp://quxxmnoiokd.007gb.com
hxxp://rpsdkzoeeqq.007gb.com
hxxp://rozfksaoiht.007gb.com
hxxp://vvzkcviiuru.007gb.com
hxxp://ptgdghueedq.007gb.com
hxxp://xvjhcliuufi.007gb.com
hxxp://ywqntweaeqo.007gb.com
hxxp://mubwqaaaoxl.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://quzjlgueeib.007gb.com
hxxp://fdyttteeaou.007gb.com
hxxp://xxjggseeeom.007gb.com
hxxp://robvimoiikg.007gb.com
hxxp://hgspsyeeanx.007gb.com
hxxp://nbzkckueein.007gb.com
hxxp://syfdgmoiipy.007gb.com
hxxp://nmkjzjueequ.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://nmkjzjueequ.007gb.com
hxxp://ytwqyteaaen.007gb.com
hxxp://kgdfkhuuuyq.007gb.com
hxxp://zbcvieaoocc.007gb.com
hxxp://sywrdpeeeie.007gb.com
hxxp://prnmwaaaamm.007gb.com
hxxp://djddhfuuilc.007gb.com
hxxp://wibnuboiusw.007gb.com
hxxp://muclmboiigd.007gb.com
hxxp://vvlkevoiidy.007gb.com
hxxp://xhprrteaaun.007gb.com
hxxp://bncvoeaaauu.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://ravhzluuewo.007gb.com
hxxp://gsywptaaabz.007gb.com
hxxp://xxkzbcoiijd.007gb.com
hxxp://mevirwaaovlf.hostevo.com
hxxp://roboxloiihdt.007sites.com
hxxp://rauonbooozkf.007sites.com
hxxp://ywiatreeewam.007sites.com
hxxp://nxfetmaoolfr.007sites.com
hxxp://gkmelbeuoear.007sites.com
hxxp://mmcigsueeexg.007sites.com
hxxp://vxxiljoioxxg.10fast.net
hxxp://jgsuspeeeaic.10fast.net
hxxp://qenocxiiihsr.10fast.net
hxxp://lklilliiigdt.10fast.net
hxxp://hgdepreaamzs.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://gffupteaaebj.10fast.net
hxxp:///kljigfuuugfp.10fast.net
hxxp://raianvoiokgy.10fast.net
hxxp://rtqerqeaamcg.10fast.net
hxxp://gfdugdeaavls.10fast.net
hxxp://ddterboiugsr.10fast.net
hxxp://jgpewnoiihpq.10fast.net
hxxp://kjfpfseeeqo.007gb.com
hxxp://wubcmciuuya.007gb.com
hxxp://quzkxvooift.007gb.coml
hxxp://nblhlheaaum.007gb.com
hxxp://cclxnciuupq.007gb.com
hxxp://nbhkckueeib.007gb.com
hxxp://hgddxliuudp.007gb.com
hxxp://winilhueuwiz.10fast.net
hxxp://queocliuupqv.10fast.net
hxxp://gdtaqboiihhs.10fast.net
hxxp://bbvovbaaancg.10fast.net
hxxp://fpramvoiiftm.10fast.net
hxxp://fjliljiiizhp.10fast.net
hxxp://gspedpeeeiel.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://fssukjaoanbx.5nxs.com
hxxp://ptaawviuuppw.5nxs.com
hxxp://llxozkoiikdq.5nxs.com
hxxp://kkkijguuuquz.5nxs.com
hxxp://womobciiiftn.5nxs.com
hxxp://vvcikgueequl.5nxs.com
hxxp://zzzoxcooozzl.5nxs.com
hxxp://wuuocziuupwn.5nxs.com
hxxp://hfyeqnoiiftm.5nxs.com
hxxp://sttewboookgy.5nxs.com
hxxp://ghhusteaozgt.5nxs.com
hxxp://fjzoqtuuukiw.5nxs.com
hxxp://muuaqciueomz.5nxs.com
hxxp://fsfugduuutav.5nxs.com
hxxp://jgdeywaoocks.5nxs.com
hxxp://raniljuuurix.5nxs.com
hxxp://pabikhueamcg.5nxs.com
hxxp://gsteqbooikdr.5nxs.com
hxxp://llhugfuuerab.5nxs.com
hxxp://dspeyyeeeauv.5nxs.com
hxxp://xzkixhuaoczg.5nxs.com
hxxp://rouawmaaammz.5nxs.com
hxxp://kxlijjiuuspt.5nxs.com
hxxp://xzliljiuifyw.5nxs.com
hxxp://vvvilhiueqac.5nxs.com
hxxp://tovikhiiufdt.5nxs.com
hxxp://ttretreeuhgs.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://ypserreeuytq.5nxs.com
hxxp://xxzijkiiikkf.5nxs.com
hxxp://bvzoknaoigpm.5nxs.com
hxxp://nnxihduuutqv.5nxs.com
hxxp://muzidyeeeevh.5nxs.com
hxxp://tpdufhiiidrn.5nxs.com
hxxp://ffpupteeeaqd.5nxs.com
hxxp://bbxigseeolpm.5nxs.com
hxxp://gsdugpeaeibj.5nxs.com
hxxp://pwteyyeaamcg.5nxs.com
hxxp://zxcoljiiigpw.5nxs.com
hxxp://bmacxoiixjs.5nxs.com
hxxp://twqawmaooczf.5nxs.com
hxxp://bbrartuauhjh.5nxs.com
hxxp://dtiolhueeexd.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://gdduhgiiikhd.5nxs.com
hxxp://ryquhfuuuypr.5nxs.com
hxxp://sfhijkiuusrn.5nxs.com
hxxp://staennaoolgy.5nxs.com
hxxp://vvvoczooolzg.5nxs.com
hxxp://bmnokgueequz.5nxs.com
hxxp://proocxoiigds.5nxs.com
hxxp://ptwepwaoozht.5nxs.com
hxxp://fsdufpeeeovg.5nxs.com
hxxp://dtlidwoiuyoz.5nxs.com
hxxp://kvyamboiuhsr.5nxs.com
hxxp://kvmardioetyp.5nxs.com
hxxp://taniljueuwul.5nxs.com
hxxp://jvnartuuixvx.5nxs.com
hxxp://qubijgiuutac.5nxs.com

Sample malicious domains known to have participated in the campaigns:
hxxp://qebocziuidfy.10fast.net
hxxp://gffudpeeeauc.10fast.net
hxxp://vbjustaiurox.10fast.net
hxxp://jgyuptaoutic.10fast.net
hxxp://lkhighueeevk.10fast.net
hxxp://ptpudreeeobz.10fast.net
hxxp://meeambaooxls.10fast.net
hxxp://yrreyraaovld.10fast.net
hxxp://kkdutwaoobzd.10fast.net
hxxp://czxitbouuquz.10fast.net
hxxp://lvbovnaoozjp.10fast.net
hxxp://wiiambaookdt.10fast.net
hxxp://zxkijgueaecg.10fast.net
hxxp://ywqawqaoovzh.10fast.net
hxxp://gzoukwuuizbv.10fast.net
hxxp://roiabcoiigpq.10fast.net
hxxp://vvlufseaavld.10fast.net
hxxp://hgpusyeaamxg.10fast.net
hxxp://kkkikziiifyq.10fast.net
hxxp://dtqaczoiuswb.10fast.net
hxxp://llzozxoiigpw.10fast.net
hxxp://nmcijkiuuobg.10fast.net
hxxp://mnxijliuusrm.10fast.net
hxxp://quuanbooikfy.10fast.net
hxxp://xxzijhuueuex.10fast.net
hxxp://gsyepyeaaubk.10fast.net
hxxp://tqoaqmaoigsr.10fast.net
hxxp://cvbocziiikgp.10fast.net
hxxp://gdyepteaancj.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://qibocziuewuz.10fast.net
hxxp://qrkargoaatsf.10fast.net
hxxp://zzdeymaoifyq.10fast.net
hxxp://noeancoiutac.10fast.net
hxxp://qunovnaaammb.10fast.net
hxxp://gffugdeeeibk.10fast.net
hxxp://cmvijsueenls.10fast.net
hxxp://tqaeryeaanxj.10fast.net
hxxp://xmuambiiifyt.10fast.net
hxxp://cvnanneeesff.10fast.net
hxxp://muuaqbooolfy.10fast.net
hxxp://qimacvaaetyr.10fast.net
hxxp://vxfutqaoihsw.10fast.net
hxxp://ywreyruuuhhg.10fast.net
hxxp://fdteyteeeoel.10fast.net
hxxp://ywianvoiupwc.10fast.net
hxxp://zlgeyraoobls.10fast.net
hxxp://zkhujdeaojpm.10fast.net
hxxp://kjfufduuutqm.10fast.net
hxxp://xxjudpueewiz.10fast.net
hxxp://rooewmeaamcg.10fast.net
hxxp://hffugdueeink.10fast.net
hxxp://xmcoxzoiikkd.10fast.net
hxxp://lllizkuiifyq.10fast.net
hxxp://xmuapsuiovnb.10fast.net
hxxp://tquanvoiuyqv.10fast.net
hxxp://kvnartuuujlk.10fast.net
hxxp://lllikhioozjf.10fast.net
hxxp://yrreypeeamck.10fast.net
hxxp://glhihfueaeck.10fast.net

Sample malicious domains known to have participate in the campaign:
hxxp://goadult.info/go.php?sid=13 -> -> hxxp://goadult.info/go.php?sid=9 -&gt -> hxxp://r2606.com/go/?pid=30937 -> which is a well known Koobface 1.0 command and control server domain.

Related malicious redirectors known to have participated in the campaign:
hxxp://goadult.info - 78.109.28.16 - tech@goadult.info
hxxp://go1go.net - 174.36.214.32 - tech@go1go.net
hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info

HIstorical OSINT - PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating

This summary is not available. Please click here to view the post.

Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware

It's 2010 and I've recently intercepted a wide-spread Bebo malicious malware-serving campaign successfully enticing users into interacting with the fraudulent and malicious content potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.

Sample malicious domains known to have participated in the campaign:
hxxp://boss.gozbest.net/xd.html - 216.32.83.110
hxxp://tafficbots.com/in.cgi?6
hxxp://bolapaqir.com/in.cgi?2
hxxp://mybig-porn.com/promo4/?aid=1339

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Chinese Government Sites Serving Malware

It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it.

Compromised Chinese government Web site:
hxxp://nynews.gov.cn

Sample malicious domains known to have participated in the campaign:
hxxp://game1983.com/index.htm
hxxp://sp.070808.net/23.htm
hxxp://higain-hitech.com/mm/index.html

Currently affected Chinese government Web sites:
hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191
hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm
hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Calling Zeus Home

Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I'll provide historical OSINT on various ZeuS-themed malicious and fraudulent campaigns intercepted throughout 2008 and provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have participated in the campaign:
hxxp://myxaxa.com/z/cfg.bin
hxxp://dokymentu.info/zeus/cfg.bin
hxxp://online-traffeng.com/zeus/cfg.bin
hxxp://malwaremodel.biz/zeus/cfg.bin
hxxp://giftcardsbox.com/web/cfg.bin
hxxp://d0rnk.com/cfg.bin
hxxp://rfs-group.net/cool/cfg.bin
hxxp://62.176.16.19/11/cfg.bin
hxxp://81.95.149.74/demo/cfg.bin
hxxp://66.235.175.5/.cs/cfg.bin
hxxp://208.72.169.152/web/cfg.bin
hxxp://antispyware-protection.com/web/cfg.bin
hxxp://s0s1.net/web/cfg.bin
hxxp://208.72.169.151/admin/cfg.bin
hxxp://1ntr0.com/zuzu/cfg.bin
hxxp://88.255.90.170/bt/fiz/cfg.bin
hxxp://58.65.235.4/web/conf/cfg.bin
hxxp://forgoogleonly.cn/open/cfg.bin
hxxp://194.1.152.172/11/cfg.bin

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - A Diverse Portfolio of Fake Security Software

In this post I'll profile a currently circulating circa 2008 malicious and fraudulent scareware-serving campaign successfully enticing users into interacting with rogue and fraudulent fake security software with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type of revenue-sharing scheme.

Related malicious domains known to have participated in the campaign:
hxxp://globals-advers.com
hxxp://alldiskscheck300.com
hxxp://multisearch1.com
hxxp://myfreespace3.com
hxxp://hottystars.com
hxxp://multilang1.com
hxxp://3gigabytes.com
hxxp://drivemedirect.com
hxxp://globala2.com/soft.php
hxxp://teledisons.com
hxxp://theworldnews5.com
hxxp://virtualblog5.com
hxxp://grander5.com
hxxp://5starsblog.com
hxxp://globalreds.com
hxxp://global-advers.com
hxxp://ratemyblog1.com
hxxp://greatvideo3.com
hxxp://beginner2009.com
hxxp://fastwebway.com
hxxp://blazervips.com
hxxp://begin2009.com
hxxp://megatradetds0.com
hxxp://securedonlinewebspace.com
hxxp://proweb-info.com
hxxp://security-www-clicks.com
hxxp://updatedownloadlists.com
hxxp://styleonlyclicks.cn
hxxp://informationgohere.com
hxxp://world-click-service.com
hxxp://secutitypowerclicks.cn
hxxp://securedclickuser.cn
hxxp://slickoverview.com
hxxp://viewyourclicks.com
hxxp://clickwww2.com
hxxp://clickadsystem.com
hxxp://becomepoweruser.cn
hxxp://clickoverridesystem.cn

Related malicious domains known to have participated in the campaign:
hxxp://protecteduser.cn
hxxp://internetprotectedweb.com
hxxp://clicksadssystems.com
hxxp://whereismyclick.cn/
hxxp://trustourclicks.cn
hxxp://goldenstarclick.cn
hxxp://defendedsystemuser.cn

Related malicious domains known to have participated in the campaign:
hxxp://drivemedirect.com
hxxp://virtualblog5.com
hxxp://fastwebway.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits

According to security researchers the Gumblar botnet is making a comeback successfully affecting thousands of users globally potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious client-side exploits serving domains further dropping malicious software on the affected hosts.

In this post we'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the campaign:
hxxp://ncenterpanel.cn/php/unv3.php
hxxp://ncenterpanel.cn/php/p31.php

Related malicious MD5s known to have participated in the campaign:
MD5: 3f5b905c86d4dcaab9c86eddff1e02c7

MD5: 61461d9c9c1954193e5e0d4148a81a0c
MD5: 65cd1da3d4cc0616b4a0d4a862a865a6
MD5: 7de29e5e10adc5d90296785c89aeabce

Sample URL redirection chain:
hxxp://gumblar.cn/rss/?id - 71.6.202.216 - Email: cuitiankai@googlemail.comi
hxxp://gumblar.cn/rss/?id=2
hxxp://gumblar.cn/rss/?id=3

Related malicious domains known to have participated in the campaign:
hxxp://martuz.cn - 95.129.145.58

With Gumblar making a come-back it's becoming evident that cybercriminals continuing utilizing the usual set of malicious and fraudulent tactics for the purpose of spreading malicious software and affecting hundreds of thousands of legitimate Web sites in a cost-effective and efficient way.

We'll continue monitoring the campaign and post updates and post updates as soon as new developments take place.

Historical OSINT - iPowerWeb Hacked Hundreds of Web Sites Affected

In 2008 it became evident that a widespread malware-embedded attack took place successfully affecting hundreds of iPowerWeb customers potentially exposing hundreds of legitimate Web sites to a multi-tude of malicious software courtesy of a well known Russian Business Network's hosting provider - HostFresh.

In this post we'll profile the campaign provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it. We'll also establish a direct connection between the campaign's infrastructure and the Russian Business Network.

Malicious URL: hxxp://58.65.232.33/gpack/index.php

Related malicious URls known to have participated in the campaign - hxxp://58.65.232.25/counter/getexe.php?h=11 hxxp://58.65.232.25/counter/getfile.php?f=pdf

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Introducing Threat Data - The World's Most Comprehensive Threats Database

Dear blog readers, I wanted to take the time and effort and introduce you to Threat Data - the World's Most Comprehensive Threats Database, a proprietary invite-only MISP-based data information and knowledge sharing community managed and operated by me which basically represents the vast majority of proprietary threat intelligence research that I produce on a daily basis these days.

Users and organizations familiar with my research may be definitely interested in considering the opportunity to obtain access to Threat Data including a possible sample including a possible trial of the service.

Find below a sample FAQ about Threat Data and consider obtaining access to ensure that you and your organization remains on the top of its game including ahead of current and emerging threats.

01. How to request access including a possible trial including API access?
Approach me at ddanchev@cryptogroup.net

02. How do obtain automated access?
The database is delivered daily/weekly/quarterly in MISP-friendly JSON-capable format including STIX coverage.

03. How to request a sample?
Users interested in requesting a sample can approach me at dancho.danchev@hush.com and I'd be more than happy to offer a recent threat intelligence research snapshot.

04. Tell me more about the pricing options?
Monthly subscriptions covering daily weekly and monthly updates start at $4,000 including guaranteed access to 24-32 analysis on a daily basis including active in-house all-source analysis guaranteeing that your organization remains on the top of its game by possessing the necessary data information and knowledge to stay ahead of current and emerging threats.

05. What does the database cover?
- Russian Business Network coverage
- Koobface Botnet coverage
- Kneber Botnet coverage
- Hundreds of IOCs (Indicators of Compromise)
- Tactics Techniques and Procedures In-Depth Coverage
- Malicious and fraudulent infrastructure mapped and exposed
- Malicious and fraudulent Blackhat SEO coverage
- Malicious spam and phishing campaigns
- Malicious and fraudulent scareware campaigns
- Malicious and fraudulent money mule recruitment scams
- Malicious and fraudulent reshipping mule recruitment scams
- Web based mass attack compromise fraudulent and malicious campaigns
- Malicious and fraudulent client-side exploits serving campaigns

The database also offers active malverising, scareware, rogueware, malware, phishing, spam, IM malware, mobile malware, mac OS X malware, android malware, blackhat SEO, money mule recruitment, reshipping mule recruitment, including ransomware coverage.

06. How often does it update?
Updates as issued on a daily weekly monthly basis guaranteeing unlimited access to in-house analysis all-source analysis guaranteeing access to daily weekly and monthly updates.

Enjoy!

Dancho Danchev's 2010 Disappearance - An Elaboration - Part Two

Historical OSINT - Turkey's Chamber of Commerce Serving Malware

oi06.cn
elfah.net/h.js

Historical OSINT - Newly Launched Koobface Themed Campaign Spotted in the Wild

Related malicious URLs known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979

Once executed a sample malware phones back to a well known command and control server IPs:
hxxp://212.117.160.18 GET /install.php?id=02979

Parked at the same IP where crusade affiliates are were more scareware domains. Meanwhile, the Koobface gang is currently busy typosquatting my name for registering domains (Rancho Ranchev; Pancho Panchev) for instance hxxp://mayernews.com - Email: 1andruh.a1@gmail.com is registered using Danchev Danch.

Historical OSINT - Summarizing 2 Years of Webroot's Threat Blog Posts Research

It's been several years since I last posted a quality update at the industry's leading threat-intelligence gathering Webroot's Threat Blog following a successful career as lead security blogger and threat-intelligence analyst throughout 2012-2014.

In this post I'll summarize two years worth of Webroot's Threat Blog research with the idea to provide readers with the necessary data information and knowledge to stay ahead of current and emerging threats.

01. January - 2012

• Cybercriminals generate malicious Java applets using DIY tools
• A peek inside the uBot malware bot
• Researchers intercept a client-side exploits serving malware campaign
• How phishers launch phishing attacks
• A peek inside the Umbra malware loader
• How malware authors evade antivirus detection
• Inside AnonJDB – a Java based malware distribution platforms for drive-by downloads
• Zappos.com hacked, 24 million users affected
• Inside a clickjacking/likejacking scam distribution platform for Facebook
• A peek inside the Cythosia v2 DDoS Bot
• A peek inside the PickPocket Botnet
• Mass SQL injection attack affects over 200,000 URLs
• Email hacking for hire going mainstream
• Millions of harvested emails offered for sale

02. February - 2012

• Research: Google’s reCAPTCHA under fire
• Spamvertised ‘You have 1 lost message on Facebook’ campaign leads to pharmaceutical scams
• A peek inside the Smoke Malware Loader
• Researchers spot Citadel, a ZeuS crimeware variant
• Researchers intercept two client-side exploits serving malware campaigns
• Pharmaceutical scammers launch their own Web contest
• The United Nations hacked, Team Poison claims responsibility
• Report: Internet Explorer 9 leads in socially-engineered malware protection
• Twitter adds HTTPS support by default
• Spamvertised “Hallmark ecard” campaign leads to malware
• Report: 3,325% increase in malware targeting the Android OS
• Why relying on antivirus signatures is simply not enough anymore
• Researchers intercept malvertising campaign using Yahoo’s ad network
• A peek inside the Ann Malware Loader
• Spamvertised ‘Termination of your CPA license’ campaign serving client-side exploits
• How cybercriminals monetize malware-infected hosts
• A peek inside the Elite Malware Loader
• BlackHole exploit kits gets updated with new features

03. March - 2012

• New service converts malware-infected hosts into anonymization proxies
• Spamvertised ‘Temporary Limit Access To Your Account’ emails lead to Citi phishing emails
• A peek inside the Darkness (Optima) DDoS Bot
• Research: proper screening could have prevented 67% of abusive domain registrations
• Spamvertised ‘Your accountant license can be revoked’ emails lead to client-side exploits and malware
• Spamvertised ‘Google Pharmacy’ themed emails lead to pharmaceutical scams
• Research: U.S accounts for 72% of fraudulent pharmaceutical orders
• Millions of harvested U.S government and U.S military email addresses offered for sale
• Trojan Downloaders actively utilizing Dropbox for malware distribution
• Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware
• Malicious USPS-themed emails circulating in the wild
• Spamvertised LinkedIn notifications serving client-side exploits and malware
• Tens of thousands of web sites affected in ongoing mass SQL injection attack
• Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware
• Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

04. April - 2012

• Email hacking for hire going mainstream – part two
• Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware
• New underground service offers access to hundreds of hacked PCs
• New DIY email harvester released in the wild

05. May - 2012

• Managed SMS spamming services going mainstream
• A peek inside a boutique cybercrime-friendly E-shop
• Cybercriminals release ‘Sweet Orange’ – new web malware exploitation kit
• Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware
• Poison Ivy trojan spreading across Skype
• A peek inside a managed spam service
• Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware
• Spamvertised bogus online casino themed emails serving adware
• Spamvertised ‘YouTube Video Approved’ and ‘Twitter Support” themed emails lead to pharmaceutical scams
• A peek inside a boutique cybercrime-friendly E-shop – part two
• Spamvertised CareerBuilder themed emails serving client-side exploits and malware
• Pop-ups at popular torrent trackers serving W32/Casonline adware
• ‘Windstream bill’ themed emails serving client-side exploits and malware

06. June - 2012

• Cybercriminals infiltrate the music industry by offering full newly released albums for just $1
• A peek inside a boutique cybercrime-friendly E-shop – part three
• DDoS for hire services offering to ‘take down your competitor’s web sites’ going mainstream
• Skype propagating Trojan targets Syrian activists
• Spamvertised ‘UPS Delivery Notification’ emails serving client-side exploits and malware
• Spamvertised ‘DHL Package delivery report’ emails serving malware
• Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware
• Cybercriminals populate Scribd with bogus adult content, spread malware using Comodo Backup
• Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware
• ‘Create a Cartoon of You” ads serving MyWebSearch toolbar
• Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware
• Spamvertised ‘Confirm PayPal account” notifications lead to phishing sites
• Spamvertised ‘DHL Express Parcel Tracking Notification’ emails serving malware
• Spamvertised bogus online casino themed emails serving W32/Casonline

07. July - 2012

• Cybercriminals launch managed SMS flooding services
• 117,000 unique U.S visitors offered for malware conversion
• Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail spotted in the wild
• What’s the underground market’s going rate for a thousand U.S based malware infected hosts?
• Spamvertised American Airlines themed emails lead to Black Hole exploit kit
• Online dating scam campaign currently circulating in the wild
• New Russian service sells access to compromised social networking accounts
• Cybercriminals impersonate UPS in client-side exploits and malware serving spam campaign
• Russian Ask.fm spamming tool spotted in the wild
• Spamvertised Intuit themed emails lead to Black Hole exploit kit
• Cybercriminals impersonate Booking.com, serve malware using bogus ‘Hotel Reservation Confirmation’ themed emails
• Spamvertised Craigslist themed emails lead to Black Hole exploit kit
• Cybercriminals impersonate law enforcement, spamvertise malware-serving ‘Speeding Ticket’ themed emails
• Spamvertised ‘Download your USPS Label’ themed emails serve malware
• Cybercriminals target Twitter, spread thousands of exploits and malware serving tweets
• Russian spammers release Skype spamming tool
• Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit

08. August - 2012

• Spamvertised AICPA themed emails lead to Black Hole exploit kit
• Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit
• Ongoing spam campaign impersonates LinkedIn, serves exploits and malware
• Millions of spamvertised emails lead to W32/Casonline
• Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware
• IRS themed spam campaign leads to Black Hole exploit kit
• Cybercriminals spamvertise bogus greeting cards, serve exploits and malware
• Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit
• Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit
• Spamvertised ‘Royal Mail Shipping Advisory’ themed emails serve malware
• Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails
• Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware
• Cybercriminals impersonate UPS, serve malware

09. September - 2012

• Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit
• Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
• Cybercriminals resume spamvertising bogus greeeting cards, serve exploits and malware
• Cybercriminals abuse Skype’s SMS sending feature, release DIY SMS flooders
• New Russian service sells access to thousands of automatically registered accounts
• Spamvertised ‘Your Fedex invoice is ready to be paid now’ themed emails lead to Black Hole Exploit kit
• New Russian DIY SMS flooder using ICQ’s SMS sending feature spotted in the wild
• Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware
• Cybercriminals impersonate FDIC, serve client-side exploits and malware
• Managed Ransomware-as-a-Service spotted in the wild
• A peek inside a boutique cybercrime-friendly E-shop – part four
• New E-shop selling stolen credit cards data spotted in the wild
• From Russia with iPhone selling affiliate networks
• New Russian DIY DDoS bot spotted in the wild

10. October - 2012

• New Russian DIY DDoS bot spotted in the wild
• Recently launched E-shop sells access to hundreds of hacked PayPal accounts
• New Russian service sells access to compromised Steam accounts
• ‘Vodafone Europe: Your Account Balance’ themed emails serve malware
• Cybercriminals impersonate UPS, serve client-side exploits and malware
• ‘Your video may have illegal content’ themed emails serve malware
• Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware
• American Airlines themed emails lead to the Black Hole Exploit Kit
• Bogus Facebook notifications lead to malware
• Spamvertised ‘KLM E-ticket’ themed emails serve malware
• ‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit
• Malware campaign spreading via Facebook direct messages spotted in the wild
• ‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit
• Russian cybercriminals release new DIY DDoS malware loader
• PayPal ‘Notification of payment received’ themed emails serve malware
• Cybercriminals impersonate Delta Airlines, serve malware
• ‘Your UPS Invoice is Ready’ themed emails serve malware
• Bogus Skype ‘Password successfully changed’ notifications lead to malware
• Cybercriminals impersonate Verizon Wireless, serve client-side exploits and malware
• Spamvertised ‘BT Business Direct Order’ themed emails lead to malware
• Cybercriminals spamvertise millions of British Airways themed e-ticket receipts, serve malware
• Cybercriminals spamvertise millions of bogus Facebook notifications, serve malware
• Nuclear Exploit Pack goes 2.0

11. November - 2012

• BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware
• ‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit
• USPS ‘Postal Notification’ themed emails lead to malware
• ‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit
• ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware
• ‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit
• ‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware
• Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders
• ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit
• Bogus Better Business Bureau themed notifications serve client-side exploits and malware
• Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple malware variants
• Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware
• ‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit
• Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware
• Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware
• Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware
• Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules
• Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits
• Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware
• Cybercriminals target U.K users with bogus ‘Pay by Phone Parking Receipts’ serve malware
• Bogus DHL ‘Express Delivery Notifications’ serve malware
• Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications
• Cybercriminals impersonate T-Mobile U.K, serve malware
• Bogus ‘Meeting Reminder” themed emails serve malware
• Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit Kit
• Bogus ‘End of August Invoices’ themed emails serve malware and client-side exploits

12. December - 2012

• DIY malicious domain name registering service spotted in the wild
• Fake ‘FedEx Tracking Number’ themed emails lead to malware
• Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware
• Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit
• A peek inside a boutique cybercrime-friendly E-shop – part five
• Fake ‘Flight Reservation Confirmations’ themed emails lead to Black Hole Exploit Kit
• Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit
• Fake Chase ‘Merchant Billing Statement’ themed emails lead to malware
• Cybercriminals entice potential cybercriminals into purchasing bogus credit cards data
• Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
• Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit
• Spamvertised ‘Work at Home” scams impersonating CNBC spotted in the wild
• Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs
• Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve malware
• Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit

12. January - 2013

• Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware
• Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit
• ‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit
• Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware
• A peek inside a boutique cybercrime-friendly E-shop – part six
• Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious Web activity
• Spamvertised AICPA themed emails serve client-side exploits and malware
• ‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit
• Malicious DIY Java applet distribution platforms going mainstream
• Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware
• Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating tool
• ‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit
• Cybercriminals resume spamvertising fake Vodafone ‘A new picture or video message’ themed emails, serve malware
• Leaked DIY malware generating tool spotted in the wild
• Email hacking for hire going mainstream – part three
• Android malware spreads through compromised legitimate Web sites
• Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit
• Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and malware
• Novice cybercriminals experiment with DIY ransomware tools
• Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit Kit
• Fake ‘FedEx Online Billing – Invoice Prepared to be Paid’ themed emails lead to Black Hole Exploit Kit
• A peek inside a DIY password stealing malware
• Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side exploits and malware

12. February - 2013

• Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware
• Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware
• ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit
• New DIY HTTP-based botnet tool spotted in the wild
• Mobile spammers release DIY phone number harvesting tool
• New underground service offers access to thousands of malware-infected hosts
• Targeted ‘phone ring flooding’ attacks as a service going mainstream
• Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware
• Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit
• Malware propagates through localized Facebook Wall posts
• Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware
• New underground E-shop offers access to hundreds of hacked PayPal accounts
• Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit
• DIY malware cryptor as a Web service spotted in the wild
• Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware
• How mobile spammers verify the validity of harvested phone numbers
• How much does it cost to buy 10,000 U.S.-based malware-infected hosts?

13. March - 2013

• New DIY IRC-based DDoS bot spotted in the wild
• Cybercriminals release new Java exploits centered exploit kit
• Segmented Russian “spam leads” offered for sale
• New DIY hacked email account content grabbing tool facilitates cyber espionage on a mass scale
• New DIY unsigned malicious Java applet generating tool spotted in the wild
• Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted fraudulent campaigns
• Fake BofA CashPro ‘Online Digital Certificate” themed emails lead to malware
• Spamvertised BBB ‘Your Accreditation Terminated” themed emails lead to Black Hole Exploit Kit
• New ZeuS source code based rootkit available for purchase on the underground market
• Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware
• ‘ADP Package Delivery Notification’ themed emails lead to Black Hole Exploit Kit
• Cybercrime-friendly community branded HTTP/SMTP based keylogger spotted in the wild
• Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 2004
• Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit
• Spotted: cybercriminals working on new Western Union based ‘money mule management’ script
• Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit Kit
• ‘ADP Payroll Invoice’ themed emails lead to malware
• ‘Terminated Wire Transfer Notification/ACH File ID” themed malicious campaigns lead to Black Hole Exploit Kit
• New DIY RDP-based botnet generating tool leaks in the wild
• A peek inside the EgyPack Web malware exploitation kit

14. April - 2013

• DIY Java-based RAT (Remote Access Tool) spotted in the wild
• Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware
• Cybercrime-friendly service offers access to tens of thousands of compromised accounts
• Madi/Mahdi/Flashback OS X connected malware spreading through Skype
• Cybercriminals selling valid ‘business card’ data of company executives across multiple verticals
• A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit
• DIY Skype ring flooder offered for sale
• Spamvertised ‘Your order for helicopter for the weekend’ themed emails lead to malware
• A peek inside a ‘life cycle aware’ underground market ad for a private keylogger
• American Airlines ‘You can download your ticket’ themed emails lead to malware
• Cybercriminals offer spam-friendly SMTP servers for rent
• How mobile spammers verify the validity of harvested phone numbers – part two
• A peek inside a (cracked) commercially available RAT (Remote Access Tool)
• DIY Russian mobile number harvesting tool spotted in the wild
• DIY SIP-based TDoS tool/number validity checker offered for sale
• CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime
• Historical OSINT – The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in Texas’ themed malware campaigns
• Fake ‘DHL Delivery Report’ themed emails lead to malware
• Cybercriminals impersonate Bank of America (BofA), serve malware
• How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators
• Managed ‘Russian ransomware’ as a service spotted in the wild

15. May - 2013

• FedWire ‘Your Wire Transfer’ themed emails lead to malware
• A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool
• New IRC/HTTP based DDoS bot wipes out competing malware
• New version of DIY Google Dorks based mass website hacking tool spotted in the wild
• Citibank ‘Merchant Billing Statement’ themed emails lead to malware
• Fake Amazon ‘Your Kindle E-Book Order’ themed emails circulating in the wild, lead to client-side exploits and malware
• Cybercriminals impersonate New York State’s Department of Motor Vehicles (DMV), serve malware
• Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin
• Newly launched E-shop for hacked PCs charges based on malware ‘executions’
• New subscription-based ‘stealth Bitcoin miner’ spotted in the wild
• Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement
• New versatile and remote-controlled “Android.MouaBot” malware found in the wild
• Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages
• Commercial ‘form grabbing’ rootkit spotted in the wild
• DIY malware cryptor as a Web service spotted in the wild – part two
• CVs and sensitive info soliciting email campaign impersonates NATO
• New commercially available DIY invisible Bitcoin miner spotted in the wild
• Fake ‘Export License/Payment Invoice’ themed emails lead to malware
• Compromised Indian government Web site leads to Black Hole Exploit Kit
• Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed emails, serve malware
• Marijuana-themed DDoS for hire service spotted in the wild
• Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild

16. June - 2013

• Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace
• New E-shop sells access to thousands of hacked PCs, accepts Bitcoin
• Pharmaceutical scammers impersonate Facebook’s Notification System, entice users into purchasing counterfeit drugs
• iLivid ads lead to ‘Searchqu Toolbar/Search Suite’ PUA (Potentially Unwanted Application)
• Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale
• Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card details
• Fake ‘Unsuccessful Fax Transmission’ themed emails lead to malware
• Tens of thousands of spamvertised emails lead to W32/Casonline
• Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)
• How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them
• Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the KingTranslate PUA
• New boutique iFrame crypting service spotted in the wild
• Rogue ‘Oops Video Player’ attempts to visually social engineer users, mimicks Adobe Flash Player’s installation process
• New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin
• New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool spotted in the wild
• Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted Application (PUA)
• SIP-based API-supporting fake caller ID/SMS number supporting DIY Russian service spotted in the wild
• Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)
• Self-propagating ZeuS-based source code/binaries offered for sale
• How cybercriminals create and operate Android-based botnets

17. July - 2013

• Cybercriminals experiment with Tor-based C&C, ring-3-rootkit empowered, SPDY form grabbing malware bot
• Deceptive ads targeting German users lead to the ‘W32/SomotoBetterInstaller’ Potentially Unwanted Application (PUA)
• Newly launched underground market service harvests mobile phone numbers on demand
• Novel ransomware tactic locks users’ PCs, demands that they participate in a survey to get the unlock code
• Spamvertised ‘Export License/Invoice Copy’ themed emails lead to malware
• Cybercriminals spamvertise tens of thousands of fake ‘Your Booking Reservation at Westminster Hotel’ themed emails, serve malware
• New commercially available mass FTP-based proxy-supporting doorway/malicious script uploading application spotted in the wild
• Fake ‘iGO4 Private Car Insurance Policy Amendment Certificate’ themed emails lead to malware
• Tens of thousands of spamvertised emails lead to the Win32/PrimeCasino PUA (Potentially Unwanted Application)
• Spamvertised ‘Vodafone U.K MMS ID/Fake Sage 50 Payroll’ themed emails lead to (identical) malware
• New commercially available Web-based WordPress/Joomla brute-forcing tool spotted in the wild
• Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Unwanted Application)
• Yet another commercially available stealth Bitcoin/Litecoin mining tool spotted in the wild
• Protected: Deceptive ‘Media Player Update’ ads expose users to the rogue ‘Video Downloader/Bundlore’ Potentially Unwanted Application (PUA)
• Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities
• Fake ‘Copy of Vodafone U.K Contract/Your Monthly Vodafone Bill is Ready/New MMS Received’ themed emails lead to malware
• Rogue ads lead to the ‘Free Player’ Win32/Somoto Potentially Unwanted Application (PUA)
• How much does it cost to buy one thousand Russian/Eastern European based malware-infected hosts?
• Custom USB sticks bypassing Windows 7/8’s AutoRun protection measure going mainstream
• DIY commercially-available ‘automatic Web site hacking as a service’ spotted in the wild

18. August - 2013

• ‘Malware-infected hosts as stepping stones’ service offers access to hundreds of compromised U.S based hosts
• New ‘Hacked shells as a service’ empowers cybercriminals with access to high page rank-ed Web sites
• Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware
• Malicious Bank of America (BofA) ‘Statement of Expenses’ themed emails lead to client-side exploits and malware
• Cybercriminals spamvertise fake ‘O2 U.K MMS’ themed emails, serve malware
• One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers
• Fake ‘Apple Store Gift Card’ themed emails serve client-side exploits and malware
• Newly launched managed ‘malware dropping’ service spotted in the wild
• Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity
• From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers and DIY spamming tools
• DIY Craigslist email collecting tools empower spammers with access to fresh/valid email addresses
• Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open since 2009
• DIY automatic cybercrime-friendly ‘redirectors generating’ service spotted in the wild
• Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase
• Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two

19. September - 2013

• DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild
• Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild
• Managed Malicious Java Applets Hosting Service Spotted in the Wild
• Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps
• 419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis themed scams
• Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request
• Yet another ‘malware-infected hosts as anonymization stepping stones’ service offering access to hundreds of compromised hosts spotted in the wild
• Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based DIY DoS tool
• Cybercriminals sell access to tens of thousands of malware-infected Russian hosts
• Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware
• Cybercriminals experiment with Android compatible, Python-based SQL injecting releases
• Newly launched E-shop offers access to hundreds of thousands of compromised accounts
• DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008
• Yet another subscription-based stealth Bitcoin mining tool spotted in the wild

20. October - 2013

• A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform
• Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part two
• ‘T-Mobile MMS message has arrived’ themed emails lead to malware
• DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities
• Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild
• New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild
• Cybercriminals offer spam-friendly SMTP servers for rent – part two
• Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity
• Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams
• Compromised Turkish Government Web site leads to malware
• Novice cyberciminals offer commercial access to five mini botnets
• Spamvertised T-Mobile ‘Picture ID Type:MMS” themed emails lead to malware
• Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild
• Malicious ‘FW: File’ themed emails lead to malware
• Mass iframe injection campaign leads to Adobe Flash exploits
• Rogue ads lead to the ‘Mipony Download Accelerator/FunMoods Toolbar’ PUA (Potentially Unwanted Application)
• A peek inside the administration panel of a standardized E-shop for compromised accounts
• U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails
• New DIY compromised hosts/proxies syndicating tool spotted in the wild
• Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)
• Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware
• Fake ‘Important: Company Reports’ themed emails lead to malware
• Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot
• Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to malware

21. November - 2013

• Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity
• Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)
• Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’
• New vendor of ‘professional DDoS for hire service’ spotted in the wild
• Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity
• Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild
• Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)
• Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake Adobe Flash player
• Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits
• Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool
• Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware
• Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware
• ‘Newly released proxy-supporting Origin brute-forcing tools targets users with weak passwords’
• Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware
• Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware
• Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware
• Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware

21. December - 2013

• Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by Edward Snowden’
• Commercial Windows-based compromised Web shells management application spotted in the wild
• Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”
• Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits – part two
• How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+’s ToS
• Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools
• Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part three
• Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC)
• Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams
• A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools
• Cybercrime Trends 2013 – Year in Review

22. January - 2014

• ‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild
• Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool
• New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor
• DIY Python-based mass insecure WordPress scanning/exploting tool with hundreds of pre-defined exploits spotted in the wild
• Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service
• Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process
• Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process
• Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild
• Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share

23. February - 2014

• Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application
• Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online
• Managed TeamViewer based anti-forensics capable virtual machines offered as a service
• Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit
• ‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’
• DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure
• Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits
• Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit

24. March - 2014

• Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)
• Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild
• Commercial Windows-based compromised Web shells management application spotted in the wild – part two
• Multiple spamvertised bogus online casino themed campaigns intercepted in the wild
• 5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure
• Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme
• A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot
• Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment
• Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild
• Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)
• DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two
• Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild

24. May - 2014

• Legitimate software apps impersonated in a blackhat SEO-friendly PUA (Potentially Unwanted Application) serving campaign
• DIY cybercrime-friendly (legitimate) APK injecting/decompiling app spotted in the wild
• Malicious DIY Java applet distribution platforms going mainstream – part two
• Spamvertised ‘Error in calculation of your tax’ themed emails lead to malware
• A peek inside a subscription-based DIY keylogging based type of botnet/malware generating tool
• Spamvertised ‘Notification of payment received’ themed emails lead to malware
• Malicious JJ Black Consultancy ‘Computer Support Services’ themed emails lead to malware
• A peek inside a newly launched all-in-one E-shop for cybercrime-friendly services
• Long run compromised accounting data based type of managed iframe-ing service spotted in the wild

Enjoy!