Sample random cybercrime ecosystem screenshots courtesy of me circa 2010:
Tuesday, June 21, 2022
Shots from the Wild West - Random Cybercrime Ecosystem Screenshots 2021 - An OSINT Analysis - Part Ten
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Shots from the Wild West - Random Cybercrime Ecosystem Screenshots 2021 - An OSINT Analysis - Part Nine
Continuing the "Random Cybercrime Ecosystem Screenshots 2021" series I've decided to share a second compilation of random cybercrime ecosystem screenshots courtesy of me circa 2010 while doing my research. Enjoy!
Sample random cybercrime ecosystem screenshots courtesy of me circa 2010:
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
A Compilation of Known Conti Ransomware Malicious Domains - An OSINT Analysis
Sample Conti ransomware malicious domains known to have been involved in various malicious and fraudulent campaigns include:
hxxp://atlantisprojects.ca
hxxp://dylanengineeringservices.com
hxxp://fancydes.webd.pl
hxxp://fdsfdsf.com
hxxp://kohlheatingandair.com
hxxp://stahlworks.com
hxxp://wholesalebosmereusa.com
hxxp://coalminds.com
hxxp://parkisolutions.com
hxxp://sonorambc.org
hxxp://ajeetsinghbaddan.com
hxxp://alexandersqualitycleaners.com
hxxp://allacestech.com
hxxp://alwasl-syria.com
hxxp://alwaslegypt.com
hxxp://aspiremedstaff.com
hxxp://bloomfieldholding.com
hxxp://calacatta.com
hxxp://coffschamber.com.au
hxxp://copyrightlive-ksa.com
hxxp://dubaidreamsadventure.com
hxxp://e-tech.ie
hxxp://easychurchbooks.com
hxxp://ebeautytrade.com
hxxp://emploimed.com
hxxp://gilchrist.fl.us
hxxp://globaluxrma.com
hxxp://greenmountains.ae
hxxp://maintenance.com
hxxp://middletownfriedchickengyro.com
hxxp://nutritionprofbob.com
hxxp://paullesueurlegacyfoundation.com
hxxp://porceletta-ware.com
hxxp://puccienterprises.com
hxxp://rayanat.com
hxxp://reefglobal.com
hxxp://shawigroup.com
hxxp://unitedyfl.com
hxxp://violinstop.com
hxxp://watchespower.com
hxxp://wikiapply.ir
hxxp://adventureworldindia.com
hxxp://alkanzalzahabi.com
hxxp://almakaan.com
hxxp://bsrdesigns.com
hxxp://delwarren.com
hxxp://namaskardunia.com
hxxp://omegasystemsuae.com
hxxp://ottenbourg.com
hxxp://shighil.com
hxxp://shiningshadowllc.com
Stay tuned!
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
A Compilation of Known Conti Ransomware Gang Malicious Executable Download Locations - An OSINT Analysis
I've decided to continue data mining the recently leaked Conti Ransomware Gang internal communications on my way to find and share more actionable intelligence in terms of their Internet-connected infrastructure and in this post I've decided to share a set of currently active malicious executable download locations courtesy of the Conti Ransomware gang which you can check out in terms of attribution and cyber attack campaign take down efforts.
Sample list of currently active Conti Ransomware gang malicious executable download locations:
hxxp://copyrightlive-ksa.com/Preview_Report.exe
hxxp://ebeautytrade.com/calc.exe
hxxp://37.1.209.181/2805/locker.exe
hxxp://omegasystemsuae.com/Preview_Document.exe
hxxp://copyrightlive-ksa.com/Preview_Document.exe
hxxp://www.alkanzalzahabi.com/Preview_Document.exe
hxxp://omegasystemsuae.com/Preview_Document.exe
hxxp://shawigroup.com/Preview_Document.exe
hxxp://copyrightlive-ksa.com/Preview_Document.exe
hxxp://www.alkanzalzahabi.com/Preview_Document.exe
hxxp://shawigroup.com/Preview_Document.exe
hxxp://copyrightlive-ksa.com/P32.exe
hxxp://shawigroup.com/Preview_Document.exe
hxxp://allacestech.com/Preview_Document.exe
hxxp://allacestech.com/Preview_Document.exe
hxxp://shawigroup.com/Preview_Document.exe
hxxp://allacestech.com/Preview_Document.exe
hxxp://allacestech.com/Preview_Document.exe
hxxp://allacestech.com/Preview_Document.exe
hxxp://globaluxrma.com/Preview_Document.exe
hxxp://globaluxrma.com/Preview_Document.exe
hxxp://shighil.com/Preview_Document.exe
hxxp://porceletta-ware.com/DocumentPreview.exe
hxxp://www.bsrdesigns.com/DocumentPreview.exe
hxxp://91.235.129.41/P32.exe
hxxp://porceletta-ware.com/DocumentPreview.exe
hxxp://porceletta-ware.com/DocumentPreview.exe
hxxp://porceletta-ware.com/DocumentPreview.exe
hxxp://porceletta-ware.com/DocumentPreview.exe
hxxp://porceletta-ware.com/DocumentPreview.exe
hxxp://watchespower.com/DocumentPreview.exe
hxxp://porceletta-ware.com/DocumentPreview.exe
hxxp://watchespower.com/DocumentPreview.exe
hxxp://www.bsrdesigns.com/DocumentPreview.exe
hxxp://watchespower.com/DocumentPreview.exe
hxxp://91.235.129.41/P32.exe
hxxp://91.235.129.41/P32.exe
hxxp://alexandersqualitycleaners.com/DocumentPreview.exe
hxxp://middletownfriedchickengyro.com/DocumentPreview.exe
hxxp://91.235.129.41/P32.exe
hxxp://dubaidreamsadventure.com/Document_Aerlingus.exe
hxxp://www.shiningshadowllc.com/Document_BritishAirways.exe
hxxp://dubaidreamsadventure.com/Document_Aerlingus.exe
hxxp://www.shiningshadowllc.com/Document_BritishAirways.exe
hxxp://dubaidreamsadventure.com/Document_Aerlingus.exe
hxxp://www.shiningshadowllc.com/Document_BritishAirways.exe
hxxp://www.shiningshadowllc.com/Document_BritishAirways.exe
hxxp://www.omegasystemsuae.com/Document_Aerlingus.exe
hxxp://www.omegasystemsuae.com/Document_Aerlingus.exe
hxxp://www.omegasystemsuae.com/Document_Aerlingus.exe
hxxp://www.omegasystemsuae.com/RalphLaurenDocument.exe
hxxp://copyrightlive-uae.com/calc.exe
hxxp://copyrightlive-uae.com/ld1n.exe
hxxp://copyrightlive-uae.com/DAFSDASD.exe
hxxp://copyrightlive-uae.com/DocumentPreview.exe
hxxp://www.almakaan.com/DocumentPreview.exe
hxxp://copyrightlive-uae.com/DocumentPreview.exe
hxxp://45.153.240.191/crypt/18554hs.exe
hxxp://copyrightlive-uae.com/DocumentPreview.exe
hxxp://copyrightlive-uae.com/PreviewDocument.exe
hxxp://194.5.249.13/p32.exe
hxxp://globaluxrma.com/ReviewDocument.exe
hxxp://shawigroup.com/ReviewDocument.exe
hxxp://bloomfieldholding.com/ReviewDocument.exe
hxxp://bloomfieldholding.com/wp-content/ReviewDocument.exe
hxxp://greenmountains.ae/YAS42.exe
hxxp://greenmountains.ae/YAS42.exehxxp://copyrightlive-ksa.com/Preview_Report.exe
hxxp://www.alkanzalzahabi.com/DocumentPreview.exe
hxxp://copyrightlive-ksa.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://allacestech.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://alwasl-syria.com/DocumentPreview.exe
hxxp://alwasl-syria.com/DocumentPreview.exe
hxxp://nutritionprofbob.com/DocumentPreview.exe
hxxp://violinstop.com/DocumentPreview.exe
hxxp://alwasl-syria.com/DocumentPreview.exe
hxxp://alwasl-syria.com/DocumentPreview.exe
hxxp://alwasl-syria.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://allacestech.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/Setup.exe
hxxp://www.omegasystemsuae.com/Setup.exe
hxxp://www.omegasystemsuae.com/Setup.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://bloomfieldholding.com/DocumentPreview.exe
hxxp://bloomfieldholding.com/PreviewDocument.exe
hxxp://shawigroup.com/DuplicateFinder.exe
hxxp://shawigroup.com/DuplicateFinder.exe
hxxp://shawigroup.com/DuplicateFinder.exe
hxxp://shawigroup.com/Doc-Print.exe
hxxp://middletownfriedchickengyro.com/DocumentPreview.exe
hxxp://middletownfriedchickengyro.com/Doc-Print.exe
hxxp://middletownfriedchickengyro.com/DocumentPreview.exe
hxxp://middletownfriedchickengyro.com/Doc-Print.exe
hxxp://nutritionprofbob.com/DocumentPreview.exe
hxxp://porceletta-ware.com/DocPreview.exe
hxxp://porceletta-ware.com/DocPreview.exe
hxxp://violinstop.com/DocumentPreview.exe
hxxp://porceletta-ware.com/DocPreview.exe
hxxp://www.ottenbourg.com/Doc-Preview.exe
hxxp://violinstop.com/DocumentPreview.exe
hxxp://violinstop.com/DocumentPreview.exe
hxxp://nutritionprofbob.com/DocumentPreview.exe
hxxp://www.shiningshadowllc.com/Doc-Preview.exe
hxxp://shighil.com/Doc-Preview.exe
hxxp://violinstop.com/DocumentPreview.exe
hxxp://gk24w3eumyv4fqajpbw6jbrd6eb4kwvcqcfg4po25cnxuqs7hhhan6yd.onion/npcap.exe
hxxp://www.ottenbourg.com/AcademiPreview.exe
hxxp://www.shiningshadowllc.com/Doc-Preview.exe
hxxp://ajeetsinghbaddan.com/Doc-Preview.exe
hxxp://www.shiningshadowllc.com/Doc-Preview.exe
hxxp://ajeetsinghbaddan.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc1.exe
hxxp://reefglobal.com/dl2a.exe
hxxp://paullesueurlegacyfoundation.com/9rhjdkjfh.exe
hxxp://www.ottenbourg.com/nagpsdo.exe
hxxp://www.namaskardunia.com/badtest2.exe
hxxp://www.namaskardunia.com/test1.exe
hxxp://45.148.120.192/service64.exe
hxxp://45.148.120.192/service111.exe
hxxp://45.148.120.192/service222.exe
hxxp://fdsfdsf.com/fdsfds/file.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://45.148.120.192/service64.exe
hxxp://45.148.120.192/service111.exe
hxxp://45.148.120.192/service222.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://dylanengineeringservices.com/3.exe
hxxp://dylanengineeringservices.com/3.exe
hxxp://www.ottenbourg.com/5.exe
hxxp://maintenance.com/autoupdate.exe
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe
hxxp://shighil.com/dl2.exe
hxxp://shighil.com/dl2.exe
hxxp://62.108.34.54/service64.exe
hxxp://62.108.34.54/service_ssl.exe
hxxp://62.108.34.54/P32.exe
hxxp://62.108.34.54/winserv.exe
hxxp://62.108.34.54/service64.exe
hxxp://62.108.34.54/service_ssl.exe
hxxp://62.108.34.54/P32.exe
hxxp://62.108.34.54/winserv.exe
hxxp://62.108.34.54/service64.exe
hxxp://62.108.34.54/service_ssl.exe
hxxp://62.108.34.54/P32.exe
hxxp://62.108.34.54/winserv.exe
hxxp://62.108.34.54/service64.exe
hxxp://62.108.34.54/service_ssl.exe
hxxp://62.108.34.54/P32.exe
hxxp://62.108.34.54/winserv.exe
hxxp://emploimed.com/dl2m.exe
hxxp://copyrightlive-ksa.com/t1000.exe
hxxp://www.shighil.com/dl2.exe
hxxp://www.shighil.com/dl2.exe
hxxp://nutritionprofbob.com/teste.exe
hxxp://copyrightlive-ksa.com/t1000.exe
hxxp://www.shiningshadowllc.com/DocumentPreview.exe
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe
hxxp://brankovucinec.blob.core.windows.net/downloads/mstsc.exe_.manifest.zip
hxxp://emploimed.com/scintillabc.exe
hxxp://emploimed.com/scintillabc.exe
hxxp://www.coalminds.com/Document_Print.exe
hxxp://www.sonorambc.org/Document_Print.exe
hxxp://nutritionprofbob.com/Preview.exe
hxxp://nutritionprofbob.com/Preview1.exe
hxxp://nutritionprofbob.com/Preview.exe
hxxp://nutritionprofbob.com/Preview1.exe
hxxp://nutritionprofbob.com/Preview.exe
hxxp://nutritionprofbob.com/Preview1.exe
hxxp://nutritionprofbob.com/Preview.exe
hxxp://nutritionprofbob.com/Preview1.exe
hxxp://nutritionprofbob.com/Preview.exe
hxxp://nutritionprofbob.com/Preview1.exe
hxxp://aspiremedstaff.com/Preview.exe
hxxp://nutritionprofbob.com/Preview.exe
hxxp://aspiremedstaff.com/Preview.exe
hxxp://puccienterprises.com/Preview.exe
hxxp://e-tech.ie/PreviewDoc.exe
hxxp://e-tech.ie/PreviewDoc.exe
hxxp://puccienterprises.com/Preview.exe
hxxp://aspiremedstaff.com/Preview.exe
hxxp://aspiremedstaff.com/Preview.exe
hxxp://e-tech.ie/PreviewDoc.exe
hxxp://nutritionprofbob.com/Preview1.exe
hxxp://nutritionprofbob.com/prw/Preview.exe
hxxp://nutritionprofbob.com/prw/Preview.exe
hxxp://violinstop.com/Preview.exe
hxxp://nutritionprofbob.com/prw/Preview.exe
hxxp://reefglobal.com/Preview.exe
hxxp://paullesueurlegacyfoundation.com/Preview.exe
hxxp://middletownfriedchickengyro.com/Preview.exe
hxxp://middletownfriedchickengyro.com/Preview.exe
hxxp://middletownfriedchickengyro.com/Preview.exe
hxxp://paullesueurlegacyfoundation.com/Preview.exe
hxxp://paullesueurlegacyfoundation.com/Preview.exe
hxxp://easychurchbooks.com/Preview.exe
hxxp://easychurchbooks.com/Preview.exe
hxxp://sonorambc.org/Preview.exe
hxxp://paullesueurlegacyfoundation.com/Preview.exe
hxxp://paullesueurlegacyfoundation.com/Preview.exe-
hxxp://aspiremedstaff.com/Print.exe
hxxp://aspiremedstaff.com/Print.exe
hxxp://aspiremedstaff.com/Print.exe
hxxp://emploimed.com/Print_Preview.exe
hxxp://www.namaskardunia.com/Preview.exe
hxxp://www.namaskardunia.com/Preview.exe
hxxp://atlantisprojects.ca/Preview.exe
hxxp://gilchrist.fl.us/Preview.exe
hxxp://www.parkisolutions.com/Preview.exe
hxxp://www.parkisolutions.com/Preview.exe
hxxp://unitedyfl.com/Print_Preview.exe
hxxp://unitedyfl.com/Print_Preview.exe
hxxp://www.parkisolutions.com/Preview.exe
hxxp://fancydes.webd.pl/Review.exe
hxxp://rayanat.com/Print_Preview.exe
hxxp://wholesalebosmereusa.com/Preview.exe
hxxp://kohlheatingandair.com/Review.exe
hxxp://fancydes.webd.pl/Review.exe
hxxp://rayanat.com/Preview_Print.exe
hxxp://calacatta.com/Preview.exe
hxxp://google.com/update.exe
hxxp://alwaslegypt.com/Preview.exe
hxxp://alwaslegypt.com/Preview.exe
hxxp://www.adventureworldindia.com/Preview.exe
hxxp://alwaslegypt.com/Preview.exe
hxxp://alwaslegypt.com/Preview.exe
hxxp://aspiremedstaff.com/Preview.exe
hxxp://aspiremedstaff.com/Preview.exe
hxxp://emploimed.com/Preview.exe
hxxp://emploimed.com/Preview.exe
hxxp://emploimed.com/Preview.exe
hxxp://emploimed.com/Preview.exe
hxxp://globaluxrma.com/Review.exe
hxxp://emploimed.com/Preview.exe
hxxp://emploimed.com/Preview.exe
hxxp://paullesueurlegacyfoundation.com/ReviewPrint.exe
hxxp://alwaslegypt.com/Preview.exe
hxxp://shighil.com/ReviewPrint.exe
hxxp://shighil.com/TerminationRep.exe
hxxp://alwaslegypt.com/Preview.exe
hxxp://www.omegasystemsuae.com/Preview.exe
hxxp://www.omegasystemsuae.com/BKOFR.exe
hxxp://copyrightlive-uae.com/P64.exe
hxxp://copyrightlive-uae.com/Print.pdf.exe
hxxp://copyrightlive-uae.com/P64.exe
hxxp://coffschamber.com.au/Review.exe
hxxp://coffschamber.com.au/Review.exe
hxxp://coffschamber.com.au/Review.exe
hxxp://cdn-102.anonfiles.com/XdzdPbVfo8/a6501123-1600284832/Review.exe
hxxp://cdn-102.anonfiles.com/XdzdPbVfo8/a6501123-1600284832/Review.exe
hxxp://cdn-33.anonfiles.com/L3oeQ0Vbo2/d37ab69a-1600287659/Preview.exe
hxxp://emploimed.com/Preview.exe
hxxp://cdn-33.anonfiles.com/L3oeQ0Vbo2/d37ab69a-1600287659/Preview.exe
hxxp://portableapps.com/downloading/?a=TeamViewerPortable&n=TeamViewer%20Portable&s=s&p=&d=pa&f=TeamViewerPortable_15.9.4.paf.exe
hxxp://www.omegasystemsuae.com/BKOFR.exe
hxxp://www.delwarren.com/backup/nowin.exe
hxxp://wikiapply.ir/Scrip.exe
hxxp://shighil.com/Scrit.exe
hxxp://shighil.com/Scrip.exe
hxxp://shighil.com/Print.exe
hxxp://nutritionprofbob.com/Preview.exe
hxxp://cdn-114.anonfiles.com/ZfSf52X2oc/76279be8-1600685243/mor125.exe
hxxp://dubaidreamsadventure.com/Print_Review.exe
hxxp://107.155.137.21/https_x64.exe
hxxp://stahlworks.com/dev/unzip.exe
hxxp://94.140.115.219/doc/http.bin_x86.exe
hxxp://94.140.115.219/doc/http64.bin_x64.exe
hxxp://94.140.115.219/doc/http.bin_x86.exe
hxxp://94.140.115.219/doc/http64.bin_x64.exe
hxxp://94.140.115.219/doc/htp_x64.exe
hxxp://94.140.115.219/doc/htp_x86.exe
hxxp://94.140.115.219/1/http64.exe
hxxp://94.140.115.219/1/P32.exe
hxxp://94.140.115.219/1/P64.exe
hxxp://94.140.115.219/1/run1.exe
hxxp://94.140.115.219/1/run2.exe
hxxp://94.140.115.219/1/service_http64.exe
hxxp://94.140.115.219/doc/http.bin_x86.exe
hxxp://94.140.115.219/doc/http64.bin_x64.exe
hxxp://94.140.115.219/doc/http.bin_x86.exe
hxxp://94.140.115.219/doc/http64.bin_x64.exe
hxxp://94.140.115.219/doc/htp_x64.exe
hxxp://94.140.115.219/doc/htp_x86.exe
hxxp://94.140.115.219/1/http64.exe
hxxp://94.140.115.219/1/P32.exe
hxxp://94.140.115.219/1/P64.exe
hxxp://94.140.115.219/1/run1.exe
hxxp://94.140.115.219/1/run2.exe
hxxp://94.140.115.219/1/service_http64.exe
hxxp://94.140.115.219/crypt/3/http_8080_x64.exe
hxxp://94.140.115.219/crypt/3/http64.exe
hxxp://94.140.115.219/crypt/3/https_8443_x64.exe
hxxp://94.140.115.219/crypt/3/P64.exe
hxxp://94.140.115.219/crypt/3/run2.exe
hxxp://94.140.115.219/crypt/3/run1.exe
hxxp://94.140.115.219/crypt/3/https_8443.exe
hxxp://94.140.115.219/crypt/3/http8080.exe
hxxp://94.140.115.219/crypt/3/http_8080_x64.exe
hxxp://94.140.115.219/crypt/3/http64.exe
hxxp://94.140.115.219/crypt/3/https_8443_x64.exe
hxxp://94.140.115.219/crypt/3/P64.exe
hxxp://94.140.115.219/crypt/3/run2.exe
hxxp://94.140.115.219/crypt/3/run1.exe
hxxp://94.140.115.219/crypt/3/https_8443.exe
hxxp://94.140.115.219/crypt/3/http8080.exe
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe
hxxp://94.140.115.219/3/http_8080_x64.exe
hxxp://94.140.115.219/3/http64.exe
hxxp://94.140.115.219/3/http8080.exe
hxxp://94.140.115.219/3/https_8443.exe
hxxp://94.140.115.219/3/https_8443_x64.exe
hxxp://94.140.115.219/3/P32.exe
hxxp://94.140.115.219/3/p64.exe
hxxp://94.140.115.219/3/run1.exe
hxxp://94.140.115.219/3/run2.exe
hxxp://94.140.115.219/4/http.exe
hxxp://94.140.115.219/4/http64.exe
hxxp://94.140.115.219/4/https.exe
hxxp://94.140.115.219/4/https64.exe
hxxp://94.140.115.219/4/P32.exe
hxxp://94.140.115.219/4/P64.exe
hxxp://94.140.115.219/4/run1.exe
hxxp://94.140.115.219/4/run2.exe
hxxp://94.140.115.219/4/serv_http64.exe
hxxp://94.140.115.219/3/http_8080_x64.exe
hxxp://94.140.115.219/3/http64.exe
hxxp://94.140.115.219/3/http8080.exe
hxxp://94.140.115.219/3/https_8443.exe
hxxp://94.140.115.219/3/https_8443_x64.exe
hxxp://94.140.115.219/3/P32.exe
hxxp://94.140.115.219/3/p64.exe
hxxp://94.140.115.219/3/run1.exe
hxxp://94.140.115.219/3/run2.exe
hxxp://94.140.115.219/4/http.exe
hxxp://94.140.115.219/4/http64.exe
hxxp://94.140.115.219/4/https.exe
hxxp://94.140.115.219/4/https64.exe
hxxp://94.140.115.219/4/P32.exe
hxxp://94.140.115.219/4/P64.exe
hxxp://94.140.115.219/4/run1.exe
hxxp://94.140.115.219/4/run2.exe
hxxp://94.140.115.219/4/serv_http64.exe
hxxp://94.140.115.219/4/http.exe
hxxp://94.140.115.219/4/http64.exe
hxxp://94.140.115.219/4/https.exe
hxxp://94.140.115.219/4/https64.exe
hxxp://94.140.115.219/4/P32.exe
hxxp://94.140.115.219/4/P64.exe
hxxp://94.140.115.219/4/run1.exe
hxxp://94.140.115.219/4/run2.exe
hxxp://94.140.115.219/4/serv_http64.exe
hxxp://94.140.115.219/4/http.exe
hxxp://94.140.115.219/4/http64.exe
hxxp://94.140.115.219/4/https.exe
hxxp://94.140.115.219/4/https64.exe
hxxp://94.140.115.219/4/P32.exe
hxxp://94.140.115.219/4/P64.exe
hxxp://94.140.115.219/4/run1.exe
hxxp://94.140.115.219/4/run2.exe
hxxp://94.140.115.219/4/serv_http64.exe
hxxp://94.140.115.219/3/http_8080_x64.exe
hxxp://94.140.115.219/3/http64.exe
hxxp://94.140.115.219/3/http8080.exe
hxxp://94.140.115.219/3/https_8443.exe
hxxp://94.140.115.219/3/https_8443_x64.exe
hxxp://94.140.115.219/3/P32.exe
hxxp://94.140.115.219/3/p64.exe
hxxp://94.140.115.219/3/run1.exe
hxxp://94.140.115.219/3/run2.exe
hxxp://94.140.115.219/3/http_8080_x64.exe
hxxp://94.140.115.219/3/http64.exe
hxxp://94.140.115.219/3/http8080.exe
hxxp://94.140.115.219/3/https_8443.exe
hxxp://94.140.115.219/3/https_8443_x64.exe
hxxp://94.140.115.219/3/P32.exe
hxxp://94.140.115.219/3/p64.exe
hxxp://94.140.115.219/3/run1.exe
hxxp://94.140.115.219/3/run2.exe
Stay tuned!
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Sunday, June 19, 2022
A Compilation of Known Conti Ransomware Gang Personal Email Address Accounts - An OSINT Analysis
This summary is not available. Please
click here to view the post.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Tuesday, June 14, 2022
Another Massive Embedded Malware Attack
Compared to the previous massive malware embedded attack in Italy that I asessed in June, 2007 which was primarily relying on the fact that a shared hosting provider got hacked into, this one is more interesting to follow because the domains have nothing to do with each other, in fact some are suspected of being generated for blackhat SEO purposes in combination with embedded malware. The rest are legitimate sites. Moreover, the campaign is currently in a cover up stage, but the sites are still serving the IFRAME you can see in the attached screenshot. Currently affected sites where over 90% still have the IFRAME within :
syncopatedvideo.comja-bob.com
idledrawings.com
biblequizzer.net
johnnydam.com
gonaus.com
caribbeanjamz.net
campbellscollision.com
instopiainsurance.com
electronicesthetics.com
blackopalproductions.com
loadway.com
mtwashingtonkennelclub.com
shoveltown.com
simplabase.com
ajrivers.com
jacquelinesdayspa.com
epidemianet.com
aabosa.net
bisign.com
orangevaleson.com
blackmanassociates.com
jumarktrade.com
queerduck.icebox.com
The main campaign IFRAME URL is megazo.org/trans.htm serving TR/Crypt.XPACK.Gen and using its own nameservers ns1.megazo.org (203.117.111.102) and ns2.megazo.org (203.117.111.103) which is also hosting 13fr.info; 1sense.info; 1speed.info. Deobfuscation leads to 1spice.info/t/ (203.121.79.164) where we're redirected to 203.121.79.164/cgi-bin/new/in.cgi?p=user4, both URLs try to exploit MDAC ActiveX code execution (CVE-2006-0003) vulnerability. Another exploit URL is also active at this IP - 203.121.79.164/web/index.php which is Icepack is action.
Related posts:
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
209.1 Host Locked
I've been playing a cat and mouse game with the folks behind several different phishing campaigns using the Rock Phish kit for a while now, in between tracking down the New Media Malware Gang and several other related malware campaigns. The Rock Phishers seem to keep track of this, and periodically change the default error message returned on a Rock Phish domain. First it was "209 Host Locked", than it became "66.1 Host Locked", and how they've again changed it on a wide scale to "209.1 Host Locked". Try these : forceadd.com.ph
goldline.org.ph
paypal-accounts.com
mte1nt.ac.cn
Now, would you believe that due to outsourcing considerations NatWest Bank are now using a Siberian ISP? Naah, in your wicked dreams only! This campaign has been going on for the last 24 hours :
natwest.com.tx49.hk/onlinebanking/customerform.aspx
natwest.com.tx40.hk/onlinebanking/customerform.aspx
natwest.com.tx48.hk/onlinebanking/customerform.aspx
natwest.com.tx15.hk/onlinebanking/customerform.aspx
natwest.com.tx47.hk/onlinebanking/customerform.aspx
natwest.com.tx40.hk/onlinebanking/customerform.aspx
natwest.com.iyeufv.org.ph/onlinebanking/customerform.aspx
natwest.com.yeufv.ph/onlinebanking/customerform.aspx
natwest.com.modifitool.kg/onlinebanking/customerform.aspx
Now, let's get back to the domain farms. The first one is located in CTS SIBERIA Complex Telematic Systems Joint Stock Company 53, Pisareva st , Novosibirsk, 630005, RUSSIA, at 81.16.131.40 and is hosting :6584.tw
business-internet-banking.hsbc.com.yeufv.com.ph
hsbc.com.yeufv.com.ph
myyeufv.net.ph
polro.ph
tx49.hk
tx55.hk
yeufv.com.ph
The second one is located in CL-ECSA-LACNIC ENTEL CHILE S.A. at 200.72.139.67, and the IP is acting as the main IP for a wide range of NS servers which further expand the domain farm. As I've already pointed out numerous times, Rock Phish is a great example of how centralization means, both, efficiency and easy of management, and an insecurity from the perspective that shutting down the IP will shut down the entire scammy ecosystem of over 30 Rock Phish domains hosting approximately from 5 to 10 different phishing campaigns targeting different brands on a single domain. Here's another perspective on the blended threat posed by phishing emails that come with embedded banker malware, the results of which get later on aggregated in a banking malware infected botnet only. Find out more about trends and developments related to phishing in 2007 in a related article, and the Rock Phish kit in principle.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Fake Codec Serving Domains from Digg.com's Comment Spam Attack
The following assessment details all the redirectors, fake codec serving domains, as well as related fake security software domains used in the Digg.com' comment spam attack.
The complete list of the domain redirectors used in the comment spam attack:worldnews-video .com - 459,000 bogus comments
youtube-top-video .com - 98,000 bogus comments
new-videos .info - 92,500 bogus comments
film-man .com - 50,700 bogus comments
last-sex-news .com - 26, 000 bogus comments
video-news .cn - 25, 500 bogus comments
last-porno-news .com - 21,500 bogus comments
fresh-video-news .com - 10,900 bogus comments
broken-tv .com - 10,000 bogus comments
video-trailers .net - 8,370 bogus comments
exclusive-videos .net - 7860 bogus comments
funkytube .net - 6,170 bogus comments
shocking-stars .net - 2,600 bogus comments
cinemacafe .tv - 1560 bogus comments
watch-video .cn - 3000 bogus comments
vidstream .cn - 397 bogus comments
divgg .com - 174 bogus comments
golden-portal .us - 3040 bogus comments
tubedirects .net - 290 bogus comments
funkytube .net - 6,480 bogus comments
watchepisodes .cn - 331 bogus comments
video-sensation .com - 1,500 bogus commentsbestlive-tv .cn - 216 bogus comments
svtube .cn - 222 bogus comments
onlyhotvideos .com - 413 bogus comments
celebnudestars .net - 326 bogus comments
usatvshows .us - 41 bogus comments
vidstream .cn - 398 bogus comments
divgg .com - 171 bogus comments
tubedirects .net - 285 bogus comments
yuotnbe .com - 370 bogus comments
omeia .info - 769 bogus comments
video.stumbulepon .com - 669 bogus comments
shocking-stars .net - 2,650 bogus comments
sowonder .net - 3000 bogus comments
sex-tapes-celebs .com - 2,210 bogus comments
video-sensation .com - 1,690 bogus comments
Currently active download locations for the fake codecs, and the rogue security software: vivaextra .com
tube-xxx-tv2009 .com
onlinestreamsofware .com
demoextra .com
best-tube-2008 .net
tubeportalsoftware2008 .com
tubesoftwareviewer2008 .com
exefilesdownload2009 .com
tubesoftwareviewer2009 .com
uporntube-07 .com
tubeporn08 .com
uporn-tube .com
uporntube2009 .com
porn-tube09 .com
tubeporn09 .com
xxxporn-tube .com
porntubenew .com
ultra-extra .com
xp-police .com
xp-police-av .com
xp-police-2009 .com
antiviralscanner14 .com
Detection rates for the codecs/rogue security software:
viewtubesoftware.40020.exe
Result: 8/39 (20.51%)
File size: 71680 bytes
MD5...: ef26250b946a63112659c94eed016e0d
SHA1..: 902fd30cd4a7465c9f5271971604d273ed74a60c
viewtubesoftware.400201.exe
Result: 7/39 (17.95%)
File size: 62464 bytes
MD5...: 1d4c3a6d2cc8c645652f7090636e5a4b
SHA1..: ccc1994a521d9e8a053a345b9d9cc28a63415845
Install.exe
Result: 5/39 (12.82%)
File size: 77830 bytes
MD5...: 64557f21c50b6c063cc96ba661bcd27c
SHA1..: 5a765a92de07af756c96c83139be8ddace117ef1
install1.exe
Result: 4/39 (10.26%)
File size: 73222 bytes
MD5...: 890bf32b34b7abab7aa7ea049215c429
SHA1..: 8c311a8b6096914f758bcaf82aca465bcc885110
The first comments including links to these domains have been posted at Digg.com on January, 2008 - over an year ago.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Comments (Atom)