I'm on Cryptome.org!

0
June 22, 2022

Want to hear the big news? My "Cyber Intelligence" memoir, available in multiple E-Book reader formats here, has just made it to Cryptome.org, which is good news in terms of reaching more readers and knowledge-seekers in the world of cybercrime research, security blogging and threat intelligence gathering.

Stay tuned for more good news, and go through my research publications portfolio, available in multiple E-Book formats and readers at Archive.org.

Stay tuned!

Continue reading →

Shots from the Wild West - Random Cybercrime Ecosystem Screenshots 2021 - An OSINT Analysis - Part Nine

0
June 21, 2022

Continuing the "Random Cybercrime Ecosystem Screenshots 2021" series, I've decided to share a second compilation of random cybercrime ecosystem screenshots, courtesy of me, circa 2010, taken while doing my research. Enjoy!

Sample random cybercrime ecosystem screenshots courtesy of me circa 2010:


Continue reading →

A Compilation of Known Conti Ransomware Malicious Domains - An OSINT Analysis

0
June 21, 2022

I've decided to dig a little deeper into the recently leaked Conti ransomware gang internal communications and to share a set of known Conti ransomware malicious domains found in the original leaked communications of the gang.

Sample Conti ransomware malicious domains known to have been involved in various malicious and fraudulent campaigns include:

hxxp://atlantisprojects.ca

hxxp://dylanengineeringservices.com

hxxp://fancydes.webd.pl

hxxp://fdsfdsf.com

hxxp://kohlheatingandair.com

hxxp://stahlworks.com

hxxp://wholesalebosmereusa.com

hxxp://coalminds.com

hxxp://parkisolutions.com

hxxp://sonorambc.org

hxxp://ajeetsinghbaddan.com

hxxp://alexandersqualitycleaners.com

hxxp://allacestech.com

hxxp://alwasl-syria.com

hxxp://alwaslegypt.com

hxxp://aspiremedstaff.com

hxxp://bloomfieldholding.com

hxxp://calacatta.com

hxxp://coffschamber.com.au

hxxp://copyrightlive-ksa.com

hxxp://dubaidreamsadventure.com

hxxp://e-tech.ie

hxxp://easychurchbooks.com

hxxp://ebeautytrade.com

hxxp://emploimed.com

hxxp://gilchrist.fl.us

hxxp://globaluxrma.com

hxxp://greenmountains.ae

hxxp://maintenance.com

hxxp://middletownfriedchickengyro.com

hxxp://nutritionprofbob.com

hxxp://paullesueurlegacyfoundation.com

hxxp://porceletta-ware.com

hxxp://puccienterprises.com

hxxp://rayanat.com

hxxp://reefglobal.com

hxxp://shawigroup.com

hxxp://unitedyfl.com

hxxp://violinstop.com

hxxp://watchespower.com

hxxp://wikiapply.ir

hxxp://adventureworldindia.com

hxxp://alkanzalzahabi.com

hxxp://almakaan.com

hxxp://bsrdesigns.com

hxxp://delwarren.com

hxxp://namaskardunia.com

hxxp://omegasystemsuae.com

hxxp://ottenbourg.com

hxxp://shighil.com

hxxp://shiningshadowllc.com

Stay tuned!

Continue reading →

A Compilation of Known Conti Ransomware Gang Malicious Executable Download Locations - An OSINT Analysis

0
June 21, 2022

I've decided to continue data mining the recently leaked Conti Ransomware Gang internal communications in order to find and share more actionable intelligence on their Internet-connected infrastructure. In this post I'm sharing a set of currently active malicious executable download locations courtesy of the Conti Ransomware gang, which you can use for attribution and cyber attack campaign take-down efforts.

Sample list of currently active Conti Ransomware gang malicious executable download locations:
hxxp://copyrightlive-ksa.com/Preview_Report.exe
hxxp://ebeautytrade.com/calc.exe
hxxp://37.1.209.181/2805/locker.exe
hxxp://omegasystemsuae.com/Preview_Document.exe
hxxp://copyrightlive-ksa.com/Preview_Document.exe
hxxp://www.alkanzalzahabi.com/Preview_Document.exe
hxxp://shawigroup.com/Preview_Document.exe
hxxp://copyrightlive-ksa.com/P32.exe
hxxp://allacestech.com/Preview_Document.exe
hxxp://globaluxrma.com/Preview_Document.exe
hxxp://shighil.com/Preview_Document.exe
hxxp://porceletta-ware.com/DocumentPreview.exe
hxxp://www.bsrdesigns.com/DocumentPreview.exe
hxxp://91.235.129.41/P32.exe
hxxp://watchespower.com/DocumentPreview.exe
hxxp://alexandersqualitycleaners.com/DocumentPreview.exe
hxxp://middletownfriedchickengyro.com/DocumentPreview.exe
hxxp://dubaidreamsadventure.com/Document_Aerlingus.exe
hxxp://www.shiningshadowllc.com/Document_BritishAirways.exe
hxxp://www.omegasystemsuae.com/Document_Aerlingus.exe
hxxp://www.omegasystemsuae.com/RalphLaurenDocument.exe
hxxp://copyrightlive-uae.com/calc.exe
hxxp://copyrightlive-uae.com/ld1n.exe
hxxp://copyrightlive-uae.com/DAFSDASD.exe
hxxp://copyrightlive-uae.com/DocumentPreview.exe
hxxp://www.almakaan.com/DocumentPreview.exe
hxxp://45.153.240.191/crypt/18554hs.exe
hxxp://copyrightlive-uae.com/PreviewDocument.exe
hxxp://194.5.249.13/p32.exe
hxxp://globaluxrma.com/ReviewDocument.exe
hxxp://shawigroup.com/ReviewDocument.exe
hxxp://bloomfieldholding.com/ReviewDocument.exe
hxxp://bloomfieldholding.com/wp-content/ReviewDocument.exe
hxxp://greenmountains.ae/YAS42.exe
hxxp://www.alkanzalzahabi.com/DocumentPreview.exe
hxxp://copyrightlive-ksa.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://allacestech.com/DocumentPreview.exe
hxxp://alwasl-syria.com/DocumentPreview.exe
hxxp://nutritionprofbob.com/DocumentPreview.exe
hxxp://violinstop.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/Setup.exe
hxxp://bloomfieldholding.com/DocumentPreview.exe
hxxp://bloomfieldholding.com/PreviewDocument.exe
hxxp://shawigroup.com/DuplicateFinder.exe
hxxp://shawigroup.com/Doc-Print.exe
hxxp://middletownfriedchickengyro.com/Doc-Print.exe
hxxp://porceletta-ware.com/DocPreview.exe
hxxp://www.ottenbourg.com/Doc-Preview.exe
hxxp://www.shiningshadowllc.com/Doc-Preview.exe
hxxp://shighil.com/Doc-Preview.exe
hxxp://gk24w3eumyv4fqajpbw6jbrd6eb4kwvcqcfg4po25cnxuqs7hhhan6yd.onion/npcap.exe
hxxp://www.ottenbourg.com/AcademiPreview.exe
hxxp://ajeetsinghbaddan.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc-Preview.exe
hxxp://reefglobal.com/Doc1.exe
hxxp://reefglobal.com/dl2a.exe
hxxp://paullesueurlegacyfoundation.com/9rhjdkjfh.exe
hxxp://www.ottenbourg.com/nagpsdo.exe
hxxp://www.namaskardunia.com/badtest2.exe
hxxp://www.namaskardunia.com/test1.exe
hxxp://45.148.120.192/service64.exe
hxxp://45.148.120.192/service111.exe
hxxp://45.148.120.192/service222.exe
hxxp://fdsfdsf.com/fdsfds/file.exe
hxxp://www.ottenbourg.com/upload/xml1.exe
hxxp://dylanengineeringservices.com/3.exe
hxxp://www.ottenbourg.com/5.exe
hxxp://maintenance.com/autoupdate.exe
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe
hxxp://shighil.com/dl2.exe
hxxp://62.108.34.54/service64.exe
hxxp://62.108.34.54/service_ssl.exe
hxxp://62.108.34.54/P32.exe
hxxp://62.108.34.54/winserv.exe
hxxp://emploimed.com/dl2m.exe
hxxp://copyrightlive-ksa.com/t1000.exe
hxxp://www.shighil.com/dl2.exe
hxxp://nutritionprofbob.com/teste.exe
hxxp://www.shiningshadowllc.com/DocumentPreview.exe
hxxp://brankovucinec.blob.core.windows.net/downloads/mstsc.exe_.manifest.zip
hxxp://emploimed.com/scintillabc.exe
hxxp://www.coalminds.com/Document_Print.exe
hxxp://www.sonorambc.org/Document_Print.exe
hxxp://nutritionprofbob.com/Preview.exe
hxxp://nutritionprofbob.com/Preview1.exe
hxxp://aspiremedstaff.com/Preview.exe
hxxp://puccienterprises.com/Preview.exe
hxxp://e-tech.ie/PreviewDoc.exe
hxxp://nutritionprofbob.com/prw/Preview.exe
hxxp://violinstop.com/Preview.exe
hxxp://reefglobal.com/Preview.exe
hxxp://paullesueurlegacyfoundation.com/Preview.exe
hxxp://middletownfriedchickengyro.com/Preview.exe
hxxp://easychurchbooks.com/Preview.exe
hxxp://sonorambc.org/Preview.exe
hxxp://aspiremedstaff.com/Print.exe
hxxp://emploimed.com/Print_Preview.exe
hxxp://www.namaskardunia.com/Preview.exe
hxxp://atlantisprojects.ca/Preview.exe
hxxp://gilchrist.fl.us/Preview.exe
hxxp://www.parkisolutions.com/Preview.exe
hxxp://unitedyfl.com/Print_Preview.exe
hxxp://fancydes.webd.pl/Review.exe
hxxp://rayanat.com/Print_Preview.exe
hxxp://wholesalebosmereusa.com/Preview.exe
hxxp://kohlheatingandair.com/Review.exe
hxxp://rayanat.com/Preview_Print.exe
hxxp://calacatta.com/Preview.exe
hxxp://google.com/update.exe
hxxp://alwaslegypt.com/Preview.exe
hxxp://www.adventureworldindia.com/Preview.exe
hxxp://emploimed.com/Preview.exe
hxxp://globaluxrma.com/Review.exe
hxxp://paullesueurlegacyfoundation.com/ReviewPrint.exe
hxxp://shighil.com/ReviewPrint.exe
hxxp://shighil.com/TerminationRep.exe
hxxp://www.omegasystemsuae.com/Preview.exe
hxxp://www.omegasystemsuae.com/BKOFR.exe
hxxp://copyrightlive-uae.com/P64.exe
hxxp://copyrightlive-uae.com/Print.pdf.exe
hxxp://coffschamber.com.au/Review.exe
hxxp://cdn-102.anonfiles.com/XdzdPbVfo8/a6501123-1600284832/Review.exe
hxxp://cdn-33.anonfiles.com/L3oeQ0Vbo2/d37ab69a-1600287659/Preview.exe
hxxp://portableapps.com/downloading/?a=TeamViewerPortable&n=TeamViewer%20Portable&s=s&p=&d=pa&f=TeamViewerPortable_15.9.4.paf.exe
hxxp://www.delwarren.com/backup/nowin.exe
hxxp://wikiapply.ir/Scrip.exe
hxxp://shighil.com/Scrit.exe
hxxp://shighil.com/Scrip.exe
hxxp://shighil.com/Print.exe
hxxp://cdn-114.anonfiles.com/ZfSf52X2oc/76279be8-1600685243/mor125.exe
hxxp://dubaidreamsadventure.com/Print_Review.exe
hxxp://107.155.137.21/https_x64.exe
hxxp://stahlworks.com/dev/unzip.exe
hxxp://94.140.115.219/doc/http.bin_x86.exe
hxxp://94.140.115.219/doc/http64.bin_x64.exe
hxxp://94.140.115.219/doc/htp_x64.exe
hxxp://94.140.115.219/doc/htp_x86.exe
hxxp://94.140.115.219/1/http64.exe
hxxp://94.140.115.219/1/P32.exe
hxxp://94.140.115.219/1/P64.exe
hxxp://94.140.115.219/1/run1.exe
hxxp://94.140.115.219/1/run2.exe
hxxp://94.140.115.219/1/service_http64.exe
hxxp://94.140.115.219/crypt/3/http_8080_x64.exe
hxxp://94.140.115.219/crypt/3/http64.exe
hxxp://94.140.115.219/crypt/3/https_8443_x64.exe
hxxp://94.140.115.219/crypt/3/P64.exe
hxxp://94.140.115.219/crypt/3/run2.exe
hxxp://94.140.115.219/crypt/3/run1.exe
hxxp://94.140.115.219/crypt/3/https_8443.exe
hxxp://94.140.115.219/crypt/3/http8080.exe
hxxp://94.140.115.219/3/http_8080_x64.exe
hxxp://94.140.115.219/3/http64.exe
hxxp://94.140.115.219/3/http8080.exe
hxxp://94.140.115.219/3/https_8443.exe
hxxp://94.140.115.219/3/https_8443_x64.exe
hxxp://94.140.115.219/3/P32.exe
hxxp://94.140.115.219/3/p64.exe
hxxp://94.140.115.219/3/run1.exe
hxxp://94.140.115.219/3/run2.exe
hxxp://94.140.115.219/4/http.exe
hxxp://94.140.115.219/4/http64.exe
hxxp://94.140.115.219/4/https.exe
hxxp://94.140.115.219/4/https64.exe
hxxp://94.140.115.219/4/P32.exe
hxxp://94.140.115.219/4/P64.exe
hxxp://94.140.115.219/4/run1.exe
hxxp://94.140.115.219/4/run2.exe
hxxp://94.140.115.219/4/serv_http64.exe
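
The two Conti lists above (the domain list in the previous post and the download locations in this one) are raw grep output: defanged with hxxp://, repeated many times over, mixing www and bare hostnames, IP-only hosts and one .onion address, and containing a few entries (google.com/update.exe, the portableapps.com TeamViewer download, the anonfiles CDN links, an Azure blob) that look like legitimate software or throwaway file hosting rather than attacker-controlled infrastructure. Before any of it goes into a blocklist it needs normalising and triage. The Python below is an added example written for this page, not the author's tooling and not anything from the Conti leak itself: the sample input is a handful of lines constructed from the lists above, and the allowlist of hosts to review rather than block (REVIEW_HOSTS, REVIEW_SUFFIXES) is an assumption you should adapt.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches a defanged URL and also splits two URLs that were run together on
# one line ("...YAS42.exehxxp://..."); hxxps:// is accepted as well.
URL_RE = re.compile(r"hxxps?://.+?(?=hxxps?://|\s|$)")

# Assumption, not from the page: hosts that are well-known software or
# throwaway file-sharing services. They should be reviewed, not blocked.
REVIEW_HOSTS = {"google.com", "portableapps.com"}
REVIEW_SUFFIXES = (".anonfiles.com", ".blob.core.windows.net")

# Constructed samples: a few lines copied from the two lists above, with
# exact duplicates, one fused line and one trailing-dash line kept in.
DOMAIN_LIST = """
hxxp://omegasystemsuae.com
hxxp://copyrightlive-ksa.com
hxxp://greenmountains.ae
hxxp://shawigroup.com
"""

DOWNLOAD_LIST = """
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://www.omegasystemsuae.com/DocumentPreview.exe
hxxp://omegasystemsuae.com/Preview_Document.exe
hxxp://copyrightlive-uae.com/P64.exe
hxxp://94.140.115.219/4/P32.exe
hxxp://94.140.115.219/crypt/3/P64.exe
hxxp://google.com/update.exe
hxxp://cdn-102.anonfiles.com/XdzdPbVfo8/a6501123-1600284832/Review.exe
hxxp://gk24w3eumyv4fqajpbw6jbrd6eb4kwvcqcfg4po25cnxuqs7hhhan6yd.onion/npcap.exe
hxxp://greenmountains.ae/YAS42.exehxxp://copyrightlive-ksa.com/Preview_Report.exe
hxxp://paullesueurlegacyfoundation.com/Preview.exe-
"""


def refang(url: str) -> str:
    """hxxp(s):// back to http(s)://, dropping stray trailing punctuation."""
    return re.sub(r"^hxxp", "http", url.strip().rstrip("-.,;"), flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(host: str) -> str:
    """'ip', 'onion', 'review' (allowlisted, check by hand) or 'domain'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    if host.endswith(".onion"):
        return "onion"
    if host in REVIEW_HOSTS or host.endswith(REVIEW_SUFFIXES):
        return "review"
    return "domain"


def extract_urls(text: str) -> list:
    """Unique, refanged URLs in first-seen order."""
    seen = []
    for match in URL_RE.finditer(text):
        url = refang(match.group(0))
        if url not in seen:
            seen.append(url)
    return seen


def triage(download_text: str, domain_text: str) -> dict:
    """Dedupe, count per host, classify, and cross-check against the domain list."""
    urls = extract_urls(download_text)
    known = {host_of(u) for u in extract_urls(domain_text)}
    by_host = Counter(host_of(u) for u in urls)
    classes = {h: classify(h) for h in by_host}
    return {
        "unique_urls": urls,
        "hosts_by_count": by_host.most_common(),
        "classes": classes,
        # domain-class hosts seen in the download list that the domain list misses
        "not_in_domain_list": sorted(h for h, c in classes.items() if c == "domain" and h not in known),
    }


if __name__ == "__main__":
    report = triage(DOWNLOAD_LIST, DOMAIN_LIST)
    print(len(report["unique_urls"]), "unique URLs")
    for host, n in report["hosts_by_count"]:
        print(f"{n:3d}  {host}  [{report['classes'][host]}]")
    print("not in the domain list:", ", ".join(report["not_in_domain_list"]))
```

Run against the full lists, the "not_in_domain_list" output is the interesting part: copyrightlive-uae.com, for instance, hosts several payloads here but does not appear in the domain post, and the "review" class collects exactly the entries that would cause collateral damage if pushed to a proxy or DNS blocklist unread.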

Stay tuned!

Continue reading →

Another Massive Embedded Malware Attack

0
June 14, 2022
Compared to the previous massive embedded malware attack in Italy that I assessed in June 2007, which primarily relied on a shared hosting provider having been hacked, this one is more interesting to follow because the domains have nothing to do with each other; in fact, some are suspected of having been generated for blackhat SEO purposes in combination with embedded malware, while the rest are legitimate sites. Moreover, the campaign is currently in a cover-up stage, but the sites are still serving the IFRAME you can see in the attached screenshot. Currently affected sites, over 90% of which still have the IFRAME embedded:

syncopatedvideo.com
ja-bob.com
idledrawings.com
biblequizzer.net
johnnydam.com
gonaus.com
caribbeanjamz.net
campbellscollision.com
instopiainsurance.com
electronicesthetics.com
blackopalproductions.com
loadway.com
mtwashingtonkennelclub.com
shoveltown.com
simplabase.com
ajrivers.com
jacquelinesdayspa.com
epidemianet.com
aabosa.net
bisign.com
orangevaleson.com
blackmanassociates.com
jumarktrade.com
queerduck.icebox.com

The main campaign IFRAME URL is megazo.org/trans.htm, serving TR/Crypt.XPACK.Gen and using its own nameservers ns1.megazo.org (203.117.111.102) and ns2.megazo.org (203.117.111.103), which also host 13fr.info, 1sense.info and 1speed.info. Deobfuscation leads to 1spice.info/t/ (203.121.79.164), from where we're redirected to 203.121.79.164/cgi-bin/new/in.cgi?p=user4; both URLs attempt to exploit the MDAC ActiveX code execution vulnerability (CVE-2006-0003). Another exploit URL is also active at this IP, 203.121.79.164/web/index.php, which is IcePack in action.
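
The injection described above is a single off-site IFRAME planted on otherwise unrelated sites, and the post notes that over 90% of them still carry it. A quick way to check a crawl of those sites for the injected frame is to parse each page's iframe tags and flag the ones that point off-site to a blocklisted host or are sized or styled to be invisible. This is an added example, not part of the original post: the sample page, the IFRAME attributes (width and height of 0) and the blocklist contents are constructed assumptions, since the post does not show the actual injected markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed blocklist: the campaign hosts named in the post above.
BLOCKLIST = {"megazo.org", "1spice.info"}
HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden")

# Constructed sample page: a benign visible embed, the injected campaign
# frame (attributes are assumed; the post does not show the markup), and an
# off-site frame hidden only via CSS.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://player.example.com/embed/1" width="480" height="360"></iframe>
<iframe src="http://megazo.org/trans.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://unknown.example.net/x.htm" style="display: none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1, with or without a px suffix."""
    v = value.strip().lower().rstrip("px%")
    return v.isdigit() and int(v) <= 1


def suspicious_iframes(html: str, page_host: str, blocklist=BLOCKLIST) -> list:
    """Return off-site iframes that are blocklisted and/or made invisible."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        if not host or host == page_host.lower():
            continue  # relative or same-site frame: out of scope here
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (_is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))) or any(
            hint in style for hint in HIDDEN_STYLE_HINTS
        )
        reasons = []
        if host in blocklist or any(host.endswith("." + b) for b in blocklist):
            reasons.append("blocklisted host")
        if hidden:
            reasons.append("hidden")
        if reasons:
            hits.append({"src": src, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE, "syncopatedvideo.com"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The "hidden" check is deliberately independent of the blocklist: a zero-sized or display:none frame pointing off-site is worth a look even before the destination shows up in anyone's feed, which is exactly the window in which a campaign like this one does its damage. Injections done via obfuscated JavaScript that writes the iframe at run time will not show up in static HTML and need a rendering browser or a script deobfuscation step instead.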

Continue reading →

209.1 Host Locked

0
June 14, 2022
I've been playing a cat and mouse game with the folks behind several different phishing campaigns using the Rock Phish kit for a while now, in between tracking down the New Media Malware Gang and several other related malware campaigns. The Rock Phishers seem to keep track of this, and periodically change the default error message returned on a Rock Phish domain. First it was "209 Host Locked", then it became "66.1 Host Locked", and now they've again changed it on a wide scale to "209.1 Host Locked". Try these:

forceadd.com.ph
goldline.org.ph
paypal-accounts.com
mte1nt.ac.cn

Now, would you believe that, due to outsourcing considerations, NatWest Bank is now using a Siberian ISP? Naah, in your wicked dreams only! This campaign has been going on for the last 24 hours:

natwest.com.tx49.hk/onlinebanking/customerform.aspx
natwest.com.tx40.hk/onlinebanking/customerform.aspx
natwest.com.tx48.hk/onlinebanking/customerform.aspx
natwest.com.tx15.hk/onlinebanking/customerform.aspx
natwest.com.tx47.hk/onlinebanking/customerform.aspx
natwest.com.tx40.hk/onlinebanking/customerform.aspx
natwest.com.iyeufv.org.ph/onlinebanking/customerform.aspx
natwest.com.yeufv.ph/onlinebanking/customerform.aspx
natwest.com.modifitool.kg/onlinebanking/customerform.aspx

Now, let's get back to the domain farms. The first one is located at CTS SIBERIA Complex Telematic Systems Joint Stock Company, 53 Pisareva st, Novosibirsk, 630005, RUSSIA, at 81.16.131.40, and is hosting:

6584.tw
business-internet-banking.hsbc.com.yeufv.com.ph
hsbc.com.yeufv.com.ph
myyeufv.net.ph
polro.ph
tx49.hk
tx55.hk
yeufv.com.ph

The second one is located in CL-ECSA-LACNIC ENTEL CHILE S.A. at 200.72.139.67, and the IP is acting as the main IP for a wide range of NS servers which further expand the domain farm. As I've already pointed out numerous times, Rock Phish is a great example of how centralization means both efficiency and ease of management, and insecurity, in the sense that shutting down the IP will shut down the entire scammy ecosystem of over 30 Rock Phish domains, each hosting approximately 5 to 10 different phishing campaigns targeting different brands on a single domain. Here's another perspective on the blended threat posed by phishing emails that come with embedded banker malware, the results of which later get aggregated in a botnet made up only of machines infected with banking malware. Find out more about trends and developments related to phishing in 2007 in a related article, and about the Rock Phish kit in principle.
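
The NatWest URLs above all follow the same construction: the brand's real domain (natwest.com, hsbc.com) is used as the leading labels of a hostname whose actual registered domain is one of the Rock Phish farm domains (tx49.hk, yeufv.com.ph and so on), which is why a single farm IP can serve many brands. That structure is easy to detect mechanically, and the same check groups the phishing hosts by the farm domain that owns them. The following Python is an added example, not the author's tooling: the brand list is an assumption, and the sample hosts are copied from this post. It only catches brand-as-prefix hosts; a lookalike registered domain such as paypal-accounts.com needs a separate check.

```python
from urllib.parse import urlsplit

# Assumed brand domains to look for; extend for the brands you protect.
BRANDS = ("natwest.com", "hsbc.com", "paypal.com")

# Constructed sample: hosts copied from the post above, plus two controls.
SAMPLE_URLS = [
    "natwest.com.tx49.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx40.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx48.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx15.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx47.hk/onlinebanking/customerform.aspx",
    "natwest.com.tx40.hk/onlinebanking/customerform.aspx",
    "natwest.com.iyeufv.org.ph/onlinebanking/customerform.aspx",
    "natwest.com.yeufv.ph/onlinebanking/customerform.aspx",
    "natwest.com.modifitool.kg/onlinebanking/customerform.aspx",
    "business-internet-banking.hsbc.com.yeufv.com.ph",
    "hsbc.com.yeufv.com.ph",
    "https://www.natwest.com/",  # the real site: must not be flagged
    "paypal-accounts.com",       # lookalike domain: not caught by this check
]


def host_of(url: str) -> str:
    """Hostname of a URL that may be written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def brand_prefix_abuse(hostname: str, brands=BRANDS):
    """Return (brand, farm_domain) when a brand's domain appears as a run of
    labels that is not the end of the hostname, e.g.
    natwest.com.tx49.hk -> ("natwest.com", "tx49.hk"). Otherwise None."""
    labels = hostname.lower().strip(".").split(".")
    for brand in brands:
        b = brand.split(".")
        n = len(b)
        # range(len(labels) - n) guarantees at least one label follows the brand
        for i in range(len(labels) - n):
            if labels[i:i + n] == b:
                return brand, ".".join(labels[i + n:])
    return None


def farm_report(urls, brands=BRANDS) -> dict:
    """Group flagged hosts by the farm domain that actually owns them."""
    farms = {}
    for url in urls:
        host = host_of(url)
        hit = brand_prefix_abuse(host, brands)
        if hit:
            brand, farm = hit
            farms.setdefault(farm, []).append((host, brand))
    return farms


if __name__ == "__main__":
    for farm, hosts in sorted(farm_report(SAMPLE_URLS).items()):
        print(f"{farm}: {len(hosts)} host(s)")
        for host, brand in hosts:
            print(f"    {host}  (impersonates {brand})")
```

The farm-domain grouping is what you would hand to a registrar or hosting provider: the takedown target is tx40.hk or yeufv.com.ph, not the individual natwest.com.* hostnames, which the kit can mint at will under any farm domain it controls.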
Continue reading →

Fake Codec Serving Domains from Digg.com's Comment Spam Attack

0
June 14, 2022
The following assessment details all the redirectors, fake codec serving domains, as well as related fake security software domains used in the Digg.com comment spam attack.



The complete list of the domain redirectors used in the comment spam attack:
worldnews-video .com - 459,000 bogus comments
youtube-top-video .com - 98,000 bogus comments
new-videos .info - 92,500 bogus comments
film-man .com - 50,700 bogus comments
last-sex-news .com - 26,000 bogus comments
video-news .cn - 25,500 bogus comments
last-porno-news .com - 21,500 bogus comments
fresh-video-news .com - 10,900 bogus comments
broken-tv .com - 10,000 bogus comments
video-trailers .net - 8,370 bogus comments
exclusive-videos .net - 7860 bogus comments
funkytube .net - 6,170 bogus comments
shocking-stars .net - 2,600 bogus comments
cinemacafe .tv - 1560 bogus comments
watch-video .cn - 3000 bogus comments
vidstream .cn - 397 bogus comments
divgg .com - 174 bogus comments
golden-portal .us - 3040 bogus comments
tubedirects .net - 290 bogus comments
funkytube .net - 6,480 bogus comments
watchepisodes .cn - 331 bogus comments

video-sensation .com - 1,500 bogus comments
bestlive-tv .cn - 216 bogus comments
svtube .cn - 222 bogus comments
onlyhotvideos .com - 413 bogus comments
celebnudestars .net - 326 bogus comments
usatvshows .us - 41 bogus comments
vidstream .cn - 398 bogus comments
divgg .com - 171 bogus comments
tubedirects .net - 285 bogus comments
yuotnbe .com - 370 bogus comments
omeia .info - 769 bogus comments
video.stumbulepon .com - 669 bogus comments
shocking-stars .net - 2,650 bogus comments
sowonder .net - 3000 bogus comments
sex-tapes-celebs .com - 2,210 bogus comments
video-sensation .com - 1,690 bogus comments

Currently active download locations for the fake codecs, and the rogue security software:
vivaextra .com
tube-xxx-tv2009 .com
onlinestreamsofware .com
demoextra .com
best-tube-2008 .net
tubeportalsoftware2008 .com
tubesoftwareviewer2008 .com
exefilesdownload2009 .com
tubesoftwareviewer2009 .com
uporntube-07 .com
tubeporn08 .com
uporn-tube .com
uporntube2009 .com
porn-tube09 .com
tubeporn09 .com
xxxporn-tube .com
porntubenew .com
ultra-extra .com

xp-police .com
xp-police-av .com
xp-police-2009 .com
antiviralscanner14 .com


Detection rates for the codecs/rogue security software:
viewtubesoftware.40020.exe
Result: 8/39 (20.51%)
File size: 71680 bytes
MD5...: ef26250b946a63112659c94eed016e0d
SHA1..: 902fd30cd4a7465c9f5271971604d273ed74a60c

viewtubesoftware.400201.exe
Result: 7/39 (17.95%)
File size: 62464 bytes
MD5...: 1d4c3a6d2cc8c645652f7090636e5a4b
SHA1..: ccc1994a521d9e8a053a345b9d9cc28a63415845

Install.exe
Result: 5/39 (12.82%)
File size: 77830 bytes
MD5...: 64557f21c50b6c063cc96ba661bcd27c
SHA1..: 5a765a92de07af756c96c83139be8ddace117ef1

install1.exe
Result: 4/39 (10.26%)
File size: 73222 bytes
MD5...: 890bf32b34b7abab7aa7ea049215c429
SHA1..: 8c311a8b6096914f758bcaf82aca465bcc885110

The first comments including links to these domains were posted at Digg.com in January 2008, over a year ago.

Continue reading →