We've, recently, intercepted, a high-profile, Linux-based, botnet-driven, type of, malicious, software, that's capable, of launching, a multitude of malicious attacks, on, compromised servers, potentially, exposing, the, integrity, confidentiality, and, availability, of, the compromised servers. Malicious attackers, often rely, on the use of compromised servers, for, the purpose, of, utilizing the access for malicious purposes, including, the capability, to launch malicious DDoS (Denial of Service Attack) attacks, and the ability, to spread additional malicious software, to potential users, including the capability to monetize access to the service, by, launching, DDoS for hire type of malicious and fraudulent services, including, the capability to launch high performance DDoS attacks.
In this post, we'll, profile, and analyze, the Bill Gates botnet, provide, actionable intelligence, on, the infrastructure, behind it, and, discuss, in depth, the tactics, techniques, and procedures, of the cybercriminals, behind it.
Malicious MD5s known to be part of the Bill Gates botnet:
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 0d79802eeae43459ef0f6f809ef74ecc
MD5: 9a77f1ad125cf34858be5e438b3f0247
MD5: 9a77f1ad125cf34858be5e438b3f0247
MD5: a89c089b8d020034392536d66851b939
MD5: a5b9270a317c9ef0beda992183717b33
Known Bill Gates botnet C&C server:
hxxp://dgnfd564sdf.com - 122.224.34.42; 122.224.50.37
Malicious C&C servers known to be part of the Bill Gates botnet:
202.103.178.76
121.12.110.96
112.90.252.76
112.90.22.197
112.90.252.79
Known to have responded to the same malicious IP (122.224.50.37) are also the following malicious domains:
hxxp://lfs99.com
hxxp://chchong.com
hxxp://uc43.net
hxxp://59wgw.com
hxxp://frade8c.com
hxxp://96hb.com
hxxp://cq670.com
hxxp://776ka.com
Malicious MD5s known to have phoned back to the same C&C server IP (122.224.50.37):
MD5: 6739ca4a835c7976089e2f00150f252b
MD5: eb234cee4ff769f2b38129bc164809d2
MD5: dc893d16316489dffa4e8d86040189b2
MD5: 0c1cac2a019aa1cc2dcc0d3b17fc4477
MD5: b7765076af036583fc81a50bd0b2a663
Known to have responded to the same malicious IP (122.224.34.42) are also the following malicious domains:
hxxp://76.wawa11.com
hxxp://903.wawa11.com
hxxp://904.wawa11.com
hxxp://905.wawa11.com
hxxp://906.wawa11.com
hxxp://907.wawa11.com
hxxp://91ww.0574yu.com
hxxp://9911sf.com
hxxp://901.t772277.com
hxxp://aisf.jux114.com
hxxp://520.wawa11.com
hxxp://awooolsf.com
hxxp://2288game.com
hxxp://588bc.com
hxxp://488game.com
hxxp://588bc.com
Malicious MD5s known to have been downloaded from the same malicious C&C server IP (122.224.34.42):
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 9a77f1ad125cf34858be5e438b3f0247
Malicious MD5s known to have been phoned back to the same malicious C&C server IP(122.224.34.42):
MD5: 815e453b6e268addf6a6763bfe013928
Once executed the sample phones back to the following malicious C&C server IPs:
hxxp://awooolsf.com/222.txt - 122.224.34.42
hxxp://xxx.com/download/xx.exe - 67.23.112.226
Known to have responded to the same malicious IP (67.23.112.226) are also the following malicious domains:
hxxp://falconglobalimpex.com
hxxp://deschatz-army.net
hxxp://m.xxx.com
hxxp://xxx.com
hxxp://xxxsites.com
hxxp://t.xxx.com
hxxp://m.xxx.org
hxxp://m.xxxsites.com
hxxp://xxx.org
Known to have been downloaded from the same malicious IP (67.23.112.226) are also the following malicious MD5s:
MD5: b4b483eb0d25fa3a9ec589eb11467ab8
Known to have phoned back to the same malicious C&C server (67.23.112.226) are also the following malicious MD5s:
MD5: 53a7fc24cb19463f8df3f4fe3ffd79b9
MD5: 268b8bcacec173eace3079db709b9c69
MD5: 0faf6988dfeaa98241c19fd834eca194
MD5: 87f8ffeb17a72fda7cf28745fa7a6be8
MD5: c973f818a5f9326c412ac9c4dfaeb0bd
This post has been reproduced from Dancho Danchev's blog.
Sunday, April 24, 2016
Analyzing the Bill Gates Botnet - An Analysis
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected
We've recently intercepted, a currently ongoing malicious malvertising attack, affecting thousands of users globally, potentially exposing their PCs, to, a multitude of malicious software, compromising, the, integrity, confidentiality, and, availability, of, their, PCs.
The campaign relies on the Angler Web malware exploitation kit, for, the, purpose of serving malicious software, on the, PCs, of, affected users exposing, their, PCs, to, a multitude, of, malicious software, potentially leading, to, a compromise, of, their, PCs. Once, users, visit, a legitimate Web site, part, of the, campaign, their, PCs, automatically become, part, of the botnet, operated, by, the, cybercriminals, behind it, with, the, campaign, relying, on, the, use, of, the, exploitation, of, a well known, client-side, vulnerability.
Cybercriminals, often, rely, on, the, use, of, compromised, accounting, data, obtained, through, active data mining, of, a botnet's infected population, for, the purpose, of, embedding, malicious, client-side exploits, on well known, and highly popular, Web sites, next, to, the, active, client-side, exploitation, of, known, vulnerabilities, found, on public, and well, known, Web sites. Yet, another highly popular attack vector, remains, the use, of compromised, advertiser network publisher's account, for, the, purpose, of taking advantage, of, the publisher's, already established, clean, network, reputation.
In this post, we'll profile, the, malicious campaign, provide, actionable, intelligence, for, the, infrastructure, behind it, provide, malicious MD5s, as, well, as, discuss, in depth, the, tactics, techniques, and procedures, utilized, by, the, cybercriminals, behind it.
Sample detection rate for the Trojan.Win32.Waldek.gip malware:
MD5: f2b92d07bb35f1649b015a5ac10d6f05
Once executed the sample phones back to:
hxxp://datanet.cc/extra/status.html - 146.185.251.154
Malicious URLs, used, in the, campaign:
hxxp://gamergrad.top/track/k.track?wd=48&fid=2 - 104.24.112.169
hxxp://talk915.pw/track/k.track?wd=48&fid=2 - 104.27.190.84
Known to have responded to the same IP (146.185.251.154) are also the following malicious domains:
hxxp://crenwat.cc
hxxp://oldbog.cc
hxxp://datanet.cc
hxxp://glomwork.cc
hxxp://speedport.cc
hxxp://myhostclub.cc
hxxp://terminreg.cc
hxxp://currentnow.cc
hxxp://copyinv.cc
hxxp://lableok.cc
hxxp://agentad.cc
hxxp://appclone.cc
hxxp://tune4.cc
hxxp://objects.cc
Once executed, the, sample, phones, back, to the, following, C&C server:
hxxp://188.138.70.19
Known to have responded to the same IP (188.138.70.19) are also the following malicious domains:
hxxp://alfatrade.cxaff.com
hxxp://affiliates.alfatrade.com
Known to have phoned back to the same malicious C&C server, are, also, the following malicious MD5s:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a384337cad9335b34d877dd4c59c73ce
MD5: e7b7b7664e89be18bcf2b79cc116731f
MD5: d712ddbc9b4fb27d950be93c1e144cce
Related malicious MD5s known to have phoned back to the same C&C server:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a2bd512e438801a2aa1871a2ac28e5bd
MD5: f01f9ded34cfe21098a2275563cf0d9d
MD5: e7b7b7664e89be18bcf2b79cc116731f
This post has been reproduced from Dancho Danchev's blog.
The campaign relies on the Angler Web malware exploitation kit, for, the, purpose of serving malicious software, on the, PCs, of, affected users exposing, their, PCs, to, a multitude, of, malicious software, potentially leading, to, a compromise, of, their, PCs. Once, users, visit, a legitimate Web site, part, of the, campaign, their, PCs, automatically become, part, of the botnet, operated, by, the, cybercriminals, behind it, with, the, campaign, relying, on, the, use, of, the, exploitation, of, a well known, client-side, vulnerability.
Cybercriminals, often, rely, on, the, use, of, compromised, accounting, data, obtained, through, active data mining, of, a botnet's infected population, for, the purpose, of, embedding, malicious, client-side exploits, on well known, and highly popular, Web sites, next, to, the, active, client-side, exploitation, of, known, vulnerabilities, found, on public, and well, known, Web sites. Yet, another highly popular attack vector, remains, the use, of compromised, advertiser network publisher's account, for, the, purpose, of taking advantage, of, the publisher's, already established, clean, network, reputation.
In this post, we'll profile, the, malicious campaign, provide, actionable, intelligence, for, the, infrastructure, behind it, provide, malicious MD5s, as, well, as, discuss, in depth, the, tactics, techniques, and procedures, utilized, by, the, cybercriminals, behind it.
Sample detection rate for the Trojan.Win32.Waldek.gip malware:
MD5: f2b92d07bb35f1649b015a5ac10d6f05
Once executed the sample phones back to:
hxxp://datanet.cc/extra/status.html - 146.185.251.154
Malicious URLs, used, in the, campaign:
hxxp://gamergrad.top/track/k.track?wd=48&fid=2 - 104.24.112.169
hxxp://talk915.pw/track/k.track?wd=48&fid=2 - 104.27.190.84
Known to have responded to the same IP (146.185.251.154) are also the following malicious domains:
hxxp://crenwat.cc
hxxp://oldbog.cc
hxxp://datanet.cc
hxxp://glomwork.cc
hxxp://speedport.cc
hxxp://myhostclub.cc
hxxp://terminreg.cc
hxxp://currentnow.cc
hxxp://copyinv.cc
hxxp://lableok.cc
hxxp://agentad.cc
hxxp://appclone.cc
hxxp://tune4.cc
hxxp://objects.cc
Once executed, the, sample, phones, back, to the, following, C&C server:
hxxp://188.138.70.19
Known to have responded to the same IP (188.138.70.19) are also the following malicious domains:
hxxp://alfatrade.cxaff.com
hxxp://affiliates.alfatrade.com
Known to have phoned back to the same malicious C&C server, are, also, the following malicious MD5s:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a384337cad9335b34d877dd4c59c73ce
MD5: e7b7b7664e89be18bcf2b79cc116731f
MD5: d712ddbc9b4fb27d950be93c1e144cce
Related malicious MD5s known to have phoned back to the same C&C server:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a2bd512e438801a2aa1871a2ac28e5bd
MD5: f01f9ded34cfe21098a2275563cf0d9d
MD5: e7b7b7664e89be18bcf2b79cc116731f
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Hundreds of Google Play Apps Compromised, Lead to Mobile Malware
Malicious attackers, have, managed, to, infiltrate, and populate, Google Play, with, hundreds, of rogue, applications, exposing, users, to mobile, malware, compromising, the, integrity, of, their, devices, and, exposing, them, to, misleading, advertisements. Once, a socially, engineered, user, obtains, the, application, and, execute, it, their, device, the malware, phones, back, to, a malicious URL, exposing, the, integrity, confidentiality, and, availability, of, the, device.
Malicious attackers, often, rely, on, a variety of social engineering tactics, to, obtain, access, to, a user's device, including, the use, of, compromised, publisher's accounts, obtained, through, data mining, of botnet's of infected, population. Once, access, to, a particular, publisher's account, is, obtained, the malicious attackers, would, attempt, to use, a do-it-yourself, type, of, mobile, malware, generating tool, for, the, purpose, of, modifying, a legitimate, application, for, the, purpose, of, obtaining, access, to, a user's device.
Malicious attackers, are, also, known, to rely, on secondary, marketplaces, for, the, purpose, of, attempting, to, obtain, access, to user's, device, with, the, secondary, marketplaces, populated, with, rogue, and compromised, applications.
Once, a, socially, engineered, user, obtains, an, application, their, device, automatically, becomes, part, of, a, malicious attacker's, botnet, with, the malicious, attackers, relying on, a multitude, of monetization techniques, while, earning, fraudulently, obtained, revenue, in, the, process. Malicious attackers, are, also, known, to, rely, on, rogue, and, fraudulent, affiliate networks, for, the, purpose, of, monetizing, access, to, the, obtained, hosts, through, a, variety, of, rogue, advertising, networks, largely, set, up, for, the, purpose, of, earning, fraudulent, revenue, for, the, malicious attackers.
These affiliate networks, are, known, to, provide, managed, support, including, the, systematic, rotation of the command and control, server, and, the, availability, of, various, templates, empowering, malicious attackers, with, access, to, a, variety, of, fraudulent techniques, allowing, them, to, easily, monetize, access, to, the, infected hosts.
In this post, we'll profile, profile, the, Android.Spy.277.origin, mobile, malware, found, on hundreds, of applications, at Google Play, expose, the, malicious, infrastructure, behind, it, provide, MD5s, and, discuss, in, depth, the, various tactics, techniques, and procedures, utilized, by, malicious, attackers, for, the purpose, of, spreading, mobile, malware, attempting, to, trick, users, into, executing, malicious software, on their, devices.
Sample detection rate for a sample malware:
MD5: a51d7f8413aa3857a4682fa631d39054
Once executed the sample phones back to the following C&C server:
hxxp://startappexchange.com - 184.26.136.91; 184.26.136.113
The same malicious C&C server (startappexchange.com) is also known to have responded to the following IPs:
23.15.5.200
23.63.227.171
95.101.2.24
23.62.239.19
96.6.122.67
23.15.5.205
23.62.236.98
61.213.181.153
23.63.227.208
23.63.227.192
23.3.13.65
96.6.122.74
23.3.13.58
23.62.236.74
184.50.232.74
184.84.243.57
217.7.48.104
217.7.48.192
80.157.151.48
80.157.151.67
67.135.105.35
23.61.194.186
88.221.134.192
88.221.134.211
23.0.160.8
95.101.0.24
95.101.0.50
2.21.243.57
2.21.243.64
23.0.160.51
184.29.105.43
173.223.232.66
184.29.105.83
96.16.98.113
107.14.46.80
62.208.24.33
217.65.36.6
Related malicious MD5s known to have phoned back to the same C&C server:
MD5: 53958d60a2d52c99ad305ec105d47486
MD5: 45eaa4fc36c9a69b3ac78ddce7800daa
MD5: b355ed6fa08ef0415d4e7c6bc602f9a8
MD5: e4c7d87b7b20ae9555c6efe6466b32e6
MD5: 83a449691ff40cf9d3c8c4d7119aaea7
This post has been reproduced from Dancho Danchev's blog.
Malicious attackers, often, rely, on, a variety of social engineering tactics, to, obtain, access, to, a user's device, including, the use, of, compromised, publisher's accounts, obtained, through, data mining, of botnet's of infected, population. Once, access, to, a particular, publisher's account, is, obtained, the malicious attackers, would, attempt, to use, a do-it-yourself, type, of, mobile, malware, generating tool, for, the, purpose, of, modifying, a legitimate, application, for, the, purpose, of, obtaining, access, to, a user's device.
Malicious attackers, are, also, known, to rely, on secondary, marketplaces, for, the, purpose, of, attempting, to, obtain, access, to user's, device, with, the, secondary, marketplaces, populated, with, rogue, and compromised, applications.
Once, a, socially, engineered, user, obtains, an, application, their, device, automatically, becomes, part, of, a, malicious attacker's, botnet, with, the malicious, attackers, relying on, a multitude, of monetization techniques, while, earning, fraudulently, obtained, revenue, in, the, process. Malicious attackers, are, also, known, to, rely, on, rogue, and, fraudulent, affiliate networks, for, the, purpose, of, monetizing, access, to, the, obtained, hosts, through, a, variety, of, rogue, advertising, networks, largely, set, up, for, the, purpose, of, earning, fraudulent, revenue, for, the, malicious attackers.
These affiliate networks, are, known, to, provide, managed, support, including, the, systematic, rotation of the command and control, server, and, the, availability, of, various, templates, empowering, malicious attackers, with, access, to, a, variety, of, fraudulent techniques, allowing, them, to, easily, monetize, access, to, the, infected hosts.
In this post, we'll profile, profile, the, Android.Spy.277.origin, mobile, malware, found, on hundreds, of applications, at Google Play, expose, the, malicious, infrastructure, behind, it, provide, MD5s, and, discuss, in, depth, the, various tactics, techniques, and procedures, utilized, by, malicious, attackers, for, the purpose, of, spreading, mobile, malware, attempting, to, trick, users, into, executing, malicious software, on their, devices.
Sample detection rate for a sample malware:
MD5: a51d7f8413aa3857a4682fa631d39054
Once executed the sample phones back to the following C&C server:
hxxp://startappexchange.com - 184.26.136.91; 184.26.136.113
The same malicious C&C server (startappexchange.com) is also known to have responded to the following IPs:
23.15.5.200
23.63.227.171
95.101.2.24
23.62.239.19
96.6.122.67
23.15.5.205
23.62.236.98
61.213.181.153
23.63.227.208
23.63.227.192
23.3.13.65
96.6.122.74
23.3.13.58
23.62.236.74
184.50.232.74
184.84.243.57
217.7.48.104
217.7.48.192
80.157.151.48
80.157.151.67
67.135.105.35
23.61.194.186
88.221.134.192
88.221.134.211
23.0.160.8
95.101.0.24
95.101.0.50
2.21.243.57
2.21.243.64
23.0.160.51
184.29.105.43
173.223.232.66
184.29.105.83
96.16.98.113
107.14.46.80
62.208.24.33
217.65.36.6
Related malicious MD5s known to have phoned back to the same C&C server:
MD5: 53958d60a2d52c99ad305ec105d47486
MD5: 45eaa4fc36c9a69b3ac78ddce7800daa
MD5: b355ed6fa08ef0415d4e7c6bc602f9a8
MD5: e4c7d87b7b20ae9555c6efe6466b32e6
MD5: 83a449691ff40cf9d3c8c4d7119aaea7
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Friday, August 28, 2015
Historical OSINT - How TROYAK-AS Utillized BGP-over-VPN to Serve the Avalance Botnet
Historical OSINT is a crucial part of an intelligence analyst's mindset, further positioning a growing or an emerging trend, as a critical long term early warning system indicator, highlighting the importance, of current and emerging trends.
In this post, I'll discuss Troyak-AS, a well-known cybercrime-friendly hosting provider, that represented, the growing factor, for the highest percentage of malicious and fraudulent activity online, throughout 2010, its upstream provider NetAssist LLC, and most importantly, a malicious innovation applied by cybercriminals, at the time, namely the introduction of malicious netblocks and ISPs, within the RIPE registry, relying on OPSEC (Operational Security) and basic evasive practices.
According to RSA, the Ukrainian based ISP NetAssist LLC is listed as a legitimate ISP, one whose services haven't been abused in any particular cybercrime-friendly way.
This analysis, will not only prove, otherwise, namely, that NetAssist LLC's involvement in introducing a dozen of cybercrime friendly networks – including TROYAK-AS – has been taking place for purely commercial reasons, with the ISP charging thousands of euros for the process, but also, expose a malicious innovation applied on behalf of opportunistic cybercriminals, at the time, namely, the introduction of innovative bulletproof hosting tactics, techniques and procedures.
Domain name reconnaissance:
troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 (AS44310) - Email: staruy.rom@troyak.org; staruy.rom@inbox.ru
smallshopkz.org - 195.78.123.1 (AS12570)
Name servers:
ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA
ns.bgpvpn.kz - 91.213.93.10
ns.smallshopkz.org (195.78.123.1) is also known to have offered DNS services, to prombd.net (AS44107) PROMBUDDETAL (AS50215 Troyak-as at the time responding to ctlan.net) - 91.201.30.1, and vesteh.net (AS47560) VESTEH-NET 91.200.164.1
Domain name reconnaissance:
bgpvpn.kz
Organization Using Domain Name
Name...................: Mykola Tabakov
Organization Name......: Mykola Tabakov
Street Address.........: office 211, ul. Pushkina, dom 166
City...................: Astana
State..................: Astana
Postal Code............: 010000
Country................: KZ
Administrative Contact/Agent
NIC Handle.............: CA537455-RT
Name...................: Mykola Tabakov
Phone Number...........: +7.7022065468
Fax Number.............: +7.7022065468
Email Address..........: tabanet@mail.ru
Nameserver in listed order:
Primary server.........: ns.bgpvpn.kz
Primary ip address.....: 91.213.93.10
Domain name reconnaissance:
smallshopz.biz
Domain Name:SMALLSHOPKZ.ORG
Created On:30-Oct-2009 13:42:14 UTC
Last Updated On:19-Mar-2010 14:39:19 UTC
Expiration Date:30-Oct-2010 13:42:14 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_10606443
Registrant Name:Vladimir Vladimirovich Stebluk
Registrant Organization:N/A
Registrant Street1:off. 306, Bulvar Mira, 16
Registrant Street2:
Registrant Street3:
Registrant City:Karaganda
Registrant State/Province:Qaraghandyoblysy
Registrant Postal Code:100008
Registrant Country:KZ
Registrant Phone:+7.7012032605
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:vladcrazy@smallshopkz.org
NetAssist LLC (netassist.ua) (AS29632) reconnaissance:
inetnum: 62.205.128.0 - 62.205.159.255
netname: UA-NETASSIST-20080201
descr: NetAssist LLC
country: UA
org: ORG-NL64-RIPE
admin-c: MT6561-RIPE
admin-c: AVI27-RIPE
tech-c: MT6561-RIPE
tech-c: APP18-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MEREZHA-MNT
mnt-routes: MEREZHA-MNT
mnt-domains: MEREZHA-MNT
source: RIPE # Filtered
organisation: ORG-NL64-RIPE
org-name: NetAssist LLC
org-type: LIR
address: NetAssist LLC
Max Tulyev
GEROEV STALINGRADA AVE APP 57 BUILD 54
04213 Kiev
UKRAINE
phone: +380 44 5855265
fax-no: +380 44 2721514
e-mail: info@netassist.kiev.ua
admin-c: AT4266-RIPE
admin-c: KS3536-RIPE
admin-c: MT6561-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: MEREZHA-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
person: Max Tulyev
address: off. 32, 12 Artema str.,
address: Kiev, Ukraine
remarks: Office phones
phone: +380 44 2398999
phone: +7 495 7256396
phone: +1 347 3414023
phone: +420 226020344
remarks: GSM mobile phones, SMS supported
phone: +7 916 6929474
phone: +380 50 7775633
remarks: Fax is in auto-answer mode
fax-no: +380 44 2726209
remarks: The phone below is for emergency only
remarks: You can also send SMS to this phone
phone: +88216 583 00392
remarks:
remarks: Jabber ID mt6561@jabber.kiev.ua
remarks: SIP 7002@195.214.211.129
e-mail: maxtul@netassist.ua
e-mail: president@ukraine.su
nic-hdl: MT6561-RIPE
mnt-by: MEREZHA-MNT
source: RIPE # Filtered
person: Alexander V Ivanov
address: 14-28 Lazoreviy pr
address: Moscow, Russia
address: 129323
phone: +7 095 7251401
fax-no: +7 095 7251401
e-mail: ivanov077@gmail.com
nic-hdl: AVI27-RIPE
mnt-by: MEREZHA-MNT
source: RIPE # Filtered
person: Alexey P Panyushev
address: 8-142, Panferova street
address: Moscow, Russia
address: 117261
phone: +7 903 6101520
fax-no: +7 903 6101520
e-mail: panyushev@gmail.com
nic-hdl: APP18-RIPE
mnt-by: MEREZHA-MNT
source: RIPE # Filtered
Is NetAssist LLC, on purposely offering its services, for the purpose of orchestrating cybercrime-friendly campaigns, in a typical bulletproof cybercrime friendly fashion, or has it been abused, by an opportunistic cybercriminals, earning fraudulently obtained revenues in the process? Based on the analysis in this post, and the fact, that the company, continues offering IPv4 RIPE announcing services, I believe, that on the majority of occasions, the company has had its services abused, throughout 2010, leading to the rise of the Avalance bothet.
I expect to continue observing such type of abuse, however, in a cybercrime ecosystem, dominated, by the abuse of legitimate services, I believe that cybercriminals will continue efficiently bypassing defensive measures in place, through the abuse and compromise of legitimate infrastructure.
This post has been reproduced from Dancho Danchev's blog.
In this post, I'll discuss Troyak-AS, a well-known cybercrime-friendly hosting provider, that represented, the growing factor, for the highest percentage of malicious and fraudulent activity online, throughout 2010, its upstream provider NetAssist LLC, and most importantly, a malicious innovation applied by cybercriminals, at the time, namely the introduction of malicious netblocks and ISPs, within the RIPE registry, relying on OPSEC (Operational Security) and basic evasive practices.
According to RSA, the Ukrainian based ISP NetAssist LLC is listed as a legitimate ISP, one whose services haven't been abused in any particular cybercrime-friendly way.
This analysis, will not only prove, otherwise, namely, that NetAssist LLC's involvement in introducing a dozen of cybercrime friendly networks – including TROYAK-AS – has been taking place for purely commercial reasons, with the ISP charging thousands of euros for the process, but also, expose a malicious innovation applied on behalf of opportunistic cybercriminals, at the time, namely, the introduction of innovative bulletproof hosting tactics, techniques and procedures.
Domain name reconnaissance:
troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 (AS44310) - Email: staruy.rom@troyak.org; staruy.rom@inbox.ru
smallshopkz.org - 195.78.123.1 (AS12570)
Name servers:
ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA
ns.bgpvpn.kz - 91.213.93.10
ns.smallshopkz.org (195.78.123.1) is also known to have offered DNS services, to prombd.net (AS44107) PROMBUDDETAL (AS50215 Troyak-as at the time responding to ctlan.net) - 91.201.30.1, and vesteh.net (AS47560) VESTEH-NET 91.200.164.1
Domain name reconnaissance:
bgpvpn.kz
Organization Using Domain Name
Name...................: Mykola Tabakov
Organization Name......: Mykola Tabakov
Street Address.........: office 211, ul. Pushkina, dom 166
City...................: Astana
State..................: Astana
Postal Code............: 010000
Country................: KZ
Administrative Contact/Agent
NIC Handle.............: CA537455-RT
Name...................: Mykola Tabakov
Phone Number...........: +7.7022065468
Fax Number.............: +7.7022065468
Email Address..........: tabanet@mail.ru
Nameserver in listed order:
Primary server.........: ns.bgpvpn.kz
Primary ip address.....: 91.213.93.10
smallshopz.biz
Domain Name:SMALLSHOPKZ.ORG
Created On:30-Oct-2009 13:42:14 UTC
Last Updated On:19-Mar-2010 14:39:19 UTC
Expiration Date:30-Oct-2010 13:42:14 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_10606443
Registrant Name:Vladimir Vladimirovich Stebluk
Registrant Organization:N/A
Registrant Street1:off. 306, Bulvar Mira, 16
Registrant Street2:
Registrant Street3:
Registrant City:Karaganda
Registrant State/Province:Qaraghandyoblysy
Registrant Postal Code:100008
Registrant Country:KZ
Registrant Phone:+7.7012032605
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:vladcrazy@smallshopkz.org
NetAssist LLC (netassist.ua) (AS29632) reconnaissance:
inetnum: 62.205.128.0 - 62.205.159.255
netname: UA-NETASSIST-20080201
descr: NetAssist LLC
country: UA
org: ORG-NL64-RIPE
admin-c: MT6561-RIPE
admin-c: AVI27-RIPE
tech-c: MT6561-RIPE
tech-c: APP18-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MEREZHA-MNT
mnt-routes: MEREZHA-MNT
mnt-domains: MEREZHA-MNT
source: RIPE # Filtered
organisation: ORG-NL64-RIPE
org-name: NetAssist LLC
org-type: LIR
address: NetAssist LLC
Max Tulyev
GEROEV STALINGRADA AVE APP 57 BUILD 54
04213 Kiev
UKRAINE
phone: +380 44 5855265
fax-no: +380 44 2721514
e-mail: info@netassist.kiev.ua
admin-c: AT4266-RIPE
admin-c: KS3536-RIPE
admin-c: MT6561-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: MEREZHA-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
person: Max Tulyev
address: off. 32, 12 Artema str.,
address: Kiev, Ukraine
remarks: Office phones
phone: +380 44 2398999
phone: +7 495 7256396
phone: +1 347 3414023
phone: +420 226020344
remarks: GSM mobile phones, SMS supported
phone: +7 916 6929474
phone: +380 50 7775633
remarks: Fax is in auto-answer mode
fax-no: +380 44 2726209
remarks: The phone below is for emergency only
remarks: You can also send SMS to this phone
phone: +88216 583 00392
remarks:
remarks: Jabber ID mt6561@jabber.kiev.ua
remarks: SIP 7002@195.214.211.129
e-mail: maxtul@netassist.ua
e-mail: president@ukraine.su
nic-hdl: MT6561-RIPE
mnt-by: MEREZHA-MNT
source: RIPE # Filtered
person: Alexander V Ivanov
address: 14-28 Lazoreviy pr
address: Moscow, Russia
address: 129323
phone: +7 095 7251401
fax-no: +7 095 7251401
e-mail: ivanov077@gmail.com
nic-hdl: AVI27-RIPE
mnt-by: MEREZHA-MNT
source: RIPE # Filtered
person: Alexey P Panyushev
address: 8-142, Panferova street
address: Moscow, Russia
address: 117261
phone: +7 903 6101520
fax-no: +7 903 6101520
e-mail: panyushev@gmail.com
nic-hdl: APP18-RIPE
mnt-by: MEREZHA-MNT
source: RIPE # Filtered
Is NetAssist LLC, on purposely offering its services, for the purpose of orchestrating cybercrime-friendly campaigns, in a typical bulletproof cybercrime friendly fashion, or has it been abused, by an opportunistic cybercriminals, earning fraudulently obtained revenues in the process? Based on the analysis in this post, and the fact, that the company, continues offering IPv4 RIPE announcing services, I believe, that on the majority of occasions, the company has had its services abused, throughout 2010, leading to the rise of the Avalance bothet.
I expect to continue observing such type of abuse, however, in a cybercrime ecosystem, dominated, by the abuse of legitimate services, I believe that cybercriminals will continue efficiently bypassing defensive measures in place, through the abuse and compromise of legitimate infrastructure.
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)