Sunday, May 15, 2016

Mobile Malware Hits Google Play, Thousands of Users Affected

We've recently intercepted a currently ongoing malicious campaign that's utilizing Google Play for the purpose of serving malicious software to unsuspecting users.

In this post, we'll profile the campaign, provide malicious MD5s, expose the malicious infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to be part of the malicious campaign:
MD5: 4cbc7513072a1c0b03f7cedc6d058af4
MD5: 4defc5803de76f506bfc3a6c2c90bd87
MD5: 13647981b37f0c038e096c58b8962f95

Once executed, the sample phones back to the following C&C servers:
hxxp://petrporosya.com/123/ - 185.106.92.110
hxxp://78.46.123.205/111/inj/paypal/paypal.php

Known to have responded to the same malicious C&C server IP (185.106.92.110) is also the following malicious C&C server:
hxxp://traktorporosya.com

Related malicious MD5s known to have phoned back to the same malicious C&C server (185.106.92.110):

Related malicious MD5s known to have phoned back to the same malicious C&C server (78.46.123.205):
MD5: 32c8af7e7e9076b35dde4d677b14e594
MD5: 27e4b9ae53c2300723c267cf67b930bf

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Saturday, May 07, 2016

Threat Intelligence - An Adaptive Approach to Information Security

This article will detail the basics of threat intelligence gathering, discuss various threat intelligence gathering methodologies, and discuss various proactive threat intelligence gathering methodologies in the context of proactive security defense.

01. Overview of Threat Intelligence

Threat intelligence is a multi-disciplinary approach to collecting, processing and disseminating actionable intelligence, for the purpose of ensuring that an organization's security defense is actively aware of the threats facing its infrastructure, so that an adequate and cost-effective strategy can be formulated to ensure the confidentiality, integrity and availability of its information. The collection phase consists of actively obtaining real-time threat intelligence data so that it can be processed, enriched and assessed before being disseminated.

The collection phase consists of active monitoring of sources of interest, including various public and privately closed community sources, and of assessing and selecting a diverse set of primary and secondary sources for the purpose of establishing the foundations of an active threat intelligence gathering program.

The processing phase consists of actively selecting processing tools and methodologies, so that the collected data can be processed and enriched successfully. It includes the active, real-time aggregation of actionable threat intelligence data from the selected primary and secondary public and privately closed sources, and the enrichment of that data.

The dissemination phase consists of actively communicating and distributing the processed and enriched actionable intelligence across the organization's security defense mechanisms, for the purpose of ensuring that the organization's defense is actively aware of the threats facing its infrastructure.
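As an added illustration, not part of Danchev's article, the following Python script walks the three phases just described over the indicators from the Google Play post above: it parses defanged report lines (collection), pivots on shared C&C IPs (processing/enrichment), and checks constructed proxy log lines against the resulting watchlist (dissemination). The pairing of each hash with a C&C, the `|` record format and the log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed records in the "MD5 | C&C URL - IP" shape the campaign posts use.
# Hashes, hosts and IPs come from the Google Play post above; which hash
# contacted which C&C is an assumed pairing for illustration only.
RAW_RECORDS = [
    "MD5: 4cbc7513072a1c0b03f7cedc6d058af4 | hxxp://petrporosya.com/123/ - 185.106.92.110",
    "MD5: 4defc5803de76f506bfc3a6c2c90bd87 | hxxp://78.46.123.205/111/inj/paypal/paypal.php",
    "MD5: a765d6c0c046ffb88f825b3189f02148 | hxxp://traktorporosya.com - 185.106.92.110",
]
# Constructed proxy log lines (not from the page) for the dissemination step.
SAMPLE_PROXY_LOG = [
    "2016-05-15T10:01:02Z 10.0.0.12 GET http://traktorporosya.com/ 200",
    "2016-05-15T10:01:09Z 10.0.0.12 GET http://78.46.123.205/111/inj/paypal/paypal.php 200",
    "2016-05-15T10:02:30Z 10.0.0.33 GET http://example.org/index.html 200",
]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
REC_RE = re.compile(r"MD5:\s*(?P<md5>[0-9a-f]{32})\s*\|\s*hxxp://(?P<host>[^/\s]+)\S*"
                    r"(?:\s+-\s+(?P<ip>" + IPV4 + r"))?")

def collect(records):
    """Collection: parse defanged report lines into (md5, host, ip) tuples."""
    parsed = []
    for line in records:
        m = REC_RE.search(line)
        if m:
            host = m.group("host").lower()
            # A URL whose host is already an IP literal needs no resolution step.
            ip = m.group("ip") or (host if re.fullmatch(IPV4, host) else None)
            parsed.append((m.group("md5"), host, ip))
    return parsed

def process(parsed):
    """Processing/enrichment: pivot on shared C&C IPs to cluster hosts and samples."""
    clusters = defaultdict(lambda: {"hosts": set(), "md5s": set()})
    for md5, host, ip in parsed:
        clusters[ip or host]["hosts"].add(host)
        clusters[ip or host]["md5s"].add(md5)
    return clusters

def disseminate(clusters, log_lines):
    """Dissemination: derive a watchlist from the clusters and flag log lines hitting it."""
    watchlist = set(clusters) | {h for c in clusters.values() for h in c["hosts"]}
    hits = []
    for line in log_lines:
        matched = sorted(ind for ind in watchlist if ind in line)
        if matched:
            hits.append((matched[0], line))  # (indicator, offending log line)
    return hits
```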

02. Threat Intelligence Methodologies

Numerous threat intelligence methodologies are currently available for an organization to take advantage of on its way to properly securing its infrastructure, taking into consideration a proactive security response. Among the most common data acquisition strategies remains active forum and community monitoring, including the active monitoring of private forums and communities. Carefully selecting primary and secondary sources of information is crucial for maintaining the situational awareness needed to stay ahead of the threats facing the organization's infrastructure, including the establishment of an active response through an active threat intelligence gathering program.

Among the most common threat intelligence data acquisition strategies also remains active team collaboration in terms of data acquisition, data processing and data dissemination, for the purpose of establishing a security response that proactively addresses the threats facing the organization's infrastructure, as well as the active enrichment of the sources of information to include a variety of primary and secondary sources, including private and community-based ones.

03. Proactive Threat Intelligence Methodologies

Anticipating the emerging threat landscape greatly ensures an organization's successful implementation of a proactive type of defense. Properly understanding the threat landscape, and taking into consideration the data obtained through an active threat intelligence gathering program, greatly ensures that a proactive security response can be adequately implemented so that an organization's security defense remains properly protected from the threats facing its infrastructure.

Among the most common threat acquisition tactics remains the active understanding of the threats facing an organization's security infrastructure, to ensure that an adequate response can be properly implemented. Among the most common threat intelligence gathering methodologies remains active team collaboration, to ensure that an active enrichment process can be properly implemented based on the information acquired through an active threat intelligence acquisition, processing and dissemination program, further ensuring that an organization's infrastructure can be properly protected from the threats facing it.

04. The Future of Threat Intelligence

The future of threat intelligence gathering largely relies on a successful set of threat intelligence gathering methodologies: active data acquisition, processing and dissemination strategies, including the active enrichment of the processed data, for the purpose of ensuring that an organization's security defense remains properly in place. It also relies on a successful understanding of multiple threat vectors. Relying on a multitude of enrichment processes, including the active establishment of a threat intelligence gathering, acquisition, processing and dissemination program, greatly ensures that a proactive, team-oriented approach can be implemented to keep an organization's security defense properly protected from the threats facing its infrastructure.

05. Conclusion

Threat intelligence acquisition, processing and dissemination remains a largely proactive response to a growing set of emerging threats facing an organization's infrastructure, where the active establishment of a threat intelligence gathering, acquisition, processing and dissemination program remains an active response to those threats. Properly ensuring that an organization's security defense remains secured from the threats facing its infrastructure further ensures that a successful information security strategy can be properly implemented.

If you would like to receive additional information regarding a possible threat intelligence program evaluation for your company's infrastructure, including additional information regarding the threat landscape and the threats facing your organization's infrastructure, you can approach me at dancho.danchev@hush.com

Tuesday, April 26, 2016

Malicious Client-Side Exploits Serving Campaign Intercepted, Thousands of Users Affected

We've recently intercepted a currently circulating malicious campaign utilizing a variety of compromised Web sites for the purpose of serving malicious software to socially engineered users.

In this post, we'll profile the campaign and the infrastructure behind it, provide actionable intelligence (MD5s), and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL:
hxxp://directbalancejs.com/module.so - 37.48.116.208; 31.31.204.161


Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MD5s:
MD5: c3754018dab05b3b8aac5fe8100076ce

Once executed the sample phones back to the following C&C server:
hxxp://info-get.ru - 31.31.204.161

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MD5s:

This post has been reproduced from Dancho Danchev's blog.

Malware Campaign Using Google Docs Intercepted, Thousands of Users Affected

We've recently intercepted a malicious campaign utilizing Google Docs for the purpose of spreading malicious software, potentially exposing the confidentiality, integrity and availability of the targeted hosts.

In this post, we'll profile the malicious campaign, expose the malicious infrastructure behind it, provide MD5s, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL:
hxxp://younglean.cba.pl/lean/ - 95.211.80.4

Sample malicious URL hosting locations:
hxxp://ecku.cba.pl/js/bin.exe
hxxp://mondeodoslubu.cba.pl/js/bin.exe
hxxp://piotrkochanski.cba.pl/js/bin.exe
hxxp://szczuczynsp.cba.pl/122/091.exe

Known to have responded to the same malicious IP (95.211.80.4) are also the following malicious domains:

Sample malicious MD5s known to have phoned back to the same malicious IP (95.211.80.4):

Once executed the sample phones back to the following C&C servers:
hxxp://smartoptionsinc.com - 216.70.228.110
hxxp://ppc.cba.pl - 95.211.80.4
hxxp://apps.identrust.com - 192.35.177.64
hxxp://cargol.cat - 217.149.7.213
hxxp://bikeceuta.com - 91.142.215.77
