Thursday, March 23, 2017

Threat Intelligence - An Adaptive Approach to Information Security - Free Consultation Available


Dear, blog, readers, as, of, today, I'm, making, publicly, available, my, portfolio, of, services, including, active, threat, intelligence, gathering, and, processing, cybercriminals, and, network, assets, profiling, real, life, personalization, of, malicious, actors, OSINT, analyses, in-depth, understanding, and, processing, of, tactics, techniques, and, procedures (TTPs), including, the, production, of, custom, timely, and, relevant, managed, or, on, demand, client-tailored, reports, and, analysis, briefs, covering, managed, security, blogging, and, conference, attendance, cybercrime, malware, botnets, and, threat, intelligence, including, the, coverage, of, geopolitically, relevant, cyber, threat, assessments.

The, portfolio, of, services, includes, but, is, not, limited, to:
Real-time, managed, or, on, demand, analysis, briefs, and, reports, production:
- analysis, briefs, and, timely, and, relevant, reports, covering, cybercrime, malware, botnets, and, threat, intelligence, including, but, not, limited, to, tactics, techniques, and, procedures (TTPs), real, life, personalization, of, cybercriminals, and, network, assets

Geopolitically, relevant, and, geographically, selected, threat, intelligence, processing, and, gathering, relevant, reports:
- geopolitically, relevant, coverage, of, selected, geographic, regions, covering, cybercrime, malware, botnets, and, threat, intelligence, including, but, limited, to, tactics, techniques, and, procedures (TTPs), real, life, personalization, of, cybercriminals, and, network assets

Managed, security, blogging, and, presentation, conference, attendance:
- threat, intelligence, processing, as, a, service, including, but, not, limited, to, the, managed, processing, and, communication, of, threat, intelligence, gathering, and, processing, information, in, the, form, of, managed, communication, to, a, selected, set, of, audiences, including, but, not, limited, to, security, blogging, and, conferences, attendance, on, behalf, of, a, selected, enterprise, further, positioning, its, understanding, and, reaching, out, to, selected, clients

Managed, tactics, techniques, and, procedures (TTPs), processing, managing, and, gathering, analysis, and, reports:
- in-depth, understanding, of, tactics, techniques, and, procesures (TTPs), relevant, to, a, specific, cybercrime, group, geopolitically, relevant, region, or, a, selected, geographically, relevant, region

Enjoy!

DDanchev is for Hire!

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?

Send your proposition to: ddanchev@protonmail.ch

Book Proposal - Seeking Sponsorship - Publisher Contact

Dear, blog, readers, as, I'm, currently, busy, writing, a, book, I'm looking for, a publisher, who's, interested, in, publishing, it, with, the, book, proposal, available, on, request.

Send your proposal to: ddanchev@protonmail.ch

Project Proposal - Cybercrime Research - Seeking Investment

Dear blog readers, I'm currently seeking an investment regarding a cybercrime research project, with, the, project, proposal, available, on request.

Send your proposal at: ddanchev@protonmail.ch

Invitation to Join a Security Community

Dear blog readers, as I'm currently busy launching a private security community, I decided, to publicly announce, its, existence.

Topics of discussion:
- cybercrime research
- threat intelligence
- malicious software

Request an invite: ddanchev@protonmail.ch

Follow me on Twitter!

Dear, blog readers, are, you, on Twitter? Feel, free, to, follow me.

Enjoy!

Dancho Danchev's 2010 Disappearance - An Elaboration


UPDATE: Prior, to, my, stay, in, another, town, I, was, contacted, by, Riva Richmond, (riva@rivarichmond.com), and, set, up, a, meeting, to, discuss, a, potential, New York Times, article.

UPDATE: Prior, to, my, stay, at, this, particular, apartment, I, contacted, Nart Villeneuve, (n.villeneuve@secdev.ca), seeking, assistance, signaling, potential, trouble.

UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, the, same, person, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), was, released, by, another, person, known, as, Nesho Sheygunov (https://www.facebook.com/nesho.sheygunov).
 
UPDATE: While, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, another, person, that, I, know, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), was, taken, to, the, room, where, I, was, confined, and, I, spent, a, night, in, the, corridor.

UPDATE: While, I, was, taken, to, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, I, had, my, phone, taken, and, I, was, confined.

UPDATE: While, I, was, taken, out, of, my, place, to, an, unknown, car, the, fuel, was, charged, to, someone, that, I, know.

UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), I, was, offered, to, take, vitamins.

UPDATE: My, place, was, recently, visited, by, unknown, men, taking, me, to, local, police, department (hxxp://troyan-police.com; police_troyan@abv.bg), and, asking, me, to, write, that, my, equipment, was, interfering, with, that, of, local, police, department.

UPDATE: It, appears, that, someone, has, taken, the, time, and, effort, to, take, a, t-shirt, of, mine.

UPDATE: Prior, to, my, visit, at, a, local, hotel, (hxxp://central-hotel.com/en; central@central-hotel.com), some, of, my, clothes, were, missing.

UPDATE: It, appears, that, my, place, was, recently, supposedly, visited, by, Plamen, Dakov (hxxp://universalstroi.com), Hristo, Radionov (hxxp://universalstroi.com; hxxp://www.facebook.com/hristo.radionov), and, Ivailo, Dochkov (hxxp://www.facebook.com/ivodivo), who, left, money, for, me.

UPDATE: Prior, to, my, attendance, in, a, local, institution (dpblovech@abv.bg), Ivailo, Dochkov (hxxp://www.facebook.com/ivodivo), tried, to, meet, me.


UPDATE: Prior, to, my, attendance, at, this, particular, apartment, I, was, invited, by, Briana Papa (Briana@crenshawcomm.com), to, visit, Prague, on, behalf, of, Avast! Software, where, I, met, with, Vince Steckler (steckler@avast.com), and, Miloslav, Korenko (korenko@avast.com), where, I, met, with, Lucian Constantin (hxxp://twitter.com/lconstantin).


Prior, to, my, attendance, at, this, apartment, I, was, also, invited, to, another, event, held, at, INTERPOL, by, Steve Santorelli
(steve.santorelli@gmail.com), which, I, successfully, attended, and, presented, at.


Something, else, worth, pointing, out, is, that, my, place, is, visited, by, an, unknown, woman, known, as, Boriana Mihovska, an, unknown, man, known, as, Leonid, an, unknown, person, known, as, Tzvetan Georgiev (hxxp://www.youtube.com/user/laron640); (hxxp://plus.google.com/107108766077365473231), and, an, unknown, person, known, as, Dobrin Danchev (hxxp://www.facebook.com/dobrin.danchev); (hxxp://www.sibir.bg/parachut).



The, most, recent, visit, to, my, place, was, by, a, person, known, as, Vasil, Stanev, from DANS (dans@dans.bg), who, was, supposedly, asking, me, to, take, a, job, and, consequently, asked, me, to, attend, a, doctor, session.

Dear, blog, readers, I, feel, it's, about, time, I, post, an, honest, response, regarding, my, disappearance, in, 2010, with, the, purpose, of, information, my, readers, on, my, current, situation, and, to, continue, posting, and, contributing, valuable, threat, intelligence, to, the, security, community.

In, 2010, I, moved, to, an, apartment, located, in, another, town, and, apparently, my, apartment, have, been, vandalized, including, persistent, harassment, by, my, neighbors, including, a, possible, illegal, entry, courtesy, of, the, person, responsible, for, hiring, the, apartment (Kalin Petrov; kalin_petrov@hotmail.com).


After, a, persistent, chase, down, and, harassment, courtesy, of, the, person, responsible, for, hiring, the, apartment, I, received, a, notice, to, leave, and, had, my, apartment, visited, by, the, person, responsible, for, hiring, including, another, man, including, another, man, that, was, supposedly, supposed, to, take, care, of, my, belongings.

Prior, to, my, accommodation, I, was, contacted, by, Pauline, Roberts (pauline.roberts@ic.fbi.gov), who, recommended, me, to, Yavor, Kolev (javor.kolev@gmail.com), and, Albena, Spasova (albaadvisors@gmail.com), from, Bulgarian, local, authorities, followed, by, a, series, of, communication.

Prior, to, returning, to, my, place, in, 2011, my, house, was, vandalized, by, three, police, officers (hxxp://troyan-police.com; police_troyan@abv.bg), from, the, local, police, department, who, entered, my, house, in, particular, my, bedroom, and, unpolitely, asked, my, to, dress, while, showing, me, a, copy, of, my, personal, ID, that, I, haven't, presented, and, taking, me, to, an, unknown, car, without, explaining, the, reason, for, taking, me.

A, few, hours, later, I, find, myself, located, in, an, institution (dpblovech@abv.bg), for, a, period, of, three, months, without, anyone, explaining, the, reason, for, holding, me, there. Upon, entering, I, had, my, phone, taken, without, having, received, any, sort, of, explanation, for, taking, me, and, holding, me, there.

Given, this, circumstances, I, feel, that, it, has, become, highly, unproductive, to, continue, my, work, and, therefore, I'm, currently, seeking, a, permanent, relocation, including, a, possible, full, time, career, opportunity, in, the, field, of, cybercrime, research, security, blogger, or, threat, intelligence, analyst.

I, can, be, reached, at +359 888 996 888, or, at, ddanchev@protonmail.ch

Thursday, January 05, 2017

Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, malicious, releases, successfully, generating, hundreds, of, thousands, of, fraudulent, revenue, while, populating, their, botnet's, infected, population, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, active, malvertising, campaign, affecting, FoxNews, successfully, enticing, users, into, executing, malicious, software, on, the, the, affected, PCs, with, the, cybercriminals, behind, it, successfully, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, URL, redirection, chain:
hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174
    - hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)    
        - hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194
            - hxxp://http://redirectclicks.com/?accs=845&tid=339

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://truconv.com - 78.46.88.202

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (78.46.88.202):
MD5: 473e3615795609a091a2f2d3d1be2d00
MD5: 9e51c29682a6059b9b636db8bf7dcc25
MD5: 08a50ebcaa471cd45b3561c33740136d
MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1
MD5: fcdd2790dd5b1898ef8ee29092dca757

Once, executed, a, sample, malware (MD5: 473e3615795609a091a2f2d3d1be2d00), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yaskiya.cyberfight.de - 78.46.88.202

Once, executed, a, sample, malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://myweb111111.go.3322.org
hxxp://35free.net - 5.61.39.56
hxxp://newsoft1.go.3322.org
hxxp://newsoft11.go.3322.org

Once, executed, a, sample, malware (MD5: 08a50ebcaa471cd45b3561c33740136d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://darthvader.dyndns.tv
hxxp://www12.subdomain.com - 78.46.88.202

Once, executed, a, sample, malware (MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://tundeghanawork.co.gp - 78.46.88.202

Once, executed, a, sample, malware (MD5: fcdd2790dd5b1898ef8ee29092dca757), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsoft.go.3322.org - 221.130.179.36
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://users6.nofeehost.com - 67.208.91.110

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: c9ca43032633584ff2ae4e4d7442f123
MD5: a099766f448acd6b032345dfd8c5491d
MD5: da39ccb40b1c80775e0aa3ab7cefb4b0
MD5: 85750b93319bd2cf57e445e1b4850b08
MD5: e521b31eb97d6d25e3d165f2fe9ca3ba

Once, executed, a, sample, malware (MD5: c9ca43032633584ff2ae4e4d7442f123), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.tokoholapisa.com - 54.229.133.176
hxxp://down2load.net - 69.172.201.153
hxxp://cdn.download2013.net - 185.152.65.38

Once, executed, a, sample, malware (MD5: a099766f448acd6b032345dfd8c5491d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (176.74.176.178):
MD5: 116d07294fb4b78190f44524145eb200
MD5: f9e71f66e3aae789b245638a00b951a8
MD5: 1d6d4a64a9901985b8a005ea166df584
MD5: acfa1a5f290c7dd4859b56b49be41038
MD5: b63fd04a8cdf69fb7215a70ccd0aef27

Once, executed, a, sample, malware (MD5: 116d07294fb4b78190f44524145eb200), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.on86.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: f9e71f66e3aae789b245638a00b951a8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.linkbyte.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: 1d6d4a64a9901985b8a005ea166df584), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.pnmchgameserver.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: acfa1a5f290c7dd4859b56b49be41038), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.97dn.com - 45.125.35.85
hxxp://www.97wg.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: b63fd04a8cdf69fb7215a70ccd0aef27), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pajak.yogya.com - 69.172.201.153
hxxp://www.yogya.com
hxxp://return.uk.uniregistry.com - 176.74.176.178

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (64.95.64.194):
MD5: 7ca6214e3b75bc1f7a41aef3267afc29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freshtravel.net - 184.168.221.36
hxxp://experiencetravel.net - 217.174.248.145
hxxp://freshyellow.net
hxxp://experienceyellow.net
hxxp://freshclose.net
hxxp://experienceclose.net

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.43.161.174):
MD5: 674fca39caf18320e5a0e5fc45527ba4
MD5: 7017a26b53bc0402475d6b900a6c98ae
MD5: 0b61f6dfaddd141a91c65c7f290b9358
MD5: 4d5bc6b69db093824aa905137850e883
MD5: 201dee0da7b7807808d681510317ab59

Once, executed, a, sample, malware (MD5: 674fca39caf18320e5a0e5fc45527ba4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://aahydrogen.com - 208.73.210.214
hxxp://greatinstant.net
hxxp://ginsdirect.net
hxxp://autouploaders.net - 185.53.177.9

Once, executed, a, sample, malware (MD5: 7017a26b53bc0402475d6b900a6c98ae), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://w.wfetch.com - 69.43.161.174
hxxp://ww1.w.wfetch.com - 72.52.4.90

Once, executed, a, sample, malware (MD5: 4d5bc6b69db093824aa905137850e883), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://greattaby.com - 69.43.161.174
hxxp://ww41.greattaby.com - 141.8.224.79

Once, executed, a, sample, malware (MD5: 201dee0da7b7807808d681510317ab59), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://layer-ads.de - 69.43.161.174

Sample, URL, redirection, chain:
hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 208.73.210.215; 208.73.211.246; 82.98.86.178
    - hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst&l=370&f=cs_3506417142&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM - 208.91.197.46; 204.11.56.48; 204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12
        - hxxp://easywebchecklive.com/1/fileslist.js - 94.247.2.215
            - hxxp://78.47.132.222/a12/index2.php
                - hxxp://78.47.132.221/a12/pdf.php?u=i_7_0
                    - hxxp://78.47.132.221/a12/aff_12.exe?u=i_7_0&spl=4

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs (208.91.197.46):
MD5: b13f1af8fc426e350df11565dcf281e8
MD5: a189b3334fbd9cd357aedff22c672e9c
MD5: da53b068538ff03e2fc136c7d0816e39
MD5: ec08a877817c749597396e6b34b88e78
MD5: b9e7bf23de901280e62fd68090b5b8fa

Once, executed, a, sample, malware (MD5: b13f1af8fc426e350df11565dcf281e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.sslsecure1.com - 193.166.255.171
hxxp://staticrr.paleokits.net - 205.251.219.192
hxxp://dtrack.secdls.com
hxxp://staticrr.sslsecure1.com

Once, executed, a, sample, malware (MD5: a189b3334fbd9cd357aedff22c672e9c), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://staticrr.paleokits.net - 54.230.11.231
hxxp://staticrr.sslsecure1.com - 193.166.255.171
hxxp://staticrr.sslsecure2.com
hxxp://staticrr.sslsecure3.com - 208.91.197.46

Once, executed, a, sample, malware (MD5: ec08a877817c749597396e6b34b88e78), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://skyworldent.com
hxxp://solitaireinfo.com
hxxp://speedholidays.com - 206.221.179.26

Once, executed, a, sample, malware (MD5: b9e7bf23de901280e62fd68090b5b8fa), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com - 193.166.255.171
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com - 208.91.197.46

Related, malicious MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 969601cbf069a849197289e042792419

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's. infected, population, further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, active, malicious, black, hat, SEO (search engine optimization), type, of, malicious, campaign, serving, malicious, software, to, unsuspecting, users, further, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://notice-of-unreported-income-email.donatehalf.com
hxxp://911-pictures.jewishreference.com
hxxp://911-pictures.dpakman91.com
hxxp://9-11-quotes.midweekpolitics.com

Sample, URL, redirection, chain:
hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
    - hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
        - hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111
            - hxxp://vpizdutebygugol.xorg.pl/go4/
                - hxxp://http://free-checkpc.com/l/d709f38e78s84y76u - 193.169.12.5
                    - hxxp://safe-fileshere.com/s/w58238e9a6dh76k73r/setup.exe - 193.169.12.5

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (193.203.99.111):
MD5: b761960b60f2e5617b4da2e303969ff1
MD5: a27ae350b9d29b13749b14e376a00b52
MD5: adbad83fadc017d60972efa65eb3c230
MD5: b1323d4c7e1f6455701d49621edfb545
MD5: c166767c8aa7a8eee0d12a6d9646b3e8

Once, executed, a, sample, malware (MD5: b761960b60f2e5617b4da2e303969ff1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: a27ae350b9d29b13749b14e376a00b52), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://gwg.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: adbad83fadc017d60972efa65eb3c230), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://htu.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: b1323d4c7e1f6455701d49621edfb545), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://htu.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: c166767c8aa7a8eee0d12a6d9646b3e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: 7df300b01243a42b4ddff724999cd4f7

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://updatepcnow.com - 208.73.211.249
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (208.73.211.249):
MD5: 940be22f37e30c90d9fded842c23b24d
MD5: ef29c61908f678f313aa298343845175
MD5: 47f5002a0b9d312f28822d92a3962c81
MD5: ba83653117a6196d8b2a52fb168b8142
MD5: f29209f1ca6c4666207ea732c1f32978

Once, executed, a, sample, malware (MD5: 940be22f37e30c90d9fded842c23b24d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://softonic-analytics.net - 46.28.209.74
hxxp://superscan.sd.en.softonic.com - 46.28.209.70
hxxp://www.ledyazilim.com - 213.128.83.163

Once, executed, a, sample, malware (MD5: ef29c61908f678f313aa298343845175), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ksandrafashion.com - 208.73.211.173
hxxp://www.lafyeri.com
hxxp://kulppasur.com

Once, executed, a, sample, malware (MD5: 47f5002a0b9d312f28822d92a3962c81), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php

Once, executed, a sample, malware (MD5: ba83653117a6196d8b2a52fb168b8142), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://mhc.ir - 82.99.218.195
hxxp://naphooclub.com - 208.73.211.173
hxxp://mdesigner.ir - 176.9.98.58

Once, executed, a, sample, malware (MD5: f29209f1ca6c4666207ea732c1f32978), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (50.63.202.54):
MD5: 45497b47a6df2f6216b4c4bebc572dd3
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: 08db02c9873c0534656901d5e9501f46
MD5: 830b22b4a0520d1b46a493f03a6a0a66
MD5: 5ee1bfa766f367393782972718d4e82f

Once, executed, a, sample, malware (MD5: 45497b47a6df2f6216b4c4bebc572dd3), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz - 195.157.15.100

Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49

Once, executed, a, sample, malware (MD5: 08db02c9873c0534656901d5e9501f46), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://musicbroke.net - 195.22.28.210

Once, executed, a, sample, malware (MD5: 830b22b4a0520d1b46a493f03a6a0a66), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Once, executed, a, sample, malware (MD5: 5ee1bfa766f367393782972718d4e82f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (54.85.196.8):
MD5: 05288748ddccf2e5fedef5d9e8218fef
MD5: 08936ff676b062a87182535bce23d901
MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7
MD5: 8a7e330ad88dcb4ced3e5e843424f85f
MD5: bf3d996376663feaea6031b1114eb714

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://graves111.net - 64.86.17.47 - Email: gertrudeedickens@text2re.com
hxxp://lending10.com
hxxp://adriafin.com
hxxp://7sevenseas.com
hxxp://ironins.com
hxxp://trdatasft.com
hxxp://omeoqka.cn
hxxp://trustshield.cn
hxxp://capide.cn
hxxp://tds-soft.comewithus.cn
hxxp://graves111.net
hxxp://reversfor5.net
hxxp://limestee.net
hxxp://landlang.net
hxxp://langlan.net
hxxp://limpopos.net
hxxp://clarksinfact.net

Sample, URL, redirection, chain:
hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com
    - hxxp://checkvirus-zone.com/?p=

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: b157106188c2debab5d2f1337c708e35

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pencil-netwok.com/?act=fb&1=1&2=0&3= - 204.11.56.48; 204.11.56.45; 209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 3c3346426923504571f81caffdac698d
MD5: ad4244794693b41c775b324c4838982a
MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e
MD5: 0526944bfb43b14d8f72fd184cd8c259
MD5: 29932b0cb61011ffc4834c3b7586d956

Once, executed, a, sample, malware (MD5: 3c3346426923504571f81caffdac698d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.76.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once, executed, a, sample, malware (MD5: ad4244794693b41c775b324c4838982a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://banboon.com - 204.11.56.48
hxxp://bdb.com.my - 103.4.7.143
hxxp://baulaung.org - 52.28.249.128

Once, executed, a, sample, malware (MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cubingapi.com - 204.11.56.48
hxxp://error.cubingapi.com - 204.11.56.48

Once, executed, a, sample, malware (MD5: 0526944bfb43b14d8f72fd184cd8c259), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.77.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once, executed, a, sample, malware (MD5: 29932b0cb61011ffc4834c3b7586d956), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
hxxp://rms365x24.com - 166.78.145.90

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, soon, as, new, developments, take, place.

Sunday, December 25, 2016

Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, newly, added, socially, engineered, users, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, a, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, utilizing, blackhat, seo (search engine optmization), for, traffic, acquisition, tactics, techniques, and procedures, potentially, exposing, hundreds, of, thousands, of, socially, engineered, users, to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, scareware, with, the, cybercriminals, behind, the, campaign, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, traffic, largely, relying, on, the, utilization, of, an, affiliate-network, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://blank_fax_forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 216.172.154.34; 205.164.24.44; 205.164.24.45 ->

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://aizvfnnd.cc - Email: janice@whiteplainsrealty.com
hxxp://blnrriwbd.cc - Email: janice@whiteplainsrealty.com
hxxp://crrhxzp.cc - Email: janice@whiteplainsrealty.com
hxxp://ihmedkgi.cc - Email: janice@whiteplainsrealty.com
hxxp://izdzhpdn.cc - Email: janice@whiteplainsrealty.com
hxxp://krnflff.cc - Email: janice@whiteplainsrealty.com
hxxp://lgixuql.cc - Email: janice@whiteplainsrealty.com
hxxp://lsxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://mkzjuoz.cc - Email: janice@whiteplainsrealty.com
hxxp://mobqmizg.cc - Email: janice@whiteplainsrealty.com
hxxp://mqapagelq.cc - Email: janice@whiteplainsrealty.com
hxxp://mrvgusfdu.cc - Email: janice@whiteplainsrealty.com
hxxp://nurzcycxm.cc - Email: janice@whiteplainsrealty.com
hxxp://orhhcunye.cc - Email: janice@whiteplainsrealty.com
hxxp://pdbpczh.cc - Email: janice@whiteplainsrealty.com
hxxp://pkuidxdy.cc - Email: janice@whiteplainsrealty.com
hxxp://qicpfwrx.cc - Email: janice@whiteplainsrealty.com
hxxp://ruhilmec.cc - Email: janice@whiteplainsrealty.com
hxxp://sxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://tcygfdmc.cc - Email: janice@whiteplainsrealty.com
hxxp://tlhaxfr.cc - Email: janice@whiteplainsrealty.com
hxxp://vcjggcbgj.cc - Email: janice@whiteplainsrealty.com
hxxp://xlnojaz.cc - Email: janice@whiteplainsrealty.com
hxxp://zdqvzdj.cc - Email: janice@whiteplainsrealty.com

Sample, malicious, redirector, used, in, the, campaign:
hxxp://bostofsten1.net

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (216.172.154.34):
MD5: ad04fd31e9868b073222b3fd2aac93f7
MD5: 103ecb766e0deb06ccbcea0a8046b4cb
MD5: eb0fab963cd37660956a7ab0c66715c2
MD5: 00da0096bd91e89e4059c428259a6cbb
MD5: 9b7f0e0ebf1656227de9f8f97dfd9141

Once, executed, a, sample, malicious, executable, (MD5:ad04fd31e9868b073222b3fd2aac93f7) phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://down.down988.cn - 65.19.157.228

Once, executed, a, sample, malicious, executable, (MD5:00da0096bd91e89e4059c428259a6cbb) phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cutalot.cn - 205.164.24.43

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (205.164.24.44):
hxxp://cycling20110829.usa.1204.net
hxxp://pepsizone.cn
hxxp://ysbr.cn
hxxp://interactsession-697593.regions.com.usersetup.cn
hxxp://ad.suoie.cn
hxxp://ycgezkpu.cn

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: cf7a53e66e397c29ea203e025c5d6465
MD5: 089886483353f93a36dd69f0776beace
MD5: 528ac8f94123aaa32058f0114b8e1fd2
MD5: 4e8405bb398509f17242c0b9f614d6e4
MD5: a364d4fe887e2e40bc1ec67ad6f9aa31

Once, executed, a, sample, malware (MD5:cf7a53e66e397c29ea203e025c5d6465), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://blenderartists.org - 141.101.125.180
hxxp://xibudific.cn - 50.117.122.92
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://hardwareindexx.com
hxxp://hardwareindexx.com.ovh.net

Once, executed, a, sample, malware (MD5:089886483353f93a36dd69f0776beace), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freeonlinedatingtips.net - 204.197.252.70
hxxp://xibudific.cn - 216.172.154.38
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://searchfeedbook.com
hxxp://searchfeedbook.com.ovh.net

Once, executed, a, sample, malware (MD5:528ac8f94123aaa32058f0114b8e1fd2), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://historykillerpro.com - 192.254.233.158
hxxp://motherboardstest.com - 195.22.26.252
hxxp://dolbyaudiodevice.com
hxxp://dolbyaudiodevice.com.ovh.net
hxxp://xibudific.cn - 50.117.116.204

Once, executed, a, sample, malware (MD5:4e8405bb398509f17242c0b9f614d6e4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pcskynet.cn
hxxp://gamepknet.cn
hxxp://pcskynet.cn.ovh.net
hxxp://gamepknet.cn.ovh.net
hxxp://yes16800.cn
hxxp://yes16800.cn.ovh.net

Once, executed, a, sample, malware (MD5:a364d4fe887e2e40bc1ec67ad6f9aa31), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://136136.com - 61.129.70.87
hxxp://xibudific.cn - 50.117.122.92
hxxp://hothintspotonline.com
hxxp://hothintspotonline.com.ovh.net
hxxp://hardwareindexx.com

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (205.164.24.45):
hxxp://17mv.com
hxxp://criding.com
hxxp://criding.com
hxxp://17mv.com
hxxp://baudu.com
hxxp://pwgo.cn
hxxp://suqiwyk.cn
hxxp://verringo.cn

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
MD5: 9905ba7c00761a792ad8a361b4de71ea
MD5: b83c68f7d09530181908d513eb30a002
MD5: 78941c2c4b05f8af9a31a9f3d4c94b57
MD5: 7a1b6153a3f00c430b09f1c7b9cf7a77
MD5: 2776c972fa934fd080f5189be7c98a77

Once, executed, a, sample, malware, phones, back, to, the, following, maliciuos, C&C, server, IPs:
hxxp://down.down988.cn - 50.117.122.91

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://imagehut4.cn - 50.117.122.91

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yingzi.org.cn - 50.117.116.205

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://qmmmm.com.cn - 50.117.122.94

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://down.down988.cn - 50.117.122.94

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Hundreds of Malicious Web Sites Serve Client-Side Exploits, Lead to Rogue YouTube Video Players

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, a, botnet's, infected, population, further, spreading, malicious, software, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, potentially, exposing, the, affected, user, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, access, to, the, malware-infected, hosts, largely, relying, on, the, use, of, affiliate-network, based, type, of, fraudulent, revenue, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, users, into, clicking, on, bogus, and, rogue, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, ultimately, attempting, to, socially, engineer, users, into, interacting, with, rogue, YouTube, Video, Players, ultimately, dropping, fake, security, software, also, known, as, scareware, on, the, affected, hosts, with, the, cybercriminals, behind, the, campaign, actively, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, URL, redirection, chain:
hxxp://acquaintive.in/x.html - 208.87.35.103
    - hxxp://xxxvideo-hlyl.cz.cc/video7/?afid=24 - 63.223.117.10
            - hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: enquepuedo.senior@gmail.com
                - hxxp://binarymode.in/topic/exe.php?x=jjar
                    - hxxp://binarymode.in/topic/?showtopic=ecard&bid=151&e=post&done=image

Related, malicious, MD5s, known, to, have, responded, to, the, same, C&C, server, IPs (208.87.35.103):
MD5: a12c055f201841f4640084a70b34c0c4
MD5: b4d435f15d094289839eac6228088baf
MD5: 2782220da587427b981f07dc3e3e0d96
MD5: 1151cd39495c295975b8c85bd4b385e5
MD5: 2539d5d836f058afbbf03cb24e41970c

Once, executed, a, sample, malware (MD5: a12c055f201841f4640084a70b34c0c4), phones, back, to, the, following, C&C, server, IPs:
hxxp://926garage.com - 185.28.193.192
hxxp://quistsolutions.eu - 188.165.239.53
hxxp://rehabilitacion-de-drogas.org - 188.240.1.110
hxxp://bcbrownmusic.com - 69.89.21.66
hxxp://andzi0l.5v.pl - 46.41.150.7
hxxp://alsaei.com - 192.186.194.133

Once, executed, a, sample, malware (MD5: 2782220da587427b981f07dc3e3e0d96), phones, back, to, the, following, C&C, server, IPs:
hxxp://lafyeri.com
hxxp://kulppasur.com - 209.222.14.3
hxxp://toalladepapel.com.ar - 184.168.57.1
hxxp://www.ecole-saint-simon.net - 208.87.35.103

Once, executed, a, sample, malware (MD5: 2539d5d836f058afbbf03cb24e41970c), phones, back, to, the, following, C&C, server, IPs:
hxxp://realquickmedia.com (208.87.35.103)

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (109.74.195.149):
hxxp://trustidsoftware.com
hxxp://tc28q8cxl2a5ljwa60skl87w6.cdx1cdx1cdx1.in
hxxp://golubu6ka.com
hxxp://cdx2cdx2cdx2.in
hxxp://redmewire.com
hxxp://5zw3t6jq8fiv9jtdqg23.cdx2cdx2cdx2.in
hxxp://es3iz6lb0pet3ix6la0p.cdx2cdx2cdx2.in
hxxp://qsd79bd0j8f7c90e057a.cdx1cdx1cdx1.in
hxxp://w8ncqpet2hx5kf9mbr1a.cdx1cdx1cdx1.in
hxxp://skygaran4ik.com
hxxp://5xj7wk9amqcpse2ug4ve.cdx1cdx1cdx1.in
hxxp://readrelay.com
hxxp://bk5sbm7xgo6vk0e6b3xc.cdx1cdx1cdx1.in
hxxp://d51f1qam8wi15wpxmtjq.cdx2cdx2cdx2.in
hxxp://wxvtsr98642pomligfed.cdx2cdx2cdx2.in
hxxp://zonkjhgebawzvsq09753.cdx1cdx1cdx1.in
hxxp://nightphantom.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (109.74.195.149):
MD5: a6c06a59da36ee1ae96ffaff37d12f28
MD5: 2d1bb6ca54f4c093282ea30e2096af0f
MD5: adf037ecbd4e7af573ddeb7794b61c40
MD5: ce7d4a493fc4b3c912703f084d0d61e1
MD5: c36941693eeef3fa54ca486044c6085a

Once, executed, a, sample, malware (MD5:a6c06a59da36ee1ae96ffaff37d12f28), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 109.74.195.149
hxxp://zeplost.com - 109.74.195.149

Once, executed, a, sample, malware (MD5:2d1bb6ca54f4c093282ea30e2096af0f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://qweplost.com - 109.74.195.149

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (96.126.106.156):
hxxp://checkwebspeed.net
hxxp://gercourses.com
hxxp://replost.com
hxxp://boltoflexaria.in
hxxp://levartnetcom.net
hxxp://boltoflex.in
hxxp://borderspot.net
hxxp://diathbsp.in
hxxp://ganzagroup.in
hxxp://httpsstarss.in
hxxp://missingsync.net
hxxp://qqplot.com
hxxp://evelice.in
hxxp://gotheapples.com
hxxp://surfacechicago.net
hxxp://zeplost.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0183a687365cc3eb97bb5c2710952f95
MD5: f1e3030a83fa2f14f271612a4de914cb
MD5: 97269450de58ef5fb8d449008e550bf0
MD5: c83962659f6773b729aa222bd5b03f2f
MD5: e0aa08d4d98c3430204c1bb6f4c980e1

Once, executed, a, sample, malware (MD5:0183a687365cc3eb97bb5c2710952f95), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 96.126.106.156

Once, executed, a, sample, malware (MD5:f1e3030a83fa2f14f271612a4de914cb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://gercourses.com/borders.php

Once, executed, a, sample, malware (MD5:97269450de58ef5fb8d449008e550bf0), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://checkwebspeed.net - 96.126.106.156

Once, executed, a, sample, malware (MD5:c83962659f6773b729aa222bd5b03f2f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://checkwebspeed.net - 96.126.106.156

Once, executed, a, sample, malware (MD5:e0aa08d4d98c3430204c1bb6f4c980e1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 96.126.106.156

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Koobface Gang Utilizes, Google Groups, Serves, Scareware and Malicious Software

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, populating, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affecting, Google Groups, potentially, exposing, users, to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, scareware, further, enticing, users, into, interacting, with, the, bogus, links, potentially, exposing, their, devices, to, a, multi-tude, of, malicious, software.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, between, the, campaign, and, the, Koobface, gang.

Related, malicious, rogue, content, URLs, known, to, have, participated, in, the, campaign:
- anisimivachev17 - 1125 messages
- ilariongrishelev24 - 1099 messages
- yuvenaliyarzhannikov15 - 1108 messages
- burniemetheny52 - 1035 messages
- mengrug - 1090 messages
- silabobrov27 - 1116 messages

Related, malicious, URls, known, to, have, participated, in, the, campaign:
hxxp://wut.im/343535
hxxp://tpal.us/wedding2
hxxp://shrtb.us/New_year_video
hxxp://snipurl.com/tx2r6
hxxp://www.tcp3.com/helga-4315
hxxp://budurl.com/egph
hxxp://flipto.com/jokes/
hxxp://rejoicetv.info/newyear
hxxp://fauz.me/?livetv
hxxp://go2.vg/funnykids
hxxp://usav.us/anecdotes
hxxp://vaime.org/joke
hxxp://theflooracle.com/mistakes
hxxp://dashurl.com/video-jokes
hxxp://www.shortme.info/smileykids/
hxxp://starturl.com/clip32112
hxxp://starturl.com/rebeca
hxxp://starturl.com/video2231
hxxp://starturl.com/funclip
hxxp://starturl.com/sexchat
hxxp://snipurl.com/tx2r6
hxxp://www.41z.com/animals
hxxp://www.rehttp.com/?smileykids
hxxp://starturl.com/adamaura
hxxp://mytinyurls.com/wfj
hxxp://budurl.com/egph

Sample, detection, rate, for, a, malicious, executable:
MD5: 1e0d06095a32645c3f57f1b4dcbcfe5c

Sample, malicious, URL, involved, in, the, campaign:
hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - Bobby.J.Hyatt@gmail.com

Parked there are also:
hxxp://networkstabilityinc .com - Email: juliacanderson@pookmail.com; marcusmhuffaker@mailinator.com; justinpnelson@dodgit.com
hxxp://indiansoftwareworld .com - Email: thelmamhandley@trashymail.com; leanngscofield@gmail.com; ernestygresham@trashymail.com
hxxp://antyvirusdevice .com - Email: latonyawmiller@pookmail.com; royawiley@pookmail.com; gracegoshea@pookmail.com; latonyawmiller@pookmail.com
hxxp://digitalprotectionservice .com - Email: clarencepfetter@trashymail.com; jamesdrobinson@pookmail.com; jamesdrobinson@pookmail.com; clarencepfetter@trashymail .com
hxxp://bestantyvirusservice .com - Email: kathrynrsmith@gmail.com; richardbhughey@gmail.com; joshuamwest@trashymail.com; kathrynrsmith@gmail.com
hxxp://antivirussoftrock .com - Email: michaelaturner@trashymail.com; gracemparker@trashymail.com; cliffordsfernandez@pookmail.com; michaelaturner@trashymail.com
hxxp://antywiramericasell .com - Email: Shannon.J.Ferguson@gmail.com
hxxp://antydetectivewaemergencyroom .com - Email: brettdpetro@gmail.com; valeriejweaver@dodgit.com; williekharris@mailinator.com; brettdpetro@gmail.com
hxxp://freeinternetvacation .com - Email: edwardmyoung@trashymail.com; aileenasaylor@gmail.com; williamjoverby@trashymail.com; edwardmyoung@trashymail.com
hxxp://aolbillinghq .com - Email: haroldamccarthy@trashymail.com; teodoromkeller@trashymail.com; joanswhite@dodgit.com; haroldamccarthy@trashymail.com
hxxp://scanserviceprovider .com - Email: rogerdmurphy@gmail.com; charlescvalentino@mailinator.com; eliarmcdonald@trashymail.com; rogerdmurphy@gmail.com
hxxp://securitytoolsquotes .com - Email: thurmanepidgeon@dodgit.com; jessicapgrady@dodgit.com; jamesmcummings@trashymail.com; thurmanepidgeon@dodgit.com
hxxp://electionprogress .com - Email: clarenceafloyd@pookmail.com; junerwurth@pookmail.com; edjbaxter@gmail.com; clarenceafloyd@pookmail.com
hxxp://myantywiruslist .com - Email: Nathan.S.Dennis@gmail.com
hxxp://antyspywarelistnow .com - Email: James.M.Miller@gmail.com
hxxp://securitylabtoday .com - Email: Marc.N.Torres@gmail.com
hxxp://yournecessary .com - Email: debrahbettis@gmail.com; myracbryant@dodgit.com; marycwilliams@dodgit.com; debrahbettis@gmail.com
hxxp://securityutilitysite .net - Email: michellemwelch@mailinator.com; charlesdfrazier@trashymail.com; rosaliejhumphrey@pookmail.com; michellemwelch@mailinator.com
hxxp://securitytoolsshop .net - Email: sarajgunter@gmail.com; kerstinrbray@gmail.com; keithrdejesus@mailinator.com; sarajgunter@gmail.com
hxxp://securitytooledit .net - Email: byronlross@pookmail.com; jamesslewis@mailinator.com; leighschancey@trashymail.com; byronlross@pookmail.com
hxxp://portsecurityutility .net - Email: marquettacpettit@trashymail.com; melindakbolin@pookmail.com; rhondaehipp@mailinator.com; marquettacpettit@trashymail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 4a3e8b6b7f42df0f26e22faafaa0327f
MD5: 64a111acdc77762f261b9f4202e98d29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsekuritylist.com/in.php?affid=92600
hxxp://newsekuritylist.com/in.php?affid=92600

Sample, URL, redirection, chain:
hxxp://rejoicetv.info/newyear
    - hxxp://91.207.4.19/tds/go.php?sid=3
        - hxxp://liveeditionpc.net?uid=297&pid=3&ttl=11845621a62 - 95.169.187.216 - korn989.net; liveeditionpc.net; createpc-pcscan-korn.net
            - hxxp://www1.hotcleanofyour-pc.net/p=== - 98.142.243.174 - live-guard-forpc.net is also parked there:

Sample, detection, rate, for, a, malicious, executable:
MD5: 4912961c36306d156e4e2b335c51151b

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://update2.pcliveguard.com/index.php?controller=hash - 124.217.251.99
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://securityearth.cn/Reports/MicroinstallServiceReport.php - 210.56.53.125

Sample, URL, redirection, chain:
hxxp://garlandvenit.150m.com
    - hxxp://online-style2.com
        - hxxp://scanner-malware15.com/scn3/?engine=
            - hxxp://scanner-malware15.com/download.php?id=328s3

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://eclipserisa.150m.com
hxxp://adamaura.150m.com
hxxp://hugodinah.150m.com
hxxp://roycesylvia.150m.com
hxxp://lindaagora.150m.com
hxxp://sharolynpam.150m.com
hxxp://letarebeca.150m.com
hxxp://letarebeca.150m.com

Sample, URL, redirection, chain:
hxxp://egoldenglove.com/Images/bin/movie/
    - hxxp://egoldenglove.com/Images/bin/movie/Flash_Update_1260873156.exe

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://2-weather.com/?pid=328s03&sid=3593b2&d=3&name=Loading%20video - 66.197.160.104 -mail@tatrum-verde.com
hxxp://scanner-spya8.com/scn3/?engine= - info@gainweight.com -

Sample, detection, rate, for, a, malicious, executable:
MD5: bfaba92c3c0eaec61679f03ff0eb0911

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://91.212.226.185/download/winlogo.bmp (windowsaltserver.com)

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum-verde.com
hxxp://2-weather.com - 193.104.22.202 - - Email: mail@tatrum-verde.com - currently embedded on Koobface-infected hosts pushing scareware

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com
hxxp://scanner-malware15.com - Email: info@natural-health.org

Related, malicious, IPs, known, to, have, participated, in, the, campaign:
hxxp://68.168.212.142
hxxp://91.212.226.97
hxxp://66.197.160.105

Parked on 68.168.212.142:
hxxp://antispywareguide20 .com - Email: contacts@vertigo.us
hxxp://antispywareguide22 .com - Email: contacts@vertigo.us
hxxp://antispywareguide23 .com - Email: contacts@vertigo.us
hxxp://antispywareguide25 .com - Email: contacts@vertigo.us
hxxp://antispywareguide27 .com - Email: contacts@vertigo.us
hxxp://antispywaretools10 .com - Email: contacts@vertigo.us
hxxp://antispywaretools11 .com - Email: contacts@vertigo.us
hxxp://antispywaretools12 .com - Email: contacts@vertigo.us
hxxp://antispywaretools17 .com - Email: contacts@vertigo.us
hxxp://antispywaretools18 .com - Email: contacts@vertigo.us
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://birthday-gifts2 .com - Email: TheodoreWTurner@live.com
hxxp://christmasdecoration2 .com - Email: contact@trythreewish.us
hxxp://computerscanm0 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm2 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm4 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm6 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm8 .com - Email: JamesNTurner@yahoo.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com

hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com
hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://pc-antispyo3 .com
hxxp://pc-antispyo5 .com
hxxp://pc-antispyo6 .com
hxxp://pc-antispyo9 .com
hxxp://pc-securityv8 .com - Email: info@billBlog.com
hxxp://protect-pca1 .com
hxxp://protect-pcr1 .com
hxxp://protect-pct1 .com
hxxp://protect-pcu1 .com

hxxp://quick-antispy91 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy92 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy93 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy95 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy99 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner2 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner4 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner6 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner77 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner78 .com - Email: williams.trio@yahoo.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://safe-pc01 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc02 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc03 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc07 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc09 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc002 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc004.com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc009 .com - Email: JamesNTurner@yahoo.com
hxxp://scan-and-secure01 .com
hxxp://scan-and-secure04 .com
hxxp://scan-and-secure06 .com
hxxp://scan-and-secure07 .com
hxxp://scan-and-secure09 .com
hxxp://scan-computerab .com
hxxp://scan-computere0 .com

hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org
hxxp://securitysoftware1 .com
hxxp://securitysoftware3 .com
hxxp://securitysoftware5 .com
hxxp://securitysoftwaree .com
hxxp://securitysoftwaree7 .com
hxxp://security-softwareo1 .com
hxxp://security-softwareo5 .com
hxxp://security-softwareo7 .com
hxxp://unique-gifts2 .com - Email: contact@trythreewish.us
hxxp://unusual-gifts2 .com - Email: contact@trythreewish.us
hxxp://xmas-song .com - Email: contact@trythreewish.us

Parked on 91.212.226.97; 66.197.160.105:
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com
hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com

hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org

Parked on 66.197.160.104:
hxxp://2activities.com - Email: mail@tatrum-verde.com
hxxp://2-scenes.com - Email: mail@tatrum-verde.com
hxxp://2-weather.com - Email: mail@tatrum-verde.com
hxxp://online-fun2 .com - Email: mail@tatrum-verde.com
hxxp://online-news2.com - Email: mail@tatrum-verde.com
hxxp://online-style2 .com - Email: mail@tatrum-verde.com
hxxp://online-tv2.com - Email: mail@tatrum-verde.com
hxxp://snow-and-fun2 .com - Email: mail@tatrum-verde.com
hxxp://winterart2 .com - Email: info@territoryplace.us
hxxp://winterchristmas2 .com - Email: info@territoryplace.us
hxxp://wintercrafts2 .com - Email: info@territoryplace.us
hxxp://winterkids2 .com - Email: info@territoryplace.us
hxxp://winterphotos2 .com - Email: info@territoryplace.us
hxxp://winterpicture2 .com - Email: info@territoryplace.us
hxxp://winterscene2 .com - Email: info@territoryplace.us
hxxp://winterwallpaper2 .com - Email: info@territoryplace.us

What's particularly, interesting, about, this, particular, campaign, is, the, direct, connection, with, the, Koobface, gang, taking, into, consideration, the, fact, that, hxxp://redirector online-style2.com/?pid=312s03&sid=4db12f has, also, been, used, by, Koobface-infected hosts, and, most, importantly, the, fact, that, a, sampled, scareware, campaign from December 2009, were serving scareware parked on 193.104.22.200, where the Koobface scareware portfolio is parked, as, previously, profiled, and, analyzed.

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Related posts:
Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

Historical OSINT - Rogue MyWebFace Application Serving Adware Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, further, spreading, malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, users, into, executing, a, malicious, software, largely, relying, on, basic, visual, social, engineering, enticing, users, into, executing, a, rogue, application, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, host.


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domain, reconnaissance:
hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 66.235.119.48
hxxp://mywebface.mywebsearch.com - 74.113.233.64; 74.113.233.180

Sample, detection, rate, for, a, malicious, executable:
MD5: b32acfece8089e52fa2288cb421fa9de

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (74.113.233.48; 74.113.237.48; 66.235.119.48):
hxxp://myinfo.mywebsearch.com
hxxp://dl.mywebsearch.com
hxxp://tbedits.mywebsearch.com
hxxp://celebsauce.dl.mywebsearch.com
hxxp://bfc.mywebsearch.com
hxxp://bar.mywebsearch.com
hxxp://int.search.mywebsearch.com
hxxp://inboxace.dl.mywebsearch.com
hxxp://internetspeedtracker.dl.mywebsearch.com
hxxp://mywebface.dl.mywebsearch.com
hxxp://easypdfcombine.dl.mywebsearch.com
hxxp://onlinemapfinder.dl.mywebsearch.com
hxxp://eliteunzip.dl.mywebsearch.com
hxxp://mytransitguide.dl.mywebsearch.com
hxxp://packagetracer.dl.mywebsearch.com
hxxp://myway.mywebsearch.com
hxxp://helpint.mywebsearch.com
hxxp://zwinky.dl.mywebsearch.com
hxxp://weatherblink.dl.mywebsearch.com
hxxp://videoscavenger.dl.mywebsearch.com
hxxp://videodownloadconverter.dl.mywebsearch.com
hxxp://translationbuddy.dl.mywebsearch.com
hxxp://totalrecipesearch.dl.mywebsearch.com
hxxp://televisionfanatic.dl.mywebsearch.com
hxxp://retrogamer.dl.mywebsearch.com
hxxp://myscrapnook.dl.mywebsearch.com
hxxp://myfuncards.dl.mywebsearch.com
hxxp://gamingwonderland.dl.mywebsearch.com
hxxp://dictionaryboss.dl.mywebsearch.com
hxxp://astrology.dl.mywebsearch.com
hxxp://utmtrk2.mywebsearch.com
hxxp://utm2.mywebsearch.com
hxxp://utm.trk.mywebsearch.com
hxxp://utm.mywebsearch.com
hxxp://ak.ssl.toolbar.mywebsearch.com
hxxp://www122.mywebsearch.com
hxxp://couponalert.dl.mywebsearch.com
hxxp://help.mywebsearch.com
hxxp://srchsugg.mywebsearch.com
hxxp://utm.gr.mywebsearch.com
hxxp://utmtrk.gr.mywebsearch.com
hxxp://dp.mywebsearch.com
hxxp://download.mywebsearch.com
hxxp://www64.mywebsearch.com
hxxp://filmfanatic.mywebsearch.com
hxxp://mywebface.mywebsearch.com
hxxp://fromdoctopdf.dl.mywebsearch.com
hxxp://www173.mywebsearch.com
hxxp://www153.mywebsearch.com
hxxp://www170.mywebsearch.com
hxxp://www176.mywebsearch.com
hxxp://www155.mywebsearch.com
hxxp://www186.mywebsearch.com
hxxp://www156a.mywebsearch.com
hxxp://www187.mywebsearch.com
hxxp://www198.mywebsearch.com
hxxp://www154.mywebsearch.com
hxxp://cfg.mywebsearch.com
hxxp://mapsgalaxy.dl.mywebsearch.com
hxxp://edits.mywebsearch.com
hxxp://www.mywebsearch.com
hxxp://enable.mywebsearch.com
hxxp://live.mywebsearch.com
hxxp://config.mywebsearch.com
hxxp://anx.mywebsearch.com
hxxp://bstat.mywebsearch.com
hxxp://updates.mywebsearch.com
hxxp://home.mywebsearch.com
hxxp://search.mywebsearch.com
hxxp://stats.mywebsearch.com
hxxp://akd.search.mywebsearch.com
hxxp://ak2.home.mywebsearch.com
hxxp://ak.search.mywebsearch.com
hxxp://ak.toolbar.mywebsearch.com

Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
MD5: 83cdb402fcd68947f7519eaad515fa5a
MD5: 6b31cc25e68d5d008e319c4a1c8c4098
MD5: f2392d18a266f554743b495b4e71b2be
MD5: 9bcaeb5b4bdd6b9e22852a98ca630914
MD5: 4fd260e17ca40a31a7baace9af1b7db9

Once, executed, a, sample, malware, (MD5: 83cdb402fcd68947f7519eaad515fa5a), phones, back, to, the, following, C&C, server, IPs:
hxxp://178.150.139.157/search.htm
hxxp://sev2012.com/page_click.php - 141.8.224.239; 54.72.9.51; 91.220.131.33; 91.236.116.20
hxxp://62.122.107.119/install.htm

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (178.150.139.157), are, also, the, following, malicious, domains:
hxxp://cejzesu.com
hxxp://hqyibul.wuwykym.net

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: c92a9961e6096eb7af3a34e9e48114f1
MD5: 25789eec9e0d4b5cdf184bf41460808e
MD5: 1a72e482e6ec352ae4c9206b92776f01
MD5: e22a0fd64e5b6193be655cc29ed19755
MD5: fe8a027fd45ec9621b34a20bc907fb2c

Once, executed, a, sample, malware (MD5: c92a9961e6096eb7af3a34e9e48114f1), phones, back, to, the, following, C&C, server, IPs:
http://178.150.244.54/mod2/mentalc.exe
http://178.150.139.157/mod1/mentalc.exe

Once, executed, a, sample, malware (MD5: 25789eec9e0d4b5cdf184bf41460808e), phones, back, to, the, following, C&C, server, IPs:
http://95.180.66.40/mod2/b0ber01.exe
http://91.245.79.46/mod1/b0ber01.exe
http://178.150.139.157/mod1/b0ber01.exe

Once, executed, a, sample, malware (MD5: 1a72e482e6ec352ae4c9206b92776f01), phones, back, to, the, following, C&C, server, IPs:
http://77.123.73.34/keybex4.exe
http://178.150.139.157/keybex4.exe

Once, executed, a, sample, malware (MD5: e22a0fd64e5b6193be655cc29ed19755), phones, back, to, the, following, C&C, server, IPs:
http://176.194.18.198/mod2/ozersid.exe
http://176.110.28.238/mod1/ozersid.exe
http://46.73.67.61/mod2/ozersid.exe
http://178.150.209.116/mod2/ozersid.exe
http://178.150.139.157/mod2/ozersid.exe
http://193.32.14.186/mod1/ozersid.exe
http://46.211.9.37/mod1/ozersid.exe

Once, executed, a, sample, malware (MD5: fe8a027fd45ec9621b34a20bc907fb2c), phones, back, to, the, following, C&C, server, IPs:
http://178.150.139.157/welcome.htm
http://77.122.28.206/default.htm
http://77.122.28.206/online.htm
http://mydear.name/page_umax.php

Once, executed, a, sample, malware, (MD5: 6b31cc25e68d5d008e319c4a1c8c4098), phones, back, to, the, following, C&C, server, IPs:
hxxp://cytpaxiz.us/rasta01.exe
hxxp://60.36.47.71/file.htm
hxxp://219.204.4.3/search.htm

Once, executed, a, sample, malware, (MD5: f2392d18a266f554743b495b4e71b2be), phones, back, to, the, following, C&C, server, IPs:
hxxp://46.121.221.173/start.htm
hxxp://burhyyal.epfusgy.com/calc.exe
hxxp://178.150.138.2/install.htm

Once, executed, a, sample, malware, (MD5: 9bcaeb5b4bdd6b9e22852a98ca630914), phones, back, to, the, following, C&C, server, IPs:
hxxp://159.224.191.47/install.htm
hxxp://109.87.184.7/setup.htm

Once, executed, a, sample, malware, (MD5: 4fd260e17ca40a31a7baace9af1b7db9), phones, back, to, the, following, C&C, server, IPs:
hxxp://178.158.237.37/welcome.htm
hxxp://178.165.13.17/home.htm

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (74.113.233.48):
MD5: a3470a214ec34f7a0b9330e44af80714
MD5: 31593f94936e63152d35ca682fb9ef0b
MD5: eb003b7665b34f6ed3a7944e4254ad2d
MD5: ed1c465beca9596a9031580d1093cb13
MD5: cace61ddd8f8e30cf1f52f9ad6c66578

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://home.mywebsearch.com - 74.113.233.48
hxxp://akd.search.mywebsearch.com - 5.178.43.17
hxxp://ak.imgfarm.com - 90.84.60.81
hxxp://anx.mywebsearch.com - 74.113.233.187

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 11ddcf7bd806c9ef24cc84a440629e68
MD5: 8c1e63b34c678b48c63ba369239d5718
MD5: 10b4c54646567dcee605f5c36bfa8f17
MD5: 70dbce98f1d62c03317797a1dd3da151
MD5: ee00f47a51e91a1f70a5c7a0086b7220

Once, executed, a, sample, malware (MD5: 11ddcf7bd806c9ef24cc84a440629e68), phones, back, to, the, following, malicious, C&C, server, IPs:
http://78.62.197.14/online.htm
http://89.46.92.232/welcome.htm
http://89.46.92.232/login.htm

Once, executed, a, sample, malware (MD5: 8c1e63b34c678b48c63ba369239d5718), phones, back, to, the, following, malicious, C&C, server, IPs:
http://109.251.217.207/home.htm
http://109.251.217.207/login.htm

Once, executed, a, sample, malware, (MD5: 10b4c54646567dcee605f5c36bfa8f17), phones, back, to, the, following, malicious, C&C, server, IPs:
http://91.221.219.12/setup.htm

Once, executed, a, sample, malware, (MD5: 70dbce98f1d62c03317797a1dd3da151), phones, back, to, the, following, malicious, C&C, server, IPs:
http://89.229.4.22/install.htm
http://89.229.4.22/default.htm

Once, executed, a, sample, malware (MD5: ee00f47a51e91a1f70a5c7a0086b7220), phones, back, to, the, following, malicious, C&C, server, IPs:
http://89.229.4.22/install.htm
http://89.229.4.22/default.htm

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Saturday, December 24, 2016

Historical OSINT - Google Docs Hosted Rogue Chrome Extension Serving Campaign Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, while, earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, malware-infected, hosts, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affecting, Google Docs, while, successfully, enticing, socially, engineered, users, into, clicking, on, bogus, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, successfully, exposing, socially, engineered, users, to, a, rogue, Chrome Extension.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.

Sample, URL, redirection, chain:
https://1364757661090.docs.google.com/presentation/d/1w5eh2rh6i0pbuVjb4_MzBNPEovRw3f6qiho7AshTcHI/htmlpresent?videoid=1364757661199 -> http://www.worldvideos.us/chrome.php -> https://chrome.google.com/webstore/detail/high-solution/jokhejlfefegeolonbckggpfggipmmim

Related, malicious, domain, reconnaissance:
hxxp://worldvideos.us - 89.19.10.194
ns1.facebookhizmetlerim.com
ns2.facebookhizmetlerim.com

Responding to 89.19.10.194 are also the following fraudulent domains part of the campaign's infrastructure:
hxxp://e-sosyal.biz
hxxp://facebookhizmetlerim.com
hxxp://facebookmedya.biz
hxxp://facebooook.biz
hxxp://fbmedyahizmetleri.com
hxxp://sansurmedya.com
hxxp://sosyalpaket.com
hxxp://worldmedya.net
hxxp://youtubem.biz

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (208.73.211.70):
hxxp://396p4rassd2.youlovesosoplne.net
hxxp://5q14.zapd.co
hxxp://airmats.com
hxxp://amciksikis.com
hxxp://anaranjadaverzochte.associate-physicians.org
hxxp://autorepairmanual.org
hxxp://blackoutblinds.com
hxxp://blog.jmarkafghans.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (208.73.211.70):
MD5: 584a779ae8cdea13611ff45ebab517ae
MD5: cea89679058fe5a5288cfacc1a64e431
MD5: 62eee7a0bed6e958e72c0edf9da17196
MD5: 160793c37a5aa29ac4c88ba88d1d7cc2
MD5: 46079bbcfcd792dfcd1e906e1a97c3a6

Once, executed, a, sample, malware (MD5: 584a779ae8cdea13611ff45ebab517ae), phones, back, to, the, following, C&C, server, IPs:
hxxp://zhutizhijia.com - 208.73.211.70

Once, executed, a, sample, malware (MD5: cea89679058fe5a5288cfacc1a64e431), phones, back, to, the, following, C&C, server, IPs:
hxxp://aieov.com - 208.73.211.70

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (141.8.224.239):
hxxp://happysocks.7live7.org
hxxp://hiepdam.org
hxxp://hyper-path.com
hxxp://interfacelife.com
hxxp://iowa.findanycycle.com
hxxp://massachusetts.findanyboat.com
hxxp://diptnyc.com

Related, maliciuos, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (141.8.224.239):
MD5: ddf27e034e38d7d35b71b7dc5668ffce
MD5: 6ba6451a9c185d1d07323586736e770e
MD5: 854ea0da9b4ad72aba6430ffa6cc1532
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: bf78b0fcfc8f1a380225ceca294c47d8

Once, executed, a, sample, malware (MD5:ddf27e034e38d7d35b71b7dc5668ffce), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://srv.desk-top-app.info - 141.8.224.239

Once, executed, a, sample, malware (MD5:6ba6451a9c185d1d07323586736e770e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://premiumstorage.info - 141.8.224.239

Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49
hxxp://wentstate.net - 141.8.224.93
hxxp://musicnews.net - 176.74.176.187
hxxp://spendstate.net

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (89.19.10.194):
hxxp://liderbayim.com
hxxp://blacksport.org
hxxp://liderbayim.com
hxxp://2sosyal-panelim.com
hxxp://sosyal-panelim.com
hxxp://darknessbayim.com
hxxp://hebobayi.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - FTLog Worm Spreading Across Fotolog

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, while, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multu-tude, of, malicious, software, while, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, the, malware-infected, hosts, further, spreading, malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, on, a, set, of, tactics, techniques, and, procedures, successfully, monetizing, access, to, the, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a currently, circulating, malicious, spam, campaign, targeting, the, popular, social, network, Web, site, Fotolog, successfully, enticing, socially, engineered, users, into, interacting, with, malicious, links, while, monetizing, access, to, the, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.


Sample, URL, redirection, chain:
hxxp://bit.ly/cBTsWo
        - hxxp://zwap.to/001mk
            - hxxp://www.cepsaltda.cl/uc/red.php?u=1 - 216.155.72.44
                - hxxp://supatds.cn/go.php?sid=1 - 92.241.164.1
                    - hxxp://www.cepsaltda.cl/uc/rcodec.php
                        - hxxp://cepsaltda.cl/uc/codec/divxcodec.exe

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: c6dbc58e0db3c597c4ab562ad9710a38

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Massive Black Hat SEO Campaing Serving Scareware Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, acquiring, and, hijacking, traffic, for, the, purpose, of, converting, it, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, a, set, of, tactics, techniques, and, procedures, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, an, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, black, hat, SEO (search engine optimization), campaign, serving, fake, security, software, also, known, as, scareware, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, portfolio, of, compromised, Web, sites:
hxxp://yushikai.co.uk
hxxp://www.heart-2-heart.nl
hxxp://www.stichtingkhw.nl
hxxp://burgessandsons.com
hxxp://marsmellow.info
hxxp://broolz.co.uk
hxxp://bodyscope.co.uk
hxxp://janschnoor.de
hxxp://goodluckflowers.com
hxxp://www.frank-carillo.com
hxxp://www.strijkvrij.com
hxxp://www.fotosiast.nl
hxxp://www.senbeauty.nl
hxxp://www.menno.info
hxxp://www.kul.fm

Sample, URL, redirection, chain:
hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181 -> hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48 - Email: Kathryn.D.Jennings@gmail.com

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://myatmoe.iblogger.org
hxxp://creditreport.iblogger.org
hxxp://movieddlheaven.iblogger.org
hxxp://cv-bruno-brocas.iblogger.org
hxxp://islife.iblogger.org
hxxp://iblogger.iblogger.org
hxxp://dressshirt.iblogger.org
hxxp://allians.iblogger.org
hxxp://rapid-weight-loss.iblogger.org
hxxp://breastaugm.iblogger.org
hxxp://uila.iblogger.org
hxxp://oh-tv.iblogger.org
hxxp://brudnopis.iblogger.org
hxxp://learnenglish.iblogger.org
hxxp://motivatedcats.iblogger.org
hxxp://robert.iblogger.org
hxxp://testforask.iblogger.org
hxxp://poormanguides.iblogger.org
hxxp://gelbegabeln.iblogger.org
hxxp://nuagerouge.iblogger.org
hxxp://chicos-on-line.iblogger.org
hxxp://hypnosisworld.iblogger.org
hxxp://tennis.iblogger.org
hxxp://ibu.iblogger.org
hxxp://turkifsa.iblogger.org
hxxp://amandacooper.iblogger.org
hxxp://tw.iblogger.org
hxxp://whedon.iblogger.org
hxxp://han.iblogger.org
hxxp://scclab.iblogger.org
hxxp://besftfoodblogger.iblogger.org
hxxp://premiummenderacunt.iblogger.org
hxxp://seobook.iblogger.org
hxxp://bestjackets.iblogger.org
hxxp://kidszone.iblogger.org
hxxp://liker2fb.iblogger.org
hxxp://vipin.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://palermo.iblogger.org
hxxp://forum.bay.de.iblogger.org
hxxp://online-guard.iblogger.org
hxxp://juhjsd.iblogger.org
hxxp://asulli.iblogger.org
hxxp://youtubetranscription.iblogger.org
hxxp://praza.iblogger.org
hxxp://free-worlds.iblogger.org
hxxp://mlm.iblogger.org
hxxp://myleskadusale.iblogger.org
hxxp://ninjapearls.iblogger.org
hxxp://bassian.iblogger.org
hxxp://d3-f21-w-14.iblogger.org
hxxp://mlk.iblogger.org
hxxp://pe.iblogger.org
hxxp://connor54321.iblogger.org
hxxp://smx.iblogger.org
hxxp://17fire.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://generalsurgery.iblogger.org
hxxp://megafon.iblogger.org
hxxp://dasefx.iblogger.org
hxxp://ysofii.iblogger.org
hxxp://priv8.iblogger.org
hxxp://kahramanmaras.iblogger.org
hxxp://kaoojcjl.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://dla-kobiet.iblogger.org
hxxp://karinahart.iblogger.org
hxxp://mariucciaelasuaombra.iblogger.org
hxxp://signinbay.de.iblogger.org
hxxp://pitstop.iblogger.org
hxxp://colorless.iblogger.org
hxxp://directorio.iblogger.org
hxxp://odenaviva.iblogger.org
hxxp://e-money.iblogger.org
hxxp://digicron.iblogger.org
hxxp://slotomania-hackers.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://bestoksriy.iblogger.org
hxxp://teamsite.iblogger.org
hxxp://mateaplicada.iblogger.org
hxxp://tmgames.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://priv8.iblogger.org
hxxp://sharepointdotnetwiki.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://seobook.iblogger.org
hxxp://jawwal.iblogger.org
hxxp://tomsplace.iblogger.org
hxxp://shreyo.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://beitypedia.iblogger.org
hxxp://dutcheastindies.iblogger.org
hxxp://cramat-satu.iblogger.org
hxxp://misc.iblogger.org
hxxp://espirito-de-aventura.iblogger.org
hxxp://tomksoft.iblogger.org
hxxp://mymovies.iblogger.org

Known, to, have, responded, to, the, same, malicious, IP (199.59.243.120) are, also, the, following, malicious, domains:
hxxp://brendsrnzwrn.cuccfree.com
hxxp://caraccidentlawyer19.us
hxxp://colombiavirtualtours.com
hxxp://dailydigest.cn
hxxp://drugaddiction569.us
hxxp://earnonline.cn
hxxp://epicor.in
hxxp://glhgk.com
hxxp://iroopay.com
hxxp://kajianislam.us

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (199.59.243.120):
MD5: c7bd669a416a8347aeba6117d0040217
MD5: ae89e09f52db7f9d69b9b9c40dbf35f9
MD5: b4399fc8f1de723d452b05ec474ca651
MD5: c779d9f4e9992ad5ffcd2353bb003a51
MD5: cc6efabb0a26c729f126b12be717de47

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://theworldnews.byethost5.com - 199.59.243.120

Known, to, have, responded, to, the, same, malicious IP (205.164.14.79), are, also, the, following, malicious, domains:
hxxp://fsdq.cn
hxxp://parked-domain.org
hxxp://fiverr.hk.tn
hxxp://hamzanori90.name-iq.com
hxxp://postgumtree.uk.tn
hxxp://caoliushequ.info
hxxp://housewives.byethost4.com
hxxp://nuichate.22web.org
hxxp://3rtz.byethost12.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (205.164.14.79):
MD5: dbca66955cac79008f9f1cd415d7e308
MD5: b452ca519f077307d68ff034567087c1
MD5: 70e8c79135b341eac51da0b5789744d3
MD5: a9f64c1404faf4a6fc81564c8dec22d9
MD5: b3737a1c34cb705f7d244c99afdc3a01

Once, executed, a, sample, malware (MD5:dbca66955cac79008f9f1cd415d7e308), phones, back, to, the, following, C&C, server, IPs:
hxxp://ibayme.eb2a.com - 205.164.14.79

Known, to, have, responded, to, the, same, malicious, IPs (199.59.241.181), are, also, the, following, malicious, domains:
hxxp://yn919.com
hxxp://wimp.it
hxxp://puqiji.com
hxxp://52style.com
hxxp://007guard.com
hxxp://10iski.10001mb.com
hxxp://11649.bodisparking.com
hxxp://13.get.themediafinder.com
hxxp://134205.aceboard.fr

Sample, detection, rate, for, a, malicious, executable:
MD5: f74a744d75c74ed997911d0e0b7e6f67

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://mycommercialssecuritytool.com/in.php?affid=34100

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://protectyoursystemnowonline.com
hxxp://createyoursecurityonline.com
hxxp://commercialssecuritytools.com
hxxp://freecreateyoursecurity.com

Sample, URL, redirection, chain:
hxxp://ulions.com/yxg.php?p= - 104.28.22.34
    - hxxp://ppbmv4.xorg.pl/in.php?t=cc&d=04-02-2010_span&h=
        - hxxp://www1.nat67go4it.net/?uid=195&pid=3&ttl=5184c614d4b - 89.248.160.161
            - hxxp://www1.systemsecure.in/?p=

Know, to, have, responded, to, same, malicious, C&C, server, IP (104.28.22.34), are, also, the, following, malicious, domains:
hxxp://portlandultimate.com
hxxp://portablemineapplicationsub.tech
hxxp://indirimkuponlarimiz.com
hxxp://walkinclosetguys.com
hxxp://bryantanaka.com
hxxp://swisschecklist.com
hxxp://census.mnfurs.org
hxxp://duluthbeth.xyz

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (104.28.22.34):
MD5: 11dda0bbd2aef7944f990fcefbc91034
MD5: d0be24df3078866a277874dad09c98d9
MD5: 9ba06da9370037fd2ffe525d6164b367
MD5: 537bd45df702f90585eebab2a8bb3584
MD5: a9f61e9696ff7ff4bfc34f70549ffdd0

Once, executed, a, sample, malware (MD5:11dda0bbd2aef7944f990fcefbc91034), phones, back, to, the, following, C&C, server, IPs:
hxxp://audio-direkt.net
hxxp://servico-ind.com
hxxp://saios.net
hxxp://coopsupermarkt.nl
hxxp://fruitspot.co.za
hxxp://vitalur.by
hxxp://trinity-works.com

Once, executed, a, sample, malware (MD5:d0be24df3078866a277874dad09c98d9), phones, back, to, the, following, C&C, server, IPs:
hxxp://3asfh.net - 104.28.22.34

Once, executed, a, sample, malware, (MD5:a9f61e9696ff7ff4bfc34f70549ffdd0), phones, back, to the, following, malicious, C&C, server, IPs:
hxxp://link-list-uk.com
hxxp://racknstackwarehouse.com.au
hxxp://zeronet.co.jp
hxxp://sun-ele.co.jp
hxxp://slcago.org
hxxp://frederickallergy.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.