Sunday, December 25, 2016

Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, newly, added, socially, engineered, users, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, a, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, utilizing, blackhat, seo (search engine optmization), for, traffic, acquisition, tactics, techniques, and procedures, potentially, exposing, hundreds, of, thousands, of, socially, engineered, users, to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, scareware, with, the, cybercriminals, behind, the, campaign, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, traffic, largely, relying, on, the, utilization, of, an, affiliate-network, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://blank_fax_forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 216.172.154.34; 205.164.24.44; 205.164.24.45 ->

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://aizvfnnd.cc - Email: janice@whiteplainsrealty.com
hxxp://blnrriwbd.cc - Email: janice@whiteplainsrealty.com
hxxp://crrhxzp.cc - Email: janice@whiteplainsrealty.com
hxxp://ihmedkgi.cc - Email: janice@whiteplainsrealty.com
hxxp://izdzhpdn.cc - Email: janice@whiteplainsrealty.com
hxxp://krnflff.cc - Email: janice@whiteplainsrealty.com
hxxp://lgixuql.cc - Email: janice@whiteplainsrealty.com
hxxp://lsxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://mkzjuoz.cc - Email: janice@whiteplainsrealty.com
hxxp://mobqmizg.cc - Email: janice@whiteplainsrealty.com
hxxp://mqapagelq.cc - Email: janice@whiteplainsrealty.com
hxxp://mrvgusfdu.cc - Email: janice@whiteplainsrealty.com
hxxp://nurzcycxm.cc - Email: janice@whiteplainsrealty.com
hxxp://orhhcunye.cc - Email: janice@whiteplainsrealty.com
hxxp://pdbpczh.cc - Email: janice@whiteplainsrealty.com
hxxp://pkuidxdy.cc - Email: janice@whiteplainsrealty.com
hxxp://qicpfwrx.cc - Email: janice@whiteplainsrealty.com
hxxp://ruhilmec.cc - Email: janice@whiteplainsrealty.com
hxxp://sxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://tcygfdmc.cc - Email: janice@whiteplainsrealty.com
hxxp://tlhaxfr.cc - Email: janice@whiteplainsrealty.com
hxxp://vcjggcbgj.cc - Email: janice@whiteplainsrealty.com
hxxp://xlnojaz.cc - Email: janice@whiteplainsrealty.com
hxxp://zdqvzdj.cc - Email: janice@whiteplainsrealty.com

Sample, malicious, redirector, used, in, the, campaign:
hxxp://bostofsten1.net

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (216.172.154.34):
MD5: ad04fd31e9868b073222b3fd2aac93f7
MD5: 103ecb766e0deb06ccbcea0a8046b4cb
MD5: eb0fab963cd37660956a7ab0c66715c2
MD5: 00da0096bd91e89e4059c428259a6cbb
MD5: 9b7f0e0ebf1656227de9f8f97dfd9141

Once, executed, a, sample, malicious, executable, (MD5:ad04fd31e9868b073222b3fd2aac93f7) phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://down.down988.cn - 65.19.157.228

Once, executed, a, sample, malicious, executable, (MD5:00da0096bd91e89e4059c428259a6cbb) phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cutalot.cn - 205.164.24.43

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (205.164.24.44):
hxxp://cycling20110829.usa.1204.net
hxxp://pepsizone.cn
hxxp://ysbr.cn
hxxp://interactsession-697593.regions.com.usersetup.cn
hxxp://ad.suoie.cn
hxxp://ycgezkpu.cn

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: cf7a53e66e397c29ea203e025c5d6465
MD5: 089886483353f93a36dd69f0776beace
MD5: 528ac8f94123aaa32058f0114b8e1fd2
MD5: 4e8405bb398509f17242c0b9f614d6e4
MD5: a364d4fe887e2e40bc1ec67ad6f9aa31

Once, executed, a, sample, malware (MD5:cf7a53e66e397c29ea203e025c5d6465), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://blenderartists.org - 141.101.125.180
hxxp://xibudific.cn - 50.117.122.92
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://hardwareindexx.com
hxxp://hardwareindexx.com.ovh.net

Once, executed, a, sample, malware (MD5:089886483353f93a36dd69f0776beace), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freeonlinedatingtips.net - 204.197.252.70
hxxp://xibudific.cn - 216.172.154.38
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://searchfeedbook.com
hxxp://searchfeedbook.com.ovh.net

Once, executed, a, sample, malware (MD5:528ac8f94123aaa32058f0114b8e1fd2), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://historykillerpro.com - 192.254.233.158
hxxp://motherboardstest.com - 195.22.26.252
hxxp://dolbyaudiodevice.com
hxxp://dolbyaudiodevice.com.ovh.net
hxxp://xibudific.cn - 50.117.116.204

Once, executed, a, sample, malware (MD5:4e8405bb398509f17242c0b9f614d6e4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pcskynet.cn
hxxp://gamepknet.cn
hxxp://pcskynet.cn.ovh.net
hxxp://gamepknet.cn.ovh.net
hxxp://yes16800.cn
hxxp://yes16800.cn.ovh.net

Once, executed, a, sample, malware (MD5:a364d4fe887e2e40bc1ec67ad6f9aa31), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://136136.com - 61.129.70.87
hxxp://xibudific.cn - 50.117.122.92
hxxp://hothintspotonline.com
hxxp://hothintspotonline.com.ovh.net
hxxp://hardwareindexx.com

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (205.164.24.45):
hxxp://17mv.com
hxxp://criding.com
hxxp://criding.com
hxxp://17mv.com
hxxp://baudu.com
hxxp://pwgo.cn
hxxp://suqiwyk.cn
hxxp://verringo.cn

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
MD5: 9905ba7c00761a792ad8a361b4de71ea
MD5: b83c68f7d09530181908d513eb30a002
MD5: 78941c2c4b05f8af9a31a9f3d4c94b57
MD5: 7a1b6153a3f00c430b09f1c7b9cf7a77
MD5: 2776c972fa934fd080f5189be7c98a77

Once, executed, a, sample, malware, phones, back, to, the, following, maliciuos, C&C, server, IPs:
hxxp://down.down988.cn - 50.117.122.91

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://imagehut4.cn - 50.117.122.91

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yingzi.org.cn - 50.117.116.205

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://qmmmm.com.cn - 50.117.122.94

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://down.down988.cn - 50.117.122.94

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Hundreds of Malicious Web Sites Serve Client-Side Exploits, Lead to Rogue YouTube Video Players

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, a, botnet's, infected, population, further, spreading, malicious, software, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, potentially, exposing, the, affected, user, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, access, to, the, malware-infected, hosts, largely, relying, on, the, use, of, affiliate-network, based, type, of, fraudulent, revenue, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, users, into, clicking, on, bogus, and, rogue, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, ultimately, attempting, to, socially, engineer, users, into, interacting, with, rogue, YouTube, Video, Players, ultimately, dropping, fake, security, software, also, known, as, scareware, on, the, affected, hosts, with, the, cybercriminals, behind, the, campaign, actively, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, URL, redirection, chain:
hxxp://acquaintive.in/x.html - 208.87.35.103
    - hxxp://xxxvideo-hlyl.cz.cc/video7/?afid=24 - 63.223.117.10
            - hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: enquepuedo.senior@gmail.com
                - hxxp://binarymode.in/topic/exe.php?x=jjar
                    - hxxp://binarymode.in/topic/?showtopic=ecard&bid=151&e=post&done=image

Related, malicious, MD5s, known, to, have, responded, to, the, same, C&C, server, IPs (208.87.35.103):
MD5: a12c055f201841f4640084a70b34c0c4
MD5: b4d435f15d094289839eac6228088baf
MD5: 2782220da587427b981f07dc3e3e0d96
MD5: 1151cd39495c295975b8c85bd4b385e5
MD5: 2539d5d836f058afbbf03cb24e41970c

Once, executed, a, sample, malware (MD5: a12c055f201841f4640084a70b34c0c4), phones, back, to, the, following, C&C, server, IPs:
hxxp://926garage.com - 185.28.193.192
hxxp://quistsolutions.eu - 188.165.239.53
hxxp://rehabilitacion-de-drogas.org - 188.240.1.110
hxxp://bcbrownmusic.com - 69.89.21.66
hxxp://andzi0l.5v.pl - 46.41.150.7
hxxp://alsaei.com - 192.186.194.133

Once, executed, a, sample, malware (MD5: 2782220da587427b981f07dc3e3e0d96), phones, back, to, the, following, C&C, server, IPs:
hxxp://lafyeri.com
hxxp://kulppasur.com - 209.222.14.3
hxxp://toalladepapel.com.ar - 184.168.57.1
hxxp://www.ecole-saint-simon.net - 208.87.35.103

Once, executed, a, sample, malware (MD5: 2539d5d836f058afbbf03cb24e41970c), phones, back, to, the, following, C&C, server, IPs:
hxxp://realquickmedia.com (208.87.35.103)

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (109.74.195.149):
hxxp://trustidsoftware.com
hxxp://tc28q8cxl2a5ljwa60skl87w6.cdx1cdx1cdx1.in
hxxp://golubu6ka.com
hxxp://cdx2cdx2cdx2.in
hxxp://redmewire.com
hxxp://5zw3t6jq8fiv9jtdqg23.cdx2cdx2cdx2.in
hxxp://es3iz6lb0pet3ix6la0p.cdx2cdx2cdx2.in
hxxp://qsd79bd0j8f7c90e057a.cdx1cdx1cdx1.in
hxxp://w8ncqpet2hx5kf9mbr1a.cdx1cdx1cdx1.in
hxxp://skygaran4ik.com
hxxp://5xj7wk9amqcpse2ug4ve.cdx1cdx1cdx1.in
hxxp://readrelay.com
hxxp://bk5sbm7xgo6vk0e6b3xc.cdx1cdx1cdx1.in
hxxp://d51f1qam8wi15wpxmtjq.cdx2cdx2cdx2.in
hxxp://wxvtsr98642pomligfed.cdx2cdx2cdx2.in
hxxp://zonkjhgebawzvsq09753.cdx1cdx1cdx1.in
hxxp://nightphantom.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (109.74.195.149):
MD5: a6c06a59da36ee1ae96ffaff37d12f28
MD5: 2d1bb6ca54f4c093282ea30e2096af0f
MD5: adf037ecbd4e7af573ddeb7794b61c40
MD5: ce7d4a493fc4b3c912703f084d0d61e1
MD5: c36941693eeef3fa54ca486044c6085a

Once, executed, a, sample, malware (MD5:a6c06a59da36ee1ae96ffaff37d12f28), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 109.74.195.149
hxxp://zeplost.com - 109.74.195.149

Once, executed, a, sample, malware (MD5:2d1bb6ca54f4c093282ea30e2096af0f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://qweplost.com - 109.74.195.149

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (96.126.106.156):
hxxp://checkwebspeed.net
hxxp://gercourses.com
hxxp://replost.com
hxxp://boltoflexaria.in
hxxp://levartnetcom.net
hxxp://boltoflex.in
hxxp://borderspot.net
hxxp://diathbsp.in
hxxp://ganzagroup.in
hxxp://httpsstarss.in
hxxp://missingsync.net
hxxp://qqplot.com
hxxp://evelice.in
hxxp://gotheapples.com
hxxp://surfacechicago.net
hxxp://zeplost.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0183a687365cc3eb97bb5c2710952f95
MD5: f1e3030a83fa2f14f271612a4de914cb
MD5: 97269450de58ef5fb8d449008e550bf0
MD5: c83962659f6773b729aa222bd5b03f2f
MD5: e0aa08d4d98c3430204c1bb6f4c980e1

Once, executed, a, sample, malware (MD5:0183a687365cc3eb97bb5c2710952f95), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 96.126.106.156

Once, executed, a, sample, malware (MD5:f1e3030a83fa2f14f271612a4de914cb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://gercourses.com/borders.php

Once, executed, a, sample, malware (MD5:97269450de58ef5fb8d449008e550bf0), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://checkwebspeed.net - 96.126.106.156

Once, executed, a, sample, malware (MD5:c83962659f6773b729aa222bd5b03f2f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://checkwebspeed.net - 96.126.106.156

Once, executed, a, sample, malware (MD5:e0aa08d4d98c3430204c1bb6f4c980e1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://replost.com - 96.126.106.156

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Koobface Gang Utilizes, Google Groups, Serves, Scareware and Malicious Software

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, populating, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affecting, Google Groups, potentially, exposing, users, to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, scareware, further, enticing, users, into, interacting, with, the, bogus, links, potentially, exposing, their, devices, to, a, multi-tude, of, malicious, software.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, between, the, campaign, and, the, Koobface, gang.

Related, malicious, rogue, content, URLs, known, to, have, participated, in, the, campaign:
- anisimivachev17 - 1125 messages
- ilariongrishelev24 - 1099 messages
- yuvenaliyarzhannikov15 - 1108 messages
- burniemetheny52 - 1035 messages
- mengrug - 1090 messages
- silabobrov27 - 1116 messages

Related, malicious, URls, known, to, have, participated, in, the, campaign:
hxxp://wut.im/343535
hxxp://tpal.us/wedding2
hxxp://shrtb.us/New_year_video
hxxp://snipurl.com/tx2r6
hxxp://www.tcp3.com/helga-4315
hxxp://budurl.com/egph
hxxp://flipto.com/jokes/
hxxp://rejoicetv.info/newyear
hxxp://fauz.me/?livetv
hxxp://go2.vg/funnykids
hxxp://usav.us/anecdotes
hxxp://vaime.org/joke
hxxp://theflooracle.com/mistakes
hxxp://dashurl.com/video-jokes
hxxp://www.shortme.info/smileykids/
hxxp://starturl.com/clip32112
hxxp://starturl.com/rebeca
hxxp://starturl.com/video2231
hxxp://starturl.com/funclip
hxxp://starturl.com/sexchat
hxxp://snipurl.com/tx2r6
hxxp://www.41z.com/animals
hxxp://www.rehttp.com/?smileykids
hxxp://starturl.com/adamaura
hxxp://mytinyurls.com/wfj
hxxp://budurl.com/egph

Sample, detection, rate, for, a, malicious, executable:
MD5: 1e0d06095a32645c3f57f1b4dcbcfe5c

Sample, malicious, URL, involved, in, the, campaign:
hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - Bobby.J.Hyatt@gmail.com

Parked there are also:
hxxp://networkstabilityinc .com - Email: juliacanderson@pookmail.com; marcusmhuffaker@mailinator.com; justinpnelson@dodgit.com
hxxp://indiansoftwareworld .com - Email: thelmamhandley@trashymail.com; leanngscofield@gmail.com; ernestygresham@trashymail.com
hxxp://antyvirusdevice .com - Email: latonyawmiller@pookmail.com; royawiley@pookmail.com; gracegoshea@pookmail.com; latonyawmiller@pookmail.com
hxxp://digitalprotectionservice .com - Email: clarencepfetter@trashymail.com; jamesdrobinson@pookmail.com; jamesdrobinson@pookmail.com; clarencepfetter@trashymail .com
hxxp://bestantyvirusservice .com - Email: kathrynrsmith@gmail.com; richardbhughey@gmail.com; joshuamwest@trashymail.com; kathrynrsmith@gmail.com
hxxp://antivirussoftrock .com - Email: michaelaturner@trashymail.com; gracemparker@trashymail.com; cliffordsfernandez@pookmail.com; michaelaturner@trashymail.com
hxxp://antywiramericasell .com - Email: Shannon.J.Ferguson@gmail.com
hxxp://antydetectivewaemergencyroom .com - Email: brettdpetro@gmail.com; valeriejweaver@dodgit.com; williekharris@mailinator.com; brettdpetro@gmail.com
hxxp://freeinternetvacation .com - Email: edwardmyoung@trashymail.com; aileenasaylor@gmail.com; williamjoverby@trashymail.com; edwardmyoung@trashymail.com
hxxp://aolbillinghq .com - Email: haroldamccarthy@trashymail.com; teodoromkeller@trashymail.com; joanswhite@dodgit.com; haroldamccarthy@trashymail.com
hxxp://scanserviceprovider .com - Email: rogerdmurphy@gmail.com; charlescvalentino@mailinator.com; eliarmcdonald@trashymail.com; rogerdmurphy@gmail.com
hxxp://securitytoolsquotes .com - Email: thurmanepidgeon@dodgit.com; jessicapgrady@dodgit.com; jamesmcummings@trashymail.com; thurmanepidgeon@dodgit.com
hxxp://electionprogress .com - Email: clarenceafloyd@pookmail.com; junerwurth@pookmail.com; edjbaxter@gmail.com; clarenceafloyd@pookmail.com
hxxp://myantywiruslist .com - Email: Nathan.S.Dennis@gmail.com
hxxp://antyspywarelistnow .com - Email: James.M.Miller@gmail.com
hxxp://securitylabtoday .com - Email: Marc.N.Torres@gmail.com
hxxp://yournecessary .com - Email: debrahbettis@gmail.com; myracbryant@dodgit.com; marycwilliams@dodgit.com; debrahbettis@gmail.com
hxxp://securityutilitysite .net - Email: michellemwelch@mailinator.com; charlesdfrazier@trashymail.com; rosaliejhumphrey@pookmail.com; michellemwelch@mailinator.com
hxxp://securitytoolsshop .net - Email: sarajgunter@gmail.com; kerstinrbray@gmail.com; keithrdejesus@mailinator.com; sarajgunter@gmail.com
hxxp://securitytooledit .net - Email: byronlross@pookmail.com; jamesslewis@mailinator.com; leighschancey@trashymail.com; byronlross@pookmail.com
hxxp://portsecurityutility .net - Email: marquettacpettit@trashymail.com; melindakbolin@pookmail.com; rhondaehipp@mailinator.com; marquettacpettit@trashymail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 4a3e8b6b7f42df0f26e22faafaa0327f
MD5: 64a111acdc77762f261b9f4202e98d29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsekuritylist.com/in.php?affid=92600
hxxp://newsekuritylist.com/in.php?affid=92600

Sample, URL, redirection, chain:
hxxp://rejoicetv.info/newyear
    - hxxp://91.207.4.19/tds/go.php?sid=3
        - hxxp://liveeditionpc.net?uid=297&pid=3&ttl=11845621a62 - 95.169.187.216 - korn989.net; liveeditionpc.net; createpc-pcscan-korn.net
            - hxxp://www1.hotcleanofyour-pc.net/p=== - 98.142.243.174 - live-guard-forpc.net is also parked there:

Sample, detection, rate, for, a, malicious, executable:
MD5: 4912961c36306d156e4e2b335c51151b

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://update2.pcliveguard.com/index.php?controller=hash - 124.217.251.99
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://securityearth.cn/Reports/MicroinstallServiceReport.php - 210.56.53.125

Sample, URL, redirection, chain:
hxxp://garlandvenit.150m.com
    - hxxp://online-style2.com
        - hxxp://scanner-malware15.com/scn3/?engine=
            - hxxp://scanner-malware15.com/download.php?id=328s3

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://eclipserisa.150m.com
hxxp://adamaura.150m.com
hxxp://hugodinah.150m.com
hxxp://roycesylvia.150m.com
hxxp://lindaagora.150m.com
hxxp://sharolynpam.150m.com
hxxp://letarebeca.150m.com
hxxp://letarebeca.150m.com

Sample, URL, redirection, chain:
hxxp://egoldenglove.com/Images/bin/movie/
    - hxxp://egoldenglove.com/Images/bin/movie/Flash_Update_1260873156.exe

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://2-weather.com/?pid=328s03&sid=3593b2&d=3&name=Loading%20video - 66.197.160.104 -mail@tatrum-verde.com
hxxp://scanner-spya8.com/scn3/?engine= - info@gainweight.com -

Sample, detection, rate, for, a, malicious, executable:
MD5: bfaba92c3c0eaec61679f03ff0eb0911

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://91.212.226.185/download/winlogo.bmp (windowsaltserver.com)

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum-verde.com
hxxp://2-weather.com - 193.104.22.202 - - Email: mail@tatrum-verde.com - currently embedded on Koobface-infected hosts pushing scareware

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com
hxxp://scanner-malware15.com - Email: info@natural-health.org

Related, malicious, IPs, known, to, have, participated, in, the, campaign:
hxxp://68.168.212.142
hxxp://91.212.226.97
hxxp://66.197.160.105

Parked on 68.168.212.142:
hxxp://antispywareguide20 .com - Email: contacts@vertigo.us
hxxp://antispywareguide22 .com - Email: contacts@vertigo.us
hxxp://antispywareguide23 .com - Email: contacts@vertigo.us
hxxp://antispywareguide25 .com - Email: contacts@vertigo.us
hxxp://antispywareguide27 .com - Email: contacts@vertigo.us
hxxp://antispywaretools10 .com - Email: contacts@vertigo.us
hxxp://antispywaretools11 .com - Email: contacts@vertigo.us
hxxp://antispywaretools12 .com - Email: contacts@vertigo.us
hxxp://antispywaretools17 .com - Email: contacts@vertigo.us
hxxp://antispywaretools18 .com - Email: contacts@vertigo.us
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://birthday-gifts2 .com - Email: TheodoreWTurner@live.com
hxxp://christmasdecoration2 .com - Email: contact@trythreewish.us
hxxp://computerscanm0 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm2 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm4 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm6 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm8 .com - Email: JamesNTurner@yahoo.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com

hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com
hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://pc-antispyo3 .com
hxxp://pc-antispyo5 .com
hxxp://pc-antispyo6 .com
hxxp://pc-antispyo9 .com
hxxp://pc-securityv8 .com - Email: info@billBlog.com
hxxp://protect-pca1 .com
hxxp://protect-pcr1 .com
hxxp://protect-pct1 .com
hxxp://protect-pcu1 .com

hxxp://quick-antispy91 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy92 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy93 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy95 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy99 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner2 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner4 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner6 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner77 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner78 .com - Email: williams.trio@yahoo.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://safe-pc01 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc02 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc03 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc07 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc09 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc002 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc004.com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc009 .com - Email: JamesNTurner@yahoo.com
hxxp://scan-and-secure01 .com
hxxp://scan-and-secure04 .com
hxxp://scan-and-secure06 .com
hxxp://scan-and-secure07 .com
hxxp://scan-and-secure09 .com
hxxp://scan-computerab .com
hxxp://scan-computere0 .com

hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org
hxxp://securitysoftware1 .com
hxxp://securitysoftware3 .com
hxxp://securitysoftware5 .com
hxxp://securitysoftwaree .com
hxxp://securitysoftwaree7 .com
hxxp://security-softwareo1 .com
hxxp://security-softwareo5 .com
hxxp://security-softwareo7 .com
hxxp://unique-gifts2 .com - Email: contact@trythreewish.us
hxxp://unusual-gifts2 .com - Email: contact@trythreewish.us
hxxp://xmas-song .com - Email: contact@trythreewish.us

Parked on 91.212.226.97; 66.197.160.105:
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com
hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com

hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org

Parked on 66.197.160.104:
hxxp://2activities.com - Email: mail@tatrum-verde.com
hxxp://2-scenes.com - Email: mail@tatrum-verde.com
hxxp://2-weather.com - Email: mail@tatrum-verde.com
hxxp://online-fun2 .com - Email: mail@tatrum-verde.com
hxxp://online-news2.com - Email: mail@tatrum-verde.com
hxxp://online-style2 .com - Email: mail@tatrum-verde.com
hxxp://online-tv2.com - Email: mail@tatrum-verde.com
hxxp://snow-and-fun2 .com - Email: mail@tatrum-verde.com
hxxp://winterart2 .com - Email: info@territoryplace.us
hxxp://winterchristmas2 .com - Email: info@territoryplace.us
hxxp://wintercrafts2 .com - Email: info@territoryplace.us
hxxp://winterkids2 .com - Email: info@territoryplace.us
hxxp://winterphotos2 .com - Email: info@territoryplace.us
hxxp://winterpicture2 .com - Email: info@territoryplace.us
hxxp://winterscene2 .com - Email: info@territoryplace.us
hxxp://winterwallpaper2 .com - Email: info@territoryplace.us

What's particularly, interesting, about, this, particular, campaign, is, the, direct, connection, with, the, Koobface, gang, taking, into, consideration, the, fact, that, hxxp://redirector online-style2.com/?pid=312s03&sid=4db12f has, also, been, used, by, Koobface-infected hosts, and, most, importantly, the, fact, that, a, sampled, scareware, campaign from December 2009, were serving scareware parked on 193.104.22.200, where the Koobface scareware portfolio is parked, as, previously, profiled, and, analyzed.

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Related posts:
Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

Historical OSINT - Rogue MyWebFace Application Serving Adware Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, further, spreading, malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, users, into, executing, a, malicious, software, largely, relying, on, basic, visual, social, engineering, enticing, users, into, executing, a, rogue, application, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, host.


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domain, reconnaissance:
hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 66.235.119.48
hxxp://mywebface.mywebsearch.com - 74.113.233.64; 74.113.233.180

Sample, detection, rate, for, a, malicious, executable:
MD5: b32acfece8089e52fa2288cb421fa9de

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (74.113.233.48; 74.113.237.48; 66.235.119.48):
hxxp://myinfo.mywebsearch.com
hxxp://dl.mywebsearch.com
hxxp://tbedits.mywebsearch.com
hxxp://celebsauce.dl.mywebsearch.com
hxxp://bfc.mywebsearch.com
hxxp://bar.mywebsearch.com
hxxp://int.search.mywebsearch.com
hxxp://inboxace.dl.mywebsearch.com
hxxp://internetspeedtracker.dl.mywebsearch.com
hxxp://mywebface.dl.mywebsearch.com
hxxp://easypdfcombine.dl.mywebsearch.com
hxxp://onlinemapfinder.dl.mywebsearch.com
hxxp://eliteunzip.dl.mywebsearch.com
hxxp://mytransitguide.dl.mywebsearch.com
hxxp://packagetracer.dl.mywebsearch.com
hxxp://myway.mywebsearch.com
hxxp://helpint.mywebsearch.com
hxxp://zwinky.dl.mywebsearch.com
hxxp://weatherblink.dl.mywebsearch.com
hxxp://videoscavenger.dl.mywebsearch.com
hxxp://videodownloadconverter.dl.mywebsearch.com
hxxp://translationbuddy.dl.mywebsearch.com
hxxp://totalrecipesearch.dl.mywebsearch.com
hxxp://televisionfanatic.dl.mywebsearch.com
hxxp://retrogamer.dl.mywebsearch.com
hxxp://myscrapnook.dl.mywebsearch.com
hxxp://myfuncards.dl.mywebsearch.com
hxxp://gamingwonderland.dl.mywebsearch.com
hxxp://dictionaryboss.dl.mywebsearch.com
hxxp://astrology.dl.mywebsearch.com
hxxp://utmtrk2.mywebsearch.com
hxxp://utm2.mywebsearch.com
hxxp://utm.trk.mywebsearch.com
hxxp://utm.mywebsearch.com
hxxp://ak.ssl.toolbar.mywebsearch.com
hxxp://www122.mywebsearch.com
hxxp://couponalert.dl.mywebsearch.com
hxxp://help.mywebsearch.com
hxxp://srchsugg.mywebsearch.com
hxxp://utm.gr.mywebsearch.com
hxxp://utmtrk.gr.mywebsearch.com
hxxp://dp.mywebsearch.com
hxxp://download.mywebsearch.com
hxxp://www64.mywebsearch.com
hxxp://filmfanatic.mywebsearch.com
hxxp://mywebface.mywebsearch.com
hxxp://fromdoctopdf.dl.mywebsearch.com
hxxp://www173.mywebsearch.com
hxxp://www153.mywebsearch.com
hxxp://www170.mywebsearch.com
hxxp://www176.mywebsearch.com
hxxp://www155.mywebsearch.com
hxxp://www186.mywebsearch.com
hxxp://www156a.mywebsearch.com
hxxp://www187.mywebsearch.com
hxxp://www198.mywebsearch.com
hxxp://www154.mywebsearch.com
hxxp://cfg.mywebsearch.com
hxxp://mapsgalaxy.dl.mywebsearch.com
hxxp://edits.mywebsearch.com
hxxp://www.mywebsearch.com
hxxp://enable.mywebsearch.com
hxxp://live.mywebsearch.com
hxxp://config.mywebsearch.com
hxxp://anx.mywebsearch.com
hxxp://bstat.mywebsearch.com
hxxp://updates.mywebsearch.com
hxxp://home.mywebsearch.com
hxxp://search.mywebsearch.com
hxxp://stats.mywebsearch.com
hxxp://akd.search.mywebsearch.com
hxxp://ak2.home.mywebsearch.com
hxxp://ak.search.mywebsearch.com
hxxp://ak.toolbar.mywebsearch.com

Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
MD5: 83cdb402fcd68947f7519eaad515fa5a
MD5: 6b31cc25e68d5d008e319c4a1c8c4098
MD5: f2392d18a266f554743b495b4e71b2be
MD5: 9bcaeb5b4bdd6b9e22852a98ca630914
MD5: 4fd260e17ca40a31a7baace9af1b7db9

Once, executed, a, sample, malware, (MD5: 83cdb402fcd68947f7519eaad515fa5a), phones, back, to, the, following, C&C, server, IPs:
hxxp://178.150.139.157/search.htm
hxxp://sev2012.com/page_click.php - 141.8.224.239; 54.72.9.51; 91.220.131.33; 91.236.116.20
hxxp://62.122.107.119/install.htm

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (178.150.139.157), are, also, the, following, malicious, domains:
hxxp://cejzesu.com
hxxp://hqyibul.wuwykym.net

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: c92a9961e6096eb7af3a34e9e48114f1
MD5: 25789eec9e0d4b5cdf184bf41460808e
MD5: 1a72e482e6ec352ae4c9206b92776f01
MD5: e22a0fd64e5b6193be655cc29ed19755
MD5: fe8a027fd45ec9621b34a20bc907fb2c

Once, executed, a, sample, malware (MD5: c92a9961e6096eb7af3a34e9e48114f1), phones, back, to, the, following, C&C, server, IPs:
http://178.150.244.54/mod2/mentalc.exe
http://178.150.139.157/mod1/mentalc.exe

Once, executed, a, sample, malware (MD5: 25789eec9e0d4b5cdf184bf41460808e), phones, back, to, the, following, C&C, server, IPs:
http://95.180.66.40/mod2/b0ber01.exe
http://91.245.79.46/mod1/b0ber01.exe
http://178.150.139.157/mod1/b0ber01.exe

Once, executed, a, sample, malware (MD5: 1a72e482e6ec352ae4c9206b92776f01), phones, back, to, the, following, C&C, server, IPs:
http://77.123.73.34/keybex4.exe
http://178.150.139.157/keybex4.exe

Once, executed, a, sample, malware (MD5: e22a0fd64e5b6193be655cc29ed19755), phones, back, to, the, following, C&C, server, IPs:
http://176.194.18.198/mod2/ozersid.exe
http://176.110.28.238/mod1/ozersid.exe
http://46.73.67.61/mod2/ozersid.exe
http://178.150.209.116/mod2/ozersid.exe
http://178.150.139.157/mod2/ozersid.exe
http://193.32.14.186/mod1/ozersid.exe
http://46.211.9.37/mod1/ozersid.exe

Once, executed, a, sample, malware (MD5: fe8a027fd45ec9621b34a20bc907fb2c), phones, back, to, the, following, C&C, server, IPs:
http://178.150.139.157/welcome.htm
http://77.122.28.206/default.htm
http://77.122.28.206/online.htm
http://mydear.name/page_umax.php

Once, executed, a, sample, malware, (MD5: 6b31cc25e68d5d008e319c4a1c8c4098), phones, back, to, the, following, C&C, server, IPs:
hxxp://cytpaxiz.us/rasta01.exe
hxxp://60.36.47.71/file.htm
hxxp://219.204.4.3/search.htm

Once, executed, a, sample, malware, (MD5: f2392d18a266f554743b495b4e71b2be), phones, back, to, the, following, C&C, server, IPs:
hxxp://46.121.221.173/start.htm
hxxp://burhyyal.epfusgy.com/calc.exe
hxxp://178.150.138.2/install.htm

Once, executed, a, sample, malware, (MD5: 9bcaeb5b4bdd6b9e22852a98ca630914), phones, back, to, the, following, C&C, server, IPs:
hxxp://159.224.191.47/install.htm
hxxp://109.87.184.7/setup.htm

Once, executed, a, sample, malware, (MD5: 4fd260e17ca40a31a7baace9af1b7db9), phones, back, to, the, following, C&C, server, IPs:
hxxp://178.158.237.37/welcome.htm
hxxp://178.165.13.17/home.htm

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (74.113.233.48):
MD5: a3470a214ec34f7a0b9330e44af80714
MD5: 31593f94936e63152d35ca682fb9ef0b
MD5: eb003b7665b34f6ed3a7944e4254ad2d
MD5: ed1c465beca9596a9031580d1093cb13
MD5: cace61ddd8f8e30cf1f52f9ad6c66578

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://home.mywebsearch.com - 74.113.233.48
hxxp://akd.search.mywebsearch.com - 5.178.43.17
hxxp://ak.imgfarm.com - 90.84.60.81
hxxp://anx.mywebsearch.com - 74.113.233.187

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 11ddcf7bd806c9ef24cc84a440629e68
MD5: 8c1e63b34c678b48c63ba369239d5718
MD5: 10b4c54646567dcee605f5c36bfa8f17
MD5: 70dbce98f1d62c03317797a1dd3da151
MD5: ee00f47a51e91a1f70a5c7a0086b7220

Once, executed, a, sample, malware (MD5: 11ddcf7bd806c9ef24cc84a440629e68), phones, back, to, the, following, malicious, C&C, server, IPs:
http://78.62.197.14/online.htm
http://89.46.92.232/welcome.htm
http://89.46.92.232/login.htm

Once, executed, a, sample, malware (MD5: 8c1e63b34c678b48c63ba369239d5718), phones, back, to, the, following, malicious, C&C, server, IPs:
http://109.251.217.207/home.htm
http://109.251.217.207/login.htm

Once, executed, a, sample, malware, (MD5: 10b4c54646567dcee605f5c36bfa8f17), phones, back, to, the, following, malicious, C&C, server, IPs:
http://91.221.219.12/setup.htm

Once, executed, a, sample, malware, (MD5: 70dbce98f1d62c03317797a1dd3da151), phones, back, to, the, following, malicious, C&C, server, IPs:
http://89.229.4.22/install.htm
http://89.229.4.22/default.htm

Once, executed, a, sample, malware (MD5: ee00f47a51e91a1f70a5c7a0086b7220), phones, back, to, the, following, malicious, C&C, server, IPs:
http://89.229.4.22/install.htm
http://89.229.4.22/default.htm

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Saturday, December 24, 2016

Historical OSINT - Google Docs Hosted Rogue Chrome Extension Serving Campaign Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, while, earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, malware-infected, hosts, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affecting, Google Docs, while, successfully, enticing, socially, engineered, users, into, clicking, on, bogus, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, successfully, exposing, socially, engineered, users, to, a, rogue, Chrome Extension.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.

Sample, URL, redirection, chain:
https://1364757661090.docs.google.com/presentation/d/1w5eh2rh6i0pbuVjb4_MzBNPEovRw3f6qiho7AshTcHI/htmlpresent?videoid=1364757661199 -> http://www.worldvideos.us/chrome.php -> https://chrome.google.com/webstore/detail/high-solution/jokhejlfefegeolonbckggpfggipmmim

Related, malicious, domain, reconnaissance:
hxxp://worldvideos.us - 89.19.10.194
ns1.facebookhizmetlerim.com
ns2.facebookhizmetlerim.com

Responding to 89.19.10.194 are also the following fraudulent domains part of the campaign's infrastructure:
hxxp://e-sosyal.biz
hxxp://facebookhizmetlerim.com
hxxp://facebookmedya.biz
hxxp://facebooook.biz
hxxp://fbmedyahizmetleri.com
hxxp://sansurmedya.com
hxxp://sosyalpaket.com
hxxp://worldmedya.net
hxxp://youtubem.biz

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (208.73.211.70):
hxxp://396p4rassd2.youlovesosoplne.net
hxxp://5q14.zapd.co
hxxp://airmats.com
hxxp://amciksikis.com
hxxp://anaranjadaverzochte.associate-physicians.org
hxxp://autorepairmanual.org
hxxp://blackoutblinds.com
hxxp://blog.jmarkafghans.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (208.73.211.70):
MD5: 584a779ae8cdea13611ff45ebab517ae
MD5: cea89679058fe5a5288cfacc1a64e431
MD5: 62eee7a0bed6e958e72c0edf9da17196
MD5: 160793c37a5aa29ac4c88ba88d1d7cc2
MD5: 46079bbcfcd792dfcd1e906e1a97c3a6

Once, executed, a, sample, malware (MD5: 584a779ae8cdea13611ff45ebab517ae), phones, back, to, the, following, C&C, server, IPs:
hxxp://zhutizhijia.com - 208.73.211.70

Once, executed, a, sample, malware (MD5: cea89679058fe5a5288cfacc1a64e431), phones, back, to, the, following, C&C, server, IPs:
hxxp://aieov.com - 208.73.211.70

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (141.8.224.239):
hxxp://happysocks.7live7.org
hxxp://hiepdam.org
hxxp://hyper-path.com
hxxp://interfacelife.com
hxxp://iowa.findanycycle.com
hxxp://massachusetts.findanyboat.com
hxxp://diptnyc.com

Related, maliciuos, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (141.8.224.239):
MD5: ddf27e034e38d7d35b71b7dc5668ffce
MD5: 6ba6451a9c185d1d07323586736e770e
MD5: 854ea0da9b4ad72aba6430ffa6cc1532
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: bf78b0fcfc8f1a380225ceca294c47d8

Once, executed, a, sample, malware (MD5:ddf27e034e38d7d35b71b7dc5668ffce), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://srv.desk-top-app.info - 141.8.224.239

Once, executed, a, sample, malware (MD5:6ba6451a9c185d1d07323586736e770e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://premiumstorage.info - 141.8.224.239

Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49
hxxp://wentstate.net - 141.8.224.93
hxxp://musicnews.net - 176.74.176.187
hxxp://spendstate.net

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (89.19.10.194):
hxxp://liderbayim.com
hxxp://blacksport.org
hxxp://liderbayim.com
hxxp://2sosyal-panelim.com
hxxp://sosyal-panelim.com
hxxp://darknessbayim.com
hxxp://hebobayi.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - FTLog Worm Spreading Across Fotolog

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, further, spreading, malicious, software, while, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multu-tude, of, malicious, software, while, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, the, malware-infected, hosts, further, spreading, malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, on, a, set, of, tactics, techniques, and, procedures, successfully, monetizing, access, to, the, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a currently, circulating, malicious, spam, campaign, targeting, the, popular, social, network, Web, site, Fotolog, successfully, enticing, socially, engineered, users, into, interacting, with, malicious, links, while, monetizing, access, to, the, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.


Sample, URL, redirection, chain:
hxxp://bit.ly/cBTsWo
        - hxxp://zwap.to/001mk
            - hxxp://www.cepsaltda.cl/uc/red.php?u=1 - 216.155.72.44
                - hxxp://supatds.cn/go.php?sid=1 - 92.241.164.1
                    - hxxp://www.cepsaltda.cl/uc/rcodec.php
                        - hxxp://cepsaltda.cl/uc/codec/divxcodec.exe

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: c6dbc58e0db3c597c4ab562ad9710a38

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Massive Black Hat SEO Campaing Serving Scareware Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, acquiring, and, hijacking, traffic, for, the, purpose, of, converting, it, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, a, set, of, tactics, techniques, and, procedures, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, an, affiliate-based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, black, hat, SEO (search engine optimization), campaign, serving, fake, security, software, also, known, as, scareware, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, portfolio, of, compromised, Web, sites:
hxxp://yushikai.co.uk
hxxp://www.heart-2-heart.nl
hxxp://www.stichtingkhw.nl
hxxp://burgessandsons.com
hxxp://marsmellow.info
hxxp://broolz.co.uk
hxxp://bodyscope.co.uk
hxxp://janschnoor.de
hxxp://goodluckflowers.com
hxxp://www.frank-carillo.com
hxxp://www.strijkvrij.com
hxxp://www.fotosiast.nl
hxxp://www.senbeauty.nl
hxxp://www.menno.info
hxxp://www.kul.fm

Sample, URL, redirection, chain:
hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181 -> hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48 - Email: Kathryn.D.Jennings@gmail.com

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://myatmoe.iblogger.org
hxxp://creditreport.iblogger.org
hxxp://movieddlheaven.iblogger.org
hxxp://cv-bruno-brocas.iblogger.org
hxxp://islife.iblogger.org
hxxp://iblogger.iblogger.org
hxxp://dressshirt.iblogger.org
hxxp://allians.iblogger.org
hxxp://rapid-weight-loss.iblogger.org
hxxp://breastaugm.iblogger.org
hxxp://uila.iblogger.org
hxxp://oh-tv.iblogger.org
hxxp://brudnopis.iblogger.org
hxxp://learnenglish.iblogger.org
hxxp://motivatedcats.iblogger.org
hxxp://robert.iblogger.org
hxxp://testforask.iblogger.org
hxxp://poormanguides.iblogger.org
hxxp://gelbegabeln.iblogger.org
hxxp://nuagerouge.iblogger.org
hxxp://chicos-on-line.iblogger.org
hxxp://hypnosisworld.iblogger.org
hxxp://tennis.iblogger.org
hxxp://ibu.iblogger.org
hxxp://turkifsa.iblogger.org
hxxp://amandacooper.iblogger.org
hxxp://tw.iblogger.org
hxxp://whedon.iblogger.org
hxxp://han.iblogger.org
hxxp://scclab.iblogger.org
hxxp://besftfoodblogger.iblogger.org
hxxp://premiummenderacunt.iblogger.org
hxxp://seobook.iblogger.org
hxxp://bestjackets.iblogger.org
hxxp://kidszone.iblogger.org
hxxp://liker2fb.iblogger.org
hxxp://vipin.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://palermo.iblogger.org
hxxp://forum.bay.de.iblogger.org
hxxp://online-guard.iblogger.org
hxxp://juhjsd.iblogger.org
hxxp://asulli.iblogger.org
hxxp://youtubetranscription.iblogger.org
hxxp://praza.iblogger.org
hxxp://free-worlds.iblogger.org
hxxp://mlm.iblogger.org
hxxp://myleskadusale.iblogger.org
hxxp://ninjapearls.iblogger.org
hxxp://bassian.iblogger.org
hxxp://d3-f21-w-14.iblogger.org
hxxp://mlk.iblogger.org
hxxp://pe.iblogger.org
hxxp://connor54321.iblogger.org
hxxp://smx.iblogger.org
hxxp://17fire.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://generalsurgery.iblogger.org
hxxp://megafon.iblogger.org
hxxp://dasefx.iblogger.org
hxxp://ysofii.iblogger.org
hxxp://priv8.iblogger.org
hxxp://kahramanmaras.iblogger.org
hxxp://kaoojcjl.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://dla-kobiet.iblogger.org
hxxp://karinahart.iblogger.org
hxxp://mariucciaelasuaombra.iblogger.org
hxxp://signinbay.de.iblogger.org
hxxp://pitstop.iblogger.org
hxxp://colorless.iblogger.org
hxxp://directorio.iblogger.org
hxxp://odenaviva.iblogger.org
hxxp://e-money.iblogger.org
hxxp://digicron.iblogger.org
hxxp://slotomania-hackers.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://bestoksriy.iblogger.org
hxxp://teamsite.iblogger.org
hxxp://mateaplicada.iblogger.org
hxxp://tmgames.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://priv8.iblogger.org
hxxp://sharepointdotnetwiki.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://seobook.iblogger.org
hxxp://jawwal.iblogger.org
hxxp://tomsplace.iblogger.org
hxxp://shreyo.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://beitypedia.iblogger.org
hxxp://dutcheastindies.iblogger.org
hxxp://cramat-satu.iblogger.org
hxxp://misc.iblogger.org
hxxp://espirito-de-aventura.iblogger.org
hxxp://tomksoft.iblogger.org
hxxp://mymovies.iblogger.org

Known, to, have, responded, to, the, same, malicious, IP (199.59.243.120) are, also, the, following, malicious, domains:
hxxp://brendsrnzwrn.cuccfree.com
hxxp://caraccidentlawyer19.us
hxxp://colombiavirtualtours.com
hxxp://dailydigest.cn
hxxp://drugaddiction569.us
hxxp://earnonline.cn
hxxp://epicor.in
hxxp://glhgk.com
hxxp://iroopay.com
hxxp://kajianislam.us

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (199.59.243.120):
MD5: c7bd669a416a8347aeba6117d0040217
MD5: ae89e09f52db7f9d69b9b9c40dbf35f9
MD5: b4399fc8f1de723d452b05ec474ca651
MD5: c779d9f4e9992ad5ffcd2353bb003a51
MD5: cc6efabb0a26c729f126b12be717de47

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://theworldnews.byethost5.com - 199.59.243.120

Known, to, have, responded, to, the, same, malicious IP (205.164.14.79), are, also, the, following, malicious, domains:
hxxp://fsdq.cn
hxxp://parked-domain.org
hxxp://fiverr.hk.tn
hxxp://hamzanori90.name-iq.com
hxxp://postgumtree.uk.tn
hxxp://caoliushequ.info
hxxp://housewives.byethost4.com
hxxp://nuichate.22web.org
hxxp://3rtz.byethost12.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (205.164.14.79):
MD5: dbca66955cac79008f9f1cd415d7e308
MD5: b452ca519f077307d68ff034567087c1
MD5: 70e8c79135b341eac51da0b5789744d3
MD5: a9f64c1404faf4a6fc81564c8dec22d9
MD5: b3737a1c34cb705f7d244c99afdc3a01

Once, executed, a, sample, malware (MD5:dbca66955cac79008f9f1cd415d7e308), phones, back, to, the, following, C&C, server, IPs:
hxxp://ibayme.eb2a.com - 205.164.14.79

Known, to, have, responded, to, the, same, malicious, IPs (199.59.241.181), are, also, the, following, malicious, domains:
hxxp://yn919.com
hxxp://wimp.it
hxxp://puqiji.com
hxxp://52style.com
hxxp://007guard.com
hxxp://10iski.10001mb.com
hxxp://11649.bodisparking.com
hxxp://13.get.themediafinder.com
hxxp://134205.aceboard.fr

Sample, detection, rate, for, a, malicious, executable:
MD5: f74a744d75c74ed997911d0e0b7e6f67

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://mycommercialssecuritytool.com/in.php?affid=34100

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://protectyoursystemnowonline.com
hxxp://createyoursecurityonline.com
hxxp://commercialssecuritytools.com
hxxp://freecreateyoursecurity.com

Sample, URL, redirection, chain:
hxxp://ulions.com/yxg.php?p= - 104.28.22.34
    - hxxp://ppbmv4.xorg.pl/in.php?t=cc&d=04-02-2010_span&h=
        - hxxp://www1.nat67go4it.net/?uid=195&pid=3&ttl=5184c614d4b - 89.248.160.161
            - hxxp://www1.systemsecure.in/?p=

Know, to, have, responded, to, same, malicious, C&C, server, IP (104.28.22.34), are, also, the, following, malicious, domains:
hxxp://portlandultimate.com
hxxp://portablemineapplicationsub.tech
hxxp://indirimkuponlarimiz.com
hxxp://walkinclosetguys.com
hxxp://bryantanaka.com
hxxp://swisschecklist.com
hxxp://census.mnfurs.org
hxxp://duluthbeth.xyz

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (104.28.22.34):
MD5: 11dda0bbd2aef7944f990fcefbc91034
MD5: d0be24df3078866a277874dad09c98d9
MD5: 9ba06da9370037fd2ffe525d6164b367
MD5: 537bd45df702f90585eebab2a8bb3584
MD5: a9f61e9696ff7ff4bfc34f70549ffdd0

Once, executed, a, sample, malware (MD5:11dda0bbd2aef7944f990fcefbc91034), phones, back, to, the, following, C&C, server, IPs:
hxxp://audio-direkt.net
hxxp://servico-ind.com
hxxp://saios.net
hxxp://coopsupermarkt.nl
hxxp://fruitspot.co.za
hxxp://vitalur.by
hxxp://trinity-works.com

Once, executed, a, sample, malware (MD5:d0be24df3078866a277874dad09c98d9), phones, back, to, the, following, C&C, server, IPs:
hxxp://3asfh.net - 104.28.22.34

Once, executed, a, sample, malware, (MD5:a9f61e9696ff7ff4bfc34f70549ffdd0), phones, back, to the, following, malicious, C&C, server, IPs:
hxxp://link-list-uk.com
hxxp://racknstackwarehouse.com.au
hxxp://zeronet.co.jp
hxxp://sun-ele.co.jp
hxxp://slcago.org
hxxp://frederickallergy.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Friday, December 23, 2016

Historical OSINT - Haiti-themed Blackhat SEO Campaign Serving Scareware Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, spreading, malicious, software, largely, relying, on, a, pre-defined, set, of, compromised, hosts, for, the, purpose, of, spreading, malicious, software, further, expanding, a, specific, botnet's, infected, population, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, access, to, the, infected, hosts, largely, relying, on, an, affiliate-based, type, of, monetizing, scheme.

In, this, post, we'll, profile, a, currently, circulating, malicious, black, hat, SEO (search engine optimization), campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, portfolio, of, affected, Web, sites:
hxxp://austinluce.co.uk
hxxp://naukatanca.co.uk
hxxp://truenorthinnovation.co.uk
hxxp://robsonsofwolsingham.co.uk
hxxp://daviddewphotography.co.uk

Sample, URL, redirection, chain:
hxxp://sciencefirst.com/?red=haiti-earthquake-donate
    - hxxp://otsosute.freehostia.com/c.html
        - hxxp://scan-now24.com/go.php?id=2022&key=4c69e59ac&d=1

Sample, URL, redirection, chain:
hxxp://lipsticpi.ru/sm/r.php
    - hxxp://uscaau.com/back.php
        - hxxp://sekuritylistsite.com/hitin.php?land=20&affid=94801
            - hxxp://mypremiumantyspywarepill.com/hitin.php?land=20&affid=94801
                - hxxp://mypremiumantyspywarepill.com/index.php?affid=94801

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: ebc956abadefdac794ebcd1898ea07cf

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: d65a5d1ab98bd690dccd07cb6eebcba3

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://mypremiumantyspywarepill.com/in.php?affid=94801
hxxp://greatnorthwill.com/?mod=vv&i=1&id=11-18

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://getholidaypresent0.com - 204.12.225.83
hxxp://getholidaypresent2.com
hxxp://getholidaypresent3.com
hxxp://scan-now22.com
hxxp://scan-now23.com
hxxp://scan-now24.com
hxxp://santaclaus4.com
hxxp://getholidaypresent5.com
hxxp://getholidaypresent7.com

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://freeantyviruspillblog.com - 213.163.91.240
hxxp://newgoodantyspywarepill.com
hxxp://mypremiumantyspywarepill.com
hxxp://freegoodantyviruspill.com
hxxp://freeantyspywarepillshop.com
hxxp://thevirustoolbox.com

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercrimianals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, thousands, of, newly, affected, users, globally, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, botnet's, population, largely, relying, on, the, utilization, of, affiliate-based, type, of, fraudulent, revenue, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, impersonating, Facebook, for, the, purpose, of, serving, client-side, exploits, to, socially, engineered, users, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, hosts, largely, relying, on, the, use, of, affiliate-based, type, of, fraudulent, revenue, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.

Sample, URL, exploitation, chain:
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
    - hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
        - hxxp://spain.salefale.com/index.php

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://salefale.com - 112.137.165.114
    - hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru
       
Sample, detection, rate, for, the, malicious, executable:
MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09

Once, executed, a, sample, malware, phones back to:
hxxp://makotoro.com

Related, malicious, C&C, server, IPs, known, to, have, participated, in, the, campaign:
hxxp://91.201.196.99
hxxp://91.201.196.77
hxxp://91.201.196.101
hxxp://91.201.196.35
hxxp://91.201.196.75
hxxp://91.201.196.76
hxxp://91.201.196.38
hxxp://91.201.196.34
hxxp://91.201.196.37

Related, malicious, C&C, server, IPs (212.175.173.88), known, to, have, participated, in, the, campaign:
hxxp://downloads.fileserversa.org
hxxp://downloads.fileserversc.org
hxxp://downloads.fileserversd.org
hxxp://downloads.portodrive.org
hxxp://downloads.fileserversj.org
hxxp://downloads.fileserversk.org
hxxp://downloads.fileserversm.org
hxxp://downloads.fileserversn.org
hxxp://downloads.fileserverso.org
hxxp://downloads.fileserversq.org
hxxp://downloads.fileserversr.org
hxxp://auth.facebook.com.megavids.org
hxxp://auth.facebook.com.fileserversl.com
hxxp://auth.facebook.com.legomay.com
hxxp://auth.facebook.com.crymyway.com
hxxp://auth.facebook.com.portodrive.net
hxxp://auth.facebook.com.modavedis.net
hxxp://auth.facebook.com.migpix.net
hxxp://auth.facebook.com.legomay.net
hxxp://auth.facebook.com.crymyway.net
hxxp://downloads.megavids.org
hxxp://downloads.regzavids.org
hxxp://downloads.vedivids.org
hxxp://downloads.restpictures.org
hxxp://downloads.modavedis.org
hxxp://downloads.fileserverst.org
hxxp://downloads.fileserversu.org
hxxp://downloads.regzapix.org
hxxp://downloads.reggiepix.org
hxxp://downloads.migpix.org
hxxp://downloads.restopix.org
hxxp://downloads.legomay.org
hxxp://downloads.vediway.org
hxxp://downloads.compoway.org
hxxp://downloads.restway.org
hxxp://downloads.crymyway.org
hxxp://downloads.fileserversa.com
hxxp://downloads.fileserversb.com
hxxp://downloads.fileserversc.com
hxxp://downloads.fileserversd.com
hxxp://downloads.fileserverse.com
hxxp://downloads.fileserversf.com
hxxp://downloads.fileserversg.com
hxxp://downloads.fileserversh.com
hxxp://downloads.fileserversi.com
hxxp://downloads.fileserversj.com
hxxp://downloads.fileserversk.com
hxxp://downloads.fileserversl.com
hxxp://downloads.fileserversm.com
hxxp://downloads.fileserversn.com
hxxp://downloads.fileserverso.com
hxxp://downloads.fileserversp.com
hxxp://downloads.fileserversq.com
hxxp://downloads.fileserversr.com
hxxp://downloads.regzavids.com
hxxp://downloads.vedivids.com
hxxp://downloads.restpictures.com
hxxp://downloads.modavedis.com
hxxp://downloads.fileserverss.com
hxxp://downloads.fileserverst.com
hxxp://downloads.fileserversu.com
hxxp://downloads.regzapix.com
hxxp://downloads.reggiepix.com
hxxp://downloads.migpix.com
hxxp://downloads.legomay.com
hxxp://downloads.vediway.com
hxxp://downloads.compoway.com
hxxp://downloads.crymyway.com
hxxp://downloads.fileserversa.net
hxxp://downloads.fileserversb.net
hxxp://downloads.fileserversc.net
hxxp://downloads.fileserversd.net
hxxp://downloads.fileserverse.net
hxxp://downloads.portodrive.net
hxxp://downloads.fileserversf.net
hxxp://downloads.fileserversg.net
hxxp://downloads.fileserversh.net
hxxp://downloads.fileserversi.net
hxxp://downloads.fileserversj.net
hxxp://downloads.fileserversk.net
hxxp://downloads.fileserversl.net
hxxp://downloads.fileserversm.net
hxxp://downloads.fileserversn.net
hxxp://downloads.fileserverso.net
hxxp://downloads.fileserversp.net
hxxp://downloads.fileserversq.net
hxxp://downloads.fileserversr.net
hxxp://downloads.regzavids.net
hxxp://downloads.vedivids.net
hxxp://downloads.tastyfiles.net
hxxp://downloads.restpictures.net
hxxp://downloads.modavedis.net
hxxp://downloads.fileserverss.net
hxxp://downloads.fileserverst.net
hxxp://downloads.fileserversu.net
hxxp://downloads.regzapix.net
hxxp://downloads.reggiepix.net
hxxp://downloads.migpix.net
hxxp://downloads.legomay.net
hxxp://downloads.vediway.net
hxxp://downloads.compoway.net
hxxp://downloads.restway.net
hxxp://downloads.crymyway.net

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection

In, a, cybercrime, dominated, by, fraudulent, propositions, historical, OSINT, remains, a, crucial, part, in, the, process, of, obtaining, actionable. intelligence, further, expanding, a, fraudulent, infrastructure, for, the, purpose, of, establishing, a, direct, connection, with, the, individuals, behind, it. Largely, relying, on, a, set, of, tactics, techniques, and, procedures, cybercriminals, continue, further, expanding, their, fraudulent, infrastructure, successfully, affecting, hunreds, of, thousands, of, users, globally, further, earning, fraudulent, revenue, in, the, process, of, committing, fraudulent, activity, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

In, this, post, we'll, discuss, a, black, hat, SEO (search engine optimization), campaign, intercepted, in, 2009, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, successfully, establishing, a, direct, connection, with, the, Koobface, gang.


The, Koobface, gang, having, successfully, suffered, a, major, take, down, efforts, thanks, to, active, community, and, ISP (Internet Service Provider), cooperation, has, managed, to, successfully, affect, a, major, proportion, of, major, social, media, Web, sites, including, Facebook, and, Twitter, for, the, purpose, of, further, spreading, the, malicious, software, served, by, the, Koobface, gang, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, fake, security, software, and, the, reliance, on, a, fraudulent, affiliate-network, based, type, of, monetizing, scheme.


Largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, including, social, media, propagation, black, hat, SEO (search engine optimization), and, client-side, exploits, the, Koobface, gang, has, managed, to, successfully, affect, hundreds, of, thousands, of, users, globally, successfully, populating, social, media, networks, such, as, Facebook, and, Twitter, with, rogue, and, bogus, content, for, the, purpose, of, spreading, malicious, software, and, earning, fraudulent, revenue, in, the, process, largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, affiliate-network, based, traffic, monetizing, scheme.

Let's, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, with, the, Koobface, gang, and, the, Koobface, botnet's, infrastructure.

Sample URL, redirection, chain:
hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901; -> http://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> hxxp://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56


Sample, detection, rate, for, a, malicious, executable:MD5: bd7419a376f9526719d4251a5dab9465


Sample, URL, redirection, chain, leading, to, client-side, exploits:
hxxp://loomoom.in/counter.js - 64.20.53.84 - the front page says "We are under DDOS attack. Try later".
hxxp://firefoxfowner.cn/?pid=101s06&sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=101s6&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZT0xMjUxNMkNPAhN

Sample, detection, rate, for, a, malicious, executable:
MD5: a91a1bb995e999f27ffc5d9aa0ac2ba2

Once, executed, a, sample, malware, phones, back, to:
hxxp://systemcoreupdate.com/download/timesroman.tif - 213.136.83.234


Sample, URL, redirection, chain:
hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is also left "We are under DDOS attack. Try later"
hxxp://johnsmith.in/counter.js - 64.20.53.86
hxxp://gamotoe.in/counter.js
hxxp://polofogoma.in/counter.js
hxxp://jajabin.in/counter.js
hxxp://dahaloho.in/counter.js
hxxp://gokreman.in/counter.js
hxxp://freeblogcounter2.com/counter.js
hxxp://lahhangar.in/counter.js
hxxp://galorobap.in/counter.js


Sample, directory, structure, for, the, black, hat, SEO (search engine optimization), campaign:
hxxp://images/include/bmblog
hxxp://bmblog/category/art/
hxxp://images/style/bmblog
hxxp://photos/archive/bmblog/
hxxp://templates/img/bmblog
hxxp://phpsessions/bmblog
hxxp://Index_archivos/img/bmblog/
hxxp://bmblog/category/hahahahahah/
hxxp://gallery/include/bmblog


Sample, malicious, domains, participating, in, the, campaign:
pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com
securitytoolnow.com - Email: ronaldmpappas@dodgit.com
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com
security-utility.net - Email: richardrmccullough@trashymail.com

Historically on the same IP were parked the following, now responding to 91.212.107.37 domains:
online-spyware-remover.biz - Email: robertsimonkroon@gmail.com
online-spyware-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.biz  - Email: robertsimonkroon@gmail.com
spyware-online-remover.com - Email: robertsimonkroon@gmail.com
spyware-online-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.net - Email: robertsimonkroon@gmail.com
spyware-online-remover.org - Email: robertsimonkroon@gmail.com
tubepornonline.biz - Email: robertsimonkroon@gmail.com
tubepornonline.org - Email: robertsimonkroon@gmail.com


Sample, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://antyspywarestore.com/index.php?affid=90400
hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcdermott@gmail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 0feffd97ffe3ecc875cfe44b73f5653b
MD5: a0d9d3127509272369f05c94ab2acfc9

Naturally, it gets even more interesting, in particular the fact the very same robertsimonkroon@gmail.com used to register the domains historically parked at the IP that is currently hosting the scareware domains part of the massive blackhat SEO campaign -- the very same domains (hxxp://firefoxfowner.cn), were also in circulation on Koobface infected host, in a similar fashion when the domains used in the New York Times malvertising campaign were simultaneously used in blackhat SEO campaigns managed by the Koobface gang -- have not only been seen in July's scareware campaigns -- but also, has been used to register actual domains used as a download locations for the scareware campaigns part of the Koobface botnet's scareware business model.


Parked, at, the, same, malicious, IP (91.212.107.37), are, also, the, following, malicious, domains:
hxxp://free-web-download.com
hxxp://web-free-download.com
hxxp://iqmediamanager.com
hxxp://oesoft.eu
hxxp://unsoft.eu
hxxp://losoft.eu
hxxp://tosoft.eu
hxxp://kusoft.eu

Sample, detection, rate, for, a, malicious, executable:
MD5: 29ff816c7e11147bb74570c28c4e6103
MD5: e59b66eb1680c4f195018b85e6d8b32b
MD5: b34593d884a0bc7a5adb7ab9d3b19a2c

The overwhelming evidence of underground multi-tasking performed by the Koobface gang, it's connections to money mule recruitment scams, high profile malvertising attacks, and current market share leader in blackhat SEO campaigns, made, the, group, a, prominent, market, leader, within, the, cybercrime, ecosystem, having, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, earning, hundreds, of, thousands, in, fraudulent, revenue, in, the, process.

Related posts:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign

There's no such thing as free porn, unless there are client-side, exploits, served.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, enticing, end, users, into, clicking, on, malware-serving, client-side, exploits, embedded, content, for, the, purpose, of, affecting, a, socially, engineered, user''s, host, further, monetizing, access, by, participating, in, a, rogue, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, malicious, URL, known, to, have, participated, in, the, campaign:
hxxp://jfkweb.chez.com/HytucztXRs.html? -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=6 -> http://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=14 -> hxxp://meganxoxo.com - 74.222.13.2 - associated, name, servers: ns1.tube310.info; ns2.tube310.info - 74.222.13.24

Parked there (74.222.13.2) are also:
hxxp://e-leaderz.com - Email: seoproinc@gmail.com
hxxp://babes4you.info - 74.222.13.25
hxxp://tubexxxx.info
hxxp://my-daddy.info - 74.222.13.25

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://eroticahaeven.info
hxxp://freehotbabes.info
hxxp://freepornportal.info
hxxp://hot-babez.info
hxxp://sex-sexo.info
hxxp://tube310.info
hxxp://tube323.info

The exploitation structure is as follows:
hxxp://meganxoxo.com/xox/go.php?sid=6 -> hxxp://kibristkd.org.tr/hasan-ikizer/index01.php -> hxxp://fd1a234sa.com/js - 79.135.152.26 -> hxxp://asf356ydc.com/qual/index.php - CVE-2008-2992; CVE-2009-0927; CVE-2010-0886 -> hxxp://asf356ydc.com/qual/52472f502b9688d3326a32ed5ddd5d2c.js ->  hxxp://asf356ydc.com/qual/abe9c321312b206bffa798ef9d5b6a9b.php?uid=206369 -> hxxp://188.243.231.39/public/qual.jar ->  hxxp://asf356ydc.com/qual/load.php/0a3584217553d6fccbd74cfb73e954b6?forum=thread_id -> hxxp://asf356ydc.com/download/stat.php -> hxxp://asf356ydc.com/download/load/load.exe

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://jfkweb.chez.com/frank4.html - CVE-2010-0886
    - hxxp://jfkweb.chez.com/bud2.html
        - hxxp://jfkweb.chez.com/4.html
            - hxxp://wemhkr3t4z.com/qual/load/myexebr.exe
                - hxxp://asf356ydc.com/download/index.php
                    - hxxp://89.248.111.71/qual/load.php?forum=jxp&ql
                        - hxxp://asf356ydc.com/qual/index.php

Related, malicious, URls, known, to, have, participated, in, the, campaign:
hxxp://qual/10964108e3afab081ed1986cde437202.js
hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php?spn=2&uid=213393&
hxxp://qual/index.php?browser_version=6.0&uid=213393&browser=MSIE&spn=2

Related, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://download/banner.php?spl=javat
hxxp://download/j1_ke.jar
hxxp://download/j2_93.jar

parked on 89.248.111.71, AS45001, Interdominios_ono Grupo Interdominios S.A.
wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related, malicious, MD5s, known, to, have, participated, in, the, campaign:
hxxp://alhatester.com/cp/file.exe - 204.11.56.48; 204.11.56.45; 8.5.1.46; 208.73.211.230; 208.73.211.247; 208.73.211.249; 208.73.211.246; 208.73.211.233; 208.73.211.238; 208.73.211.208

Known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs, are, also, the, following, malicious, MD5s:
MD5: 89fb419120d1443e86d37190c8f42ae8
MD5: 3194e6282b2e51ed4ef186ce6125ed73
MD5: 7f42da8b0f8542a55e5560e86c4df407
MD5: f8bdc841214ae680a755b2654995895e
MD5: ed8062e152ccbe14541d50210f035299

Once, executed, a, sample, malware (MD5: 89fb419120d1443e86d37190c8f42ae8), phones, back, to, the, following, C&C, server, IPs:
hxxp://gremser.eu
hxxp://bibliotecacenamec.org.ve
hxxp://fbpeintures.com
hxxp://postgil.com
hxxp://verum1.home.pl
hxxp://przedwislocze.internetdsl.pl
hxxp://iskurders.webkursu.net
hxxp://pennthaicafe.com.au
hxxp://motherengineering.com
hxxp://krupoonsak.com

Once, executed, a, sample, malware (MD5: 3194e6282b2e51ed4ef186ce6125ed73), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://get.enomenalco.club
hxxp://promos-back.peerdlgo.info
hxxp://get.cdzhugashvili.bid
hxxp://doap.ctagonallygran.bid
hxxp://get.gunnightmar.club
hxxp://huh.adowableunco.bid
hxxp://slibby.ineddramatiseo.bid

Once, executed, a, sample, malware (MD5: 7f42da8b0f8542a55e5560e86c4df407), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://acemoglusucuklari.com.tr
hxxp://a-bring.com
hxxp://tn69abi.com
hxxp://gim8.pl
hxxp://sso.anbtr.com

Once, executed, a, sample, malware (MD5: f8bdc841214ae680a755b2654995895e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.secdls.com
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com
hxxp://api.v2.sslsecure4.com
hxxp://api.v2.sslsecure5.com
hxxp://api.v2.sslsecure6.com
hxxp://api.v2.sslsecure7.com
hxxp://api.v2.sslsecure8.com

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://v00d00.org/nod32/grabber.exe - - 67.215.238.77; 67.215.255.139; 184.168.221.87

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (67.215.238.77):
MD5: 1233c86d3ab0081b69977dbc92f238d0

Known, to, have, responded, to, the, same, malicious, IPs, are, also, the, following, malicious, domains:
hxxp://blog.symantecservice37.com
hxxp://agoogle.in
hxxp://adv.antivirup.com
hxxp://cdind.antivirup.com

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://v00d00.org/nod32/update.php

Known, to, have, responded, to, the, same, malicious, IPs (67.215.255.139), are, also, the, following, malicious, domains:
hxxp://lenovoserve.trickip.net
hxxp://proxy.wikaba.com
hxxp://think.jkub.com
hxxp://upgrate.freeddns.com
hxxp://webproxy.sendsmtp.com
hxxp://yote.dellyou.com
hxxp://lostself.dyndns.info
hxxp://dellyou.com
hxxp://mtftp.freetcp.com
hxxp://ftp.adobe.acmetoy.com
hxxp://timeout.myvnc.com
hxxp://fashion.servehalflife.com

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (67.215.255.139):
MD5: e76aa56b5ba3474dda78bf31ebf1e6c0
MD5: 4de5540e450e3e18a057f95d20e3d6f6
MD5: 346a605c60557e22bf3f29a61df7cd21
MD5: ae9fefda2c6d39bc1cec36cdf6c1e6c4
MD5: da84f1d6c021b55b25ead22aae79f599

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (184.168.221.87), are, also, the, following, malicious, domains:
hxxp://teltrucking.com
hxxp://capecoraldining.org
hxxp://carsforsaletoronto.com
hxxp://joeyboca.com
hxxp://meeraamacids.com
hxxp://orangepotus.com
hxxp://palmerhardware.com
hxxp://railroadtohell.com

Related, malicious, MD5s, known, to, have, phoned, back, the, same, malicious, C&C, server, IPs (184.168.221.87):MD5: 037f8120323f2ddff3c806185512538c
MD5: 44f0e8fe53a3b489cb5204701fa1773d
MD5: 8a053e8d3e2eafc27be9738674d4d5b0
MD5: 9efc79cd75d23070735da219c331fe4d
MD5: ed81b9f1b72e31df1040ccaf9ed4393f

Once, executed, a, sample, malware (MD5: 037f8120323f2ddff3c806185512538c), phones, back, to, the, following, C&C, server, IPs:
hxxp://porno-kuba.net/emo/ld.php?v=1&rs=1819847107&n=1&uid=1

Once, executed, a, sample, malware, (MD5: 44f0e8fe53a3b489cb5204701fa1773d), phones, back, to, the, following, C&C, server, IPs:
hxxp://mhc.ir
hxxp://naphooclub.com
hxxp://mdesigner.ir
hxxp://nazarcafe.com
hxxp://meandlove.com
hxxp://nakhonsawangames.com
hxxp://mevlanacicek.com
hxxp://meeraprabhu.com
hxxp://micr.ae
hxxp://myhyderabadads.com
hxxp://cup-muangsuang.net

Sample, malicious, URLs, known, to, have, participated, in, the, campaign:
hxxp://portinilwo.com/nhjq/n09230945.asp
    - hxxp://portinilwo.com/botpanel/sell2.jpg
        - hxxp://portinilwo.com/boty.dat
            - hxxp://91.188.60.161/botpanel/sell2.jpg
                - hxxp://91.188.60.161/botpanel/ip.php

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related, malicious, domains, known, to, have, participated, in, the, campaign:
asf356ydc.co
kaljv63s.com
sadkajt357.com

We'll, continue, monitoring, the, fraudulent, infrastructure, and, post, updates, as, soon, as, new, developments, take, place.