Monday, August 29, 2016

Managed SWF Injection Cybercrime-friendly Service Fuels Growth Within the Malvertising Market Segment

Cybercriminals continue launching new cybercrime-friendly services to diversify their portfolio of fraudulent offerings, earning tens of thousands in fraudulent revenue in the process, thanks to a vibrant cybercrime ecosystem and the overall availability of DIY (do-it-yourself) malicious software generating tools.

Largely relying on a diversified set of tactics, techniques and procedures, cybercriminals often rely on the automated and systematic compromise of vulnerable Web sites for active traffic acquisition, hijacking, intercepting and monetizing the acquired traffic to earn fraudulent revenue in the process.



In this post we'll discuss a newly launched managed SWF injecting type of cybercrime-friendly service (108.162.197.62), provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have been downloaded from the same C&C server IP (108.162.197.62):
MD5: 738ef8e826b5f9070f555dc8d5e3320f
MD5: 8dddf1d1786ff72adc60057305f4f2c9
MD5: 0042ef6b151d68824999ed27e320ab7b
MD5: ea0f806840a8f1765994d2941d24a18a
MD5: 9d0e32a4f1d4fb348f70f235e9731363

Related malicious MD5s known to have phoned back to the same C&C server IP (108.162.197.62):
MD5: 4e108296f11d99e56be375dcab2e03d4
MD5: 8f696a2995aa56be5a7fe6ac8639e94a
MD5: 2aa4fedd2626f4a210d13a356cf721a1
MD5: 822606bb2f5a86bd20e4d111705c9e99
MD5: 6267650eb343bc1fb063233aaf398c9a

The service is currently offering a basic account registration priced at $100 and a premium account registration priced at $1,000.

We'll continue monitoring the market segment for malvertising type of managed cybercrime-friendly services and post updates as soon as new developments take place.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Sunday, August 28, 2016

Managed Hacked PCs as a Service Type of Cybercrime-friendly service Spotted in the Wild

With the cybercrime ecosystem persistently supplying new malware releases, cybercriminals continue occupying multiple market segments within the cybercrime ecosystem, generating tens of thousands in fraudulent revenue in the process and potentially empowering new market entrants with the necessary tools and know-how to continue launching related malicious attacks targeting users internationally.

In this post we'll profile a newly launched managed hacked PCs as a service type of cybercrime-friendly service and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.





Next to the overall availability of malware-infected hosts empowering novice cybercriminals with the necessary tools and know-how to conduct related malicious attacks, cybercriminals often rely on basic market segmentation approaches, further taking advantage of the affected users to launch related managed cybercrime-friendly services.

The service is currently offering access to malware-infected hosts in the United States, Italy, France, Spain, Brazil, Argentina and Poland, further empowering novice cybercriminals with the necessary tools and know-how to continue launching related malicious attacks.

We'll continue monitoring the market segment for hacked PCs and post updates as soon as new developments take place.


New Cybercrime-Friendly Service Offers Fake Documents and Bills on Demand

The market segment for fake documents and bills continues flourishing thanks to a vibrant cybercrime ecosystem offering access to a variety of commoditized underground market items, generating fraudulent revenue for the cybercriminals behind it. Thanks to the overall availability of DIY (do-it-yourself) malware generating tools and the overall prevalence of money mule recruitment scams, which give cybercriminals easy access to basic risk-forwarding tactics, cybercriminals continue generating tens of thousands in fraudulent revenue in the process.

In this post we'll discuss a newly launched managed cybercrime service offering access to fake documents, stolen credit cards and fake bills, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.




The service is currently offering fake documents for Australia, Belgium, Brazil, Canada, Denmark, Estonia, Finland, France, Germany, Greece, Italy, India, Netherlands, Norway, Latvia, Lithuania, Poland, Romania, Slovakia, Slovenia, Sweden, United Kingdom, USA and Russia, and fake bills for Australia, Austria, Canada, Czech Republic, Estonia, France, Finland, Germany, Ireland, Italy, United Kingdom, Latvia, Norway, Romania, Slovakia, Sweden, Switzerland, USA, Spain, Russia and Ukraine.

We'll continue monitoring the market segment for fake documents and post updates as soon as new developments take place.


Friday, August 19, 2016

Invitation - Private Party - Kings of Wisdom

Dear blog readers, I decided to invite selected blog readers to a private party hosted in my town for the opening of the Kings of Wisdom [hard copy] magazine.

If you're interested in attending and bringing back the spirit of what used to be the scene, you can approach me at ddanchev@protonmail.ch to request attendance details.


Wednesday, August 17, 2016

Newly Launched Cybercrime Service Offers Access to POS Terminals on Demand

Cybercriminals continue applying basic market segmentation concepts to their underground market propositions to further ensure that they're capable of targeting the right audience, potentially generating hundreds of thousands in fraudulently generated revenue in the process.

From basic malware-as-a-service underground market propositions offering access to country-, city- or ISP-based malware-infected hosts, to cybercrime-friendly services offering access to malware-infected hosts converted into anonymization proxies to further target additional market segments within the cybercrime ecosystem, cybercriminals continue to utilize basic market segmentation concepts based on the targeted population.

In this post we'll discuss a newly launched managed service offering access to POS (Point of Sale) terminals, further empowering both novice and sophisticated cybercriminals with the necessary access to commit related fraudulent activities.





The service is currently offering access to POS (Point of Sale) terminals located in the United States, Canada, Australia, the United Kingdom, the Netherlands and Germany, priced between $30 and $50 per terminal.

Cybercriminals continue relying on basic data mining concepts applied to the overall target population, further ensuring that their propositions remain market-relevant while continuing to generate fraudulent revenue in the process.

We expect to continue observing an increase in underground market propositions utilizing basic market segmentation concepts, further positioning both novice and experienced market leaders as relevant and competitive market participants, potentially generating tens of thousands in fraudulently obtained assets in the process.

Managed Social Engineering Based Code Signing Generating Certificate Service Spotted in the Wild

Cybercriminals are masters of social engineering, potentially tricking tens of thousands of users on a daily basis into falling victim to fraudulent cybercrime-friendly campaigns, generating them hundreds of thousands in fraudulent revenue and successfully contributing to the growth of multiple market segments within the underground marketplace.

In this post we'll discuss a newly launched service empowering both novice and experienced cybercriminals with the necessary tools and know-how to further commit fraudulent activities in the form of socially engineered code signing certificates, obtained through the registration of bogus and non-existent companies.


Priced at $1,000 per certificate, the service also offers discounts on a volume basis, including custom contact-based customization files containing detailed info about the rogue company used in the code signing process. Relying on basic 'visual social engineering' concepts, cybercriminals are perfectly positioned to execute a successful campaign on a mass scale or in a targeted nature, successfully targeting tens of thousands of users.

We expect to continue observing relevant code-signing-as-a-service type of cybercrime-friendly propositions within the cybercrime ecosystem, with more market vendors entering the market segment and further positioning themselves as market leaders through basic market segmentation and efficient social engineering techniques.

Spam-friendly Image Randomization Tool Released on the Underground Marketplace

Cybercriminals continue applying basic QA (Quality Assurance) processes to their fraudulent campaigns on their way to achieving a positive ROI (Return on Investment) out of their fraudulent activities.

In this post we'll discuss a newly launched commercial tool that's capable of generating unique images for the purpose of tricking spam filters, in an attempt to trick end users into falling victim to the fraudulent campaign.





Priced at $25, the API-enabled tool is capable of converting a regular image used in a spam campaign into a new one, successfully bypassing spam filters, exposing end users to fraudulent attempts and generating fraudulent revenue for the cybercriminals behind the campaign.

We expect to continue observing an increase in QA (Quality Assurance) driven underground market propositions, leading to a successful set of fraudulent propositions dominating the underground marketplace.
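The defensive counterpart to image randomization is to stop matching spam images on byte-level hashes, which such a tool defeats by design, and match on a perceptual hash instead, which survives small pixel changes. The following Python is an added example, not code from the original post or from the tool it describes: it builds a constructed 8x8 greyscale image, applies a small deterministic per-pixel perturbation standing in for what a randomization tool does, and shows that the MD5 of the pixel buffer changes while an average hash (aHash) does not, so a blocklist keyed on aHash with a Hamming-distance tolerance still matches the randomized copy. The image, the perturbation routine and the threshold are assumptions for the example.

```python
import hashlib


def make_sample_image():
    """Constructed 8x8 greyscale sample (values 0-255). A real filter would first
    downscale the actual image to 8x8 greyscale; the hashing step is the same."""
    return [[(32 * x + 16 * y) % 256 for x in range(8)] for y in range(8)]


def randomize_pixels(img, seed=7, amplitude=3):
    """Deterministic small per-pixel perturbation, modelling what an image
    randomization tool does: every copy differs at the byte level while
    looking identical to a human. Toy LCG, used only for repeatability."""
    out, state = [], seed
    for row in img:
        new_row = []
        for v in row:
            state = (state * 1103515245 + 12345) % (2 ** 31)
            delta = state % (2 * amplitude + 1) - amplitude
            new_row.append(max(0, min(255, v + delta)))
        out.append(new_row)
    return out


def exact_hash(img):
    """Byte-level MD5 of the pixel buffer: any single-pixel change breaks the match."""
    return hashlib.md5(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img):
    """aHash: one bit per pixel, set when the pixel is brighter than the mean.
    Small perturbations rarely flip a bit, so randomized copies still collide."""
    pixels = [v for row in img for v in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for v in pixels:
        bits = (bits << 1) | int(v > mean)
    return bits


def hamming(a, b):
    """Number of differing bits between two aHash values."""
    return bin(a ^ b).count("1")


def is_known_spam_image(img, known_hashes, threshold=5):
    """Match against a blocklist of aHash values with a Hamming-distance tolerance."""
    h = average_hash(img)
    return any(hamming(h, k) <= threshold for k in known_hashes)


def invert(img):
    """A genuinely different image, to show the blocklist does not over-match."""
    return [[255 - v for v in row] for row in img]


if __name__ == "__main__":
    original = make_sample_image()
    copy = randomize_pixels(original)
    print("md5 equal:", exact_hash(original) == exact_hash(copy))
    print("aHash distance:", hamming(average_hash(original), average_hash(copy)))
    print("blocklist hit:", is_known_spam_image(copy, {average_hash(original)}))
```

The threshold of 5 differing bits out of 64 is the usual starting point for aHash; production filters combine it with other perceptual hashes (dHash, pHash) and with text and sender reputation, since a perceptual hash alone can be evaded by larger visual edits.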

Tuesday, August 16, 2016

Cybercriminals Offer Fake/Fraudulent Press Documents Accreditation On Demand

In a cybercrime ecosystem dominated by fraudulent market propositions, with new market entrants occupying new market segments on a daily basis, cybercriminals are perfectly positioned to continue offering commoditized underground market goods such as fake documents for the purpose of generating fraudulent revenue, while empowering fellow cybercriminals with the necessary tools to further commit fraudulent activities.

In this post we'll discuss a newly launched service offering fake press accreditation documents and discuss the overall relevance of the service in the context of the underground marketplace's ongoing commoditization, basic market segmentation concepts, as well as newly applied concepts such as DIY (do-it-yourself) type of services and basic OPSEC with QA (Quality Assurance) in mind.







The service is currently offering custom-made press accreditation documents for the Russian Federation, allowing potential cybercriminals to access press-free zones and potentially commit related fraudulent activities.

The price varies between $62 and $130 depending on the number of fake documents requested, including the option to request anonymous delivery of the fake documents.

Thanks to a vibrant DIY (do-it-yourself) custom-based fake documents generating market segment, cybercriminals have also successfully managed to streamline the process of generating these documents, applying both basic OPSEC (Operational Security) measures, to ensure that they're perfectly positioned to reach their targeted audience while preserving a decent degree of secrecy around their operational procedures, and QA (Quality Assurance) processes, to further ensure the quality of their underground market proposition.

We expect to continue observing a decent supply of segmented market propositions targeting both novice and experienced cybercriminals seeking to obtain fake documents on their way to committing related fraudulent activities.


Historical OSINT - Exposing the Market for Stolen Credit Card Data

With the carding underground continuing to flourish for the purpose of monetizing commoditized underground items such as stolen credit cards, cybercriminals continue to over-supply the market segment for stolen credit card data, largely relying on a boutique type of cybercrime operations business model, continuously supplying the market segment with tens of thousands of stolen credit card records.

Thanks to the general availability of malicious software whose purpose is to obtain and process stolen credit card data, cybercriminals continue to over-supply the marketplace with tens of thousands of stolen credit cards, further continuing to monetize this commoditized underground marketplace item through boutique E-shops offering access to tens of thousands of stolen credit card records.

In this post we'll profile several boutique E-shops for stolen credit card data and provide actionable intelligence on the cybercriminals behind them.

Related data exposing the infrastructure behind the most popular boutique E-shops offering access to stolen credit cards data:
accessltd.ru - Email: admin@accessltd.ru
track2.name - Email: rubensamvelich@gmail.com;rubensamvelich@yahoo.com
bulba.cc - Email: bulbacc@rocketmail.com; bulbacc@yahoo.com
ccStore.ru - Email: ooo.service@yahoo.com
dumps.cc - Email: dumps.cc@safe-mail.net
ccmall.cc - Email: b2b.maxim@gmail.com; lvjiecong@yahoo.com.cn
trackstore.su - Email: roger.sroy@yahoo.com
magic-numbers.cc - Email: elche011@yahoo.com
allfresh.us - Email: keikomiyahara@yahoo.com; dcb725@gmail.com
freshstock.biz - Email: wattt80@yahoo.com
approven.su - Email: yurtan20@e1.ru
cv2shop.com - Email: vipforexbiz@gmail.com
vzone.tc - Whois Privacy Activated
privateservices.ws - Whois Privacy Activated
trackservices.ws - Whois Privacy Activated
perfect-numbers.cc - Email: kachanaburi@yahoo.com
mega4u.biz - Email: persiks@online.ua
pwnshop.cc - Email: alexandanns@gmail.com
bestdumps.su - Email: bestdumpssu@live.com
mycc.su - Email: admin@mycc.su
bestdumps.biz - Email: admin@bestdumps.biz
dumpshop.bz - Email: tonchang2011@yahoo.com
cardshop.bz - Email: tonchang2011@yahoo.com

Thanks to the vibrant cybercrime ecosystem, cybercriminals will continue to actively monetize access to malware-infected hosts for the purpose of earning fraudulent revenue and achieving stolen assets liquidity.

We'll continue monitoring the market segment for stolen credit cards data, and post updates as soon as new developments take place.


Sunday, August 14, 2016

DDanchev is for Hire!

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?

Send your proposition to: ddanchev@protonmail.ch

Book Proposal - Seeking Sponsorship - Publisher Contact

Dear blog readers, as I'm currently busy writing a book, I'm looking for a publisher who's interested in publishing it, with the book proposal available on request.

Send your proposal to: ddanchev@protonmail.ch

Project Proposal - Cybercrime Research - Seeking Investment

Dear blog readers, I'm currently seeking an investment regarding a cybercrime research project, with the project proposal available on request.

Send your proposal to: ddanchev@protonmail.ch

Invitation to Join a Security Community

Dear blog readers, as I'm currently busy launching a private security community, I decided to publicly announce its existence.

Topics of discussion:
- cybercrime research
- threat intelligence
- malicious software

Request an invite: ddanchev@protonmail.ch

Tuesday, June 21, 2016

Malware Serving Campaign Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious spam campaign exposing users to a multitude of malicious software, potentially compromising the confidentiality, integrity and availability of their PCs.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: 6b422988b8b66e54e68f110c64914744
MD5: 414fc339b2dd57bab972b3175a18d64a

Once executed, a sample malware phones back to the following C&C servers:
hxxp://hrtests.ru/S.php - 136.243.126.105; 146.185.243.133; 5.135.104.91; 178.33.188.142; 178.32.238.223; 178.208.83.7; 88.214.200.145
hxxp://managtest.ru/WinRAR.exe - 176.126.71.5; 5.196.241.192; 88.214.200.145

Related malicious MD5s known to have phoned back to the same C&C server IPs (136.243.126.105):
MD5: e974e77d0f69b46b9f6c88d98c76c0c6
MD5: 908bb37015af1c863e8e73bb76fdb127
MD5: 87882046d21d2468ee993ea7c3159c4d
MD5: 299c6ac73e225ec5a355b2fb7a618e8f
MD5: 7f2862b5f399bc74dd6d8079da819126

Related malicious MD5s known to have phoned back to the same C&C server IP (146.185.243.133):
MD5: 47c18c76540b74a1bca6ca3ae10ebd50
MD5: 024807c29f147dd77450a5bc62e59fa5
MD5: e283f13766be7f705c0271bc42681270
MD5: a29d67dad13eef259dc5c872706f15a6
MD5: 2cf7bf436ef8cbfda0136efd11e92341

Related malicious MD5s known to have phoned back to the same C&C server IP (146.185.243.133):
MD5: 2cf7bf436ef8cbfda0136efd11e92341
MD5: 3a5f263a24728d3805045778978f00b5
MD5: 87435a3fc3799d271b3608955d1c6c4d
MD5: 95c0194351bc2685535544574eb3f5df
MD5: 7224e3698edec9590a5198defae66ef1

Once executed, a sample malware phones back to the following C&C server:
hxxp://worktests.ru/test0.txt

Once executed, a sample malware phones back to the following C&C server:
hxxp://testswork.ru/test15.txt
hxxp://testswork.ru/test18.txt
hxxp://testswork.ru/test20.txt
hxxp://testswork.ru/test21.txt

Once executed, a sample malware phones back to the following C&C server:
hxxp://tradetests.ru/test0.txt

Related malicious MD5s known to have phoned back to the same C&C server IP (176.126.71.5):
MD5: 44c3ac885206d641a6d2dce5a675f378
MD5: 2bf97da5f11b655428622fb10c68ff11
MD5: 6911f4a5a85e266229debfdf0832faad
MD5: 8f1b264ceef3e116522ec213ee691cd2
MD5: af7275d12796b53f0ad4d7866be49a4c

Once executed, a sample malware phones back to the following C&C server IPs:
61.246.33.84:7974
187.2.210.167:6688
199.189.86.18:6199
62.103.89.163:9333
95.104.13.237:7158
203.231.71.85:6413
150.129.184.145:5560
213.184.4.236:5531
198.27.96.43:6327
115.110.36.121:8009
46.150.36.126:8404
118.233.56.195:6159
187.55.178.150:6984
219.71.10.251:6070
190.37.215.91:7443
122.117.152.249:7894
14.141.70.162:8811
188.173.150.210:6598
60.171.206.39:6349
103.47.194.115:6959
116.241.49.160:7023
175.45.228.54:6324
158.58.204.215:6789
82.76.230.210:6266
220.134.149.93:6688
201.24.187.30:9088
84.108.148.178:6822
186.95.199.115:5943
113.160.112.8:6439
24.190.4.178:6554
52.26.185.23:6549
115.165.241.228:6623
190.254.83.226:7961
177.103.154.31:6554
114.35.121.231:5774
202.65.136.234:7594
91.186.3.83:8673
31.170.141.113:11802
190.205.137.158:6554
223.255.202.23:5949
175.45.228.56:6249
202.143.149.66:9333
5.189.177.10:6843
91.224.25.225:7677
113.176.82.247:6315
121.42.15.50:11649
189.51.15.2:6018
108.61.213.137:9595
96.56.17.58:6126
61.216.32.170:8513
202.166.162.6:6519
119.236.147.67:6755
96.23.181.97:5531
190.142.66.233:7269

Related malicious MD5s known to have phoned back to the same C&C server IP (5.196.241.192):
MD5: 57f6c25f57f6af3feb149d2cf0ca7b70
MD5: 45bc494e569671ac902ac4abeaf52d0e
MD5: b23b41bc40dd6b2d707c07dfb7da8a8b
MD5: 6458ddbaa59448352cfd18d774af1114
MD5: 89bd709329d7a2666e538ee0fdc7e6a0

Once executed, a sample malware phones back to the following C&C server:
hxxp://stafftest.ru/test.html

Related malicious MD5s known to have participated in the campaign:
MD5: 414fc339b2dd57bab972b3175a18d64a

Once executed, a sample malware phones back to the following C&C servers:
hxxp://stafftest.ru
hxxp://hrtests.ru
hxxp://profetest.ru
hxxp://testpsy.ru
hxxp://pstests.ru
hxxp://qptest.ru
hxxp://prtests.ru
hxxp://jobtests.ru
hxxp://iqtesti.ru

Related malicious MD5s known to have participated in the campaign:
MD5: 7838ccf4e448d8c7404bfe86f5c9d116

Once executed, a sample malware phones back to the following C&C servers:
hxxp://managtest.ru/minerd
hxxp://hrtests.ru/S.php?ver=24&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s

We'll continue monitoring the campaign and post updates as soon as new developments take place.
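Because the listings in this post mix three layouts (defanged hxxp URLs followed by the IPs they resolved to, bare ip:port pairs, and hash lines), a defender has to normalise them before searching proxy or DNS logs. The following Python is an added example, not code from the original post: it parses a constructed excerpt written in the same layout, classifies each digest by its length (some lists on this page label 40-character SHA1 digests as MD5s, so the parser trusts the length rather than the label), and then matches constructed proxy log lines against the resulting indicator set, including a pattern for the S.php check-in format quoted above (S.php?ver=...&pc=...&user=...&sys=...&cmd=...&startup=...). The proxy log layout and the LOG_LINES are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the same layout as the listings in this post.
LISTING = """\
Once executed, a sample malware phones back to the following C&C servers:
hxxp://hrtests.ru/S.php - 136.243.126.105; 146.185.243.133
hxxp://managtest.ru/WinRAR.exe - 176.126.71.5
hxxp://138.201.93.46/userinfo.php
hxxp://toolkitgold.org (54.72.130.67)

Related malicious MD5s known to have phoned back to the same C&C server IP (136.243.126.105):
MD5: e974e77d0f69b46b9f6c88d98c76c0c6
MD5: ff844a8bb40da72b5c9f3a8c3cda7c9d051921e6

Once executed, a sample malware phones back to the following C&C server IPs:
61.246.33.84:7974
187.2.210.167:6688
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HASH_RE = re.compile(r"^(?:MD5|SHA1|SHA256):\s*([0-9a-fA-F]{32,64})$")
DEFANGED_URL_RE = re.compile(r"^hxxps?://([^\s/]+)(/\S*)?\s*(?:[-(]\s*(.*))?$")
IP_PORT_RE = re.compile(r"^(" + IPV4 + r"):(\d{1,5})$")
IPV4_RE = re.compile(r"^" + IPV4 + r"$")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
# Check-in URL shape from the format string quoted in this post; values vary per host.
BEACON_RE = re.compile(r"/S\.php\?ver=\d+&pc=[^&]*&user=[^&]*&sys=[^&]*&cmd=[^&]*&startup=")


@dataclass
class IocSet:
    hashes: dict = field(default_factory=dict)   # digest -> "md5" | "sha1" | "sha256"
    hosts: set = field(default_factory=set)      # domains and IP literals used as hosts
    ips: set = field(default_factory=set)        # every IPv4 seen, resolutions included
    ip_ports: set = field(default_factory=set)   # (ip, port) pairs for direct connections
    url_paths: set = field(default_factory=set)  # "host/path" with the query string removed


def parse_listing(text):
    """Turn a plain-text indicator listing into an IocSet."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            digest = m.group(1).lower()
            kind = HASH_KIND.get(len(digest))      # classify by length, not by label
            if kind:
                iocs.hashes[digest] = kind
            continue
        m = DEFANGED_URL_RE.match(line)
        if m:
            host, path, trailer = m.group(1).lower(), m.group(2), m.group(3)
            iocs.hosts.add(host)
            if IPV4_RE.match(host):
                iocs.ips.add(host)
            if path and path != "/":
                iocs.url_paths.add(host + path.split("?")[0])
            if trailer:                            # "- ip; ip" or "(ip)" resolutions
                iocs.ips.update(re.findall(IPV4, trailer))
            continue
        m = IP_PORT_RE.match(line)
        if m:
            iocs.ips.add(m.group(1))
            iocs.ip_ports.add((m.group(1), int(m.group(2))))
    return iocs


# Constructed proxy log lines (assumed layout: timestamp client method target status).
LOG_LINES = [
    "2016-06-21T10:01:05Z 10.0.0.15 GET http://hrtests.ru/S.php?ver=24&pc=WS01&user=bob&sys=Win7&cmd=&startup=1/1 200",
    "2016-06-21T10:02:11Z 10.0.0.22 GET http://example.org/index.html 200",
    "2016-06-21T10:03:40Z 10.0.0.31 CONNECT 61.246.33.84:7974 200",
    "2016-06-21T10:04:02Z 10.0.0.15 GET http://managtest.ru/WinRAR.exe 200",
]
HTTP_TARGET_RE = re.compile(r"^https?://([^/:\s]+)(?::\d+)?(/\S*)?$")


def match_log_line(line, iocs):
    """Return (indicator_type, value) hits for one proxy log line."""
    parts = line.split()
    if len(parts) < 4:
        return []
    target, hits = parts[3], []
    m = HTTP_TARGET_RE.match(target)
    if m:
        host, path = m.group(1).lower(), m.group(2) or "/"
        if host in iocs.hosts:
            hits.append(("host", host))
        url_path = host + path.split("?")[0]
        if url_path in iocs.url_paths:
            hits.append(("url", url_path))
        if BEACON_RE.search(path):
            hits.append(("beacon", "S.php check-in pattern"))
    else:
        m = IP_PORT_RE.match(target)
        if m and (m.group(1), int(m.group(2))) in iocs.ip_ports:
            hits.append(("ip_port", target))
    return hits


def scan(lines, iocs):
    """Return [(line_index, hits)] for every line that matched an indicator."""
    return [(i, h) for i, line in enumerate(lines) if (h := match_log_line(line, iocs))]


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES, parse_listing(LISTING)):
        print(idx, hits)
```

The beacon regex matches on the fixed parameter names of the check-in URL rather than on the host, so it also fires when the same implant is pointed at a domain not yet in the listing; hash matching is left to the endpoint side, where the digests can be compared against files actually written to disk.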

Monday, June 20, 2016

Malware Serving Campaign Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign affecting hundreds of thousands of users globally, potentially exposing their PCs to a variety of malicious software compromising the integrity, confidentiality and availability of their devices.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the campaign:
hxxp://gv.com.my/0gcgs - 210.48.153.240
hxxp://test.glafuri.net/yxk6s - 176.223.121.193
hxxp://australiancheerleader.com.au/jsc1okam - 103.254.138.242

Related malicious MD5s known to have participated in the campaign:
MD5: c1f95adbcaf520bf182f9014970d33e5

Known to have phoned back to the same C&C server (210.48.153.240) are also the following malicious MD5s:
MD5: 8ea223d68856ba857a485b506259ae00
MD5: 8697121c56d20b602cd866dd1c0c1791
MD5: d668ee452efb2f1dd0dafc3f44b003e9
MD5: b1eedb69ad38d2e9ff3d5165163f1d0f

Once executed, a sample malware phones back to the following C&C server:
hxxp://138.201.93.46/userinfo.php

Related malicious C&C servers known to have participated in the campaign:
hxxp://pariachat.ir
hxxp://mahshahrchat.top
hxxp://tandischat.xyz
hxxp://irancell-chat.ir
hxxp://shokolatt.ir
hxxp://mahshahrchat.ir
hxxp://roznazchat.com

Related malicious MD5s known to have participated in the campaign:
MD5: 47223a926f70206de5aa9e9f4f4182f0

Once executed, a sample malware phones back to the following C&C servers:
hxxp://138.201.93.46/userinfo.php
hxxp://91.200.14.139/userinfo.php
hxxp://104.131.182.103/userinfo.php
hxxp://164.132.40.47/userinfo.php
hxxp://tjpdcrsbkyqscdue.info/userinfo.php - 69.195.129.70

Related malicious MD5s known to have phoned back to the same C&C server IP (91.200.14.139):
MD5: 47223a926f70206de5aa9e9f4f4182f0

Known to have phoned back to the same C&C server IP (69.195.129.70) are also the following malicious MD5s:
MD5: cd867fa29b9cd9b4d16f96aecb179521
MD5: ec12c2a033b3a381a86072c20a0527f2
MD5: d27ecf75aeb611297ed5b9f70b9773f0
MD5: 3b6ad5215f20452417e4af71eefe7bc9
MD5: b75580959b8eef6574ac029333afafa5

Once executed, a sample malware phones back to the following C&C servers:
hxxp://insamertojertoq.cc/in0odrfqwbio0sa
hxxp://tbiimhetdqyn.com/in0odrfqwbio0sa
hxxp://pmiqpskfkwkc.com/in0odrfqwbio0sa
hxxp://osghqrdmlyhh.net/in0odrfqwbio0sa
hxxp://lltlsiirjjjj.com/in0odrfqwbio0sa

Related malicious MD5s known to have participated in the campaign:
MD5: 90eb8948513e21a8c87f8295ac7e81f5

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Thursday, June 09, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign exposing users to a variety of malicious software, potentially exposing the confidentiality, integrity and availability of their devices.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: beff48e790ed35ba081ea5d852e27c98
MD5: e200e630ad3af2e91f10608577e0ece3

Once executed a sample malware phones back to the following C&C server:
hxxp://ksa-sef.com - 166.62.28.116; 107.180.50.244

Related malicious MD5s known to have phoned back to the same C&C server (166.62.28.116; 107.180.50.244):
MD5: c235a6e9700eb647f64113afa7bf028e
MD5: 3e00678672854c59c95eb4e800ec70a7
MD5: a24ba1d529ed33b86d04901f7b8e0d0a

MD5: ce22495bb5dda49a3953b7280b9032ef
MD5: 94885422e458fae7d83f0765c3cfa799
MD5: 180ff0b7620d525a2359f419b29a055e

Once executed a sample malware phones back to the following C&C server:
hxxp://92.222.71.26/userinfo.php

Related malicious MD5s known to have phoned back to the same C&C server:
MD5: ea662c74e0cc7f798b9cfa73754e0458
MD5: a33b472659cba92a620e21797118a96d
MD5: 41f7c6937803e18c58e435c86771a381
MD5: cd1bb597d3d9ba25bc983f9be72f78ae
MD5: 92530421468a7532a57757bb1d5c967a

Once executed, a sample malware phones back to the following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://188.127.231.124
hxxp://107.181.174.15

Once executed, a sample malware phones back to the following C&C servers:
hxxp://orgyyeetrcy.biz
hxxp://kfcsrdphvavgvmds.work
hxxp://dqtfhkgskushlum.org
hxxp://nxmdtliospnbnveuk.pw
hxxp://ahhjmkwfnjkitu.biz
hxxp://gxaabswsxvdohead.su
hxxp://fkrvelnrphljkykhf.su
hxxp://jqdfhsb.info
hxxp://qgbikqjraxhtndbl.biz
hxxp://omlsxegqnuqgpctp.click
hxxp://dinbfdccx.work

Once executed, a sample malware phones back to the following C&C servers:
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://92.222.71.26
hxxp://188.127.231.124

Once executed, a sample malware phones back to the following C&C servers:
hxxp://omlsxegqnuqgpctp.click
hxxp://dqtfhkgskushlum.org
hxxp://gxaabswsxvdohead.su
hxxp://evesynbkcji.info
hxxp://kfcsrdphvavgvmds.work
hxxp://ahhjmkwfnjkitu.biz
hxxp://dinbfdccx.work
hxxp://nxmdtliospnbnveuk.pw
hxxp://orgyyeetrcy.biz
hxxp://fkrvelnrphljkykhf.su
hxxp://jqdfhsb.info

Once executed, a sample malware phones back to the following C&C servers:
hxxp://92.222.71.26
hxxp://176.53.21.105
hxxp://149.202.109.202
hxxp://31.184.197.72
hxxp://188.127.231.124

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Monday, May 30, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign exposing users to a variety of malicious software, exposing the confidentiality, integrity and availability of their devices.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: bd4ed8b3b5d37f34fb63ce2798c585e9
MD5: 1c2c8894ab12a38b7420c7e04ed690f3

MD5: 7e3410e3b74866b02f8c8d6a3220aa23
MD5: 427ec5aef2a0ca2b2c8edbf24f1aeb8f
MD5: 770c77bfa64dc89638d5ac07ca6d1246
MD5: 3670576f507327fc4cbec45d0b3b6d2e

MD5: 5a3d1953631d1e78af6390c88a4ea434
MD5: 7322362d952eb63c07b9585107604a90

MD5: d9f63a6944648646343be1b7fbebe734
MD5: 611a6489bb7c9357765b8dd00f00d953
MD5: c81a88af87dfd05f5f757eea56d83fb8
MD5: 381a9b123d2b43ae8ff617d708bcfce8
MD5: a3bbf048865c48d2b2d5c8973d8a95d3
MD5: 66f31f76a5633e8a16ffe763093b546b

MD5: ac74bdca918dc6416cfa4e710d238f43
MD5: b169837db80e53c4564b62c0a4b9eba3
MD5: b334c20de944bb15cc8ac6aa59215e73
MD5: 677aa8cba92cdda2ec80b61fb7052813
MD5: 7b366d1273c65d0be63b7d68b268d3b8

Once executed, a sample malware phones back to the following C&C server:
hxxp://sklasse-b.in.ua/777/gate.php - 217.12.201.60

Known to have phoned back to the same C&C server IP (217.12.201.60) are also the following malicious MD5s:
MD5: e070535dd1ca923d1b12a71307b2639a
MD5: 3092a0a15dceb494a62eb00ea1c51283
MD5: 90123fd7978d42c2cd0a1fdc62651eb6
MD5: 553bed2a3cab5f1ec98bbec6dc151dd3
MD5: 947efe328858d816a77ef6b103097097

Once executed, a sample malware phones back to the following C&C server:
hxxp://apimobiapps.com/api/app.php - 54.72.9.115; 37.1.210.139

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 7e6429d92bf457f5580457260c92d615
MD5: f89ee0bd2fa97380ceedbfe5bf3d5c93

Known to have phoned back to the same C&C server IP (54.72.9.115) are also the following malicious MD5s:
MD5: 886d621a5abeea5609ae813b50ea35a5
MD5: 576da1ff48ae7d4ce092698c20bb9c2c
MD5: 1c93b5c33585ab60c61c698713a6446d
MD5: 6afea2ece23b57fe3d3076ca799c18fe
MD5: 9a43a4bee370f7ae3759a5633b0ee40a

Once executed a sample malware phones back to the following C&C server:
hxxp://dh005.com - 54.72.9.115; 172.99.89.215
hxxp://parkingcrew.net - 185.53.179.29
hxxp://quickdomainfwd.com - 208.91.196.46

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign affecting hundreds of Google Play users, potentially exposing the confidentiality, integrity and availability of their devices to a variety of malicious software.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: 3f57dfe0ca2440bf03fda3e3b1295edc

Once executed the sample phones back to the following C&C server:
hxxp://37.1.207.31/api/?id=5

Related malicious MD5s known to have been downloaded from the same C&C server (37.1.207.31):
MD5: 1fa7df305b49f03e9ecf05fbb9cf74b8
MD5: 52b256f04bc9f5f003e9f292e6fabcc2
MD5: 76cc87289fa2a2363b42551b180c05de
MD5: 4ac2c20905c9761b863fdc9e737ea3d5
MD5: be0493f06f55ef7daf30e7e4d9cd03db

Related malicious MD5s known to have phoned back to the same C&C server (37.1.207.31):
MD5: 6ebe7504bcc4003c5b224801e961848c
MD5: 6f918766c935c7a472c9518c5b4aa7ba
MD5: 4d083b01c850c418e97c2fcf4031eff5
MD5: 2ce8dc9e399dc90d54d151aefec97091
MD5: 8f524b8daa68063af05313870ba198cd

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign exposing Google Play users to a multitude of malicious software, compromising the confidentiality, integrity and availability of their devices.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5s known to have participated in the campaign:
MD5: f6aedc30fdab1b0a0bfebb3d51cb82ea

Related malicious MD5s known to have participated in the campaign:
MD5: ff844a8bb40da72b5c9f3a8c3cda7c9d051921e6
MD5: 83e56809b1662be002f4e1c4bcd3aef90d060d8f
MD5: 7c3f693d0b0ea6c6fdbb078e56d7e71ffaf648b8
MD5: 9e36414341e4dbaa113980f7d900e0ac4baa4103
MD5: 21266e72c8becbb439cb6d77f174b5eccefa2769

Once executed a sample malware phones back to the following C&C server:
hxxp://193.201.224.22
hxxp://85.143.221.46
hxxp://85.143.219.118

Known to have phoned back to the same C&C server IP (193.201.224.22) are also the following malicious MD5s:
MD5: 99f66211f75ace7d103fc2fbc147cd8c
MD5: ab712f0c6339d2c33cf34df44da972b8
MD5: d66f59cd897e5992c4dca3c6f6d198ce
MD5: 635fbe342c0732294db648e36b8e0a58

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Tuesday, May 17, 2016

Mobile Malware Intercepted, Hundreds of Users Affected

We've recently intercepted yet another malicious mobile malware campaign exposing users to a multitude of malicious software.

In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious MD5 known to have been part of the campaign:
MD5: febc8518183e13114e7e4da996e64270

Once executed a sample malware phones back to the following C&C server:
hxxp://adultix.ru - 91.200.14.105; 185.87.51.121; 94.142.141.18
hxxp://xxxmobiletubez.com - 54.72.130.67; 89.144.14.59

Known to have responded to the same malicious C&C server IP (91.200.14.105) are also the following malicious domains:
hxxp://adultix.ru
hxxp://pixtrxxx.com
hxxp://coreectway.com
hxxp://filingun.com.ua

Known to have responded to the same malicious C&C server IP (185.87.51.121):
hxxp://adultix.ru
hxxp://updsandr.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (185.87.51.121):
MD5: 662e459a0b3a08f5632934565e8d898e

Known to have responded to the same malicious C&C server IP (94.142.141.18) are also the following malicious domains:
hxxp://updforphone.com
hxxp://adultix.ru

Related malicious MD5s known to have phoned back to the same C&C server IP (91.200.14.105):
MD5: 034f764d5d87d15680fff0256a7cf3f0
MD5: 6a5320f495250ab5e1965fcc3814ef06
MD5: 5a324d1e2dd88a57df0ae34ef1c8c687
MD5: d8f1b92d104c4e68e86f99e7f855caf8
MD5: 1b31d8db32fb7117d7cf985940a10c54

Known to have phoned back to the same malicious C&C server IP (54.72.130.67) are also the following malicious MD5s:
MD5: 007dbbed15e254cba024ea1fb553fbb2
MD5: 0b6c1377fc124cc5de66f39397d0a502
MD5: 2cfba1bce9ee1cfe1f371bcf1755840d
MD5: 26004eacdd59dcc4fd5fd82423079182
MD5: 2a1cfc13dac8cea53ce8937ee9b7a2fe

Once executed a sample malware phones back to the following C&C server:
hxxp://toolkitgold.org (54.72.130.67)

We'll continue monitoring the campaign and post updates as soon as new developments take place.