Thursday, May 11, 2017

Dancho Danchev's Mind Streams of Information Security Knowledge - The World's Most Comprehensive Threats Database

Dear blog readers, it's been several years since I last posted a quality update, further sharing actionable intelligence with the security community. As, it's been several years since I last posted a quality update I feel it's about time that we take the stakes a little higher by successfully launching what can be best described as the industry's leading and most versatile JSON-capable threats database successfully empowering companies and security researchers with the necessary knowledge to stay ahead of current and emerging threats, further, positioning their company and enterprise on the top of its game.



02. How to request access?
Approach me at ddanchev@protonmail.ch.

03. How do obtain automated access?
The database is delivered daily/weekly/quarterly in MISP-friendly JSON-capable format, including STIX coverage.

04. Tell me more about the pricing options?
One time purchase of the entire database starts at $2,500. Monthly, subscriptions, covering daily, and, weekly updates, start, at $4,000, including, guaranteed access to in-house, all-source, analysis, including, and, daily, and, monthly, updates.

06. What does the database cover?
- Russian Business Network coverage
- Koobface Botnet coverage
- Kneber Botnet coverage
- Hundreds of IOCs (Indicators of Compromise)
- Tactics Techniques and Procedures In-Depth Coverage
- Malicious and fraudulent infrastructure mapped and exposed
- Malicious and fraudulent Blackhat SEO coverage
- Malicious spam and phishing campaigns
- Malicious and fraudulent scareware campaigns
- Malicious and fraudulent money mule recruitment scams
- Malicious and fraudulent reshipping mule recruitment scams
- Web based mass attack compromise fraudulent and malicious campaigns
- Malicious and fraudulent client-side exploits serving campaigns

07. How often does it update?
Updates as issued on a daily, weekly, monthly, basis, guaranteeing, unlimited access to in-house analysis, all-source analysis, guaranteeing access to daily, weekly, and, monthly updates.

Enjoy!

Thursday, March 23, 2017

Threat Intelligence - An Adaptive Approach to Information Security - Free Consultation Available


Dear, blog, readers, as, of, today, I'm, making, publicly, available, my, portfolio, of, services, including, active, threat, intelligence, gathering, and, processing, cybercriminals, and, network, assets, profiling, real, life, personalization, of, malicious, actors, OSINT, analyses, in-depth, understanding, and, processing, of, tactics, techniques, and, procedures (TTPs), including, the, production, of, custom, timely, and, relevant, managed, or, on, demand, client-tailored, reports, and, analysis, briefs, covering, managed, security, blogging, and, conference, attendance, cybercrime, malware, botnets, and, threat, intelligence, including, the, coverage, of, geopolitically, relevant, cyber, threat, assessments.

The, portfolio, of, services, includes, but, is, not, limited, to:
Real-time, managed, or, on, demand, analysis, briefs, and, reports, production:
- analysis, briefs, and, timely, and, relevant, reports, covering, cybercrime, malware, botnets, and, threat, intelligence, including, but, not, limited, to, tactics, techniques, and, procedures (TTPs), real, life, personalization, of, cybercriminals, and, network, assets

Geopolitically, relevant, and, geographically, selected, threat, intelligence, processing, and, gathering, relevant, reports:
- geopolitically, relevant, coverage, of, selected, geographic, regions, covering, cybercrime, malware, botnets, and, threat, intelligence, including, but, limited, to, tactics, techniques, and, procedures (TTPs), real, life, personalization, of, cybercriminals, and, network assets

Managed, security, blogging, and, presentation, conference, attendance:
- threat, intelligence, processing, as, a, service, including, but, not, limited, to, the, managed, processing, and, communication, of, threat, intelligence, gathering, and, processing, information, in, the, form, of, managed, communication, to, a, selected, set, of, audiences, including, but, not, limited, to, security, blogging, and, conferences, attendance, on, behalf, of, a, selected, enterprise, further, positioning, its, understanding, and, reaching, out, to, selected, clients

Managed, tactics, techniques, and, procedures (TTPs), processing, managing, and, gathering, analysis, and, reports:
- in-depth, understanding, of, tactics, techniques, and, procesures (TTPs), relevant, to, a, specific, cybercrime, group, geopolitically, relevant, region, or, a, selected, geographically, relevant, region

Enjoy!

DDanchev is for Hire!

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?

Send your proposition to: ddanchev@protonmail.ch

Book Proposal - Seeking Sponsorship - Publisher Contact

Dear, blog, readers, as, I'm, currently, busy, writing, a, book, I'm looking for, a publisher, who's, interested, in, publishing, it, with, the, book, proposal, available, on, request.

Send your proposal to: ddanchev@protonmail.ch

Project Proposal - Cybercrime Research - Seeking Investment

Dear blog readers, I'm currently seeking an investment regarding a cybercrime research project, with, the, project, proposal, available, on request.

Send your proposal at: ddanchev@protonmail.ch

Invitation to Join a Security Community

Dear blog readers, as I'm currently busy launching a private security community, I decided, to publicly announce, its, existence.

Topics of discussion:
- cybercrime research
- threat intelligence
- malicious software

Request an invite: ddanchev@protonmail.ch

Follow me on Twitter!

Dear, blog readers, are, you, on Twitter? Feel, free, to, follow me.

Enjoy!

Dancho Danchev's 2010 Disappearance - An Elaboration


UPDATE: Prior, to, my, stay, in, another, town, I, was, contacted, by, Riva Richmond, (riva@rivarichmond.com), and, set, up, a, meeting, to, discuss, a, potential, New York Times, article.

UPDATE: Prior, to, my, stay, at, this, particular, apartment, I, contacted, Nart Villeneuve, (n.villeneuve@secdev.ca), seeking, assistance, signaling, potential, trouble.

UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, the, same, person, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), was, released, by, another, person, known, as, Nesho Sheygunov (https://www.facebook.com/nesho.sheygunov).
 
UPDATE: While, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, another, person, that, I, know, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), was, taken, to, the, room, where, I, was, confined, and, I, spent, a, night, in, the, corridor.

UPDATE: While, I, was, taken, to, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, I, had, my, phone, taken, and, I, was, confined.

UPDATE: While, I, was, taken, out, of, my, place, to, an, unknown, car, the, fuel, was, charged, to, someone, that, I, know.

UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), I, was, offered, to, take, vitamins.

UPDATE: My, place, was, recently, visited, by, unknown, men, taking, me, to, local, police, department (hxxp://troyan-police.com; police_troyan@abv.bg), and, asking, me, to, write, that, my, equipment, was, interfering, with, that, of, local, police, department.

UPDATE: It, appears, that, someone, has, taken, the, time, and, effort, to, take, a, t-shirt, of, mine.

UPDATE: Prior, to, my, visit, at, a, local, hotel, (hxxp://central-hotel.com/en; central@central-hotel.com), some, of, my, clothes, were, missing.

UPDATE: It, appears, that, my, place, was, recently, supposedly, visited, by, Plamen, Dakov (hxxp://universalstroi.com), Hristo, Radionov (hxxp://universalstroi.com; hxxp://www.facebook.com/hristo.radionov), and, Ivailo, Dochkov (hxxp://www.facebook.com/ivodivo), who, left, money, for, me.

UPDATE: Prior, to, my, attendance, in, a, local, institution (dpblovech@abv.bg), Ivailo, Dochkov (hxxp://www.facebook.com/ivodivo), tried, to, meet, me.


UPDATE: Prior, to, my, attendance, at, this, particular, apartment, I, was, invited, by, Briana Papa (Briana@crenshawcomm.com), to, visit, Prague, on, behalf, of, Avast! Software, where, I, met, with, Vince Steckler (steckler@avast.com), and, Miloslav, Korenko (korenko@avast.com), where, I, met, with, Lucian Constantin (hxxp://twitter.com/lconstantin).


Prior, to, my, attendance, at, this, apartment, I, was, also, invited, to, another, event, held, at, INTERPOL, by, Steve Santorelli
(steve.santorelli@gmail.com), which, I, successfully, attended, and, presented, at, where, I, also, met, with, Krassimir Tzvetanov (krassi@krassi.biz).


Something, else, worth, pointing, out, is, that, my, place, is, visited, by, an, unknown, woman, known, as, Boriana Mihovska, an, unknown, man, known, as, Leonid, an, unknown, person, known, as, Tzvetan Georgiev (hxxp://www.youtube.com/user/laron640); (hxxp://plus.google.com/107108766077365473231), and, an, unknown, person, known, as, Dobrin Danchev (hxxp://www.facebook.com/dobrin.danchev); (hxxp://www.sibir.bg/parachut).



The, most, recent, visit, to, my, place, was, by, a, person, known, as, Vasil, Stanev, from DANS (dans@dans.bg), who, was, supposedly, asking, me, to, take, a, job, and, consequently, asked, me, to, attend, a, doctor, session.

Dear, blog, readers, I, feel, it's, about, time, I, post, an, honest, response, regarding, my, disappearance, in, 2010, with, the, purpose, of, information, my, readers, on, my, current, situation, and, to, continue, posting, and, contributing, valuable, threat, intelligence, to, the, security, community.

In, 2010, I, moved, to, an, apartment, located, in, another, town, and, apparently, my, apartment, have, been, vandalized, including, persistent, harassment, by, my, neighbors, including, a, possible, illegal, entry, courtesy, of, the, person, responsible, for, hiring, the, apartment (Kalin Petrov; kalin_petrov@hotmail.com).


After, a, persistent, chase, down, and, harassment, courtesy, of, the, person, responsible, for, hiring, the, apartment, I, received, a, notice, to, leave, and, had, my, apartment, visited, by, the, person, responsible, for, hiring, including, another, man, including, another, man, that, was, supposedly, supposed, to, take, care, of, my, belongings.

Prior, to, my, accommodation, I, was, contacted, by, Pauline, Roberts (pauline.roberts@ic.fbi.gov), who, recommended, me, to, Yavor, Kolev (javor.kolev@gmail.com), and, Albena, Spasova (albaadvisors@gmail.com), from, Bulgarian, local, authorities, followed, by, a, series, of, communication.

Prior, to, returning, to, my, place, in, 2011, my, house, was, vandalized, by, three, police, officers (hxxp://troyan-police.com; police_troyan@abv.bg), from, the, local, police, department, who, entered, my, house, in, particular, my, bedroom, and, unpolitely, asked, my, to, dress, while, showing, me, a, copy, of, my, personal, ID, that, I, haven't, presented, and, taking, me, to, an, unknown, car, without, explaining, the, reason, for, taking, me.

A, few, hours, later, I, find, myself, located, in, an, institution (dpblovech@abv.bg), for, a, period, of, three, months, without, anyone, explaining, the, reason, for, holding, me, there. Upon, entering, I, had, my, phone, taken, without, having, received, any, sort, of, explanation, for, taking, me, and, holding, me, there.

Given, this, circumstances, I, feel, that, it, has, become, highly, unproductive, to, continue, my, work, and, therefore, I'm, currently, seeking, a, permanent, relocation, including, a, possible, full, time, career, opportunity, in, the, field, of, cybercrime, research, security, blogger, or, threat, intelligence, analyst.

I, can, be, reached, at +359 888 996 888, or, at, ddanchev@protonmail.ch

Thursday, January 05, 2017

Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, malicious, releases, successfully, generating, hundreds, of, thousands, of, fraudulent, revenue, while, populating, their, botnet's, infected, population, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, active, malvertising, campaign, affecting, FoxNews, successfully, enticing, users, into, executing, malicious, software, on, the, the, affected, PCs, with, the, cybercriminals, behind, it, successfully, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, URL, redirection, chain:
hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174
    - hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)    
        - hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194
            - hxxp://http://redirectclicks.com/?accs=845&tid=339

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://truconv.com - 78.46.88.202

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (78.46.88.202):
MD5: 473e3615795609a091a2f2d3d1be2d00
MD5: 9e51c29682a6059b9b636db8bf7dcc25
MD5: 08a50ebcaa471cd45b3561c33740136d
MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1
MD5: fcdd2790dd5b1898ef8ee29092dca757

Once, executed, a, sample, malware (MD5: 473e3615795609a091a2f2d3d1be2d00), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yaskiya.cyberfight.de - 78.46.88.202

Once, executed, a, sample, malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://myweb111111.go.3322.org
hxxp://35free.net - 5.61.39.56
hxxp://newsoft1.go.3322.org
hxxp://newsoft11.go.3322.org

Once, executed, a, sample, malware (MD5: 08a50ebcaa471cd45b3561c33740136d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://darthvader.dyndns.tv
hxxp://www12.subdomain.com - 78.46.88.202

Once, executed, a, sample, malware (MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://tundeghanawork.co.gp - 78.46.88.202

Once, executed, a, sample, malware (MD5: fcdd2790dd5b1898ef8ee29092dca757), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsoft.go.3322.org - 221.130.179.36
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://users6.nofeehost.com - 67.208.91.110

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: c9ca43032633584ff2ae4e4d7442f123
MD5: a099766f448acd6b032345dfd8c5491d
MD5: da39ccb40b1c80775e0aa3ab7cefb4b0
MD5: 85750b93319bd2cf57e445e1b4850b08
MD5: e521b31eb97d6d25e3d165f2fe9ca3ba

Once, executed, a, sample, malware (MD5: c9ca43032633584ff2ae4e4d7442f123), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.tokoholapisa.com - 54.229.133.176
hxxp://down2load.net - 69.172.201.153
hxxp://cdn.download2013.net - 185.152.65.38

Once, executed, a, sample, malware (MD5: a099766f448acd6b032345dfd8c5491d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (176.74.176.178):
MD5: 116d07294fb4b78190f44524145eb200
MD5: f9e71f66e3aae789b245638a00b951a8
MD5: 1d6d4a64a9901985b8a005ea166df584
MD5: acfa1a5f290c7dd4859b56b49be41038
MD5: b63fd04a8cdf69fb7215a70ccd0aef27

Once, executed, a, sample, malware (MD5: 116d07294fb4b78190f44524145eb200), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.on86.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: f9e71f66e3aae789b245638a00b951a8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.linkbyte.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: 1d6d4a64a9901985b8a005ea166df584), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.pnmchgameserver.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: acfa1a5f290c7dd4859b56b49be41038), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.97dn.com - 45.125.35.85
hxxp://www.97wg.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: b63fd04a8cdf69fb7215a70ccd0aef27), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pajak.yogya.com - 69.172.201.153
hxxp://www.yogya.com
hxxp://return.uk.uniregistry.com - 176.74.176.178

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (64.95.64.194):
MD5: 7ca6214e3b75bc1f7a41aef3267afc29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freshtravel.net - 184.168.221.36
hxxp://experiencetravel.net - 217.174.248.145
hxxp://freshyellow.net
hxxp://experienceyellow.net
hxxp://freshclose.net
hxxp://experienceclose.net

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.43.161.174):
MD5: 674fca39caf18320e5a0e5fc45527ba4
MD5: 7017a26b53bc0402475d6b900a6c98ae
MD5: 0b61f6dfaddd141a91c65c7f290b9358
MD5: 4d5bc6b69db093824aa905137850e883
MD5: 201dee0da7b7807808d681510317ab59

Once, executed, a, sample, malware (MD5: 674fca39caf18320e5a0e5fc45527ba4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://aahydrogen.com - 208.73.210.214
hxxp://greatinstant.net
hxxp://ginsdirect.net
hxxp://autouploaders.net - 185.53.177.9

Once, executed, a, sample, malware (MD5: 7017a26b53bc0402475d6b900a6c98ae), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://w.wfetch.com - 69.43.161.174
hxxp://ww1.w.wfetch.com - 72.52.4.90

Once, executed, a, sample, malware (MD5: 4d5bc6b69db093824aa905137850e883), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://greattaby.com - 69.43.161.174
hxxp://ww41.greattaby.com - 141.8.224.79

Once, executed, a, sample, malware (MD5: 201dee0da7b7807808d681510317ab59), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://layer-ads.de - 69.43.161.174

Sample, URL, redirection, chain:
hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 208.73.210.215; 208.73.211.246; 82.98.86.178
    - hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst&l=370&f=cs_3506417142&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM - 208.91.197.46; 204.11.56.48; 204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12
        - hxxp://easywebchecklive.com/1/fileslist.js - 94.247.2.215
            - hxxp://78.47.132.222/a12/index2.php
                - hxxp://78.47.132.221/a12/pdf.php?u=i_7_0
                    - hxxp://78.47.132.221/a12/aff_12.exe?u=i_7_0&spl=4

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs (208.91.197.46):
MD5: b13f1af8fc426e350df11565dcf281e8
MD5: a189b3334fbd9cd357aedff22c672e9c
MD5: da53b068538ff03e2fc136c7d0816e39
MD5: ec08a877817c749597396e6b34b88e78
MD5: b9e7bf23de901280e62fd68090b5b8fa

Once, executed, a, sample, malware (MD5: b13f1af8fc426e350df11565dcf281e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.sslsecure1.com - 193.166.255.171
hxxp://staticrr.paleokits.net - 205.251.219.192
hxxp://dtrack.secdls.com
hxxp://staticrr.sslsecure1.com

Once, executed, a, sample, malware (MD5: a189b3334fbd9cd357aedff22c672e9c), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://staticrr.paleokits.net - 54.230.11.231
hxxp://staticrr.sslsecure1.com - 193.166.255.171
hxxp://staticrr.sslsecure2.com
hxxp://staticrr.sslsecure3.com - 208.91.197.46

Once, executed, a, sample, malware (MD5: ec08a877817c749597396e6b34b88e78), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://skyworldent.com
hxxp://solitaireinfo.com
hxxp://speedholidays.com - 206.221.179.26

Once, executed, a, sample, malware (MD5: b9e7bf23de901280e62fd68090b5b8fa), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com - 193.166.255.171
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com - 208.91.197.46

Related, malicious MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 969601cbf069a849197289e042792419

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's. infected, population, further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, active, malicious, black, hat, SEO (search engine optimization), type, of, malicious, campaign, serving, malicious, software, to, unsuspecting, users, further, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://notice-of-unreported-income-email.donatehalf.com
hxxp://911-pictures.jewishreference.com
hxxp://911-pictures.dpakman91.com
hxxp://9-11-quotes.midweekpolitics.com

Sample, URL, redirection, chain:
hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
    - hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
        - hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111
            - hxxp://vpizdutebygugol.xorg.pl/go4/
                - hxxp://http://free-checkpc.com/l/d709f38e78s84y76u - 193.169.12.5
                    - hxxp://safe-fileshere.com/s/w58238e9a6dh76k73r/setup.exe - 193.169.12.5

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (193.203.99.111):
MD5: b761960b60f2e5617b4da2e303969ff1
MD5: a27ae350b9d29b13749b14e376a00b52
MD5: adbad83fadc017d60972efa65eb3c230
MD5: b1323d4c7e1f6455701d49621edfb545
MD5: c166767c8aa7a8eee0d12a6d9646b3e8

Once, executed, a, sample, malware (MD5: b761960b60f2e5617b4da2e303969ff1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: a27ae350b9d29b13749b14e376a00b52), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://gwg.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: adbad83fadc017d60972efa65eb3c230), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://htu.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: b1323d4c7e1f6455701d49621edfb545), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://htu.xorg.pl - 193.203.99.111

Once, executed, a, sample, malware (MD5: c166767c8aa7a8eee0d12a6d9646b3e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://bdx.xorg.pl - 193.203.99.111

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: 7df300b01243a42b4ddff724999cd4f7

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://updatepcnow.com - 208.73.211.249
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (208.73.211.249):
MD5: 940be22f37e30c90d9fded842c23b24d
MD5: ef29c61908f678f313aa298343845175
MD5: 47f5002a0b9d312f28822d92a3962c81
MD5: ba83653117a6196d8b2a52fb168b8142
MD5: f29209f1ca6c4666207ea732c1f32978

Once, executed, a, sample, malware (MD5: 940be22f37e30c90d9fded842c23b24d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://softonic-analytics.net - 46.28.209.74
hxxp://superscan.sd.en.softonic.com - 46.28.209.70
hxxp://www.ledyazilim.com - 213.128.83.163

Once, executed, a, sample, malware (MD5: ef29c61908f678f313aa298343845175), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ksandrafashion.com - 208.73.211.173
hxxp://www.lafyeri.com
hxxp://kulppasur.com

Once, executed, a, sample, malware (MD5: 47f5002a0b9d312f28822d92a3962c81), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php

Once, executed, a sample, malware (MD5: ba83653117a6196d8b2a52fb168b8142), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://mhc.ir - 82.99.218.195
hxxp://naphooclub.com - 208.73.211.173
hxxp://mdesigner.ir - 176.9.98.58

Once, executed, a, sample, malware (MD5: f29209f1ca6c4666207ea732c1f32978), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ftuny.com/borders.php

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (50.63.202.54):
MD5: 45497b47a6df2f6216b4c4bebc572dd3
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: 08db02c9873c0534656901d5e9501f46
MD5: 830b22b4a0520d1b46a493f03a6a0a66
MD5: 5ee1bfa766f367393782972718d4e82f

Once, executed, a, sample, malware (MD5: 45497b47a6df2f6216b4c4bebc572dd3), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz - 195.157.15.100

Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49

Once, executed, a, sample, malware (MD5: 08db02c9873c0534656901d5e9501f46), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://musicbroke.net - 195.22.28.210

Once, executed, a, sample, malware (MD5: 830b22b4a0520d1b46a493f03a6a0a66), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Once, executed, a, sample, malware (MD5: 5ee1bfa766f367393782972718d4e82f), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (54.85.196.8):
MD5: 05288748ddccf2e5fedef5d9e8218fef
MD5: 08936ff676b062a87182535bce23d901
MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7
MD5: 8a7e330ad88dcb4ced3e5e843424f85f
MD5: bf3d996376663feaea6031b1114eb714

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://graves111.net - 64.86.17.47 - Email: gertrudeedickens@text2re.com
hxxp://lending10.com
hxxp://adriafin.com
hxxp://7sevenseas.com
hxxp://ironins.com
hxxp://trdatasft.com
hxxp://omeoqka.cn
hxxp://trustshield.cn
hxxp://capide.cn
hxxp://tds-soft.comewithus.cn
hxxp://graves111.net
hxxp://reversfor5.net
hxxp://limestee.net
hxxp://landlang.net
hxxp://langlan.net
hxxp://limpopos.net
hxxp://clarksinfact.net

Sample, URL, redirection, chain:
hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com
    - hxxp://checkvirus-zone.com/?p=

Sample, detection, rate, for, a, sample, malicious, executable:
MD5: b157106188c2debab5d2f1337c708e35

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pencil-netwok.com/?act=fb&1=1&2=0&3= - 204.11.56.48; 204.11.56.45; 209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 3c3346426923504571f81caffdac698d
MD5: ad4244794693b41c775b324c4838982a
MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e
MD5: 0526944bfb43b14d8f72fd184cd8c259
MD5: 29932b0cb61011ffc4834c3b7586d956

Once, executed, a, sample, malware (MD5: 3c3346426923504571f81caffdac698d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.76.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once, executed, a, sample, malware (MD5: ad4244794693b41c775b324c4838982a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://banboon.com - 204.11.56.48
hxxp://bdb.com.my - 103.4.7.143
hxxp://baulaung.org - 52.28.249.128

Once, executed, a, sample, malware (MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cubingapi.com - 204.11.56.48
hxxp://error.cubingapi.com - 204.11.56.48

Once, executed, a, sample, malware (MD5: 0526944bfb43b14d8f72fd184cd8c259), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.vancityprinters.com - 104.31.77.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once, executed, a, sample, malware (MD5: 29932b0cb61011ffc4834c3b7586d956), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
hxxp://rms365x24.com - 166.78.145.90

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, soon, as, new, developments, take, place.