Tuesday, April 26, 2016

Malicious Client-Side Exploits Serving Campaign Intercepted, Thousands of Users Affected

We've recently intercepted, a currently, circulating, malicious campaign, utilizing, a variety, of compromised, Web sites, for, the purpose, of serving, malicious software, to socially engineered, users.

In this post, we'll profile, the campaign, the infrastructure, behind, it, provide, actionable, intelligence, MD5s, and, discuss, in depth, the tactics, techniques, and procedures, of, the cybercrimnals, behind it.

Sample malicious URL:
hxxp://directbalancejs.com/module.so - 37.48.116.208; 31.31.204.161

hxxp://2-eco.ru
hxxp://2401.ru
hxxp://24xxx.site
hxxp://3502050.ru
hxxp://6553009.xyz
hxxp://7032949.ru
hxxp://academing.ru
hxxp://academyfinance.ru
hxxp://activelifelab.com
hxxp://advokat-mikheev.ru
hxxp://advokatstav.ru
hxxp://akvahim98.ru
hxxp://al-minbar.ru
hxxp://allesmarket.com
hxxp://alltrump.ru
hxxp://altropasso.ru
hxxp://ambertao.info
hxxp://ambertao.org
hxxp://ancra.ru
hxxp://andr-6-update.ru
hxxp://android-new.ru
hxxp://androidid-6-new.ru
hxxp://angrymultik.ru
hxxp://animaciyafoto.ru
hxxp://animaciyaonline.ru
hxxp://animaciyastiker.ru
hxxp://animationline.ru
hxxp://animehvost.ru
hxxp://anyen.ru
hxxp://anywifi.online
hxxp://apple-pro.moscow
hxxp://appliancerepairmonster.com
hxxp://aptechka.farm
hxxp://arbosfera.ru
hxxp://archsalut.ru
hxxp://arstd.ru
hxxp://aslanumarov.ru
hxxp://atlanted.ru
hxxp://aurispc.ru
hxxp://avangardmaster.ru
hxxp://aviacorp24.ru
hxxp://awpashko.com

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MDSs:
MD5: c3754018dab05b3b8aac5fe8100076ce

Once executed the sample phones back to the following C&C server:
hxxp://info-get.ru - 31.31.204.161

Known to have phoned back to the same malicious C&C server (31.31.204.161) are also the following malicious MD5s:
MD5: 4ff9bd7a045b0fe42a8f633428a59732
MD5: 46b1eaae5b53668a7ac958aecf4e57c3
MD5: d643025c5d0a2a2940502f4b15ca1801
MD5: 75dce2d84540153107024576bfce08fc
MD5: a23235ed940a75f997c127f59b09011d

This post has been reproduced from Dancho Danchev's blog.