Monday, May 29, 2017

Historical OSINT - A Portfolio of Exploits Serving Domains

With, the, rise, of, Web, malware, exploitation, kits, continuing, to, proliferate, cybercriminals, are, poised, to, continue, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, active,y utilization, of, client-side, exploits, further, spreaing, malicious, software, potentially, compromising, the, confidentiality, availability, and, integrity, of, the, targeted, host, to, a, multi-tude, of, malicious, software.

What, used, to, be, an, ecosystem, dominated, by, proprietary, DIY (do-it-yourself) malware and exploits, generating, tools, is, today's, modern, cybercrime, ecosystem, dominated, by, Web, malware, exploitation, kits, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, launching, a, fraudulent, and, malicious, campaign, potentially, affecting, hundreds, of, thousands, of, users, globally.

In, this, post, we'll, provide, actionable, intelligence, on, currently, active, IcePack, Web, malware, exploitation, kit, client-side, and, malware-exploits, serving, domains.

Related IcePack Web Malware Exploitation Kit domains:
hxxp://seateremok.com/xc/index.php
hxxp://lskdfjlerjvm.com/ice-pack/index.php  
hxxp://formidleren.dk/domain/mere.asp  
hxxp://webs-money.info/ice-pack/index.php  
hxxp://seateremok.com/xc/index.php
hxxp://greeetthh.com/ice-pack1/index.php
hxxp://58.65.235.153/~pozitive/ice/index.php
hxxp://iframe911.com/troy/us/sp/ice/index.php
hxxp://themusicmp3.info/rmpanfr/index.php

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (lskdfjlerjvm.com):
MD5: 4c0958f2f9f5ff2e5ac47e92d4006452
MD5: d955372c7ef939502c43a71ff1a9f76e
MD5: 118e24ea884d375dc9f63c986a15e5df
MD5: e825a7e975a9817441da9ba1054a3e6f
MD5: 71460d4a1c7c18ec672fed56d764ebe6

Once, executed, a, sample, malware (MD5: d955372c7ef939502c43a71ff1a9f76e), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://tableshown.net - 208.100.26.234
hxxp://leadshown.net
hxxp://tablefood.ru
hxxp://tablefood.net - 180.210.34.47
hxxp://leadfood.net
hxxp://tablemeet.net
hxxp://leadmeet.net
hxxp://pointneck.net
hxxp://pointshown.net
hxxp://callshown.net - 212.61.180.100
hxxp://callneck.ru
hxxp://callneck.net
hxxp://ringshown.ru
hxxp://ringshown.net
hxxp://noneshown.net

We'll, continue, monitoring, the, campaigns, and, post, updates, as, soon, as, new, developments, take, place.