Breaking News

Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, newly, added, socially, engineered, users, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, a, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, utilizing, blackhat, seo (search engine optmization), for, traffic, acquisition, tactics, techniques, and procedures, potentially, exposing, hundreds, of, thousands, of, socially, engineered, users, to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, scareware, with, the, cybercriminals, behind, the, campaign, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, traffic, largely, relying, on, the, utilization, of, an, affiliate-network, type, of, monetization, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://blank_fax_forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 216.172.154.34; 205.164.24.44; 205.164.24.45 ->

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://aizvfnnd.cc - Email: janice@whiteplainsrealty.com
hxxp://blnrriwbd.cc - Email: janice@whiteplainsrealty.com
hxxp://crrhxzp.cc - Email: janice@whiteplainsrealty.com
hxxp://ihmedkgi.cc - Email: janice@whiteplainsrealty.com
hxxp://izdzhpdn.cc - Email: janice@whiteplainsrealty.com
hxxp://krnflff.cc - Email: janice@whiteplainsrealty.com
hxxp://lgixuql.cc - Email: janice@whiteplainsrealty.com
hxxp://lsxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://mkzjuoz.cc - Email: janice@whiteplainsrealty.com
hxxp://mobqmizg.cc - Email: janice@whiteplainsrealty.com
hxxp://mqapagelq.cc - Email: janice@whiteplainsrealty.com
hxxp://mrvgusfdu.cc - Email: janice@whiteplainsrealty.com
hxxp://nurzcycxm.cc - Email: janice@whiteplainsrealty.com
hxxp://orhhcunye.cc - Email: janice@whiteplainsrealty.com
hxxp://pdbpczh.cc - Email: janice@whiteplainsrealty.com
hxxp://pkuidxdy.cc - Email: janice@whiteplainsrealty.com
hxxp://qicpfwrx.cc - Email: janice@whiteplainsrealty.com
hxxp://ruhilmec.cc - Email: janice@whiteplainsrealty.com
hxxp://sxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://tcygfdmc.cc - Email: janice@whiteplainsrealty.com
hxxp://tlhaxfr.cc - Email: janice@whiteplainsrealty.com
hxxp://vcjggcbgj.cc - Email: janice@whiteplainsrealty.com
hxxp://xlnojaz.cc - Email: janice@whiteplainsrealty.com
hxxp://zdqvzdj.cc - Email: janice@whiteplainsrealty.com

Sample, malicious, redirector, used, in, the, campaign:
hxxp://bostofsten1.net

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (216.172.154.34):
MD5: ad04fd31e9868b073222b3fd2aac93f7
MD5: 103ecb766e0deb06ccbcea0a8046b4cb
MD5: eb0fab963cd37660956a7ab0c66715c2
MD5: 00da0096bd91e89e4059c428259a6cbb
MD5: 9b7f0e0ebf1656227de9f8f97dfd9141

Once, executed, a, sample, malicious, executable, (MD5:ad04fd31e9868b073222b3fd2aac93f7) phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://down.down988.cn - 65.19.157.228

Once, executed, a, sample, malicious, executable, (MD5:00da0096bd91e89e4059c428259a6cbb) phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cutalot.cn - 205.164.24.43

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (205.164.24.44):
hxxp://cycling20110829.usa.1204.net
hxxp://pepsizone.cn
hxxp://ysbr.cn
hxxp://interactsession-697593.regions.com.usersetup.cn
hxxp://ad.suoie.cn
hxxp://ycgezkpu.cn

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: cf7a53e66e397c29ea203e025c5d6465
MD5: 089886483353f93a36dd69f0776beace
MD5: 528ac8f94123aaa32058f0114b8e1fd2
MD5: 4e8405bb398509f17242c0b9f614d6e4
MD5: a364d4fe887e2e40bc1ec67ad6f9aa31

Once, executed, a, sample, malware (MD5:cf7a53e66e397c29ea203e025c5d6465), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://blenderartists.org - 141.101.125.180
hxxp://xibudific.cn - 50.117.122.92
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://hardwareindexx.com
hxxp://hardwareindexx.com.ovh.net

Once, executed, a, sample, malware (MD5:089886483353f93a36dd69f0776beace), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freeonlinedatingtips.net - 204.197.252.70
hxxp://xibudific.cn - 216.172.154.38
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://searchfeedbook.com
hxxp://searchfeedbook.com.ovh.net

Once, executed, a, sample, malware (MD5:528ac8f94123aaa32058f0114b8e1fd2), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://historykillerpro.com - 192.254.233.158
hxxp://motherboardstest.com - 195.22.26.252
hxxp://dolbyaudiodevice.com
hxxp://dolbyaudiodevice.com.ovh.net
hxxp://xibudific.cn - 50.117.116.204

Once, executed, a, sample, malware (MD5:4e8405bb398509f17242c0b9f614d6e4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pcskynet.cn
hxxp://gamepknet.cn
hxxp://pcskynet.cn.ovh.net
hxxp://gamepknet.cn.ovh.net
hxxp://yes16800.cn
hxxp://yes16800.cn.ovh.net

Once, executed, a, sample, malware (MD5:a364d4fe887e2e40bc1ec67ad6f9aa31), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://136136.com - 61.129.70.87
hxxp://xibudific.cn - 50.117.122.92
hxxp://hothintspotonline.com
hxxp://hothintspotonline.com.ovh.net
hxxp://hardwareindexx.com

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (205.164.24.45):
hxxp://17mv.com
hxxp://criding.com
hxxp://criding.com
hxxp://17mv.com
hxxp://baudu.com
hxxp://pwgo.cn
hxxp://suqiwyk.cn
hxxp://verringo.cn

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
MD5: 9905ba7c00761a792ad8a361b4de71ea
MD5: b83c68f7d09530181908d513eb30a002
MD5: 78941c2c4b05f8af9a31a9f3d4c94b57
MD5: 7a1b6153a3f00c430b09f1c7b9cf7a77
MD5: 2776c972fa934fd080f5189be7c98a77

Once, executed, a, sample, malware, phones, back, to, the, following, maliciuos, C&C, server, IPs:
hxxp://down.down988.cn - 50.117.122.91

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://imagehut4.cn - 50.117.122.91

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yingzi.org.cn - 50.117.116.205

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://qmmmm.com.cn - 50.117.122.94

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://down.down988.cn - 50.117.122.94

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.
Share:

Featured Security Image

Featured Security Image
The Heart of KOOBFACE. C&C and Social Network Propagation

Featured Cyber Intelligence Service

Featured Cyber Intelligence Service
DDanchev is for Hire!

Featured Cyber Intelligence Project

Featured Cyber Intelligence Project
Project Proposal - Cybercrime Research - Seeking Investment

Featured Threat Intelligence Project

Featured Threat Intelligence Project
Dancho Danchev's Mind Streams of Information Security Knowledge - The World's Most Comprehensive Threats Database

Featured Threat Intelligence Consultancy

Featured Threat Intelligence Consultancy
Threat Intelligence - An Adaptive Approach to Information Security - Free Consultation Available

Featured Hacking Project

Featured Hacking Project
Book Proposal - Seeking Sponsorship - Publisher Contact

Popular Posts

Featured Privacy Service

Featured Privacy Service
Pi-hole Privacy Blocking

Featured Video

Recent Posts

Featured Service

Featured Service
SurfWatch Threat Analyst

Featured Video

Featured Privacy Tool

Featured Privacy Tool
DNSCrypt

Featured Product

Featured Product
Sentinel Visualizer

Unordered List

  • Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
  • Aliquam tincidunt mauris eu risus.
  • Vestibulum auctor dapibus neque.

Featured Privacy Tool

Featured Privacy Tool
OnionShare