Historical OSINT Google Docs Hosted Rogue Chrome Extension Serving Campaign S ...

In a cybercrime ecosystem dominated by malicious software releases, cybercriminals continue actively populating their botnets' infected population, further spreading malicious software and further compromising the confidentiality, integrity and availability of the affected hosts, while earning fraudulent revenue by monetizing access to malware-infected hosts, largely through affiliate-based monetization schemes.

We've recently intercepted a currently circulating malicious spam campaign abusing Google Docs, which successfully entices socially engineered users into clicking on bogus links that ultimately expose them to a rogue Chrome Extension, potentially compromising the confidentiality, integrity and availability of the affected hosts.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL redirection chain:

https://1364757661090.docs.google.com/presentation/d/1w5eh2rh6i0pbuVjb4_MzBNPEovRw3f6qiho7AshTcHI/htmlpresent?videoid=1364757661199 -> http://www.worldvideos.us/chrome.php -> https://chrome.google.com/webstore/detail/high-solution/jokhejlfefegeolonbckggpfggipmmim

Related malicious domain reconnaissance:

hxxp://worldvideos.us - 89.19.10.194

ns1.facebookhizmetlerim.com

ns2.facebookhizmetlerim.com

Responding to 89.19.10.194 are also the following fraudulent domains part of the campaign's infrastructure:

hxxp://e-sosyal.biz

hxxp://facebookhizmetlerim.com

hxxp://facebookmedya.biz

hxxp://facebooook.biz

hxxp://fbmedyahizmetleri.com

hxxp://sansurmedya.com

hxxp://sosyalpaket.com

hxxp://worldmedya.net

hxxp://youtubem.biz

Related malicious domains known to have responded to the same malicious C&C server IP (208.73.211.70):

hxxp://396p4rassd2.youlovesosoplne.net

hxxp://5q14.zapd.co

hxxp://airmats.com

hxxp://amciksikis.com

hxxp://anaranjadaverzochte.associate-physicians.org

hxxp://autorepairmanual.org

hxxp://blackoutblinds.com

hxxp://blog.jmarkafghans.com

Related malicious MD5s known to have phoned back to the same C&C server IP (208.73.211.70):

MD5: 584a779ae8cdea13611ff45ebab517ae

MD5: cea89679058fe5a5288cfacc1a64e431

MD5: 62eee7a0bed6e958e72c0edf9da17196

MD5: 160793c37a5aa29ac4c88ba88d1d7cc2

MD5: 46079bbcfcd792dfcd1e906e1a97c3a6

Once executed, a sample malware (MD5: 584a779ae8cdea13611ff45ebab517ae) phones back to the following C&C server IP:

hxxp://zhutizhijia.com - 208.73.211.70

Once executed, a sample malware (MD5: cea89679058fe5a5288cfacc1a64e431) phones back to the following C&C server IP:

hxxp://aieov.com - 208.73.211.70

Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (141.8.224.239):

hxxp://happysocks.7live7.org

hxxp://hiepdam.org

hxxp://hyper-path.com

hxxp://interfacelife.com

hxxp://iowa.findanycycle.com

hxxp://massachusetts.findanyboat.com

hxxp://diptnyc.com

Related malicious MD5s known to have phoned back to the same C&C server IP (141.8.224.239):

MD5: ddf27e034e38d7d35b71b7dc5668ffce

MD5: 6ba6451a9c185d1d07323586736e770e

MD5: 854ea0da9b4ad72aba6430ffa6cc1532

MD5: d5585af92c512bec3009b1568c8d2f7d

MD5: bf78b0fcfc8f1a380225ceca294c47d8

Once executed, a sample malware (MD5: ddf27e034e38d7d35b71b7dc5668ffce) phones back to the following malicious C&C server IP:

hxxp://srv.desk-top-app.info - 141.8.224.239

Once executed, a sample malware (MD5: 6ba6451a9c185d1d07323586736e770e) phones back to the following malicious C&C server IP:

hxxp://premiumstorage.info - 141.8.224.239

Once executed, a sample malware (MD5: d5585af92c512bec3009b1568c8d2f7d) phones back to the following C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234

hxxp://lordofthepings.ru - 173.254.236.159

hxxp://yardnews.net - 104.154.95.49

hxxp://wentstate.net - 141.8.224.93

hxxp://musicnews.net - 176.74.176.187

hxxp://spendstate.net

Related malicious domains known to have responded to the same malicious C&C server IP (89.19.10.194):

hxxp://liderbayim.com

hxxp://blacksport.org

hxxp://2sosyal-panelim.com

hxxp://sosyal-panelim.com

hxxp://darknessbayim.com

hxxp://hebobayi.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.
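To make the indicators above directly usable for detection, here is an added example in Python; it is my own code, not part of the original post. It parses the post's defanged `hxxp://domain - IP` listing and `MD5:` lines (the `hxxp` scheme is a defanging convention that keeps the URLs from being clickable), pivots the fronting domains by C&C IP, splits the sample redirection chain into its hop hostnames, and flags log lines that mention a listed domain, any subdomain of it, or a listed C&C IP. The indicators are copied from the post; the log lines are constructed for illustration only.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicator lines copied from the post above, in its defanged "hxxp://domain - IP" form.
RAW_INDICATORS = """
hxxp://worldvideos.us - 89.19.10.194
hxxp://zhutizhijia.com - 208.73.211.70
hxxp://aieov.com - 208.73.211.70
hxxp://srv.desk-top-app.info - 141.8.224.239
hxxp://premiumstorage.info - 141.8.224.239
hxxp://liderbayim.com
MD5: 584a779ae8cdea13611ff45ebab517ae
MD5: cea89679058fe5a5288cfacc1a64e431
"""

# The post's sample redirection chain, verbatim.
REDIRECT_CHAIN = (
    "https://1364757661090.docs.google.com/presentation/d/1w5eh2rh6i0pbuVjb4_MzBNPEovRw3f6qiho7AshTcHI/htmlpresent?videoid=1364757661199"
    " -> http://www.worldvideos.us/chrome.php"
    " -> https://chrome.google.com/webstore/detail/high-solution/jokhejlfefegeolonbckggpfggipmmim"
)

DOMAIN_RE = re.compile(r"^hxxps?://([A-Za-z0-9.-]+)(?:\s*-\s*(\d{1,3}(?:\.\d{1,3}){3}))?$")
MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$")


def refang(url):
    """Turn a defanged 'hxxp(s)://' URL back into a real scheme for matching against logs."""
    return re.sub(r"^hxxp", "http", url, count=1)


def parse_indicators(text):
    """Return (domains, ip_to_domains, md5s) extracted from the post's defanged listing."""
    domains = set()
    ip_to_domains = defaultdict(set)
    md5s = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DOMAIN_RE.match(line)
        if m:
            domain, ip = m.group(1).lower(), m.group(2)
            domains.add(domain)
            if ip:
                ip_to_domains[ip].add(domain)  # pivot: one C&C IP, many fronting domains
            continue
        m = MD5_RE.match(line)
        if m:
            md5s.add(m.group(1).lower())
    return domains, dict(ip_to_domains), md5s


def chain_hosts(chain):
    """Split the post's 'A -> B -> C' redirection chain into its hop hostnames."""
    return [urlparse(hop.strip()).hostname for hop in chain.split("->")]


def _domain_pattern(domain):
    # Match the domain itself or any subdomain of it, as whole labels only, so that
    # "worldvideos.us" matches "www.worldvideos.us" but not "worldvideos.us.example".
    return re.compile(
        r"(?:^|[^a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(domain) + r"(?![a-z0-9-]|\.[a-z0-9])"
    )


def match_logs(log_lines, domains, ip_to_domains):
    """Return (line, indicator) pairs for log lines that touch a listed domain or C&C IP."""
    domain_patterns = {d: _domain_pattern(d) for d in domains}
    ip_patterns = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in ip_to_domains}
    hits = []
    for line in log_lines:
        lowered = line.lower()
        indicator = next((d for d, p in domain_patterns.items() if p.search(lowered)), None)
        if indicator is None:
            indicator = next((ip for ip, p in ip_patterns.items() if p.search(line)), None)
        if indicator is not None:
            hits.append((line, indicator))
    return hits


# Constructed sample log lines (not from the post): a DNS query, the proxy request for the
# chain's second hop, a direct connection to a listed C&C IP, and one unrelated clean request.
SAMPLE_LOGS = [
    "2013-03-31T18:41:07Z dns query A www.worldvideos.us from 10.0.0.5",
    "2013-03-31T18:41:09Z proxy GET http://www.worldvideos.us/chrome.php 302 client=10.0.0.5",
    "2013-03-31T18:43:15Z firewall allow tcp 10.0.0.9:51234 -> 208.73.211.70:80",
    "2013-03-31T18:42:00Z proxy GET https://example.org/index.html 200 client=10.0.0.7",
]

if __name__ == "__main__":
    domains, ip_map, md5s = parse_indicators(RAW_INDICATORS)
    print("hops:", chain_hosts(REDIRECT_CHAIN))
    for ip, fronts in sorted(ip_map.items()):
        print(ip, "->", sorted(fronts))
    for line, indicator in match_logs(SAMPLE_LOGS, domains, ip_map):
        print("HIT", indicator, "|", line)
```

The subdomain-aware matching matters here because the chain's second hop is `www.worldvideos.us` while the post lists the bare `worldvideos.us`; a plain substring check would also over-match unrelated names that merely contain the string. The IP pivot is what lets the post's "other domains responding to the same C&C IP" sections be folded into one blocklist.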