Backdoor - Silent miner - 'with proof' - Free backdoor!
One more backdoored ''free'' tool posted on Youtube.
#silentminer
#securityresearch
#weblegacy
#prodefenceorg
#backdoor
#malware.
http://www.prodefence.org
sâmbătă, 30 iunie 2018
luni, 26 februarie 2018
Credit card phishing – Iphone campaign
A new phishing campaign targeting fans of free Iphone.
The campaign targets the victims’ credit cards with a wonderful promise to win a Iphone.
Everything is visually prepared and it only remains for the victims to add their personal data.
Domains involted:
This is all!!!
“Soon your card will be shopping without you!”
Have fun & Stay safe!
The campaign targets the victims’ credit cards with a wonderful promise to win a Iphone.
Everything is visually prepared and it only remains for the victims to add their personal data.
Domains involted:
- uploadocean.com/ – Adverts campaing
- adminlady.info – Redirection
- awarded.pw – Promoter
- radiuniverse.com – hacked domain hosting the phishing page (or just owned by the hacker)
h**p://browser.awarded.pw/todays-winner/?winner=xx.xxx.xxx.xx&cc=RO&brw=Firefox&voluumdata=deprecated&eda=deprecated&cep=******&sourceid=57a5012f14822bf716721506&match=ron&carrier=wifi&mob_pf=windows&country=RO&cpc=0.0015
h**ps://ff.radiuniverse.com/n/iphonex/?transaction_id=102704cb8f7cc8e75a5a5705197330
This is all!!!
“Soon your card will be shopping without you!”
Have fun & Stay safe!
Zeus botnet simple analysis
A little analysis of Zeus botnet.
It was done for someone to see how it works and I share it with you.
bot.exe
Injects into remote processes
Injected into “explorer.exe”
Drops files:
giep.exe
MD5: 769919e56bd4e9e1e906559c1c36bdf6
SHA-1: 39ed72d34e02e1674742cb47bbd6ebdad13f7931
Reg: HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}: “C:\Users\Insider\AppData\Roaming\Qioho\giep.exe”
https://www.virustotal.com/#/file/5069bc991ff37817bb05e6bb453c9c44d22ef2719bb0d4f72a3ca30c544f040c/detection
Some of the processes made by the bot.exe action:
Network traffic:
In the same way it is using the /POST request for sending stealed data, when the victim visits some bank account, paypal…etc.
Botnet host directory and login page:
H**p://xxx.xxx/adminpanel/admin.php
The remove is easy. You just have to follow the path’s to find the droped executables and delete the created registers.
It was done for someone to see how it works and I share it with you.
bot.exe
- OEP: 0040DCA0
- COMPILER: Borland Delphi 6.0 – 7.0
- MD5: 8a849d20c0a954f45566cec53acc9263
- SHA-1: 764c29fd18c3f3c4d9ba3fe394655f2ed2ec0c01
Injects into remote processes
Injected into “explorer.exe”
Drops files:
giep.exe
MD5: 769919e56bd4e9e1e906559c1c36bdf6
SHA-1: 39ed72d34e02e1674742cb47bbd6ebdad13f7931
Reg: HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}: “C:\Users\Insider\AppData\Roaming\Qioho\giep.exe”
https://www.virustotal.com/#/file/5069bc991ff37817bb05e6bb453c9c44d22ef2719bb0d4f72a3ca30c544f040c/detection
- Same atributes like bot.exe
Some of the processes made by the bot.exe action:
- CreateFile
- RegOpenKey
- RegisterClass
- CoCreate
- CreateThread
- RegCreateKey
- RegSetValue
- ProcessStarted
Network traffic:
In the same way it is using the /POST request for sending stealed data, when the victim visits some bank account, paypal…etc.Botnet host directory and login page:
H**p://xxx.xxx/adminpanel/admin.php
The remove is easy. You just have to follow the path’s to find the droped executables and delete the created registers.
Silent miner backdoor - Good AV detection
One engine detected this file! Hmmmm
It's easy to become a miner....just that you will not be paid.
By the way... it was posted in some forum like this:
"**** Silence Miner - Make a lot of money "
The message for the winners - Scam
I told you.... one day I will be rich!!!
I only have to give her my personal data.
Probably I will have to pay some taxes... and some other taxes... and after all that I will be.... just scammed!
duminică, 4 februarie 2018
Browser Hijack – The journey – Cybersecurity research
A new software test.
Something announced as free … but it’s not really for free.
Today I wanted to see what level of browser hijacking is running out there.
Browses hijack:
“A program changes your home page, redirects browser typos to a search engine you have never heard of or to other sites. This is annoying, popping up ads and displaying unwanted site”
So.
I have seen alot of ”good” things like: a java ”update”, winning iphones, free apps, cassino offers, games, some redirections… etc.
This code was injected in my browser.
”xxxx.rsc.cdn77.org install malicious extensions, plug-ins, ads, banner ads, pop-up ads, etc and creates mess on your browsers. Even if mistakenly you click on any ads or link then also it redirects you to some other websites. It also uses cookie and keep spy on your online activities like browsing history, mostly visited websites, login, password details, etc. The redirect virus has the ability to disable the anti-virus and other security program without your knowledge.” Source: removemalwarevirus.com
Here you can see some of the domains i visited in this journey:
myographical.dll = sandastros.dll
Virus Total Graph
Fake Java Update
Virus Total Report
It is clear that it is not a pleasant trip for those who do not know how to protect themselves.
Have fun & Stay safe!!!
http://www.prodefence.org/
Something announced as free … but it’s not really for free.
Today I wanted to see what level of browser hijacking is running out there.
Browses hijack:
“A program changes your home page, redirects browser typos to a search engine you have never heard of or to other sites. This is annoying, popping up ads and displaying unwanted site”
So.
I have seen alot of ”good” things like: a java ”update”, winning iphones, free apps, cassino offers, games, some redirections… etc.
This code was injected in my browser.
”xxxx.rsc.cdn77.org install malicious extensions, plug-ins, ads, banner ads, pop-up ads, etc and creates mess on your browsers. Even if mistakenly you click on any ads or link then also it redirects you to some other websites. It also uses cookie and keep spy on your online activities like browsing history, mostly visited websites, login, password details, etc. The redirect virus has the ability to disable the anti-virus and other security program without your knowledge.” Source: removemalwarevirus.com
Here you can see some of the domains i visited in this journey:
- rsc.cdn77[.]org
- liveadexchanger[.]com
- static.199.55.201.138.clients.your-server[.]de
- timetrackingext.xyz
- 2048-game[.]review
search.findthatsearch[.]com
findthatsearch[.]com
minesweepx[.]com
solitaire4u2[.]com
tetrigame[.]com
certifiedwinners[.]info
wtrtr1[.]com
ads.dlvr[.]live
betano[.]com
digitaldsp[.]com
c.codeonclick[.]com
join.pro-gaming-world[.]com
3327329.js — ”pref(“general.config.obscure_value”, 0);pref(“general.config.filename”, “3321791.cfg”);pref(“network.proxy.type”, 2);pref(“network.proxy.autoconfig_url”, “http://unstop-access.biz/wpad.dat?cb241ce907c6857bc3c28a220ec2076437981150”);pref(“network.proxy.autoconfig_url.include_path”, true);”
3321791.js — ”pref(“general.config.obscure_value”, 0);pref(“general.config.filename”, “3327329.cfg”);pref(“network.proxy.type”, 2);pref(“network.proxy.autoconfig_url”, “http://unstop-access.biz/wpad.dat?cb241ce907c6857bc3c28a220ec2076437981150”);pref(“network.proxy.autoconfig_url.include_path”, true);”
Adware Agent – PUA.YoBrowser:myographical.dll = sandastros.dll
- MD5: 8ecbfcb3c062755a3d5b3851cbe98357
- SHA-1: 5d1cccd87d0e4d81090d288d201d9c4467765513
Virus Total Graph
Fake Java Update
Virus Total Report
It is clear that it is not a pleasant trip for those who do not know how to protect themselves.
Have fun & Stay safe!!!
http://www.prodefence.org/
sâmbătă, 3 februarie 2018
Blockchain phishing… Same campaign.. new domain.
I’m happy.
If I continue so.. I will become rich …
The same blockchain phishing campaign, but with new domain.
No further details are needed ….
If I continue so.. I will become rich …
The same blockchain phishing campaign, but with new domain.
- h**p://ainea.pro/2891/ INFO
- h**p://schains.org/2183/ INFO
- h**ps://blockch.ains.im/wallet/#/login INFO
No further details are needed ….
Blockchain scamming and more…
Hello.
I know … I know I’m very lucky.
I was just informed that someone made a payment on my bitcoin address.
…or just a phishing email?!?
Today I do not have much time, but I’ll explain briefly.
An email with mistakes and a photo with hyperlink.
Involted domains:
OK.
I sent him an email reply and I hope he will answer me…
… and a .doc file with some info about ”me”.
We’re waiting to see if he’ll open the document. We will know if he did it because it is not a simple word document.
… you understand what I mean!
That’s all for the moment.
If we have results … I will inform you!
Have fun & Stay safe!!!
http://www.prodefence.org/blockchain-scamming-and-more/
I know … I know I’m very lucky.
I was just informed that someone made a payment on my bitcoin address.
…or just a phishing email?!?
Was a Japonese puzzle games website.
Today I do not have much time, but I’ll explain briefly.
An email with mistakes and a photo with hyperlink.
Involted domains:
- ainea.pro INFO
- aiin.info INFO Japonese puzzle games. Redirected to .net
- aiin.net INFO
- blockchain.dk INFO
- bliockche.info INFO
- ainea.pro/2891/…..
- bliockche.info/2183/…
- blockch.aiin.info/wallet/#/login
OK.
I sent him an email reply and I hope he will answer me…
… and a .doc file with some info about ”me”.
We’re waiting to see if he’ll open the document. We will know if he did it because it is not a simple word document.
… you understand what I mean!
That’s all for the moment.
If we have results … I will inform you!
Have fun & Stay safe!!!
http://www.prodefence.org/blockchain-scamming-and-more/
2x Bitcoin scam – The magic application.
People still want to believe that the money are made easy with some application and without doing anything.
Click a button and you get money.
This weakness is exploited every day.
Here is a program that promises to double the profit by pressing that magic button.
To become credible, a demonstration video is a good way.
To become super credible, you make some false accounts and comment on your post.
This is a part of social engineering and works.
Let’s see the application.
*the -1 is mine! lol
It has a certain detection but insignificant.
The application does not steal, has no backdoor …
It is created by:
…looks like it’s his real name..
(his first name in the account is another … it seems to start with an M.)
As the application configuration looks like, it seems that the users who use it,are sending the bitcoin to an address added by the programmer.
After sending, they still expect someone to send them the double amount, but they will wait a lot and without success.
And let’s not forget … this is version 6.1!?!
We could continue because he still has some programs with such schemes, but time is limited!
In conclusion … I hope that Internet users will be more careful, do not believe in the wonders promised by the unknown!
Have fun & Stay safe!!!
http://www.prodefence.org/bitcoin-scam-the-magic-application/
Click a button and you get money.
This weakness is exploited every day.
Here is a program that promises to double the profit by pressing that magic button.
To become credible, a demonstration video is a good way.
To become super credible, you make some false accounts and comment on your post.
This is a part of social engineering and works.
At one point, he changed his name, seeing he had potential victims in many countries.
Let’s see the application.
MD5: 19d6d6f312ec00998d379eec9fe21aa9
SHA-1: a5d27b1cf43cb5dcd7feeea279b70588c5910e12
*the -1 is mine! lolThe application does not steal, has no backdoor …
It is created by:
…looks like it’s his real name..
(his first name in the account is another … it seems to start with an M.)As the application configuration looks like, it seems that the users who use it,are sending the bitcoin to an address added by the programmer.
After sending, they still expect someone to send them the double amount, but they will wait a lot and without success.
And let’s not forget … this is version 6.1!?!
We could continue because he still has some programs with such schemes, but time is limited!
In conclusion … I hope that Internet users will be more careful, do not believe in the wonders promised by the unknown!
Remember:
When something is free, you are not the customer but the product!
Have fun & Stay safe!!!
http://www.prodefence.org/bitcoin-scam-the-magic-application/
vineri, 12 ianuarie 2018
Win32/Laziok malware – Cybersecurity research
This topic it is about Win32 / Laziok malware.
It does not matter where I found it.
His hidden activity is very intense. Seeks to install itself, wants to cancel the antivirus, modify the Registry, scans for instaled softwares…etc.
The .exe file has the smss name and with the same name I found it in other AV report. Seems that was detected and named as Win32/Laziok on 01.2015 for the first time, but noone has made a clear report about it.
After running the backdoored software… the smss.exe starts running in backgound creating a good environment.
Scans the whole system to find the computer protection software.
The smss infected file it is hidden on \Application Data\System\Oracle directory, but super hidden.
Easy to ignore becouse the original smss.exe is a windows process.
It does not matter where I found it.
His hidden activity is very intense. Seeks to install itself, wants to cancel the antivirus, modify the Registry, scans for instaled softwares…etc.
The .exe file has the smss name and with the same name I found it in other AV report. Seems that was detected and named as Win32/Laziok on 01.2015 for the first time, but noone has made a clear report about it.
Easy to ignore becouse the original smss.exe is a windows process.
Tries to connect to a server where it is located the swoleoil.co domain.
- URL: hxxp:///http://87.121.52.228/panel/includes/verif.php
TYPE: GET
USER AGENT: None - Organization Neterra Ltd.
- Country Bulgaria
- Detection ratio: 43 / 67 at this moment.
- MD5 0947e4f35f823b37fd8352e643d6cf8c
- SHA1 79b183a761470c3e3662ab64004072c70131a815
- hxxp://87.121.52.228/panel/includes/country.php
- hxxp://87.121.52.228/panel/includes/idcontact.php
- hxxp://87.121.52.228/panel/includes/post.php
- hxxp://87.121.52.228/panel/includes/verif.php
- hxxp://87.121.52.228/panel/includes/chromix.exe
Domain:swoleoil.co
Registrar:Key-Systems GmbH
Registration Date:2014-05-08
Expiration Date:2018-05-07
Updated Date:2017-06-22
Status:ok
Name Servers: carter.ns.cloudflare.com/gwen.ns.cloudflare.com
The server seems to be empty at this time.
That’s all about this malware.
That’s all about this malware.
Source:Prodefence.org
Have fun & Stay safe!
Abonați-vă la:
Postări (Atom)