International Embassies Web Malware Exploitation Serving Domain Properties

Folks,

Do you remember the international embassies web malware exploitation spree using client-side exploits that took place back in 2009 with the Russian Business Network the hosting provider of choice for these campaigns?

I recently took the effort to look at my original data set here and tried to enrich it and provide additional analysis with more details and context.

Sample domains known to have been operated by the same individuals behind these campaigns include:

hxxp://beert54[.]xyz
hxxp://aaepgp[.]com
hxxp://brightstonepharma[.]com
hxxp://ksfcradio[.]com
hxxp://ksfcnews[.]com
hxxp://kklfnews[.]com
hxxp://arabiandemographics[.]com
hxxp://sig4forum[.]com
hxxp://pornokman[.]com
hxxp://pinalbal[.]com
hxxp://bodinzone[.]com
hxxp://123124[.]com
hxxp://pixf[.]biz
hxxp://frmimg[.]info
hxxp://us-shops[.]online
hxxp://hornybabeslive[.]com
hxxp://pharmacyit[.]net
hxxp://deapotheke[.]com
hxxp://cplplywood[.]com
hxxp://us-electro[.]online
hxxp://omiardo[.]com
hxxp://frmimg[.]info
hxxp://ramualdo[.]com
hxxp://pixf[.]biz
hxxp://ksfcnews[.]com
hxxp://ksfcradio[.]com
hxxp://kklfnews[.]com
hxxp://odmarco[.]com
hxxp://us-electro[.]online
hxxp://123124[.]com
hxxp://sig4forum[.]com
hxxp://brightstonepharma[.]com
hxxp://bodinzone[.]com
hxxp://aaepgp[.]com
hxxp://pinalbal[.]com
hxxp://cplplywood[.]com
hxxp://pornokman[.]com
hxxp://hornybabeslive[.]com
hxxp://beert54[.]xyz
hxxp://us-shops[.]online
hxxp://deapotheke[.]com
hxxp://pharmacyit[.]net

Sample personally identifiable email address accounts known to have been involved in these campaigns:

nepishite555suda[.]gmail.com
abusecentre[.]gmail.com
belyaev_andrey[.]inbox.ru
srvs4you[.]gmail.com
migejosh[.]yahoo.com
kseninkopetr[.]nm.ru
palfreycrossvw[.]gmail.com
redemption[.]snapnames.com
mogensen[.]fontdrift.com
xix.x12345[.]yahoo.com
johnvernet[.]gmail.com
4ykakabra[.]gmail.com
mironbot[.]gmail.com
fuadrenalray[.]gmail.com
incremental[.]list.ru
traffon[.]gmail.com
auction[.]r01.ru
admin[.]brut.cn
bobby10[.]mail.zp.ua
ipspec[.]gmail.com
OdileMarcotte[.]gmail.com
sflgjlkj45[.]yahoo.com

Sample MD5s:

MD5: ca9c64945425741f21ba029568e85d29
MD5: b252c210eeed931ee82d0bd0f39c4f1d
MD5: 787ed25000752b1c298b8182f2ea4faa
MD5: fcbd2777c8352f8611077c084f41be8c
MD5: ce02bed90fd08c3586498e0d877ff513
MD5: 97ff606094de24336c3e91eaa1b2d4f0
MD5: a0caae81c322c03bd6b02486319a7f40
MD5: 5733030dcd96cec73e0a86da468a101c
MD5: 5d8398070fa8888275742db5b8bbcebf

*** This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog - Mind Streams of Information Security Knowledge authored by Dancho Danchev. Read the original post at: https://ddanchev.blogspot.com/2024/09/international-embassies-web-malware.html