Tuesday, April 18, 2017

ShadowBrokers EquationGroup Compilation Timestamp Observation

I looked at the IOCs @GossiTheDog posted, looked each up in VirusTotal and dumped the compilation timestamp of each into a spreadsheet.

To step back for a second: the Microsoft Windows compiler embeds the date and time at which a given .exe or .dll was compiled. The compilation time is a very useful characteristic of a Portable Executable (PE) file. Malware authors could zero it out or change it to a random value, but I'm not sure there is any indication of that here. If the compilation timestamps are real, then there's an interesting observation in this dataset.
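As an added illustration (my own example code, not part of the original post), here is how the TimeDateStamp is pulled straight out of a PE file's COFF header, which is the same value VirusTotal displays, plus a few sanity checks on it. The PE skeleton built by build_sample_pe() is constructed for this example and is not a real executable; the "first seen" date and the plausibility thresholds in classify_timestamp() are assumptions, not something from the post.

```python
import struct
from datetime import datetime, timezone

# Minimal PE header layout (PE/COFF spec): the DOS header field e_lfanew at offset 0x3C
# points to the "PE\0\0" signature; the COFF file header follows it, and TimeDateStamp sits
# 8 bytes after the signature (after the 2-byte Machine and 2-byte NumberOfSections fields).
DOS_E_LFANEW_OFFSET = 0x3C
COFF_TIMESTAMP_OFFSET = 8


def pe_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return stamp


def compile_time_utc(stamp: int) -> datetime:
    """Interpret the stamp as a UTC wall-clock time."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(stamp: int, observed_at: datetime) -> str:
    """Rate how trustworthy the compile time looks (thresholds are this example's own heuristics)."""
    if stamp == 0:
        return "zeroed"            # wiped by the build or by the author
    compiled = compile_time_utc(stamp)
    if compiled > observed_at:
        return "future"            # cannot be genuine: "compiled" after it was first observed
    if compiled.year < 1993:
        return "implausibly-old"   # predates real-world use of the PE format
    return "plausible"


def build_sample_pe(stamp: int) -> bytes:
    """Constructed, non-runnable PE skeleton carrying the given TimeDateStamp (test input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, 0x40)
    # COFF header: Machine=I386, NumberOfSections=3, TimeDateStamp, PointerToSymbolTable=0,
    # NumberOfSymbols=0, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def report(data: bytes, observed_at: datetime) -> dict:
    """One row of the kind of spreadsheet described above: raw stamp, UTC time, verdict."""
    stamp = pe_timestamp(data)
    return {
        "stamp": stamp,
        "compiled": None if stamp == 0 else compile_time_utc(stamp).isoformat(),
        "verdict": classify_timestamp(stamp, observed_at),
    }


if __name__ == "__main__":
    import sys
    # Assumed first-seen date for the samples; replace with the real observation time.
    first_seen = datetime(2017, 4, 14, tzinfo=timezone.utc)
    if len(sys.argv) > 1:
        samples = [open(p, "rb").read() for p in sys.argv[1:]]   # real files from the command line
    else:   # constructed samples: Nov 2009 stamp, a zeroed stamp, and a stamp from the future
        samples = [build_sample_pe(1257033600), build_sample_pe(0), build_sample_pe(1600000000)]
    for s in samples:
        print(report(s, first_seen))
```

Run it with one or more PE files as arguments to get a row per file; a "future" or "zeroed" verdict is the signal that the author did tamper with the stamp, which is exactly the caveat the post raises.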

VirusTotal shows this value, for example:



Notice that the files in the dump range from 11/2009 to 8/2013.



And if you throw it into a pretty little graph, you see a possible timeline of exploit creation.



Just an observation.



More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wednesday, April 12, 2017

Collection of Google Docs Phishes seen by @neonprimetime

Below is a timelined Collection of Google Docs Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://drcherian.com/alert/GD/
Folder: alert/SD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default



Seen Live on: 4/12/2017
Url: hxxp://drcherian.com/kingssss/GD/
Folder: kingssss/SD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default






Collection of Yahoo Phishes seen by @neonprimetime

Below is a timelined Collection of Yahoo Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://ehncsopiik.club/bt/
Folder: bt
Page: Default
Source: PhishTank.com
Meta Page Title: Login - BT Yahoo!
Meta Page Author: None
Post page(s): form2mail2.php






Collection of DropBox Phishes seen by @neonprimetime

Below is a timelined Collection of DropBox Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://devux[.]com[.]mx/drpbox/file/files/db/file.dropbox/
Folder: db/file.dropbox
Page: Default
Source: PhishTank.com
Meta Page Title: Dropbox - Sign in
Meta Page Author: None
Post page(s): submit.php



Seen Live on: 4/12/2017
Url: hxxp://vitrinedascompras[.]com[.]br/dropbox/Dropbox/doc-login/
Folder: DropBox/doc-login
Page: Default
Source: PhishTank.com
Meta Page Title: Dropbox - Sign in
Meta Page Author: None
Post page(s): dropbox.php






Collection of Capital One Phishes seen by @neonprimetime

Below is a timelined Collection of Capital One Phishes seen by @neonprimetime

Seen Live on: 3/22/2017
Url: hxxp://capitalone[.]com[.]maxonpaving[.]com/logon/ , hxxp://www[.]pecport[.]pw/c.html
Folder: logon , None
Page: Default , c.html
Source: @neonprimetime
Meta Page Title: Did not record it
Meta Page Author: Did not record it
Post page(s): Did not record it






Collection of WeTransfer Phishes seen by @neonprimetime

Below is a timelined Collection of WeTransfer Phishes seen by @neonprimetime

Seen Live on: 4/10/2017
Url: hxxps://alkhidmattour[.]com/BNB/WeTransfer/index.html
Folder: BNB/WeTransfer
Page: index.html
Source: @demonslay335
Meta Page Title: Empty
Meta Page Author: None
Post page(s): en.php, login.php, phone.php






Somebody Sent out a Phish/Spam Template instead of the Phish

I saw this email. I would guess the attacker sent out the phish/spam template instead of the actual phish/spam!

From: alex@shedbar.com.br
To:
Date: 04/12/2017
Subject: {Say|Tell} No To {Fat|Being Fat}: {Act Now|Act Fast} & Get {Instant|Quick|Incredible|Fantastic|Marvelous|Outstanding} Results


{Having|Getting} the {body of you dreams|slim body|fit body|beach body} is {easier|much easier} than you {think|always thought|thought}, {all thanks to|thanks to|with the help of} the {correct|right|low carb} {diet|diet program|diet plan|nutrition plan|nutrition program}, {good|regular} {workout|gym workouts|workouts} and this {amazing|exclusive|revolutionary|advance|spectacular} {product|supplement|solution} that will {help you|allow you to|give you a chance to|give you an opportunity to|give you a possibility to} achieve {instant|quick|incredible|fantastic|marvelous|outstanding} results.
{Incredible|Revolutionary|Exceptional|Phenomenal|Outstanding|Glorious|Brilliant|Rapid-acting|Fast-acting} {product|supplement|solution} {working|suitable} for {all body types|types of bodies} has proven to {bring fast|show incredible|show fantastic|show quick|show jaw-dropping} results, {motivate|give motivation} for {ongoing|further} {weight reduction|weight loss}, improve {mood|your mood}, {reduce|decrease} appetite and {bring|provide} {all|other|many other} {positive|beneficial|great} effects.
{With the help of|Thanks to its} {exclusive|advanced|amazing|marvelous|unique|one-of-a-kind} formula {developed|created} {in collaboration|together} by {Japanese|German} and American {nutritionists|dietologists|scientists}, your {beach|fit|slim|dream} body is {only one click|one link} away, what are you waiting for?
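The unexpanded {option|option} groups in the email above are "spintax", the placeholder syntax spam kits use to vary each copy. As an added example (my own code, not from the post), here is a small detector that counts the groups, works out how many distinct variants a template can produce, and renders one variant the way a recipient would have seen it had the sender's kit worked. The subject line is taken from the email above; the minimum-group threshold is an assumption of this example.

```python
import re

# One {a|b|c} group; nested braces are not used by this kind of template, so a flat match is enough.
SPIN_GROUP = re.compile(r"\{([^{}]*)\}")

# Subject line of the email quoted above (as received, still unexpanded).
SUBJECT = ("{Say|Tell} No To {Fat|Being Fat}: {Act Now|Act Fast} & Get "
           "{Instant|Quick|Incredible|Fantastic|Marvelous|Outstanding} Results")


def spintax_groups(text: str) -> list:
    """Return the option list of every {..|..} group in the text, in order."""
    return [m.group(1).split("|") for m in SPIN_GROUP.finditer(text)]


def variant_count(text: str) -> int:
    """Number of distinct messages the template can generate (product of the group sizes)."""
    count = 1
    for options in spintax_groups(text):
        count *= len(options)
    return count


def is_unexpanded_template(text: str, min_groups: int = 3) -> bool:
    """Flag text that still carries several multi-option groups: a spam kit fired without rendering.
    The threshold is this example's own choice; tune it to your mail volume."""
    multi = [g for g in spintax_groups(text) if len(g) > 1]
    return len(multi) >= min_groups


def expand_one(text: str, choice: int = 0) -> str:
    """Render the template, picking option `choice` (modulo the group size) in every group."""
    def pick(m):
        options = m.group(1).split("|")
        return options[choice % len(options)]
    return SPIN_GROUP.sub(pick, text)


if __name__ == "__main__":
    print("groups:", len(spintax_groups(SUBJECT)))
    print("variants:", variant_count(SUBJECT))
    print("template?", is_unexpanded_template(SUBJECT))
    for i in range(2):
        print("variant", i, "->", expand_one(SUBJECT, i))
```

On a mail gateway the useful part is is_unexpanded_template(): a subject or body that still contains three or more multi-option groups is practically never legitimate mail, so it can be quarantined outright, while variant_count() gives a feel for how many different-looking copies the same campaign would have sent had the expansion worked.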




Sunday, April 9, 2017

Collection of Facebook Phishes seen by @neonprimetime

Below is a timelined Collection of Facebook Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://facebook.notjustcoded.com/pc/fblog.html
Folder: pc
Page: fblog.html
Source: PhishTank.com
Meta Page Title: Facebook - Log In or Sign Up
Meta Page Author: None
Post page(s): sege.php



Seen Live on: 4/9/2017
Url: hxxp://usrecoverpgs65[.]esy[.]es/
Folder: None
Page: Default
Source: PhishTank.com
Meta Page Title: Facebook
Meta Page Author: None
Post page(s): others.php




Collection of Paypal Phishes seen by @neonprimetime

Below is a timelined Collection of Paypal Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://ga2017[.]com/misc/wp.php
Folder: misc
Page: wp.php
Source: @malware_traffic
Meta Page Title: Log in to your PɑyPɑl ɑccount
Meta Page Author: None
Post page(s): wp.php



Seen Live on: 4/9/2017
Url: hxxp://www.paypal[.]com[.]cgi-bin.w3bscrcmd222f91e14e61be374f236df6bd32e71434.456b6064cc4ba375cc0d415be95807ecdeed6789.2488b2cc5808b734242446e29e5e0ca8.5555b2aa5708b14344143e29e51011.gurame.com.sg/.string/w3b.login.cmd/
Folder: w3b.login.cmd
Page: Default
Source: PhishTank.com
Meta Page Title: Log in to your PayPal account
Meta Page Author: DecrypteD
Post page(s): inc/visit.php , inc/login.php



Seen Live on: 4/9/2017
Url: hxxp://opthimpro[.]ru/RU/support/9f22ee9c5bc81fc8c71373bc861d0bbeZDZmOTI1MDEzZWZmOWUxNjA0N2IwOTZjNjI1MzNhZWU=/myaccount/websc_verification/
Folder: websc_verification
Page: Default
Source: PhishTank.com
Meta Page Title: Empty
Meta Page Author: None
Post page(s): Templates/MO_VBV.php
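All of the phish collections on this page (Google Docs, Yahoo, DropBox, Capital One, WeTransfer, Facebook and PayPal) use the same record layout. As an added example (my own code, not part of the blog), here is a parser that turns those records into blocklist-ready indicators: it undoes the hxxp / [.] defanging, splits the comma-separated multi-URL records, and flags hosts that carry a brand name without being under the brand's real domain, the "paypal.com.cgi-bin....gurame.com.sg" pattern seen above. The two sample records are constructed for this example with placeholder hosts, and the BRANDS table is an assumption you would extend for your own watch list.

```python
import re
from urllib.parse import urlsplit

# Constructed records in the format used by the collections above; hosts are placeholders.
SAMPLE_RECORDS = """\
Seen Live on: 4/12/2017
Url: hxxp://phish-example[.]test/alert/GD/
Folder: alert/GD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default

Seen Live on: 3/22/2017
Url: hxxp://paypal[.]com[.]cgi-bin[.]example[.]test/logon/ , hxxps://another[.]example[.]test/c.html
Folder: logon , None
Page: Default , c.html
Source: @analyst
Meta Page Title: Did not record it
Meta Page Author: Did not record it
Post page(s): inc/visit.php , inc/login.php
"""

# Brand keyword -> domain the brand legitimately lives on (constructed list; extend as needed).
BRANDS = {"paypal": "paypal.com", "dropbox": "dropbox.com",
          "facebook": "facebook.com", "capitalone": "capitalone.com"}


def refang(url: str) -> str:
    """Undo the hxxp / [.] / [:] defanging so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".").replace("[:]", ":")


def parse_records(text: str) -> list:
    """Split the blank-line-separated records into dicts keyed by the 'Label:' names."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def lookalike_brand(host: str):
    """Brand a host impersonates: the name appears in the host, but the host is not under the real domain."""
    host = host.lower()
    for brand, real in BRANDS.items():
        if brand in host and not (host == real or host.endswith("." + real)):
            return brand
    return None


def indicators(records: list) -> list:
    """One indicator per URL; multi-URL records ('a , b') are split, as in the Capital One entry above."""
    out = []
    for rec in records:
        for raw in rec.get("Url", "").split(" , "):
            raw = raw.strip()
            if not raw:
                continue
            parts = urlsplit(refang(raw))
            out.append({
                "seen": rec.get("Seen Live on"),
                "host": parts.hostname,
                "path": parts.path,
                "title": rec.get("Meta Page Title"),
                "post_pages": [p.strip() for p in rec.get("Post page(s)", "").split(",")],
                "lookalike": lookalike_brand(parts.hostname or ""),
            })
    return out


if __name__ == "__main__":
    for ind in indicators(parse_records(SAMPLE_RECORDS)):
        print(ind)
```

The "Post page(s)" field is worth keeping in the output: the PHP file the credential form posts to is often reused across a kit's deployments, so it makes a useful pivot when the hosting domain changes.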






WordPress sites redirecting to Weight Loss Product Site, Pharma Hack

NOTE: All Links below were active & working as of 4/9/2017

I have seen a bunch of spammy-looking emails with subject lines similar to:

Incredible Formula Is Now Available For Everybody

All from random sender emails such as:

mlhernandez@bolivar.gov.co
py10024@dongshin.net
kd-dovitec@vnn.vn


With email bodies like this, with a hyperlink on the last line:

Tsss... Though this exclusive product is already out there for everybody on the web, the amount is very limited, so don't tell your friends about it until you get some first.
Advanced solution and redesigned formula has been created to help you get rid of excessive weight. Natural ingredients and secret components are exactly what you need to get back in a great shape and get your dream body.
Act now as next week it will already be too late. Get a beautiful and fit body like you deserve.


The hyperlink went to sites like these, which appear to be outdated, hacked WordPress sites with unpatched plugins:

hxxp://klkgraphics[.]com/wordpress_d/wp-includes/SimplePie/lib.php?c2JyeWFuQG9zaGtvc2hjb3JwLmNvbQ==
hxxp://www.sandeepguptagmatclasses[.]com/wp-admin/css/dump/db.php?aGxvdWRlbkBkZWZlbnNlLm9zaGtvc2hjb3JwLmNvbQ==
hxxp://unlimitedsuccesscoaching[.]com/wp-includes/SimplePie/Decode/old.php?dG1vcnJpc0BqbGcuY29t
hxxp://covrefugee[.]org/wp-includes/SimplePie/Decode/lib.php?bGdhbGxhY2hlckBqbGcuY29t
hxxp://www.libertywebcreation[.]com/norfolk/wp-includes/fonts/ini.php?dGxiaWdoYW1AamxnLmNvbQ==


If the user clicks on any of those links, the site simply redirects to this one single site, so the attacker is likely the same for each site:

hxxp://dietokdlikefut[.]com/us/emko/t11-cla?bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX


The page title on that page is:

Gwen Stefani Shares Blake Shelton's Secret To Rapid Weight Loss (Pics Below)

No matter where you click on that page, all links go to this follow-up URL:

hxxp://dietokdlikefut[.]com/us/emko/go.php?CID=313491&bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX


If you decide you want to buy the product, clicking checkout goes to this page:

hxxps://checkout-cla-extract[.]com/?click_id=04_29517092_5bcca100-2e0d-4262-a3d7-a225b73ac143&subid1=313491&netid=3&ver=old&ad=1kN9


Also interesting: at any point on the fake sales-pitch page, if you remove the PHP file name from the URL, it redirects you to a random sub-domain that contains exactly the same content:

hxxp://557-healthandbeauty.dietokdlikefut[.]com/us/xvoh/cla-safflower-oil/
hxxp://852-diet.dietokdlikefut[.]com/us/hefk/cla-safflower-oil/
hxxp://110-health.dietokdlikefut[.]com/us/lldl/cla-safflower-oil/


This looks similar to past Pharma Hacks I've seen, where the attacker simply goes around hacking weak WordPress sites in order to both bump up their search engine rankings and generate traffic to their website to make money.
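Two things in the redirector URLs above stand out to a defender watching a WordPress host: a .php file sitting under wp-includes/ or wp-admin/css/, which are directories a stock install serves as static assets, and a query string that is nothing but a base64 blob (each one here decodes to a tracking value). As an added example (my own code, not the post's), here is detection logic for both patterns run over a few web-server log lines. The log lines, IPs, paths and the base64 values are constructed for this example (they decode to placeholder addresses at example.com / example.org), and the SUSPECT_DIRS list is a heuristic to tune against your own install.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed combined-format access-log lines; addresses, paths and query values are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2017:10:01:02 +0000] "GET /wordpress/wp-includes/SimplePie/lib.php?dXNlckBleGFtcGxlLmNvbQ== HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.8 - - [09/Apr/2017:10:01:09 +0000] "GET /wp-admin/css/dump/db.php?YWxpY2VAZXhhbXBsZS5vcmc= HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.3 - - [09/Apr/2017:10:02:00 +0000] "GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 200 95786 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Apr/2017:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Directories that should only ever hand out static assets; a directly requested .php there is
# a red flag (heuristic: add an allowlist if a plugin legitimately does this on your site).
SUSPECT_DIRS = ("/wp-includes/", "/wp-admin/css/", "/wp-content/uploads/")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def decode_b64_email(value: str):
    """Return the e-mail address if `value` is strict base64 of one, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def analyze(line: str):
    """Parse one access-log line and list the reasons it looks like the redirector pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path, query = parts.path, parts.query
    reasons = []
    if path.lower().endswith(".php") and any(d in path for d in SUSPECT_DIRS):
        reasons.append("php-in-static-dir")
    # The tracker may be the whole query string or one '&'-separated piece of it.
    if any(decode_b64_email(c) for c in [query] + query.split("&")):
        reasons.append("b64-email-tracker")
    if reasons and m.group("status") in ("301", "302"):
        reasons.append("redirected")   # the hacked sites above answer with a redirect
    return {"ip": m.group("ip"), "path": path, "status": m.group("status"), "reasons": reasons}


def suspicious(log_text: str) -> list:
    """All lines with at least one reason, in log order."""
    results = (analyze(l) for l in log_text.splitlines() if l.strip())
    return [r for r in results if r and r["reasons"]]


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(hit)
```

Run against a real access log, the first reason alone is usually enough to locate the dropped file; the base64 check mainly helps tie separate hits to the same spam run, since the tracker value per recipient is constant across all of the hacked hosts.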

Let me know if I'm missing anything else important.
