Client-Side Vulnerabilities

Historical OSINT – International Institute For Counter-Terrorism Serving Malware – An Analysis

13 Dec 2020 By Dancho Danchev

The International Institute For Counter-Terrorism is known to have served malicious software to its targeted user base back in 2013. In this post I’ll provide actionable intelligence behind the campaign and discuss in-depth the tactics technique and procedures of the cybercriminals behind it. Sample malicious software client-side exploits serving chain: hxxp://ict.org.il/js/1.html Sample malicious MD5 known toRead More

Exposing Modern Client-Side Exploits Serving Kits – An AV and Snort IDS MD5 List Compilation

12 Dec 2020 By Dancho Danchev

Dear blog readers, It’s been a while since I’ve last posted a quality update and I’ve decided to share with everyone the results of a recent initiative where I aim to provide actionable threat intelligence on some of the key client-side exploits serving kits in terms of actual MD5s for the purpose of empowering AVsRead More

Spamvertised ‘Confirmed Facebook Friend Request’ Themed Emails Serve Client-Side Exploits

15 Aug 2013 By Dancho Danchev

A currently circulating malicious spam campaign, entices users into thinking that they’ve received a legitimate ‘Friend Confirmation Request‘ on Facebook. In reality thought, the campaign attempts to exploit client-side vulnerabilities, CVE-2010-0188 in particular. Client-side exploits serving URL: hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=1l:30:1l:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f Detection rate for the malicious PDF: MD5: 39326c9a2572078c379eb6494dc326ab – detected by 3 out of 45 antivirus scannersRead More

Spamvertised ‘Confirmed Facebook Friend Request’ Themed Emails Serve Client-Side Exploits

15 Aug 2013 By Dancho Danchev

A currently circulating malicious spam campaign, entices users into thinking that they’ve received a legitimate ‘Friend Confirmation Request‘ on Facebook. In reality thought, the campaign attempts to exploit client-side vulnerabilities, CVE-2010-0188 in particular. Client-side exploits serving URL: hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=1l:30:1l:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f Detection rate for the malicious PDF: MD5: 39326c9a2572078c379eb6494dc326ab – detected by 3 out of 45 antivirus scannersRead More

The Avalanche Botnet and the TROYAK-AS Connection

13 May 2010 By Dancho Danchev

According to the latest APWG Global Phishing Survey: But by mid-2009, phishing was dominated by one player as never before the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and “crimeware” – malware designed specifically to automateRead More

Dissecting the Mass DreamHost Sites Compromise

11 May 2010 By Dancho Danchev

Yet another mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions mass compromise campaigns. What’s particularly interesting about the campaign, is not just the Hilary Kneber connection, but also, the fact that a key command and control domain part of the Koobface botnet,Read More

TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

11 May 2010 By Dancho Danchev

Deja vu! Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-trafficked torrents tracker, is currently serving live-exploits through a malicious ad served by “Fulldls.com  – Your source for daily torrent downloads“. Why deja vu? It’s because the TorrentReactor.net malware campaign takes me back to 2008, among the very first extensive profiling ofRead More

U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

04 May 2010 By Dancho Danchev

UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, once again parked at 217.23.14.14, AS49981, WorldStream. jumpsearches.com – 217.23.14.14 – Email: alex1978a@bigmir.net ingeniosearch.net – 217.23.14.14 – Email: alex1978a@bigmir.net searchnations.com – 217.23.14.14 – Email: alex1978a@bigmir.net mainssearch.com – 217.23.14.14 – Email: alex1978a@bigmir.net bigsearchinc.com – 217.23.14.14 – Email: alex1978a@bigmir.net Sample exploitation structure:Read More

GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware

27 Apr 2010 By Dancho Danchev

UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update “What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?“. UPDATED: Thursday, May 06, 2010: The following is a brief update of the campaign’s structure, the changed IPs, and the newly introduced scareware samples+phone back locations over the past few days. Sample structure fromRead More

Dissecting the WordPress Blogs Compromise at Network Solutions

18 Apr 2010 By Dancho Danchev

UPDATED: Network Solutions issued an update to the situation. The folks at Sucuri Security have posted an update on the reemergence of  mass site compromises at Network Solutions, following last week’s WordPress attack. What has changed since last week’s campaign? Several new domains were introduced, including new phone back locations, with the majority of newRead More

Unit-123.org E-shop Owner Information

Who is Dancho Danchev?

Unit-123.org

Focused on delivering daily batches of personally-produced never-ending supply of high-quality and never-published and released before classified and sensitive Intelligence Deliverables.

Latest Products