Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Da’esh’ Category

SADAQAHCOINS: Darknet Jihad Funding

leave a comment »

A few days ago the word got out that a new da’esh jihadi funding site had hit the darknet. Much of the reporting has been about the novelty around this idea which isn’t all that novel really. There was another site back in the day that was looking for bitcoin donations and was much more sketchy than this site is but who’s paying attention right? Anyway, this site is the next generation of jihobbyist funding by an unknown group of guys and it is novel in a couple of ways that in reading the other reports, was missed out on. In fact, one alleged expert just marked this site down as just another scam site when in fact, while it may in fact be a scam, it is much more nuanced than the usual fare you see in the darknet and thus, I judge it to be run by people who at least know the jihad well and understand the Hadiths.

The premise of the site is based on the Islamic notion of Sadaqah, which is misspelled for the jihobbyists on this site to make it catchy. Sadaqah, literally means charity or benevolence and is an apt name for this site because it is exactly that which they are seeking. It is an interesting area of Islam concerning your obligations for charity as well as public works and in this twist, the sadaqacoins crew is attempting, as others have, to manipulate the original intent of Sadaqah, for jihad and the furtherance of the war against the infidels. That this site is using trackable bitcoins and attempts to use a more opaque currency like Monero is novel only for the fact that this site is much more slick and put together than the others I have seen out there in the past. Honestly, much of the jihad has always been propped up on donations and the Hawala system since the beginning of the GWOT.

Of course this site not only wants to have the believers give them bitcoin for the jihad but they have funding programs for specific things like buying a sniper rifle or a truck that they can mount a gun on. Not much new here in the way of asking for donations like this inside the jihad. Now, what is new is that the site is open to “others” to suggest finding programs or “projects” as well so anyone could hit them up within different areas of the jihad to get this funding set up. This could be the big difference if this thing actually flies. Imagine more of the disparate cells asking for new projects and then setting up their own bitcoin wallets. This could mushroom a bit for the more savvy jihadi’s out there on the net looking to help but maybe not get blown up in the lands right?

In fact, the most interesting bit for me and for my old friend Onionscan, was the fact that these guys added an Eid celebration to the mix where you could donate for sacrifice. What this means is that you could help the jihadi’s celebrate Eid in country by funding their goat dinner. This is a bit that I think others missed in reporting this because of two reasons. First, these people who wrote about the site don’t understand the religion and the sociology, and two the site had been updated by the time I got to it with the Eid celebration. In fact, it was here that Onionscan puked out some interesting information about the mostly secure site. It seems that their Eid celebrations were in haste to be posted and they forgot to get rid of their EXIF data.

Oops.

Basically, the data that I managed to pull out of all these photos show that they are using a phone camera by Motorola and managed to not have their geolocation turned on. Of course this doesn’t mean they won’t mess up later and leave that kind of data in them for us to hoover up and use as coords for a hellfire visit. This all could be leveraged by the right players though to manipulate them to make a mistake in the future as well. I look forward to seeing where this all goes in the future. However as it stands now, their OPSEC is fair to medium. They did manage to give us a lot to work with though with all the email addresses to reach them on and their Telegram channels to infiltrate and get in their insides with.

 

 

Another point of interest for me on the OPSEC front was their choice of languages  for the site. It seems that these jihadi’s like to speak German, Turkish, and English. These three languages are of note because the site has no area that is strictly in Arabi and that is an oddity. This implies that the group who set this up are English speakers, Turks, and Germans but not really well equipped to write and read Arabic and this kind of tracks with some of the intelligence that comes out of the da’esh circles over the last couple years. There has been an influx of foreign fighters to the jihad but really guys, no Arabi? Shame on you as good Muslims not at least being able to have a page in Arabi!

I guess maybe we can see if they add some Arabic later on…

14gymFijxkFzbxbacbP9ioGndsqHRuJJTc —0 coins
1Dft8kgCWiuqRBLqgTuH2ZhVeUAxC8KGGi—0 coins
1KHDmXfqHJM9XqDHvGfCN4KVhsuReHDfLc—0 coins
1LGHotsLQF1evDXkt7DBTwvZ48SY3idTBL—0 coins
12QufGGoEoNUZN6aobofCoj9giNzCeHFP4—0 coins
184FNLi5aXGcurjEmUs7kgc7cYJ5gauduB—0 coins
1HABpbonuhGUL1woiQELuoDFXBEV6ZLpyG—0 coins
1Br6MtEQLgikLAQSFsrZKWxX6UPYzkAQz9—0 coins
15zbyqsq3q5s5ea5uEQz8xFkEpsPYAW3CE—0 coins
1KHmpHw8p7VGjQpftj2axdqq5NE3JYGT6C—0 coins
1MFeZbNsfWqBVytLmUjYcZoV3RhxJpQ3Kn—0 coins
17mwSmM6NzZTzoAiP3PHLAkooF9jd1xDY8—0 coins

Meanwhile, back to the bitcoins. This site has 12 bitcoin wallets at the time of my assessment and NONE of them have any coin in there at all. Nothing, nada, niente. Of course the site is fairly new so I can see why it wouldn’t have any coin in there yet. In fact the site only popped up on my link search in the darknet on the 24th of August so there is that. (see below) So we need to give it time to see what else they do and if anyone actually donates. Once they do, well then we can track the coins and see who did what huh?

Well, this was an interesting diversion for a while but I am still kinda meh about the whole thing. I am gonna keep an eye on it and maybe visit those Telegram channels to see what other OPSEC FAIL’s they make. Until then, hey, it’s out there and it’s novel.

BOOGA BOOGA BOOGA JIHAD IN THE DARKNET BOOGA!

Derp.

K.

Written by Krypt3ia

2018/08/27 at 18:22

Fancy Bears, CyberCaliphates, and Reporters

leave a comment »

Recently the AP put out a story that links the GRU (Fancy Bear/APT28, whatever you want to call them) to a spate of threats made to five military wives back in 2015 and alleged to have been carried out by Da’esh or the CyberCaliphate. Caliphate is/was/kinda was a loose group of hackers in the Muslim community who carried out a bunch of web defacement’s with slogans like “we love ISIS” etc. Now this isn’t very scary and the group finally got a titular leader in Junaid Hussain, a Brit who went to Jihad after being popped for hacking with an Anonymous group. These disaparate groups of skids are still out there today defacing pages and causing a nuisance but none of them ever rose to the level of being a clear and present danger hacking wise, but Juny, well, Juny became a mouthpiece for da’esh and his popularity got him whacked with a missile in Raqqa.

From AP News

The AP story though, is only tangentially about the CyberCaliphate in that the claims made by the AP are that the five wives who were threatened were in fact not threatened by Caliphate, but instead the GRU carrying out a “False Flag” to make it look like it was the skids. While Juny and whoever else he was working with did in fact dump some military data back in 2015, there were other hacks that went on that people think wasn’t him and the brothers at all but their sophistication means that they had help if not outright wasn’t them at all. The fact of the matter is that finding open source lists of military and other’s details is easy with Google Fu today and no hacking may have been needed for many of these dumps that the ISHD dropped. There were some righteous hacks though and I can easily go with the idea that the Russians and others perhaps had been leveraging these guys names to carry out their own attacks for their own ends,but, this threatening of five military people’s families is a bit of a stretch for me to say is definitively the GRU and not in fact the real ISHD or Caliphate hackers.

My biggest problem with this AP report is that there is little to no details on how they came to the conclusion they reported. In asking the reporter, Raphael Satter, on Twitter I only got sketchy replies on how he/they got this grand conclusion. Basically, his story is that he asked SecureWorks for their data (including personal information it seems of those who got hacked/attacked) and went through all of the phishing emails that were carried out by APT 28 using the bit.ly links to avoid Google filters. Out of all those 4k emails they then saw that the five families were recipients of the phishing emails that APT 28 carried out on the everyone in their large drift net attacks to gather intelligence. AP/Satter then went and rummaged in their closet for the JUMP TO CONCLUSIONS MAT and laid it out to finalize their cognitive bias. From this, and it seems bothering a bunch of military wives previously on the 4k emails that went out they came to the conclusion somehow, that the five were in fact attacked by the GRU because they got those phish. Satter and AP give no details or evidence on this and in my chat with Satter on Twitter he was too busy pub crawling to answer my questions fully on this.

While it is not inconceivable that these families may have been harassed by the GRU for some reason, it is also not a conclusive fact given what has been presented by the AP that they did in fact do this and it was not really the actual ISHD or CyberCaliphate or even just Juny himself. What really needs to happen though, is when a reporter and an agency makes an assertion, but provides little to no evidence of it, it kinda comes off as a grab for attention without truth to back it up, in effect, they did it for the clicks. Now if Satter and AP can provide more conclusive data then I will concede that they are in the right here, but so far they have not. I see no direct connections in the story to anything more than the fact that these ladies got messages on Facebook that were threatening and claimed to be from ISIS. When I asked if Satter had tried to pull the data together to see if these families all had members in FOB’s (Forward Operating Bases) he did not even know what that meant, so I enlightened him. My point being is that if those five members of families were in an area that the Russians wanted to effect some outcome at the time of the attacks, then maybe I could see my way to believing it, but if it was only five, and there is no evidence that they were in positions that the Russians would want to effect, then why do this at all? Why only five? Am I missing something? It all comes back to “Cui bono” or “Who benefits?”

Certainly the AP story is splashy and makes for clicks but I have these concerns as well as I now have to wonder about SecureWorks giving up this data with PERSONAL DATA ATTACHED to the AP. Say, isn’t giving personal data of military and government people to the AP a violation of law somehow? Even of the AP says they are protecting the data, this isn’t really kosher to me, but who am I huh? Maybe just someone with data out there huh? It also makes me wonder how SecureWorks is feeling about all this too. I mean, they had all this data and they did not report this. As Satter said to me; he and a team of people pulled all this together. Well, unless you provide your work it’s just another story and may be in fact incorrect. But back to SecureWorks, why did you guys give this data to the media? What were you thinking?

Screenshot from 2018-05-14 09-12-55

All in all I have had this story sticking in my craw for a while now and I had to get this out. I have worked on the Caliphate and ISHD tracking so I know the players and I know the game. I am certain that in some cases the attacks carried out were more sophisticated and coherent for them to be the actors involved but to make these wild leaps of logic like AP did and then publish them without supporting evidence is bad journalism. In a time when the media want’s to be above board because we have a liar in chief in office who is daily attacking our institutions like the Fifth Estate with disinformation, we need you reporters to do a better job than this. If Satter and AP can provide more than I will be happy. Until then, this story is just that and just adds to the cacophony of fake news and clickbait that I deplore.

K.

UPDATE: One last thought I thought I should add. There is a definite difference between actors here where it comes to ISHD and CyberCaliphate. Two different manners of attacks/hacks and ways of speaking. Look at the image above and look at the language as opposed to most of the defacements and posturing by the UCC. So if you want to say anyone GRU may have done this you would want to call them out as ISHD (Islamic State Hacking Division) as opposed to CyberCaliphate.

Just Sayin.

Written by Krypt3ia

2018/05/14 at 12:33

Posted in Da'esh, ISIL, jihad

MuslimCrypt and Clickbait

leave a comment »

MEMRI talked up a report on a new “steg” program being offered and “used” by da’esh that was then picked up on by Wired (or more to the point someone called from MEMRI offering a story because slow news day at Wired) touting the new scareware booga booga booga that jihadi’s are using STEGO ERMEGERD! Of course this type of encryption has been around all along and in fact, as Wired alludes to, it has even been used by UBL back in the day as well. The fact that there is stego out there is nothing new but this alleged program is, maybe. You see, the problems I have with this assessment and the Wired story sold to them is that there is no real penetration of this software being used as far as can be seen and in fact nowhere on the net can the actual software be found to download.

So yeah, it is not in every da’esh cyber toolbox kids and if anything, it may be an OP trying to pop some of them on Telegram.

Telegram Accounts:

The Telegram accounts involved in this drop also seem to lack some history as well. I looked them up on Telegram and there isn’t much to see at all. Of course it could be that one needs to engage with them to see more but I am not going to do that for this so suffice to say that Google searches of these accounts, the names in them, and iterations thereof come up with nothing useful. In essence what I am saying here is they have “no history” and thus to me should be looked at as cutout accounts to drop this software from and nothing more. This is an important piece of the puzzle too but it seems MEMRI is more interested in selling subscriptions and getting on Wired than they are at being thorough in investigating things like this.

MuslimCrypt.zip and .exe:

Meanwhile one cannot find the software at all nor the zip file anywhere on the net. Not one download link anywhere. No uploads to MEGA, nor any of the other places that you would think that these guys would want to put it so that the jihadi masses can securely talk right?

Nopesauce.

The staggering lack of the file only leads me to believe that it was a drop to entice people to download in-line on Telegram in hopes that the account (MuslimTec) would be a form of watering hole attack. We see this kind of thing all the time in the hacking world and many of those kinds of attacks are carried out by more sophisticated actors. In this case the only place that the file can be seen is on Hybrid Analysis and on VirusTotal and even there there are only one to two drops of the file for testing. In all of these cases the files are not available for download so only one source has uploaded them.

Interesting huh?

So what do we have here so far… One source (MEMRI) sharing a story with Wired about a software package no one really has except MEMRI? How odd is this? Well, kinda odd and to me smacks of two things;

  1. MEMRI got played
  2. This was an OP by a nation state actor looking to own some jihadi’s

I will go into these ideas in some more detail below. Just remember that it is odd that these files are not out there in the forums nor being saved and uploaded for more penetration of use.

Reversal of the binary:

I found that the zip file had been uploaded to Hybrid in January as well as March 4th 2018. The VT upload happened in February 2018 so this has been around and about a bit. Remember though, these are the only instances of the files that I could find, and I REALLY wanted to find a copy. So whoever had the files to upload (assuming it was MEMRI) are the only ones to do so. I looked at the whole sandbox report of the zip and the executable and came up with some interesting factoids for you all.

  1. The language set is German
  2. The language of some of the re-used code snippets are in German, so, I could go either way on this one. Could be a German who did the coding or just someone who knows some and worked on re-used code to make this program
  3. This was cobbled together by someone with some skills
  4. The software does have what seems to be a keystroke recorder built in but it has nothing really to do in sandbox because it is a sandbox and no actual keystrokes are made
  5. Whoever compiled this has a pc name or a folder name on their system of “SultanEasy” with “SultanEasy-2” which, ya know, kinda sounds all code wordy to me

I scoured the internet for “SultanEasy” and “SultanEasy-2” to no avail. Now with that in mind consider that this was a slip up on the part of the coder and that this folder in projects is a code name.

Ponder ponder ponder… A piece of software magically dropped on Telegram by accounts with no history and a binary that has a keystroke logger embedded in it?

Hmmmmmmmmm…..

Oh, by the way MEMRI, your reversal skills suck.

An Op?

Overall, this smells bad and MEMRI seems to have fallen for it or is unable to read a reversal report and strings well enough to see things in perspective.

Could this be an operation by a nation state? Sure.

Could it be another group like Anonymous or some other vigilante group? Sure.

Could it be a serious attempt at making steagnography the go to encryption for jihadi’s today? Yeah no.

Nice clickbait though.

Derp.

K.

 

UPDATE: I was sent this by <REDACTED> this is from a paste of conversation screenshots from the MuslimTec Telegram channel…

Screenshot from 2018-04-02 14-45-24

So yeah, there are many comments in there about spies and even at one point claims of being hacked by dissension…

Just sayin.

Written by Krypt3ia

2018/04/02 at 18:06

Posted in Da'esh, jihad, Jihobbyists

Amaq News Malware Attempt Using Old Malware

with one comment

Amaq Hack:

Vice reported on the Amaq News Agency’s hack and dissemination of malware last week and the report really kind of fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself. Which is exactly what I did and located two samples of malware that are from other domains owned by the same players. What follows is a run down of those samples (I was unable to find the one mentioned in the story as of yet but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.

As some of you may know, Amaq is just the news site for the dissemination of propaganda so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though the malware mentioned in the piece on the 30th is a flash update and the malware I located on the other attached domains is an .apk file that allegedly is for a flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 rat that everyone see’s to pwn an alleged 600 click happy jihadi’s?

REALLY?

Right so as the Vice article says the malware was easily seen by a multitude of AV products so really, you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different but this was an executable binary so.. uhh.. Duh? Right, well the malware in the story was ostensibly just an update to Flash if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.

Domains:

After checking the domain jiko.at from the url that was serving the malware last week I began tracking down the owner data. What came from that is that the email address of alibenmohaed216@gmail.com is a throw away account as far as I can tell with only three domains being registered with it. Once you look though, you can see that more domains actually had been created by the same actor using the name “dertou” as well. Those domains are ad13.de, amaqqq.xyz, baqiyy.at, and jkikkia.at.

Without going too far down the rabbit hole here I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit it seems. One of the domains is still live and are serving out the malware:

Now this address would match up with the attempts at trying to get amaq users to go to a bad squatted address and this is where I got the malware I mentioned above (details below) The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya” but others like ad13.de have nothing to do with all that and in fact ad13 is much much older a domain. Ad13 was originally created in around 2013 and was decomissioned around October 2016 with changes made to the domain in July 2016.

When I started looking up the list.ru address I hit a road block for now but I will keep poking at that because I feel that this person is one of the key players if not the key player here. Otherwise there is the usual obfuscation going on with the other addresses out there and as such I am just going to drop them for now. Instead, I will look at the malware and where that is making calls to after dumping the IOC’s on you all.

Here you go!

IOC’s:

Malware:

https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/OTllNDU5YjNkYzVlNDFhOWI1Yzc2YWY0ZWI3NWY0N2Q/ –> Malware
http://urlquery.net/report.php?id=1490856486148
https://virustotal.com/en/file/379cd2fed583c183fc1c5d1597421642f8e6b15af74ec58348e40ee80f227b25/analysis/1490880990/ —> Malware
https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/ZDgyOWFkYTIwNjdlNGJjOWE2MTMwYjQwYmJmNmRiN2M/

Domains:
https://virustotal.com/en/domain/saitamasinse.com/information/
https://www.threatcrowd.org/domain.php?domain=amqqq.xyz
https://virustotal.com/en/domain/saitamasinsefesa1forall.com/information/
https://virustotal.com/en/domain/saitamasinsefesa1formelol.com/information/
https://virustotal.com/en/domain/fgssaitamasinsefesabgformelol.com/information/
https://www.threatcrowd.org/domain.php?domain=saitamasinse.com
https://www.threatcrowd.org/domain.php?domain=ad13.de
https://www.threatcrowd.org/ip.php?ip=66.85.157.86

Malware:

The malware sample I got from the amaq xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the url. Once run it attempts to contact several domains and IP addresses for the second stage.

These addresses don’t actually have sites on them so they are just C2 and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second stage malware install site. None of these though have the gate.php and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks had not Vice and other sources reported on the hack. Perhaps though because it is still live the hackers plan on another attempt at going back to the well no?

Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV, and the RAT is old so was this a real attempt at harvesting or was this some sort of pranksterism or PSYOP? Frankly I can see it both being semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the list.ru user to me says that there may be more to this if I dig further but then I have to be that interested in who may be fucking with amaq.

The fact of the matter is Da’esh is losing ground and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys has been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style so once they lose Raqqa they will lose a great deal of cred online in my opinion. Perhaps then they will be less of a threat on the GWOT in that respect… Maybe not.

Anyway, yeah, these guys are soft targets and not the sharpest tools in the tool box so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really so this is a non story to me. It is more interesting to me who may be trying to fuck with them and to determine why exactly. Is this the IC trying to deter them or is this an OpISIS kind of thing?

I am still deciding…

K.

Written by Krypt3ia

2017/04/03 at 18:42

Posted in CyberFAIL, Da'esh, jihad

أخبار المسلمين akhbar almuslimin: Muslim News

leave a comment »

Screenshot from 2016-08-08 12-17-55

Yep, yet another Da’esh darknet site popped up this morning. This one is a rather bare bones effort that relies on free DynDNS, Tor2web and links back to things like WordPress and imgur and Cloudflare. The site came up and then went down after the kids from OpISIS came and went. The cloudflare though seemed to help as well as the tor2web linkage. As of this writing Cloudflare started to act up and the site was losing bits of itself as I was interrogating it for information.

Anyway, this site is pretty sparse design wise but has a lot of content to click. As you can see below it is low tek but the content is brand new. No mention of official ties but it has the flag in the tab as you can see. All of the links go to external clearnet sites for content so much of the work is being placed on the clearnet sites that the daeshbags upload shit to like mega and the like.

Screenshot from 2016-08-08 12-18-31Videos from Syria

 

Screenshot from 2016-08-08 12-21-37Dabiq 15 linked to clearnet dump

 

Screenshot from 2016-08-08 12-24-34Other mags

 

Screenshot from 2016-08-08 12-24-56Al Bayan radio streams

 

Screenshot from 2016-08-08 12-25-51Martyrs and usual propaganda crap

 

Screenshot from 2016-08-08 12-26-35Single page content links

 

Screenshot from 2016-08-08 14-00-25Page info

 

Overall, not much to write home about. The site I assume will be down and up for a while but this just shows you that the daeshbags are trying to get content in the darknet but they seem to be unable to host it all themselves on a single server. Until they can do this, then technically they will continue to be taken offline pretty easily by the kids.

I will be pulling all the metadata since I have already archived the site en toto with wget… More when I have it.

Dr. K.

 

–UPDATE–

I ran an onion scan on this site for all you kids.. Go.. play..

krypt3ia@krypt3ia:~/go$ sudo ./bin/onionscan http://ou7zytv3h2yaosqq.onion/
2016/08/10 12:59:25 Starting Scan of http://ou7zytv3h2yaosqq.onion/
2016/08/10 12:59:25 This might take a few minutes..

————— OnionScan Report —————
High Risk Issues: 0
Medium Risk Issues: 0
Low Risk Issues: 0
Informational Issues: 4

Info: Missing X-Frame-Options HTTP header discovered!
Why this is bad: Provides Clickjacking protection. Values: deny – no rendering within a frame, sameorigin
– no rendering if origin mismatch, allow-from: DOMAIN – allow rendering if framed by frame loaded from DOMAIN
To fix, use X-Frame-Options: deny
Info: Missing X-XSS-Protection HTTP header discovered!
Why this is bad: This header enables the Cross-site scripting (XSS) filter built
into most recent web browsers. It’s usually enabled by default anyway,
so the role of this header is to re-enable the filter for this particular website if it was disabled by the user.
To fix, use X-XSS-Protection: 1; mode=block
Info:  Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: The only defined value, “nosniff”, prevents browsers
from MIME-sniffing a response away from the declared content-type.
This reduces exposure to drive-by download attacks and sites serving user
uploaded content that, by clever naming, could be treated as executable or dynamic HTML files.
To fix, use  X-Content-Type-Options: nosniff
Info: Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: Content Security Policy requires careful tuning and precise definition of the policy.
If enabled, CSP has significant impact on the way browser renders pages (e.g., inline
JavaScript disabled by default and must be explicitly allowed in policy).
CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
To fix, use  Content-Security-Policy: default-src ‘self’
krypt3ia@krypt3ia:~/go$

 

Written by Krypt3ia

2016/08/08 at 20:44

Posted in Da'esh, DARKNET

Two More Da’eshbag Darknet Sites Popped Up

leave a comment »

Screenshot from 2016-04-29 08:48:34The Cyber Kahilafah

 A couple more daring Da’eshbags have decided that the darknet is the place for them to spread their propaganda. The sites just popped up and aren’t quite finished. The Cyber “Khahilafah” خِلافة “Caliphate” has a total of 5 main pages with links off of those to other internal and external pages.The main page has the following text:

Screenshot from 2016-04-29 10:54:27

Fight in the cause of God those who fight you not transgress Allah loveth not aggressors} Al-Baqarah: 190}

————————————————– ———-

The books you dislike it, and it may be that you dislike a thing which is good for you, and that ye love a thing which is bad for you. Allah knows and you do not know the cow} 216}

————————————————– ———-

Very soon will be open all sections

We hope to collect the largest number of individual wolves

Cyber kahilafah

!Beware no joking here!

Overall this page is really quite simple and reminds me of just about every other page on the darknet (some remnant from Geocities got loose in the darknet and multiplied!) it’s kinda ugly and simple. As the site is not finished there isn’t much to look at right now but I thought I would archive it and pass it along before the kids hear about it and DD0S the crap out of it or hack the node and take it down. Of course if someone hacks it and somehow get’s a raw IP that would be interesting huh? *hint hint NSA*

Anywho, this site is different from the last one because it is not really pulling a whole lot from the clearnet and it is certainly not at this time like any of the other jihadi boards out there but it seems to me that is what they may be aiming at later on down the line. I am sure it won’t be around that long anyway but it’s amusing to see them try.. Ok on to the data and further below the second site!

DATA

The sub pages consist of the following headings:

/bomb/

Screenshot from 2016-04-29 10:27:03with sub categories of /bomb/ for redundancy?

/kafia/

which seems to be a version of Keffeyah which is a scarf, head dress common to the region.

Screenshot from 2016-04-29 10:29:21

Both of the downloads fail and the domain they point to are:

Now the 00-up domain is interesting because it has a long stories WHOIS history and the present owner is a Mohammed Ezz out of Egypt according to the data.

Screenshot from 2016-04-29 10:32:08

Screenshot from 2016-04-29 10:33:00/army/

Screenshot from 2016-04-29 10:44:15/army/ only has “coming soon” in Arabi on it at the moment

/armyb/

has the following single page with a link (Infantry Mechanisms In Desert Operations)

Screenshot from 2016-04-29 10:45:15

Screenshot from 2016-04-29 10:45:54

The desert operations piece is pretty much a re-hash of the desert war tactics from WWII. It’s an interesting read if you are in to desert warfare but I am not sure why they have put this up there because it is specific to the Sahara.

/isdarat/

Isdarat we saw the last time and refers to isdarat.tv so maybe these are the same guys?

Screenshot from 2016-04-29 10:44:15Another “coming soon” image

/gun/

Screenshot from 2016-04-29 10:51:59

“Kalashnikov Weapon” which links to some videos that don’t work

Screenshot from 2016-04-29 10:53:11

That’s all she wrote for this site. The next one though is a stand alone with the same name as this one but really is just a shingle for the Da’esh Cyber Kahilafah Al Bayan (popular news paper in the region) radio link. This link is not working but there were some interesting links that were offshoots to this.

 Screenshot from 2016-04-29 09:52:20Cyber Khaliafa Radio (non functional)

Now Al Bayan is the radio station that the da’eshbags started when they took over a station in the region. It is on FM and cannot be heard here unless you get it online. Thus this page and links. As they are not working it may be that they only post things or make the link live at certain times. In any case, the links on this page led to the clearnet and some interesting people and places (see below)

Screenshot from 2016-04-29 11:25:43

Screenshot from 2016-04-29 10:10:54

 

Screenshot from 2016-04-29 10:11:18

 

Screenshot from 2016-04-29 10:19:22

Screenshot from 2016-04-29 10:21:29

I have yet to try and give a listen but when I get a working link I will. Until then, you kids have fun with these guys in the darknets! Once again they show that they have some sophistication in being able to set up a tor site but then they completely lack the ability to really program it or keep it online. These are not the cyber warriors the media would like you to think they are.

Dr. K.

EDIT: There is a THIRD site evidently. I have found the “creator” of the site and located yet another page he/she/they are looking to link from. This one will eventually have the bomb making tutorials for making phone bombs.

Screenshot from 2016-04-29 13:12:15

 

Written by Krypt3ia

2016/04/29 at 15:28

Posted in Da'esh, DARKNET

isdratetp4donyfy.onion The Da’esh Darknet Propaganda Site: Down But Still Telling Tales

leave a comment »

Screenshot from 2015-11-15 16:46:15

The Isdarat Onion and the MoD Address:

After posting my second piece on the da’esh propaganda site in the darknet (under the hood) it wasn’t long before the darknet site was down for the count. Interestingly though, before it went down some information could be gleaned as to perhaps it’s IP address as well as what it was running. I had already mentioned that it was running a WordPress frontend but behind everything was a bit more interesting. When a whatweb was carried out on the url it came back with an IP address that on the face of it was just another IP. However, when Googled, the IP had a nice little hit that shed some light on perhaps what may have been going on before I got there.

Whatweb -v

http://isdratetp4donyfy.onion/ [200]
http://isdratetp4donyfy.onion [200] Country[RESERVED][ZZ], HTTPServer[nginx/1.8.0], IP[10.213.114.145], UncommonHeaders[link], nginx[1.8.0], x-pingback[http://isdratetp4donyfy.onion/ar/xmlrpc.php]
URL    : http://isdratetp4donyfy.onion
Status : 200
Country ——————————————————————–
Description: Shows the country the IPv4 address belongs to. This uses
the GeoIP IP2Country databTEXTase from
http://software77.net/geo-ip/. Instructions on updating the
database are in the plugin comments.
String     : RESERVED
Module     : ZZ

HTTPServer —————————————————————–
Description: HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String     : nginx/1.8.0 (from server string)

IP ————————————————————————-
Description: IP address of the target, if available.
String     : 10.213.114.145

UncommonHeaders ————————————————————http://isdratetp4donyfy.onion/ [200]
http://isdratetp4donyfy.onion [200] Country[RESERVED][ZZ], HTTPServer[nginx/1.8.0], IP[10.213.114.145], UncommonHeaders[link], nginx[1.8.0], x-pingback[http://isdratetp4donyfy.onion/ar/xmlrpc.php]
URL    : http://isdratetp4donyfy.onion
Status : 200
Country ——————————————————————–
Description: Shows the country the IPv4 address belongs to. This uses
the GeoIP IP2Country database from
http://software77.net/geo-ip/. Instructions on updating the
database are in the plugin comments.
String     : RESERVED
Module     : ZZ

HTTPServer —————————————————————–
Description: HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String     : nginx/1.8.0 (from server string)

IP ————————————————————————-
Description: IP address of the target, if available.
String     : 10.213.114.145

UncommonHeaders ————————————————————
Description: Uncommon HTTP server
Description: Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at http://www.http-stats.com
String     : link (from headers)

nginx ———————————————————————-
Description: Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server. – Homepage: http://nginx.net/
Version    : 1.8.0

x-pingback —————————————————————–
Description: A pingback is one of three types of linkbacks, methods for
Web authors to request notification when somebody links to
one of their documents. This enables authors to keep track
of who is linking to, or referring to their articles. Some
weblog software, such as Movable Type, Serendipity,
WordPress and Telligent Community, support automatic
pingbacks
String     : http://isdratetp4donyfy.onion/ar/xmlrpc.php

Once you Googled the IP address alone you got some usual stuff but one thing stood out. and index of logs for that IP and another. What was this? Well, it was a site holding the logs for a keylogger by DarkZhyk a Russian keylogger RAT. So, it seems that this IP address as of February 28th 2015 had a RAT/Kelogger on the box that had the IP at the time. Now, the question is was this IP a static box that held the onion or was this somehow the box that the webserver sat on? I really would have to do some more digging but let’s just leave that for now because it is the second address that is the interesting bit. It seems that 25.154.73.36 belongs to the Ministry of Defense in the U.K.

Screenshot from 2015-11-24 14:42:06

Screenshot from 2015-11-24 14:42:58

Screenshot from 2015-11-24 14:44:25

That’s right kids, in February of this year that IP address cited from that whatweb was logged into by the MoD. Quite the interesting tidbit huh? I did not poke around the MoD at all but I have told some peeps to keep their eyes open and maybe wink wink nudge nudge some folks about this. Could this be a sign that the site was already compromised? The box itself compromised? That the MoD knew about this box and already had been inside it? One wonders. I do know thought that the clearnet RSS feed was a Windows box as well and in all it took no time whatsoever for the kiddies to take this site down. It’s pretty much as I intoned in the last piece that this site was pretty poorly secured.

So let the games begin!

But wait, there’s more!

Screenshot from 2015-11-25 13_54_33

In the interim as the site was down I decided to do all the OSINT work on the players involved. See, unlike Anonymous or goatsec I actually do research on targets before I do any kind of reporting. In looking at these guys it became clear that not only were their sites all over the place but also that they are in fact Indonesian in origin. It seems that these guys spend quite a bit of time buying domains anonymously to RSS feed this shit to the world under the “Isdarat” moniker. Isdarat by the way is “to spread” in Arabic so basically to spread the word so to speak. While anonymous has been trying to swat all these sites down they have just gone back to backup sites as usual with no real effect on their ability to stream videos and push the propaganda levers for da’esh.

Screenshot from 2015-11-29 12_30_43

http://isdarat.in.hypestat.com/

http://isdarat.xyz.hypestat.com/

http://isdarat.xyz.hypestat.com/

http://isdarat.tv.hypestat.com/

http://isdarat.sd.hypestat.com/

http://isdarattv.blogspot.com/

http://isdarat.tumblr.com/

http://isdarat-istube.cf

https://khilafahdaulahislamiyyah.wordpress.com/

http://web.archive.org/web/20150430091539/http://isdarat.in/

http://khilafahtoday.blogspot.no/2015/05/terowongan-tentara-khilafah-menyusup-ke.html

https://plus.google.com/100434261915807680617/posts

https://www.facebook.com/pages/Khilafah-daulah-Islamiyyah/726338634152991

http://www.al-hisbah.com/

Isdarat Admin: http://mig.me/u/isdarat

http://www.muqawamah.net/contact-us/ —————–> redaksi.muqawamah@gmail.com

and… redaski.daulahislamiyyah@gmail.com

 

Screenshot from 2015-11-29 12_33_40

Screenshot from 2015-11-29 12_31_58

Screenshot from 2015-11-29 12_31_21

 

Screenshot from 2015-11-29 12_27_28

 

Screenshot from 2015-11-29 11_56_07

 

Screenshot from 2015-11-29 11_21_42

 

Screenshot from 2015-11-29 11_19_14

 

Yep, these guys are all over the place. So far I have yet to get a lock on any real names. So far all the pseudonyms come back to either nonsense or in one case the name of a famous Indo jihadi who died back in 2009. The upshot here is that not too many people talk about the Malay or Indo areas where Jihad and da’esh are concerned. These players have been around for a long time and I used to see a lot of activity by them for AQ. Piradius, the hosting/internet company was the Mos Eisley of the internet back in the day and it may be time to circle back to that neck of the woods again and take a look around.

Oh well, I am sure the KDI/daulahislamiyyah guys will be back with main sites again to go along with all the other ones they have hidden around.

Anonymous/goatsec 0

daulahislamiyyah 1

 

K.

Written by Krypt3ia

2015/11/29 at 21:42

Posted in Da'esh, DARKNET