Archive for the ‘OpISIS’ Category
I was bored again and let my fingers do the walking on ThreatCrowd with some interesting results. Did you all know that you could put words into that search engine and come up with malware hits? So, in the case of my word searches I decided to look for Arabic words that have meaning to Da’esh and the jihadi set, with some interesting results. In the case of the word “jihad” I came up with the following hits:
The hits there show you the attendant hashes of malware alleged to be connected to those domains as C2 (command and control) systems. When you click on them you get the Maltego maps and all of the data concerning them, so you can see where everything pivots to and what other servers may be involved with it. Using this method I ran into a set of results for Balabindi, which is the same malware as seen in the recent attack on the Amaq Da’esh site that was hacked and served malware out to about 600 people (claimed) by stats from the link shortener used to propagate it.
The searches that I ran showed that there were concerted efforts with Balabindi using dynDNS sites (jihad101.no-ip.biz and others) as command and control for the Balabindi variants used against jihadists in the past, and they continue today. There is even a Minecraft server (jihad.serveminecraft.net) that may also be involved as well. Of course it is funny ha ha to name these servers jihadihacker and other names to poke at the jihobbyists, but it is kinda bad OPSEC really in my book. So either these are OpISIS or someone is having a bit of a joke, but the malware in the case of jihad100.no-ip.biz is just “server.exe” and, basically like the rest of the samples I was seeing, was a RAT, so I can see how these are just being used to pwn these jihadis and harvest their real data, that is if they are stupid enough to run “server.exe” on their box.
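The pivoting described above (hash to C2 domain, domain to resolved IP, IP back to other hashes, with the dynamic-DNS hosts standing out) can be scripted once you have the report data. The following is an added example, not code from the original post or from ThreatCrowd: it builds a pivot graph over report dictionaries shaped like ThreatCrowd’s v2 JSON (`md5`, `domains`, `ips`, `hashes`, `resolutions`) and flags domains on free dynamic-DNS providers. The MD5s and domain names are the ones listed in this post; which hash links to which domain, the IPs, and the `DOMAIN_REPORTS` contents are constructed for the demo and are not ThreatCrowd’s real results.

```python
"""Pivot over ThreatCrowd-style file/domain reports and flag dynamic-DNS C2 hosts.

All report data below is CONSTRUCTED sample data shaped like ThreatCrowd's v2 JSON.
The hash-to-domain links and IP addresses are assumptions for this example.
"""
from collections import deque

# Suffixes of free dynamic-DNS providers (No-IP family and similar) that are
# commonly used to host RAT C2; a hit here is the "bad OPSEC" signal, not proof.
DYNAMIC_DNS_SUFFIXES = (
    ".no-ip.biz", ".no-ip.org", ".no-ip.info", ".ddns.net",
    ".hopto.org", ".zapto.org", ".serveminecraft.net", ".dyndns.org",
)

# Constructed file reports keyed by MD5 (hashes from the post; links assumed).
# response_code "0" mirrors ThreatCrowd's reply when it has no data for a hash.
FILE_REPORTS = {
    "11b45bfbbbd944ca9bf1f5f69628d055": {
        "response_code": "1", "domains": ["jihad101.no-ip.biz"], "ips": ["192.0.2.10"]},
    "1eb1a366dae694202235656f2f42aa9a": {
        "response_code": "1",
        "domains": ["jihad101.no-ip.biz", "jihad.serveminecraft.net"], "ips": ["192.0.2.10"]},
    "7f209fa351a6792484fcc4d786a17ffd": {
        "response_code": "1", "domains": ["jihad100.no-ip.biz"], "ips": []},
    "cd685e040b584909bd208e8fcad0c846": {"response_code": "0"},
}

# Constructed domain reports: the domain side knows about a hash the file side
# did not return, which is exactly why you pivot in both directions.
DOMAIN_REPORTS = {
    "jihad100.no-ip.biz": {
        "hashes": ["7f209fa351a6792484fcc4d786a17ffd", "cd685e040b584909bd208e8fcad0c846"],
        "resolutions": [{"ip_address": "198.51.100.7", "last_resolved": "2016-03-11"}]},
    "jihad.serveminecraft.net": {
        "hashes": [],
        "resolutions": [{"ip_address": "192.0.2.10", "last_resolved": "2016-03-01"}]},
}


def is_dynamic_dns(domain: str) -> bool:
    """True if the domain sits under a known free dynamic-DNS suffix."""
    d = domain.lower().rstrip(".")
    return any(d.endswith(suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def build_graph(file_reports: dict, domain_reports: dict) -> dict:
    """Undirected graph of ("hash"|"domain"|"ip", value) nodes from both report types."""
    graph: dict = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for md5, rep in file_reports.items():
        if rep.get("response_code") != "1":
            continue  # nothing known about this hash on the file side
        for dom in rep.get("domains", []):
            link(("hash", md5.lower()), ("domain", dom.lower()))
        for ip in rep.get("ips", []):
            link(("hash", md5.lower()), ("ip", ip))
    for dom, rep in domain_reports.items():
        for md5 in rep.get("hashes", []):
            link(("domain", dom.lower()), ("hash", md5.lower()))
        for res in rep.get("resolutions", []):
            link(("domain", dom.lower()), ("ip", res["ip_address"]))
    return graph


def pivot(graph: dict, seed: tuple, max_hops: int = 2) -> dict:
    """Breadth-first pivot from a seed node; returns {node: hops_from_seed}."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


def c2_summary(graph: dict) -> dict:
    """Per domain: linked hashes, resolved IPs, and whether it is dynamic DNS."""
    summary = {}
    for (kind, name), neighbours in graph.items():
        if kind != "domain":
            continue
        summary[name] = {
            "hashes": sorted(n for k, n in neighbours if k == "hash"),
            "ips": sorted(n for k, n in neighbours if k == "ip"),
            "dynamic_dns": is_dynamic_dns(name),
        }
    return summary


if __name__ == "__main__":
    g = build_graph(FILE_REPORTS, DOMAIN_REPORTS)
    for dom, info in sorted(c2_summary(g).items()):
        tag = "DYN-DNS" if info["dynamic_dns"] else "static"
        print(f"{dom:28} {tag:8} hashes={len(info['hashes'])} ips={info['ips']}")
    reach = pivot(g, ("hash", "11b45bfbbbd944ca9bf1f5f69628d055"))
    print("two-hop pivot from 11b45...:", sorted(reach.items(), key=lambda kv: kv[1]))
```

Running it shows the two separate clusters the constructed data contains: the jihad101/serveminecraft cluster sharing one IP, and the jihad100 cluster that only the domain-side report ties to the fourth hash. Against live data you would replace the two dictionaries with the JSON you pull per hash and per domain, keeping the same graph and pivot code.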
Generally I am seeing the same kinds of attacks with older off-the-shelf malware that may get past some old AV or work on people who have no AV at all, but nothing so far has stood out as exotic, so I am thinking this is the Anons doing their thing, or trying to… At the least it was interesting to find the function on ThreatCrowd and leverage it. I think I will plink away at it some more using Russian words next for shits and giggles… Or… OOOH maybe Korean huh?
I guess the last thing I would say on all of this is that the Anons may have had some success with these attacks and maybe passed on some info to the right people, but generally I am not impressed with the ops against Da’esh as a whole. Taking down the jihobbyist sites may be splashy for the tabloids, but the reality of it is that sites like Amaq are just for the lowest-of-fruit users online wanking off to jihad. Sure, some could maybe go full “lone wolf nutbag” and try something, but generally the real players got off the boards years ago because they were just for skidz and wannabes. Most of the real shit happens in closed sites that are below the radar and of course on chat systems like Telegram and others where they can talk with some crypto and not be hassled by some poor PHP site that gets popped every other day and taken offline.
Threatcrowd for word jihad: https://www.threatcrowd.org/searchTwo.php?data=jihad
Threatcrowd for word ISIS: https://www.threatcrowd.org/searchTwo.php?data=ISIS
Reference=Houdini/Dinihu/Jenxcus/H-worm
Reference=http://cybertracker.malwarehunterteam.com/c2/
Reference=https://bartblaze.blogspot.com/2014/02/remediate-vbs-malware.html
Reference=https://otx.alienvault.com/pulse/56e2dab5aef921042823dbca/
MD5=11b45bfbbbd944ca9bf1f5f69628d055
MD5=1eb1a366dae694202235656f2f42aa9a
MD5=7f209fa351a6792484fcc4d786a17ffd
MD5=cd685e040b584909bd208e8fcad0c846