Hosting.Black

Malware botnet controller @20.226.20.129

blog — Thu, 21 Apr 2022 08:37:41 +0000

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse. Malware botnet controller located at 20.226.20.129 on port 80 (using HTTP POST): hXXp://iofajfioshnguiosfui.from-pa.com/novidades/inspecionando.php $ dig +short iofajfioshnguiosfui.from-pa.com 20.226.20.129 Referencing malware binaries (MD5 hash): 3030d0b1335357da24960cd99e54ef02 — AV detection:… Читать далее

QuasarRAT botnet controller @3.83.129.253

blog — Thu, 21 Apr 2022 08:37:34 +0000

The host at this IP address is obviously operated by cybercriminals. It is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.

Malware botnet controller located at 3.83.129.253 on port 4747 TCP:
$ telnet 3.83.129.253 4747
Trying 3.83.129.253…
Connected to 3.83.129.253.
Escape character is ‘^]’

$ nslookup 3.83.129.253
ec2-3-83-129-253.compute-1.amazonaws.com

Referencing malware samples (MD5 hash):
d3b411350e9ef770aeb358856d002cf7 — AV detection: 26 / 70 (37.14%)

Malware botnet controller @176.9.148.153

blog — Thu, 21 Apr 2022 01:35:55 +0000

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.

Malware botnet controller at 176.9.148.153 on port 443.
$ telnet 176.9.148.153 443
Trying 176.9.148.153…
Connected to 176.9.148.153.
Escape character is ‘^]’

Malicious domains observed at this IP address:
amazinginvezt.org. 60 IN A 176.9.148.153
btc-es.net. 60 IN A 176.9.148.153
btc-es.org. 60 IN A 176.9.148.153
btcbill.net. 60 IN A 176.9.148.153
btcbill.org. 60 IN A 176.9.148.153
crypt-invezt.net. 60 IN A 176.9.148.153
gas-invest.com. 60 IN A 176.9.148.153
gazivest.net. 60 IN A 176.9.148.153
investgas.net. 60 IN A 176.9.148.153
nbk-invest.org. 60 IN A 176.9.148.153
obszhee-delo.org. 60 IN A 176.9.148.153
plan2-live.org. 60 IN A 176.9.148.153
pr-invest.org. 60 IN A 176.9.148.153
success-finance.org. 60 IN A 176.9.148.153
ultra-signals.com. 60 IN A 176.9.148.153

AveMariaRAT botnet controller @192.95.0.200

blog — Wed, 20 Apr 2022 18:34:20 +0000

Malware botnet controller located at 192.95.0.200 on port 6768 TCP:
$ telnet 192.95.0.200 6768
Trying 192.95.0.200…
Connected to 192.95.0.200.
Escape character is ‘^]’

$ nslookup 192.95.0.200
ip200.ip-192-95-0.net

Referencing malware samples:
MD5 e47a72f1a4ba1732f4a227f7569215c3
MD5 ea7d9d499457f32afcb7dafe3b3bb81c

ArkeiStealer botnet controller @116.202.1.195

blog — Wed, 20 Apr 2022 18:34:13 +0000

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse. ArkeiStealer botnet controller located at 116.202.1.195 on port 80 (using HTTP GET): hXXp://116.202.1.195/ $ nslookup 116.202.1.195 static.195.1.202.116.clients.your-server.de Referencing malware binaries (MD5 hash): ad1b502b6714c0a374b055332018974b — AV detection: 26… Читать далее

Abused / misconfigured newsletter service (listbombing)

blog — Wed, 20 Apr 2022 10:32:15 +0000

The host at this IP address is being (ab)used to «listbomb» email addresses:

From: aidsmap bulletins <[email protected]>
Subject: aidsmap news: CoronaVac shows weaker response in people with HIV, 19 April 2022

Problem description
============================

Spammers signed up for the bulk email service using the victim’s email address. As a result, the victim is being «listbombed» with transactional messages and bulk email campaigns.

Problem resolution
============================

In order to resolve this spam problem (and have this SBL listing removed), the affected sender must take the folloing actions:

a) Implementing CAPTCHA to prevent automated subscriptions
b) Implementing Confirmed Opt In (COI) if not already done so
c) Clean up their email address list (e.g. sending out a permission pass / COI)

Further reading
============================

Further information can be found on the referenced links below.

Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs:
https://www.spamhaus.org/news/article/734/

Mailing Lists -vs- Spam Lists:
https://www.spamhaus.org/whitepapers/mailinglists/

Confirmed Opt In — A Rose by Any Name:
https://www.spamhaus.org/news/article/635

Spamhaus Marketing FAQ:
https://www.spamhaus.org/faq/section/Marketing%20FAQs

DCRat botnet controller @82.146.59.136

blog — Wed, 20 Apr 2022 09:31:57 +0000

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse. DCRat botnet controller located at 82.146.59.136 on port 80 (using HTTP GET): hXXp://82.146.59.136/_/datalife45/TrackProcessDle/JavascriptUpdateGeneratordlelocal.php $ nslookup 82.146.59.136 nolove209.fvds.ru Referencing malware binaries (MD5 hash): bc43cff296c2977a382f6569ed0db331 — AV detection: 40… Читать далее

Socelars botnet controller @207.180.250.246

blog — Wed, 20 Apr 2022 09:31:53 +0000

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse. Socelars botnet controller located at 207.180.250.246 on port 80 (using HTTP POST): hXXp://www.fpsbw.com/ $ dig +short www.fpsbw.com 207.180.250.246 $ nslookup 207.180.250.246 vmi856029.contaboserver.net Referencing malware binaries (MD5 hash):… Читать далее

Smoke Loader botnet controller @95.213.216.204

blog — Tue, 19 Apr 2022 21:29:14 +0000

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse. Smoke Loader botnet controller located at 95.213.216.204 on port 80 (using HTTP POST): hXXp://ejeana.co.ug/index.php ejeana.co.ug. 600 IN A 95.213.216.204 Referencing malware binaries (MD5 hash): 623ef5cd7c56c96132336938466c9c16 — AV… Читать далее

Malware botnet controller @198.244.224.87

blog — Tue, 19 Apr 2022 20:28:53 +0000

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.

Malware botnet controller at 198.244.224.87 on port 443.
$ telnet 198.244.224.87 443
Trying 198.244.224.87…
Connected to 198.244.224.87.
Escape character is ‘^]’

Malicious domains observed at this IP address:
shibaswapbeax.com. 600 IN A 198.244.224.87

Related malicious domains observed at this IP address:
98.244.224.87|illuviumfiren.com|2022-04-19
198.244.224.87|illuviumpiper.com|2022-04-19
198.244.224.87|illuviumquar.com|2022-04-19
198.244.224.87|illuviumtiru.com|2022-04-19
198.244.224.87|illuviumveiar.com|2022-04-19
198.244.224.87|stepnonli.com|2022-04-19