Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
=============================================================================
[Hashes]
=============================================================================
[Domain/Address]