[anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)

Here is the new hacked script call to url that is responsible for
controlling this malware and hacked data.

http://135.181.21.126/story2020.php?pass=aodhfherkejkerjk&q=

On Tue, Jan 12, 2021 at 6:40 AM steve payne <stevenp8844 at gmail.com> wrote:

> " P.S.  Please send me via private email the full list of suspicious URLs.
> I may not be able to actually do anything with those, but I can at least
> have a look.  (For some reason my browser is not allowing me to just cut
> and paste from your google docs.)"
>
> I have sent you an email with two attachements. Please let me know if you
> do not receive it!
>
> On Tue, Jan 12, 2021 at 6:30 AM steve payne <stevenp8844 at gmail.com> wrote:
>
>> Hi,
>>
>> "All abuse complaints must be put through their abuse form:
>>
>> https://www.ovh.com/world/abuse/"
>>
>> I have filled out the form with OVH a few times, almost 2 weeks ago and
>> have not heard any response. The domains I submitted are still active and
>> redirecting to malware.
>>
>> "It must be put through their abuse form:
>>
>> https://www.cloudflare.com/abuse/form"
>>
>> The main form for the Cloudflare Malware submit form only allows for 1
>> url submission at a time. I have submitted this form many times and support
>> tickets, as I also have a Cloudflare service.
>>
>> I was told this can only be handled by the "Support & Trust" team and
>> they will reach out to me. We have gone through this Twice, yet all domains
>> are still actively hosted through Cloudflare.
>>
>> "I'm confused.  How exactly does one "spam" a search engine?
>>
>> And what is "spun text", exactly?"
>>
>> This spam operation is no small operation. The way they are spamming
>> search engines is by using the authority of hacked domains to "link to"
>> these fraud domains. It's bringing link juice and a lot of search engine
>> traffic.
>>
>> By "spun text", it's basically garbled text that has thousands of
>> keywords in it and for some reason Google is not able to detect it.
>>
>> Here are a couple of links.
>>
>>
>> https://www.google.com/search?q=site%3Aatlantidepz.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aatlantidepz.it&aqs=chrome..69i57j69i58.4172j0j7&sourceid=chrome&ie=UTF-8
>>
>>
>> https://www.google.com/search?q=site%3Aandrea-rubinetterie.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aandrea-rubinetterie.it&aqs=chrome..69i57j69i58.6191j0j7&sourceid=chrome&ie=UTF-8
>>
>> Basically search google for site:domain and you will see the "spun text".
>>
>> Here is a direct domain (there are many inside of the two files I
>> listed): http://asugroup.ir/bdo-wizard-ziuli/seccomp-bypass-ctf.html
>>
>> " seccomp bypass ctf 첫 Seccomp Bypass 공부 This test will connect to a
>> mail server via SMTP, perform a simple Open Relay Test and verify the
>> server has a reverse DNS (PTR) record. This is the most disappointing and
>> astonishing challenge in this year's DEFCON qual. On Linux, chroot() can be
>> used to break out of a chroot() jail: chroot() does not require your pwd be
>> in the directory that is chroot()'d to the new root. See the complete
>> profile on LinkedIn and discover Ajin’s connections and jobs at similar
>> companies. From the initial plan we know we must change values on
>> _IO_2_1_STDOUT->file->vtable, and values on the _IO_helper_jumps vtable but
>> there will be a lot of values in the middle because we are overflowing
>> everything from the very beginning, in this case from the stdin we can’t
>> just fill everything with nulls and expect everything to run smoothly ,
>> obviously the program will Apr 14, 2020 · Allocate a chunk using
>> leave_feedback function and free it and since the seccomp filters uses heap
>> to allocate its rules the freed chunk will never be merged with top chunk
>> and considering the big size of allocation is 0x501 the freed chunk will go
>> to unsorted bin because tcache bins can only holds size lower then 0x408.
>> Fuzzing {{7*7}} Till {{P1}} This is an SSTI writeup. 1. Current list last
>> refreshed on Tue, 2020-12-29 at 00:22:48 (local time) Microsoft, McAfee,
>> Rapid7, and Others Form New Ransomware Task Force id: | 2020-12-23 15:25:00
>> Thursday, September 17, 2020 OEM Security Newsalert - 17-Oct-2020. The
>> binary initializes some seccomp rules, and then EN | ZH. Hence, an attacker
>> might gain control over some process of a web browser but seccomp will
>> restrict the set of available syscalls to only those it needs. X. If answer
>> is Y\x00 then it calls set_context() else it calls system("/bin/sh")  12
>> Jul 2018 Introduction After my tutorial on seccomp, thanks for Google CTF
>> for This post will give the write-up for the execve-sandbox in GoogleCTF. 2
>> man page for review. areas of specialty include exmpedded/IoT CTF / Capture
>> the Flag and IoT Village CTF: Security Innovation will be hosting the CTF
>> event using their CMD+CTRL platform .
>> com/2020/07/26/security-101-backups-protecting-backups <p>I can already
>> hear some readers saying that backups are an 11 Apr 2019 ROP to Shellcode
>> To ease bypassing of the seccomp filter, let's first set up a ROP Service:
>> nc gissa-igen-01. HarveyHunt/howm 451 A lightweight, X11 tiling window
>> manager that behaves like vim trailofbits/ctf 451 CTF Field Guide
>> bwalex/tc-play 451 Free and simple TrueCrypt Implementation based on
>> dm-crypt libharu/libharu 450 libharu - free PDF library gittup/tup 449 Tup
>> is a file-based build system. PHP-FPM/FastCGI bypass disable_functions 6.
>> 43 runtime : 6 remark : size (MB) : 1. Posted on December 13, 2020* in
>> ctf-writeups. club MMA CTF 2nd 2016 PPC pwn format string web sql injection
>> heap ASIS CTF Finals 2016 Use After Free fastbin off-by-one shadow stack
>> CSAW CTF 2016 overflow Crypto Forensic padding oracle attack World-first
>> proof-of-principle to bypass Internet kill switches. clMathLibraries/clBLAS
>> - a software library containing BLAS functions written in OpenCL;
>> andrewrk/libsoundio - C library for cross-platform real-time audio input
>> and output View Ajin Abraham’s profile on LinkedIn, the world’s largest
>> professional community. En este post daremos una posible solución al reto
>> Weird Chall planteado en el DEKRA CTF 2020. Vulc at n Difensiva Senior
>> Engineer, DDTEK Hawaii John CTF organizer, Legit Business Syndicate Chris
>> Eagle CTF organizer, DDTEK Invisigoth CTF organizer, Kenshoto Caezar CTF
>> organizer In this onlin "
>>
>> ETc etc. etc etc.
>>
>>
>> Another easy way to spot them is by searching for 3 letter keywords in
>> the past hour. "PCH" is a big one.
>>
>>
>> https://www.google.com/search?rlz=1C1GCEA_enUS802US802&biw=1920&bih=937&tbs=qdr%3Ah&sxsrf=ALeKk02CH7HNpzS8urRXOtXxUoV-aiqZUw%3A1610457738956&ei=iqL9X8zwOZfA0PEPyuGm-Ak&q=pch&oq=pch&gs_lcp=CgZwc3ktYWIQAzINCAAQsQMQgwEQyQMQQzIKCAAQsQMQgwEQQzIICAAQsQMQgwEyCAgAELEDEIMBMgQILhBDMgIIADIICAAQsQMQgwEyCAgAELEDEIMBMgIIADICCAA6BAgAEEM6CwguELEDEMcBEKMCOgUIABCxA1DjxxFYxckRYJbLEWgAcAB4AIABpwGIAZ4DkgEDMC4zmAEAoAEBqgEHZ3dzLXdpesABAQ&sclient=psy-ab&ved=0ahUKEwjM3dLLvpbuAhUXIDQIHcqwCZ8Q4dUDCA0&uact=5
>>
>> These results are the same with Bing.
>>
>> -------
>>
>> Here is a new Chrome Extension this malware group is promoting with
>> "download" to continue for search queries:
>> https://chrome.google.com/webstore/detail/search-and-newtab-by-medi/kgmkoajcbbjaobdbmcnhkppmpnejjpkn
>>
>> It has 400,000 downloads and basically changes Google from their default
>> search engine to "MediaNewPage".
>>
>> https://malwaretips.com/blogs/remove-medianewpage-search/
>>
>> There's pages that talk about how to remove a Chrome Browser Extension
>> Virus, but reporting it does nothing.
>>
>>
>>
>>
>>
>>
>> On Mon, Jan 11, 2021 at 11:25 PM Ronald F. Guilmette <
>> rfg at tristatelogic.com> wrote:
>>
>>> In message <
>>> CAMPzqHa0T9PxyjbvA6AFZMOoVVMqipP1OXS8SNa+eY+KtUrQLA at mail.gmail.com>,
>>> steve payne <stevenp8844 at gmail.com> wrote:
>>>
>>> >There is a huge amount of some type of fraud happening with .it, .pl,
>>> .xyz
>>> >and other domains being registered (see links below).
>>> >
>>> >
>>> https://docs.google.com/document/d/159Sbik8CkO9WDbLjH_tqAhr-dkpODWS1kt4UULLLfk0/edit?usp=sharing
>>> >
>>> >
>>> https://docs.google.com/document/d/1z43WugqqgyVjNy6-IPgON118YaE0HxrgRMKbVwW42NM/edit?usp=sharing
>>> >
>>> >These links contain a list of over 5,000 domains that are currently
>>> >spamming search engines with spun text and then cloaking users to
>>> malware
>>> >that have the search engine referrer.
>>>
>>> I'm confused.  How exactly does one "spam" a search engine?
>>>
>>> And what is "spun text", exactly?
>>>
>>>
>>> Regards,
>>> rfg
>>>
>>>
>>> P.S.  Please send me via private email the full list of suspicious URLs.
>>> I may not be able to actually do anything with those, but I can at least
>>> have a look.  (For some reason my browser is not allowing me to just cut
>>> and paste from your google docs.)
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20210112/b6edc2c1/attachment.html>