This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
- Previous message (by thread): [anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
- Next message (by thread): [anti-abuse-wg] DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
steve payne
stevenp8844 at gmail.com
Tue Jan 12 15:04:18 CET 2021
Here is one of the Malware Wordpress Themes that have lots of reports, comments about the virus and more. Yet it still remains online:
https://wordpress.org/support/plugin/three-column-screen-layout/reviews/

On Tue, Jan 12, 2021 at 6:53 AM steve payne <stevenp8844 at gmail.com> wrote:

> Here is the new hacked script call to url that is responsible for controlling this malware and hacked data.
>
> http://135.181.21.126/story2020.php?pass=aodhfherkejkerjk&q=
>
> On Tue, Jan 12, 2021 at 6:40 AM steve payne <stevenp8844 at gmail.com> wrote:
>
>> " P.S. Please send me via private email the full list of suspicious URLs. I may not be able to actually do anything with those, but I can at least have a look. (For some reason my browser is not allowing me to just cut and paste from your google docs.)"
>>
>> I have sent you an email with two attachments. Please let me know if you do not receive it!
>>
>> On Tue, Jan 12, 2021 at 6:30 AM steve payne <stevenp8844 at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> "All abuse complaints must be put through their abuse form:
>>>
>>> https://www.ovh.com/world/abuse/"
>>>
>>> I have filled out the form with OVH a few times, almost 2 weeks ago, and have not heard any response. The domains I submitted are still active and redirecting to malware.
>>>
>>> "It must be put through their abuse form:
>>>
>>> https://www.cloudflare.com/abuse/form"
>>>
>>> The main form for the Cloudflare Malware submit form only allows for 1 url submission at a time. I have submitted this form many times and support tickets, as I also have a Cloudflare service.
>>>
>>> I was told this can only be handled by the "Support & Trust" team and they will reach out to me. We have gone through this twice, yet all domains are still actively hosted through Cloudflare.
>>>
>>> "I'm confused. How exactly does one "spam" a search engine?
>>>
>>> And what is "spun text", exactly?"
>>>
>>> This spam operation is no small operation. The way they are spamming search engines is by using the authority of hacked domains to "link to" these fraud domains. It's bringing link juice and a lot of search engine traffic.
>>>
>>> By "spun text", it's basically garbled text that has thousands of keywords in it and for some reason Google is not able to detect it.
>>>
>>> Here are a couple of links.
>>>
>>> https://www.google.com/search?q=site%3Aatlantidepz.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aatlantidepz.it&aqs=chrome..69i57j69i58.4172j0j7&sourceid=chrome&ie=UTF-8
>>>
>>> https://www.google.com/search?q=site%3Aandrea-rubinetterie.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aandrea-rubinetterie.it&aqs=chrome..69i57j69i58.6191j0j7&sourceid=chrome&ie=UTF-8
>>>
>>> Basically search google for site:domain and you will see the "spun text".
>>>
>>> Here is a direct domain (there are many inside of the two files I listed): http://asugroup.ir/bdo-wizard-ziuli/seccomp-bypass-ctf.html
>>>
>>> " seccomp bypass ctf First Seccomp Bypass Study This test will connect to a mail server via SMTP, perform a simple Open Relay Test and verify the server has a reverse DNS (PTR) record. This is the most disappointing and astonishing challenge in this year's DEFCON qual. On Linux, chroot() can be used to break out of a chroot() jail: chroot() does not require your pwd be in the directory that is chroot()'d to the new root. See the complete profile on LinkedIn and discover Ajin’s connections and jobs at similar companies.
>>> From the initial plan we know we must change values on _IO_2_1_STDOUT->file->vtable, and values on the _IO_helper_jumps vtable but there will be a lot of values in the middle because we are overflowing everything from the very beginning, in this case from the stdin we can’t just fill everything with nulls and expect everything to run smoothly , obviously the program will Apr 14, 2020 · Allocate a chunk using leave_feedback function and free it and since the seccomp filters uses heap to allocate its rules the freed chunk will never be merged with top chunk and considering the big size of allocation is 0x501 the freed chunk will go to unsorted bin because tcache bins can only holds size lower then 0x408. Fuzzing {{7*7}} Till {{P1}} This is an SSTI writeup. 1. Current list last refreshed on Tue, 2020-12-29 at 00:22:48 (local time) Microsoft, McAfee, Rapid7, and Others Form New Ransomware Task Force id: | 2020-12-23 15:25:00 Thursday, September 17, 2020 OEM Security Newsalert - 17-Oct-2020. The binary initializes some seccomp rules, and then EN | ZH. Hence, an attacker might gain control over some process of a web browser but seccomp will restrict the set of available syscalls to only those it needs. X. If answer is Y\x00 then it calls set_context() else it calls system("/bin/sh") 12 Jul 2018 Introduction After my tutorial on seccomp, thanks for Google CTF for This post will give the write-up for the execve-sandbox in GoogleCTF. 2 man page for review. areas of specialty include exmpedded/IoT CTF / Capture the Flag and IoT Village CTF: Security Innovation will be hosting the CTF event using their CMD+CTRL platform . com/2020/07/26/security-101-backups-protecting-backups <p>I can already hear some readers saying that backups are an 11 Apr 2019 ROP to Shellcode To ease bypassing of the seccomp filter, let's first set up a ROP Service: nc gissa-igen-01.
>>> HarveyHunt/howm 451 A lightweight, X11 tiling window manager that behaves like vim trailofbits/ctf 451 CTF Field Guide bwalex/tc-play 451 Free and simple TrueCrypt Implementation based on dm-crypt libharu/libharu 450 libharu - free PDF library gittup/tup 449 Tup is a file-based build system. PHP-FPM/FastCGI bypass disable_functions 6. 43 runtime : 6 remark : size (MB) : 1. Posted on December 13, 2020* in ctf-writeups. club MMA CTF 2nd 2016 PPC pwn format string web sql injection heap ASIS CTF Finals 2016 Use After Free fastbin off-by-one shadow stack CSAW CTF 2016 overflow Crypto Forensic padding oracle attack World-first proof-of-principle to bypass Internet kill switches. clMathLibraries/clBLAS - a software library containing BLAS functions written in OpenCL; andrewrk/libsoundio - C library for cross-platform real-time audio input and output View Ajin Abraham’s profile on LinkedIn, the world’s largest professional community. In this post we will give a possible solution to the Weird Chall challenge set in the DEKRA CTF 2020. Vulc at n Difensiva Senior Engineer, DDTEK Hawaii John CTF organizer, Legit Business Syndicate Chris Eagle CTF organizer, DDTEK Invisigoth CTF organizer, Kenshoto Caezar CTF organizer In this onlin "
>>>
>>> Etc. etc. etc. etc.
>>>
>>> Another easy way to spot them is by searching for 3 letter keywords in the past hour. "PCH" is a big one.
>>>
>>> https://www.google.com/search?rlz=1C1GCEA_enUS802US802&biw=1920&bih=937&tbs=qdr%3Ah&sxsrf=ALeKk02CH7HNpzS8urRXOtXxUoV-aiqZUw%3A1610457738956&ei=iqL9X8zwOZfA0PEPyuGm-Ak&q=pch&oq=pch&gs_lcp=CgZwc3ktYWIQAzINCAAQsQMQgwEQyQMQQzIKCAAQsQMQgwEQQzIICAAQsQMQgwEyCAgAELEDEIMBMgQILhBDMgIIADIICAAQsQMQgwEyCAgAELEDEIMBMgIIADICCAA6BAgAEEM6CwguELEDEMcBEKMCOgUIABCxA1DjxxFYxckRYJbLEWgAcAB4AIABpwGIAZ4DkgEDMC4zmAEAoAEBqgEHZ3dzLXdpesABAQ&sclient=psy-ab&ved=0ahUKEwjM3dLLvpbuAhUXIDQIHcqwCZ8Q4dUDCA0&uact=5
>>>
>>> These results are the same with Bing.
>>>
>>> -------
>>>
>>> Here is a new Chrome Extension this malware group is promoting with "download" to continue for search queries:
>>> https://chrome.google.com/webstore/detail/search-and-newtab-by-medi/kgmkoajcbbjaobdbmcnhkppmpnejjpkn
>>>
>>> It has 400,000 downloads and basically changes Google from their default search engine to "MediaNewPage".
>>>
>>> https://malwaretips.com/blogs/remove-medianewpage-search/
>>>
>>> There are pages that talk about how to remove a Chrome Browser Extension Virus, but reporting it does nothing.
>>>
>>> On Mon, Jan 11, 2021 at 11:25 PM Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>>>
>>>> In message <CAMPzqHa0T9PxyjbvA6AFZMOoVVMqipP1OXS8SNa+eY+KtUrQLA at mail.gmail.com>, steve payne <stevenp8844 at gmail.com> wrote:
>>>>
>>>> >There is a huge amount of some type of fraud happening with .it, .pl, .xyz
>>>> >and other domains being registered (see links below).
>>>> >
>>>> > https://docs.google.com/document/d/159Sbik8CkO9WDbLjH_tqAhr-dkpODWS1kt4UULLLfk0/edit?usp=sharing
>>>> >
>>>> > https://docs.google.com/document/d/1z43WugqqgyVjNy6-IPgON118YaE0HxrgRMKbVwW42NM/edit?usp=sharing
>>>> >
>>>> >These links contain a list of over 5,000 domains that are currently
>>>> >spamming search engines with spun text and then cloaking users to malware
>>>> >that have the search engine referrer.
>>>>
>>>> I'm confused. How exactly does one "spam" a search engine?
>>>>
>>>> And what is "spun text", exactly?
>>>>
>>>> Regards,
>>>> rfg
>>>>
>>>> P.S. Please send me via private email the full list of suspicious URLs. I may not be able to actually do anything with those, but I can at least have a look. (For some reason my browser is not allowing me to just cut and paste from your google docs.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20210112/ca3738bb/attachment.html>
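The thread describes pages that show keyword-stuffed "spun text" to crawlers and direct visitors but send visitors who arrive with a search-engine referrer on to malware. The check below is an added example for verifying such a report, not code from the thread, from RIPE or from any party named in it: it fetches (or is handed) two responses for the same URL, one without a Referer header and one with a search-engine Referer, and reports whether the page behaves differently for search-engine visitors, including redirects done with a `Location` header, a `<meta http-equiv="refresh">` tag or a simple JavaScript `location=` assignment. The function names and the `.example` hostnames in the sample responses are constructed for this demonstration.

```python
"""Referer-dependent cloaking check (added example; constructed sample data)."""
import re
import urllib.request
from dataclasses import dataclass, field
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

SEARCH_ENGINE_REFERER = "https://www.google.com/"

# Client-side redirects recognised in the response body (case-insensitive).
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I,
)
_JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I
)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def redirect_target(url, resp):
    """Absolute URL a browser would be sent to by this response, or None."""
    if 300 <= resp.status < 400:
        loc = resp.headers.get("Location")
        if loc:
            return urljoin(url, loc)
    for pat in (_META_REFRESH, _JS_LOCATION):
        m = pat.search(resp.body)
        if m:
            return urljoin(url, m.group(1))
    return None


def same_site(url_a, url_b):
    """True when both URLs are on the same host or one is a subdomain of the other."""
    ha = (urlparse(url_a).hostname or "").lower()
    hb = (urlparse(url_b).hostname or "").lower()
    return ha == hb or hb.endswith("." + ha) or ha.endswith("." + hb)


def detect_referrer_cloaking(url, direct, with_referer):
    """Compare a direct fetch with a search-engine-referred fetch.

    Returns (is_cloaking, reason). Only referer-dependent differences count:
    a site that redirects everybody to the same place is not cloaking.
    """
    direct_target = redirect_target(url, direct)
    ref_target = redirect_target(url, with_referer)
    if ref_target and ref_target != direct_target:
        if not same_site(url, ref_target):
            host = urlparse(ref_target).hostname
            return True, f"search-engine visitors are redirected off-site to {host}"
        return True, "search-engine visitors are redirected, direct visitors are not"
    if direct.status != with_referer.status:
        return True, f"status differs: {direct.status} direct vs {with_referer.status} with referer"
    return False, "no referer-dependent behaviour observed"


def fetch(url, referer=None, timeout=10):
    """Live fetch without following redirects (network; not used by the demo below)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urlopen then raises HTTPError for the 3xx instead of following it

    headers = {"User-Agent": "Mozilla/5.0 (cloaking-check)"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers), r.read(4000).decode("utf-8", "replace"))
    except HTTPError as e:
        return Response(e.code, dict(e.headers), e.read(4000).decode("utf-8", "replace"))


# Constructed sample responses (not captured from any real site).
SAMPLE_URL = "http://hacked-site.example/wizard/seccomp-bypass-ctf.html"
# Direct visit or crawler: HTTP 200 with keyword-stuffed filler text.
SAMPLE_DIRECT = Response(200, {"Content-Type": "text/html"},
    "<html><body>seccomp bypass ctf open relay test padding oracle attack</body></html>")
# Same URL with a search-engine Referer: client-side redirect off-site.
SAMPLE_WITH_REFERER = Response(200, {"Content-Type": "text/html"},
    '<html><head><meta http-equiv="refresh" content="0;url=http://malware-landing.example/go.php?q=pch">'
    '</head></html>')

if __name__ == "__main__":
    verdict, why = detect_referrer_cloaking(SAMPLE_URL, SAMPLE_DIRECT, SAMPLE_WITH_REFERER)
    print(f"{SAMPLE_URL}: cloaking={verdict} ({why})")
    # Live use: detect_referrer_cloaking(u, fetch(u), fetch(u, SEARCH_ENGINE_REFERER))
```

Running the same pair of fetches from a second vantage point (a different network, or with a common browser User-Agent versus a crawler one) catches operations that key on IP reputation or User-Agent as well as on the Referer; the comparison logic is unchanged, only the inputs differ.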