It’s been one month since I noticed an increase in number of malware communication to a certain IP: 185.6.242[.]251 and the trend has not slowed down in the last 30 days.
The total of web panel malware seen the last 30 days is totalling 97 as of this morning, as shown in this bar graph.
The distribution of malware C2 seen on this ip is uneven. Most are Lokibot and Pony instances, a few ISRStealer, LiteHTTP and Citadel have also been noticed.
A few stats:
- 1 IP
- 5 malware families
- 30 Days
- 47 Domains
- 97 C2 Web panel instances
- 222 MD5 hashes
| malware | panel_url | date |
| Citadel | www.dtron.gdn/testimony/cp.php?m=login | 20180420 |
| Citadel | nsdic.pp.ru/pilot/cp.php?m=login | 20180421 |
| ISRStealer | sellychukwu.ru/PHP/ | 20180412 |
| LiteHTTP | posalive.su/login/ | 20180413 |
| Loki | bellegin.ru/don-cha11/pen.php | 20180412 |
| Loki | bellegin.ru/doncha10/pen.php | 20180412 |
| Loki | bellegin.ru/oshok/pen.php | 20180412 |
| Loki | gokuu.club/ckan/PvqDq929BSx_A_D_M1n_a.php | 20180412 |
| Loki | lidgeys.ru/buch-k/pen.php | 20180412 |
| Loki | lidgeys.ru/buch-m/pen.php | 20180412 |
| Loki | papgon10.ru/davidm/pen.php | 20180412 |
| Loki | papgon10.ru/don-12/pen.php | 20180412 |
| Loki | papgon10.ru/kennyB-1/pen.php | 20180412 |
| Loki | papgon10.ru/oshok-two/pen.php | 20180412 |
| Loki | gokuu.club/M/PvqDq929BSx_A_D_M1n_a.php | 20180414 |
| Loki | braithwalte.co.uk/konvict/five/PvqDq929BSx_A_D_M1n_a.php | 20180418 |
| Loki | finelets.ru/fankzu/pen.php | 20180418 |
| Loki | finelets.ru/buch-x3/pen.php | 20180420 |
| Loki | finelets.ru/buch-x4/pen.php | 20180420 |
| Loki | topreadz.ru/willy-1/pen.php | 20180420 |
| Loki | lidgeys.ru/buch-x2/pen.php | 20180421 |
| Loki | domainsender.info/moon/five/PvqDq929BSx_A_D_M1n_a.php | 20180422 |
| Loki | dunysaki.ru/buch-x5/pen.php | 20180423 |
| Loki | joanread.ru/work-1/pen.php | 20180423 |
| Loki | dunysaki.ru/stephen/pen.php | 20180424 |
| Loki | topreadz.ru/alexbe/pen.php | 20180424 |
| Loki | unifarmex.net/Dstan/Panel/five/PvqDq929BSx_A_D_M1n_a.php | 20180424 |
| Loki | braithwalte.co.uk/smith/five/PvqDq929BSx_A_D_M1n_a.php | 20180425 |
| Loki | dunysaki.ru/doncha-2/pen.php | 20180425 |
| Loki | lidgeys.ru/buch-l/pen.php | 20180425 |
| Loki | vopspyder.website/log/five/PvqDq929BSx_A_D_M1n_a.php | 20180425 |
| Loki | annamadums.ml/jazzy/PvqDq929BSx_A_D_M1n_a.php | 20180426 |
| Loki | domainsender.info/sun/five/PvqDq929BSx_A_D_M1n_a.php | 20180426 |
| Loki | papgon10.ru/don-one/pen.php | 20180426 |
| Loki | vopspyder.website/home/five/PvqDq929BSx_A_D_M1n_a.php | 20180427 |
| Loki | joanread.ru/decap/pen.php | 20180429 |
| Loki | vailablity.ml/vaila/PvqDq929BSx_A_D_M1n_a.php | 20180430 |
| Loki | braithwalte.co.uk/blam/five/PvqDq929BSx_A_D_M1n_a.php | 20180502 |
| Loki | unifarmex.net/hsp1/Panel/five/PvqDq929BSx_A_D_M1n_a.php | 20180502 |
| Loki | unifarmex.net/nesto/Panel/five/PvqDq929BSx_A_D_M1n_a.php | 20180502 |
| Loki | viettrust-vn.net/samii/PvqDq929BSx_A_D_M1n_a.php | 20180502 |
| Loki | braithwalte.co.uk/block/five/PvqDq929BSx_A_D_M1n_a.php | 20180503 |
| Loki | ultrainstinct.ru/file/exe/five/PvqDq929BSx_A_D_M1n_a.php | 20180504 |
| Loki | lidgeys.ru/buchX-1/pen.php | 20180505 |
| Loki | topreadz.ru/doncha-3/pen.php | 20180507 |
| Loki | bollingoes.ml/ngoes/PvqDq929BSx_A_D_M1n_a.php | 20180508 |
| Loki | cadjetbums.ml/tbums/PvqDq929BSx_A_D_M1n_a.php | 20180508 |
| Loki | erintoba.info/bbbb/Panel/five/PvqDq929BSx_A_D_M1n_a.php | 20180508 |
| Loki | eriousimen.ml/eriou/PvqDq929BSx_A_D_M1n_a.php | 20180508 |
| Loki | lidgeys.ru/eddy/pen.php | 20180508 |
| Loki | thousandan.ml/andan/PvqDq929BSx_A_D_M1n_a.php | 20180508 |
| Loki | uy-akwaibom.ru/vinho/Panel/five/PvqDq929BSx_A_D_M1n_a.php | 20180510 |
| Loki | wheelonexs.ml/wheel/PvqDq929BSx_A_D_M1n_a.php | 20180510 |
| Pony | hypercosine.ml/cosi/hyper/admin.php | 20180412 |
| Pony | preutainer.ml/aine/preut/admin.php | 20180412 |
| Pony | rolexkings.ml/king/rolex/admin.php | 20180412 |
| Pony | theonlygoodman.com/dort/admin.php | 20180412 |
| Pony | theonlygoodman.com/sekiz/admin.php | 20180412 |
| Pony | theonlygoodman.com/yedi/admin.php | 20180412 |
| Pony | vinglosine.ml/osin/vingl/admin.php | 20180412 |
| Pony | theonlygoodman.com/bes/admin.php | 20180413 |
| Pony | erintoba.info/user/admin.php | 20180414 |
| Pony | theonlygoodman.com/alti/admin.php | 20180414 |
| Pony | cuogargaming.com/sop/admin.php | 20180416 |
| Pony | irishgrind.ml/irish/grind/admin.php | 20180417 |
| Pony | hostelunke.ml/lunke/hoste/admin.php | 20180418 |
| Pony | efficienci.ml/ienci/effic/admin.php | 20180419 |
| Pony | grandmoney.ml/money/grand/admin.php | 20180419 |
| Pony | theonlygoodman.com/on/admin.php | 20180419 |
| Pony | centranets.ml/anets/centr/admin.php | 20180420 |
| Pony | dazzlelogs.ml/elogs/dazzl/admin.php | 20180422 |
| Pony | gokubid.review/chife/panelnew/admin.php | 20180423 |
| Pony | gokubid.review/indo/panelnew/admin.php | 20180423 |
| Pony | carikapapa.ml/apapa/carik/admin.php | 20180424 |
| Pony | cuogargaming.com/klinsnip/admin.php | 20180424 |
| Pony | braithwalte.co.uk/bass/admin.php | 20180425 |
| Pony | pharma–partners.com/bfayz/admin.php | 20180425 |
| Pony | theonlygoodman.com/dokuz/admin.php | 20180425 |
| Pony | uy-akwaibom.ru/wise/Panel/admin.php | 20180425 |
| Pony | pharma–partners.com/nonib/admin.php | 20180426 |
| Pony | taineruder.ml/ruder/carik/admin.php | 20180427 |
| Pony | totalguage.ml/guage/total/admin.php | 20180427 |
| Pony | pharma–partners.com/twst/admin.php | 20180428 |
| Pony | viettrust-vn.net/juzz/admin.php | 20180502 |
| Pony | braithwalte.co.uk/ajjuu/admin.php | 20180503 |
| Pony | carikapapa.ml/carik/admin.php | 20180503 |
| Pony | irishgrind.ml/grind/admin.php | 20180503 |
| Pony | stauniverseqp.com/roks2/admin.php | 20180503 |
| Pony | bundletops.ml/bundl/etops/admin.php | 20180504 |
| Pony | stauniverseqp.com/office1/admin.php | 20180504 |
| Pony | viettrust-vn.net/adin/admin.php | 20180507 |
| Pony | hostelunke.ml/lunke/admin.php | 20180510 |
| Pony | suruperet.ml/eret/surup/admin.php | 20180510 |
| Pony | taineruder.ml/ruder/admin.php | 20180510 |
| Pony | theonlygoodman.com/aman/admin.php | 20180510 |
| Pony | dunysaki.ru/buch-A3/admin.php | 20180512 |
| Pony | thousandan.ml/lumin/sop/admin.php | 20180513 |
