Locker Post Compromise Traffic

Very Noisy Malware.

HTTP Request Method = GET
Content-type = application/octet-stream
HTTP URI ends with *.php OR *.html
Regex HTTP URI for "\/[a-z-_]{70,}\.(php|html)$" OR "\/([a-z]+(\-|_)){5,}(\-|_)?\.(php|html)$"

Examples:

http://dbtnw.ru/oa-hjyq-ybtisddnxojg-tskorpvqvrdg_ksauqkddxxrcelpaehsdceal-alla-ousu-mrwfqs-xjytcnxignohzh-qt.php
http://wvrxe.su/cgcgcgcg-cgcg_cgcgwp-ezpl-htqu-oaysvpuxoncu_vtpt-wiko-jxus-ixwgjuykxsvi_nehtxjlldgcbdmbadukseb-.php
http://dbtnw.ru/cu-opvkdgksbafvsu-oayhrn-dwmr-yejz-nlxtxyfrrcawrtez-jwfr-yvtecotumsdn-vait-dify-pipt-narpjkduuq.php
http://wvrxe.su/dhxsdknq-zajpfcgtvyzv_cegonl-eljv-mpph-kqsy-mxfyiprakylgop_fzgo_ohlxprrtxiyn-hcgb-nhbtiqfrcosh.php

http://proimagecreativeservices.com/forums/vkwqahirbdwviurviuujvsgusnsgazrxryqf-xtorlp-htxadiamwi-plgc-plspnnlwenogdkyxtm_dklbsncxny.html
http://proimagecreativeservices.com/news/kwnnjrwsjspvefgz_gkig_qqsl-jruu-rrjrhioprrbp-qvkvfqhuwjdkcpzk-ylwk-mtnc-afzfbfksynfl_xtwqaq-el.html

http://unknownbringing.asia/news/bheyvibfiqfzcjynvnvyqclidgtskfdhsnpi-ysjkqzllys-nwfz_tfrpqkxovpdf-gtjzkbjhptdaxtjlwflzcu-.html
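The following Python is an added example, not code from the original post: it turns the four criteria above (GET, application/octet-stream, .php/.html URI, one of the two regexes) into a small detector and runs it over a constructed proxy-log sample that mixes the post's own URIs with benign lookalikes. The log format (METHOD URI CONTENT-TYPE, space separated) and the example.com URIs are assumptions made for the demonstration; the Content-Type field is treated as whatever header the sensor recorded for the transaction. The hyphen in the first character class is moved to the end so no regex dialect can misread "z-_" as a range; the matched character set is unchanged.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# The two URI patterns from the post. "(-|_)" is the post's "(\-|_)"; the
# escaping is unnecessary in Python and the meaning is identical.
LONG_SLUG_RE = re.compile(r"/[a-z_-]{70,}\.(php|html)$")
MANY_SEGMENTS_RE = re.compile(r"/([a-z]+(-|_)){5,}(-|_)?\.(php|html)$")


@dataclass
class HttpRecord:
    method: str
    content_type: str   # Content-Type header recorded for the transaction
    uri: str


def which_patterns(uri: str) -> Tuple[bool, bool]:
    """Return (long_slug_hit, many_segments_hit) so analysts can see which
    of the two regexes actually fired on a given URI."""
    return (LONG_SLUG_RE.search(uri) is not None,
            MANY_SEGMENTS_RE.search(uri) is not None)


def uri_matches(uri: str) -> bool:
    # Both regexes end in \.(php|html)$, so they also enforce the
    # "URI ends with *.php OR *.html" criterion.
    return any(which_patterns(uri))


def matches_locker_rule(rec: HttpRecord) -> bool:
    """All four criteria from the post must hold."""
    ctype = rec.content_type.split(";", 1)[0].strip().lower()  # drop charset etc.
    return (rec.method.upper() == "GET"
            and ctype == "application/octet-stream"
            and uri_matches(rec.uri))


def parse_line(line: str) -> HttpRecord:
    """Parse one line of the constructed log format: METHOD URI CONTENT-TYPE."""
    method, uri, ctype = line.split(" ", 2)
    return HttpRecord(method, ctype, uri)


# Constructed sample log. The first five URIs are the post's own examples; the
# example.com entries are made-up benign traffic. Lines 4 to 7 are deliberate
# near misses: wrong Content-Type, wrong method, short slug, short path.
SAMPLE_LOG = """\
GET http://dbtnw.ru/oa-hjyq-ybtisddnxojg-tskorpvqvrdg_ksauqkddxxrcelpaehsdceal-alla-ousu-mrwfqs-xjytcnxignohzh-qt.php application/octet-stream
GET http://wvrxe.su/cgcgcgcg-cgcg_cgcgwp-ezpl-htqu-oaysvpuxoncu_vtpt-wiko-jxus-ixwgjuykxsvi_nehtxjlldgcbdmbadukseb-.php application/octet-stream
GET http://unknownbringing.asia/news/bheyvibfiqfzcjynvnvyqclidgtskfdhsnpi-ysjkqzllys-nwfz_tfrpqkxovpdf-gtjzkbjhptdaxtjlwflzcu-.html application/octet-stream
GET http://proimagecreativeservices.com/forums/vkwqahirbdwviurviuujvsgusnsgazrxryqf-xtorlp-htxadiamwi-plgc-plspnnlwenogdkyxtm_dklbsncxny.html text/html
POST http://dbtnw.ru/cu-opvkdgksbafvsu-oayhrn-dwmr-yejz-nlxtxyfrrcawrtez-jwfr-yvtecotumsdn-vait-dify-pipt-narpjkduuq.php application/octet-stream
GET http://example.com/this-is-a-normal-five-part-slug.html text/html
GET http://example.com/index.php application/octet-stream
"""


def scan_log(text: str) -> List[str]:
    """Return the URIs of every log line that satisfies the full rule."""
    return [rec.uri for rec in map(parse_line, text.splitlines())
            if matches_locker_rule(rec)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT Locker-style beacon:", hit, which_patterns(hit))
```

Running this flags only the first three log lines. Two things worth knowing before deploying the patterns: the second regex requires the slug to end in a separator right before the extension, so on the post's samples it only fires for the two URIs ending in "-.php" / "-.html", while the 70-character rule catches every one of them; and because both patterns are anchored with "$", a URI carrying a query string would not match, so apply them to the path component if your sensor logs the full request line.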
