Channel: Krypt3ia – Krypt3ia

Shadow Brokers: Scylla Hacking Store


Welp, I found the darknet site for the ShadowBrokers’ new monthly dumps service this morning. The site’s proper name according to the masthead is Scylla Hacking Store, and if you Google “Scylla Hacking” you locate a tool and a preso by two Colombians from DC20 called “Scylla, because there is no patch for human stupidity”, which makes me wonder if this site name is a double entendre: perhaps the tool was used to hack the NSA, and the cut line of “There is no patch for human stupidity” implies that it was something really stupid that led to this compromise of the NSA. Of course that is all supposition on my part, but the more I look at this site and the attitudes of the Shadow Brokers, the more I tend to think I am onto something there. I mean, they aren’t that subtle, right?

The site requires you to create a login and uses the proper security protocols as passwords go, BUT, as you are on the darknet, the one thing that gives you pause is that they require Java to do business with the site, and that is a no-no in the darkwebs. So I temporarily allowed the site and created an account so I could have a look around. The site has more than a few sections selling their wares, and those now include APT exploits not only from the US but, it seems, from other countries and actors like Cozy Bear (using the CrowdStrike terminology for Russian actors). They have the old favorites too, from FuzzBunch payloads and sources to DoS tools and other goodies for sale, so it seems we are now seeing all the things they have that may or may not have come from their hacking of the NSA?

When you create an account the site generates a bitcoin wallet for you and then you have to transfer funds to it for transactions, it is literally their wallet and you are gaining points or credits to buy the exploits you want. I checked the wallet and there is in fact a zero balance so perhaps they are generating them on the fly or this wallet is in use by the brokers as the sole one? In any case, they have come through as promised before that they would create the dumps service and now they are using the bitcoin once again as their means to an end.

Overall it seems that whoever is behind this not only has NSA’s trove but also a bunch of other exploits, tools, 0day, etc. They are in the market for making money this time and they are carrying it all out in the darknet.

So, is this Russia or is this DPRK?

Who needs money?

I know a guy…

Maybe….

Honestly though, for the longest time this group has, to me, seemed to be GRU/FSB fuckery, but now with this whole money making scheme I am not so sure anymore. Of course it could be RU just fucking with everyone and making it look like maybe it is ol’ Un. I mean, with the fake written Asian dialect it is easy to see that someone is trying to make it look like it’s Lil Kim and his Funky Bunch… Meh, it’s all just games anyway. We live in interesting times though. I guess I should now just look forward to another group of hackers trying to crowdsource funds to send them the bitcoins for these sploits, huh?

Derp.

K.



Nyetya, Being Downrange, and Active Measure Campaigns in Ukraine


While all the AV/TI/INFOSEC firms have been masturbating to the latest outbreak of system-degrading malware, I have been sitting back after ensuring that my environment has not been hit, nor anyone connected to it. Since the reversals and the inevitable attribution fuckery cycle have spun up, I have been pondering things outside the usual whodunnit. Lesley Carhart had a good post on why one should worry about such attacks and this kind of malware, which people should read; I want to go a different route. What I want to talk about is motivation and, with that motivation, yes, who is more likely to have carried out the attack. In this case we have yet another piece of malware that was either well coded or poorly coded depending on who you talk to. It was targeted or not targeted depending on who wants to sell you a service, too. Well, I have nothing to sell you all, I just want to point out some interesting things regarding the whole mess.

The one simple fact that the malware used a Ukrainian tax software (MEDoc) as the means of initial attack is telling. The timeline on this also pretty much shows (and I experienced this from messages to me the day of the incident) that Ukraine was patient zero. By looking at the image below from the linked page you can see that a great swath of Ukrainian infrastructure was hit on the 27th. Coinciding with this malware attack, later in the day several military and government individuals were assassinated in Ukraine as well. Are you starting to see a pattern here?

Recently Wired had a big article on how some in the security community had been feeling that Ukraine was the testbed for Russian active measures in the cyber warfare battle space, and this is something I agree with. They have been using active measures of this nature for some time. In fact, I actually located some malware last year in dumps of the Russian media company created by Putin to be a propaganda and intelligence wing for Russia in the region. The attacks on the Ukrainian elections as well as the electrical grid, now twice, by “unknown actors” (Russia) (insert stupid code name from TI firm HERE) have shown just how willing the Russians are to use such technologies in the region. Understanding what they are doing, though, needs more than the myopia of reverse engineers and sales people in the security space to impart it to you, so I will put it plainly here for you:

  • Russia is carrying out an all-out war against Ukraine, and they are now using malware as a means to an end to deny, degrade, and deter the Ukrainian people and their government from being their own.
  • Russia’s use of these malware attacks has a secondary but important psychological function: to bolster the idea that the Ukrainian government cannot protect itself nor its people.
  • Russia’s use of these kinds of measures is just another part of the playbook to add to the battle-space.

The Russians get the advantage of using these techniques on Ukraine and no one is stopping them. They also get the advantage of a smaller state infrastructure to attack, which means more amplification of the effects on the populace. In larger states it is harder to carry these out and it obviously would take much more effort. In fact, in the case of the Russian meddling in the US elections last year, one can see how much effort it took on the Russians’ part to carry out the attacks, but also how a larger and more diffuse infrastructure gives varying levels of return. Alas, for poor Ukraine you can see just how effective such attacks on infrastructure can be at degrading and perhaps disenfranchising the general populace. I heard one comment from a Ukrainian that just bespoke their resignation to the interruptions, as they happen so much. All of this, though, demoralizes the population, and in the case of Ukraine, since the Maidan event, they have fought hard to stay free, and that is why Russia is ramping up their attacks.

So yeah, my money is on Russia and I will stick with Occam’s razor on that one. Now, on other thoughts about this malware and Wannacry, I just have to once again muse about how we have now reached a place where malware is reaching parity with bio weapons. I say this in the sense that malware like Nyetya and Wannacry both had unintended consequences once released, either willfully or by accident. They broke out of their cages, their battle-spaces, and began to infect the populace globally. Instead of having some poor shmuck getting on a plane and infecting the world, we now have malware that is either scanning the net for clients to attack or being sent out and then forwarded by accident (or on purpose) by actors. Could some of the infection vectors and trajectories be chaff to obscure the real targets? Sure, but I think in these last two cases the attackers perhaps did not take into account the interconnectedness of the world today.

….Or that’s exactly what they counted on…

Anyway, those are my thoughts on the subject. We are at a crossroads where malware like this can cause headaches but in the end, the world did not end did it?

Did I miss it?

Damn.

EDIT: I also failed to mention that this attack took place one day before their Constitution Day, ya know, that thing where they proclaim they are not a part of Russia. Mmmmmyeah…

Wednesday, June 28: Constitution Day marks the signing of the Constitution of Ukraine in 1996.

K.


Eugene and the DoD


Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news, and now the Putin administration is threatening “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below… Go ahead, read it…

Ok, done? Yeah, Eugene was in the KGB school and he worked for the GRU too, according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times when the cold war was in a deep freeze. Fuck, just go watch The Americans and then come back… I will be waiting…

Ok, watched them all, have we? So now you know how it was to live in the 80’s, huh? Well, there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?

Fuck you.

FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.

Right, so now back to the present unpleasantness: it seems that Eugene is now offering a code evaluation to anyone who wants it (specifically the DoD), so pretty pretty please buy our shit? Look, it’s not about the code; we don’t necessarily think there are backdoors in the product now. No, the worry consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB, and certainly NO ONE says NO to Putin, right?

Imagine that Eugene’s software is clean as a whistle.

Now imagine that it is sitting on many USGOV and MIL systems.

Now imagine that all that telemetry from those systems is going to RUSSIA.

Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”

Think about that hacker kids.

Think about that you spies too.

You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?

So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….

So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?

Yeah neither do I.

K.


2017 Krypt3ia Kryptos Crypto Challenge!


Solve the cipher.

Follow the instructions.

Collect your prize.

You have until 7.30.17 to complete.

CIPHER:

RGILGNCMDENEDJRNMANNJFNLNILJDICLKLOFCNONARMJCTDIORIMCHDIKLHANIJNIEEEGICJO

FEBMLEHFLIFINRLIAREKEOLIPRKKMOEDBORIPRECRMNNDDDLGHNNLJINGKHJHRPARNMIIJNGH

AHOTCLHJSAHDNJOEPESMREDIDINCOEIPLJDICLKLOFINHDNMMBJCRBTODKBLRILSITLDLSIIINIIE

HHMFEMBRGILGNRHMCMHGFHIDJNDDLRLICHMLMMINCIIKRILEEGFGTMCNI



The Psychopath: A Darkweb Manifesto


The darkweb spider kicked out an interesting albeit kind of freaky site this morning for me. The site “The Psychopath” has a long rambling diatribe on how the world has become too domesticated and that this group, the psychopaths, are starting a war against “the man”, so to speak. I honestly had a hard time reading this darkweb manifesto because it is poorly written in a long-winded sort of way, and it also reminded me greatly of Ted Kaczynski’s rant that he sent to the New York Times and other papers back in 1996. The rambling text with the pseudo-educated diatribe on this site reminds me of Ted’s particular bent about society and its ills. In this case though it seems that the creators have a grudge against society’s conformity.

The site names names of targets they have in mind and claims there will be actions against them, while seeking to entice you yet scare you to their position and call to action. I will keep an eye on this one to see what else comes of it and perhaps do a little more digging on the clearnet for hints as to the person(s) involved. Until then, I leave you with the full screenshot, uploaded here for you to read through. It seems that they set up the robots.txt well so I could not wget it.



I Am Danny Glover: I Am Too Old For This Shit


Welp, I am gonna say what others I interacted with this year at Defcon imparted in person. Just gonna rip the Band-Aid right off, no Bactine, nada…

Defcon has become too big for its own good.

There, I said it…

*waits for inevitable whining and recriminations from those who love it and run it*

Really though, the congestion even in Caesar’s was too much to deal with, and certainly the fact of getting into lines and then not seeing the talk because you were too far down said line is… Well… Disappointing, to say the least. Add to this that you can see the media later online, so why the fuck am I going to attempt to brave the hordes and pay $260 to attend? Everyone says “HallwayCon” now, but even that was stupefyingly impossible because the traffic analysis had been fubar’d for this one.

Nope, I am just too old for this shit now. The paradigm of “BlackHat is the new RSA, Defcon is the new BlackHat, and Bsides is the new Defcon” is really true, I think. I had a better time at Bsides and actually got to have substantive educational interludes as well as conversations there. I attended BlackHat this year and had classes, and I also have to say that the classes were excellent but the presentations were a bag of fail, but hey, at least I got to see them. A special note goes out to Matt Suiche for a spectacular fail on slides with large blocks of text and his inability to speak English clearly for the ShadowBrokers presentation. In fact, let me also add that he did not add anything to the discourse on the subject by just regurgitating, in large blocks of text on screen, things we all could just Google.

But I digress…

It seems to me now in hindsight that the only way one will get good content and a hassle-free way to consume it is to pay exorbitant fees to see it, so all the other kids aren’t there rubbernecking in front of you, gawping at all the shiny shiny. Even if you have to listen to the likes of the CISO of FaceCult drone on about how they are going to save the world in between laser light shows (YAY HOOLICON!).

Jesus fuck I am too old for this shit…

Next year maybe I will just do SANS…

Dr. K.


Flash Drives for Freedom


At Defcon the one highlight of the con for me was seeing Flashdrives for Freedom having a booth in the vendor area. If you have not heard of them before, they are a group that is infiltrating news, movies, and messages into the hermit kingdom by passing USBs from China over the river. Information reaching the general populace in DPRK is a fundamental means of attempting to bring some freedom, at least of information and thought, to the North Korean populace, who only have the propaganda machine of Un constantly pressuring them into utter compliance.

Some of you may be asking yourselves, “Wait, they have computers that can use USB?” The answer to that is yes, some do, but many more have phones that can take USB (many Asian phones have USB ports as well as micro USB) in addition to media players that can handle USB and play videos of varying types. So yes, if you send a drive these people can then turn that into a means of getting real news and information from the free world to North Korea. If we can get more USBs to Flashdrives for Freedom, that means more data can be infiltrated, which in turn means that more people in the North can get the truth.

In turn, if more people have a feed of information then perhaps more of them can pass that along to others there… And if more people pass that on… Well, maybe some change can happen there, right? At the very least, given everything that is happening RIGHT NOW, would it not make more sense to get as much information to the North Koreans as we can? So please, go through your junk drawers and pull out all those old USB sticks and micro drives and send them to Flashdrivesforfreedom.org by going to their page and following the instructions there.

I know you wanna.

If for no other reason than to poke ol’ Un in the eye right?

Go on… Empty that drawer of USBs.

Dr. K.


Inspire 17 Train Derail Operations


Inspire is back trying to “inspire” the jihadis after taking a forced hiatus after many of the AQAP magazine’s creators got whacked by some raptor Hellfire missiles. The latest installment is a call for those would-be “lone wolves” in the USA to take up arms against our trains, it seems. As usual from Inspire we have the normal calls to jihad using their interpretations of the Koran to push the agenda of radical terrorism. The long-winded screeds on the rationalization of killing civilians are just that, long-winded, and overall do not conform to anything but their own desires to kill and maim anyone who does not believe as they do. Honestly, I think if Saladin came back from the dead and saw this shit he would be bitch slapping them all the way back to Medina, but here we are today again dealing with AQAP and AQ as Da’esh’s alleged caliphate crumbles and the movement dies a slow death.

To be honest, the actions of those who claimed to be with Da’esh here in the States were to me just mentally unstable persons who needed an outlet to feel important and not impotent, so they went on rampages. Da’esh has never had the reach in the States that they seem to have had for a brief time in Europe, but now they are marginalized enough to say that they are not a serious mass casualty threat in the way that AQ and AQAP still are. As terrorist groups go, AQ and its subs have a far better grasp of OPSEC and operations as well as money and capabilities that we should still be worrying about. With this issue of Inspire not only do we see that they have re-constituted their graphics department but also that they see the power vacuum that is taking place as Da’esh declines and becomes more marginalized.

Not only are they seeing their opportunity, they are also kind of calling out Da’esh in this issue for stealing their ideas, down to the fact that Da’esh whole cloth plagiarized their magazine format and ideas for their own with the Dabiq knockoffs they pimped over the years. It is amusing to watch as AQAP calls out Da’esh with the graphic above and chides them over failed operations as well as calling into doubt the operators’ choices, like that of Sideeq (Orlando) for going after only “one” group. Basically they spent some time on the graphic to slap Zarqawi’s monsters for their lack of righteousness and operational planning. All in all it is just a slap fight between the overly pedantic AQ org with Ayman as their leader and Da’esh, with their Schrödinger’s Imam Baghdadi. The problem is that the precepts of both of their movements are advocating this open source jihad that AQAP invented, something that is now even being used by the white supremacists in actions like those in Charlottesville, VA this last weekend.

This is the new old problem that we always have been facing but never seem to be able to grapple with on how to stop. These magazines are passed out online and end up in many places, including archive.org, for anyone to grab. I got this one from <REDACTED> when it came out over the weekend but seriously, the genie is out of the bottle with this stuff. With this latest iteration though, AQAP has given a lot of thought to honing their exhortations to open source jihad with a simple yet effective attack and vector: trains. The choice of trains is kind of a change for the AQ set in that for the most part they have advocated going directly for people and places where they congregate in the past. Now, with train attacks they can maximize damage and buzz with events that could cause not only deaths but mass deaths as well as huge news coverage.

Train attacks always remind me of T.E. Lawrence and the attacks he and the Arabs carried out on Turkish trains in WWI. These actions really did help stop Turkey from retaining power in the region during the war, using asymmetric destruction of trains and tracks to damage or halt the supply chain for the Turks. In this modern scheme put forth by AQAP, they have moved the bar lower in many ways by not calling on their lone wolves to create and use explosives so much as to use a tool to derail the trains in hopes of a 1970s car flip explosion kind of thing. I have to say though, were they able to carry off the attack that they direct their followers to perform, it could be rather messy depending on the train and its load.

The device the OSJ is proposing is a tool that the railroads have themselves but may be harder to acquire, so these guys have plans to make your own in your mom’s kitchen (old joke). Anyway, the device is called a derailer, a simple piece of metal that attaches to the tracks. Its function is simple enough: it raises and diverts the wheels off the track and boom, derailment. This has been used as a stopgap for runaway trains, I hear, and for other functions that I do not care to go Google up right now. In this case though the Inspire folks want their minions to use it to derail trains off of high cliffs or into buildings, from what they allude to in the magazine. Of course their solution to making one seems a bit too low-tek DIY and might just smash into bits as the train hits it, from what I am looking at.

I will not go into detail on the fabrication of the device they present to the lone wolves, but suffice to say that I believe the chances of success for this thing are low. Perhaps if they had access to a serious 3D printer and some strong plastic, maybe, but not with what they have laid out in this issue. However, I could be wrong, and others out there may do their own mods to the fabrication process to make something more sturdy. If the thing works then it could be problematic and we could see some derailments come to pass. So yeah, the tech may work, and the magazine spends some more time after the fabrication phase on the planning and carrying out of the attack phase, with targeting advice that includes quite a bit of open-sourced information on the railroads in the USA.

Recently at BlackHat, Kodor and I talked about OSINT being used to attack infrastructure by targeting leaked documentation and information. Well, it seems that the Inspire folks have the same idea here. In laying out the attack scenarios they give up some key points on the railroads, their weak spots, and the collateral damage from various scenarios of attack using the derailer. They also allude (as you can see from the picture above) that the attack is easier to hide and harder to detect if done properly. Honestly, I think that last bit will be easy to see; I mean, are they expected to run into the derailment and grab their tool back? One would assume too that unless you do a real job of it, one would leave forensically viable evidence in the device, so it could be tracked back to the culprit(s).

Frankly, I should think that the DHS and other groups have a copy of this open on their desktops too right about now and are working up some TLPs for the railroads and authorities. I hope that is the case, because this one is easy enough for the usual lone wolf jihobbyist to try at home without much effort and without blowing themselves up. The question for me now is where will these guys try this? The exhortations are to do so with the most flare to cause the most fear. Honestly, if they wanted to just be a pain in the ass and mess with the supply chain they could go out anywhere in the wilds where tracks are and pull this off. I guess time will tell, but a recent link sent to me at least has this idea in the forefront of the minds of the security wonks for railroads.

Let’s hope they take Inspire’s scenarios as seriously.

K.



Extortion Phishing: So, closer to the point. You surfed the internet with роrn, which I’ve placed with the virus…


A series of extortion emails have gone out this last month that caught my eye. The phish are simple, straightforward attempts at extorting users by claiming they had been hacked and watched surfing porn. The phishers then demand that the user pay a certain amount of bitcoins to them and all their trouble will go away. Basically it is the equivalent of the old “Say, that’s a nice family you have there, it’d be a shame if something happened to it” routine familiar to anyone who has seen a mafia movie. I had a user get one and so I began the usual looking around to see if more came in and what the deal was with it. Once I began Googling key words and phrases I saw that this had been making the rounds since at least August 14th and that this last round had actually made some money for the extortionists.

I then began the usual OSINT on the domain that the emails came from after collecting as much info as I could from Reddit and other places where people had mentioned the extortion attempts. What I came up with is an arcology of malware and phishing that seems to tie back to one individual in Ukraine who may be the nexus of it all. Before I go down the OSINT rabbit hole though, I just want to take a moment to consider this threat and the psychology of it. One might think that if you got this email you would just laugh it off and then trash it. Some people though had guilty minds or had in fact been surfing “the porn”, as we all do mind you (come on, you all do and you know it!), so they got worried and they actually paid this guy off to make it all go away, and this is interesting to me. Do those who paid really think that an extortionist, once successful at getting them to pay, will just walk away after such an easy exploit?

*shakes head*

You fools…

Anywho, it seems that even a non-exploit exploit of just threatening a user’s browsing habits with “I am gonna email all your contacts with your pron habits” can work and potentially give the attacker some pin money at least. So I tracked the emails and the IPs that these came from to Ukraine. Specifically, to a subnet of systems owned by one guy: Roman Shurbarev.

From: return@aukcion.org

Received: from nat5.aukcion.org (nat5.aukcion.org [188.225.27.25])

As you can see there are porn like sites in there…

The domain owner owns not only the domain in question that was set up as a mailer for these phish but also a string of other domains connected to other malware and phish sites and activities that include, wait for it… Wait… Ransomware! Yup, this guy has it all goin on! Now, when I started poking at the system that this all came from I ran an Nmap and the shit is tight: there were no open ports and the firewall was filtering everything, so I kinda doubt that this guy has been popped and is being used as a relay for these. So I went on to profile all his domains and got the following malware connections:


PICK A MALWARE! ANY MALWARE!

So yeah, this guy has many bad connections but not anything directly connected to his domains themselves that I could see, at least in the sense that they were hosting the malware or being used as a C2. Now though I would like to talk about the money. These poor fools who actually paid this scammer have netted him about .28794615 Bitcoins which is about 80516.75 Rubles or $1,375.29 dollars as of yesterday when I looked. The money has been moved around a lot from the series of wallets used in this extortion scheme:

156eSKJU22jHHUEr6zznqMiDyR1L7DFFPY
1FJND3abrT4TjwijUbfYPD8jogCFeSbL
1Pku8VSnjgZePRt8yLF3QWfUYMTAjhA3io
1DGgLh6xeDmasCBHaLEQXwJ7C9gEvpYvWr
12pRJwZfZKi3RZa2eFijVCjmjCbB1YcXXXrA
15YhkTnuTprtPDRsdxiE2y8sMqiSmLPx2g
17qDi9fFG8C7a4mmTBBjsV7QmUN9QUBScZ
1H6DRf3XvHYudc7g6RvCiMbunHHKpbjhD2
1Nu2hju7Bs4vkUw2xyqi4E3ktSgx2VJEJq
13HSMufjTvzGJKoHdSQsLiJbsPcQcVMf4K <— 7 transactions
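Two checks a defender would want before loading the indicators in this post into a blocklist, written here as an added example that is not part of the original post: first, pull the relay IP and sending domain out of the Received/From headers quoted above and match them against the indicators; second, validate each wallet address in the list above with Base58Check, because a mis-transcribed address (two entries above are 32 and 36 characters as printed, where a standard address is 26 to 35) silently poisons an IoC feed. The sample mail is constructed from the two header lines shown on the page; the genesis-block address is included as a known-good control.

```python
import hashlib
import re
from email import message_from_string

# Indicators quoted in the post: sending domain and relay IP of the extortion mails.
IOC_DOMAINS = {"aukcion.org"}
IOC_IPS = {"188.225.27.25"}

# Matches the common "from host (rdns [ip])" shape of a Received header.
# Good enough for triage, not a full RFC 5321 trace parser.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\((?P<rdns>[^\s\]]+)\s+\[(?P<ip>[0-9.]+)\]\)", re.I)


def triage_headers(raw_mail):
    """Return a list of (indicator_type, value) hits found in the mail headers."""
    msg = message_from_string(raw_mail)
    hits = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        host, ip = m.group("host").lower(), m.group("ip")
        if ip in IOC_IPS:
            hits.append(("received-ip", ip))
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("received-host", host))
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m and m.group(1).lower() in IOC_DOMAINS:
        hits.append(("from-domain", m.group(1).lower()))
    return hits


# Bitcoin Base58 alphabet (no 0, O, I, l).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    n = 0
    for ch in s:
        idx = _B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * pad + body


def check_address(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError as exc:
        return False, str(exc)
    if len(raw) != 25:
        return False, f"decoded to {len(raw)} bytes, expected 25"
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return False, "checksum mismatch"
    return True, f"ok, version byte 0x{payload[0]:02x}"


# Constructed sample built from the two header lines quoted in the post.
SAMPLE_MAIL = """From: return@aukcion.org
Received: from nat5.aukcion.org (nat5.aukcion.org [188.225.27.25])
To: victim@example.invalid
Subject: So, closer to the point

So, closer to the point. You surfed the internet with porn ...
"""

# Two addresses from the post's list plus a known-good control (the genesis-block address).
WALLETS = [
    "156eSKJU22jHHUEr6zznqMiDyR1L7DFFPY",
    "1FJND3abrT4TjwijUbfYPD8jogCFeSbL",    # 32 chars as printed: too short to be real
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",  # control: valid
]

if __name__ == "__main__":
    for hit in triage_headers(SAMPLE_MAIL):
        print("header IoC hit:", hit)
    for w in WALLETS:
        ok, why = check_address(w)
        print("KEEP  " if ok else "REJECT", w, why)
```

Only addresses that pass `check_address` belong in a watchlist; the rejected ones should go back to the source for re-transcription rather than being guessed at.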



It ain’t Wannacry money but it would buy some shit in Ukraine, I guess. There has been some movement of money around, so I am wondering if they are trying to mixmaster or what. I did not go down that rabbit hole, so if you all want to, go right ahead. As for me, I thought that this post should be put out there for others to see the actor, the act, and maybe as a PSA to put a stop to it. So, here are the other variations on the theme. The emails all pretty much say the same thing, with some variations on “I see you have been surfing porn because I infected your machine with porn!”, and ask for the money:

So there you have it. You don’t have to be anyone special, you don’t have to be 1337 to scam people with an email…

Yay internet!

K.


Voicemail Phish: Cerber Ransomware


Yesterday a new phish went around in an email ostensibly concerning a voicemail that the user was to collect. The hyperlink, though, led to a .js load on a PHP site that then downloaded Cerber/Locky ransomware onto the unsuspecting users. In the case of the org I had hands-on with, the email was a spoof that alleged to come from an inside system and thus bypassed some protections they had. After the email went wide and was picked up on, I began the reversal and the tracking of the C2s etc. This post is the post mortem of all my research on the malware and the infrastructure they used to send them as well as infect systems. I have seen others out on Twitter talking about this campaign, so I thought I would expand outside of the malware events I had direct access to and do some ancillary searches. These searches led me to other campaigns within the same grouping but using a few other C2s etc.


Obfuscated .js file

Onion site used for the bitcoin ransom (as of yesterday 0 coins in the wallet)

Searches in Google for remnants in the malware that show other iterations by the same actors

Basically the conclusion is that the campaign is by an actor that has been at it since 2016 at least. Searching on snippets from the reverse of the malware and the obfuscated .js file gives one the picture of activity by the same folks. The darknet site also shows that it has been around since February 2017, but when you start looking at analogous malware samples with the same characteristics, the picture emerges of the same malware, or the same coder/user, adding certain characteristics (callouts and infrastructure) that lead to a single actor or group. This included infrastructure that did not work and mistakes by the campaign’s actors that in some cases caused the malware not to work.

All in all nothing too exciting, but it was prolific enough that I thought people would want a fuller accounting of malware files and C2s to put into their respective protection schemes.

Have fun!

K.

DATA:

Reversals:

https://www.hybrid-analysis.com/sample/e32dd73f5737309c83a890abf07b74060cba4f0b73cedf6fbf062b59f3caff12?environmentId=100

https://malwr.com/analysis/ODYyMWFlOTFlMDIwNDk2MDgzNjUwYzhjM2MxZWQ5YTU/

https://malwr.com/analysis/OGI3YWY4Y2NmOThkNDgzM2EzODRlMDNjOWRmYWQxYzQ/

https://www.hybrid-analysis.com/sample/524b71df0f5db492c43103f566c7a1f2ca9f436e603519f0b0fd7abf5df491ab?environmentId=100

https://www.hybrid-analysis.com/sample/5a918eb9958c7fa07f72e30bb035ceec993ea315ebc33b36948db48a7601ae83?environmentId=100

https://www.hybrid-analysis.com/sample/7d6cd1e9d47057c1c12f3cf8bf6a183ade93ea549c26d6a99b804f4fee13302d?environmentId=100

https://www.hybrid-analysis.com/sample/9f641227b8e5e176b29630376a125949b22389b07253b664a44371642f1dc400?environmentId=100 EXE

https://www.hybrid-analysis.com/sample/e9981527fade0266ec18c73bf3cb066738ed12c3c3530a30a2e56a790d180107?environmentId=100 euskull.exe

https://malwr.com/analysis/Y2UzOGU5ZDg0NTVjNGFmZjk4NDQ5OGEzM2E4YWU0NWY/ .js file

https://www.hybrid-analysis.com/sample/08c8c2c02bf3eb55b6b644059610661abfc29a63286e9195262457f14b9aa895?environmentId=100 .js file

https://malwr.com/analysis/ZjU5YjZkYjhjMDkxNDM3MmFhOWFkMDJlZjA2Mjg5MjY/ .js file

URL IN STRINGS COMMON: torproje_.or9

https://www.hybrid-analysis.com/sample/7860c1f59a177687d290e790b1e3853ccdb42d36695c29423b544e85b75a098a?environmentId=100

https://www.reverse.it/sample/7c64806989a9fb08495eef54638b2c3c605ec9c04e25c896b9b8e5d5d15bb7b9?environmentId=100

https://www.reverse.it/sample/8daf870902e98c6f898a258c116b703b7d72aa94195ba90b605b2aaaf24cecf5?environmentId=100

https://www.reverse.it/sample/c52a6589aec7883433e60189a3a53c2452e2627f3b4d0bdf4eca0bbeb0b86833?environmentId=100

STRING COMMONALITY:

https://www.hybrid-analysis.com/sample/27d400086d315ff4ad5fc2840adaef210750436c772245c772a9f1c6536960c1?environmentId=100

https://www.hybrid-analysis.com/sample/65f89cbf0bf8edd68192b24ac3e1fa6516b783ece7ef44262806c283242f7110?environmentId=100

https://www.reverse.it/sample/bd749b89dcd97d501d3762f37b4a378f8606a3d904a04805602d5474ed80010b?environmentId=100

https://www.reverse.it/sample/4b1cd133cb3e8689189fdb8a5c434ea11c335f3b88de200ac76e2e7e2ff1bda3?environmentId=100

https://www.reverse.it/sample/e98dfc7ca6799ecd83924900a8f342087f85dafb0e05ac269f2482ccd636f193?environmentId=100

C2s and Hashes:

autoecolejeanluc.com 193.227.248.241
autoecolejeanluc.com 3c288ad1347d21125d18c43f968636620be2ac662bcae6cc381947981a0c5d11
autoecolejeanluc.com 4cdc0e6cd4c8d020b1d90c49352c9f4e7b279248b6a851cad6dd6f600b55920f
autoecolejeanluc.com http://autoecolejeanluc. com/
autoecolejeanluc.com http://autoecolejeanluc. com/876tYU6tg8e
autoecolejeanluc.com http://autoecolejeanluc. com/876tyu6tg8e
autoecolejeanluc.com http://autoecolejeanluc. com/voice.html
culturando.org 62.149.161.147
culturando.org http://culturando. org/
culturando.org http://culturando. org/b/095635ecd85.html
culturando.org http://culturando. org/circuit.php
culturando.org http://culturando. org/ixixuak.exe
gclubrace.info 130.204.119.26
gclubrace.info 176.102.207.142
gclubrace.info 176.36.98.125
gclubrace.info 176.8.210.181
gclubrace.info 178.151.153.8
gclubrace.info 178.158.106.161
gclubrace.info 178.217.165.165
gclubrace.info 31.133.78.157
gclubrace.info 46.164.175.8
gclubrace.info 46.185.63.45
gclubrace.info 46.98.200.217
gclubrace.info 46.98.55.106
homecarpetshopping.com 17db7e6bb5b643fdc4bdb2c3ba7bc55784cf37932d818c30ad58316e5e998b5c
homecarpetshopping.com 208.79.200.218
homecarpetshopping.com 9f641227b8e5e176b29630376a125949b22389b07253b664a44371642f1dc400
homecarpetshopping.com aa36ae501dd09617500a6b38de7917dc5c7313fffb2841bcfdcafa9d567621f0
homecarpetshopping.com http://homecarpetshopping. com/
homecarpetshopping.com http://homecarpetshopping. com/bxxomjv.exe
homecarpetshopping.com http://homecarpetshopping. com/bxxomjv.exe/
homecarpetshopping.com http://www.homecarpetshopping. com
karakascit.com 185.12.111.126
karakascit.com 9f641227b8e5e176b29630376a125949b22389b07253b664a44371642f1dc400
karakascit.com aa36ae501dd09617500a6b38de7917dc5c7313fffb2841bcfdcafa9d567621f0
karakascit.com http://karakascit.com/kdivrdr.exe
karakascit.com http://karakascit.com/makeup/displayx.php
lpdata.com aa36ae501dd09617500a6b38de7917dc5c7313fffb2841bcfdcafa9d567621f0
lpdata.com http://lpdata.com/qteglbq.exe
mandovandoga.net 02b872d1dcecf27fac5a7d760127a1e22764bc361e85223c2a74827490ac9b12
mandovandoga.net 0da6f47613c59ca378f05b364e85375f3be9661a04473094f322c349d614efce
mandovandoga.net 195.123.218.58
mandovandoga.net 25656e541e1a24b63f2758f7781e1ab6f22e1332f6ac22160ca84476643e0ebd
mandovandoga.net 2c2c23e58d9d84635da8a3e7a7d881464e39b208d98a90300d9f31d12016140f
mandovandoga.net 599c7e31f84a5bf8ae68102fa5aa3a9732eb402e8f85741903c2c4cbd94e93c5
mandovandoga.net 66ff05dc0f390437146f43df667c7efc3f42399dd8c54da710f3bfd2438ad61d
mandovandoga.net 6c54773163b77efa77a388c60ac5ab7785dc70f06821ccc0cdac4a29671a5b97
mandovandoga.net 9bf96825a5e92d652da3bd0edb489aa7762259f541e3435ca10e964a54022aba
mandovandoga.net 9c5e5c164f81b25c85e972f1289da5173b26f308bac21d1d57e5e7d66663118d
mandovandoga.net c02b573b2f8f481cb03887958be795af1cffc61db97b81770cd4230413e01dda
mandovandoga.net de33eb2ede37bc3977c77575d19ccc37319b5ce7e729aa155bcd5a7728618310
mandovandoga.net f11eb844dfad8688bc487e978ab083c3f4beecb8d7a405d2fd60f2508ec1078f
ndsiportal.info 4a80b395e3719d863a7083d66afa4d2d838ed3d5617570715cd610030d2b3493
ndsiportal.info 99b1f708a95dbe35d75ee56397fc29f0d3d30a3bf58c3424ba2ddb7ccc3fa506
ndsiportal.info ca77337ab82b7d8d1aa041510baf7c4a90b1654337fd20836320129f8caf5224
ndsiportal.info f98e07a6c106033db3ed7d0725ac1cf02b269ca7803b4cf083bae9deb6d33b4c
ndsiportal.info http://ndsiportal. info/
ndsiportal.info http://ndsiportal. info/invoicing.php
ndsiportal.info http://ndsiportal. info/msg.php
ndsiportal.info http://ndsiportal. info/p66/gfykjh.exe
paulcruse.com 91.215.186.147
paulcruse.com http://paulcruse. com/
paulcruse.com http://paulcruse. com/jnxuqah.exe
paulcruse.com mail.paulcruse. com
paulcruse.com http://www.paulcruse. com
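
Putting the list above into a protection scheme means normalizing it first: the post defangs URLs and hostnames with a space before the TLD, and it mixes IPv4 addresses, SHA-256 hashes, URLs and bare hostnames in one column. The Python below is an added example, not tooling from the original post: it parses a constructed excerpt of the indicator list in the exact defanged form used above, refangs and classifies each indicator, derives a hostname blocklist (bare hosts, URL hosts and the C2 domain each indicator was listed under), and runs the result over a few constructed proxy-log lines. The log format (timestamp, client IP, destination IP, URL) and the 10.1.4.x client addresses are invented for the example; the indicators themselves are copied from the list.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed excerpt of the indicator list above, kept in the post's defanged
# form (a space inserted before the TLD). First column is the C2 host the post
# grouped each indicator under; second column is the indicator itself.
RAW_IOCS = """\
autoecolejeanluc.com 193.227.248.241
autoecolejeanluc.com 3c288ad1347d21125d18c43f968636620be2ac662bcae6cc381947981a0c5d11
autoecolejeanluc.com http://autoecolejeanluc. com/voice.html
culturando.org 62.149.161.147
culturando.org http://culturando. org/ixixuak.exe
homecarpetshopping.com 208.79.200.218
homecarpetshopping.com 9f641227b8e5e176b29630376a125949b22389b07253b664a44371642f1dc400
homecarpetshopping.com http://www.homecarpetshopping. com
karakascit.com http://karakascit.com/makeup/displayx.php
paulcruse.com mail.paulcruse. com
"""

# Constructed proxy log: timestamp, client IP, destination IP, requested URL.
# The format and the 10.1.4.x clients are invented for this example.
SAMPLE_PROXY_LOG = """\
2017-05-03T09:12:44Z 10.1.4.22 193.227.248.241 http://autoecolejeanluc.com/voice.html
2017-05-03T09:12:51Z 10.1.4.22 62.149.161.147 http://culturando.org/ixixuak.exe
2017-05-03T09:13:02Z 10.1.4.37 93.184.216.34 http://example.com/index.html
2017-05-03T09:14:10Z 10.1.4.51 208.79.200.218 http://www.homecarpetshopping.com/
"""

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ipv4" | "sha256" | "url" | "host"
    value: str   # refanged, normalised indicator
    family: str  # C2 host the post listed it under


def refang(value: str) -> str:
    """Undo the post's defanging: 'autoecolejeanluc. com/x' -> 'autoecolejeanluc.com/x'."""
    return re.sub(r"\.\s+", ".", value.strip())


def classify(value: str) -> str:
    """Decide what kind of indicator a refanged value is."""
    if SHA256_RE.match(value):
        return "sha256"
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "url"
    return "host"


def parse_iocs(text: str) -> list[Indicator]:
    """Parse 'family indicator' lines into typed, refanged indicators."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        family, _, raw = line.partition(" ")
        value = refang(raw)
        kind = classify(value)
        if kind != "url":          # hashes, IPs and hostnames compare case-insensitively;
            value = value.lower()  # URL paths may be case-sensitive, so leave those alone
        iocs.append(Indicator(kind, value, family.lower()))
    return iocs


def blocklist_hosts(iocs: list[Indicator]) -> set[str]:
    """Every hostname worth blocking: bare hosts, URL hosts and the C2 family itself."""
    hosts = set()
    for ioc in iocs:
        if ioc.kind == "host":
            hosts.add(ioc.value)
        elif ioc.kind == "url":
            hosts.add(urlsplit(ioc.value).hostname or "")
        hosts.add(ioc.family)
    return hosts


def scan_proxy_log(iocs: list[Indicator], log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, reasons) for each log line that touches a known indicator."""
    ips = {i.value for i in iocs if i.kind == "ipv4"}
    urls = {i.value for i in iocs if i.kind == "url"}
    hosts = blocklist_hosts(iocs)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, _client, dst_ip, url = parts
        reasons = []
        if dst_ip in ips:
            reasons.append(f"dst ip {dst_ip}")
        if url in urls:
            reasons.append("exact url")
        host = urlsplit(url).hostname or ""
        if host in hosts:
            reasons.append(f"host {host}")
        if reasons:
            hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan_proxy_log(parse_iocs(RAW_IOCS), SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Matching on the URL’s hostname rather than only the exact URL is what catches the fourth log line: the post lists `http://www.homecarpetshopping. com` without a trailing slash, so an exact-string compare would miss `http://www.homecarpetshopping.com/`. The same parsed set can feed a DNS sinkhole (the host set), a firewall deny list (the IPv4 set) or an EDR hash search (the SHA-256 set) without re-typing anything.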

EQUIHAX


Trawling the darknet as one does, I came across this simple little page this morning. It claims to be the real EQUIFAX hackers, unlike the last darknet site that was soon taken down by morons. I have looked at all the data on the pages (see screen shots below) and have come to the conclusion that whoever this is, they too had access to Equifax. As this is an evolving nightmare I thought it prudent to do a quick write up on this site and let you all know. These actors are offering a crowd-sourced purchase of the whole database for the same amount as the fake site the other day (600 BTC), but are also offering single records as well as 1,000,000 entries for 4 bitcoins, or 56 ETC for the same number of records.

This time the actors actually give you samples, a taste, as they say on the street as bona fides…

 

These samples are what make me think that this actor had access. I know for a fact that, while the ongoing arguments took place online over what the compromise consisted of (which attack worked), I personally saw a tweet from an alleged Russian actor claiming to have shell access on one of their servers. This was later proven out to have ADMIN/ADMIN as the login and password, which is just horrid security, or should I say lack thereof? Anyway, you can see above that those records seem legit, as do the screen shots of access to the systems using real internal server names etc.

An onion scan of the site turns up no real vulnerabilities…

The bitcoin wallet shows no activity as yet.

EDIT/UPDATE:

In the process of watching this, a change has been made to a small point of data that leads me to believe that this is a fake. Someone pointed out that the data for Bill Gates’ address was incorrect. Since then it has changed…

Oopsies… State : WA

BEFORE

Screenshot from 2017-09-14 14-16-55

AFTER

Screenshot from 2017-09-14 14-07-43

UPDATE TWO:

A new story has surfaced online that makes the claim that the site creators have access to Equifax and there are other screen shots. I am still concerned with the changes to the data seen here but for what it’s worth here’s the link to the story.

https://t.co/IGoKPCXcDD


The CYBER Wars


We met in an old, drab, and odd Russian eatery cum bar this year. A matronly Russian woman made us order things from the menu as a young girl sang Russian kulturny songs on a cheap sound system in the back corner. I had come to talk to someone in the IC about “Cyber War” and hoped that our mutual experiences could give me an insight or direction for this post. After sitting with this person for about an hour I had to go but in that time I had several revelations from our discourse. This post is the culmination of that conversation and my further ruminations about the current state of “cyber warfare”

Firstly, the conversation that we had was very roundabout, going back to the dawn of the ARPANET and other systems, but all the while with a bent on economics. This kind of threw me for a bit, but I listened further, and within that long and winding road two things became clear from this IC warrior’s career. All cyber war is really information warfare, and second, all information warfare has an economic component. These things had not really occurred to me in the past, but the revelation made me think differently about all of it. Thinking about the economics certainly led easily to all the Chinese hacking and theft of IP, but on a macro scale all warfare has its economic drivers, right? Someone wants the things you have or they want to stop you from getting those things to others. So the motivation is always there in some way on a nation state level, and all of the techniques used in information war or hacking can be used to great effect on these problems.

Once I had some time to think about all that I had heard I started to contemplate everything that had taken place over the last election and what is still happening today. It became clear to me today that my convictions on “cyber” war were the same as they always had been, but with some caveats. Primarily for me is the notion that “cyber” war is really just information warfare. It is still information warfare even when something physical is caused to blow up or eat itself, like the centrifuges in Natanz back in 2010. Information warfare since then has been escalated with the active measures by the GRU and SVR (KGB) that took place in our last election cycle. Clearly it was information being used to manipulate the populace and their opinions. The hacking, or “cyber” as many like to call it, was just a component, an element of this, and it was the information that was the key. The net effect here is that once again I put it to you all: the “cyber” war doesn’t exist, it is all just information war using hacking and code as a force multiplier.

What you all need to worry about now is the use of technology to manipulate, just like the active measures campaign did in 2016. The revelations about Facebook being used by Russia to manipulate public opinion are just one instance, and a more nuanced approach needs to be applied to information warfare henceforth. I see articles every day now asking how we fight this kind of warfare, and honestly I see no easy way to do so. People are easily led, much more so now that electronic media is so prevalent and so easily manipulated by ad buys, hacks, and open source troll accounts. That people now have their digital bubbles cum echo chambers makes it even worse, with their cognitive dissonance at eleven. Honestly, much of the time lately I feel like Joshua and have decided not to play the game at all and go dark.

Maybe you should too.

K.


Equifax and Musicians


Screenshot from Zerohedge

 

So here’s my thing; It isn’t about the fact she was a music major and had two degrees in that. What it is really all about is the fact that she had no discernible security experience in the time she was working in the position or before to make her qualified to handle the job. THIS IS THE ISSUE PEOPLE! It is not about that she had a degree in nothing to do with security. So please stop all the 140 character bullshit and get it through your thick heads that even if you have a degree in IT this does not make you qualified necessarily to handle a job in information security ok?

Now that the CSO’s and CISO’s LinkedIn pages are redacted you can’t see much of anything, but before they took them down I looked, and neither had the requisite experience that would make me consider them for a position as an executive in charge of ensuring that the security of the company, and more importantly the security of the clients’ data, was in capable hands. Look, let’s face it, you can say that the exec is just there as an advocate or to manage. Trust me though, if they have no experience in the arena, either they listen to their guys in the field and implicitly trust them and advocate, or they are just compliance monkeys of the worst order.

I have lived it and I have seen it throughout my career in security. So please stop all the fuckery about “I have a degree in animal science and woe is me I am unfit for security!”

BULLSHIT

If you have a degree or not, you have to have put in the hours of study and actually doing the things! If you haven’t then you are out of your depth and bad things will happen.

Just look at Equifax.

K.


What’s eating you?: On-line Cannibalism in the darknet and clearnet


 

There are so many misperceptions about the “Darknet” out there, but when you really start to dig right down into the bone and sinew of it you start to see that it really isn’t so dark, and certainly not as spooky as one might see on CSI: Cyber. I for one have had a yen lately for a serving of cannibalism content on the darknet, and boy, I was kinda let down by the deep dark nopesauce that I found. See, when you look into the darknet and it blinks back, you know you have come to the end of the line and it is time to go back to the clearnet for some real horror.

So yeah, I was messing about in the darknet with my spider looking for some marbled fleshy goodness that I had heard was available out there on the clearnet. You know how you Google something and the usual tinfoil alien type of search results come up? Well the same can be said for things like necrophilia and all the other paraphilias out there. The spiders turned up only one site that had cannibalism as a subject, so I went there. The site is titled “Japanese Lady Extermination” and it is true to its name in content. There’s a lot of Japanese lady killin’ going on in there on film and yeah, no, I am gonna opt out of the bitcoin purchases there. No, what I wanted was full on cannibalism for realz and I was bound and determined to find it!

I finally found a link in the darknet to a clearnet Reddit thread that had the URL to an archived version of “The Cannibal Cafe Forum”, a now defunct site that was archived by the nascent “Wayback Machine” at archive.org. Now this site was stood up in 2001 (the Wayback crawl is dated May 2nd) and it served up a board for those who wanted to role-play cannibalism …Maybe? I am not quite sure how many of these “Fine Young Cannibals” were serious about their desires and how many weren’t, well, except for the one case where the guy actually killed and ate the other guy!

…but now I am getting ahead of myself….

*snicker*

OK! So this board on (necrobabes.org) was stood up and run by someone calling themselves “Perro Loco” or the “Mad Dog”, and they ran the show using an email address on their own domain, perroloco.net (see whois data below *wink*), which still exists today and in fact has spawned another site in the aftermath of the flame out of necrobabes circa 2003. As you can see from the screen shots below this site was pretty active and they had a bunch of links for services, offerings, and an application to become …well …uh …meat?

Livestock available

Application to be …Livestock

Films and animations

“Stockman” Association I guess you could join the “club”

Loco’s actual daughter who wanted to get into porn….

Another one to be served up

I can’t even make this shit up!

Click me…

Right, well, looking at all those images you get a sense of what the flip was going on in there back in the day. It was all good, if you can call it that, until it went bad for Perro and his merry gang of paraphiliacs. I mean, never mind that he is serving up his own daughter in this thing and all of the cray cray “eat me” discourse that is fairly graphic, but man, these people had no idea what they were doing OPSEC-wise either. I understand it was 2001 and really the net was new, but boy oh boy did they leave a trail to their real identities here. If you decide to take a look at the archive, note that their IPs were captured for each post and they were offering up email addresses that they CONTINUE TO USE! I have looked up several and located their real names and locations today.

<BLINK>

OY VEY!

</BLINK>

Now I am going to pause here for a moment to take all this in and maybe say a couple things about pathology and psychological illness…

Eh fuck it.

On to the CRAZIER CRAZY!

So yeah everything was just super great in the Cannibal clearnet back in 2001 until a certain character showed up on the board. His name was “Franky” and he was a German dude who wanted to eat someone and this was the hot spot for this kind of thing right? Well, maybe it was and maybe it wasn’t. I mean all these folks may actually have been just living out their fantasies right? Well Franky would have none of that, he was gonna chow down and he was gonna have a nice time at it provided he could “meat” someone at necrobabes.

Oddly enough you all may know of Franky through the IT Crowd. Does everyone remember the IT Crowd episode titled “I want to cook with you” ? Well, this parody is based on Franky, the German IT guy who put an ad out for someone to eat.

Go on, click the video, I know you wanna… I will be waiting below.

Franky

Young Boys

MOAR FRANKY

Frankalicious

Armin Meiwes

Franky, aka Armin Meiwes, literally wanted to eat someone and had wanted to do so since he was eight years old. He met a poor sod on the cannibal site who agreed (Bernd Brandes) and ate about 20kg of his flesh. You can read the grisly bit below on how that happened, and the whole article right here. It seems that Bernd was rather tasty and Meiwes took his time with the rest, saving it in the freezer for later. I am guessing that after Meiwes was caught and the searches began it quickly became apparent that he had been on the necrobabes site. I kinda have to wonder how they all took it on that site. I mean, they were all into the cannibal thing, they talked a good game, but just how many of them were all McConaughey about it…

So the site pulls the cannibal board and sometime later the site kinda dies itself. Meanwhile your friendly neighborhood “loco” is like “I am gonna start my own site now man, I need me some cannibalism!” and gets a new domain started. This site is supposed to be private and you have to email to get an invite. So, me being me, I decided to use a cutout and send an email in to get that freaky e-vite! I got turned down though, so I was disappoint! That is until I decided to use my super Google Fu and shit, he really hasn’t secured the site. You can see all the shit in there with a good Goog session, and in the end there isn’t much traffic in there at all. I guess you can’t keep a good cannibal down, but you can skip signing up for his whacky site and just move on to other places, right?

His site is still up and MAN is it GEOSHITTIES

DUDE DUDE DUDE NO MENTION OF DOLCETTEGIRLS?

Who is this Poizner cat?

The perro himself…

dolcettegirls.com

Inside dolcette

More boards and it’s all quiet

For more just use the Google Fu: site:dolcettgirls.com

Now you can just say well that guy is a bit whack and move on, but once you start going down the rabbit hole on him you kinda just get sucked into the Nick Cage level shit in Eight Millimeter. Ancillary searches on this guy turned up some real crazy shit. I mean just look at that photo of him above here!

Holy Church of Dolcette?

WHAT THE?

I CAN’T!

It seems like ol’ Perro wanted to have himself a cannibalistic religious org that could maybe be tax exempt? I can imagine that might be hard to get past the IRS, I mean, how are you gonna make that a religio… Wait.. Wafer and wine…

SHIT!

Whoa!

Anyway, Perro is still kicking around on the tubes and seems to have slowed down, but where have all those cannibals gone since the necrobabes site went bye bye? Well, it isn’t to the darknet as far as I can tell from all my searches. Nope, it is once again the clearnet that hosts this kind of crazy, and I found the new mother lode by accident.

It seems all the kids are now at ForumJar, which is a low end board much like the original necrobabes, but this one is much more sedate and hidden. These people are offering themselves and looking for others to consume just like the old days, so I guess you really can’t keep a cannibal down, eh? These guys though seem to be a little more savvy about their security, but even so, one I looked at is looking for a “chunky” female and offers a kik address to chat them up. I read this and just had a flash of Hannibal Lecter asking Starling if Bill’s ladies were “roomy”

New board

Secondary board

Take me!

“Chunky female”

Well, I guess it’s time to put the lotion on the skin…

Remember, this is what happens when I have idle hands kids. All in all, this is pretty twisted and it all lives mostly in the clearnet so don’t believe all the BOOGA BOOGA DARKNET shit you hear. The clearnet is maybe even more scary and when you think about it, kids today can just google this up and get an eye full.

…. Even if you have those filters on your router.

Heh.

K.

UPDATE: As if by some quirk of fate this turns up today in the news… 30 people eaten at least! http://www.independent.co.uk/news/world/europe/cannibal-couple-eat-30-people-russia-dmitry-baksheev-natalia-military-aviation-academy-krasnodar-a7967216.html


Who’s Molesting Your Corpse?: Necrophilia and Snuff In The Darknet & Clearnet


Vault of Sex and the Dead

Just when you thought I could delve no more deeply into the darknet I bring you this….

RIGHT! Well, since my deep dive into the world of cannibalism, I began to look at the other links out there to other paraphilias on offer in the darknet, and once again to the clearnet. Today’s menu consists of Necrophilia and Snuff, which are quite the taboo really and something you would expect to find in the so-called Darknet. Of what is currently indexed out there in the darknet there are a total of two sites that really cater to these two particular bents. The first is the one you see above in the screen shot. This one requires bitcoin payment just to see the content, but you can get a taste by clicking on their samples.

Sex & The Dead

 

Sex & The Dead

What seems to be on offer here is a melange of staged snuff films and images mixed with actual gore photos culled from the clearnet and other places, I suspect. Generally, it is all pretty vile and all rather violent, which, taken in tandem with the balance in their bitcoin wallet ($3140.76), makes one wonder just how many people are buying this service and how many are here just for the day or are return customers. The nominal fee to gain entry is 0.027 BTC, which is presently $112.06 per entry. So, let’s tally that one up shall we?

Lesee, carry the one….

That’s about twenty-eight entry fees, so call it thirty users of this site. Thirty people have paid over one hundred dollars to get into this site with bitcoin and wank to this stuff.

*shiver*

Oh and look someone just bought access on the 25th of this month!

So someone has at least some pocket money it seems from this little darknet adventure. I guess it all depends on how much you put into it though eh? I mean, how much is the hosting per month? Are you hosting this yourself? Web design seems to be not so much something they care about so no real expense there. Overall, this site seems to be a going concern because it is affordable and maybe has some content these thirty people want. I do wonder just how many though are seriously “using” the content as opposed to how many investigative entities bought access to “investigate” criminal activity. I suppose we could take all those bitcoin wallets and do some mining to see if anyone made some OPSEC mistakes but meh.

The second site in the darknet has a theme in that it is called “Japanese Lady Extermination” and they live up to that name with a lot of Asian/Japanese content. Between you, me, and the lamp post, we all know that the Japanese have some particular, well, shall we call them tastes in porn? On first look this site has much more content and the design is a bit better but is it a hub for this activity? How many people use it? Well, it seems that this one is the high price callgirl of the darknet in that they want some big bucks to get in on the action.

Dig this, they have two options for access. One is a month of access, for which they want 0.6 bitcoins, and the other is three months, which costs a whopping 1.2 bitcoins! That translates into $2493.34 for the one-month access and $5026.27 for the three-month plan! Now that is steep for access to some lady killin’, and if you have sticker shock, so too do all the would-be customers of this site. Looking at the wallets for the plans, both have nothing in them. There are no transactions at all for either, so this is a bust for the lady killers’ owners it seems.

Three months

One month

Three month wallet

Zilch

Nada

 

One month wallet

 

It seems to me that Japanese Lady Killin just ain’t a money making concern so far. Of course it seems that a lot of this content could be gotten via the clearnet and a vendor in Japan willing to ship a DVD so there is that. So that brings me to the conclusion that the darknet is not that scary and dark when you really take a look into it. Nope, what’s much more scary is the prevalence of this kind of thing on the clearnet available to all and easily gotten to by mistyping a URL. When I began Googling for links the first one that came up was darksites.net which is another site designed by our friends at Geocities.

My god.

…The horror.

The domain was created in 2000, so that probably answers the question right there. Why upgrade the site when you have a good thing going, right? The site has a couple of names attached over time in the WHOIS history, and one of them goes back to a “Michael Guy” for whom there is info out there. Just another rabbit hole one could go down to ask why? WHY? But I will continue on with the site’s contents.

Domain Name: DARKSITES.NET
Registry Domain ID: 20065601_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2017-02-18T07:42:12Z
Creation Date: 2000-02-17T20:13:39Z
Registry Expiry Date: 2018-02-17T20:13:39Z
Registrar: eNom, Inc.
Registrar IANA ID: 48
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned

 

Darksites

Darksites

Darksites

Darksites

This site is the clearing house of all things deviant. All your desires can be sated with this list of things.

There are things I have never heard of here…

Like the whole cannibal thing I reported on before, all of this could just be fantasy and acting, or it could lead to the actual commission of crimes. As we saw on the cannibal sites, it was all fun and games until someone got really eaten by that whacky German guy, right? I am not trying to say that these desires are bad or dirty, but the paraphilias could lead one down the wrong path if they go too far or are unbalanced to start with. In the case of Meiwes in Germany, he had been fantasizing about eating people since he was eight years old. At what point do kinks turn into actual crimes? Now add to this that the clearnet seems to be the biggest purveyor of this fantasy fuel, free on the net (or for a nominal fee), and one has to start wondering just how many people have stepped over that line after becoming addicted to this kind of content.

I also have to look at the psychology of being exposed to this stuff and becoming hooked on it. You become inured to it and it becomes pedestrian, then you need more of it to sate yourself and perhaps even things that are even further outside the norms just to feel the thrill? I have read such things in treatises by psychiatrists in the past, so now instead of having to really do the leg work and go somewhere to get the content you can just Google it up. Think about the pathology here…

Interesting stuff.

Anyway, the other outcome from my foray into this dark world is that the darknet is not really so dark. Well, at least where it concerns this stuff, the clearnet has it beat by a mile in amounts and ease of access. And this is one of the things I started down this path wanting to get out there. Other than the voyeuristic aspects here, I wanted to take a plain look at the oft spookily talked about darknet and defuse the hype. It’s not that scary and it isn’t that hard to get into no matter what Hollywood would like you to think. Nope, it’s just another space for people to do things they probably shouldn’t with a cool name.

But hey, at least in the darknet I found a manual on how to Necrophilia…

Woo!

K.



LOOK MORTY! I’M A DANGEROUS PAGE MORTY!


 

Still the page is marked as bad yet no malware can be shown to live here.


MORTY! LOOK MORTY! I AM NO LONGER A MALICIOUS SITE MORTY! SOMEHOW THIS IS ANTICLIMACTIC MORTY! BRRRRP!

Russian Active Measures: Propaganda, Targeted Ads, and The Mob


Handbook of Russian Information Warfare 2016

 

With all the talking heads on CNN expounding on the ad buys in rubles and the oblique presentments by the senators yesterday on the Russia collusion investigation on C-SPAN, I felt the need to drop some knowledge. None of these measures are new, but it seems like the general populace, the government, and the media all cannot comprehend that fact. Propaganda has been around since the dawn of civitas; today it can simply be wielded more nimbly in our hyper-connected society. With the advent of social media, propaganda has been turned into a precision tool using demographics, analytics, and a medium that lends itself to use as a new asymmetric warfare tool, and this should be no surprise to anyone.

Propaganda has long been a tool for the radio, print, and television media, who are paid or tricked into releasing content that serves one of the political masters out there. The new wrinkle, however, is the computing power and the behavioural data: all the data points now collected on everyone who uses the internet or sites like Facebook, Google, or Twitter. So much information is collected today that it is possible to accurately determine how a person thinks and acts from their preferences and from the private activities that the algorithms inside these systems observe. Unless someone takes greater pains to obfuscate their activities, companies and governments can easily mine that data for ammunition to create such things as the black propaganda we saw used in the 2016 election cycle here. Since people really don’t pay attention to other countries, they missed the same measures being used in places like Ukraine; they would have seen them if they had been paying attention.

Previously I had posted about such measures in Ukraine that included the whole cloth creation of a media company to manipulate the populace there with propaganda as well as the use of malware to spy on the populace. Today I am covering the precepts of the use of our own systems of social media as well as our collective group psychologies to sow chaos. Given the outcomes in the 2016 elections and the continued attacks on our psyche’s by Russia post election we now have a pretty good idea of how the dynamic works. One must though take into account that human nature plays the largest roll in this type of warfare for it is the base of the equation that the Russians are trying to manipulate. The targeting of ads to key states and cities was just a targeting mechanism to the overall more targeted PSYOPS operation that was at play. The Russians parlayed the divisions within the US by creating echoes within already nascent echo chambers for those who are of like minds on social media systems. Once the psychology was worked out it was just a matter of locating those pockets of people and then creating the media (e.g. fake news) to feed into those systems and agitate those people into a frenzy.

Once again, human nature was keenly leveraged to sow chaos as well as being a vehicle for those noise to signal messages (dog whistles) for the believers and I can appreciate that. Frankly I am in awe of the techniques used while at the same time I am concerned that there are no real ways to mitigate these kinds of attacks due to that said same human nature. We all have our bias’ and we all ascribe to our own echo chambers whether we do so consciously or not. Social media in itself is the perfect medium for this and we just fall into place as the lizard brain takes over. So when people today ask the questions around how to combat this type of thing I often say that there is no real way to stop it. We can of course use people to look at ads like Facebook is doing now, having hired or in the process of hiring thousands to do so. Or we could just look at the ad buys and insure that they are not being paid for in Rubles… But these means are clunky and the adversary has many other options so in the end it will not work.

The ongoing Senate investigation into collusion and the Russian active measures campaign in 2016 has many people also asking specifically about the targeting data. Did the targeting data come from the Trump organization? Well, yeah, it may well have come from them or it could have just been collated from online searches and a working knowledge of the electoral system. You see, this attack was simple enough to calculate if you wanted to attempt to win the electoral college. One can Google the states that are key to winning the electoral vote but it is the fact that it seems the targeting went down to actual names and addresses that matters. I for one would be asking Cambridge Analytica about that data and how it may have come into the possession of the Russians. Now it is possible that the Russians had their own parallel program for this, or it is also possible they hacked into Analytica for it, and as far as I am aware of no one has asked for a forensic analysis of CA’s security there. Of course the data could have been handed off by someone like Paul Manafort as a quid pro quo (black caviar) right? Or perhaps it was Jared as a means of paying off his Russian friends in hopes of a loan to cover his bad real estate debts? I also think that it is possible that the rolls hacking that happened in the same time frame could also be the answer to this. It is possible that all those rolls were copied, sifted, and used for targeting of propaganda at the final stage of the race to the White House.

At the end of the day though, the problems of social media, cognitive biases within the populace and the mob mentality that humans tend to fall into (Republican/Democrat/TeaParty) will not be going away. We are creatures of habit and limited by our own brain biology. Do not expect that knowing that there is a propaganda campaign will stop those willing to receive it from buying into it whole heartedly. Social media isn’t going away anytime soon and the idea of algorithms being the key to stopping this is a falsehood. It all really just matters how you consume this media and how you react to it. If you fall into the echo chamber of cognitive bias or bent, then you will likely become a part of that machine and not be able to separate the truths from the bias truths that you personally ascribe to. So when you all ask how this happened remember that we are the culprits, the people.

K.


Trump Personal Emails for Government Business: How Many Sites Do They Have?


The recent story about Javanka's personal email server, which they had used for government business, made me ponder when it had been created and just how many others the Trumps may have out there. So after looking at the pastebin listing all their domains, I noticed a couple of things. The first thing I noticed, after doing a WHOIS on the domain in question, was that it is a new acquisition. The domain was created 12/31/16, which is pretty new as their domains go. Secondly, this domain is not attached to the thousand-plus domains owned by Trump, which kinda made me go "hmmmmm, that there looks like obfuscation" and made my Spidey sense tingle.

Ivanka and Jared’s Server: IJKFAMILY.COM

Domain Name: IJKFAMILY.COM
Registry Domain ID: 2086283293_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-03-06T06:55:27Z
Creation Date: 2016-12-31T01:33:34Z
Registry Expiry Date: 2017-12-31T01:33:34Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com

Note that all of the other domains (see link above) are affiliated with the Trump name, but this one (IJKFAMILY.COM) flies under the radar, so to speak, since it is not overtly Trumpian in its naming scheme. So my first question became: "Did they set this up for this sole purpose? Or was it just a domain they had in the wings for something else and decided to spin up port 25 and SMTP on?" I am not sure which reason lies behind the creation of this particular domain, but it did start the wheels of my mind turning toward the notion that, out of all the Trump domains out there, how many could support an easy means of under-the-radar email for Donny and his brood? Well, the real answer is that there are over one thousand possible domains that could immediately be set up to send email. However, upon looking into all those domains, there are only 25 instances presently that have the ports open and the services running that allow email to be sent through them. Some of those systems have the ports filtered but many others do not, and interestingly some also have secure protocols in place for email using encryption, which is very interesting indeed…

25 Instances on 8 Domains SMTP/POP/IMAP Already Running:

chicagotrumplimo.com
estatesattrumpnational.com
realdonaldtrump.info
theestatesattrumpnational.com
tirpromotions.com
trumpgolfscoring.com
trumppuntadeleste.com
votefordonaldtrump.com
trumpublican.org
200riversideboulevard.com
220rb.com
240rb.com
502parkavenue.com
721fifth.com
trumpparceast.com
trumpworldtower.com
votefordonaldtrump.com
chicagotrumplimo.com
estatesattrumpnational.com
realdonaldtrump.info
theestatesattrumpnational.com
tirpromotions.com
trumpgolfscoring.com
trumppuntadeleste.com
trumpwaikiki.com

So, all of these domains should be on the radar of the investigators out there in the Senate, House, FBI, IC, etc., and I would hope that is the case. If I were those investigatory bodies, I would be asking for some records from those domains, ya know, just to see if there were some emails going out concerning government business, like Javanka's little mishap recently. It is utterly fatuous that these people, who made a feast of Hillary's email server, are so flagrantly using private domains and email to bypass the national record. Many of the servers also have some interesting ports open, but I digress. Suffice to say that these people have patterns of behaviour, so I would not be surprised if more turned up on other domains, or if they have even started new domains under the radar, like Javanka there, to hide the emails.

Now, on another note, I noticed something else as I was doing this little investigation. I noted a few domains that involved Russia and the Baltics. Once I did the WHOIS on them, I also noted that they were all created around the same time in 2008. I have yet to really look into the 2008 timeline for Trump, but I have to ask: just what was happening then that made him think to buy these domains? Were these domains bought after a possible deal had been struck, or in hopes that talks would work out? I mean, if that is the case, how could Trump claim that he had no business with Russia?

Well, yeah I know he lies like a bad toupee but really…

Domain Name: TRUMPRUSSIA.COM
Registry Domain ID: 1508991998_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-28T20:25:15Z
Creation Date: 2008-07-17T20:24:29Z
Registry Expiry Date: 2018-07-01T03:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS49.DOMAINCONTROL.COM
Name Server: NS50.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-10-09T13:04:03Z <<<

Domain Name: TRUMPUKRAINE.COM
Registry Domain ID: 1508992006_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-28T20:26:04Z
Creation Date: 2008-07-17T20:24:29Z
Registry Expiry Date: 2018-07-01T03:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS49.DOMAINCONTROL.COM
Name Server: NS50.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-10-09T13:26:27Z <<<

Domain Name: TRUMPBAKIAZERBAIJAN.COM
Registry Domain ID: 1679227892_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-28T20:27:01Z
Creation Date: 2011-09-27T14:00:19Z
Registry Expiry Date: 2018-06-30T11:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS49.DOMAINCONTROL.COM
Name Server: NS50.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-10-09T16:52:03Z <<<
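Records like the ones above tend to arrive run together on one line when they come out of a scrape, and the useful pivot is the creation date. As an added example (not the post's own tooling), here is a small Python parser that splits such text back into one record per domain and groups the domains by creation day; the sample blob is transcribed from the three records above with some fields trimmed, so it runs offline.

```python
import re
from collections import defaultdict

# Constructed sample input: the three records above, run together on one
# line the way the scraped post shows them, with some fields trimmed.
WHOIS_BLOB = (
    "Domain Name: TRUMPRUSSIA.COM Registry Domain ID: 1508991998_DOMAIN_COM-VRSN "
    "Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 "
    "Creation Date: 2008-07-17T20:24:29Z Registry Expiry Date: 2018-07-01T03:59:59Z "
    "Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited "
    "Name Server: NS49.DOMAINCONTROL.COM Name Server: NS50.DOMAINCONTROL.COM "
    "DNSSEC: unsigned >>> Last update of whois database: 2017-10-09T13:04:03Z <<< "
    "Domain Name: TRUMPUKRAINE.COM Registry Domain ID: 1508992006_DOMAIN_COM-VRSN "
    "Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 "
    "Creation Date: 2008-07-17T20:24:29Z Registry Expiry Date: 2018-07-01T03:59:59Z "
    "Name Server: NS49.DOMAINCONTROL.COM Name Server: NS50.DOMAINCONTROL.COM "
    "DNSSEC: unsigned >>> Last update of whois database: 2017-10-09T13:26:27Z <<< "
    "Domain Name: TRUMPBAKIAZERBAIJAN.COM Registry Domain ID: 1679227892_DOMAIN_COM-VRSN "
    "Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 "
    "Creation Date: 2011-09-27T14:00:19Z Registry Expiry Date: 2018-06-30T11:59:59Z "
    "Name Server: NS49.DOMAINCONTROL.COM Name Server: NS50.DOMAINCONTROL.COM "
    "DNSSEC: unsigned >>> Last update of whois database: 2017-10-09T16:52:03Z <<<"
)

# Field labels as Verisign/GoDaddy print them. A label only counts when the
# colon follows it directly, so "Registrar:" never swallows "Registrar IANA ID:".
LABELS = [
    "Domain Name", "Registry Domain ID", "Registrar WHOIS Server", "Registrar URL",
    "Updated Date", "Creation Date", "Registry Expiry Date", "Registrar",
    "Registrar IANA ID", "Registrar Abuse Contact Email",
    "Registrar Abuse Contact Phone", "Domain Status", "Name Server", "DNSSEC",
    "URL of the ICANN Whois Inaccuracy Complaint Form",
]
LABEL_RE = re.compile("(" + "|".join(map(re.escape, LABELS)) + r"):\s*")
TRAILER_RE = re.compile(r">>> Last update of whois database:.*?<<<")
MULTI = {"Domain Status", "Name Server"}  # fields that legitimately repeat


def parse_whois(text):
    """Split run-together WHOIS text into one dict per 'Domain Name:' record."""
    text = TRAILER_RE.sub("", text)
    records = []
    for chunk in re.split(r"(?=Domain Name:)", text):
        if not chunk.strip():
            continue
        rec, hits = {}, list(LABEL_RE.finditer(chunk))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(chunk)
            key, value = m.group(1), chunk[m.end():end].strip()
            if key in MULTI:
                rec.setdefault(key, []).append(value)
            else:
                rec[key] = value
        records.append(rec)
    return records


def group_by_creation_day(records):
    """Map creation day (YYYY-MM-DD) -> sorted domains registered that day,
    the pivot that surfaces the two July 17th 2008 registrations."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get("Creation Date", "")[:10]].append(rec["Domain Name"])
    return {day: sorted(names) for day, names in groups.items()}
```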

So what made them buy all but one of these domains on July 17th 2008 I wonder? Now, one might then want to look into say Felix Sater’s domains that he might own on the internet as well right? After all Felix was the point man on all these deals with Russia that seem to keep bubbling back up. Not that I would go and do some digging like that…

Right?

Maybe next post…

Oh well, there’s a data dump for you all. Interesting stuff no?

Dr. K.

 


Bluebox2600: Darknet Games


It all started for me yesterday when a new darknet site popped up on the spider. The page primarily consisted of the image above that contained a movie that plays automatically. The movie consists of what looks like a hooded figure bringing in a small corpse of some kind and through cut scenes begins to dissect it with a kitchen knife. This of course intrigued me so I went down the darknet rabbit hole to find out more. Luckily for me the breadcrumb trail was left on the page listing the previous sites that the user had created “games” on in the past.

 

I then copied down the URLs in that image file above and began to call them all up in the browser. It turns out I had seen these sites before and dug around a bit on them in the past. The reason for my interest back then, which waned eventually, was that each site had codes embedded in the HTML to break. These codes weren't hard really and I wondered if I was missing something else, but you know me, I get bored and I walked away after a bit. Of course now, with this new site, I had to go back and take another look.

Once I went down the rabbit hole, I kinda found myself in an interesting esoterica hell. The pages pretty much all lead from one to the next when you decode the hidden codes. Note that I have only looked at the HTML and not into the imagery itself (e.g. looking for steg), and maybe I will do that after a time. Anyway, these are the sites as linked by code, and the "puzzle" that this person (or persons) has put out on the darknet for the chosen few to work out. It all comes down to some kind of esoterica that is supposed to enlighten the puzzler.

I don't feel too illuminated but it was fun. I did get a little turned around a couple of times and I still have not quite solved the math problem into a URL. I do dig the imagery used, especially all the old creepy photos and shops of things like the anthropomorphic rabbit. I don't quite know what it is about him that makes him nightmare fuel for me, but I am all up into that. These pages as a whole don't seem to give you a way to talk to the creator, but maybe they were watching the hits on the pages to see if people were working them out. As I show in the post here, I also was able to dig up a WHOIS and a name as well as an email address used in DomainTools, so I may have nailed down who made these and what else they have online. I will look more into that later on and let you know…

For now, enjoy the puzzling and know that the images at the top here? Well, they are back at it and I already am going down the new rabbit puzzle hole too.

K.

Illuminati

Code in HTML:

.-.. .. --. .... - .- --.. .--. .. -.. --- -..- -.- --.- -.-. . .-.-.- --- -. .. --- -. -..-. - .... . -.. --- .-.. .-.. .- .-. .-.-.- .... - -- .-..

Translation: LIGHTAZPIDOXKQCE.ONION/THEDOLLAR.HTML

The Dollar

HTML code:

http://lightazpidoxkqce.onion/_ _ _.html Looking for 3 letters here .. Type illuminati backwards then add .com what is the abbreviation of the organization this leads you to.

itanimulli.com redirects to the NSA website

TEXT

WHOIS info on this is interesting…

Domain Name: ITANIMULLI.COM
Registry Domain ID: 92386827_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-22T22:32:21Z
Creation Date: 2002-11-20T07:54:13Z
Registrant Name: John Fenley
Registrant Organization:
Registrant Street: 1985N 360E
Registrant City: Provo
Registrant State/Province: Utah
Registrant Postal Code: 84604-1803
Registrant Country: US
Registrant Phone: 8014273274
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: pontifier@hotmail.com
Registry Admin ID: Not Available From Registry
Admin Name: John Fenley

Crop Circles

Code in HTML:

<!--
2+3=8,
3+7=27,
4+5=32,
5+8=60,
6+7=72,
7+8=?? 98
/??.html

As a math problem:

2*1 + 3*2 = 2+6 = 8

3*2 + 7*3 = 6+21 = 27

4*3 + 5*4 = 12+20 = 32

5*4 + 8*5 = 20+40 = 60

6*5 + 7*6 = 30+42 = 72

7*6 + 8*7 = 42+56 = 98

SOLVE: 7+8 = 98

I never quite got this one… Can you put this solve into a URL?

To Wonderland

Code in HTML:

01101000 01110100 01110100 01110000 00111010 00101111 00101111 01100011 01110010 01100101 01100101 01110000 01111001 01101101 01101000 01110000 01100111 01101001

01100010 01110011 01100101 01110111 01110010 00101110 01101111 01101110 01101001 01101111 01101110 00101111 01110100 01101000 01100101 01110010 01100001 01100010

01100010 01101001 01110100 00101110 01101000 01110100 01101101 01101100

Binary Translation: http://creepymhpgibsewr.onion/therabbit.html

The Rabbit

Code in HTML:

WVVoU01HTkViM1pNTWs1NVdsZFdkMlZYTVc5alIyUndXVzVPYkdRelNYVmlNalZ3WWpJMGRtUkhhR3hhTWtaNllsZEdlbUY1Tlc5a1J6RnpTVU13ZEZveU9YWmFRMEp4WWpKSlBRPT0=

Base 64 decode thrice = http://creepymhpgibsewr.onion/thegasmask.html –good job

The Gas Mask

Code in HTML: 68 74 74 70 3a 2f 2f 63 72 65 65 70 79 6d 68 70 67 69 62 73 65 77 72 2e 6f 6e 69 6f 6e 2f 66 61 63 65 6c 65 73 73 2e 68 74 6d 6c

HEX decode: http://creepymhpgibsewr.onion/faceless.html

Faceless

Code in HTML:

\x68\x74\x74\x70\x3a\x2f\x2f\x63\x72\x65\x65\x70\x79\x6d\x68 \x70\x67\x69\x62\x73\x65\x77\x72\x2e\x6f\x6e\x69\x6f\x6e\x2f \x68\x61\x6c\x6c\x6f\x77\x65\x65\x6e\x2e\x68\x74\x6d\x6c

HEX Decode: http://creepymhpgibsewr.onion/halloween.html

Halloween

Code in HTML:

104 116 116 112 58 47 47 99 114 101 101 112 121 109 104 112 103 105 98 115 101 119 114 46 111 110 105 111 110 47 116 104 101 115 99 114 101 97 109 46 104 116 109 108

Decimal Decode: http://creepymhpgibsewr.onion/thescream.html

The Scream

Code in HTML: http://creepymhpgibsewr.onion/thepic.jpg

The Pic

This kinda dead ends for me….

Page # The Witch

Code in HTML:

V1ZWb1UwMUhUa1ZpTTFwTlRUSlNkMXBGWkU5aU1EVklWR3BhYTFZeFNuWlhWRTV2WVZad1dHUXpWbWxOYWxaM1dXcEpNR1J0VFhsU2FrSmFWbnBTTVZsVmFGTmtSMHBFVVZoU1RWWXlVakpaYWtwU1dqSkdkRTlYYXowPQ==

Base64 Decode: http://witch4czudhcxbel.onion/satan.html –good job

I am going to assume that the witch is the solve for the math problem converted into a URL…

Satan

Code in HTML:

WVVoU01HTkRWWHBSVTFWNVVtbFZlVkp1WkhCa1IwNXZUa2RPTm1SWFVtOVpNMmhwV2xkM2RXSXlOWEJpTWpSc1RXdGFlbVZYTVdsaU1uaDZURzFvTUdKWGQzSk1VekZ5V2xkV2Qwc3laSFpoVnpWdQ==

Base 64 Decode: http//witch4czudhcxbel.onion/symbols.html+–keep+going

Symbols

Code in HTML:

YUhSMGNEb3ZMM2RwZEdOb05HTjZkV1JvWTNoaVpXd3ViMjVwYjI0dmRHaGxaRzl2Y25NdWFIUnRiQT09

Base 64 Decode: http://witch4czudhcxbel.onion/thedoors.html

Doors

Choose your doors…

Door One “Gore 226”

Code in HTML:

Base 64 Decode: http://gore226jrod4ia2c.onion/gore911/ — enter

Once you put in the URL you get the following text on the new page:

Door Two “Grandma’s Garden”

I have yet to play with this one… I will get round to that.

Door Three “The End”

Code in HTML:

Congrats!! You broke the witches code. There will be more puzzles to come. Hope you enjoyed this Bluebox2600 @ http://blueboxlxc4o7mvk.onion/

Now the Esoterica begins…

Door Four “Sacred Geometry”

Code in HTML:

“Once in a while you get shown the light In the strangest of places if you look at it right”

Right! Well we are back to esoteric teachings that seem to be Illuminati in nature. I am not sure where this guy is going but it was a fun trip.
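Every hop in the chain above is the same URL shape pushed through a different alphabet (Morse, 8-bit binary, spaced or \x-prefixed hex, decimal byte values, base64 nested several layers deep), plus one arithmetic rule for the crop circles page. As an added example, not Bluebox2600's code or anything taken from the pages themselves, here is a Python decoder that picks the encoding from a clue's alphabet, peels nested base64 until the result stops being base64, and applies the crop-circle rule the post works out; the nested-base64 sample it builds on example.onion is constructed, the other clues it is meant to run on are the ones quoted above.

```python
import base64
import re

# Morse table covering what the puzzle pages use: letters, '.', '/', '-'.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", ".-.-.-": ".", "-..-.": "/", "-....-": "-",
}

def decode_morse(s):
    return "".join(MORSE[sym] for sym in s.split())

def decode_binary(s):
    return "".join(chr(int(byte, 2)) for byte in s.split())

def decode_hex(s):
    # Accepts both "68 74 74 70 ..." and "\x68\x74\x74\x70..." spellings.
    return bytes.fromhex(re.sub(r"[\\x\s]", "", s)).decode()

def decode_decimal(s):
    return "".join(chr(int(n)) for n in s.split())

def nest_base64(text, layers=3):
    """Encode text through base64 `layers` times (builds a constructed clue)."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()

def decode_base64_layers(s, max_layers=8):
    """Peel nested base64 until the result is no longer base64 text;
    returns (plaintext, layers). Some of the site's clues are 3 deep."""
    data, layers = s.strip().encode(), 0
    while layers < max_layers:
        try:
            inner = base64.b64decode(data, validate=True)
            inner.decode("utf-8")  # stop once we fall through into raw bytes
        except (ValueError, UnicodeDecodeError):
            break
        data, layers = inner, layers + 1
    return data.decode("utf-8"), layers

def decode_clue(clue):
    """Choose a decoder from the clue's alphabet. Order matters: binary and
    all-digit hex would otherwise be mistaken for decimal byte values."""
    t = clue.strip()
    if re.fullmatch(r"[.\-\s]+", t):
        return decode_morse(t)
    if re.fullmatch(r"(?:[01]{8}\s*)+", t):
        return decode_binary(t)
    if re.fullmatch(r"(?:\\x[0-9a-fA-F]{2}\s*)+", t) or \
       re.fullmatch(r"(?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2}", t):
        return decode_hex(t)
    if re.fullmatch(r"(?:\d{1,3}\s*)+", t):
        return decode_decimal(t)
    return decode_base64_layers(t)[0]

def crop_circle(a, b):
    """The 'crop circles' rule the post works out: a*(a-1) + b*a (7+8 -> 98)."""
    return a * (a - 1) + b * a
```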

 

