Who’s Behind GoatRAT?
Security Boulevard securityboulevard.com
In this brief analysis I'll take a look at who's behind GoatRAT in terms of social media activity, C&C servers, and actual personally identifiable information.
Personally identifiable information:
hxxp://bit[.]ly/nubankmodulo
hxxp://goatrat[.]com/apks/apk20[.]apk
Sample MD5s:
6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7
9a8e85cf1bbd32c71f0efa42ffedf1a0
hxxp://api[.]goatrat[.]com:3008
Social Media:
hxxp://t[.]me/sickoDevz
hxxp://t[.]me/goatmalware
Web site:
hxxp://criminalmw[.]fun
hxxp://clientes[.]criminalmw[.]fun
WhatsApp - +5511987457894
ba5833b49e2c6501f5bbce90b7948a85
Code Signing Certificate Signed By: Mr[.] Paxton Doyle PhD
SSL: 94ba7810ece1a1b227e6a5b509c8bb228e7285a1a5cee5f0ee26542783d4b09a
Sample C&C servers: