The Pareto Botnet – Advanced Cross-Platform Android Malware Using Amazon AWS Spotted in the Wild – An Analysis | WhoisXML API


We decided to take a look at the recently discovered Pareto Botnet using Maltego in combination with WhoisXML API’s integration, to provide additional actionable intelligence on the campaign that researchers and vendors can use when tracking down and responding to the campaign’s attacks.

In this article we’ll elaborate on the Pareto Botnet and offer practical, actionable intelligence on its actual C&C (Command and Control) infrastructure, which includes the use of Amazon AWS for C&C purposes.

Sample Screenshot of the Pareto Botnet in Action Using Maltego and WhoisXML API’s Integration

Sample malicious C&C server domains known to have participated in the campaign:

  • aminaday[.]com
  • iamadsco[.]com
  • admarketingads[.]com
  • mobileadsrv[.]com
  • adsrvus[.]com
  • admobilerv[.]com
  • webadsrv[.]com
  • adstreamrv[.]com
  • adadsrv[.]com
  • advertisementforyou[.]com
  • adservernet[.]co
  • kryptonads[.]com
  • videoscommercials[.]com
  • streamadsonline[.]com
  • springrollfit[.]com
  • rolladstech[.]com
  • fullfacility[.]net
  • digitalmobilespace[.]com
  • admguide[.]com
  • admmart[.]com
  • digimobileworld[.]com

Sample Screenshot of the Pareto Botnet in Action Using Maltego and WhoisXML API’s Integration

Sample malicious and rogue IPs known to have participated in the campaign:

  • 4[.]236[.]25[.]172
  • 54[.]86[.]138[.]219
  • 52[.]23[.]54[.]114
  • 52[.]39[.]34[.]238
  • 54[.]68[.]196[.]177
  • 34[.]217[.]164[.]136
  • 44[.]239[.]49[.]7
  • 44[.]229[.]182[.]18
  • 54[.]144[.]32[.]227

Sample Amazon AWS C&C server domains known to have been involved in the Pareto Botnet:

  • hl-legals[.]s3-us-west-2[.]amazonaws[.]com
  • ui2beehome[.]s3-us-west-2[.]amazonaws[.]com
  • 774f913e-production-weconv-abee-330827228[.]us-east-1[.]elb[.]amazonaws[.]com
  • crew-mobile-assets[.]s3-us-west-2[.]amazonaws[.]com
  • bsftassets[.]s3-us-west-2[.]amazonaws[.]com
  • cmpplatform-556433186[.]us-east-1[.]elb[.]amazonaws[.]com
  • mcpemasterconfig[.]s3[.]amazonaws[.]com
  • eee4fwd0cpfbtg8n-9e855e4b9bb4d371[.]elb[.]eu-central-1[.]amazonaws[.]com
  • s3-1-w[.]amazonaws[.]com
  • c4-710722927[.]us-west-2[.]elb[.]amazonaws[.]com
  • pro-api-lb-212444944[.]ap-southeast-1[.]elb[.]amazonaws[.]com
  • adn-cronus-vg-external-2138794050[.]us-east-1[.]elb[.]amazonaws[.]com
  • up-cm-vpc-137845722[.]us-west-1[.]elb[.]amazonaws[.]com
  • adn-tksetting-fk-451124493[.]eu-central-1[.]elb[.]amazonaws[.]com
  • www-pangu-net-1090115676[.]eu-west-1[.]elb[.]amazonaws[.]com
  • ludo-userserver-158076954[.]ap-south-1[.]elb[.]amazonaws[.]com
  • business-1539604941[.]eu-west-1[.]elb[.]amazonaws[.]com
  • s3[.]amazonaws[.]com
  • bigdatasdk-1248540703[.]us-west-2[.]elb[.]amazonaws[.]com
  • cm-infoc-2-1663642949[.]us-west-2[.]elb[.]amazonaws[.]com
  • ttm-pub-stuff[.]s3-us-west-2[.]amazonaws[.]com
  • clientapps-us[.]s3-us-west-2[.]amazonaws[.]com
  • s3-r-w[.]us-west-1[.]amazonaws[.]com
  • cmwww-1879783141[.]us-west-1[.]elb[.]amazonaws[.]com
  • s3-us-west-2[.]amazonaws[.]com
  • s3-us-west-2-r-w[.]amazonaws[.]com
  • s3-r-w[.]eu-central-1[.]amazonaws[.]com
  • cmwww-https-net-1244732952[.]us-west-1[.]elb[.]amazonaws[.]com
  • bc20[.]s3[.]eu-central-1[.]amazonaws[.]com
  • c3-1760408482[.]us-west-2[.]elb[.]amazonaws[.]com
  • dcs-edge-va6-802167536[.]us-east-1[.]elb[.]amazonaws[.]com
  • cms-cbk-prod-ks-1959301343[.]us-west-2[.]elb[.]amazonaws[.]com
  • up-pangu-net-1224294475[.]eu-west-1[.]elb[.]amazonaws[.]com
  • Mdl2021[.]s3-us-west-2[.]amazonaws[.]com

Sample Screenshot of the Pareto Botnet in Action Using Maltego and WhoisXML API’s Integration
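As an added example (not code from this article, from WhoisXML API or from Maltego), the following Python takes a subset of the defanged indicators listed above, refangs them, splits the amazonaws.com hostnames into bucket or load-balancer name and region, and checks constructed DNS and outbound-flow log lines against the resulting watchlist. The log lines, the key=value log format and the high/low confidence split are assumptions of this example: shared S3 endpoints such as s3.amazonaws.com or s3-us-west-2.amazonaws.com carry no customer-chosen name and are resolved by every S3 user, so they are tracked at low confidence rather than treated like the bucket- or ELB-specific names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the defanged indicators published in this article, copied as listed.
DEFANGED_DOMAINS = ["aminaday[.]com", "mobileadsrv[.]com", "adservernet[.]co"]
DEFANGED_IPS = ["54[.]86[.]138[.]219", "52[.]23[.]54[.]114"]
DEFANGED_AWS = [
    "hl-legals[.]s3-us-west-2[.]amazonaws[.]com",
    "cmpplatform-556433186[.]us-east-1[.]elb[.]amazonaws[.]com",
    "eee4fwd0cpfbtg8n-9e855e4b9bb4d371[.]elb[.]eu-central-1[.]amazonaws[.]com",
    "bc20[.]s3[.]eu-central-1[.]amazonaws[.]com",
    "s3[.]amazonaws[.]com",
    "s3-us-west-2[.]amazonaws[.]com",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]' in place of '.') back into its literal form."""
    return ioc.replace("[.]", ".").strip().lower()


REGION = r"[a-z]{2}-[a-z]+-\d"
# <bucket>.s3.amazonaws.com, <bucket>.s3-<region>.amazonaws.com, <bucket>.s3.<region>.amazonaws.com
S3_BUCKET_RE = re.compile(rf"^(?P<name>[a-z0-9.-]+?)\.s3(?:[.-](?P<region>{REGION}))?\.amazonaws\.com$")
# <name>.<region>.elb.amazonaws.com and <name>.elb.<region>.amazonaws.com (both forms appear above)
ELB_RE = re.compile(rf"^(?P<name>[a-z0-9-]+)\.(?:(?P<r1>{REGION})\.elb|elb\.(?P<r2>{REGION}))\.amazonaws\.com$")
# Shared S3 endpoints with no bucket in the hostname (s3.amazonaws.com, s3-r-w.us-west-1.amazonaws.com, ...)
GENERIC_S3_RE = re.compile(r"^s3(?:[-.][a-z0-9.-]+)?\.amazonaws\.com$")


@dataclass(frozen=True)
class AwsIndicator:
    host: str
    service: str           # "s3", "elb" or "unknown"
    name: Optional[str]    # bucket or load-balancer name; None for shared endpoints
    region: Optional[str]
    specific: bool         # True only when a customer-chosen name is present


def classify_aws(host: str) -> AwsIndicator:
    """Split an amazonaws.com hostname into service, customer name and region."""
    host = host.lower()
    if GENERIC_S3_RE.match(host):
        return AwsIndicator(host, "s3", None, None, False)
    m = S3_BUCKET_RE.match(host)
    if m:
        return AwsIndicator(host, "s3", m["name"], m["region"], True)
    m = ELB_RE.match(host)
    if m:
        return AwsIndicator(host, "elb", m["name"], m["r1"] or m["r2"], True)
    return AwsIndicator(host, "unknown", None, None, False)


def build_watchlist():
    """Return (high_confidence, low_confidence) sets of literal indicators."""
    high = {refang(d) for d in DEFANGED_DOMAINS} | {refang(ip) for ip in DEFANGED_IPS}
    low = set()
    for d in DEFANGED_AWS:
        info = classify_aws(refang(d))
        (high if info.specific else low).add(info.host)
    return high, low


# Constructed sample log lines (not from the article): DNS queries and outbound flows, key=value form.
SAMPLE_LOG = """\
2021-04-20T10:15:01Z src=10.0.0.12 query=aminaday.com qtype=A
2021-04-20T10:15:07Z src=10.0.0.12 query=hl-legals.s3-us-west-2.amazonaws.com qtype=A
2021-04-20T10:15:09Z src=10.0.0.31 query=s3.amazonaws.com qtype=A
2021-04-20T10:16:00Z src=10.0.0.45 query=example.org qtype=A
2021-04-20T10:16:03Z src=10.0.0.45 dst=54.86.138.219 dport=443 proto=tcp
2021-04-20T10:16:05Z src=10.0.0.45 dst=192.0.2.10 dport=443 proto=tcp
"""

FIELD_RE = re.compile(r"\b(query|dst)=(\S+)")
SRC_RE = re.compile(r"\bsrc=(\S+)")


def scan_log(text: str):
    """Match each line's queried name or destination IP against the watchlist.

    Returns a list of (source host, indicator, confidence) tuples in log order.
    """
    high, low = build_watchlist()
    hits = []
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        value = m.group(2).lower().rstrip(".")   # normalise trailing dot in FQDNs
        s = SRC_RE.search(line)
        src = s.group(1) if s else "?"
        if value in high:
            hits.append((src, value, "high"))
        elif value in low:
            hits.append((src, value, "low"))
    return hits


if __name__ == "__main__":
    for src, ioc, conf in scan_log(SAMPLE_LOG):
        print(f"{conf:4s} {src} -> {ioc}")
```

Keeping the shared S3 endpoints in a separate low-confidence set is the design point: a host that resolves hl-legals.s3-us-west-2.amazonaws.com or connects to one of the listed IPs is worth an immediate look, while a query for s3.amazonaws.com is only meaningful in combination with other signals, and blocking it outright would break legitimate S3 traffic.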

Malicious MD5s known to have participated in the campaign:

Sample Screenshot of the Pareto Botnet in Action Using Maltego and WhoisXML API’s Integration

We’ll continue monitoring the campaign and post updates as soon as new developments occur.
