Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-07-21 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

BTC pickpockets are back

Published: 2018-07-21
Last Updated: 2018-07-21 15:25:58 UTC
by Didier Stevens (Version: 1)
3 comment(s)

About 8 months after their first visit, my server gets another visit from the Bitcoin pickpockets.

It's another IP address this time (again an VPN exit node), but the user agent string is exactly the same:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0

The requested filenames are identical, except for 4 new files/folders (3 of them highlighted in red in the picture below). The order of request is different from the first time.
It seems they made a small update to their script. The scan is much faster this time: about 4 minutes long compared to about 40 minutes the first time.

If you have observed this too or have a remark, please post a comment.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: bitcoin pickpocket
3 comment(s)
Diary Archives