Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

BTC pickpockets are back

Published: 2018-07-21
Last Updated: 2018-07-21 15:25:58 UTC
by Didier Stevens (Version: 1)
3 comment(s)

About 8 months after their first visit, my server gets another visit from the Bitcoin pickpockets.

It's another IP address this time (again an VPN exit node), but the user agent string is exactly the same:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0

The requested filenames are identical, except for 4 new files/folders (3 of them highlighted in red in the picture below). The order of request is different from the first time.
It seems they made a small update to their script. The scan is much faster this time: about 4 minutes long compared to about 40 minutes the first time.

If you have observed this too or have a remark, please post a comment.

Didier Stevens
Senior handler
Microsoft MVP

Keywords: bitcoin pickpocket
3 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Weblogic Exploit Code Made Public (CVE-2018-2893)
Jul 20th 2018
1 day ago by Kevin Liston (0 comments)

Reporting Malicious Websites in 2018
Jul 19th 2018
2 days ago by Kevin Liston (2 comments)

Request for Packets: Port 15454
Jul 18th 2018
3 days ago by Kevin Liston (1 comment)

Oracle Critical Patch Update Release
Jul 18th 2018
4 days ago by ScottF (0 comments)

Searching for Geographically Improbable Login Attempts
Jul 17th 2018
5 days ago by Xme (5 comments)

Extracting BTC addresses from emails
Jul 16th 2018
6 days ago by DidierStevens (0 comments)

Video: Retrieving and processing JSON data (BTC example)
Jul 15th 2018
1 week ago by DidierStevens (1 comment)

View All Diaries →

Latest Discussions

Windows Long File Path
created Jul 19th 2018
3 days ago by Shishir (0 replies)

Windows Long File Path
created Jul 18th 2018
4 days ago by Shishir (0 replies)

Botnet brute forcing mail accounts?
created Jun 22nd 2018
4 weeks ago by Anonymous (0 replies)

Simple SMTP/network routing questions
created Jun 14th 2018
1 month ago by Anonymous (0 replies)

HTTP Headers Illicit Characters
created Jun 13th 2018
1 month ago by David (2 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
11 months ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
7 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
11 months ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
10 months ago by Renato (0 comments)