Lnkr Adware: Malicious browser extension campaign

If you use browser extensions, be aware that malicious Lnkr browser extensions are rapidly spreading across the internet.

What are browser extensions?

Extensions are small software programs that customize the browsing experience. They enable users to tailor browser functionality and behavior to individual needs or preferences. They are built on web technologies such as HTML, JavaScript, and CSS.

Browser extensions extend your web browser with additional features, modify web pages, and integrate your browser with the other services you use, for example ad blockers, VPNs and HTTPS Everywhere.

Since users across the globe have accepted and become dependent on browser extensions, attackers have started leveraging this technology, using malicious extensions to attack users.

What is Lnkr, what is its motive, and how does it work?

Lnkr

It is categorized as a type of adware (JS/Adware Script Injector). Although it is adware, it can still do serious damage depending on where it redirects you.

Motive

Its purpose is simple: redirect traffic to malicious or command-and-control (C2) domains, and harvest personal details about you or your finances.

Working methodology of Lnkr

  • Attackers first clone legitimate or semi-legitimate browser extensions and inject their malicious code into them.
  • Attackers distribute these cloned, malicious versions of the extensions on the Google Chrome Web Store.
  • The main goal of these malicious extensions is to inject malicious JavaScript into the web pages browsed by the user.
  • Once web pages are compromised with this JavaScript, users browsing them are redirected either to C2 domains such as lnkr[dot]us and lnkr[dot]fr, which appear to be part of this malware campaign and fully controlled by the attackers, or to various ad-popper and advertisement sites.

Note also that these malicious extensions have the potential to send sensitive data to command-and-control (C2) servers. Attackers often use such servers to keep a channel open to the compromised systems.

Master-Mind behind Lnkr

Brocode, a shell company registered in Hong Kong, seems to be the company behind the code, although the attackers have left a few footprints that lead us to suspect Eastern European, likely Ukrainian or Russian, culprits may be involved, without any direct relationship to government confirmed.

Using our domain and IP intelligence platform SurfaceBrowser™, we were able to fetch the relevant WHOIS information—and it seems to belong to a guy named Sergei Filov, from Ukraine.

Securitytrails.com

Technical explanation of Lnkr Adware

  • When a user visits or browses a compromised web site, in this case ryersonrams[dot]ca.
    Compromised web page URL:
    http://www.rec.ryersonrams[dot]ca/ViewArticle.dbml?DB_OEM_ID=22310&ATCLID=204919766&DB_OEM_ID=22310
    [Image: Compromised web page]
  • If we check the source code behind this web page, we can see the embedded malicious JavaScript in it (see the highlighted part in the image below).
    [Image: Embedded JavaScript in the compromised web page]
  • To see the flow of data, we captured and analyzed the traffic. It shows that once the user browses the compromised web page mentioned above, the embedded JS is downloaded to the user's system in the background without the user's consent.
    [Image: HTTP request for the embedded JavaScript]
    [Image: Packet analysis showing that the request for the JavaScript was referred from the compromised web page]
  • Once infected with the malicious JavaScript, post-infection traffic starts and the user is redirected to unwanted sites. The post-infection traffic contains some significant keywords such as sid, tid and rid, where the value of rid signifies a function name that can be seen in the malicious JavaScript.
    [Image: Post-infection traffic]
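As an added example (not code from the original post), the following Python classifier recognises the request shapes this page describes, namely the S3-hosted loader scripts, the lnkr*.min.js add-ons and the metric and opt-out beacons carrying sid, tid and rid, and runs it over a few constructed proxy log lines. The log line format is an assumption, and the 18-hex-character loader id is treated as the key that later opt-out beacons carry, as the URLs on this page show.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not code from the original post. The URL shapes come from the
# request patterns shown on this page; the log lines below are constructed in a
# simple "timestamp method url referer=..." format, not any real product's format.
S3_BUCKETS = {"js-cache", "cashe-js", "jscript-files", "jscache"}  # bucket names on the page
S3_LOADER_RE = re.compile(r"^/([^/]+)/([0-9a-f]{18})\.js$")        # /<bucket>/<18 hex>.js
HOST_LOADER_RE = re.compile(r"^/([0-9a-f]{18})\.js$")              # /<18 hex>.js on actor hosts
ADDON_RE = re.compile(r"^/addons/(lnkr\d+(?:_nt)?\.min\.js)$")     # lnkr5.min.js, lnkr30_nt.min.js
KNOWN_RID = {"LAUNCHED", "LOADED", "FINISHED", "MNTZ_LOADED"}      # rid values seen on the page


def classify(url):
    """Map one URL to (stage, detail) if it matches an Lnkr pattern, else None."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    q = parse_qs(parts.query)
    m = S3_LOADER_RE.match(path)
    if host == "s3.amazonaws.com" and m and m.group(1) in S3_BUCKETS:
        return ("stage2-loader", m.group(2))          # 18-hex id doubles as the beacon "key"
    m = HOST_LOADER_RE.match(path)
    if m:
        return ("stage2-loader", m.group(1))          # same naming on the actor's own hosts
    m = ADDON_RE.match(path)
    if m:
        return ("stage3-addon", m.group(1))
    if path.startswith("/metric/") and "rid" in q:
        rid = q["rid"][0]
        return ("stage3-beacon", rid if rid in KNOWN_RID else "unknown:" + rid)
    if path.startswith("/optout/") and q.get("jsonp", [""])[0].startswith("__twb_cb_"):
        return ("stage3-optout", q.get("key", [""])[0])
    return None


def scan_log(lines):
    """Return Lnkr hits from log lines, linking opt-out beacons to the loader that set their key."""
    hits, loader_ids = [], set()
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, url = fields[0], fields[2]
        referer = fields[3].split("=", 1)[1] if len(fields) > 3 and "=" in fields[3] else ""
        result = classify(url)
        if result is None:
            continue
        stage, detail = result
        if stage == "stage2-loader":
            loader_ids.add(detail)
        hits.append({"ts": ts, "stage": stage, "detail": detail,
                     "victim_page": urlsplit(referer).hostname or "",   # page that carried the loader
                     "linked": stage == "stage3-optout" and detail in loader_ids})
    return hits


# Constructed sample log: one visit to a page carrying the injected loader, then the follow-on traffic.
SAMPLE_LOG = """\
2019-05-05T21:46:31 GET https://s3.amazonaws.com/js-cache/18b181560802361ac2.js referer=http://www.blsac.org/
2019-05-05T21:46:32 GET https://pagevalidation.space/addons/lnkr30_nt.min.js referer=http://www.blsac.org/
2019-05-05T21:46:32 GET https://pagevalidation.space/optout/set/lt?jsonp=__twb_cb_947436491&key=18b181560802361ac2&cv=49513&t=1530647524352 referer=http://www.blsac.org/
2019-05-05T21:46:33 GET https://datapro.website/metric/?mid=&wid=52529&sid=&tid=8408&rid=LAUNCHED&t=1557513837403 referer=http://www.blsac.org/
2019-05-05T21:46:40 GET https://www.example.org/static/app.js referer=https://www.example.org/
"""
```

Feeding `scan_log(SAMPLE_LOG.splitlines())` yields four hits for the first four lines and none for the benign request; the opt-out hit is marked as linked because its key matches the loader id fetched moments earlier from the same referring page.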

Analysis of the embedded JavaScript

Sandbox analysis of the script

OSINT analysis of this malicious JavaScript:

Sandbox analysis of this JavaScript:

For a more technically detailed explanation, see the GitHub link: Github-Lnkr

IOCs Observed in this campaign

List of IPs observed in this campaign:


List of domains observed in this campaign:


To find other IOCs observed so far in Lnkr activity, see: Lnkr – Indication of Compromise [IOCs]

Can we get rid of Lnkr?

Blocking the attack isn’t easy either, as the attackers are using generic S3 bucket names, along with rotating C2 domain names and IP addresses spread across multiple hosting providers.

How to protect yourself from malicious extensions?

  • Use fewer extensions; install only the ones you need.
  • Remove all unused extensions, as an extension you no longer use becomes a potential future security risk.
  • Always keep your extensions updated.
  • Before installing any extension, try to verify that it is legitimate: look at the developer's reputation and the extension's reviews. The newer an extension is, the more dangerous it can be; if you cannot establish that it is legitimate, wait until the browser itself adds such functionality in a coming release.
  • Before installing an extension, check what permissions it requests; make sure it has access to the browser only and is not given file-sharing access.

I’ve installed a malicious browser extension. How can I remove it?

  • Click on the three dots at the top right corner of your Chrome browser
  • Then click on the ‘More Tools’ option
  • Select the ‘Extensions’ option
  • Locate the extension you want to remove
  • Click the Remove button.

To get rid of malware or adware, please visit my previous post at:
http://www.securitystreets.com/what-is-malware-and-its-type-and-how-to-identify-and-remove-it/

Tell us how you liked this knowledge share. Please stay tuned for more cyber stuff!

9 thoughts on “Lnkr Adware: Malicious browser extension campaign”

  1. Saish Pramod Urumkar

    Great stuff. Detailed explanation along with examples is just what is needed to best understand the vulnerability.
    Thanks for sharing!

    1. Cyber Security Analyst

      Thanks Saish for your valuable input, please stay tuned for more interesting cyber stuff.

  2. Here is a sample of data I can send you related to this threat actor:

    DATA FOR IOC INGESTION

    List of websites with confirmed connections (mostly businesses) to LNKR domains:


    Stage 2a URLS:


    Other domains the actor uses that have similar JavaScript that his Chrome extensions will reach out to include:


    Stage 3 Domains:
    These are a result of JS (from above) running.


    Stage 4 Domains (found specifically and mainly in compromised websites):


    Other Domains of Interest:


    IP Infrastructure for Above Domains:


  3. Pingback: Lnkr : Indication of Compromise [ IOCs ] | Security@Speaks

  4. Some of those domains are not related to Lnkr. Lnkr itself is a project of Monetizus company (monetizus.com).
