Lnkr: Indicators of Compromise (IOCs)

All the IOCs observed in LNKR activity so far are listed below. This collection was made possible by one of our readers, Mr. Baber Parvez, and some of his friends at Proofpoint, who actively shared these IOCs with us. If you have something to share as well, just reach out to us.

To read about the Lnkr adware itself, see: Lnkr Adware: Malicious browser extension campaign

Websites (mostly businesses) with confirmed connections to LNKR domains:

https://camping-lemontjolibois[.]com/
https://www[.]blsac[.]org/
http://elsabato[.]economicas[.]uba[.]ar/talleres/
https://thewardrummer[.]com/
http://www[.]dadpokercast[.]com/
http://decolornaranja[.]net/
http://desardacollege[.]com/
http://djmatman[.]com/
http://www[.]esteworldmedicalgroup[.]uk/
http://excelerateca[.]com/
https://haroonca[.]com/
http://kezipoggyasz[.]hu/
http://www[.]koopzondaghaarlem[.]nl/
https://new-sannan[.]org/
http://sandoval501[.]org/
http://swananda[.]org/
http://www[.]totaltele[.]com/
http://www[.]eurogites[.]org/
http://www[.]gohasties[.]com/
http://www[.]ikaruga-milk[.]co[.]jp/
http://www[.]jibistore[.]com/
http://www[.]krishgen[.]com/
http://www[.]leonaventura[.]com/
http://www[.]lms[.]lincolnps[.]org/
http://www[.]nursespedia[.]in/
https://www[.]procupkarting[.]com/
http://www[.]richyrice[.]com/

Stage 2a URLs (JavaScript hosted on Amazon S3):

https://s3[.]amazonaws[.]com/js-cache/18b181560802361ac2[.]js
https://s3[.]amazonaws[.]com/js-cache/1d073454a5f6e5bf7b[.]js
https://s3[.]amazonaws[.]com/cashe-js/143e7cdebf193d2764[.]js
https://s3[.]amazonaws[.]com/jscript-files/20d8758f26eaa9dcdd[.]js
http://s3[.]amazonaws[.]com/jscache/16a168f0af2da0c3c2[.]js
http://s3[.]amazonaws[.]com/jscache/1630a6e4881d8dfc9c[.]js
http://s3[.]amazonaws[.]com/jscache/1a8ce8c0d6206bde4e[.]js
http://s3[.]amazonaws[.]com/jscache/17416ac5a9194609e3[.]js
http://s3[.]amazonaws[.]com/js-cache/1d073454a5f6e5bf7b[.]js
http://s3[.]amazonaws[.]com/js-cache/16dd869573922fa693[.]js
http://s3[.]amazonaws[.]com/cashe-js/1e76dead7cc096eedb[.]js
http://s3[.]amazonaws[.]com/cashe-js/1c4db3ed7dccaa2a19[.]js
http://s3[.]amazonaws[.]com/js-cache/2055c6a0fd2a6f8cee[.]js

Other domains the actor uses to host similar JavaScript, which the actor's Chrome extensions also reach out to:

http://cardinaldata[.]net/1fa16f6ccbee745a0c[.]js
http://promclickapp[.]biz/1e6ab715a3a95d4603[.]js
http://onlinekey[.]biz/1f9f5ee62aefca3cb1[.]js
http://scrlink[.]cool/1f64ae463ad99be7d8[.]js
https://sourcestars[.]net/1f876f04ecfeddb00c[.]js

Stage 3 Domains:
These are contacted as a result of the Stage 2 JavaScript above running.

http://actextdev[.]com/optout/set/lat?jsonp=__twb_cb_25377220&key=1ccb1bd3ea423efe3a&cv=1536785895&t=1536785895097
http://actextdev[.]com/optout/set/lt?jsonp=__twb_cb_743038220&key=1ccb1bd3ea423efe3a&cv=90698&t=1536785895097
https://actextdev[.]com/addons/lnkr5[.]min[.]js
https://actextdev[.]com/addons/lnkr30_nt[.]min[.]js
http://cdnswf[.]xyz/addons/lnkr5[.]min[.]js
http://cdnswf[.]xyz/addons/lnkr30_nt[.]min[.]js
http://cdnswf[.]xyz/offers/swananda[.]org[.]js?subid=51317_4466_
http://cdnswf[.]xyz/ext/1172cd4648930bbc56[.]js?sid=51317_4466_&title=&blocks%5B%5D=1f755&blocks%5B%5D=02aed
http://cupdevlink[.]xyz/optout/set/lat?jsonp=__twb_cb_864183434&key=15128072bb38a0dfc7&cv=1538494920&t=1538494921302
http://cupdevlink[.]xyz/optout/set/lt?jsonp=__twb_cb_786225006&key=15128072bb38a0dfc7&cv=16630&t=1538494921303
https://datapro[.]website/optout/get?jsonp=__twb_cb_843449528&key=20d8758f26eaa9dcdd&t=1557513837408
https://datapro[.]website/optout/get?jsonp=__twb_cb_862265318&key=20d8758f26eaa9dcdd&t=1557513837409
https://datapro[.]website/metric/?mid=&wid=52529&sid=&tid=8408&rid=LAUNCHED&t=1557513837403
https://datapro[.]website/metric/?mid=&wid=52529&sid=&tid=8408&rid=LOADED&custom1=www[.]youtube[.]com&custom2=%2Fwatch&t=1557513837408
https://dataprovider[.]website/optout/set/lat?jsonp=__twb_cb_545767806&key=143e7cdebf193d2764&cv=1528202063&t=1528202062855
https://dataprovider[.]website/offers/www[.]blsac[.]org[.]js?subid=51847_5182_
https://dataprovider[.]website/optout/set/lt?jsonp=__twb_cb_138875573&key=143e7cdebf193d2764&cv=29734&t=1528202062855
https://dataprovider[.]website/optout/set/lt?jsonp=__twb_cb_10666904&key=143e7cdebf193d2764&cv=33107&t=1528824614776
http://dataprovider[.]website/addons/lnkr5[.]min[.]js
http://dataprovider[.]website/addons/lnkr30_nt[.]min[.]js
https://devappstor[.]com/metric/?mid=&wid=51824&sid=&tid=6967&rid=FINISHED&custom1=draft[.]blogger[.]com&t=1546512606312
https://devappstor[.]com/metric/?mid=&wid=51824&sid=&tid=6967&rid=FINISHED&custom1=draft[.]blogger[.]com&t=1546827570592
http://devappstor[.]com/optout/set/lt?jsonp=__twb_cb_215932631&key=1b378c47aa1d605558&cv=208708&t=1537263841677
http://devappstor[.]com/addons/lnkr5[.]min[.]js
http://devappstor[.]com/addons/lnkr30_nt[.]min[.]js
http://devlinkin[.]xyz/
http://extcuptool[.]com/optout/set/lat?jsonp=__twb_cb_192032182&key=1b3622eba14d06227e&cv=1534288907&t=1534288907164
http://extcuptool[.]com/optout/set/lt?jsonp=__twb_cb_958066518&key=1b3622eba14d06227e&cv=40240&t=1534288907164
https://extnotecat[.]com/metric/?mid=&wid=51824&sid=&tid=6321&rid=LAUNCHED&t=1557107014058
http://infoprovider[.]group/addons/lnkr5[.]min[.]js
http://infoprovider[.]group/addons/lnkr30_nt[.]min[.]js
http://mixappdev[.]com/addons/lnkr5[.]min[.]js
http://mixappdev[.]com/addons/lnkr30_nt[.]min[.]js
https://netanalyzer[.]space/offers/my[.]ekklesia360[.]com[.]js?subid=51847_5182_
https://netanalyzer[.]space/addons/lnkr30_nt[.]min[.]js
https://netanalyzer[.]space/offers/app[.]pagecloud[.]com[.]js?subid=51847_5182_
https://netanalyzer[.]space/addons/lnkr5[.]min[.]js
http://pageanalytics[.]space/optout/set/lat?jsonp=__twb_cb_179616868&key=1a9acd9db766915ce7&cv=1528123805&t=1528123804904
https://pagevalidation[.]space/optout/set/lt?jsonp=__twb_cb_947436491&key=18b181560802361ac2&cv=49513&t=1530647524352
https://pagevalidation[.]space/addons/lnkr30_nt[.]min[.]js
https://pagevalidation[.]space/addons/lnkr5[.]min[.]js
http://poplinkapp[.]xyz/addons/lnkr5[.]min[.]js
http://poplinkapp[.]xyz/addons/lnkr30_nt[.]min[.]js
http://poplinkapp[.]xyz/offers/elsabato[.]economicas[.]uba[.]ar[.]js?subid=51847_5182_
http://poplinkapp[.]xyz/optout/set/lat?jsonp=__twb_cb_855261503&key=143e7cdebf193d2764&cv=1533132580&t=1533132580649
http://poplinkapp[.]xyz/optout/set/lt?jsonp=__twb_cb_570295433&key=143e7cdebf193d2764&cv=1493&t=1533132581493
https://profflinkgo[.]com/metric/?mid=&wid=51847&sid=&tid=5182&rid=LAUNCHED&t=1557110235981
https://profflinkgo[.]com/metric/?mid=&wid=51847&sid=&tid=5182&rid=LAUNCHED&t=1557110235987
https://profflinkgo[.]com/optout/get?jsonp=__twb_cb_674296444&key=143e7cdebf193d2764&t=1557110240555
http://profflinkgo[.]com/optout/set/lat?jsonp=__twb_cb_602197230&key=1e74875aa42e1bf570&cv=1539856139&t=1539856139666
https://profflinkgo[.]com/optout/set/userid?jsonp=__twb_cb_986125179&key=143e7cdebf193d2764&cv=10&t=1557109141240
https://profflinkgo[.]com/optout/set/strtm?jsonp=__twb_cb_994105417&key=143e7cdebf193d2764&cv=1557109133&t=1557109141241
https://profflinkgo[.]com/optout/set/lat?jsonp=__twb_cb_183512180&key=143e7cdebf193d2764&cv=1557109133&t=1557109141244
http://profflinkgo[.]com/metric/?mid=&wid=51847&sid=&tid=5182&rid=LAUNCHED&t=1557426923951
http://profflinkgo[.]com/metric/?mid=90f06&wid=51847&sid=&tid=5182&rid=MNTZ_LOADED&t=1557426928221
http://realtodom[.]xyz/optout/set/lt?jsonp=__twb_cb_302776623&key=1b378c47aa1d605558&cv=44973&t=1533204067013
http://realtodom[.]xyz/addons/lnkr5[.]min[.]js
http://realtodom[.]xyz/addons/lnkr30_nt[.]min[.]js
https://sourcelog[.]cool/addons/lnkr30_nt[.]min[.]js
https://sourcelog[.]cool/addons/lnkr5[.]min[.]js
http://sourcelog[.]cool/optout/get?jsonp=__twb_cb_604822027&key=1d073454a5f6e5bf7b&t=1558136261721
http://sourcelog[.]cool/metric/?mid=&wid=52319&sid=&tid=7431&rid=LAUNCHED&t=1558136261715
http://sourcelog[.]cool/metric/?mid=&wid=52319&sid=&tid=7431&rid=LOADED&custom1=whois[.]arin[.]net&custom2=%2Fui&t=1558136261720
http://statvalidation[.]website/optout/set/lt?jsonp=__twb_cb_783342895&key=1c51b85e49935c930d&cv=8015&t=1531689604558
http://statvalidation[.]website/optout/set/lat?jsonp=__twb_cb_318783416&key=1c51b85e49935c930d&cv=1531689604&t=1531689604557
http://statvalidation[.]website/addons/lnkr5[.]min[.]js
http://statvalidation[.]website/addons/lnkr30_nt[.]min[.]js
https://trafficanalytics[.]cool/addons/lnkr30_nt[.]min[.]js
https://trafficanalytics[.]cool/addons/lnkr5[.]min[.]js
https://trafficanalytics[.]cool/optout/set/lat?jsonp=__twb_cb_986008979&key=1bb5a0f9e542673e45&cv=1528991651&t=1528991651057
https://trafficanalytics[.]cool/optout/set/lt?jsonp=__twb_cb_594910486&key=1bb5a0f9e542673e45&cv=60543&t=1528991651059
http://trafficpage[.]cool/addons/lnkr5[.]min[.]js
http://trafficpage[.]cool/addons/lnkr30_nt[.]min[.]js
http://trafficvalidation[.]tools/optout/set/lat?jsonp=__twb_cb_363450291&key=1c57e6506f8c00bef4&cv=1531154779&t=1531154779740
http://trafficvalidation[.]tools/optout/set/lt?jsonp=__twb_cb_315395381&key=1c57e6506f8c00bef4&cv=14746&t=1531154779741
http://trafficvalidation[.]tools/addons/lnkr5[.]min[.]js
http://trafficvalidation[.]tools/addons/lnkr30_nt[.]min[.]js
https://trafficvalidation[.]tools/metric/?mid=&wid=51847&sid=&tid=5394&rid=FINISHED&custom1=www[.]eurogites[.]org&t=1531219423975
http://worldnaturenet[.]xyz/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=51710x7255x&r=36
http://worldnaturenet[.]xyz/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=51807x6810x&r=14
http://worldnaturenet[.]xyz/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=51317x4466x&r=3

Stage 4 Domains (seen mainly in compromised websites):

https://apiurl[.]org/filter-domains?stub=17190&domains=ukinnovationscienceseedfund[.]co[.]uk
https://apiurl[.]org/filter-domains?stub=92310&domains=thewardrummer[.]com
https://apiurl[.]org/filter-domains?stub=6739&domains=thecross[.]family
http://apiurl[.]org/filter-domains?stub=79951&domains=richyrice[.]com
http://apiurl[.]org/filter-domains?stub=53655&domains=krishgen[.]com
https://apiurl[.]org/filter-domains?stub=41142&domains=camping-lemontjolibois[.]com
http://apiurl[.]org/filter-domains?stub=85887&domains=gohasties[.]com
https://cdn-javascript[.]net/api?key=a1ce18e5e2b4b1b1895a38130270d6d344d031c0&uid=8408x&format=arrjs&r=1557513839193
https://eluxer[.]net/code?id=105&subid=51824_7008_
http://linkredirect[.]org/api?key=6ad604c17a3c6e228ff6db3f03bc6a7e5eeee448&format=arrjs&uid=91a2556838a7c33eac284eea30bdcc29
http://loadsource[.]org/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=51824x5953x&r=1535695315903
http://loadsource[.]org/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=51824x7796x&r=1539856137433
https://loadsource[.]org/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=51807x6810x&r=1538542812420
https://srvvtrk[.]com/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=52096x8060x&r=1552807224292
https://srvvtrk[.]com/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=52096x8060x&r=1554067442053
https://srvvtrk[.]com/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=52096x8060x&r=1554067075427
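The stage lists above share identifiers that let an analyst chain events together: the 18-hex-character file name of a Stage 2 S3 object reappears as the key= parameter of the Stage 3 /optout beacons, and the same numeric pair is written subid=W_T_ in /offers requests, wid=W&tid=T in /metric beacons and uid=WxTx in validate-site.js requests. The following Python is an added example, not code from the original post or from the adware: it extracts those identifiers from a subset of the URLs listed above (still defanged, in either style) and groups the hosts that share them. The stage each sample URL is assigned to is the section it appears in.

```python
"""Correlate Lnkr stage-2, stage-3 and stage-4 URLs by the identifiers they share.

Added example, not code from the original post. The sample URLs are a subset
of the lists above, still defanged; the stage of each is the section it came from.
"""
import re
from collections import defaultdict
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# IOC lists are defanged with "[.]", "[dot]" or the URL-encoded "%5B.%5D"; undo all three.
def refang(s: str) -> str:
    return re.sub(r"\[(?:\.|dot)\]|%5B\.%5D", ".", s, flags=re.IGNORECASE)

HEX18 = re.compile(r"^([0-9a-f]{18})\.js$")

def stage2_id(url: str) -> Optional[str]:
    """Stage-2 objects are named <18 hex chars>.js; that name is the payload id."""
    name = urlsplit(refang(url)).path.rsplit("/", 1)[-1]
    m = HEX18.match(name)
    return m.group(1) if m else None

def beacon_key(url: str) -> Optional[str]:
    """Stage-3 optout beacons carry the stage-2 payload id in key=."""
    return parse_qs(urlsplit(refang(url)).query).get("key", [None])[0]

def campaign_tag(url: str) -> Optional[Tuple[str, str]]:
    """Return (wid, tid). The same pair is written subid=W_T_, sid=W_T_,
    uid=WxTx and wid=W&tid=T in different stages."""
    q = parse_qs(urlsplit(refang(url)).query, keep_blank_values=True)
    if "wid" in q and "tid" in q:
        return q["wid"][0], q["tid"][0]
    for name, sep in (("subid", "_"), ("sid", "_"), ("uid", "x")):
        if name in q:
            parts = q[name][0].split(sep)
            if len(parts) >= 2 and parts[0].isdigit() and parts[1].isdigit():
                return parts[0], parts[1]
    return None  # e.g. uid=<32 hex> on linkredirect.org carries no wid/tid pair

def correlate(stage2, stage3, stage4):
    """Group stage-3/4 hosts by the stage-2 payload id they report and by campaign tag."""
    ids = {i for i in map(stage2_id, stage2) if i}
    by_payload, by_campaign = defaultdict(set), defaultdict(set)
    for url in list(stage3) + list(stage4):
        host = urlsplit(refang(url)).hostname
        key = beacon_key(url)
        if key in ids:
            by_payload[key].add(host)
        tag = campaign_tag(url)
        if tag:
            by_campaign[tag].add(host)
    return dict(by_payload), dict(by_campaign)

# Constructed subset of the page's lists (still defanged).
STAGE2 = [
    "https://s3[.]amazonaws[.]com/js-cache/18b181560802361ac2%5B.%5Djs",
    "https://s3[.]amazonaws[.]com/cashe-js/143e7cdebf193d2764%5B.%5Djs",
    "https://s3[.]amazonaws[.]com/jscript-files/20d8758f26eaa9dcdd[.]js",
]
STAGE3 = [
    "https://pagevalidation[.]space/optout/set/lt?jsonp=__twb_cb_947436491&key=18b181560802361ac2&cv=49513&t=1530647524352",
    "https://dataprovider[.]website/offers/www%5B.%5Dblsac%5B.%5Dorg%5B.%5Djs?subid=51847_5182_",
    "https://profflinkgo[.]com/optout/get?jsonp=__twb_cb_674296444&key=143e7cdebf193d2764&t=1557110240555",
    "https://profflinkgo[.]com/metric/?mid=&wid=51847&sid=&tid=5182&rid=LAUNCHED&t=1557110235981",
    "https://datapro[.]website/optout/get?jsonp=__twb_cb_843449528&key=20d8758f26eaa9dcdd&t=1557513837408",
    "http://cdnswf[.]xyz/offers/swananda[.]org[.]js?subid=51317_4466_",
    "http://worldnaturenet[.]xyz/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=51317x4466x&r=3",
]
STAGE4 = [
    "http://loadsource[.]org/91a2556838a7c33eac284eea30bdcc29/validate-site[.]js?uid=51824x5953x&r=1535695315903",
    "http://linkredirect[.]org/api?key=6ad604c17a3c6e228ff6db3f03bc6a7e5eeee448&format=arrjs&uid=91a2556838a7c33eac284eea30bdcc29",
]

def demo():
    return correlate(STAGE2, STAGE3, STAGE4)

if __name__ == "__main__":
    by_payload, by_campaign = demo()
    for pid, hosts in by_payload.items():
        print("payload", pid, "->", sorted(hosts))
    for (wid, tid), hosts in by_campaign.items():
        print("campaign wid=%s tid=%s ->" % (wid, tid), sorted(hosts))
```

Run against a full export of the lists, the payload grouping tells you which Stage 2 script a given beacon came from, and the campaign grouping ties an /offers injection, its /metric beacons and the validate-site.js loader to one (wid, tid) pair even when they hit different domains.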

Other Domains of Interest:

http://extore[.]space/inspire/agkicnjkbankpckaomnhfjglafjcegkk/
http://extore[.]space/crx_patched/agkicnjkbankpckaomnhfjglafjcegkk/2[.]2[.]zip?md5=iGw3pemtfMtCjn9UeegaM

Lnkr domain IOCs (consolidated list):

actextdev[.]com
appmakedev[.]xyz
browfileext[.]com
bugdepromo[.]com
caplinkff[.]com
cdnanalytics[.]xyz
cdnnetwok[.]xyz
cdnnetwork[.]xyz
clicksource[.]cool
cloffext[.]com
comthelink[.]xyz
contendevff[.]com
coolpagecup[.]com
cupdevlink[.]xyz
dataanalytic[.]biz
dataprovider[.]website
devappgrant[.]space
devappstor[.]com
domainanalyzing[.]xyz
eluxer[.]net
evenffext[.]com
extcoolff[.]com
extcoolmake[.]xyz
extnetcool[.]com
extnotecat[.]com
flowanalytic[.]site
glganltcs[.]space
glgnltks[.]xyz
groproext[.]com
higedev[.]cool
infoanalytics[.]tools
keysformapp[.]com
lancheck[.]net
licupexthis[.]com
linkpowerapp[.]com
loadsource[.]org
lokimtogo[.]xyz
makesource[.]cool
manextdev[.]com
medownet[.]xyz
metrext[.]com
mixappdev[.]com
modelwork[.]org
netanalitics[.]space
netanalyzer[.]space
networkanalytics[.]xyz
nextextlink[.]com
nexttextlink[.]com
nowexttype[.]com
onlinekey[.]biz
pageanalytics[.]space
pagescr[.]cool
pagevalidation[.]space
poplinkapp[.]xyz
primalsuper[.]com
printapplink[.]com
privextlink[.]com
profflinkgo[.]com
promclickapp[.]biz
promfflinkdev[.]com
promlinkdev[.]com
proxdevcool[.]com
scrbizim[.]xyz
serenityart[.]biz
signagetop[.]org
sourcelog[.]cool
spedcheck[.]space
spidtest[.]space
srvvtrk[.]com
statcounter[.]biz
statsrc[.]cool
statvalidation[.]website
supplyroute[.]co[.]kr
trafficpage[.]cool
trafficvalidation[.]tools
untsorce[.]cool
validcdn[.]xyz
windinspext[.]com
workapplink[.]com
workdevapp[.]com
worksrc[.]cool
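To use lists like the ones above in a SOC they have to be refanged (IOC lists circulate with [.], [dot] and the URL-encoded %5B.%5D that appears when [.] is pasted into a URL field) and then matched against proxy or DNS logs. The following Python is an added example, not code from the original post: it loads a small excerpt of the lists, treats s3.amazonaws.com as shared infrastructure that may only be matched on the full object URL rather than by host name, matches the other entries by domain (subdomains included), and adds host-independent signatures for the URL shapes that recur in the Stage 3 and Stage 4 entries, so a new domain using the same loader paths is still flagged. The log lines and their timestamp/client/method/URL layout are constructed for the example.

```python
"""Match proxy-log URLs against the Lnkr IOC lists above.

Added example, not code from the original post. IOC_TEXT is a small excerpt of
the page's lists, LOG_LINES are constructed, and the log layout
(timestamp client method url) is an assumption.
"""
import re
from urllib.parse import urlsplit

# IOC lists are defanged with "[.]", "[dot]" or the URL-encoded "%5B.%5D"; undo all three.
def refang(s):
    return re.sub(r"\[(?:\.|dot)\]|%5B\.%5D", ".", s, flags=re.IGNORECASE)

# Hosts shared with legitimate traffic: match only on the full URL, never on
# the host alone (assumption: S3 is the only shared host in the lists).
SHARED_HOSTS = {"s3.amazonaws.com"}

IOC_TEXT = """
actextdev[dot]com
dataprovider[dot]website
statcounter[dot]biz
https://s3[.]amazonaws[.]com/js-cache/18b181560802361ac2%5B.%5Djs
http://cdnswf[.]xyz/addons/lnkr5%5B.%5Dmin%5B.%5Djs
"""

def load_iocs(text):
    """Return (domains, urls). URLs are stored without scheme so http and https both match."""
    domains, urls = set(), set()
    for line in text.splitlines():
        line = refang(line.strip()).lower()
        if not line:
            continue
        if "://" in line:
            p = urlsplit(line)
            urls.add(p.netloc + p.path + ("?" + p.query if p.query else ""))
            if p.hostname not in SHARED_HOSTS:
                domains.add(p.hostname)
        else:
            domains.add(line)
    return domains, urls

# URL shapes shared by the Stage 3 / Stage 4 entries above, independent of host name.
SIGNATURES = [
    ("lnkr loader script", re.compile(r"/addons/lnkr(?:5|30_nt)\.min\.js")),
    ("optout jsonp beacon", re.compile(r"/optout/(?:set/\w+|get)\?jsonp=__twb_cb_\d+&key=[0-9a-f]{18}")),
    ("metric beacon", re.compile(r"/metric/\?mid=[0-9a-f]*&wid=\d+&sid=&tid=\d+&rid=[A-Z_]+")),
    ("validate-site loader", re.compile(r"/[0-9a-f]{32}/validate-site\.js\?uid=\d+x\d+x&r=\d+")),
    ("filter-domains lookup", re.compile(r"/filter-domains\?stub=\d+&domains=")),
    ("offers injection", re.compile(r"/offers/[^/?]+\.js\?subid=\d+_\d+_")),
]

def classify(url, domains, urls):
    """List every reason a URL is suspicious; an empty list means no indicator hit."""
    u = urlsplit(url.lower())
    host = u.hostname or ""
    reasons = []
    bare = u.netloc + u.path + ("?" + u.query if u.query else "")
    if bare in urls:
        reasons.append("url: " + bare)
    # A listed domain matches itself and any subdomain.
    for d in domains:
        if host == d or host.endswith("." + d):
            reasons.append("domain: " + d)
            break
    for name, rx in SIGNATURES:  # run on the original case: rid= values are upper-case
        if rx.search(url):
            reasons.append("signature: " + name)
    return reasons

def scan(log_lines, domains, urls):
    """Return [(line_no, url, reasons)] for every log line that hits at least one indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue
        reasons = classify(fields[3], domains, urls)
        if reasons:
            hits.append((n, fields[3], reasons))
    return hits

# Constructed log lines: timestamp, client, method, URL.
LOG_LINES = [
    "2019-05-10T20:03:57Z 10.0.0.5 GET https://www.youtube.com/watch?v=dQw4w9WgXcQ",
    "2019-05-10T20:03:58Z 10.0.0.5 GET https://s3.amazonaws.com/js-cache/18b181560802361ac2.js",
    "2019-05-10T20:03:58Z 10.0.0.5 GET https://s3.amazonaws.com/example-bucket/app.js",
    "2019-05-10T20:03:59Z 10.0.0.5 GET https://datapro.website/metric/?mid=&wid=52529&sid=&tid=8408&rid=LAUNCHED&t=1557513837403",
    "2019-05-10T20:04:00Z 10.0.0.5 GET http://cdn.dataprovider.website/addons/lnkr5.min.js",
    "2019-05-10T20:04:01Z 10.0.0.7 GET https://statcounter.biz/counter.js",
]

def demo():
    domains, urls = load_iocs(IOC_TEXT)
    return scan(LOG_LINES, domains, urls)

if __name__ == "__main__":
    for n, url, reasons in demo():
        print(n, url, reasons)
```

Note that the fourth log line is caught only by the metric-beacon signature because datapro.website is not in the excerpt; that is the case the signatures exist for, since the actor rotates domains faster than lists are updated. The third line, a different object on the same S3 host, is correctly left alone.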

If you have any other IOCs related to Lnkr, please feel free to share them with us.
