Monday, September 25, 2017

Equifax Hack #2 - Binary Cookies

Binary Cookies

BinaryCookies is a file (sometimes) found in the Library/Cookies folder. Research indicates the breach occurred in Nashville. Traffic for an AI-created website (with direct help from live hackers), or network of sites, was routed through Chicago using IP address (in one recorded instance), registered through Fastly (based in Illinois). Firefox overlaying Safari from a Linux/Android device using a Windows Server, installed clandestinely on this workstation or another on the network, appears to have been employed in this operation, though this may also simply be a record of a chain of intrusions (possibly by more than one intruder) using various devices. This event occurred prior to "TigerX Migration Successful" being found in at least one file, possibly accomplished through _launchservicesd (hidden user).

Original intrusion may have originated out of Fort Worth, TX on July 12-13, 2017.  A Charter Communications account, registered under the name of a contractor who may or may not be aware of the incident, was opened at an empty, residential home (for sale) on this date.  Most, if not all, affected files connected to the Equifax breach (found so far) have a July 12 or 13 timestamp.

An HSTS.plist file similar to the following (in part) was also present in the Library/Cookies directory:

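HSTS.plist is a binary property list (`bplist00`), so opening it as text shows each hostname with a stray marker character in front of it. The following added example (not part of the original post) parses such a file with Python's `plistlib` and shows where those marker characters come from; the sample file, its key names and its layout are constructed for illustration and are not Safari's actual schema.

```python
import datetime
import plistlib
import re

# Lowercase-only hostname pattern, so mixed-case bookkeeping keys are not mistaken for hosts.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

def walk(node):
    """Yield every (key, value) pair of every dict nested anywhere in the plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)

def hsts_hosts(raw):
    """Parse a property list and return {hostname: stored entry}."""
    try:
        root = plistlib.loads(raw)
    except plistlib.InvalidFileException as exc:
        raise ValueError("not a parseable property list") from exc
    return {k: v for k, v in walk(root) if isinstance(k, str) and HOST_RE.match(k)}

def marker_before(raw, host):
    """Return the bplist00 marker character that introduces an ASCII string.
    Lengths under 15 use one byte, 0x50 | length; longer strings use 0x5F ('_')
    followed by a two-byte integer object holding the length."""
    i = raw.index(host.encode("ascii"))
    return chr(raw[i - 1]) if len(host) < 15 else chr(raw[i - 3])

# Constructed sample: key names and layout are assumptions, not Safari's schema.
ENTRY = {"created": datetime.datetime(2017, 1, 1, 9, 0), "include_subdomains": True}
SAMPLE = plistlib.dumps(
    {"schema-version": 1,
     "session": {"example.com": dict(ENTRY), "www.example.org": dict(ENTRY)}},
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for host, entry in sorted(hsts_hosts(SAMPLE).items()):
        # First column is the character a text viewer shows before the host.
        print(marker_before(SAMPLE, host), host, entry)
```

To inspect a real file, pass its bytes (`open(path, "rb").read()`) to `hsts_hosts` in place of `SAMPLE`.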

Cookies generated through a variety of methods, mostly including GoogleAPIs, further redirect URL traffic and make changes to the user's surfing experience.  The most dramatic attack occurred after visiting the TigerSwan site, a domestic (and Federally-funded) terrorist group used by oil companies during the Standing Rock pipeline protest.

Some sources have tied the Equifax Breach to a CIA base in the UK. Operatives may have then used proceeds to invest in Canadian energy stocks after funneling the money through a number of world banks to Bitcoin. While the latter is demonstrable through such files as that above, the former has not been confirmed by this author (at this time).

No US authorities, at any level, have contacted me regarding the Equifax breach, Sakula outbreak throughout the South (North America), or any other issues being discussed.  All evidence indicates the Equifax breach, and similar criminal activity, is being conducted by actors with Federal clearance and access -- actors such as (and including) TigerSwan and similar mercenary groups -- known as "Federal Defense Contractors" working in "Extra-Judicious" (above, or outside of, the constraints of Law) capacity.  The actors responsible for the Equifax Breach will have military backgrounds, and may be active service members, with direct ties to government organizations at the State and Federal level. 

At least one major, paramilitary contractor is operating in and around the Decatur County, TN area.  This "Neo-Confederate hate group" (a cover, or "front") appears to have direct ties to either the DOD or DHS, and may be receiving funding from these branches of the US government that often outsource their domestic terrorist efforts, known colloquially as "gangstalking."  

Sakula malware is known to be a preferred methodology of the US government.

© Copyright 2017, The Cyberculturalist
