{"id":17331,"date":"2020-01-02T19:40:06","date_gmt":"2020-01-03T03:40:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/02\/news-11067\/"},"modified":"2020-01-02T19:40:06","modified_gmt":"2020-01-03T03:40:06","slug":"news-11067","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/02\/news-11067\/","title":{"rendered":"DeathRansom Part II: Attribution"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Introduction<\/h2>\n<p>FortiGuard Labs recently discovered an ongoing DeathRansom malicious campaign. Our first <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/death-ransom-new-strain-ransomware.html\">blog<\/a> on this new variant was devoted to a technical analysis of the samples that had been gathered. In this second part, we will try to shed light on how this DeathRansom campaign is connected with other campaigns, and who might be behind them.<\/p>\n<h2>False Scent and Connections with Vidar Stealer<br \/> <i style=\"font-weight: 700;\">False Language Lead<\/i><\/h2>\n<p>We start our investigation with the sample 13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1, which was mentioned in our previous blog. This sample has debug paths, but we could not recognize the language used. In addition, it has nine resources, with a LANG_SLOVAK identifier constant (0x041B) in the resource section. 
This means that the sample could have been compiled on a machine with Slovak installed as the default language.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image.img.png\/1577484678594\/deathransom-two-one.png\" alt=\"Figure 1: A debug path inside the sample\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: A debug path inside the sample<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1660729560.img.png\/1577484727073\/deathransom-two-two.png\" alt=\"Figure 2. Part of the .rsrc section of the sample\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Part of the .rsrc section of the sample<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We tried to translate a PDB path from Slovak by splitting the words in different ways and then feeding the results to various automatic translation services. However, none of these attempts led to a correct translation. 
In fact, the word \u201cduzuk\u201d was recognized by Google Translate not as Slovak, but as Basque (for the English \u201cyou have\u201d).<\/p>\n<p>A Basque word was an intriguing lead, since this sample was downloaded from a domain in the <i>.es<\/i> domain zone (Spain). We believe that this domain was hacked, therefore we will not disclose the domain name here.<\/p>\n<p>The name of the sample was also interesting: <i>Wacatac_2019-11-20_00-10.exe<\/i>. The word \u201cWacatac\u201d can be translated from Basque in several different meaningful ways, so we decided to dig deeper.<\/p>\n<p>Since the file name has a clearly distinguishable name-date-time construction, we decided to search for this pattern among all known files. Nine files were found. Their details are provided in Figure 3.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_2055722721.img.png\/1577484784407\/deathransom-two-three.png\" alt=\"Figure 3. A part of our investigation table\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. A part of our investigation table<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Again, we were a little disappointed: the resource language IDs were changed from Nepali to Slovak, then to Neutral, then back to Slovak at a very fast pace. In addition, the debug paths look like machine-generated gibberish rather than any paths a human programmer would use.<\/p>\n<p>Therefore, we had to conclude that the Basque trace was just a coincidence. However, the Slovak and Nepali traces are not. 
Most probably, they were intentionally inserted to mislead potential investigators.<\/p>\n<h2>Bitbucket Profile<\/h2>\n<p>In spite of these disappointments, these new samples also gave us an important clue. One of the samples shown on Figure 3 was downloaded not from the hacked .es site, but from a different URL:<\/p>\n<p>hxxp:\/\/bitbucket[.]org\/<b>scat01<\/b>\/1\/downloads\/Wacatac_2019-11-16_14-06.exe<\/p>\n<p>The link was not accessible, and neither was the <i>scat01<\/i> profile itself:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_873016790.img.png\/1577484920390\/deathransom-two-four.png\" alt=\"Figure 4. Bitbucket message shown on an access attempt to the scat01 profile\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Bitbucket message shown on an access attempt to the scat01 profile<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Nevertheless, when we searched for other malicious samples which attempted to access this Bitbucket directory, we found an interesting connections log from May 2019. The sample was related to the Vidar stealer malware family.\u00a0<i><\/i><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1680547606.img.png\/1577484994433\/deathransom-two-five.png\" alt=\"Figure 5. 
A part of a connections log for the Vidar sample\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. A part of a connections log for the Vidar sample<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The name pattern has an obvious resemblance to our <i>Wacatac <\/i>sample:<\/p>\n<p><i>Wacatac_2019-11-20_00-10.exe<\/i><\/p>\n<p><i>scat01_2019-05-20_06-13.exe<\/i><\/p>\n<p>Next, we decided to search among the connections logs for a connection by the URL mask<\/p>\n<p><i>bitbucket[.]org\/scat01\/*<\/i><\/p>\n<p>One of the connections logs found on VirusTotal is shown on Figure 6 (sample dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1082987655.img.png\/1577485055842\/deathransom-two-six.png\" alt=\"Figure 6. Contacted URL via a fresh malicious sample \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. Contacted URL via a fresh malicious sample <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Let\u2019s now analyze these connections. The connections shown in the green frame should be familiar to anyone who has dealt with Vidar stealers, as they are standard Vidar libraries used to extract passwords from different browsers.<\/p>\n<p>The connection shown in the red frame is an attempt to access an executable file with another <i>Wacatac<\/i> name. 
Unfortunately, this link was not accessible during the Vidar sample sandbox analysis, therefore we don\u2019t have a <i>Wacatac_2019-11-16_17-03.exe<\/i> sample.<\/p>\n<p>Nevertheless, as you may remember from our first blog, DeathRansom uses the name \u2018Wacatac\u2019 to store crypto keys in a registry. Therefore, we have strong reason to believe that the inaccessible <i>Wacatac_2019-11-16_17-03.exe<\/i> sample was another DeathRansom variant.<\/p>\n<p>Therefore, based on the same \u201cmalware hosting\u201d, the same name pattern, and the fact that the Vidar sample tried to download a DeathRansom sample, we can conclude that the Vidar campaign and the DeathRansom campaign are run by the same actor, who uses <i>scat01 <\/i>as a Bitbucket profile name as well as a name for some malware samples.<\/p>\n<p>We decided to dig deeper and see what could be found about this <i>scat01<\/i>.<\/p>\n<h2>Following scat01<\/h2>\n<p>We started to look for fresh malware containing the string <i>scat01 <\/i>in it. Here is a short summary of our findings:<\/p>\n<ul>\n<li>One of the samples we found was the \u201c<b>Azorult<\/b>\u201d stealer malware that connects to a C2 server \u201c<i>scat01[.]tk<\/i>\u201d. a45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284<\/li>\n<li>We also managed to find a C2 panel of \u201c<b>1ms0rryStealer<\/b>\u201d with the name <i>scat01<\/i> in the Benkow \u201cPanel Tracker\u201d service:\u00a0<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_175675213.img.png\/1577485169098\/deathransom-two-seven.png\" alt=\"Figure 7. Archived record of the stealer control panel\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. 
Archived record of the stealer control panel<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>The most important sample was found here:<br \/> <i>hxxp:\/\/gameshack[.]ru\/<b>scat01.exe<\/b><\/i><br \/> e767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06<br \/> This sample is a non-obfuscated Evrial stealer. When we check its configuration, we see the following \u201cOwner\u201d field:<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1152771513.img.png\/1577485253183\/deathransom-two-eight.png\" alt=\"Figure 8. Malware owner field\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Malware owner field<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The last sample was downloaded from the root folder of the website <i>gameshack[.]ru<\/i>. This could mean that the attackers somehow control this webserver. Therefore, we decided to see what else could be found on it.<\/p>\n<h2>Gameshack[.]ru Portal<\/h2>\n<p>We found many malicious samples that were downloaded directly from the root folder of Gameshack[.]ru. 
We decided to analyze all available samples and extract any information that could help us in our investigation.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1789906695.img.png\/1577485364990\/deathransom-two-nine.png\" alt=\"Figure 9. Malicious samples downloaded from \u201cgameshack[.]ru\u201d (according to VirusTotal)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Malicious samples downloaded from \u201cgameshack[.]ru\u201d (according to VirusTotal)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The malware samples \u201chosted\u201d on the <i>gameshack[.]ru<\/i> website were downloaders. This means that their purpose was to download a payload and run it. The main payload was of two types:<\/p>\n<ul>\n<li>Evrial stealer;<\/li>\n<li>Miner+Clipper+Stealer (Supreme miner).<\/li>\n<\/ul>\n<p>The Evrial stealer samples were not obfuscated and contained the same \u201cOwner\u201d field \u2013 \u201c<b>scat01<\/b>\u201d.<\/p>\n<p>The Supreme miner samples were obfuscated by \u201cNULL SHIELD\u201d (Confuser variant) and had an e-mail embedded: <b>vitasa01[@]yandex.ru<\/b>.<\/p>\n<p>Figure 11 shows part of the strings from the miner \u201cSupreme.exe\u201d (sample 1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251). 
This miner also had the Evrial stealer inside its body:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1913758157.img.png\/1577485625866\/deathransom-two-ten.png\" alt=\"Figure 10. Strings from the miner\u2019s part of the malware\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. Strings from the miner\u2019s part of the malware<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you can see, this sample uses the same <i>iplogger<\/i> service for counting the infected hosts as the DeathRansom samples (see our recent blogpost for details.)<\/p>\n<p>The Evrial stealer inside has the same \u201cscat01\u201d ownership:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1311260959.img.png\/1577485671786\/deathransom-two-eleven.png\" alt=\"Figure 11. Strings from the Evrial stealer\u2019s part of the malware\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. 
Strings from the Evrial stealer\u2019s part of the malware<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you can see, the website \u201c<i>gameshack[.]ru<\/i>\u201d is controlled by the attackers, and they use it to distribute malicious samples with <i>scat01<\/i> attribution strings inside.<\/p>\n<p>Here is a short summary of the information about the attackers that we have found so far, starting with the malware families associated with them:<\/p>\n<ul>\n<li>DeathRansom<\/li>\n<li>Vidar stealer<\/li>\n<li>Azorult stealer<\/li>\n<li>Evrial stealer<\/li>\n<li>1ms0rryStealer<\/li>\n<li>Supreme miner<\/li>\n<\/ul>\n<p>As well as attribution info:<\/p>\n<ul>\n<li><b>scat01<\/b> nickname;<\/li>\n<li><b>vitasa01[@]yandex.ru<\/b> e-mail;<\/li>\n<li>control over <b>gameshack[.]ru<\/b>.<\/li>\n<\/ul>\n<p>It seems obvious that these attackers use a Russian email service and the Russian domain zone <i>.ru<\/i>. In addition, we must remember that DeathRansom performs a check for the system language, and it will not encrypt files if it detects a locale from an ex-USSR country.<\/p>\n<p>In addition, when we analyze the stealers used by this group, we find that they can be purchased on Russian underground forums. Therefore, we decided to continue our search there.<\/p>\n<h2>Russian Underground<\/h2>\n<p>Once we searched for \u201cscat01\u201d and \u201cvidar\u201d on the Russian underground forums, we found a person with the same nickname providing a review (in Russian) of the <b>Vidar stealer<\/b>:<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1378445219.img.png\/1577485915647\/deathransom-two-twelve.png\" alt=\"Figure 12. 
Feedback for Vidar stealer left by scat01\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. Feedback for Vidar stealer left by scat01<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We found another post left by <b>scat01<\/b> on another forum. This time it concerns the <b>Evrial stealer<\/b>. He is afraid that someone might access his logs from that Evrial stealer, as all the information goes to the malware seller\u2019s servers.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1410914963.img.png\/1577485964127\/deathransom-two-thirteen.png\" alt=\"Figure 13. Complaints of scat01 regarding Evrial stealer seller\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. Complaints of scat01 regarding Evrial stealer seller<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Another post with a review was found on another Russian underground forum. This time the review is for <b>Supreme miner<\/b>:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_96768699.img.png\/1577486011043\/deathransom-two-fourteen.png\" alt=\"Figure 14. Feedback for Supreme miner\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. 
Feedback for Supreme miner<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Moreover, a user with the same name was active on yet another Russian underground forum (from now on, we will refer to this underground forum as <i>Russian underground forum #4).<\/i> The user is currently banned for having multiple accounts with different names. Please pay attention to the profile picture used here.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1210770212.img.png\/1577486053847\/deathransom-two-fifteen.png\" alt=\"Figure 15. Scat01 profile on the Russian underground forum #4\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. Scat01 profile on the Russian underground forum #4<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Now, having found his\/her profiles on the underground forums, we next extended our search, comparing the information. One interesting piece we discovered is a product review on Yandex.Market \u2013 the same company that provides the email service in the @yandex.ru domain.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_840754103.img.png\/1577486173659\/deathransom-two-sixteen.png\" alt=\"Figure 16. 
Review for a purchase\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16. Review for a purchase<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the review there is no text (only a score), but we can see its location. The review was made from Aksay. Aksay is a small Russian town near <b>Rostov-on-Don <\/b>(we will come back to this clue a little later).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1160520038.img.png\/1577486229531\/deathransom-two-seventeen.png\" alt=\"Figure 17. Aksay on Google Maps\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17. Aksay on Google Maps<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Another important clue here is the username of the reviewer account: <i>vitasa01<\/i>. Therefore, it is highly probable that this reviewer has access to the email <i>vitasa01[@]yandex.ru,<\/i> which we have seen in previous malicious samples.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1735153404.img.png\/1577486291521\/deathransom-two-eighteen.png\" alt=\"Figure 18. 
Yandex username in the URL string<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Also, please pay attention to the picture used in this profile. It is the same picture shown in Figure 15. Therefore, we have a triple match:<\/p>\n<ul>\n<li>the profile picture;<\/li>\n<li>the current username;<\/li>\n<li>the Yandex username.<\/li>\n<\/ul>\n<p>At this point, we are pretty sure that this Yandex profile is related to the <i>scat01<\/i> profile we found on the <i>Russian underground forum #4<\/i>, as well as to the malware distributed from <i>gameshack[.]ru<\/i>. But how can we find the possible real identity of this author? We decided to see what info we could find about <i>gameshack[.]ru<\/i> itself.<\/p>\n<h2>Gameshack[.]ru Portal<\/h2>\n<p>We found an interesting YouTube channel that promotes the website <i>gameshack[.]ru<\/i>. The link to <i>gameshack[.]ru<\/i> is named \u201cour game portal.\u201d<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1277999487.img.png\/1577486548143\/deathransom-two-nineteen.png\" alt=\"Figure 19. 
YouTube channel advertising malicious website<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The username given here is \u201cSoftEgorka.\u201d \u201c<i>Egorka\u201d<\/i> is a diminutive for the Russian name \u201c<i>Egor.\u201d<\/i> The avatar picture also refers to <i>gameshack[.]ru<\/i>.<\/p>\n<p>Another interesting piece of information we found is a Skype link. In figure 20, you can see that it refers to the skype username <i>SoftEgorka:<\/i><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_666397075.img.png\/1577486615259\/deathransom-two-twenty.png\" alt=\"Figure 20. Skype link in the YouTube profile\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 20. Skype link in the YouTube profile<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When we searched for a \u201cSoftEgorka\u201d skype user, we found the following user profile on the same <i>Russian underground forum #4. <\/i>This time the username \u201cSuper info\u201d is used.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_2072074732.img.png\/1577486666634\/deathransom-two-twentyone.png\" alt=\"Figure 21. 
\u201cSuper info\u201d profile on the Russian underground forum #4\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 21. \u201cSuper info\u201d profile on the Russian underground forum #4<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The Skype address corresponds to the YouTube channel discussed above. The user states that he lives in <b>Italy<\/b>. Moreover, searching further for his messages, we found another confirmation that this could be true:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_947359037.img.png\/1577486714210\/deathransom-two-twentytwo.png\" alt=\"Figure 22. The actor claims that he\/she is from Italy\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 22. The actor claims that he\/she is from Italy<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>By digging further among <i>Super Info<\/i> posts, we found an announcement about game accounts sales (Steam, WoT, Origin). Here we should note that stealers observed above are capable of stealing passwords from different games and game distribution platforms. 
This is more indirect evidence that Super Info may be connected to the ongoing stealer campaign.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_826238619.img.png\/1577486767625\/deathransom-two-twentythree.png\" alt=\"Figure 23. A message with a WebMoney ID and the known skype link inside\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 23. A message with a WebMoney ID and the known skype link inside<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the contacts section of the sale, you can find \u201cSkype: SoftEgorka\u201d as well as the WebMoney ID <b>372443071304<\/b>. The same WMID is mentioned in another post from the same user, also related to Steam accounts for sale. This time, another Skype profile is mentioned: <b>nedugov99<\/b>.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_783389959.img.png\/1577486871527\/deathransom-two-twentyfour.png\" alt=\"Figure 24. 
A message with the same WMID and skype account nedugov99<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Searching again, this time for this new Skype ID, an old advertisement for the sale of a game account shows up:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_57532403.img.png\/1577486923866\/deathransom-two-twentyfive.png\" alt=\"Figure 25. Old advertisement of a game account for sale\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 25. Old advertisement of a game account for sale<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Here, we can see several important pieces of information:<\/p>\n<p style=\"margin-left: 40.0px;\">User name: undefined_Nedugov<\/p>\n<p style=\"margin-left: 40.0px;\">The skype id: <b>nedugov99<\/b><\/p>\n<p style=\"margin-left: 40.0px;\">The phone: +7951****311<\/p>\n<p style=\"margin-left: 40.0px;\">Vkontakte SNS id: <b>id154704666<\/b><\/p>\n<p>We checked the mobile phone number and it belongs to the <b>Rostov-on-Don<\/b> region.<\/p>\n<p>Next, we checked out the VK <b>id154704666<\/b> profile:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" 
src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_40320462.img.png\/1577487023610\/deathransom-two-twentysix.png\" alt=\"Figure 26. Vkontakte SNS profile of Egor Nedugov\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 26. Vkontakte SNS profile of Egor Nedugov<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The name \u201cEgor\u201d corresponds to one of the underground nicknames, \u201cSoft<b>Egor<\/b>ka,\u201d and the surname \u201cNedugov\u201d corresponds to the Skype account \u201c<b>nedugov99<\/b>\u201d. According to the profile, this individual lives in Rostov-on-Don. Remember that the Yandex review made by <i>scat01<\/i> was done from Aksay \u2013 a small town near Rostov-on-Don.<\/p>\n<p>And even more interesting, he is following (or maybe even administrating?) the \u201cGameshack[.]ru official group\u201d. The link to the same group is found in the YouTube profile shown in Figures 20-21.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_2084914192.img.png\/1577487141170\/deathransom-two-twentyseven.png\" alt=\"Figure 27. \u201cEgor Nedugov\u201d is following the malicious website VK group\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 27. \u201cEgor Nedugov\u201d is following the malicious website VK group<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Here an astute reader might ask: \u201cRostov-on-Don? 
But what about Italy, mentioned in Figures 21-22?\u201d To get an answer, we have to visit Egor\u2019s Instagram page:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1103210272.img.png\/1577487215450\/deathransom-two-twentyeight.png\" alt=\"Figure 28. Instagram account of Egor Nedugov\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 28. Instagram account of Egor Nedugov<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As we might learn from his Instagram and Facebook accounts, he indeed lived in Italy for some time.<\/p>\n<p>There is one more thing here. At this point in the investigation, we asked ourselves: \u201cWhat if <i>scat01<\/i> and <i>SoftEgorka<\/i> are different actors? The former compiles malware and the latter \u201chosts\u201d it on the Gameshack[.]ru portal?\u201d Obviously, we have connections via <i>gameshack[.]ru<\/i> and geographical connections, but what if they are simply friends who live in the same region?<\/p>\n<p>Well, we found yet another clue: the profile on <i>csgo-stats[.]net<\/i> is shown in Figure 29. The user with the username <i>scat01<\/i> names himself as <i>Egor<\/i> (Russian: \u0415\u0433\u043e\u0440). 
We must note that the name \u201cEgor\u201d is rare in Russia.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image_1958834419.img.png\/1577487304074\/deathransom-two-twentyninee.png\" alt=\"Figure 29. Scat01 profile on csgo-stats[.]net\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 29. Scat01 profile on csgo-stats[.]net<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We also found many other profiles of the same actor. According to information on underground forums, this person is responsible for account stealing, carding, malware distribution, and even the phishing and scamming of his forum mates. That is why nearly all his accounts on underground forums were eventually banned.<\/p>\n<h2>Conclusion<\/h2>\n<p>FortiGuard Labs established significant connections between the ongoing DeathRansom and Vidar malware campaigns. They share the same naming pattern and the same infrastructure. We also found evidence that a Vidar sample tried to download the DeathRansom malware.<\/p>\n<p>We believe that an actor with the nickname <i>scat01<\/i> could be responsible for the latest DeathRansom attack, as well as other malicious attacks. 
We also found evidence of strong Russian roots in the malware being distributed.<\/p>\n<p>Based on the evidence left on Russian underground forums, we were able to find a person who seems likely to be behind these malicious campaigns.<\/p>\n<h2>Solution<\/h2>\n<p>All samples mentioned in this article are detected by the FortiGuard antivirus engine:<\/p>\n<p>05b762354678004f8654e6da38122e6308adf3998ee956566b8f5d313dc0e029 &#8211; W32\/Kryptik.GYME!tr<br \/> 0cf124b2afc3010b72abdc2ad8d4114ff1423cce74776634db4ef6aaa08af915 &#8211; W32\/Kryptik.GYQI!tr<br \/> 13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1 &#8211; W32\/Kryptik.ANT!tr<br \/> 2b9c53b965c3621f1fa20e0ee9854115747047d136529b41872a10a511603df8 &#8211; W32\/GenKryptik.DYFO!tr<br \/> 4bc383a4daff74122b149238302c5892735282fa52cac25c9185347b07a8c94c &#8211; W32\/GenKryptik.DYBP!tr<br \/> 6247f283d916b1cf0c284f4c31ef659096536fe05b8b9d668edab1e1b9068762 &#8211; W32\/GenKryptik.DXWB!tr<br \/> 66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def &#8211; W32\/Kryptik.GYMH!tr<br \/> dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4 &#8211; W32\/GenKryptik.DXWQ!tr<br \/> f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b &#8211; W32\/GenKryptik.DXWH!tr<br \/> fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8 &#8211; W32\/Kryptik.GYQI!tr<br \/> a45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284 &#8211; W32\/Generic!tr.pws<br \/> e767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06 &#8211; MSIL\/Agent.QJH!tr<br \/> 1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251 &#8211; MSIL\/CoinMiner.AHY!tr<\/p>\n<p>The FortiGuard Web Filtering service blocks the following URLs as malicious: <\/p>\n<p>iplogger[.]org\/1Zqq77<br \/> bitbucket[.]org\/scat01\/\u00a0<br \/> scat01.mcdir[.]ru<br \/> gameshack[.]ru<br \/> 
scat01[.]tk<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-attribution\/_jcr_content\/root\/responsivegrid\/image.img.png\/1577484678594\/deathransom-two-one.png\"\/><br \/>In part two of our DeathRansom blog series, our FortiGuard Labs researchers try to shed light on how this DeathRansom campaign is connected with other campaigns, and who might be behind them.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17331","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17331"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17331\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17331"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}