The story of how Devin Nunes and other GOP candidates may have been compromised.
As we looked more closely at the domains assigned to the server still hosting the malicious code we found on Devin Nunes’s campaign website, devinnunes.net, a pattern emerged. It became clear that all the websites on this computer were associated with the Nebraska company Northstar Campaign Services. It also became clear that the malicious code we found was not an accident.
The Devin Nunes Server and Tracking the IP
We checked the IP address of the devinnunes.net server and found that it hosts at least one other website, northstarcampaigns.com. But, like devinnunes.net, that website has disappeared. Specifically, we get a “404” error when we try to navigate to it with a web browser. This means that the files that display the website have been removed from the server.
This IP address — 18.104.22.168 — belongs to a server provided by Microsoft’s Azure hosting service. VirusTotal shows us that there is another domain associated with this IP address, Drinkstocks.com.
What did we find when we browsed to drinkstocks.com? It directed us to another URL. An apparent login form for a site called ezpolitix.com.
The most recent Registrant for both of these domains is Andrew Northwall.
This is bizarre indeed. Why would a domain called drinkstocks.com redirect to the log-in page for a political site? We continued our investigation.
We next had a closer look at the domain northstarcampaigns.com. Surprisingly, five different IP addresses have hosted northstarcampaigns.com in the past two years. That means that the same IT team likely controls all these IP addresses and servers associated with them.
Surprise, it’s a virus
Looking at the IP addresses that had hosted this domain, one stood out — the server associated with the address 22.214.171.124. This IP address is associated with hosting service Cosentry. Cosentry is an entirely different hosting provider from the 126.96.36.199 IP address.
Cosentry hosted Northstarcampaigns.com previously along with a number of political-looking domains. But, what else did Cosentry host? Well according to VirusTotal, a very nasty virus file “calls home” to this server. So, a code running on other computers was programmed to communicate specifically with this server.
Let’s look at the viruses associated with this file.
What is this Trojan file and what is it capable of doing? McAfee describes this as a “trojan threat designed to steal data from victim’s system.”
One of the computers that recently hosted northstarcampaigns.com is serving malicious code disguised to look like a JPEG image file. Meanwhile, another computer that recently hosted northstarcampaigns.com is receiving communications from computers infected with an information-stealing Trojan Horse.
Two different computers, two different hosting providers. And both computers are associated with North Star Campaigns as well as some very nasty spyware.
This raises many questions. What is the company North Star Campaigns? How is North Star Campaigns associated with Devin Nunes? How is North Star Campaigns associated with EZPolitix? Who is behind all this?
Read Part I here.
Written by Unhackthevote