Month: February 2016

Phishing Sites at Myjino.ru

Here is what I found in our customers traffic: myjino[.]ru/ mc.yandex[.]ru/ wildblue-net-upd.myjino[.]ru/35c6cfba69650ab1fc8ff49f3bcb4532/db.php login.wildblue[.]net/ http://www.jino[.]ru/ account.jino[.]ru/ mc.yandex[.]ru/ mc.yandex[.]ru/ jino[.]ru/help/ Staring at traffic in a SIEM for hours each day you get really good at identifying patterns of traffic that look suspicious. Obviously not ALL traffic to Russian domains is an IOC. However, when you see an ...

A

A Brief History, and a Current Status, of the EITest Campaign

The EITest campaign isn’t anything new. In fact, Jérôme Segura from Malwarebytes wrote a detailed article about the this malware campaign in 2014. What he discovered was that this wasn’t your normal drive-by download as the campaign is using a Flash-based redirection mechanism. Below are three examples of compromised sites that I’ve found in the ...

E

EITest Gate at 85.93.0.32 Leads to Angler EK at 83.220.169.231

I found these GET requests in our customers traffic: zeboms[.]tk/show_content.php?fgpimk=lrsuk&id=4642B3AD8EB1331F63B111F171C670700DA304E3EFF16822032449944AB075E487805D one.theleadersummit[.]com/boards/viewtopic.php?t=0i3&f=o5aew38bpq8ca58engnpikp4ucvwuef5z9ej1ctm014keykgo-q773pf_ahi58p76yvzpoffylkdqe_-8k4eih0j03n2t-i1y Unfortunately for our analyst we don’t always get packets so we can’t easily locate the referer in every case. Typically the GET request for the compromised site is in the traffic surrounding the event. As you can see from the HTTP requests surrounding the ...

E

EITest Campaign at 85.93.0.32

IOCs: 85.93.0.32 – EITest Gate SHA256 1384b089c4524dd996a60f58ca1465bf89cd8f39e2711846ea394f14c4c87913 This isn’t going to be an extensive look into the EITest Campaign as Brad from Malware-traffic-analysis.net has already done great work on this subject. You can also check on my post here for more details. It is more or less an update in some activity I’ve been seeing ...

Another Spam Email Redirecting Host to Forskolin Pages

Email found in my inbox: Clicking on the link generated the following HTTP traffic:   As you can see this is the same sort of traffic I saw in my previous blog post. The redirect (lhdjzr[.]com/?c=wl) contains an obfuscated script that has been encoded and reversed. Once reversed, decoded and deobfuscated you can see how ...

Forskolin Spam Emails

I found these GET requests in our customers traffic, likely originating from spam emails: hxxp://gallipolicountryandsea[.]it/therfgds1.php hxxp://www.gallipolicountryandsea[.]it/therfgds1.php hxxp://dutbbc[.]com/?a=374762&c=wl_con&s=nw-404-1che What drew my attention to it at first was the .IT TLD, as well as this traffic seemed out of place in the context of this persons web browsing patterns. Furthermore, the two request to gallipolicountryandsea[.]it were resolving ...