Month: August 2016

A

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs: 50.97.68.34 – eddieoneverything.com – Compromised Site 138.68.18.73 – null.delayofgame.com – Afraidgate JS 5.2.73.124 – aqxsgncqro.anyoneshall.top – Neutrino EK HTTP requests URL: hxxp://95.85.19.195/data/info.php TYPE: POST URL: hxxp://188.127.249.32/data/info.php TYPE: POST URL: hxxp://dutluhnnx.info/data/info.php TYPE: POST URL: hxxp://kqudpyjbcd.biz/data/info.php TYPE: POST DNS requests dutluhnnx.info (69.195.129.70) afgmbssj.org vlrdkvkt.pw jybqbxjcwowph.xyz ggfwsvmnsunvb.work kqudpyjbcd.biz (58.158.177.102) TCP connections 95.85.19.195:80 188.127.249.32:80 69.195.129.70:80 58.158.177.102:80 Hashes: SHA256: ...

A

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs: 195.58.170.31 – skopikundlohn[.]at – Compromised Site 138.68.18.73 – crew.nbbgradstudents.com – Afraidgate JS 5.2.73.124 – kqccnxro.thatset.top – Neutrino EK 188.127.249.32 – POST /data/info.php – callback traffic 95.85.19.195 – POST /data/info.php – callback traffic Hashes: SHA256: 2cf21f333d42cd888e7f6020163a7af668ebafbe705475163bced6a49f1a0550 File name: crew.nbbgradstudents.com.js SHA256: 26feb600f68f086bad98105c114c6d8703a2feda1a58d8adb7cf21a4fd22c1b9 File name: Neutrino EK Landing Page.htm SHA256: 2ed2853579cfaceb90d064de061aedfee2f958d4125724a86cf5707029d5332b File name: Neutrino EK SWF Exploit.swf ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs: 181.224.139.64 – stjoeschool[.]org – Compromised Website 74.208.161.160 – besucador.me-audio.co.uk – Neutrino EK 85.14.243.9 – CryptMIC post-infection traffic via TCP port 443 Hashes: SHA256: f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327aec53952d0f File name: Neutrino EK Landing Page.html SHA256: 43db664f321a9ad0b4413f8bfff65e776fa052f278bb902156d6ccedf16d7bd4 File name: Neutrino EK SWF Exploit.swf SHA256: 35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6 File name: rad050CF.tmp.dll So again we find that the pseudo-Darkleech campaign has been leading ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs: 181.224.138.165 – etratech[.]com – Compromised Website 74.208.161.160 – spuitvissen.mycasemanager.co.uk – Neutrino EK 85.14.243.9 – CryptMIC post-infection traffic over TPC port 443 Hashes: SHA256: 3f8bedcc1f738469b7fae7446387aeeb5b4e1b8f1b5bb810a155be25fb148410 File name: Neutrino EK Landing Page.html SHA256: bc2f96dbdca32491b5966fcf4ee22bda4ad25c5abcb660780ce7baddc2e00d2c File name: Neutrino EK SWF Exploit.swf SHA256: dc5a6e8098e30ee0d2fad66dd038ca76801e70d82db36903db7040b9c2cb3f05 File name: rad63FC3.tmp.dll Infection chain is pseudoDarkleech campaign to Neutrino EK to CryptMIC ransomware. ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.192.10 Which Drops CryptMIC Ransomware

IOCs: 216.58.216.99 – moanavoyage.org – Compromised Site 74.208.192.10 – biodynaaminen.pahiremidlands.co.uk – Neutrino EK 85.14.243.9 –  CryptMIC post-infection traffic over TCP port 443 Hashes: SHA256: 44ea0ce673f1c5cd0637a2212d2b9370e9cffc8487ce96209c8fae3236461170 File name: Neutrino EK Landing Page.html SHA256: 373c2de51a57012eb0b9f212caff5442b6107e35040f13ff2dd180d74d54b335 File name: Neutrino EK SWF Exploit.swf SHA256: 49c845bf2371b515b71787464e7225a76bbb3724b92bc9a80fad843eba6d9b69 File name: radE41AE.tmp.dll This is another typical pseudo-Darkleech to Neutrino EK infection chain. Below ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.192.13 Which Then Drops CryptMIC Ransomware

IOCs: 72.10.49.22 – ionedds.com – Compromised Site 74.208.192.13 – arkisempaa-mycobutin.smoothbadger.uk – Neutrino EK 85.14.243.9 – Post-infection CryptMIC callback traffic over TCP port 443 Hashes: SHA256: c2e931c5b81ecc0cb617f7e9ebf20e7626f2dee496e6f0e1e65bc19eb42a365c File name: Neutrino EK Landing Page SHA256: 0a42e068479e729d295a0d5e9505d7e291c201d557e315f5327e009455ea81df File name: Neutrino EK SWF Exploit SHA256: ca7a59c4a6106e1f74f7519250c19e1bf48ea0aeed2cdf22b0a4715f0a858b81 File name: rad7318C.tmp.dll – Payload in %APPDATA% The infection chain starts with a ...

E

EITest Gate at 85.93.0.110 Leads to Rig EK at 178.32.92.122 and Drops Vawtrak

IOCs: 88.208.252.222 – cam-machine.com – Compromised Website 85.93.0.110 – focecu.xyz – EITest Gate 178.32.92.122 – eeuo5tu8.top – Rig EK 108.61.99.79 – GET /module/d1967c99c0c7f9b468f2e08e59e41ffe GET /module/311ac29c5a8f6b4e7a247db98207fd6e GET /module/96df1c84c7fb13e880e399f9627e0db0 GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d GET /module/a104f2955999a2f1a1c881e8930b82f6 Post-Infection DNS Queries resolving to 91.235.129.178: zmluvsfe.com machinabat.pw baltolux.bid twoggis.bid Post-Infection DNS Queries resolving to 185.4.67.154: chanpie.pw zoomir.bid buhnuti.bid wermoo.pw DNS standard query responses ...

E

EITest Gate at 85.93.0.13 Leads to Rig EK at 109.234.38.67 Which Drops Cerber Ransomware

IOCs: 85.93.0.13 – kavafo.xyz – EITest Gate 109.234.38.67 – qw.thesleepdoctormattress.com – Rig EK 162.250.144.215 – ip-api.com – GET /json – IP Check 115.28.36.224 – http://www.doswf.com – Associated with Rig EK Flash Exploit 91.223.89.201 – Decryptor Site – Associated Files 148.251.6.214 – btc.blockr.io – Associated with BitCoin Information 31.184.234.0/24 and 31.184.235.0/24 via UDP port 6892 Hashes: ...

A

Afraidgate Leads to Neutrino EK at 176.31.223.167 Which Drops Locky Ransomware

IOCs: red.kamyuenenterprise.hk – JS Redirect – 138.197.128.173 vsjgvbaz.anythingwork.top – Neutrino EK – 176.31.223.167 194.67.210.183 POST /php/upload.php – Locky post-infection callback traffic Hashes: JS file: 049add46d0a527b50a605573c98330ceabaf533559f06e6fc4795cf6ca326bc1 Neutrino EK landing Page: 2bf38bb619b4c89f39356b5e1dac87ffd013e1aefb95617b3d015a5f74856757 Neutrino EK Flash Exploit: fbf67ebbf326ec0b6379d5461b3893eb864fc6c346f71c93a467e90e8aea3354 Neutrino EK Locky Payload: 542209ebd40928a0b4e016fcdd0813f3444dbf139ae3adfc194843abeacdf1fd Visiting the compromised site and looking at the source code I found a script within the HTML tags ...

Phishing For Passwords via FormBuddy.com

Most InfoSec professionals have heard of “layer 8” as the unofficial layer of the OSI Model. For those of you that don’t know Layer 8 refers to people. Meaning, no matter how good your security posture there is always that very predictably unpredictable and unpatchable vulnerability known as the user. It is often easier to ...