Month: November 2016

3

302 Redirects from Traffic Distribution System Led to RIG-V EK at 194.87.238.156. Dropped Downloader & “XKeyScore” Keylogger

IOCs: GET /in/traf/ – 302 redirect via port 18001 (BossTDS port) GET /boom/mix.php – 302 redirect via port 18001 (BossTDS port) 194.87.238.156 – try.uludan.com – Rig-V EK (landing page, Flash exploit, and payload) 111.221.47.162 – POST /faa38820fa/dd6c45917a/d23d3e97c0/chat.php – Base64 encoded data being POSTed back 188.40.248.71 – GET /~mysuperp/crypt2_7038.exe – Additional malware downloaded 91.107.108.124 – POST ...

E

EITest Leads to Rig EK at 70.39.114.242

IOCs: 192.185.36.129 – hwcollectorsnews.com – Compromised website 70.39.114.242: rm96.ppw0u8za.top – Rig EK (1st run – failed) fw61yxp.wlj92st.top – Rig EK (2nd and 3rd run) k81qe.m1s5xy1u1.top – Rig EK (4th run) Post-infection DNS queries for VitaeTortorVitaesUsciPit.us (created on 11-3-16) Query responses = server failure Traffic (1st – 4th run, in that order): Hashes: SHA256: 8167b2d11e4123bcb5ffb1d7d2852dd7b72aa8d5188005dd428274adaea33bde File ...

M

Malspam Contains WSF, Downloads Locky (.thor) (/linuxsucks.php)

IOCs: 93.185.104.25 – bestline.cz – GET /76vvyt?cFqotowK=rUUwhHw 37.153.89.141 – carmenortigosa.com – GET /76vvyt?cFqotowK=rUUwhHw 108.163.209.27 – decactus.cl – GET /76vvyt?cFqotowK=rUUwhHw 194.1.239.152 – POST /linuxsucks.php 51.255.107.20 – POST /linuxsucks.php 194.28.87.26 – POST /linuxsucks.php Traffic: DNS Requests: Domain IP Address Country iyemdymjdev.pl qcatgljdsgfvcqq.pw pllyggakgcuto.org moyihqyicfciqf.ru mygyylys.biz uxwamyckkeyfndcrg.xyz odysdabvtgvjqguls.pw bestline.cz 93.185.104.25 Czech Republic decactus.cl 108.163.209.27 United States hrogqamrchfj.info qsrxtej.info ...

&

“Urgent Payment Request” Malspam Leads to Locky (.thor) (/message.php)

IOCs: 185.17.41.83 – dx-team.org – GET /jhb6576?GChuOAtzYEq=GVUYNDbBRRE 69.195.129.70 – disvfthejnadoufh.biz – POST /message.php 176.103.56.119 – POST /message.php 109.234.35.230 – POST /message.php Traffic: DNS Requests: Domain IP Address Country xbgokbdvilnrlw.info cwvmkawujq.su ukyrrqcxd.su jkvhihqdaaoyd.org ihdteyhyewuaid.click bjbsbpmhlpwaxf.pl torproject.org 82.195.75.101 Germany ojxbkeexoqrbirtq.org bqpkcrxsx.su dx-team.org 185.17.41.83 Poland mwddgguaa5rj7b54.onion.to 185.100.85.150 Romania kcnwtdns.pw jyvityqhfggxicasf.pw mwddgguaa5rj7b54.tor2web.org 38.229.70.4 United States Hashes: SHA256: 9fd3e2fc50b2b44d174cb37964016ea0a12c2c8657a32ae6039c4fdc851e9be0 File ...

E

EITest Leads to Rig EK 185.141.26.72, 185.141.25.207 and 185.141.25.234

IOCs: 46.252.207.1 – amberhsu.com – Compromised site 185.141.25.207 – za95uur.ag0clk.top – Rig EK run #1 (blocked by ESET) 185.141.25.234 – h01wi.d7riwiu.top – Rig EK run #2 185.141.26.72 – gyu1f1.eowjl2.top – Rig EK run #3 222.206.156.2, 208.73.206.179, 23.108.245.93 – post infection DNS queries shown below. Domains resolving to the above IPs include: nitrrotetris.com monsterkillyep444.net blintyris.net lamerpamer.org ...

P

PushDo Checkin Traffic Update

I infected my computer with PushDo on Oct. 20, 2016, which you can read about HERE. I ran the computer again today and re-collected some callback traffic (ET TROJAN Backdoor.Win32.Pushdo.s Checkin). I’m adding this update because there were some new domains and IPs in the traffic. Below you will find an Excel sheet of the ...