All posts by malwarebreakdown

I infect hosts, find IOCs, and post them online.

HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot.

Network based IOCs 34.193.201.92 – arrassley.info – RoughTed domain 80.77.82.41 – heydrid-info – HookAds fake ad server 188.225.78.240 – RIG exploit kit 144.168.45.110 – Dreambot C2 52.2.59.254 – ipinfo.io – External IP lookup Post-infection DNS queries and additional post-infection traffic: resolver1.opendns.com 222.222.67.208.in-addr.arpa myip.opendns.com wdwefwefwwfewdefewfwefw.onion Hashes SHA256: ab4db9eff5259f56e1c9f21444b9b8024d8ce2ffc841e178b10b9a522a750c3c File name: heydrid.info pre-landing page.txt SHA256: b712653deece760b1b981c7d93da44e62b58630ce0bfd511a2d621672cc2f7d6 File ...

“Despicable” Malvertising Campaign Redirects to RIG EK at 188.225.77.106, Drops Chthonic Banking Trojan.

Read about the Despicable (aka Despicable .ME) malvertising campaign HERE. This infection chain resulted from me visiting a website that streams sporting events. Below is a partial and edited image of the malvertising chain being filtered in Wireshark: The host is redirected to adrunnr.com, which then redirects to done.witchcraftcash.com. done.witchcraftcash.com then redirects the host to the ...

Finding a Good Man: Part 2

Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/ Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/ It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...

“Despicable” Malvertising Campaign

Myself and a couple other coworkers stumbled across a malvertising campaign that I’ve playfully dubbed “Despicable” for its heavy use of the .ME TLD. So far, I haven’t found any public documentation about this campaign. Having said that, I wouldn’t be surprised if it was currently on other people’s radars. Background into the campaign Research ...

Seamless Malvertising Campaign Drops Ramnit from RIG EK at 80.93.187.194

Shout-out to thlnk3r‏ for giving me the referer! Using the referer qstoo.voluumtrk[.]com redirected my host to the Seamless gate at 193.124.89.196: The Seamless gate returns a “302 Found” that points to the RIG exploit kit landing page at 80.93.187.194: The Ramnit malware payload was dropped in %Temp% and then copied to %AppData% in the folder mykemfpi: There ...

RELST Campaign Delivering Pony, Downloads Chthonic.

On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there various references to “RELST” in the code: In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign that had redirected my host to RIG exploit ...

HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot

IOCs HTTP Traffic: Decoy site [hidden] – GET /popunder.php – Redirects to remainland.info 80.77.82.41 – remainland.info – GET /banners/uaps – Pre-landing page 194.87.93.114 – RIG EK 144.168.45.144 – GET /images/[removed]/.avi 144.168.45.144 – GET /tor/t32.dll – Tor module 35.166.90.180 – ipinfo.io – GET /ip – Checks your public IP address DNS Queries: resolver1.opendns.com myip.opendns.com Traffic: Hashes: SHA256: 732637809542bf1e174249104d2b1c88dc79da20862318a749accc052638b8f1 File name: ...

RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK.

On 06/03/17 I stumbled across a malvertising chain that led to RIG exploit kit. What was unusual about this malvertising chain is that it was also leading to a lot of social engineering scams. After some research I have discovered that it could be related to the “RoughTed” malvertising campaign. You can read more about ...

Seamless Campaign Still Redirecting to RIG EK and Dropping Ramnit. Follow-up Malware Dropped on the System is Smoke Loader (aka Dofoil & Sharik).

IOCs HTTP Traffic: 193.124.201.22 – GET /lol3.php 81.177.141.140 – need.aqadim.com – RIG EK (1st Run) VirusTotal report on 81.177.141.140 81.177.141.202 – RIG EK (direct IP used instead of subdomain) VirusTotal report on 81.177.141.202 118.127.42.199 – www[.]elitelockservice[.]com[.]au – GET /wp-content/themes/twentythirteen/RIG1.exe – Smoke Loader (2nd run) DNS Queries: atw82ye63ymdp.com – 188.93.211.166 (1st Run) hdyejdn638ir8.com – 134.0.117.8 (2nd ...

HookAds Campaign Leads to RIG EK at 188.227.74.169 and 5.200.52.203, Drops Dreambot

IOCs HTTP Traffic: Decoy site – GET /popunder.php 80.77.82.41 – goverheast.info – GET /banners/uaps? 80.77.82.41 – recenties.info – GET /banners/uaps? (second run) 188.227.74.169 – set.acceleratehealthcaretransformation.com – RIG EK VirusTotal report on 188.227.74.169 (shows full URLs) 5.200.52.203 – set.accumen.info – RIG EK (second run) VirusTotal report on 5.200.52.203 (shows full URLs) 144.168.45.144 – GET /images/[removed]/.avi 144.168.45.144 – ...