All posts by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Roboto Condensed Delivers Downloader Which Downloads a CoinMiner.

My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this. The pages presented to both Chrome and Firefox users can be seen below: Here is an image of the page source: The binary file, fontpackupd60.exe, is being hosted on a compromised website in the /plugins/ ...

Malvertising Leads to RIG EK and Drops Remcos RAT.

On 9/22/17, @thlnk3r had tweeted out images of an infection chain involving some malvertising and RIG exploit kit. Below is an image of the Tweet: One of the images seems to show a referer from PopCash.net, which is a popunder advertising network: The URI used by the popcash.net referer contains a base64/URL encoded string that ...

Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.

I decided to go hunting for some malvertising today and got redirected to a Seamless gate, which of course redirected me to RIG EK. For those of you who don’t know about the Seamless campaign, click HERE. Also, my archived posts on the Seamless campaign can be seen HERE. Let’s begin by peeking at the infection ...

HookAds Campaign Leads to RIG EK and Drops ZeuS Panda.

The HookAds campaign is still active and there have been some recent changes. For starters, this campaign usually drops a variant of Ursnif known as Dreambot. However, the sample that I got today seems more likely to be a ZeuS variant. This was later confirmed by my friend @Antelox  who identified it as ZeuS Panda. Let’s first ...

“Re: Details” Malspam Downloads CoreBot Banking Trojan

I got some malspam on 09/07/17 and decided to play around with it a bit. Below is an image of the email: The email is pretending to come from “Signa Air” and the subject is “Re: Details”. The text of the email is as follows: FYI, I sent this earlier with my regular email but ...

Roboto Condensed Social Engineering Scheme Delivers DELoader (aka Terdot or ZLoader).

My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this, which can be seen HERE. The page presented to both Chrome and Firefox users: Looking at the page source shows a different .ZIP file for Chrome and Firefox users: Chrome users download “Chrome_Font.zip”, which is ...

“IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.

I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple days old. The subject line of the email starts with “IMG_” and ends with four numbers. As you can see from the image below, it doesn’t contain anything in the body. This is very similar to other ransomware distribution campaigns ...