Category: Exploit Kit

Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.

I decided to go hunting for some malvertising today and got redirected to a Seamless gate, which of course redirected me to RIG EK. For those of you who don’t know about the Seamless campaign, click HERE. Also, my archived posts on the Seamless campaign can be seen HERE. Let’s begin by peeking at the infection ...

HookAds Campaign Leads to RIG EK and Drops ZeuS Panda.

The HookAds campaign is still active and there have been some recent changes. For starters, this campaign usually drops a variant of Ursnif known as Dreambot. However, the sample that I got today seems more likely to be a ZeuS variant. This was later confirmed by my friend @Antelox  who identified it as ZeuS Panda. Let’s first ...

The Seamless Campaign Isn’t Losing Any Steam

Some security researchers on Tuesday had noted that their requests for the Seamless gates were failing. However, if there was any noticeable stoppage, it certainly didn’t last very long. Shortly after hearing about this I started checking my logs for any exploit kit activity and, as usual, I found a detection for RIG EK from ...

Seamless Campaign Uses RIG EK to Drop Ramnit Trojan

Below is a partial and edited flowchart of the malvertising chain that I got during this infection: An edited image of the infection chain is shown below: You can see that the Ramnit sample seems to check for Internet connectivity before making DNS queries for ujndhe7382uryhf.com, which resolves to 46.173.214.170. Following the DNS resolutions is ...

Fobos Campaign Using RIG EK to Drop Bunitu Trojan

This campaign has been dubbed “Fobos” because the actors were using the registrant email address fobos@mail.ru. FireEye first published an article back in March 2017, that talked about Fobos in relation to RIG exploit kit called “Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits.” The article mentioned that they started tracking ...

Seamless Campaign Uses RIG EK to Drop Ramnit. Ramnit Drops AZORult.

I’m still seeing a lot of Seamless campaign out there. Let’s look at the HTTP requests and DNS queries from my most recent infection: We start out with the request for /usa, which redirects to /usa/ via a 301. /usa/ returns a page containing script that grabs the time zone information from the host. That ...

Rulan Campaign Redirects to RIG EK at 188.225.33.43 and Drops a Miner

Watcha know about Mining!? Today I was doing some digging (no pun intended) into numerous domains used during recent malvertising redirection chains. These domains appear to be related to a campaign dubbed “Rulan”. Let’s start off with showing the redirection chain: As you can see from the TCP streams there are a lot of 302 ...

Campaign Leads to RIG EK and Fake Flash Player Update Site. RIG Drops URLZone and Fake Flash Player Update Drops a Miner.

On 08/02/17 I used the domain www2[.]davidhelpling[.]org to redirect my host to a RIG EK landing page located at 188.225.79.139. RIG ended up dropping URLZone, which is a banking Trojan first discovered in 2009. More recently URLZone has been seen targeting Japan via malspam campaigns. You can read more about URLZone at the link below, as ...

Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.

The site I used for today’s malvertising chain appears to be a legitimate adult website, however, downstream of more popular ones. According to traffic estimates the site has received roughly 637,100 visitors over the last 30 days. Alexa.com currently ranks the site in the top 33,000 globally, with most of its visitors coming from India ...

Seamless Campaign Leads to RIG EK at 188.225.35.149, Drops Digitally Signed Ramnit.

The website that I used for this malvertising chain was much smaller in terms of traffic than my previous runs. In total the site received an estimated 126,000 visitors in July, 2017. According to Alexa it is currently ranked around 200,000 globally and 44,000 in the United States. Below is a flowchart of the infection ...