Category: Exploit Kit

E

EITest Gate at 85.93.0.110 Leads to Rig EK at 178.32.92.122 and Drops Vawtrak

IOCs: 88.208.252.222 – cam-machine.com – Compromised Website 85.93.0.110 – focecu.xyz – EITest Gate 178.32.92.122 – eeuo5tu8.top – Rig EK 108.61.99.79 – GET /module/d1967c99c0c7f9b468f2e08e59e41ffe GET /module/311ac29c5a8f6b4e7a247db98207fd6e GET /module/96df1c84c7fb13e880e399f9627e0db0 GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d GET /module/a104f2955999a2f1a1c881e8930b82f6 Post-Infection DNS Queries resolving to 91.235.129.178: zmluvsfe.com machinabat.pw baltolux.bid twoggis.bid Post-Infection DNS Queries resolving to 185.4.67.154: chanpie.pw zoomir.bid buhnuti.bid wermoo.pw DNS standard query responses ...

E

EITest Gate at 85.93.0.13 Leads to Rig EK at 109.234.38.67 Which Drops Cerber Ransomware

IOCs: 85.93.0.13 – kavafo.xyz – EITest Gate 109.234.38.67 – qw.thesleepdoctormattress.com – Rig EK 162.250.144.215 – ip-api.com – GET /json – IP Check 115.28.36.224 – http://www.doswf.com – Associated with Rig EK Flash Exploit 91.223.89.201 – Decryptor Site – Associated Files 148.251.6.214 – btc.blockr.io – Associated with BitCoin Information 31.184.234.0/24 and 31.184.235.0/24 via UDP port 6892 Hashes: ...

A

Afraidgate Leads to Neutrino EK at 176.31.223.167 Which Drops Locky Ransomware

IOCs: red.kamyuenenterprise.hk – JS Redirect – 138.197.128.173 vsjgvbaz.anythingwork.top – Neutrino EK – 176.31.223.167 194.67.210.183 POST /php/upload.php – Locky post-infection callback traffic Hashes: JS file: 049add46d0a527b50a605573c98330ceabaf533559f06e6fc4795cf6ca326bc1 Neutrino EK landing Page: 2bf38bb619b4c89f39356b5e1dac87ffd013e1aefb95617b3d015a5f74856757 Neutrino EK Flash Exploit: fbf67ebbf326ec0b6379d5461b3893eb864fc6c346f71c93a467e90e8aea3354 Neutrino EK Locky Payload: 542209ebd40928a0b4e016fcdd0813f3444dbf139ae3adfc194843abeacdf1fd Visiting the compromised site and looking at the source code I found a script within the HTML tags ...

F

For the First Time Ever, EITest Gate Leads to Rig EK

IOCs: 85.93.0.12 – epanofap.top – EITest IP/Domain 185.158.152.118 – free.giftofhair.org – Rig EK Hashes: EITest Gate Flash Redirect: 2e562c81b88c1a2061c6aa591c25f90c EITest Gate Landing Page: 859a8994f27d2f9ded7d3aab783d4680 Rig EK Landing Page: 50ad7f7a888954b8a79469f8662864a2 Rig EK Flash Exploit: c6014a32cc06f862ea44db720dfcf553 Rig EK Payload: 7e1622d13f59a7e9f6c0939a2c35ba45     I believe today is the first time that anyone has ever seen the EITest gate leading to a Rig Exploit ...

E

EITest Gate at 85.93.0.12 Leads to Neutrino EK at 107.6.177.5 Which Delivers CryptMIC

IOCs: 85.93.0.12 – hesamut.top – EITest gate IP and domain 107.6.177.5 – kierrell.bartonjuniorschool.com – Neutrino EK 85.14.243.9 – CryptMIC ransomware post-infection callback Decryption Domains: hxxp://7aggi2bq4bms4dfo.onion.to hxxp://7aggi2bq4bms4dfo.onion.city Ransom Notes: README.html README.txt README.bmp File Hashes: EITest Gate Flash Redirect: 93838c299f7dfd0365023dc51d92b27395dca449b8a8bc6e7ad10fc6abc39ebc Neutrino EK Flash Exploit: 80f8636298193c9965b9e9d3f7759207ebaf3cd1b4c7c3f4d6a2462026ebce25 I’ve written about EITest gate for the last couple of months and ...

p

pseudoDarkleech Script Leads to Neutrino EK at 92.222.122.52 Which Drops CryptMIC Ransomware

IOCs: 92.222.122.52 – seyhocacm.assistkd.com – Neutrino Exploit Kit 85.14.243.9 – CryptMIC Ransomware C2 via TCP port 443 (clear text) Payment Sites: hxxp://ccjlwb22w6c22p2k.onion.to hxxp://ccjlwb22w6c22p2k.onion.city Ransom notes: README.txt README.bmp README.html As Brad Duncan from malware-traffic-analysis.net points out there has been a recent change in patterns for the pseudoDarkleech campaign. It has shifted from large blocks of obfuscated ...

U

Update for the EITest Gate

I’ve been following the EITest campaign for a couple months now and I have just recently noticed something different in the traffic. The threat actors are still using compromised sites by injecting them with the same EITest script:   The EITest script above causes the host to retrieve a Flash file from EITest gate. However, ...