Category: Exploit Kit

The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.

Although there continues to be an overall decrease in EK activity I’m still seeing a decent amount of malvertising leading to EKs. One campaign that I run into a lot is Seamless. It’s like other malvertising campaigns in that much of the traffic originates from streaming video sites. These kinds of sites make good targets ...

HookAds Continues to use RIG EK to Drop Dreambot

A couple days ago RIG changed its URI parameters. This isn’t unusual as it seems to happen at least once a month. However, one thing to note is that RIG, at this moment, is using some base64 encoded strings in the URI. Examples taken from this infection chain include the following: /?MzQwNDg3NTE= decodes to /?34048751= /?MTU2NzMzOTY= ...

RIG EK at 188.225.76.222 Drops Dreambot

This infection chain would have most likely came from malvertising. Instead of recreating the entire chain I used a compromised site (created on 11/30/2014) that redirects to various RIG EK gates. Below is an image of the traffic being filtered in Wireshark: Found in page source: We then see the GET request for dNw3XwZXSc6ysO.js at en.sundayloop.com. ...

Seamless Campaign Drops Ramnit from RIG Exploit Kit at 188.225.76.204

This infection chain started from a malvertising chain that eventually led to the Seamless campaign. Background on the Seamless campaign can be found HERE. Below is an image of the HTTP traffic from the infection chain: The malvertising chain used various redirects to reach the RIG EK landing page. Below is an image of the ...

Seamless Campaign Leads to RIG EK at 188.225.79.43 and Drops Ramnit

As I was checking logs in the SIEM console over the weekend I came across another detection for the Seamless campaign. You can see from the HTTP logs that there are two direct IPs, 194.58.60.51 and 194.58.60.52, being used by the Seamless campaign. Examining the URLs in the HTTP logs shows an interesting base64 encoded string: ...

RIG EK Delivers Pushdo / Cutwail Botnet and RELST Campaign Still Pushing Chthonic.

Background on RELST campaign: https://malwarebreakdown.com/2017/06/05/roughted-malvertising-operation-leads-to-relst-domains-and-rig-ek/ https://malwarebreakdown.com/2017/06/06/relst-campaign-delivering-pony-downloads-chthonic/ On 06/26/17 @thlnk3r had informed me that they located a RELST domain: The source code from webshoot.pw (104.18.32.54 and 104.18.33.54) shows “relst” in the iframe id: The RELST campaign uses different social engineering tactics in order to convince users to download ZIP files (Photo05.zip) that contain malicious scripts (Photo.js). Click HERE to view ...

Malvertising Leads to HookAds Campaign Which Redirects to RIG EK at 188.225.74.13. RIG EK Drops Dreambot.

I captured another malvertising chain that included the HookAds campaign. To read more about the HookAds campaign click HERE. You can also find all my HookAds related post HERE. Below is an image of a 302 redirect that led to the HookAds decoy XXX website: The referer for the decoy XXX website, according to the ...