Category: Informational

Neptune Exploit Kit

On 03/10/17 there were postings on various forums about an exploit kit named Neptune. The author claims it has 17 different exploits, including some fresh CVEs from 2017. Below is an image from one of the advertisements: Claimed features include a malicious domain detect rotation trigger, steganography, domain auto-rotator, professional user interface (template for the interface can be found HERE), ...

Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for Sundown and RIG exploit kit. It was at this point that I began to track the TDS and its registrant. My first infection that I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a ...

Changes to the Pre-Landing Page

On December 4th, 2016, I discovered that campaigns had started using what would be called the “pre-landing” page or “pre-filter” page. If you’re looking at the file hosted on the server, you can see that it is named firstDetect.js. It was also uploaded to one of RIG’s backend servers on January 13th, 2017. The basic idea ...

Thousands of Compromised Websites Leading to Fake Flash Player Update Sites. Payload is Qadars Banking Trojan.

Traffic: Infection Chain (Run on 02/10/17):
There appear to be thousands of websites that were compromised and had been redirecting users to fake Flash Player update sites. For the most part they seem to be delivering Qadars banking malware. I was originally tipped off to a potentially compromised site a couple weeks ago by somebody ...

BossTDS and Exploit Kits

Download the Appendix – bosstds-and-exploit-kits.xlsx
Appendix A – DNS resolutions for 188.68.252.146.
Appendix B – Advertisement page Whois information.
Appendix C – Host pairs.
Appendix D – Summary of investigations: IPs, domains, redirection methods, EKs, hashes.
Appendix E – BossTDS Whois information.
Appendix F – Additional IP Whois information.
BossTDS Capabilities
Traffic control software, like BossTDS, offers users highly ...

Sundown EK using 40.69.68.179, Which is Assigned to Microsoft Corporation (MSFT).

Here is a picture of traffic collected during some of my investigations today: I didn’t think to look at the Whois information belonging to 40.69.68.179 until one of my friends, @Ledtech3, pointed this out: Checking the IP’s resolution history shows the first time a domain resolved to it was today, 01/25/17. All of the domains appear to ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs:
88.99.41.189 – qj.fse.mobi – Sundown EK
86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot
93.190.143.82 – mhn.jku.mobi – Sundown EK
93.190.143.82 – nso.fzo.mobi – Sundown EK
93.158.215.169 – domainfilsdomainc.study – RIG-v EK
Sundown EK Traffic Run 1 (Traffic exported from SIEM):
FlashPlayer.exe Run 2:
Sundown EK Traffic Run 3:
RIG-v EK Traffic Run ...

Sundown EK: Pre-Landing Page.

IOCs:
93.190.143.82 – dp.jev.mobi and nso.fzo.mobi – Sundown EK
Traffic:
Hashes:
SHA256: 37d479720f7d5f5bc2ec8ff93568798ba891bc35514925f4969cbc5a48c869c0 File name: iedetector.js
SHA256: 1230ef25fd9d4238ad80d5e4a0e5d489075edfe9b7321c691f99972de640541b File name: index2.php.html
SHA256: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e File name: 9643522803.swf
SHA256: 5aaaa4f18ff200eb46f8be49f720f2462e954c2ef216d1258c6c3ed99ec1d4bf File name: 947545190441&id=257.swf
SHA256: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 File name: 78493521.swf
Today I saw Sundown EK using a “pre-landing” page containing script pointing to JavaScript files via relative paths. File /trafficScript/iedetector.js contains ...
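The IOC lists in the two Sundown EK excerpts above (IP – host – description lines, plus SHA256 hashes with file names) are the kind of thing an analyst wants in machine-readable form so they can be swept against proxy logs. The following Python is added here as an illustration and is not part of the blog's own tooling: it parses those lines (handling the "host1 and host2" case and defanged "[.]" notation as used elsewhere on this page) and the hash list, then matches a few constructed proxy-log lines against them, by hostname first and by destination IP as a fallback. The log format, the field order and every log line are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# IOC lines copied from the two Sundown EK post excerpts above (the blog's data).
IOC_TEXT = """
88.99.41.189 – qj.fse.mobi – Sundown EK
86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot
93.190.143.82 – mhn.jku.mobi – Sundown EK
93.190.143.82 – nso.fzo.mobi – Sundown EK
93.158.215.169 – domainfilsdomainc.study – RIG-v EK
93.190.143.82 – dp.jev.mobi and nso.fzo.mobi – Sundown EK
"""

# Hash lines copied from the "Sundown EK: Pre-Landing Page" excerpt above.
HASH_TEXT = """
SHA256: 37d479720f7d5f5bc2ec8ff93568798ba891bc35514925f4969cbc5a48c869c0 File name: iedetector.js
SHA256: 1230ef25fd9d4238ad80d5e4a0e5d489075edfe9b7321c691f99972de640541b File name: index2.php.html
SHA256: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e File name: 9643522803.swf
SHA256: 5aaaa4f18ff200eb46f8be49f720f2462e954c2ef216d1258c6c3ed99ec1d4bf File name: 947545190441&id=257.swf
SHA256: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 File name: 78493521.swf
"""


@dataclass(frozen=True)
class Ioc:
    ip: str
    host: str
    desc: str


# Fields are separated by " – " (en dash, as the post writes it) or a plain " - ".
FIELD_SEP = re.compile(r"\s+[–-]\s+")
HASH_RE = re.compile(r"SHA256:\s*([0-9a-fA-F]{64})\s+File name:\s*(\S+)")


def refang(s: str) -> str:
    """Undo common defanging so an IOC compares equal to what a log records."""
    return s.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def parse_ioc_lines(text: str) -> list[Ioc]:
    """Turn 'IP – host(s) – description' lines into Ioc records, one per host."""
    iocs = []
    for line in text.splitlines():
        parts = FIELD_SEP.split(line.strip())
        if len(parts) < 3:
            continue  # blank line or not an IP – host – description line
        ip, hosts, desc = parts[0].strip(), parts[1], " – ".join(parts[2:])
        # One IP may carry several hosts, written "dp.jev.mobi and nso.fzo.mobi".
        for host in re.split(r"\s+and\s+", hosts):
            iocs.append(Ioc(ip=ip, host=refang(host), desc=desc))
    return iocs


def parse_hashes(text: str) -> dict[str, str]:
    """Map lower-case SHA256 -> file name as listed in the post."""
    return {h.lower(): name for h, name in HASH_RE.findall(text)}


def match_proxy_log(log_lines, iocs):
    """Return (timestamp, client, host, description) for each log line hitting an IOC.

    Hostname is checked first; destination IP is the fallback, which matters
    for hosters like 93.190.143.82 that serve several EK domains at once.
    """
    by_host = {i.host: i for i in iocs}
    by_ip = {}
    for i in iocs:
        by_ip.setdefault(i.ip, i)
    hits = []
    for line in log_lines:
        ts, client, _method, url, dst_ip = line.split()
        host = (urlparse(url).hostname or "").lower()
        ioc = by_host.get(host) or by_ip.get(dst_ip)
        if ioc:
            hits.append((ts, client, host, ioc.desc))
    return hits


# Constructed proxy log lines (assumed format: time client method URL destination-IP).
SAMPLE_LOG = [
    "2017-01-25T10:02:11 10.0.0.5 GET http://nso.fzo.mobi/trafficScript/iedetector.js 93.190.143.82",
    "2017-01-25T10:02:13 10.0.0.5 GET http://cdn.example.net/app.js 203.0.113.9",
    "2017-01-25T10:03:40 10.0.0.7 GET http://unlisted.example/x.php 93.158.215.169",
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_LOG, parse_ioc_lines(IOC_TEXT)):
        print(*hit)
```

The IP fallback is deliberate: a TDS or EK operator rotates domains far more often than hosting, so a request to an unlisted domain on a known EK server is still worth flagging, as the third sample line shows.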

Traffic Distribution System is Funneling Traffic to RIG-v Exploit Kit

On November 28th of this year my host was redirected to a RIG-v exploit kit server, however, this time the redirect came from a suspicious looking web page. This was somewhat unusual for me as the majority of exploit kit infections that I deal with begin when a user visits a legitimate site. These vulnerable ...

PushDo Checkin Traffic Update

I infected my computer with PushDo on Oct. 20, 2016, which you can read about HERE. I ran the computer again today and re-collected some callback traffic (ET TROJAN Backdoor.Win32.Pushdo.s Checkin). I’m adding this update because there were some new domains and IPs in the traffic. Below you will find an Excel sheet of the ...