E

EITest Gate at 85.93.0.12 Leads to Neutrino EK at 107.6.177.5 Which Delivers CryptMIC

IOCs: 85.93.0.12 – hesamut.top – EITest gate IP and domain 107.6.177.5 – kierrell.bartonjuniorschool.com – Neutrino EK 85.14.243.9 – CryptMIC ransomware post-infection callback Decryption Domains: hxxp://7aggi2bq4bms4dfo.onion.to hxxp://7aggi2bq4bms4dfo.onion.city Ransom Notes: README.html README.txt README.bmp File Hashes: EITest Gate Flash Redirect: 93838c299f7dfd0365023dc51d92b27395dca449b8a8bc6e7ad10fc6abc39ebc Neutrino EK Flash Exploit: 80f8636298193c9965b9e9d3f7759207ebaf3cd1b4c7c3f4d6a2462026ebce25 I’ve written about EITest gate for the last couple of months and ...

p

pseudoDarkleech Script Leads to Neutrino EK at 92.222.122.52 Which Drops CryptMIC Ransomware

IOCs: 92.222.122.52 – seyhocacm.assistkd.com – Neutrino Exploit Kit 85.14.243.9 – CryptMIC Ransomware C2 via TCP port 443 (clear text) Payment Sites: hxxp://ccjlwb22w6c22p2k.onion.to hxxp://ccjlwb22w6c22p2k.onion.city Ransom notes: README.txt README.bmp README.html As Brad Duncan from malware-traffic-analysis.net points out there has been a recent change in patterns for the pseudoDarkleech campaign. It has shifted from large blocks of obfuscated ...

R

Ransomware IOCs and Trends in Late 2015 and Early 2016

Ransomware continues to evolve and there are many articles online that detail its continual changes. For that reason I won’t be rehashing all the evolutionary changes of ransomware. Instead this post seeks to point out some of the key trends in 2015 and 2016, as well as give analysts extra resources that will hopefully help ...

U

Update for the EITest Gate

I’ve been following the EITest campaign for a couple months now and I have just recently noticed something different in the traffic. The threat actors are still using compromised sites by injecting them with the same EITest script:   The EITest script above causes the host to retrieve a Flash file from EITest gate. However, ...

Phishing Sites at Myjino.ru

Here is what I found in our customers traffic: myjino[.]ru/ mc.yandex[.]ru/ wildblue-net-upd.myjino[.]ru/35c6cfba69650ab1fc8ff49f3bcb4532/db.php login.wildblue[.]net/ http://www.jino[.]ru/ account.jino[.]ru/ mc.yandex[.]ru/ mc.yandex[.]ru/ jino[.]ru/help/ Staring at traffic in a SIEM for hours each day you get really good at identifying patterns of traffic that look suspicious. Obviously not ALL traffic to Russian domains is an IOC. However, when you see an ...

A

A Brief History, and a Current Status, of the EITest Campaign

The EITest campaign isn’t anything new. In fact, Jérôme Segura from Malwarebytes wrote a detailed article about the this malware campaign in 2014. What he discovered was that this wasn’t your normal drive-by download as the campaign is using a Flash-based redirection mechanism. Below are three examples of compromised sites that I’ve found in the ...

E

EITest Gate at 85.93.0.32 Leads to Angler EK at 83.220.169.231

I found these GET requests in our customers traffic: zeboms[.]tk/show_content.php?fgpimk=lrsuk&id=4642B3AD8EB1331F63B111F171C670700DA304E3EFF16822032449944AB075E487805D one.theleadersummit[.]com/boards/viewtopic.php?t=0i3&f=o5aew38bpq8ca58engnpikp4ucvwuef5z9ej1ctm014keykgo-q773pf_ahi58p76yvzpoffylkdqe_-8k4eih0j03n2t-i1y Unfortunately for our analyst we don’t always get packets so we can’t easily locate the referer in every case. Typically the GET request for the compromised site is in the traffic surrounding the event. As you can see from the HTTP requests surrounding the ...

E

EITest Campaign at 85.93.0.32

IOCs: 85.93.0.32 – EITest Gate SHA256 1384b089c4524dd996a60f58ca1465bf89cd8f39e2711846ea394f14c4c87913 This isn’t going to be an extensive look into the EITest Campaign as Brad from Malware-traffic-analysis.net has already done great work on this subject. You can also check on my post here for more details. It is more or less an update in some activity I’ve been seeing ...

Another Spam Email Redirecting Host to Forskolin Pages

Email found in my inbox: Clicking on the link generated the following HTTP traffic:   As you can see this is the same sort of traffic I saw in my previous blog post. The redirect (lhdjzr[.]com/?c=wl) contains an obfuscated script that has been encoded and reversed. Once reversed, decoded and deobfuscated you can see how ...

Forskolin Spam Emails

I found these GET requests in our customers traffic, likely originating from spam emails: hxxp://gallipolicountryandsea[.]it/therfgds1.php hxxp://www.gallipolicountryandsea[.]it/therfgds1.php hxxp://dutbbc[.]com/?a=374762&c=wl_con&s=nw-404-1che What drew my attention to it at first was the .IT TLD, as well as this traffic seemed out of place in the context of this persons web browsing patterns. Furthermore, the two request to gallipolicountryandsea[.]it were resolving ...

Browse Categories