EITest Gate at 85.93.0.32 Leads to Angler EK at 83.220.169.231

I found these GET requests in our customers' traffic:
zeboms[.]tk/show_content.php?fgpimk=lrsuk&id=4642B3AD8EB1331F63B111F171C670700DA304E3EFF16822032449944AB075E487805D
one.theleadersummit[.]com/boards/viewtopic.php?t=0i3&f=o5aew38bpq8ca58engnpikp4ucvwuef5z9ej1ctm014keykgo-q773pf_ahi58p76yvzpoffylkdqe_-8k4eih0j03n2t-i1y
Unfortunately for our analysts, we don't always get packets, so we can't easily locate the referer in every case. Typically the GET request for the compromised site is in the traffic surrounding the event. As you can see from the HTTP requests surrounding the ...
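The triage step described above (no packet capture, so the referer has to be inferred from the requests the same client made just before the gate hit) can be scripted against proxy or flow logs. The following is an added example, not code from the original post: the log format (timestamp, client IP, method, host, path, referer) and every hostname in it are constructed placeholders, not the indicators from the post. When a referer is logged it is used directly; otherwise the hosts requested by the same client in a short window before the gate request are returned as candidates, most recent first, with static resources (CSS, images, fonts) filtered out because they are never the page that carried the injected script.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log (not real traffic). Fields: timestamp client method host path referer
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 10.0.0.5 GET www.local-news.example /sports/index.html -
2016-03-01T10:00:01Z 10.0.0.5 GET cdn.local-news.example /css/site.css http://www.local-news.example/sports/index.html
2016-03-01T10:00:02Z 10.0.0.5 GET gate.example /show_content.php?fgpimk=abcd&id=0011 -
2016-03-01T10:00:03Z 10.0.0.5 GET landing.example /boards/viewtopic.php?t=0i3&f=xyz -
2016-03-01T10:00:03Z 10.0.0.7 GET www.search.example / -
2016-03-01T10:05:00Z 10.0.0.5 GET www.unrelated.example / -
"""

# Resources that cannot be the compromised page itself.
STATIC_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico", ".woff", ".svg")


def parse_line(line):
    """Parse one constructed-format log line into a dict."""
    ts, client, method, host, path, referer = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": host,
        "path": path,
        "referer": referer,
    }


def is_static(path):
    return path.split("?", 1)[0].lower().endswith(STATIC_EXT)


def candidate_referers(log_text, gate_host, window_seconds=10):
    """For every request to gate_host, return the likely referring site(s).

    Uses the logged referer when present; otherwise lists hosts the same
    client fetched within window_seconds before the gate hit, most recent
    first, skipping static resources and the gate itself. Assumes the log is
    in chronological order.
    """
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    results = []
    for i, hit in enumerate(entries):
        if hit["host"] != gate_host:
            continue
        result = {
            "gate_request": hit["host"] + hit["path"],
            "client": hit["client"],
            "explicit_referer": None,
            "candidates": [],
        }
        if hit["referer"] != "-":
            result["explicit_referer"] = hit["referer"]
            result["candidates"] = [urlsplit(hit["referer"]).hostname]
            results.append(result)
            continue
        cutoff = hit["ts"] - timedelta(seconds=window_seconds)
        for prev in reversed(entries[:i]):
            if prev["ts"] < cutoff:
                break  # log is chronological; nothing older is in the window
            if prev["client"] != hit["client"] or prev["host"] == gate_host:
                continue
            if is_static(prev["path"]) or prev["host"] in result["candidates"]:
                continue
            result["candidates"].append(prev["host"])
        results.append(result)
    return results


if __name__ == "__main__":
    for r in candidate_referers(SAMPLE_LOG, "gate.example"):
        print(r["client"], r["gate_request"], "<-", r["candidates"])
```

The window is deliberately short: EITest-style injections fire on page load, so the compromised page is normally within a few seconds of the gate request. Widen it for busy users, but expect more noise.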

EITest Campaign at 85.93.0.32

IOCs: 85.93.0.32 – EITest Gate; SHA256 1384b089c4524dd996a60f58ca1465bf89cd8f39e2711846ea394f14c4c87913. This isn't going to be an extensive look into the EITest Campaign, as Brad from Malware-traffic-analysis.net has already done great work on this subject. You can also check my post here for more details. It is more or less an update on some activity I've been seeing ...

Another Spam Email Redirecting Host to Forskolin Pages

Email found in my inbox: Clicking on the link generated the following HTTP traffic: As you can see, this is the same sort of traffic I saw in my previous blog post. The redirect (lhdjzr[.]com/?c=wl) contains an obfuscated script that has been encoded and reversed. Once reversed, decoded and deobfuscated, you can see how ...
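The "encoded and reversed" pattern above is a common, cheap obfuscation in redirect pages: the real JavaScript is percent-encoded (or base64-encoded), the string is reversed, and the script undoes both at runtime before eval. The following is an added example, not code from the original post or the redirect it describes: it builds constructed samples (the payload URL forskolin-landing.example is a placeholder, and the choice of percent-encoding and base64 as the inner encodings is an assumption, since the post does not name the encoding), then shows a small deobfuscator that pulls long string literals out of the script, reverses them, detects the encoding, decodes, and extracts the URLs the redirect would have sent the browser to.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed payload: what the redirect page actually executes (placeholder URL).
PAYLOAD = 'window.location.href="http://forskolin-landing.example/?c=wl";'

LITERAL_RE = re.compile(r'["\']([^"\'\\\s]{16,})["\']')   # long string literals
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")                    # percent-escape present?
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")                # base64 alphabet only
URL_RE = re.compile(r"https?://[^\s\"'<>;]+")


def build_sample(payload, encoding):
    """Constructed obfuscated redirect, built the way such a page would build it:
    encode the payload, reverse the string, and have the script undo both."""
    if encoding == "percent":
        enc = quote(payload, safe="")
        decoder = "decodeURIComponent"
    elif encoding == "base64":
        enc = base64.b64encode(payload.encode()).decode()
        decoder = "atob"
    else:
        raise ValueError("unsupported encoding: " + encoding)
    reversed_blob = enc[::-1]
    return 'var s="%s";eval(%s(s.split("").reverse().join("")));' % (reversed_blob, decoder)


def decode_reversed(literal):
    """Reverse a literal and decode it; return the plaintext or None if it is
    neither percent-encoded nor printable base64."""
    rev = literal[::-1]
    if PCT_RE.search(rev):
        return unquote(rev)
    if B64_RE.fullmatch(rev) and len(rev) % 4 == 0:
        try:
            out = base64.b64decode(rev, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return None
        return out if out.isprintable() else None
    return None


def deobfuscate(script):
    """Return every decoded payload recovered from the script's long literals."""
    decoded = []
    for literal in LITERAL_RE.findall(script):
        plain = decode_reversed(literal)
        if plain is not None:
            decoded.append(plain)
    return decoded


def extract_urls(text):
    return URL_RE.findall(text)


if __name__ == "__main__":
    for enc in ("percent", "base64"):
        sample = build_sample(PAYLOAD, enc)
        for plain in deobfuscate(sample):
            print(enc, "->", plain, extract_urls(plain))
```

Two practical notes: a second layer of the same trick (reverse again, decode again) is common, so run deobfuscate on its own output until nothing new appears; and never reproduce the script's eval, since static decoding as shown here recovers the destination without executing anything.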

Forskolin Spam Emails

I found these GET requests in our customers' traffic, likely originating from spam emails:
hxxp://gallipolicountryandsea[.]it/therfgds1.php
hxxp://www.gallipolicountryandsea[.]it/therfgds1.php
hxxp://dutbbc[.]com/?a=374762&c=wl_con&s=nw-404-1che
What drew my attention to it at first was the .IT TLD, and this traffic also seemed out of place in the context of this person's web browsing patterns. Furthermore, the two requests to gallipolicountryandsea[.]it were resolving ...
