RIG EK at 188.225.76.222 Drops Dreambot

This infection chain would have most likely came from malvertising. Instead of recreating the entire chain I used a compromised site (created on 11/30/2014) that redirects to various RIG EK gates. Below is an image of the traffic being filtered in Wireshark: Found in page source: We then see the GET request for dNw3XwZXSc6ysO.js at en.sundayloop.com. ...

Tech Support Scams Using Numeric Domains

According to Microsoft, tech support scams (TSS) are a growing problem with 2 out of 3 consumers reporting that they’ve encountered them in recent years. As somebody who often captures malvertising chains I can tell you that I too have seen a big uptick in redirects leading to tech support scam pages. A lot of the times ...

Seamless Campaign Drops Ramnit from RIG Exploit Kit at 188.225.76.204

This infection chain started from a malvertising chain that eventually led to the Seamless campaign. Background on the Seamless campaign can be found HERE. Below is an image of the HTTP traffic from the infection chain: The malvertising chain used various redirects to reach the RIG EK landing page. Below is an image of the ...

Seamless Campaign Leads to RIG EK at 188.225.79.43 and Drops Ramnit

As I was checking logs in the SIEM console over the weekend I came across another detection for the Seamless campaign. You can see from the HTTP logs that there are two direct IPs, 194.58.60.51 and 194.58.60.52, being used by the Seamless campaign. Examining the URLs in the HTTP logs shows an interesting base64 encoded string: ...

RIG EK Delivers Pushdo / Cutwail Botnet and RELST Campaign Still Pushing Chthonic.

Background on RELST campaign: https://malwarebreakdown.com/2017/06/05/roughted-malvertising-operation-leads-to-relst-domains-and-rig-ek/ https://malwarebreakdown.com/2017/06/06/relst-campaign-delivering-pony-downloads-chthonic/ On 06/26/17 @thlnk3r had informed me that they located a RELST domain: The source code from webshoot.pw (104.18.32.54 and 104.18.33.54) shows “relst” in the iframe id: The RELST campaign uses different social engineering tactics in order to convince users to download ZIP files (Photo05.zip) that contain malicious scripts (Photo.js). Click HERE to view ...

Malvertising Leads to HookAds Campaign Which Redirects to RIG EK at 188.225.74.13. RIG EK Drops Dreambot.

I captured another malvertising chain that included the HookAds campaign. To read more about the HookAds campaign click HERE. You can also find all my HookAds related post HERE. Below is an image of a 302 redirect that led to the HookAds decoy XXX website: The referer for the decoy XXX website, according to the ...

Seamless Campaign Leads to RIG EK at 92.222.48.83 and Drops Ramnit

The infection vector for this Ramnit compromise was RIG exploit kit. The user was redirected to the exploit kit via a malvertising chain using the Seamless campaign. The Seamless campaign has been dropping Ramnit for awhile now. You can read more about the Seamless campaign HERE. The referer used for this infection was the Seamless ...

HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot.

Network based IOCs 34.193.201.92 – arrassley.info – RoughTed domain 80.77.82.41 – heydrid-info – HookAds fake ad server 188.225.78.240 – RIG exploit kit 144.168.45.110 – Dreambot C2 52.2.59.254 – ipinfo.io – External IP lookup Post-infection DNS queries and additional post-infection traffic: resolver1.opendns.com 222.222.67.208.in-addr.arpa myip.opendns.com wdwefwefwwfewdefewfwefw.onion Hashes SHA256: ab4db9eff5259f56e1c9f21444b9b8024d8ce2ffc841e178b10b9a522a750c3c File name: heydrid.info pre-landing page.txt SHA256: b712653deece760b1b981c7d93da44e62b58630ce0bfd511a2d621672cc2f7d6 File ...

“Despicable” Malvertising Campaign Redirects to RIG EK at 188.225.77.106, Drops Chthonic Banking Trojan.

Read about the Despicable (aka Despicable .ME) malvertising campaign HERE. This infection chain resulted from me visiting a website that streams sporting events. Below is a partial and edited image of the malvertising chain being filtered in Wireshark: The host is redirected to adrunnr.com, which then redirects to done.witchcraftcash.com. done.witchcraftcash.com then redirects the host to the ...

Seamless Malvertising Campaign Drops Ramnit from RIG EK at 80.93.187.194

Shout-out to thlnk3r‏ for giving me the referer! Using the referer qstoo.voluumtrk[.]com redirected my host to the Seamless gate at 193.124.89.196: The Seamless gate returns a “302 Found” that points to the RIG exploit kit landing page at 80.93.187.194: The Ramnit malware payload was dropped in %Temp% and then copied to %AppData% in the folder mykemfpi: There ...

Browse Categories