Seamless Malvertising Campaign Still Leading to RIG EK and Dropping Ramnit

On May 10th, 2017, the Twitter user thlnk3r sent a Tweet with a referer for the seamless campaign: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 185.31.160.55 as my referer. Here is the traffic from my run: This tactic proved to be successful as I was redirected from 185.31.160[.]55/flow335.php to ...

RIG EK at 92.53.119.66 Drops Dreambot

IOCs HTTP Traffic: 80.77.82.41 – guerritor.info – Gate (fake ad domain) 92.53.119.66 – new.ibconsultants.net – RIG EK To see the full URLs for RIG exploit kit landing pages resolving to this IP address please refer to the VirusTotal address below: https://www.virustotal.com/en/ip-address/92.53.119.66/information/ 158.69.176.173 – Dreambot post-infection traffic DNS Queries: ip-addr.es resolver1.opendns.com 222.222.67.208.in-addr.arpa myip.opendns.com There is also post-infection ...

Malspam Leads to Malicous Word Document Which Downloads Geodo/Emotet Banking Malware

Download location where I got the malicious Word document: 192.232.223.76 – kinonah.com – GET /Cust-4762868855/ – Compromised website hosting malicious Word document VirusTotal Report Hybrid-Analysis Report SHA256: d8cfe351daa5276a277664630f18fe1e61351cbf3b0a17b6a8ef725263c0cab4 Additional Word document download locations: 213.190.161.210 – avenueevents.co.uk/Cust-PBP-03-D683320/ 67.212.91.221 – kingstoncybermall.com/Cust-3647227423/ 5.10.105.46 – theuntoldsorrow.co.uk/ORDER.-XI-80-UY913942/ 173.236.177.156 – visuals.com/CUST.-VT-38-RH422386/ 192.254.251.86 – thenursesagent.com/ORDER.-9592209302/ 192.185.148.240 – tiger12.com/TGA-48-76252-doc-May-04-2017/ 192.185.216.220 – gabrielramos.com.br/lxu-3h-ip079-zgmg.doc/ 146.185.16.121 ...

Decimal IP Campaign

For a background on the Decimal IP Campaign please read this article written on March 29th, 2017, by Jérôme Segura over at Malwarebytes Lab: https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/ I got the decimal IP used for this infection from @nao_sec‘s blog post found HERE. IOCs: 104.156.250.131 – IP decimal redirector 162.220.246.254 – Fake Flash Player update landing page 23.56.113.194 – java.com ...

Tech Support Scams

Below is a link to an article from Malwarebytes Lab explaining tech support scams: https://blog.malwarebytes.com/tech-support-scams/ Some recent examples that I collected on 05/02/17 are shown below. Network Activity: 174.137.155.139 – xml.pdn-1.com – 302 redirect to tech support scam 107.180.1.35 – binmsisooso.life – Tech support scam landing page 46.30.213.100 – bunt.truncomp.com – Tech support scam server Network ...

Update on GoodMan

I discovered the GoodMan campaign on January 20th, 2017. You can read a detailed report on GoodMan HERE. Since March, 2017, I’ve seen more domains being registered by “goodmandilaltain@gmail.com” and I’ve recorded GoodMan delivering Sage 2.2 ransomware, ZeusVM, something with a file description of “Neighbur Readiness Ransomware,” and now what looks like LatentBot. Below is a list of some recent domains being ...

EITest Leads to RIG EK at 188.225.36.196 And Drops Quant Loader. Downloads ZLoader/Zbot.

IOCs 199.116.248.108 – saywitzproperties.com – Compromised website (shout-out to thlnk3r‏ who gave me the site) 188.225.36.196 – fds.japanbioenergy.org – RIG Exploit Kit 52.90.24.205 – unisdr.top – GET /mail.index.php – Response contains download locations for additional malware at trackerhost.us 52.90.24.205 – trackerhost.us – GET /drop/lsmk.exe – Additional malware 52.90.24.205 – gerber.gdn – POST / info.php – Post-infection traffic DNS ...

Hacked Sites Redirecting Users to Various Malvertising Campaigns

I had somebody contact me via my Contact page saying that they found my post on the Seamless campaign leading to RIG exploit kit. They had told me that they had received an email with the following link multitaskcleaners[.]co[.]uk/giftwrap.php?1702. He went on to say that going directly to multitaskcleaners[.]co[.]uk redirected him to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...

EITest Campaign Leads to RIG EK at 188.225.39.227. EK Drops Matrix Ransomware v3.

IOCs Network Activity: 104.27.184.144 – teknonisme.com – Compromised WordPress site 188.225.39.227 – fix.russianpropoganda.com – RIG exploit kit 195.248.235.240 – stat6.s76.r53.com.ua – GET / addrecord.php? and POST /uploadextlist.php – C2 traffic 148.251.13.83 – stat6.s76.r53.com.ua – GET / addrecord.php? – C2 traffic Additional answers from the DNS query: 195.248.235.241 – stat6.s76.r53.com.ua – C2 traffic 31.41.216.90 – stat6.s76.r53.com.ua – C2 ...

Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan

On April 5th, 2017, the Twitter user thlnk3r sent a message to Brad and myself about a malvertising chain using onclkds.com to redirect hosts to RIG exploit kit. Here is the Tweet: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 194.58.38.64 as my referer. Here is the traffic ...

Browse Categories