Phishing For Passwords via FormBuddy.com

Most InfoSec professionals have heard of “layer 8” as the unofficial layer of the OSI Model. For those of you who don’t know, Layer 8 refers to people. Meaning, no matter how good your security posture is, there is always that very predictably unpredictable and unpatchable vulnerability known as the user. It is often easier to ...

For the First Time Ever, EITest Gate Leads to Rig EK

IOCs:
85.93.0.12 – epanofap.top – EITest IP/Domain
185.158.152.118 – free.giftofhair.org – Rig EK

Hashes:
EITest Gate Flash Redirect: 2e562c81b88c1a2061c6aa591c25f90c
EITest Gate Landing Page: 859a8994f27d2f9ded7d3aab783d4680
Rig EK Landing Page: 50ad7f7a888954b8a79469f8662864a2
Rig EK Flash Exploit: c6014a32cc06f862ea44db720dfcf553
Rig EK Payload: 7e1622d13f59a7e9f6c0939a2c35ba45

I believe today is the first time that anyone has ever seen the EITest gate leading to a Rig Exploit ...

EITest Gate at 85.93.0.12 Leads to Neutrino EK at 107.6.177.5 Which Delivers CryptMIC

IOCs:
85.93.0.12 – hesamut.top – EITest gate IP and domain
107.6.177.5 – kierrell.bartonjuniorschool.com – Neutrino EK
85.14.243.9 – CryptMIC ransomware post-infection callback

Decryption Domains:
hxxp://7aggi2bq4bms4dfo.onion.to
hxxp://7aggi2bq4bms4dfo.onion.city

Ransom Notes: README.html, README.txt, README.bmp

File Hashes:
EITest Gate Flash Redirect: 93838c299f7dfd0365023dc51d92b27395dca449b8a8bc6e7ad10fc6abc39ebc
Neutrino EK Flash Exploit: 80f8636298193c9965b9e9d3f7759207ebaf3cd1b4c7c3f4d6a2462026ebce25

I’ve written about EITest gate for the last couple of months and ...

pseudoDarkleech Script Leads to Neutrino EK at 92.222.122.52 Which Drops CryptMIC Ransomware

IOCs:
92.222.122.52 – seyhocacm.assistkd.com – Neutrino Exploit Kit
85.14.243.9 – CryptMIC Ransomware C2 via TCP port 443 (clear text)

Payment Sites:
hxxp://ccjlwb22w6c22p2k.onion.to
hxxp://ccjlwb22w6c22p2k.onion.city

Ransom notes: README.txt, README.bmp, README.html

As Brad Duncan from malware-traffic-analysis.net points out, there has been a recent change in patterns for the pseudoDarkleech campaign. It has shifted from large blocks of obfuscated ...

Ransomware IOCs and Trends in Late 2015 and Early 2016

Ransomware continues to evolve, and there are many articles online that detail its continual changes. For that reason, I won’t be rehashing all the evolutionary changes of ransomware. Instead, this post seeks to point out some of the key trends in 2015 and 2016, as well as give analysts extra resources that will hopefully help ...

Update for the EITest Gate

I’ve been following the EITest campaign for a couple months now and I have just recently noticed something different in the traffic. The threat actors are still using compromised sites by injecting them with the same EITest script: The EITest script above causes the host to retrieve a Flash file from EITest gate. However, ...

Phishing Sites at Myjino.ru

Here is what I found in our customers’ traffic:
myjino[.]ru/
mc.yandex[.]ru/
wildblue-net-upd.myjino[.]ru/35c6cfba69650ab1fc8ff49f3bcb4532/db.php
login.wildblue[.]net/
http://www.jino[.]ru/
account.jino[.]ru/
mc.yandex[.]ru/
mc.yandex[.]ru/
jino[.]ru/help/

Staring at traffic in a SIEM for hours each day, you get really good at identifying patterns of traffic that look suspicious. Obviously not ALL traffic to Russian domains is an IOC. However, when you see an ...