Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader. Downloaded Neutrino Bot (AKA Kasidet).

Brief History

These infection chains began from IOCs collected by Zain Gardezi over at FireEye. You can read the report HERE. The report contained a lot of IOCs, but the one that I want to highlight is the IP address 173.208.245.114. I was interested in this IP because the host using it was acting as a shadow server, hosting numerous ...

Good Man Gate Leads to RIG EK, Drops ZeusVM (KINS)

IOCs
Network:
188.215.92.104 – hurtmehard.net – Good Man gate
86.106.131.120 – bestdoosales.club – RIG exploit kit
185.100.87.161 – badlywantyou.top – GET /smk/config.jpg – ZeusVM config URL
185.100.87.161 – badlywantyou.top – POST /smk/gate.php – ZeusVM dropzone URL
77.88.55.88 – yandex.ru – Connectivity check
File System:
o32.tmp is dropped and executed in %TEMP% (self-deletes)
The payload q2tlgu9t.exe is dropped ...

EITest Leads to RIG EK at 92.53.124.144 and Drops Dreambot

IOCs
Network:
104.27.179.62 – thelifestyle.guru – Compromised website
92.53.124.144 – free.fabuloussatchi.com – RIG EK
91.121.251.22 – GET /images/[removed]/.avi – CnC Beacon
91.121.251.22 – GET /tor/t64.dll – Tor module
The User-Agent string used during the callback is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), which is the identifier for IE 8
37.48.122.26 – curlmyip.net – Used to ...

RIG EK at 5.200.52.238 Drops Ransom Locker

The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain: You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...

HookAds Campaign Leads to RIG EK at 92.53.104.78

The HookAds campaign was first discovered by researchers at Malwarebytes back in mid-August of 2016. This campaign leverages decoy adult sites to spread malware. In this case the user would be browsing a legitimate website, often an adult website, and then they would be redirected to a decoy adult site through a malvertising chain. On the decoy adult ...

SAGE 2.2 Ransomware from Good Man Gate

IOCs:
86.106.93.230 – datsonsdaughter.com – Good Man gate
109.234.37.212 – see.letsown.com – RIG EK
34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2
34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site
34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site
34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site
Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key]
Traffic:
Hashes:
SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f
File name: RIG EK Flash Exploit.swf
SHA256: ...

Neptune Exploit Kit

On 03/10/17 there were postings on various forums about an exploit kit named Neptune. The author claims it has 17 different exploits, including some fresh CVEs from 2017. Below is an image from one of the advertisements: Claimed features include a malicious domain detect rotation trigger, steganography, domain auto-rotator, professional user interface (template for the interface can be found HERE), ...

Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for Sundown and RIG exploit kit. It was at this point that I began to track the TDS and its registrant. My first infection that I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a ...

Changes to the Pre-Landing Page

On December 4th, 2016, I had discovered that campaigns started using what would be called the “pre-landing” page or “pre-filter” page. If you’re looking at the file hosted on the server then you can see that it is named firstDetect.js. It was also uploaded to one of RIG’s backend servers on January 13th, 2017. The basic idea ...

RIG EK at 92.53.127.21 Drops Dreambot

IOCs:
209.126.118.90 – cominents.gdn – Fake ad infrastructure. Server returned RIG’s pre-filter page which contained the URL for the landing page
92.53.127.21 – try.werrew.info – RIG EK
176.223.111.198 – GET /images/[removed]/.avi
176.223.111.198 – GET /tor/t64.dll – Tor module
208.43.71.133 – avast.com – GET /images/[removed]/.jpeg or .gif – ET Trojan Ursnif Variant CnC Beacon 4
37.48.122.26 – ...
