RELST Campaign Delivering Pony, Downloads Chthonic.

On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there various references to “RELST” in the code: In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign that had redirected my host to RIG exploit ...

HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot

IOCs HTTP Traffic: Decoy site [hidden] – GET /popunder.php – Redirects to remainland.info 80.77.82.41 – remainland.info – GET /banners/uaps – Pre-landing page 194.87.93.114 – RIG EK 144.168.45.144 – GET /images/[removed]/.avi 144.168.45.144 – GET /tor/t32.dll – Tor module 35.166.90.180 – ipinfo.io – GET /ip – Checks your public IP address DNS Queries: resolver1.opendns.com myip.opendns.com Traffic: Hashes: SHA256: 732637809542bf1e174249104d2b1c88dc79da20862318a749accc052638b8f1 File name: ...

Seamless Campaign Still Redirecting to RIG EK and Dropping Ramnit. Follow-up Malware Dropped on the System is Smoke Loader (aka Dofoil & Sharik).

IOCs HTTP Traffic: 193.124.201.22 – GET /lol3.php 81.177.141.140 – need.aqadim.com – RIG EK (1st Run) VirusTotal report on 81.177.141.140 81.177.141.202 – RIG EK (direct IP used instead of subdomain) VirusTotal report on 81.177.141.202 118.127.42.199 – www[.]elitelockservice[.]com[.]au – GET /wp-content/themes/twentythirteen/RIG1.exe – Smoke Loader (2nd run) DNS Queries: atw82ye63ymdp.com – 188.93.211.166 (1st Run) hdyejdn638ir8.com – 134.0.117.8 (2nd ...

HookAds Campaign Leads to RIG EK at 188.227.74.169 and 5.200.52.203, Drops Dreambot

IOCs HTTP Traffic: Decoy site – GET /popunder.php 80.77.82.41 – goverheast.info – GET /banners/uaps? 80.77.82.41 – recenties.info – GET /banners/uaps? (second run) 188.227.74.169 – set.acceleratehealthcaretransformation.com – RIG EK VirusTotal report on 188.227.74.169 (shows full URLs) 5.200.52.203 – set.accumen.info – RIG EK (second run) VirusTotal report on 5.200.52.203 (shows full URLs) 144.168.45.144 – GET /images/[removed]/.avi 144.168.45.144 – ...

HookAds Malvertising Campaign Leads to RIG EK at 185.154.53.33, Drops LatentBot

IOCs Network Traffic: 80.77.82.41 – nairolonia.info – Pre-landing page 185.154.53.33 – post.divakarshenoy.com – RIG EK VirusTotal report showing URLs resolving to 185.154.53.33 23.249.162.164 – GET /Base64 encoded URI string 23.249.162.164 – GET /yor8Vzpo75Y9b1f1pri/[random numbers].zip – LatentBot modules 23.249.162.164 – POST /web/?ACTION=HELLO 23.249.162.164 – POST /web/?ACTION=START&ID=[32 alphanumeric character ID] 23.249.162.164 – POST /web/?ID=[32 alphanumeric character ID] 23.249.162.164 – ...

Seamless Malvertising Campaign Leads to RIG EK at 185.154.53.33 and Drops Ramnit

IOCs HTTP Traffic: 185.31.160.55 – GET /flow339.php – Seamless campaign redirector 185.154.53.33 – new.cloudarchieve.com – RIG EK VirusTotal report showing the full RIG EK URLs resolving to that IP address. DNS Queries: doisafjsnbjesfbejfbkjsej88.com notalyyj.com – 185.118.66.84 bheabfdfug.com – 185.156.179.126 sinjydtrv.com fbtsotbs.com fkqrjsghoradylfslg.com aofmfaoc.com – 34.194.213.50 ctiprlgcxftdsaiqvk.com mrthpcokvjc.com wgwuhauaqcrx.com – 87.106.190.153 npcvnorvyhelagx.com – 87.106.190.153 Post-infection traffic ...

RIG Exploit Kit at 185.154.53.7 Drops Pony, Downloads Philadelphia Ransomware.

IOCs HTTP Traffic: 160.153.131.96 – serene.rushpcb.co.uk – GET /usde.php 185.154.53.7 – add.venicebeachsurflodge.com – RIG exploit kit VirusTotal report showing URLs resolving to that IP 89.45.67.99 – POST /ppp/gate.php – Pony callback traffic 86.106.93.17 – GET /degate/de.exe – Philadelphia ransomware 86.106.93.17 – GET /de/de.php? – Philadelphia ransomware callback traffic Hashes: SHA256: 19f765ddf0242a6676e9eb2fb28f8095211ab1edad15025c3532f662de3aa954 File name: serene.rushpcb.co.ukusde.php.txt SHA256: ...

Seamless Malvertising Campaign Still Leading to RIG EK and Dropping Ramnit

On May 10th, 2017, the Twitter user thlnk3r sent a Tweet with a referer for the seamless campaign: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 185.31.160.55 as my referer. Here is the traffic from my run: This tactic proved to be successful as I was redirected from 185.31.160[.]55/flow335.php to ...

RIG EK at 92.53.119.66 Drops Dreambot

IOCs HTTP Traffic: 80.77.82.41 – guerritor.info – Gate (fake ad domain) 92.53.119.66 – new.ibconsultants.net – RIG EK To see the full URLs for RIG exploit kit landing pages resolving to this IP address please refer to the VirusTotal address below: https://www.virustotal.com/en/ip-address/92.53.119.66/information/ 158.69.176.173 – Dreambot post-infection traffic DNS Queries: ip-addr.es resolver1.opendns.com 222.222.67.208.in-addr.arpa myip.opendns.com There is also post-infection ...

Malspam Leads to Malicous Word Document Which Downloads Geodo/Emotet Banking Malware

Download location where I got the malicious Word document: 192.232.223.76 – kinonah.com – GET /Cust-4762868855/ – Compromised website hosting malicious Word document VirusTotal Report Hybrid-Analysis Report SHA256: d8cfe351daa5276a277664630f18fe1e61351cbf3b0a17b6a8ef725263c0cab4 Additional Word document download locations: 213.190.161.210 – avenueevents.co.uk/Cust-PBP-03-D683320/ 67.212.91.221 – kingstoncybermall.com/Cust-3647227423/ 5.10.105.46 – theuntoldsorrow.co.uk/ORDER.-XI-80-UY913942/ 173.236.177.156 – visuals.com/CUST.-VT-38-RH422386/ 192.254.251.86 – thenursesagent.com/ORDER.-9592209302/ 192.185.148.240 – tiger12.com/TGA-48-76252-doc-May-04-2017/ 192.185.216.220 – gabrielramos.com.br/lxu-3h-ip079-zgmg.doc/ 146.185.16.121 ...

Browse Categories