EITest Leads to Sundown EK at 93.190.143.82 and Drops Cerber

IOCs: 93.190.143.82 – cfx.hvb.mobi – Sundown EK 93.190.143.82 – hxrheg.fve.mobi – Sundown EK Cerber check-in traffic via UDP port 6892: 90.2.1.0/27 90.3.1.0/27 91.239.24.0/23 (CIDR Address Range: 91.239.24.0 – 91.239.25.255) 162.220.244.29 – p27dokhpz2n7nvgr.onion – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.1kja1j.top – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.1dlcbk.top – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.15l2ub.top – Cerber Decryptor page HTTP Method and URIs: GET ...

EITest Leads to RIG-v EK at 92.53.120.233 Drops CryptoMix

IOCs: 68.178.254.116 – westwoodenabler.com – Compromised website 92.53.120.233 – top.tbn1.us – RIG-v EK 91.121.244.84 – CryptoMix callback traffic Traffic: Hashes: SHA256: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335 File name:RIG-v Flash Exploit.swf SHA256: 3ff4c80212d97aa64154dc3bd6a361766286c5073d15ec65cb32fe2755f8a703 File name: QTTYUADAF SHA256: 038bfb53f45a596762be789c66663966ef9bf04c1c80aae339f40e9a5fe3088c File name: “radC79C9.tmp.exe” and “Spy Security SoftWare_91bf6e5_aed68d54.exe” Hybrid-Analysis Report Infection Chain: The infection chain started off with me browsing to the compromised ...

Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris)

IOCs: 138.128.171.35 – northcoastmed.com – Compromised website 178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain 92.53.120.233 – red.telco.news – RIG-v EK 200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky 188.127.239.53 – Locky post-infection traffic – POST /checkupdate Traffic: Hashes: SHA256: 443b3bb140553acc8c861ddc2a0275936a5a26489030b424703775d2f3242ae8 File name: northcoastmed.com.html SHA256: cebd2b86b7830c3b11414581de5068d6d152873731a4a1f3fa7270d21a7a3fb2 File name: dropname.syncroweb.com Afraidgate.js SHA256: eb8fb3f87093c0a9e24047cee0f472373d3d78212ced708d235825b31a70df4b File name: RIG-v Pre-Landing ...

Advertisement Domain Led to BossTDS, Which Redirected Host to RIG-v Exploit Kit at 92.53.120.207

IOCs: 92.53.120.207 – good.chronic.news – RIG-v EK 79.134.225.49 – hpservice.zapto.org – Post-infection traffic via TCP port 5044 DNS query for hpservice.zapto.org, response from authoritative NS: nf1.no-ip.com nf2.no-ip.com nf3.no-ip.com nf4.no-ip.com Traffic: Hashes: SHA256: 7334e5f058f0ae9a0bbe073da49bb155255855705907ea84fa40098994ba3c27 File name: Flash Exploit RIG-v.swf SHA256: 51ce2615b3b0784f55d03d1ba3f77d13aaca40931c72df750b0e298edaf6e3c4 File name: ETTYUADAF SHA256: 01028a0702188f86b8c743cb3af891073df63310e4f3013ae7aeba0aee01e40e File name: rad94DC8.tmp.exe, drivupdater.exe Hybrid-Analysis Submission Infection Chain: I have ...

pseudoDarkleech to RIG-v EK’s

IOCs: 107.181.172.103 – lovlose.com – Compromised site 109.234.37.178 – new.buttock.toys – RIG-v EK Cerber check-in traffic via UDP port 6892 1.22.15.0/27 2.23.16.0/27 91.239.24.0/24 91.239.25.0/24 IOCs: 184.168.136.128 – tarboushgrill.com – Compromised site 81.177.139.86 – see.soulartspublishing.com – RIG-v EK Cerber check-in traffic via UDP port 6892 77.4.1.0/27 77.15.1.0/27 91.239.24.0/24 91.239.25.0/24 IOCs: 141.138.168.111 – hoolhoevebriards.com – Compromised site ...

“Scanned copy” Malspam Drops Locky Ransomware (.osiris) (/checkupdate)

IOCs: 211.149.241.201 – phpwind.0592yt[.]com/result – Download location 115.29.247.219 – 902f[.]com/result- Download location 176.114.0.20 – shema.org[.]ua/result – Download location 162.144.211.154 – directprotectsolutions.co[.]uk/result – Download location 202.133.118.222 – aqua-inter[.]com/result – Download location 194.28.49.140 – cdsp[.]pl/result – Download location 216.110.144.152 – hanavanpools[.]com/result – Download location 209.126.99.6 – aguamineralsantacruz.com[.]br/result – Download location 193.201.225.124 – POST /checkupdate – Locky C2 ...

Traffic Distribution System is Funneling Traffic to RIG-v Exploit Kit

On November 28th of this year my host was redirected to a RIG-v exploit kit server; however, this time the redirect came from a suspicious-looking web page. This was somewhat unusual for me, as the majority of exploit kit infections that I deal with begin when a user visits a legitimate site. These vulnerable ...

‘Tis the Season for Cerber: Rig-V EK at 195.133.201.249 and Drops, you guessed it, Cerber Ransomware

IOCs: 205.251.140.114 – northrivercommission.org – Compromised site 195.133.201.249 – add.medlucency.info – RIG-v EK Cerber check-in traffic via UDP port 6892: 93.223.40.0/27 92.145.32.0/27 91.239.24.0/24 91.239.25.0/24 148.251.6.214 – btc.blockr.info – Bitcoin block explorer 84.200.4.130 – ffoqr3ug7m726zou.17vj7b.top – Cerber Decryptor site Traffic: Hashes: SHA256: a309461e89391f4432949d391d8ba4bcc8fee4f1def2bf01bf439da1c11e21dd File name: RIGV EK UA Gate.html SHA256: 052d05cbca3b82357ccd8d19fe4c2ed2207ba8286d57b0d4f24f88dce8ce6611 File name: RIGV EK Landing ...

pseudoDarkleech Script Redirects Host to Rig-V EK at 195.161.62.232. EK Drops Cerber.

IOCs: 184.172.50.36 – chicago.fdmaps.com – Compromised site 195.161.62.232 – new.underinsuredamerican.org – Rig-V EK Cerber check-in traffic via UDP port 6892: 37.15.20.0/27 77.1.12.0/27 91.239.24.0/24 91.239.25.0/24 148.251.6.214 – btc.blockr.io – Bitcoin block explorer 84.200.4.130 – ffoqr3ug7m726zou.1mstqg.top – Cerber Decryptor site Traffic: Hashes: SHA256: 814d06968bd54aadd13f3e352d5c6b792decdb1c8eeec8d35e7aeaa0cde72b57 File name: RigV UA check.html SHA256: 7e285aee3f54b9a289d03f8a6904eeed8dd88c3028f92ce9d62d8f2c333a52d7 File name: RigV EK Landing Page.html ...

pseudoDarkleech Redirects Host to Rig-V EK at 81.177.6.49 and Drops Cerber

IOCs: 162.255.161.10 – luckystavern.com – Compromised site 81.177.6.49 – will.warondoctors.info – Rig-V EK Cerber check-in traffic via UDP port 6892: 37.15.20.0/27 77.1.12.0/27 91.239.24.0/24 91.239.25.0/24 148.251.6.214 – btc.blockr.io – Bitcoin block explorer 23.152.0.137 – ffoqr3ug7m726zou.13inb1.top – Cerber Decryptor site Traffic: Hashes: SHA256: 948785c8a2c441345317ea80e1fd7c622599932dade375872b9c5b9030a61145 File name: RigV UA check page.html SHA256: 699fe5529a3a6928717e47300646d18f36a6ce21823228fffdd52d06e9aa9cd5 File name: RigV EK Landing ...
