Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.

The site I used for today’s malvertising chain appears to be a legitimate adult website, although it sits downstream of more popular ones. According to traffic estimates, the site has received roughly 637,100 visitors over the last 30 days. Alexa.com currently ranks the site in the top 33,000 globally, with most of its visitors coming from India ...

Seamless Campaign Leads to RIG EK at 188.225.35.149, Drops Digitally Signed Ramnit.

The website that I used for this malvertising chain was much smaller in terms of traffic than my previous runs. In total the site received an estimated 126,000 visitors in July 2017. According to Alexa, it is currently ranked around 200,000 globally and 44,000 in the United States. Below is a flowchart of the infection ...

Dreambot Dropped by HookAds

This will be a quick post as I just wanted to put out some updated IOCs.

“popunder.php” from the HookAds decoy site: balkali[.]info/banners/countryhits:

HookAds is still pushing Dreambot via RIG EK.

Network Based IOCs

HTTP:
80.77.82.41 – balkali.info – GET /banners/countryhits – HookAds server
188.225.33.164 – IP-literal hostname used by RIG EK
104.223.89.174 – GET ...

The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.

Although there continues to be an overall decrease in EK activity I’m still seeing a decent amount of malvertising leading to EKs. One campaign that I run into a lot is Seamless. It’s like other malvertising campaigns in that much of the traffic originates from streaming video sites. These kinds of sites make good targets ...

HookAds Continues to use RIG EK to Drop Dreambot

A couple days ago RIG changed its URI parameters. This isn’t unusual as it seems to happen at least once a month. However, one thing to note is that RIG, at this moment, is using some base64 encoded strings in the URI. Examples taken from this infection chain include the following:

/?MzQwNDg3NTE= decodes to /?34048751=
/?MTU2NzMzOTY= ...

RIG EK at 188.225.76.222 Drops Dreambot

This infection chain would most likely have come from malvertising. Instead of recreating the entire chain I used a compromised site (created on 11/30/2014) that redirects to various RIG EK gates. Below is an image of the traffic being filtered in Wireshark: Found in page source: We then see the GET request for dNw3XwZXSc6ysO.js at en.sundayloop.com. ...

Tech Support Scams Using Numeric Domains

According to Microsoft, tech support scams (TSS) are a growing problem, with 2 out of 3 consumers reporting that they’ve encountered them in recent years. As somebody who often captures malvertising chains I can tell you that I too have seen a big uptick in redirects leading to tech support scam pages. A lot of the time ...