HookAds Malvertising Campaign Leads to RIG EK at 185.154.53.33, Drops LatentBot

IOCs

Network Traffic:
80.77.82.41 – nairolonia.info – Pre-landing page
185.154.53.33 – post.divakarshenoy.com – RIG EK
VirusTotal report showing URLs resolving to 185.154.53.33
23.249.162.164 – GET /Base64 encoded URI string
23.249.162.164 – GET /yor8Vzpo75Y9b1f1pri/[random numbers].zip – LatentBot modules
23.249.162.164 – POST /web/?ACTION=HELLO
23.249.162.164 – POST /web/?ACTION=START&ID=[32 alphanumeric character ID]
23.249.162.164 – POST /web/?ID=[32 alphanumeric character ID]
23.249.162.164 – ...
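The LatentBot callback shapes listed above (module download from /yor8Vzpo75Y9b1f1pri/, the HELLO beacon, then START and ID check-ins carrying a 32-character alphanumeric ID) are specific enough to match in proxy logs. The following is an added example, not code from the original post: it classifies each request against those URI shapes. The log format and the log lines are constructed for the example, and the C2 IP is the one from the IOC list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 host from the IOC list above. Matching on the host alone is brittle
# (the IP rotates); the URI shapes below are the durable part.
LATENTBOT_C2 = "23.249.162.164"

# URI shapes from the IOCs: module .zip download and the /web/ check-ins.
MODULE_RE = re.compile(r"^/yor8Vzpo75Y9b1f1pri/\d+\.zip$")
ID_RE = re.compile(r"^[A-Za-z0-9]{32}$")

# Constructed proxy log: "date time client method url status". Not real traffic.
SAMPLE_LOG = """\
2017-05-11 10:01:02 10.0.0.5 GET http://23.249.162.164/yor8Vzpo75Y9b1f1pri/8371923.zip 200
2017-05-11 10:01:05 10.0.0.5 POST http://23.249.162.164/web/?ACTION=HELLO 200
2017-05-11 10:01:07 10.0.0.5 POST http://23.249.162.164/web/?ACTION=START&ID=0123456789abcdef0123456789ABCDEF 200
2017-05-11 10:01:09 10.0.0.5 POST http://23.249.162.164/web/?ID=0123456789abcdef0123456789ABCDEF 200
2017-05-11 10:02:00 10.0.0.7 GET http://example.com/web/?ACTION=HELLO 200
2017-05-11 10:02:30 10.0.0.7 POST http://23.249.162.164/web/?ID=tooshort 404
"""


def classify(method, url):
    """Return a LatentBot stage label for one request, or None if it does not match."""
    u = urlsplit(url)
    if u.hostname != LATENTBOT_C2:
        return None
    if method == "GET" and MODULE_RE.match(u.path):
        return "module-download"
    if method == "POST" and u.path == "/web/":
        q = parse_qs(u.query)
        action = q.get("ACTION", [None])[0]
        ident = q.get("ID", [None])[0]
        if action == "HELLO" and ident is None:
            return "hello-beacon"
        if action == "START" and ident and ID_RE.match(ident):
            return "start-checkin"
        if action is None and ident and ID_RE.match(ident):
            return "id-checkin"
    return None


def scan(log_text):
    """Return a list of (client_ip, stage, url) for every line matching a LatentBot stage."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; skip rather than crash the sweep
        _date, _time, client, method, url, _status = parts[:6]
        stage = classify(method, url)
        if stage:
            hits.append((client, stage, url))
    return hits


if __name__ == "__main__":
    for client, stage, url in scan(SAMPLE_LOG):
        print(f"{client}\t{stage}\t{url}")
```

Seeing the full sequence (download, HELLO, START, then periodic ID check-ins) from one client is a much stronger signal than any single line; the order of the stages in the result list is what a triage script should look at.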

Seamless Malvertising Campaign Leads to RIG EK at 185.154.53.33 and Drops Ramnit

IOCs

HTTP Traffic:
185.31.160.55 – GET /flow339.php – Seamless campaign redirector
185.154.53.33 – new.cloudarchieve.com – RIG EK
VirusTotal report showing the full RIG EK URLs resolving to that IP address.

DNS Queries:
doisafjsnbjesfbejfbkjsej88.com
notalyyj.com – 185.118.66.84
bheabfdfug.com – 185.156.179.126
sinjydtrv.com
fbtsotbs.com
fkqrjsghoradylfslg.com
aofmfaoc.com – 34.194.213.50
ctiprlgcxftdsaiqvk.com
mrthpcokvjc.com
wgwuhauaqcrx.com – 87.106.190.153
npcvnorvyhelagx.com – 87.106.190.153

Post-infection traffic ...

RIG Exploit Kit at 185.154.53.7 Drops Pony, Downloads Philadelphia Ransomware.

IOCs

HTTP Traffic:
160.153.131.96 – serene.rushpcb.co.uk – GET /usde.php
185.154.53.7 – add.venicebeachsurflodge.com – RIG exploit kit
VirusTotal report showing URLs resolving to that IP
89.45.67.99 – POST /ppp/gate.php – Pony callback traffic
86.106.93.17 – GET /degate/de.exe – Philadelphia ransomware
86.106.93.17 – GET /de/de.php? – Philadelphia ransomware callback traffic

Hashes:
SHA256: 19f765ddf0242a6676e9eb2fb28f8095211ab1edad15025c3532f662de3aa954
File name: serene.rushpcb.co.ukusde.php.txt
SHA256: ...

Seamless Malvertising Campaign Still Leading to RIG EK and Dropping Ramnit

On May 10th, 2017, the Twitter user thlnk3r sent a Tweet with a referer for the seamless campaign:

I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 185.31.160.55 as my referer. Here is the traffic from my run:

This tactic proved to be successful as I was redirected from 185.31.160[.]55/flow335.php to ...

RIG EK at 92.53.119.66 Drops Dreambot

IOCs

HTTP Traffic:
80.77.82.41 – guerritor.info – Gate (fake ad domain)
92.53.119.66 – new.ibconsultants.net – RIG EK
To see the full URLs for RIG exploit kit landing pages resolving to this IP address please refer to the VirusTotal address below:
https://www.virustotal.com/en/ip-address/92.53.119.66/information/
158.69.176.173 – Dreambot post-infection traffic

DNS Queries:
ip-addr.es
resolver1.opendns.com
222.222.67.208.in-addr.arpa
myip.opendns.com

There is also post-infection ...

Malspam Leads to Malicious Word Document Which Downloads Geodo/Emotet Banking Malware

Download location where I got the malicious Word document:
192.232.223.76 – kinonah.com – GET /Cust-4762868855/ – Compromised website hosting malicious Word document
VirusTotal Report
Hybrid-Analysis Report
SHA256: d8cfe351daa5276a277664630f18fe1e61351cbf3b0a17b6a8ef725263c0cab4

Additional Word document download locations:
213.190.161.210 – avenueevents.co.uk/Cust-PBP-03-D683320/
67.212.91.221 – kingstoncybermall.com/Cust-3647227423/
5.10.105.46 – theuntoldsorrow.co.uk/ORDER.-XI-80-UY913942/
173.236.177.156 – visuals.com/CUST.-VT-38-RH422386/
192.254.251.86 – thenursesagent.com/ORDER.-9592209302/
192.185.148.240 – tiger12.com/TGA-48-76252-doc-May-04-2017/
192.185.216.220 – gabrielramos.com.br/lxu-3h-ip079-zgmg.doc/
146.185.16.121 ...

Decimal IP Campaign

For a background on the Decimal IP Campaign please read this article written on March 29th, 2017, by Jérôme Segura over at Malwarebytes Lab: https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/

I got the decimal IP used for this infection from @nao_sec's blog post found HERE.

IOCs:
104.156.250.131 – IP decimal redirector
162.220.246.254 – Fake Flash Player update landing page
23.56.113.194 – java.com ...
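The campaign's trick is that a URL host written as a single decimal integer (the 32-bit value of the IPv4 address) is a valid URL that browsers resolve, but it does not match a dotted-quad IOC list unless the log is normalized first. The following is an added example, not code from the original post or from the Malwarebytes article: it converts between the two forms and normalizes hosts before comparing them with the IOC IPs above. It also handles the hex form (0x...) that browsers accept, which the page itself does not mention; the log format and log lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Dotted-quad IOCs from the list above.
DECIMAL_IP_IOCS = {"104.156.250.131", "162.220.246.254"}

# Constructed proxy log: "date time client method url status". Not real traffic.
# 1755118211 and 0x689cfa83 are both 104.156.250.131 written as one integer.
SAMPLE_LOG = """\
2017-05-01 12:00:01 10.0.0.9 GET http://1755118211/ 302
2017-05-01 12:00:02 10.0.0.9 GET http://162.220.246.254/flashplayer.html 200
2017-05-01 12:00:03 10.0.0.9 GET http://0x689cfa83/ 302
2017-05-01 12:00:10 10.0.0.9 GET http://www.example.com/ 200
"""


def decimal_to_dotted(n):
    """Convert a 32-bit integer host (e.g. 1755118211) to dotted-quad text."""
    return str(ipaddress.IPv4Address(n))


def dotted_to_decimal(s):
    """Convert dotted-quad text to the single integer a decimal-IP URL would use."""
    return int(ipaddress.IPv4Address(s))


def normalize_host(host):
    """Return the dotted-quad form of a URL host if it is an IPv4 address written
    as a bare decimal or hex (0x...) integer; any other host is returned unchanged.
    Values above 0xFFFFFFFF are not IPv4 addresses and are left alone."""
    if re.fullmatch(r"\d+", host):
        n = int(host)
        return decimal_to_dotted(n) if n <= 0xFFFFFFFF else host
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        n = int(host, 16)
        return decimal_to_dotted(n) if n <= 0xFFFFFFFF else host
    return host


def find_ioc_hits(log_text):
    """Return (host_as_logged, normalized_host) for each request to an IOC IP."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; skip it
        host = urlsplit(parts[4]).hostname or ""
        norm = normalize_host(host)
        if norm in DECIMAL_IP_IOCS:
            hits.append((host, norm))
    return hits


if __name__ == "__main__":
    for logged, norm in find_ioc_hits(SAMPLE_LOG):
        print(f"{logged} -> {norm}")
```

The same normalization belongs in front of any blocklist or SIEM lookup keyed on IP, otherwise an obfuscated host silently passes.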

Tech Support Scams

Below is a link to an article from Malwarebytes Lab explaining tech support scams: https://blog.malwarebytes.com/tech-support-scams/

Some recent examples that I collected on 05/02/17 are shown below.

Network Activity:
174.137.155.139 – xml.pdn-1.com – 302 redirect to tech support scam
107.180.1.35 – binmsisooso.life – Tech support scam landing page
46.30.213.100 – bunt.truncomp.com – Tech support scam server

Network ...

Update on GoodMan

I discovered the GoodMan campaign on January 20th, 2017. You can read a detailed report on GoodMan HERE. Since March, 2017, I’ve seen more domains being registered by “goodmandilaltain@gmail.com” and I’ve recorded GoodMan delivering Sage 2.2 ransomware, ZeusVM, something with a file description of “Neighbur Readiness Ransomware,” and now what looks like LatentBot. Below is a list of some recent domains being ...

EITest Leads to RIG EK at 188.225.36.196 And Drops Quant Loader. Downloads ZLoader/Zbot.

IOCs
199.116.248.108 – saywitzproperties.com – Compromised website (shout-out to thlnk3r who gave me the site)
188.225.36.196 – fds.japanbioenergy.org – RIG Exploit Kit
52.90.24.205 – unisdr.top – GET /mail.index.php – Response contains download locations for additional malware at trackerhost.us
52.90.24.205 – trackerhost.us – GET /drop/lsmk.exe – Additional malware
52.90.24.205 – gerber.gdn – POST / info.php – Post-infection traffic

DNS ...