Tag: Dreambot

RIG EK at 92.53.119.66 Drops Dreambot

IOCs HTTP Traffic: 80.77.82.41 – guerritor.info – Gate (fake ad domain) 92.53.119.66 – new.ibconsultants.net – RIG EK To see the full URLs for RIG exploit kit landing pages resolving to this IP address please refer to the VirusTotal address below: https://www.virustotal.com/en/ip-address/92.53.119.66/information/ 158.69.176.173 – Dreambot post-infection traffic DNS Queries: ip-addr.es resolver1.opendns.com 222.222.67.208.in-addr.arpa myip.opendns.com There is also post-infection ...

Hacked Sites Redirecting Users to Various Malvertising Campaigns

I had somebody contact me via my Contact page saying that they found my post on the Seamless campaign leading to RIG exploit kit. They had told me that they had received an email with the following link multitaskcleaners[.]co[.]uk/giftwrap.php?1702. He went on to say that going directly to multitaskcleaners[.]co[.]uk redirected him to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...

EITest Leads to RIG EK at 92.53.124.144 and Drops Dreambot

IOCs Network: 104.27.179.62 – thelifestyle.guru – Compromised website 92.53.124.144 – free.fabuloussatchi.com – RIG EK 91.121.251.22 – GET /images/[removed]/.avi – CnC Beacon 91.121.251.22 – GET /tor/t64.dll – Tor module The User-Agent string used during the callback is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), which is the indentifier for IE 8 37.48.122.26 – curlmyip.net – Used to ...

Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for Sundown and RIG exploit kit. It was at this point that I began to track the TDS and its registrant. My first infection that I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a ...

RIG EK at 92.53.127.21 Drops Dreambot

IOCs: 209.126.118.90 – cominents.gdn – Fake ad infrastructure. Server returned RIG’s pre-filter page which contained the URL for the landing page 92.53.127.21 – try.werrew.info – RIG EK 176.223.111.198 – GET /images/[removed]/.avi 176.223.111.198 – GET /tor/t64.dll – Tor module 208.43.71.133 – avast.com – GET /images/[removed]/.jpeg or .gif- ET Trojan Ursnif Variant CnC Beacon 4 37.48.122.26 – ...

TDS Redirecting Users to RIG Exploit Kit and Other Stuff

I’ve been tracking numerous external TDSs being used in exploit kit infection chains over the last couple of months. This post will focus on one TDS in particular, specifically a Keitaro TDS. During my investigation I was able to track down 12 domains that had been compromised and were redirecting users to this TDS. In the ...

EITest Leads to RIG-v EK at 217.107.34.241 and Drops Dreambot.

IOCs: 192.99.46.21 – littleinspiration.com – Compromised website 217.107.34.241 – zone.klynnholding.com – RIG EK 5.196.159.175 – GET /images/[removed]/.avi – CnC traffic 5.196.159.175 – GET /tor/t64.dll – Tor module download 37.48.122.26 – curlmyip.net – External IP lookup Post-infection Tor traffic via TCP port 443 and 9001 SSH connections to 91.239.232.81, which also host one or more Tor relays according to https://exonerator.torproject.org Additional DNS ...

HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.

IOCs: 104.27.134.78 – multimediaz.net – Website hosting script for onclickads.net 206.54.163.4 – onclickads.net – Checks Flash. Redirects to onclkds.com. 206.54.163.50 – onclkds.com – Returns “302 Moved Temporarily,” new location is set to avatrading.org 185.51.244.202 – avatrading.org – Domain in fake ad network. Contains iframe for stockholmads.info 185.51.244.210 – stockholmads.info – GET /rotation/check-hits? – Contains iframe for RIG-v EK ...

EITest Leads to RIG-v EK at 185.159.130.122. Ursnif Variant Dreambot.

IOCs: 92.243.23.204 – www[.]caltech[.]fr – Compromised website 185.159.130.122 – more.THEBESTDALLASFLORISTS.COM – RIG-v EK 5.196.159.175 – GET /images/[removed]/KTDEi/.avi – CnC traffic 46.4.99.46 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download 37.48.122.26 – curlmyip.net – External IP lookup Post-Infection DNS Queries: resolver1.opendns.com – ET POLICY OpenDNS IP Lookup curlmyip.net 222.222.67.208.in-addr.arpa myip.opendns.com nod32s.com Traffic: Hashes: SHA256: 37f7e78080f85e6f98136e927a69a72ea7d619f230b476b5d6826ebc1eee29a0 ...

Decoy Site Leads to RIG-v EK at 194.87.237.240. Post-Infection Traffic: Ursnif Variant Dreambot.

IOCs: 88.214.225.168 – duckporno.com – Decoy site 80.77.82.42 – bethanyads.info – GET /rotation/hits? – Fake ad server 194.87.237.240 – sell.underinsuredinamerica.com – RIG-v EK Post-Infection Traffic: 89.223.31.51 – GET /images/[truncated]/f2NJW2/.avi – ET TROJAN Ursnif Variant CnC Beacon 89.223.31.51 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download 37.48.122.26 – curlmyip.net – GET for external IP Outbound ...