Tag: HookAds

HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot.

Network based IOCs 34.193.201.92 – arrassley.info – RoughTed domain 80.77.82.41 – heydrid-info – HookAds fake ad server 188.225.78.240 – RIG exploit kit 144.168.45.110 – Dreambot C2 52.2.59.254 – ipinfo.io – External IP lookup Post-infection DNS queries and additional post-infection traffic: resolver1.opendns.com 222.222.67.208.in-addr.arpa myip.opendns.com wdwefwefwwfewdefewfwefw.onion Hashes SHA256: ab4db9eff5259f56e1c9f21444b9b8024d8ce2ffc841e178b10b9a522a750c3c File name: heydrid.info pre-landing page.txt SHA256: b712653deece760b1b981c7d93da44e62b58630ce0bfd511a2d621672cc2f7d6 File ...

HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot

IOCs HTTP Traffic: Decoy site [hidden] – GET /popunder.php – Redirects to remainland.info 80.77.82.41 – remainland.info – GET /banners/uaps – Pre-landing page 194.87.93.114 – RIG EK 144.168.45.144 – GET /images/[removed]/.avi 144.168.45.144 – GET /tor/t32.dll – Tor module 35.166.90.180 – ipinfo.io – GET /ip – Checks your public IP address DNS Queries: resolver1.opendns.com myip.opendns.com Traffic: Hashes: SHA256: 732637809542bf1e174249104d2b1c88dc79da20862318a749accc052638b8f1 File name: ...

HookAds Campaign Leads to RIG EK at 188.227.74.169 and 5.200.52.203, Drops Dreambot

IOCs HTTP Traffic: Decoy site – GET /popunder.php 80.77.82.41 – goverheast.info – GET /banners/uaps? 80.77.82.41 – recenties.info – GET /banners/uaps? (second run) 188.227.74.169 – set.acceleratehealthcaretransformation.com – RIG EK VirusTotal report on 188.227.74.169 (shows full URLs) 5.200.52.203 – set.accumen.info – RIG EK (second run) VirusTotal report on 5.200.52.203 (shows full URLs) 144.168.45.144 – GET /images/[removed]/.avi 144.168.45.144 – ...

HookAds Malvertising Campaign Leads to RIG EK at 185.154.53.33, Drops LatentBot

IOCs Network Traffic: 80.77.82.41 – nairolonia.info – Pre-landing page 185.154.53.33 – post.divakarshenoy.com – RIG EK VirusTotal report showing URLs resolving to 185.154.53.33 23.249.162.164 – GET /Base64 encoded URI string 23.249.162.164 – GET /yor8Vzpo75Y9b1f1pri/[random numbers].zip – LatentBot modules 23.249.162.164 – POST /web/?ACTION=HELLO 23.249.162.164 – POST /web/?ACTION=START&ID=[32 alphanumeric character ID] 23.249.162.164 – POST /web/?ID=[32 alphanumeric character ID] 23.249.162.164 – ...

RIG EK at 92.53.119.66 Drops Dreambot

IOCs HTTP Traffic: 80.77.82.41 – guerritor.info – Gate (fake ad domain) 92.53.119.66 – new.ibconsultants.net – RIG EK To see the full URLs for RIG exploit kit landing pages resolving to this IP address please refer to the VirusTotal address below: https://www.virustotal.com/en/ip-address/92.53.119.66/information/ 158.69.176.173 – Dreambot post-infection traffic DNS Queries: ip-addr.es resolver1.opendns.com 222.222.67.208.in-addr.arpa myip.opendns.com There is also post-infection ...

Hacked Sites Redirecting Users to Various Malvertising Campaigns

I had somebody contact me via my Contact page saying that they found my post on the Seamless campaign leading to RIG exploit kit. They had told me that they had received an email with the following link multitaskcleaners[.]co[.]uk/giftwrap.php?1702. He went on to say that going directly to multitaskcleaners[.]co[.]uk redirected him to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...

RIG EK at 5.200.52.238 Drops Ransom Locker

The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain: You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...

HookAds Campaign Leads to RIG EK at 92.53.104.78

The HookAds campaign was first discovered by researchers at Malwarebytes back in mid August of 2016. This campaign leverages decoy adult sites to spread malware. In this case the user would be browsing a legitimate website, often an adult website, and then they would be redirected to a decoy adult site through a malvertising chain. On the decoy adult ...

RIG EK at 92.53.127.21 Drops Dreambot

IOCs: 209.126.118.90 – cominents.gdn – Fake ad infrastructure. Server returned RIG’s pre-filter page which contained the URL for the landing page 92.53.127.21 – try.werrew.info – RIG EK 176.223.111.198 – GET /images/[removed]/.avi 176.223.111.198 – GET /tor/t64.dll – Tor module 208.43.71.133 – avast.com – GET /images/[removed]/.jpeg or .gif- ET Trojan Ursnif Variant CnC Beacon 4 37.48.122.26 – ...

RIG EK at 92.53.105.43 Drops ASN1 Ransomware

IOCs: 80.77.82.40 – wrapsing.gdn – GET /rotation/exoclick – Fake ad server points to RIG EK 92.53.105.43 – far.temperedgraces.com – RIG EK dxostywsduvmn6ra.onion – Payment domain Uses HKLM\Software\Microsoft\Windows\CurrentVersion\Run for persistence Ransom notes = !!!!!readme!!!!!.htm Filenames aren’t changed and encrypted files aren’t appended with a new extension SHA256: b14ffe0bdadfbab0de8b5ef1b5d078a7c500e5f4e164d771163171e1ed170542 File name: RIG EK Flash Exploit.swf SHA256: 2f51e6819a2dff508dae58abf95b5d381801debe0cd52b88d6ac05ad05531ba9 ...