Tag: HookAds

HookAds Malvertising Campaign Leads to RIG EK at 185.154.53.33, Drops LatentBot

IOCs Network Traffic: 80.77.82.41 – nairolonia.info – Pre-landing page 185.154.53.33 – post.divakarshenoy.com – RIG EK VirusTotal report showing URLs resolving to 185.154.53.33 23.249.162.164 – GET /Base64 encoded URI string 23.249.162.164 – GET /yor8Vzpo75Y9b1f1pri/[random numbers].zip – LatentBot modules 23.249.162.164 – POST /web/?ACTION=HELLO 23.249.162.164 – POST /web/?ACTION=START&ID=[32 alphanumeric character ID] 23.249.162.164 – POST /web/?ID=[32 alphanumeric character ID] 23.249.162.164 – ...

RIG EK at 92.53.119.66 Drops Dreambot

IOCs HTTP Traffic: 80.77.82.41 – guerritor.info – Gate (fake ad domain) 92.53.119.66 – new.ibconsultants.net – RIG EK To see the full URLs for RIG exploit kit landing pages resolving to this IP address please refer to the VirusTotal address below: https://www.virustotal.com/en/ip-address/92.53.119.66/information/ 158.69.176.173 – Dreambot post-infection traffic DNS Queries: ip-addr.es resolver1.opendns.com 222.222.67.208.in-addr.arpa myip.opendns.com There is also post-infection ...

Hacked Sites Redirecting Users to Various Malvertising Campaigns

I had somebody contact me via my Contact page saying that they found my post on the Seamless campaign leading to RIG exploit kit. They had told me that they had received an email with the following link multitaskcleaners[.]co[.]uk/giftwrap.php?1702. He went on to say that going directly to multitaskcleaners[.]co[.]uk redirected him to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...

RIG EK at 5.200.52.238 Drops Ransom Locker

The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain: You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...

HookAds Campaign Leads to RIG EK at 92.53.104.78

The HookAds campaign was first discovered by researchers at Malwarebytes back in mid August of 2016. This campaign leverages decoy adult sites to spread malware. In this case the user would be browsing a legitimate website, often an adult website, and then they would be redirected to a decoy adult site through a malvertising chain. On the decoy adult ...

RIG EK at 92.53.127.21 Drops Dreambot

IOCs: 209.126.118.90 – cominents.gdn – Fake ad infrastructure. Server returned RIG’s pre-filter page which contained the URL for the landing page 92.53.127.21 – try.werrew.info – RIG EK 176.223.111.198 – GET /images/[removed]/.avi 176.223.111.198 – GET /tor/t64.dll – Tor module 208.43.71.133 – avast.com – GET /images/[removed]/.jpeg or .gif- ET Trojan Ursnif Variant CnC Beacon 4 37.48.122.26 – ...

RIG EK at 92.53.105.43 Drops ASN1 Ransomware

IOCs: 80.77.82.40 – wrapsing.gdn – GET /rotation/exoclick – Fake ad server points to RIG EK 92.53.105.43 – far.temperedgraces.com – RIG EK dxostywsduvmn6ra.onion – Payment domain Uses HKLM\Software\Microsoft\Windows\CurrentVersion\Run for persistence Ransom notes = !!!!!readme!!!!!.htm Filenames aren’t changed and encrypted files aren’t appended with a new extension SHA256: b14ffe0bdadfbab0de8b5ef1b5d078a7c500e5f4e164d771163171e1ed170542 File name: RIG EK Flash Exploit.swf SHA256: 2f51e6819a2dff508dae58abf95b5d381801debe0cd52b88d6ac05ad05531ba9 ...

HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.

IOCs: 104.27.134.78 – multimediaz.net – Website hosting script for onclickads.net 206.54.163.4 – onclickads.net – Checks Flash. Redirects to onclkds.com. 206.54.163.50 – onclkds.com – Returns “302 Moved Temporarily,” new location is set to avatrading.org 185.51.244.202 – avatrading.org – Domain in fake ad network. Contains iframe for stockholmads.info 185.51.244.210 – stockholmads.info – GET /rotation/check-hits? – Contains iframe for RIG-v EK ...