Tag: IOCs

Fobos Campaign Using RIG EK to Drop Bunitu Trojan

This campaign has been dubbed “Fobos” because the actors were using the registrant email address fobos@mail.ru. FireEye first published an article back in March 2017 that talked about Fobos in relation to the RIG exploit kit, called “Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits.” The article mentioned that they started tracking ...

Seamless Campaign Uses RIG EK to Drop Ramnit. Ramnit Drops AZORult.

I’m still seeing a lot of the Seamless campaign out there. Let’s look at the HTTP requests and DNS queries from my most recent infection: We start out with the request for /usa, which redirects to /usa/ via a 301. /usa/ returns a page containing a script that grabs the time zone information from the host. That ...

“IMG_” Malspam Delivers GlobeImposter Ransomware

I received this malspam sample on Saturday from a friend, so it’s already a couple of days old. While this is ancient in malspam years, I felt like writing up something since I haven’t done a malspam post in quite some time. The subject lines of the malspam samples that I received all started with “IMG_” ...

Rulan Campaign Redirects to RIG EK at 188.225.33.43 and Drops a Miner

Watcha know about Mining!? Today I was doing some digging (no pun intended) into numerous domains used during recent malvertising redirection chains. These domains appear to be related to a campaign dubbed “Rulan”. Let’s start off with showing the redirection chain: As you can see from the TCP streams there are a lot of 302 ...

Campaign Leads to RIG EK and Fake Flash Player Update Site. RIG Drops URLZone and Fake Flash Player Update Drops a Miner.

On 08/02/17 I used the domain www2[.]davidhelpling[.]org to redirect my host to a RIG EK landing page located at 188.225.79.139. RIG ended up dropping URLZone, which is a banking Trojan first discovered in 2009. More recently URLZone has been seen targeting Japan via malspam campaigns. You can read more about URLZone at the link below, as ...

Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.

The site I used for today’s malvertising chain appears to be a legitimate adult website, however, downstream of more popular ones. According to traffic estimates the site has received roughly 637,100 visitors over the last 30 days. Alexa.com currently ranks the site in the top 33,000 globally, with most of its visitors coming from India ...

Seamless Campaign Leads to RIG EK at 188.225.35.149, Drops Digitally Signed Ramnit.

The website that I used for this malvertising chain was much smaller in terms of traffic than my previous runs. In total the site received an estimated 126,000 visitors in July 2017. According to Alexa it is currently ranked around 200,000 globally and 44,000 in the United States. Below is a flowchart of the infection ...

Dreambot Dropped by HookAds

This will be a quick post as I just wanted to put out some updated IOCs. “popunder.php” from the HookAds decoy site: balkali[.]info/banners/countryhits: HookAds is still pushing Dreambot via RIG EK.
Network Based IOCs
HTTP:
80.77.82.41 – balkali.info – GET /banners/countryhits – HookAds server
188.225.33.164 – IP-literal hostname used by RIG EK
104.223.89.174 – GET ...

The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.

Although there continues to be an overall decrease in EK activity, I’m still seeing a decent amount of malvertising leading to EKs. One campaign that I run into a lot is Seamless. It’s like other malvertising campaigns in that much of the traffic originates from streaming video sites. These kinds of sites make good targets ...

HookAds Continues to use RIG EK to Drop Dreambot

A couple of days ago RIG changed its URI parameters. This isn’t unusual, as it seems to happen at least once a month. However, one thing to note is that RIG, at this moment, is using some base64-encoded strings in the URI. Examples taken from this infection chain include the following:
/?MzQwNDg3NTE= decodes to /?34048751=
/?MTU2NzMzOTY= ...