Tag: IOCs

Malspam Delivers Loki-Bot

Originally posted at malwarebreakdown.com Follow me on Twitter I received some malspam on 03/22/18 that contained two .doc file attachments. The subject of the email was “Order 2018-048 & 049, Please Confirm”. The attached exploit documents were named similarly to the subject of the email, “PO2018-048.doc” and “PO 2018-049.doc”. Below is an image of the email: ...

Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at malwarebreakdown.com Follow me on Twitter Traffic from 03/21/18: The first part of the redirection chain shown above would be from the Fobos decoy site. The decoy site contains the following Base64 encoded string: The decoded string on the decoy site points to the next step in the redirection chain, the pre-landing page: Unpacked ...

Malspam Delivers Pony and Loki-Bot

Originally posted at malwarebreakdown.com Follow me on Twitter Sender: user1@enteronly.com.tw Subject: RE: Payment IN-2716 – MPA-PI17045 – USD Attachment(s): Payment_001.doc and Payment_002.doc Both Payment_001.doc and Payment_002.doc are malicious RTF documents triggering detections for CVE-2017-11882. Payment_001.doc: Traffic: User-Agent: Windows Installer User Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Pony Panel: Image found at hxxp://paclficinsight[.]com/new1/pony/china.jpg IOCs Network: 94.102.1.194 – hxxps://agahguner.com GET /44.msi 94.102.60.3 ...

Malspam Contains Password Protected Document That Downloads Sigma Ransomware

Follow me on Twitter I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”: The email is pretending to come from somebody interested in a job opening and they have attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware. ...

Fobos Campaign Uses HookAds Template and Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at malwarebreakdown.com Follow me on Twitter At closer inspection, it looks like Fobos is redirecting to the HookAds template (thanks Jerome for double-checking that for me). The decoy site that had redirected to HookAds on 03/07/18, shown HERE, is the same code found in this infection chain on 03/11/18. HTTP traffic:   The decoy site contains ...

HookAds Campaign Is Back And Using RIG EK to Deliver Bunitu Proxy Trojan

Originally posted at malwarebreakdown.com Follow me on Twitter I haven’t posted anything on the HookAds campaign since 09/17/2017. Likewise, checking malware-traffic-analysis.net shows the last write up for HookAds on 08/01/17. According to Jérôme Segura, the campaign went away in late October, 2017, and started to resurface in late February, 2018. This is evident by a recent Twitter post from MrHazumhad which ...

Seamless Campaign Uses RIG EK to Deliver More Ramnit

Over the weekend I went hunting for malvertising campaigns hoping to find something other than Seamless. However, on both Saturday (run 1 on 02-24-18) and Sunday (run 2 on 02-25-18), I ended up finding myself the victim of a Ramnit infection, courtesy of the Seamless campaign and RIG EK. I don’t have any hard data ...