Tag: IOCs

Seamless Campaign Uses RIG EK to Deliver Ramnit

Originally posted at malwarebreakdown.com Follow me on Twitter It didn’t take me long to get the redirections that I had gone hunting for. Below is an edited image taken of the redirection chain: Flowchart of the redirection chain: One thing to note, libertex.one, which is currently resolving to 31.31.196.81 (Russian) and was registered on 02/07/2018, ...

RIG Exploit Kit Delivers Ramnit Banking Trojan via Seamless Malvertising Campaign

Last week I decided to play around with some sketchy sites and, not surprisingly, I found myself getting infected with malware. Let’s go over the redirection chain and then I’ll go into brief detail about the malware infection. After browsing on the sketchy site, we see some traffic to buzzadnetwork.com: Alexa shows that buzzadnetworks.com is ...

Malspam Entitled “Invoice attched for your reference” Delivers Agent Tesla Keylogger

I recently got my hands on some malspam entitled “Invoice attched for your reference.” Below is an image of the email: The image of a PDF document links to hxxp://dropcanvas.com/ozbak/1: Dropcanvas.comĀ is a site used to transfer files between users. While not inherently malicious, file sharing sites are often abused in these types of social engineering ...

Malspam Distributing Ursnif (Gozi ISFB)

A user received malspam with a .doc attachment. Static analysis of the file showed it was a Microsoft Word 2007+ document with an embedded macro located in vbaProject.bin. The malware authors trick victims into enabling macros (Enable Content) and, to better evade sandboxes, use AutoClose to execute the macro after the file has been closed. ...

Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.

Note: I took a bit of break, but I will try to get back to posting more regularly. Today’s infection chain is a familiar one as it includes the Seamless campaign delivering Ramnit banking Trojan via RIG exploit kit. Below is an image of the infection chain, specifically the HTTP requests: The infection chain starts ...

Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.

A couple days ago I came across an unusual looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us: Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that ...

Seamless Campaign Delivers Ramnit Banking Trojan via RIG EK.

Recent threat hunting had led me to another Seamless gate which used RIG EK to deliver Ramnit banking Trojan. The Seamless campaign, which has been around since at least February 2017, has always Favorited Ramnit as its payload. Often the Ramnit payloads will download additional malware such as AZORult stealer. The publisher (a website that ...