Tag: Keitaro TDS

Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for the Sundown and RIG exploit kits. It was at this point that I began to track the TDS and its registrant. The first infection I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a ...

TDS Redirecting Users to RIG Exploit Kit and Other Stuff

I’ve been tracking numerous external TDSs being used in exploit kit infection chains over the last couple of months. This post will focus on one TDS in particular, specifically a Keitaro TDS. During my investigation I was able to track down 12 domains that had been compromised and were redirecting users to this TDS. In the ...

Keitaro TDS Leads to RIG-v EK at 188.225.36.231

IOCs:
- 188.225.36.231 – hand.stayatsouthpadre.com – RIG-v EK
- 31.11.32.225 – www pivesso.us – GET /Img/Gif/oni64.gif – Tor client
- 37.48.122.26 – curlmyip.net – Used for host IP lookup
- Post-infection Tor traffic going over TCP port 9001 – ET POLICY TLS possible TOR SSL traffic

DNS Queries:
- resolver1.opendns.com – ET POLICY OpenDNS IP Lookup
- 222.222.67.208.in-addr.arpa
- myip.opendns.com

Traffic:

Hashes:
- SHA256: 0c1b3a0131c98032141d2315902b546bd926d5d4365628dafbbfca165f934f12 ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs:
- 88.99.41.189 – qj.fse.mobi – Sundown EK
- 86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot
- 93.190.143.82 – mhn.jku.mobi – Sundown EK
- 93.190.143.82 – nso.fzo.mobi – Sundown EK
- 93.158.215.169 – domainfilsdomainc.study – RIG-v EK

Sundown EK Traffic
Run 1 (Traffic exported from SIEM):
FlashPlayer.exe
Run 2: Sundown EK Traffic
Run 3: RIG-v EK Traffic
Run ...