Tag: Malvertising

Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.

A couple days ago I came across an unusual looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us: Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that ...

Seamless Campaign Delivers Ramnit Banking Trojan via RIG EK.

Recent threat hunting had led me to another Seamless gate which used RIG EK to deliver Ramnit banking Trojan. The Seamless campaign, which has been around since at least February 2017, has always Favorited Ramnit as its payload. Often the Ramnit payloads will download additional malware such as AZORult stealer. The publisher (a website that ...

Malvertising Leads to RIG EK and Drops Remcos RAT.

On 9/22/17, @thlnk3r had tweeted out images of an infection chain involving some malvertising and RIG exploit kit. Below is an image of the Tweet: One of the images seems to show a referer from PopCash.net, which is a popunder advertising network: The URI used by the popcash.net referer contains a base64/URL encoded string that ...

Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.

I decided to go hunting for some malvertising today and got redirected to a Seamless gate, which of course redirected me to RIG EK. For those of you who don’t know about the Seamless campaign, click HERE. Also, my archived posts on the Seamless campaign can be seen HERE. Let’s begin by peeking at the infection ...

HookAds Campaign Leads to RIG EK and Drops ZeuS Panda.

The HookAds campaign is still active and there have been some recent changes. For starters, this campaign usually drops a variant of Ursnif known as Dreambot. However, the sample that I got today seems more likely to be a ZeuS variant. This was later confirmed by my friend @Antelox  who identified it as ZeuS Panda. Let’s first ...

The Seamless Campaign Isn’t Losing Any Steam

Some security researchers on Tuesday had noted that their requests for the Seamless gates were failing. However, if there was any noticeable stoppage, it certainly didn’t last very long. Shortly after hearing about this I started checking my logs for any exploit kit activity and, as usual, I found a detection for RIG EK from ...

Seamless Campaign Uses RIG EK to Drop Ramnit Trojan

Below is a partial and edited flowchart of the malvertising chain that I got during this infection: An edited image of the infection chain is shown below: You can see that the Ramnit sample seems to check for Internet connectivity before making DNS queries for ujndhe7382uryhf.com, which resolves to 46.173.214.170. Following the DNS resolutions is ...