Tag: Ramnit

Seamless Malvertising Campaign Leads to RIG EK at 185.154.53.33 and Drops Ramnit

IOCs HTTP Traffic: 185.31.160.55 – GET /flow339.php – Seamless campaign redirector 185.154.53.33 – new.cloudarchieve.com – RIG EK VirusTotal report showing the full RIG EK URLs resolving to that IP address. DNS Queries: doisafjsnbjesfbejfbkjsej88.com notalyyj.com – 185.118.66.84 bheabfdfug.com – 185.156.179.126 sinjydtrv.com fbtsotbs.com fkqrjsghoradylfslg.com aofmfaoc.com – 34.194.213.50 ctiprlgcxftdsaiqvk.com mrthpcokvjc.com wgwuhauaqcrx.com – 87.106.190.153 npcvnorvyhelagx.com – 87.106.190.153 Post-infection traffic ...

Seamless Malvertising Campaign Still Leading to RIG EK and Dropping Ramnit

On May 10th, 2017, the Twitter user thlnk3r sent a Tweet with a referer for the seamless campaign: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 185.31.160.55 as my referer. Here is the traffic from my run: This tactic proved to be successful as I was redirected from 185.31.160[.]55/flow335.php to ...

Hacked Sites Redirecting Users to Various Malvertising Campaigns

I had somebody contact me via my Contact page saying that they found my post on the Seamless campaign leading to RIG exploit kit. They had told me that they had received an email with the following link multitaskcleaners[.]co[.]uk/giftwrap.php?1702. He went on to say that going directly to multitaskcleaners[.]co[.]uk redirected him to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...

Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan

On April 5th, 2017, the Twitter user thlnk3r sent a message to Brad and myself about a malvertising chain using onclkds.com to redirect hosts to RIG exploit kit. Here is the Tweet: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 194.58.38.64 as my referer. Here is the traffic ...