Tag: Rig Exploit Kit

Update on GoodMan

I discovered the GoodMan campaign on January 20th, 2017. You can read a detailed report on GoodMan HERE. Since March, 2017, I’ve seen more domains being registered by “goodmandilaltain@gmail.com” and I’ve recorded GoodMan delivering Sage 2.2 ransomware, ZeusVM, something with a file description of “Neighbur Readiness Ransomware,” and now what looks like LatentBot. Below is a list of some recent domains being ...

EITest Leads to RIG EK at 188.225.36.196 And Drops Quant Loader. Downloads ZLoader/Zbot.

IOCs 199.116.248.108 – saywitzproperties.com – Compromised website (shout-out to thlnk3r who gave me the site) 188.225.36.196 – fds.japanbioenergy.org – RIG Exploit Kit 52.90.24.205 – unisdr.top – GET /mail.index.php – Response contains download locations for additional malware at trackerhost.us 52.90.24.205 – trackerhost.us – GET /drop/lsmk.exe – Additional malware 52.90.24.205 – gerber.gdn – POST /info.php – Post-infection traffic DNS ...

Hacked Sites Redirecting Users to Various Malvertising Campaigns

Somebody contacted me via my Contact page saying that they had found my post on the Seamless campaign leading to RIG exploit kit. They told me they had received an email with the following link: multitaskcleaners[.]co[.]uk/giftwrap.php?1702. They went on to say that going directly to multitaskcleaners[.]co[.]uk redirected them to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...

EITest Campaign Leads to RIG EK at 188.225.39.227. EK Drops Matrix Ransomware v3.

IOCs Network Activity: 104.27.184.144 – teknonisme.com – Compromised WordPress site 188.225.39.227 – fix.russianpropoganda.com – RIG exploit kit 195.248.235.240 – stat6.s76.r53.com.ua – GET /addrecord.php? and POST /uploadextlist.php – C2 traffic 148.251.13.83 – stat6.s76.r53.com.ua – GET /addrecord.php? – C2 traffic Additional answers from the DNS query: 195.248.235.241 – stat6.s76.r53.com.ua – C2 traffic 31.41.216.90 – stat6.s76.r53.com.ua – C2 ...

Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan

On April 5th, 2017, the Twitter user thlnk3r sent a message to Brad and me about a malvertising chain using onclkds.com to redirect hosts to RIG exploit kit. Here is the Tweet: I decided to investigate the traffic from his tweet and used the PHP file hosted at 194.58.38.64 as my referer. Here is the traffic ...

A Familiar EK Gets Re-Themed, Again? Meet Eris Exploit Kit.

History of “Neptune EK”: On March 16th, 2017, I received a DM from the author of the now defunct Terror exploit kit. The DM surprised me as he was blocking me on Twitter. The DM was as follows: The bit.ly link redirected me to a server hosting exploits from what was then being marketed by the ...

Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader. Downloaded Neutrino Bot (AKA Kasidet).

Brief History These infection chains began from IOCs collected by Zain Gardezi over at FireEye. You can read the report HERE. The report contained a lot of IOCs, but the one that I want to highlight is the IP address 173.208.245.114. I was interested in this IP because the host using it was acting as a shadow server, hosting numerous ...

Good Man Gate Leads to RIG EK, Drops ZeusVM (KINS)

IOCs Network: 188.215.92.104 – hurtmehard.net – Good Man gate 86.106.131.120 – bestdoosales.club – RIG exploit kit 185.100.87.161 – badlywantyou.top – GET /smk/config.jpg – ZeusVM config URL 185.100.87.161 – badlywantyou.top – POST /smk/gate.php – ZeusVM dropzone URL 77.88.55.88 – yandex.ru – Connectivity check File System: o32.tmp is dropped and executed in %TEMP% (self-deletes) The payload q2tlgu9t.exe is dropped ...

EITest Leads to RIG EK at 92.53.124.144 and Drops Dreambot

IOCs Network: 104.27.179.62 – thelifestyle.guru – Compromised website 92.53.124.144 – free.fabuloussatchi.com – RIG EK 91.121.251.22 – GET /images/[removed]/.avi – CnC Beacon 91.121.251.22 – GET /tor/t64.dll – Tor module The User-Agent string used during the callback is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), which is the identifier for IE 8 37.48.122.26 – curlmyip.net – Used to ...

RIG EK at 5.200.52.238 Drops Ransom Locker

The infection chain started by recreating a portion of a malvertising chain, which redirected the host to a RIG exploit kit landing page. Below is the infection chain: You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...