Tag: Rig-V

EITest Leads to RIG-v EK at 92.53.120.233 Drops CryptoMix

IOCs: 68.178.254.116 – westwoodenabler.com – Compromised website 92.53.120.233 – top.tbn1.us – RIG-v EK 91.121.244.84 – CryptoMix callback traffic Traffic: Hashes: SHA256: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335 File name:RIG-v Flash Exploit.swf SHA256: 3ff4c80212d97aa64154dc3bd6a361766286c5073d15ec65cb32fe2755f8a703 File name: QTTYUADAF SHA256: 038bfb53f45a596762be789c66663966ef9bf04c1c80aae339f40e9a5fe3088c File name: “radC79C9.tmp.exe” and “Spy Security SoftWare_91bf6e5_aed68d54.exe” Hybrid-Analysis Report Infection Chain: The infection chain started off with me browsing to the compromised ...

Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris)

IOCs: 138.128.171.35 – northcoastmed.com – Compromised website 178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain 92.53.120.233 – red.telco.news – RIG-v EK 200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky 188.127.239.53 – Locky post-infection traffic – POST /checkupdate Traffic: Hashes: SHA256: 443b3bb140553acc8c861ddc2a0275936a5a26489030b424703775d2f3242ae8 File name: northcoastmed.com.html SHA256: cebd2b86b7830c3b11414581de5068d6d152873731a4a1f3fa7270d21a7a3fb2 File name: dropname.syncroweb.com Afraidgate.js SHA256: eb8fb3f87093c0a9e24047cee0f472373d3d78212ced708d235825b31a70df4b File name: RIG-v Pre-Landing ...

Advertisement Domain Led to BossTDS, Which Redirected Host to RIG-v Exploit Kit at 92.53.120.207

IOCs: 92.53.120.207 – good.chronic.news – RIG-v EK 79.134.225.49 – hpservice.zapto.org – Post-infection traffic via TCP port 5044 DNS query for hpservice.zapto.org, response from authoritative NS: nf1.no-ip.com nf2.no-ip.com nf3.no-ip.com nf4.no-ip.com Traffic: Hashes: SHA256: 7334e5f058f0ae9a0bbe073da49bb155255855705907ea84fa40098994ba3c27 File name: Flash Exploit RIG-v.swf SHA256: 51ce2615b3b0784f55d03d1ba3f77d13aaca40931c72df750b0e298edaf6e3c4 File name: ETTYUADAF SHA256: 01028a0702188f86b8c743cb3af891073df63310e4f3013ae7aeba0aee01e40e File name: rad94DC8.tmp.exe, drivupdater.exe Hybrid-Analysis Submission Infection Chain: I have ...

p

pseudoDarkleech to RIG-v EK’s

IOCs: 107.181.172.103 – lovlose.com – Compromised site 109.234.37.178 – new.buttock.toys – RIG-v EK Cerber check-in traffic via UDP port 6892 1.22.15.0/27 2.23.16.0/27 91.239.24.0/24 91.239.25.0/24 IOCs: 184.168.136.128 – tarboushgrill.com – Compromised site 81.177.139.86 – see.soulartspublishing.com – RIG-v EK Cerber check-in traffic via UDP port 6892 77.4.1.0/27 77.15.1.0/27 91.239.24.0/24 91.239.25.0/24 IOCs: 141.138.168.111 – hoolhoevebriards.com – Compromised site ...

T

Traffic Distribution System is Funneling Traffic to RIG-v Exploit Kit

On November 28th of this year my host was redirected to a RIG-v exploit kit server, however, this time the redirect came from a suspicious looking web page. This was somewhat unusual for me as the majority of exploit kit infections that I deal with begin when a user visits a legitimate site. These vulnerable ...

&

‘Tis the Season for Cerber: Rig-V EK at 195.133.201.249 and Drops, you guessed it, Cerber Ransomware

IOCs: 205.251.140.114 – northrivercommission.org – Compromised site 195.133.201.249 – add.medlucency.info – RIG-v EK Cerber check-in traffic via UDP port 6892: 93.223.40.0/27 92.145.32.0/27 91.239.24.0/24 91.239.25.0/24 148.251.6.214 – btc.blockr.info – Bitcoin block explorer 84.200.4.130 – ffoqr3ug7m726zou.17vj7b.top – Cerber Decryptor site Traffic: Hashes: SHA256: a309461e89391f4432949d391d8ba4bcc8fee4f1def2bf01bf439da1c11e21dd File name: RIGV EK UA Gate.html SHA256: 052d05cbca3b82357ccd8d19fe4c2ed2207ba8286d57b0d4f24f88dce8ce6611 File name: RIGV EK Landing ...

p

pseudoDarkleech Script Redirects Host to Rig-V EK at 195.161.62.232. EK Drops Cerber.

IOCs: 184.172.50.36 – chicago.fdmaps.com – Compromised site 195.161.62.232 – new.underinsuredamerican.org – Rig-V EK Cerber check-in traffic via UDP port 6892: 37.15.20.0/27 77.1.12.0/27 91.239.24.0/24 91.239.25.0/24 148.251.6.214 – btc.blockr.io – Bitcoin block explorer 84.200.4.130 – ffoqr3ug7m726zou.1mstqg.top – Cerber Decryptor site Traffic: Hashes: SHA256: 814d06968bd54aadd13f3e352d5c6b792decdb1c8eeec8d35e7aeaa0cde72b57 File name: RigV UA check.html SHA256: 7e285aee3f54b9a289d03f8a6904eeed8dd88c3028f92ce9d62d8f2c333a52d7 File name: RigV EK Landing Page.html ...

p

pseudoDarkleech Redirects Host to Rig-V EK at 81.177.6.49 and Drops Cerber

IOCs: 162.255.161.10 – luckystavern.com – Compromised site 81.177.6.49 – will.warondoctors.info – Rig-V EK Cerber check-in traffic via UDP port 6892: 37.15.20.0/27 77.1.12.0/27 91.239.24.0/24 91.239.25.0/24 148.251.6.214 – btc.blockr.io – Bitcoin block explorer 23.152.0.137 – ffoqr3ug7m726zou.13inb1.top – Cerber Decryptor site Traffic: Hashes: SHA256: 948785c8a2c441345317ea80e1fd7c622599932dade375872b9c5b9030a61145 File name: RigV UA check page.html SHA256: 699fe5529a3a6928717e47300646d18f36a6ce21823228fffdd52d06e9aa9cd5 File name: RigV EK Landing ...

T

The University of South Florida: Subdomain Injected with EITest Script That Points to Both Rig-V and Rig-E EK. Dropped CryptoMix (CryptFile2) Ransomware.

IOCs: 131.247.120.45 – etc.usf.edu – Compromised subdomain on usf.edu 217.107.37.39 – red.wellnesswatchersmd.net – Rig-V EK 93.115.38.112 – d4sna.rithiperdien.top – Rig-E EK 5.39.84.236 – GET /validator_os/master_valid_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe 5.39.84.236 – POST /validator_os/master_valid_os/microsoft_osINFO.php – POSTs files to webserver Traffic: Hashes: SHA256: 36fecf334a7be0e9c33c7a745c09e5daf775438e4018cc7de26e5d056ff9ec0f File name: RigV UA check page.html SHA256: ef89449250ff7e297300bd1bf1c5ca1c4de691b8d23727e481b24121985f69ad File name: RigV Landing Page.html SHA256: 65e938972896e4ffb6c4de3f8314e1a2acd8da5f86fee94f34d35a5d334723e6 File name: ...

p

pseudoDarkleech Redirects to Rig-V at 195.133.49.182 Which Drops Cerber

IOCs: 166.62.25.210 – dunlogginvet.com – Compromised website 195.133.49.182 – art.thinleadermd.com – Rig-v EK sub-domain Cerber check-in traffic via UDP port 6892: 37.15.20.0/27 77.1.12.0/27 91.239.24.0/24 91.239.25.0/24 148.251.6.214 – btc.blockr.io – Bitcoin block explorer 185.82.200.167 – avsxrcoq2q5fgrw2.1gaje2.top – Cerber Decryptor site Traffic: Hashes: SHA256: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf File name: Rig-V Flash Exploit.swf SHA256: 9f93a612da234591aa2645277aa0672ad53cfebe2697bdcf5e38e0920e270d35 File name: OTTYUADAF SHA256: d6a7f7253e30ffbfddc85c34a905dd9022819df0629c698fe71bec384b041f6d ...