Tag: Seamless Campaign

Seamless Malvertising Campaign Drops Ramnit from RIG EK at 80.93.187.194

Shout-out to thlnk3r‏ for giving me the referer! Using the referer qstoo.voluumtrk[.]com redirected my host to the Seamless gate at 193.124.89.196: The Seamless gate returns a “302 Found” that points to the RIG exploit kit landing page at 80.93.187.194: The Ramnit malware payload was dropped in %Temp% and then copied to %AppData% in the folder mykemfpi: There ...

Seamless Campaign Still Redirecting to RIG EK and Dropping Ramnit. Follow-up Malware Dropped on the System is Smoke Loader (aka Dofoil & Sharik).

IOCs HTTP Traffic: 193.124.201.22 – GET /lol3.php 81.177.141.140 – need.aqadim.com – RIG EK (1st Run) VirusTotal report on 81.177.141.140 81.177.141.202 – RIG EK (direct IP used instead of subdomain) VirusTotal report on 81.177.141.202 118.127.42.199 – www[.]elitelockservice[.]com[.]au – GET /wp-content/themes/twentythirteen/RIG1.exe – Smoke Loader (2nd run) DNS Queries: atw82ye63ymdp.com – 188.93.211.166 (1st Run) hdyejdn638ir8.com – 134.0.117.8 (2nd ...

Seamless Malvertising Campaign Leads to RIG EK at 185.154.53.33 and Drops Ramnit

IOCs HTTP Traffic: 185.31.160.55 – GET /flow339.php – Seamless campaign redirector 185.154.53.33 – new.cloudarchieve.com – RIG EK VirusTotal report showing the full RIG EK URLs resolving to that IP address. DNS Queries: doisafjsnbjesfbejfbkjsej88.com notalyyj.com – 185.118.66.84 bheabfdfug.com – 185.156.179.126 sinjydtrv.com fbtsotbs.com fkqrjsghoradylfslg.com aofmfaoc.com – 34.194.213.50 ctiprlgcxftdsaiqvk.com mrthpcokvjc.com wgwuhauaqcrx.com – 87.106.190.153 npcvnorvyhelagx.com – 87.106.190.153 Post-infection traffic ...

Seamless Malvertising Campaign Still Leading to RIG EK and Dropping Ramnit

On May 10th, 2017, the Twitter user thlnk3r sent a Tweet with a referer for the seamless campaign: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 185.31.160.55 as my referer. Here is the traffic from my run: This tactic proved to be successful as I was redirected from 185.31.160[.]55/flow335.php to ...

Hacked Sites Redirecting Users to Various Malvertising Campaigns

I had somebody contact me via my Contact page saying that they found my post on the Seamless campaign leading to RIG exploit kit. They had told me that they had received an email with the following link multitaskcleaners[.]co[.]uk/giftwrap.php?1702. He went on to say that going directly to multitaskcleaners[.]co[.]uk redirected him to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...

Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan

On April 5th, 2017, the Twitter user thlnk3r sent a message to Brad and myself about a malvertising chain using onclkds.com to redirect hosts to RIG exploit kit. Here is the Tweet: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 194.58.38.64 as my referer. Here is the traffic ...