Tag: Smoke Loader

Finding a Good Man: Part 2

Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/ Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/ It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...

Seamless Campaign Still Redirecting to RIG EK and Dropping Ramnit. Follow-up Malware Dropped on the System is Smoke Loader (aka Dofoil & Sharik).

IOCs HTTP Traffic: 193.124.201.22 – GET /lol3.php 81.177.141.140 – need.aqadim.com – RIG EK (1st Run) VirusTotal report on 81.177.141.140 81.177.141.202 – RIG EK (direct IP used instead of subdomain) VirusTotal report on 81.177.141.202 118.127.42.199 – www[.]elitelockservice[.]com[.]au – GET /wp-content/themes/twentythirteen/RIG1.exe – Smoke Loader (2nd run) DNS Queries: atw82ye63ymdp.com – 188.93.211.166 (1st Run) hdyejdn638ir8.com – 134.0.117.8 (2nd ...

Decimal IP Campaign

For a background on the Decimal IP Campaign please read this article written on March 29th, 2017, by Jérôme Segura over at Malwarebytes Lab: https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/ I got the decimal IP used for this infection from @nao_sec‘s blog post found HERE. IOCs: 104.156.250.131 – IP decimal redirector 162.220.246.254 – Fake Flash Player update landing page 23.56.113.194 – java.com ...

A Familiar EK Gets Re-Themed, Again? Meet Eris Exploit Kit.

History of “Neptune EK”: On March 16th, 2017, I received a DM from the author of the now defunct Terror exploit kit. The DM surprised me as he was blocking me on Twitter. The DM was as follows: The bit.ly link redirected me to a server hosting exploits from what was then being marketed by the ...

Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader. Downloaded Neutrino Bot (AKA Kasidet).

Brief History These infection chains began from IOCs collected by Zain Gardezi over at FireEye. You can read the report HERE. The report contained a lot of IOCs, but the one that I want to highlight is the IP address 173.208.245.114. I was interested in this IP because the host using it was acting as a shadow server, hosting numerous ...