Tag: Traffic Distribution System

Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.

A couple days ago I came across an unusual looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us: Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that ...

Finding a Good Man: Part 2

Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/ Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/ It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...

Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan

On April 5th, 2017, the Twitter user thlnk3r sent a message to Brad and myself about a malvertising chain using onclkds.com to redirect hosts to RIG exploit kit. Here is the Tweet: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 194.58.38.64 as my referer. Here is the traffic ...

Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for Sundown and RIG exploit kit. It was at this point that I began to track the TDS and its registrant. My first infection that I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a ...

Keitaro TDS Leads to RIG-v EK at 188.225.36.231

IOCs: 188.225.36.231 – hand.stayatsouthpadre.com – RIG-v EK 31.11.32.225 – www pivesso.us – GET /Img/Gif/oni64.gif – Tor client 37.48.122.26 – curlmyip.net – Used for host IP lookup Post-infection Tor traffic going over TCP port 9001 – ET POLICY TLS possible TOR SSL traffic DNS Queries: resolver1.opendns.com – ET POLICY OpenDNS IP Lookup 222.222.67.208.in-addr.arpa myip.opendns.com Traffic: Hashes: SHA256: 0c1b3a0131c98032141d2315902b546bd926d5d4365628dafbbfca165f934f12 ...

BossTDS and Exploit Kits

Download the Appendix – bosstds-and-exploit-kits.xlsx Appendix A – DNS resolutions for 188.68.252.146. Appendix B – Advetisement page Whois information. Appendix C – Host pairs. Appendix D – Summary of investigations: IPs, domains, redirection methods, EKs, hashes. Appendix E – BossTDS Whois information. Appendix F – Additional IP Whois information. BossTDS Capabilities Traffic control software, like BossTDS, offers users highly ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs: 88.99.41.189 – qj.fse.mobi – Sundown EK 86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot 93.190.143.82 – mhn.jku.mobi – Sundown EK 93.190.143.82 – nso.fzo.mobi – Sundown EK 93.158.215.169 – domainfilsdomainc.study – RIG-v EK Sundown EK Traffic Run 1 (Traffic exported from SIEM): FlashPlayer.exe Run 2: Sundown EK Traffic Run 3: RIG-v EK Traffic Run ...