Tag: Ursnif

EITest Leads to RIG-v EK at 217.107.34.241 and Drops Dreambot.

IOCs:
192.99.46.21 – littleinspiration.com – Compromised website
217.107.34.241 – zone.klynnholding.com – RIG EK
5.196.159.175 – GET /images/[removed]/.avi – CnC traffic
5.196.159.175 – GET /tor/t64.dll – Tor module download
37.48.122.26 – curlmyip.net – External IP lookup
Post-infection Tor traffic via TCP ports 443 and 9001.
SSH connections to 91.239.232.81, which also hosts one or more Tor relays according to https://exonerator.torproject.org
Additional DNS ...

HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.

IOCs:
104.27.134.78 – multimediaz.net – Website hosting script for onclickads.net
206.54.163.4 – onclickads.net – Checks Flash. Redirects to onclkds.com.
206.54.163.50 – onclkds.com – Returns "302 Moved Temporarily"; new location is set to avatrading.org
185.51.244.202 – avatrading.org – Domain in fake ad network. Contains iframe for stockholmads.info
185.51.244.210 – stockholmads.info – GET /rotation/check-hits? – Contains iframe for RIG-v EK
...

EITest Leads to RIG-v EK at 185.159.130.122. Ursnif Variant Dreambot.

IOCs:
92.243.23.204 – www[.]caltech[.]fr – Compromised website
185.159.130.122 – more.THEBESTDALLASFLORISTS.COM – RIG-v EK
5.196.159.175 – GET /images/[removed]/KTDEi/.avi – CnC traffic
46.4.99.46 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
37.48.122.26 – curlmyip.net – External IP lookup
Post-Infection DNS Queries:
resolver1.opendns.com – ET POLICY OpenDNS IP Lookup
curlmyip.net
222.222.67.208.in-addr.arpa
myip.opendns.com
nod32s.com
Traffic:
Hashes:
SHA256: 37f7e78080f85e6f98136e927a69a72ea7d619f230b476b5d6826ebc1eee29a0
...

Decoy Site Leads to RIG-v EK at 194.87.237.240. Post-Infection Traffic: Ursnif Variant Dreambot.

IOCs:
88.214.225.168 – duckporno.com – Decoy site
80.77.82.42 – bethanyads.info – GET /rotation/hits? – Fake ad server
194.87.237.240 – sell.underinsuredinamerica.com – RIG-v EK
Post-Infection Traffic:
89.223.31.51 – GET /images/[truncated]/f2NJW2/.avi – ET TROJAN Ursnif Variant CnC Beacon
89.223.31.51 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
37.48.122.26 – curlmyip.net – GET for external IP
Outbound ...

RIG-v at 194.87.144.170. EK Drops Dreambot.

IOCs:
88.214.225.168 – duckporno.com – Decoy site
80.77.82.42 – walterboroads.info – GET /rotation/hits? – Malicious redirect
194.87.144.170 – mail.mobildugun.com – RIG-v EK
Post-Infection Traffic:
94.23.186.184 – GET /images/[truncated]/MK/.avi – ET TROJAN Ursnif Variant CnC Beacon
94.23.186.184 – GET /tor/t32.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
37.48.122.26 – curlmyip.net – GET for external IP
Outbound ...

Iframe Redirects Host to RIG-v EK at 92.53.97.168. TOR Client and Ursnif Variant Dreambot.

IOCs:
88.214.225.168 – amateur.duckporno.com – Compromised adult website
80.77.82.42 – sumterads.info – GET /rotation/hits?
92.53.97.168 – zag.2043kutahya.net – RIG-v EK
Post-Infection Traffic:
94.23.186.184 – GET /images/[truncated]/y/.avi
91.228.166.47 – nod32.com – GET /images/[truncated]/zpyxRby.jpeg
91.228.166.47 – nod32.com – GET /images/[truncated]/K04.gif
94.23.186.184 – GET /tor/t32.dll – Tor client
37.48.122.26 – curlmyip.net – GETs external IP of host
Outbound ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs:
88.99.41.189 – qj.fse.mobi – Sundown EK
86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot
93.190.143.82 – mhn.jku.mobi – Sundown EK
93.190.143.82 – nso.fzo.mobi – Sundown EK
93.158.215.169 – domainfilsdomainc.study – RIG-v EK
Sundown EK Traffic
Run 1 (Traffic exported from SIEM): FlashPlayer.exe
Run 2: Sundown EK Traffic
Run 3: RIG-v EK Traffic
Run ...