Results for: hookads

Fobos Campaign Uses HookAds Template and Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at malwarebreakdown.com. On closer inspection, it looks like Fobos is redirecting to the HookAds template (thanks Jerome for double-checking that for me). The decoy site that had redirected to HookAds on 03/07/18, shown HERE, is the same code found in this infection chain on 03/11/18. HTTP traffic: The decoy site contains ...

HookAds Campaign Is Back And Using RIG EK to Deliver Bunitu Proxy Trojan

I haven’t posted anything on the HookAds campaign since 09/17/2017. Likewise, checking malware-traffic-analysis.net shows the last write-up for HookAds on 08/01/17. According to Jérôme Segura, the campaign went away in late October 2017 and started to resurface in late February 2018. This is evident from a recent Twitter post from MrHazumhad which ...

HookAds Campaign Leads to RIG EK and Drops ZeuS Panda.

The HookAds campaign is still active and there have been some recent changes. For starters, this campaign usually drops a variant of Ursnif known as Dreambot. However, the sample that I got today seems more likely to be a ZeuS variant. This was later confirmed by my friend @Antelox, who identified it as ZeuS Panda. Let’s first ...

Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.

The site I used for today’s malvertising chain appears to be a legitimate adult website, however, downstream of more popular ones. According to traffic estimates the site has received roughly 637,100 visitors over the last 30 days. Alexa.com currently ranks the site in the top 33,000 globally, with most of its visitors coming from India ...

Dreambot Dropped by HookAds

This will be a quick post as I just wanted to put out some updated IOCs. “popunder.php” from the HookAds decoy site: balkali[.]info/banners/countryhits: HookAds is still pushing Dreambot via RIG EK.

Network Based IOCs
HTTP:
80.77.82.41 – balkali.info – GET /banners/countryhits – HookAds server
188.225.33.164 – IP-literal hostname used by RIG EK
104.223.89.174 – GET ...

HookAds Continues to use RIG EK to Drop Dreambot

A couple of days ago RIG changed its URI parameters. This isn’t unusual, as it seems to happen at least once a month. However, one thing to note is that RIG, at this moment, is using base64-encoded strings as the URI query parameter. Examples taken from this infection chain include the following: /?MzQwNDg3NTE= (the parameter MzQwNDg3NTE= decodes to 34048751) /?MTU2NzMzOTY= ...
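The base64-as-parameter-name pattern above is something a detection can key on: a request whose entire query string is a valid, padded base64 token that decodes to nothing but ASCII digits. The following is an added example, not code from malwarebreakdown.com, that scans constructed HTTP request lines (the two RIG URIs quoted in the post plus two benign requests I made up for contrast) and reports the ones that fit that shape.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample request lines for this example. The first two URIs are
# the ones quoted in the post; the last two are benign requests added for
# contrast and are not from the original capture.
SAMPLE_REQUESTS = [
    "GET /?MzQwNDg3NTE= HTTP/1.1",
    "GET /?MTU2NzMzOTY= HTTP/1.1",
    "GET /index.php?id=5 HTTP/1.1",
    "GET /banners/countryhits HTTP/1.1",
]

# Standard base64 alphabet, padding only at the end. "id=5" fails this
# because '=' appears mid-token.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_numeric_b64(token):
    """Return the decoded digit string if `token` is strict base64 of
    ASCII digits, otherwise None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isdigit() else None


def flag_request(request_line):
    """Return (uri, decoded_value) when the request's whole query string is a
    base64-encoded number, as in the RIG URIs quoted above; else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    uri = parts[1]
    # RIG put the token in place of the parameter name, so we test the raw
    # query string as a whole rather than parsing key=value pairs (parsing
    # would split on the base64 '=' padding).
    query = urlsplit(uri).query
    if not query or "&" in query:
        return None
    decoded = decode_numeric_b64(query)
    if decoded is None:
        return None
    return (uri, decoded)


def scan(request_lines):
    """Run flag_request over every line and collect the hits."""
    hits = []
    for line in request_lines:
        hit = flag_request(line)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for uri, value in scan(SAMPLE_REQUESTS):
        print(f"{uri} -> base64 of {value}")
```

On its own this is a weak indicator (any site could legitimately base64 a numeric ID), so it belongs alongside the rest of the chain in these posts, such as an IP-literal Host header or a referer from a known HookAds pre-landing domain, rather than as a stand-alone alert.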

Malvertising Leads to HookAds Campaign Which Redirects to RIG EK at 188.225.74.13. RIG EK Drops Dreambot.

I captured another malvertising chain that included the HookAds campaign. To read more about the HookAds campaign click HERE. You can also find all my HookAds related post HERE. Below is an image of a 302 redirect that led to the HookAds decoy XXX website: The referer for the decoy XXX website, according to the ...

HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot.

Network based IOCs
34.193.201.92 – arrassley.info – RoughTed domain
80.77.82.41 – heydrid.info – HookAds fake ad server
188.225.78.240 – RIG exploit kit
144.168.45.110 – Dreambot C2
52.2.59.254 – ipinfo.io – External IP lookup
Post-infection DNS queries and additional post-infection traffic:
resolver1.opendns.com
222.222.67.208.in-addr.arpa
myip.opendns.com
wdwefwefwwfewdefewfwefw.onion
Hashes
SHA256: ab4db9eff5259f56e1c9f21444b9b8024d8ce2ffc841e178b10b9a522a750c3c – File name: heydrid.info pre-landing page.txt
SHA256: b712653deece760b1b981c7d93da44e62b58630ce0bfd511a2d621672cc2f7d6 – File ...

HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot

IOCs
HTTP Traffic:
Decoy site [hidden] – GET /popunder.php – Redirects to remainland.info
80.77.82.41 – remainland.info – GET /banners/uaps – Pre-landing page
194.87.93.114 – RIG EK
144.168.45.144 – GET /images/[removed]/.avi
144.168.45.144 – GET /tor/t32.dll – Tor module
35.166.90.180 – ipinfo.io – GET /ip – Checks your public IP address
DNS Queries:
resolver1.opendns.com
myip.opendns.com
Traffic:
Hashes:
SHA256: 732637809542bf1e174249104d2b1c88dc79da20862318a749accc052638b8f1 – File name: ...

HookAds Campaign Leads to RIG EK at 188.227.74.169 and 5.200.52.203, Drops Dreambot

IOCs
HTTP Traffic:
Decoy site – GET /popunder.php
80.77.82.41 – goverheast.info – GET /banners/uaps?
80.77.82.41 – recenties.info – GET /banners/uaps? (second run)
188.227.74.169 – set.acceleratehealthcaretransformation.com – RIG EK
VirusTotal report on 188.227.74.169 (shows full URLs)
5.200.52.203 – set.accumen.info – RIG EK (second run)
VirusTotal report on 5.200.52.203 (shows full URLs)
144.168.45.144 – GET /images/[removed]/.avi
144.168.45.144 – ...