2017

Archives:

• 12/20/2017 – Malspam Distributing Ursnif (Gozi ISFB).
• 11/12/2017 – Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.
• 10/10/2017 – Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.
• 10/04/2017 – Seamless Campaign Delivers Ramnit Banking Trojan via RIG EK.
• 10/01/2017 – Roboto Condensed Delivers Downloader Which Downloads a CoinMiner.
• 09/27/2017 – Malvertising Leads to RIG EK and Drops Remcos RAT.
• 09/19/2017 – Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.
• 09/14/2017 – HookAds Campaign Leads to RIG EK and Drops ZeuS Panda.
• 09/11/2017 – “Re: Details” Malspam Downloads CoreBot Banking Trojan.
• 09/07/2017 – Roboto Condensed Social Engineering Scheme Delivers DELoader (aka Terdot or ZLoader).
• 08/30/2017 – “IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.
• 08/30/2017 – “Roboto Condensed” Social Engineering Attack Targets Both Chrome and Firefox Users.
• 08/23/2017 – The Seamless Campaign Isn’t Losing Any Steam.
• 08/21/2017 – Seamless Campaign Uses RIG EK to Drop Ramnit Trojan.
• 08/16/2017 – Fobos Campaign Using RIG EK to Drop Bunitu Trojan.
• 08/15/2017 – Seamless Campaign Uses RIG EK to Drop Ramnit. Ramnit Drops AZORult.
• 08/08/2017 – “IMG_” Malspam Delivers GlobeImposter Ransomware.
• 08/08/2017 – Rulan Campaign Redirects to RIG EK at 188.225.33.43 and Drops a Miner.
• 08/07/2017 – Campaign Leads to RIG EK and Fake Flash Player Update Site. RIG Drops URLZone and Fake Flash Player Update Drops a Miner.
• 08/03/2017 – Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.
• 08/01/2017 – Seamless Campaign Leads to RIG EK at 188.225.35.149, Drops Digitally Signed Ramnit.
• 07/27/2017 – Dreambot Dropped by HookAds.
• 07/24/2017 – The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.
• 07/18/2017 – HookAds Continues to use RIG EK to Drop Dreambot.
• 07/13/2017 – RIG EK at 188.225.76.222 Drops Dreambot.
• 07/10/2017 – Tech Support Scams Using Numeric Domains.
• 07/06/2017 – Seamless Campaign Drops Ramnit from RIG Exploit Kit at 188.225.76.204.
• 07/03/2017 – Seamless Campaign Leads to RIG EK at 188.225.79.43 and Drops Ramnit.
• 06/28/2017 – RIG EK Delivers Pushdo / Cutwail Botnet and RELST Campaign Still Pushing Chthonic.
• 06/25/2017 – Malvertising Leads to HookAds Campaign Which Redirects to RIG EK at 188.225.74.13. RIG EK Drops Dreambot.
• 06/23/2017 – Seamless Campaign Leads to RIG EK at 92.222.48.83 and Drops Ramnit.
• 06/20/2017 – HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot.
• 06/19/2017 – “Despicable” Malvertising Campaign Redirects to RIG EK at 188.225.77.106, Drops Chthonic Banking Trojan.
• 06/16/2017 – Finding a Good Man: Part 2.
• 06/11/2017 – “Despicable” Malvertising Campaign.
• 06/07/2017 – Seamless Malvertising Campaign Drops Ramnit from RIG EK at 80.93.187.194.
• 06/06/2017 – RELST Campaign Delivering Pony, Downloads Chthonic.
• 06/06/2017 – HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot.
• 06/05/2017 – RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK.
• 05/31/2017 – Seamless Campaign Still Redirecting to RIG EK and Dropping Ramnit. Follow-up Malware Dropped on the System is Smoke Loader.
• 05/31/2017 – HookAds Campaign Leads to RIG EK at 188.227.74.169 and 5.200.52.203, Drops Dreambot.
• 05/18/2017 – HookAds Malvertising Campaign Leads to RIG EK at 185.154.53.33, Drops LatentBot.
• 05/17/2017 – Seamless Malvertising Campaign Leads to RIG EK at 185.154.53.33 and Drops Ramnit.
• 05/15/2017 – RIG Exploit Kit at 185.154.53.7 Drops Pony, Downloads Philadelphia Ransomware.
• 05/11/2017 – Seamless Malvertising Campaign Still Leading to RIG EK and Dropping Ramnit.
• 05/09/2017 – RIG EK at 92.53.119.66 Drops Dreambot.
• 05/06/2017 – Malspam Leads to Malicous Word Document Which Downloads Geodo/Emotet Banking Malware.
• 05/03/2017 – Decimal IP Campaign.
• 05/03/2017 – Tech Support Scams.
• 04/26/2017 – Update on GoodMan.
• 04/24/2017 – EITest Leads to RIG EK at 188.225.36.196 And Drops Quant Loader. Downloads ZLoader/Zbot.
• 04/18/2017 – Hacked Sites Redirecting Users to Various Malvertising Campaigns.
• 04/09/2017 – EITest Campaign Leads to RIG EK at 188.225.39.227. EK Drops Matrix Ransomware v3.
• 04/06/2017 – Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan.
• 04/04/2017 – A Familiar EK Gets Re-Themed, Again? Meet Eris Exploit Kit.
• 04/03/2017 – Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader. Downloaded Neutrino Bot (AKA Kasidet).
• 04/03/2017 – Good Man Gate Leads to RIG EK, Drops ZeusVM (KINS).
• 03/29/2017 – EITest Leads to RIG EK at 92.53.124.144 and Drops Dreambot.
• 03/27/2017 – RIG EK at 5.200.52.238 Drops Ransom Locker.
• 03/21/2017 – HookAds Campaign Leads to RIG EK at 92.53.104.78.
• 03/16/2017 – SAGE 2.2 Ransomware from Good Man Gate.
• 03/13/2017 – Neptune Exploit Kit.
• 03/10/2017 – Finding A ‘Good Man’.
• 03/07/2017 – Changes to the Pre-Landing Page.
• 03/06/2017 – RIG EK at 92.53.127.21 Drops Dreambot.
• 03/06/2017 – TDS Redirecting Users to RIG Exploit Kit and Other Stuff.
• 03/02/2017 – RIG EK at 92.53.105.43 Drops ASN1 Ransomware.
• 02/28/2017 – EITest Leads to RIG EK at 188.225.36.251. EK Drops CryptoShield 2.0 Ransomware.
• 02/26/2017 – EITest Leads to RIG-v EK at 217.107.34.241 and Drops Dreambot.
• 02/19/2017 – HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.
• 02/18/2017 – EITest Script Leads to RIG-v EK at 92.53.120.4. EK Drops “CryptoShield 2.0 Dangerous” Ransomware.
• 02/16/2017 – EITest Leads to RIG-v EK at 185.159.130.122. Ursnif Variant Dreambot.
• 02/12/2017 – Thousands of Compromised Websites Leading to Fake Flash Player Update Sites. Payload is Qadars Banking Trojan.
• 02/08/2017 – Keitaro TDS Leads to RIG-v EK at 188.225.36.231.
• 02/07/2017 – Decoy Site Leads to RIG-v EK at 194.87.237.240. Post-Infection Traffic: Ursnif Variant Dreambot.
• 02/05/2017 – EITest Leads to RIG-v EK at 194.87.145.225, Drops CryptoShield 1.1 Ransomware.
• 02/02/2017 – BossTDS and Exploit Kits.
• 01/29/2017 – RIG-v at 194.87.144.170. EK Drops Dreambot.
• 01/27/2017 – Iframe Redirects Host to RIG-v EK at 92.53.97.168. TOR Client and Ursnif Variant Dreambot.
• 01/25/2017 – Sundown EK using 40.69.68.179, Which is Assigned to Microsoft Corporation (MSFT).
• 01/23/2017 – Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.
• 01/22/2017 – Sundown EK: Pre-Landing Page.
• 01/21/2017 – Iframe Points to RIG-v EK at 93.158.215.169. EK Drops Spora Ransomware.
• 01/20/2017 – EITest Leads to Sundown EK at 93.190.143.82 and Drops Cerber.
• 01/15/2017 – EITest Leads to RIG-v EK at 92.53.120.233 Drops CryptoMix.
• 01/14/2017 – Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris).
• 01/09/2017 – Advertisement Domain Led to BossTDS, Which Redirected Host to RIG-v Exploit Kit at 92.53.120.207.