Category: Exploit Kit

E

EITest Gate at 31.184.193.179 Leads to Rig EK at 185.117.73.220 and Drops What Appears to be Betabot

IOCs: 198.15.70.67 – azarsenalsc[.]org – Compromised Site 31.184.193.179 – aliancaadm.top – EITest Gate 185.117.73.220 – zio11q.oa3ri8.top – Rig EK 103.243.38.25 – b.uandmearertyasport1.com – POST /direct/mail9/order.php – Betabot 103.234.37.4 – GET /rd927.exe – Post infection download 66.55.153.57 – and30.blabladomdom.com – POST /bla30/gate.php 104.223.89.174 – and30.blabladomdom.com – POST /bla30/gate.php 107.155.99.135 – and30.blabladomdom.com – POST /bla30/gate.php Reference for ...

R

Rig EK at 74.208.192.129 Drops CryptMIC Ransomware

Rig EK at 74.208.192.129 Drops CryptMIC Ransomware

R

Rig EK at 74.208.99.252 Drops CryptMIC Ransomware

Rig EK Drops CryptMIC Ransomware

E

EITest Gate at 31.184.192.188 Leads to RigEK 185.117.73.207 and Drops Vawtrak

IOCs: 31.184.192.188 – kinepolis.top – EITest Gate 185.117.73.207 – culxw0.b28zu4.top – Rig Exploit Kit 108.61.99.79 – GET Requests via direct IP with the following URI pattern – “/module/[32 alphanumeric characters]” Post Infection DNS Queries: 95.46.98.89 – ctwruhwdk.com 95.46.98.89 – apgtsdeh.com 81.177.13.242 – lkfiravihg.com Hashes: SHA256: 74690c93ce0fef0c40c842fba6e3963c15a4d3c02e230000c0eb8da83deb22d8 File name: EITest Flash File.swf SHA256: 013c1c061383c27273398da975230a752487ae914bcc03892df905b859800a19 File name: ...

p

pseudoDarkleech Leads to Neutrino EK at 188.165.197.194 and Drops CryptMIC Ransomware

IOCs: 184.106.55.84 – busbycabinets.com – Compromised Site 188.165.197.194 – apulaisista.scrubs101webstore.com – Neutrino EK 46.165.246.9 – SSL/HTTPS callback traffic – Contains Ransom Note Hashes: SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae25799224c0893e01d3f069dd9c7c7 File name: Neutrino EK Landing Page.html SHA256: 71db2bde4b377426657ab5a6554e274bb6fbdffd6b6ed3e7ef51ea48364cb17a File name: Neutrino EK Flash Exploit.swf SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d File name: rad432F6.tmp.dll Traffic: The Infection Chain: The infection chain starts off with the ...

p

pseudoDarkleech Leads to Neutrino EK at 137.74.223.56 and Drops CryptMIC Ransomware

IOCs: 184.106.55.75 – getfueled.com – Compromised Site 137.74.223.56 – baldonafunktionel.kayhaggard.com – Neutrino EK 46.165.246.9 – SSL/HTTPS callback traffic – Contains ransom notes Hashes: SHA256: 2b281628a86db99e4bc0ffb4365b1a2086b1241180553ba02b5f44c8d1fca558 File name: NeutrinoEK Landing Page at 137.74.223.56 SHA256: 6cbdf88c3e91bd421ba1eb44bc437fb703a3711def4d3a524626a01ca345403e File name: NeutrinoEK SWF Exploit SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d File name: rad8B9FC.tmp.dll The Infection Chain: The infection chain starts off with the compromised ...

E

EITest Gate at 194.165.16.204 Leads to Rig EK at 195.133.201.44 and Drops CryptFile2 Ransomware

IOCs: 184.106.55.122 – deadendbbq[.]com – Compromised Website 194.165.16.204 – nohydyc.top – EITest Gate 195.133.201.44 – rty.exploredowntownwestpalmbeach.com – Rig Exploit Kit 5.39.86.86 – GET /default.jpg 5.39.86.86 – POST /z/setting.php Hashes: SHA256: f0a8452419edab4ad295d9488759f887a37ceeed7a4a0459b07bcf0490736c34 File name: EITest SWF Redirect.swf SHA256: 028df23609481aeaad07f2ab02b934191f0d90930dfee42ab5ccf845dafc44e9 File name: EITest Gate.html SHA256: 896ba2463377dedaa01b1d5a1634db0dc8daac4fed7804e142a7b176cf81377a File name: RigEK Landing Page.html SHA256: b533cff02059e37a312d59ec4e985e4d3d9578853817818e2743a52d9b2b71c6 File name: RigEK SWF ...

A

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs: 50.97.68.34 – eddieoneverything.com – Compromised Site 138.68.18.73 – null.delayofgame.com – Afraidgate JS 5.2.73.124 – aqxsgncqro.anyoneshall.top – Neutrino EK HTTP requests URL: hxxp://95.85.19.195/data/info.php TYPE: POST URL: hxxp://188.127.249.32/data/info.php TYPE: POST URL: hxxp://dutluhnnx.info/data/info.php TYPE: POST URL: hxxp://kqudpyjbcd.biz/data/info.php TYPE: POST DNS requests dutluhnnx.info (69.195.129.70) afgmbssj.org vlrdkvkt.pw jybqbxjcwowph.xyz ggfwsvmnsunvb.work kqudpyjbcd.biz (58.158.177.102) TCP connections 95.85.19.195:80 188.127.249.32:80 69.195.129.70:80 58.158.177.102:80 Hashes: SHA256: ...

A

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs: 195.58.170.31 – skopikundlohn[.]at – Compromised Site 138.68.18.73 – crew.nbbgradstudents.com – Afraidgate JS 5.2.73.124 – kqccnxro.thatset.top – Neutrino EK 188.127.249.32 – POST /data/info.php – callback traffic 95.85.19.195 – POST /data/info.php – callback traffic Hashes: SHA256: 2cf21f333d42cd888e7f6020163a7af668ebafbe705475163bced6a49f1a0550 File name: crew.nbbgradstudents.com.js SHA256: 26feb600f68f086bad98105c114c6d8703a2feda1a58d8adb7cf21a4fd22c1b9 File name: Neutrino EK Landing Page.htm SHA256: 2ed2853579cfaceb90d064de061aedfee2f958d4125724a86cf5707029d5332b File name: Neutrino EK SWF Exploit.swf ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs: 181.224.139.64 – stjoeschool[.]org – Compromised Website 74.208.161.160 – besucador.me-audio.co.uk – Neutrino EK 85.14.243.9 – CryptMIC post-infection traffic via TCP port 443 Hashes: SHA256: f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327aec53952d0f File name: Neutrino EK Landing Page.html SHA256: 43db664f321a9ad0b4413f8bfff65e776fa052f278bb902156d6ccedf16d7bd4 File name: Neutrino EK SWF Exploit.swf SHA256: 35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6 File name: rad050CF.tmp.dll So again we find that the pseudo-Darkleech campaign has been leading ...