Category: Informational
Roboto Condensed Delivers Downloader Which Downloads a CoinMiner.
My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this. The pages presented to both Chrome and Firefox users can be seen below: Here is an image of the page source: The binary file, fontpackupd60.exe, is being hosted on a compromised website in the /plugins/ ...
Roboto Condensed Social Engineering Scheme Delivers DELoader (aka Terdot or ZLoader).
My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this, which can be seen HERE. The page presented to both Chrome and Firefox users: Looking at the page source shows a different .ZIP file for Chrome and Firefox users: Chrome users download “Chrome_Font.zip”, which is ...
“Roboto Condensed” Social Engineering Attack Targets Both Chrome and Firefox Users.
A couple days ago I found a dozen or so domains using a social engineering attack like that of the RELST and HoeflerText campaigns. This attack, which I call “Roboto Condensed” for reasons that will become obvious, targets both Chrome and Firefox users. Users are likely to be redirected to these social engineering domains via malvertising, hacked ...
Tech Support Scams Using Numeric Domains
According to Microsoft, tech support scams (TSS) are a growing problem with 2 out of 3 consumers reporting that they’ve encountered them in recent years. As somebody who often captures malvertising chains I can tell you that I too have seen a big uptick in redirects leading to tech support scam pages. A lot of the times ...
Finding a Good Man: Part 2
Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/ Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/ It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...
“Despicable” Malvertising Campaign
Myself and a couple other coworkers stumbled across a malvertising campaign that I’ve playfully dubbed “Despicable” for its heavy use of the .ME TLD. So far, I haven’t found any public documentation about this campaign. Having said that, I wouldn’t be surprised if it was currently on other people’s radars. Background into the campaign Research ...
RELST Campaign Delivering Pony, Downloads Chthonic.
On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there various references to “RELST” in the code: In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign that had redirected my host to RIG exploit ...
Decimal IP Campaign
For a background on the Decimal IP Campaign please read this article written on March 29th, 2017, by Jérôme Segura over at Malwarebytes Lab: https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/ I got the decimal IP used for this infection from @nao_sec‘s blog post found HERE. IOCs: 104.156.250.131 – IP decimal redirector 162.220.246.254 – Fake Flash Player update landing page 23.56.113.194 – java.com ...
Tech Support Scams
Below is a link to an article from Malwarebytes Lab explaining tech support scams: https://blog.malwarebytes.com/tech-support-scams/ Some recent examples that I collected on 05/02/17 are shown below. Network Activity: 174.137.155.139 – xml.pdn-1.com – 302 redirect to tech support scam 107.180.1.35 – binmsisooso.life – Tech support scam landing page 46.30.213.100 – bunt.truncomp.com – Tech support scam server Network ...
Neptune Exploit Kit
On 03/10/17 there were postings on various forums about an exploit kit named Neptune. The author claims it has 17 different exploits, including some fresh CVEs from 2017. Below is an image from one of the advertisements: Claimed features include a malicious domain detect rotation trigger, stenography, domain auto-rotator, professional user interface (template for the interface can be found HERE), ...
Malware breakdown 