Tag: 302 Cushioning
T
Traffic Distribution System is Funneling Traffic to RIG-v Exploit Kit
On November 28th of this year my host was redirected to a RIG-v exploit kit server, however, this time the redirect came from a suspicious looking web page. This was somewhat unusual for me as the majority of exploit kit infections that I deal with begin when a user visits a legitimate site. These vulnerable ...
3
302 Redirects from Traffic Distribution System Led to RIG-V EK at 194.87.238.156. Dropped Downloader & “XKeyScore” Keylogger
IOCs: GET /in/traf/ – 302 redirect via port 18001 (BossTDS port) GET /boom/mix.php – 302 redirect via port 18001 (BossTDS port) 194.87.238.156 – try.uludan.com – Rig-V EK (landing page, Flash exploit, and payload) 111.221.47.162 – POST /faa38820fa/dd6c45917a/d23d3e97c0/chat.php – Base64 encoded data being POSTed back 188.40.248.71 – GET /~mysuperp/crypt2_7038.exe – Additional malware downloaded 91.107.108.124 – POST ...
Malware breakdown 