Tag: Angler Exploit Kit

Neutrino EK Stops Advertisements While Rig EK Activity Increases
I personally haven’t documented a Neutrino EK compromise since September 11, 2016. Before that point Neutrino EK was very active in the EK scene, as it took the top spot from Angler following the arrest of the Lurk gang. The question is: why has there been such a noticeable drop-off in Neutrino activity? Malware ...

A Brief History, and a Current Status, of the EITest Campaign
The EITest campaign isn’t anything new. In fact, Jérôme Segura from Malwarebytes wrote a detailed article about this malware campaign in 2014. What he discovered was that this wasn’t your normal drive-by download, as the campaign is using a Flash-based redirection mechanism. Below are three examples of compromised sites that I’ve found in the ...

EITest Gate at 85.93.0.32 Leads to Angler EK at 83.220.169.231
I found these GET requests in our customers’ traffic: zeboms[.]tk/show_content.php?fgpimk=lrsuk&id=4642B3AD8EB1331F63B111F171C670700DA304E3EFF16822032449944AB075E487805D one.theleadersummit[.]com/boards/viewtopic.php?t=0i3&f=o5aew38bpq8ca58engnpikp4ucvwuef5z9ej1ctm014keykgo-q773pf_ahi58p76yvzpoffylkdqe_-8k4eih0j03n2t-i1y Unfortunately for our analysts, we don’t always get packets, so we can’t easily locate the referer in every case. Typically the GET request for the compromised site is in the traffic surrounding the event. As you can see from the HTTP requests surrounding the ...

EITest Campaign at 85.93.0.32
IOCs: 85.93.0.32 – EITest Gate; SHA256 1384b089c4524dd996a60f58ca1465bf89cd8f39e2711846ea394f14c4c87913. This isn’t going to be an extensive look into the EITest Campaign, as Brad from Malware-traffic-analysis.net has already done great work on this subject. You can also check my post here for more details. It is more or less an update on some activity I’ve been seeing ...