Tag: Chthonic
RIG EK Delivers Pushdo / Cutwail Botnet and RELST Campaign Still Pushing Chthonic.
Background on RELST campaign: https://malwarebreakdown.com/2017/06/05/roughted-malvertising-operation-leads-to-relst-domains-and-rig-ek/ https://malwarebreakdown.com/2017/06/06/relst-campaign-delivering-pony-downloads-chthonic/ On 06/26/17 @thlnk3r had informed me that they located a RELST domain: The source code from webshoot.pw (104.18.32.54 and 104.18.33.54) shows “relst” in the iframe id: The RELST campaign uses different social engineering tactics in order to convince users to download ZIP files (Photo05.zip) that contain malicious scripts (Photo.js). Click HERE to view ...
“Despicable” Malvertising Campaign Redirects to RIG EK at 188.225.77.106, Drops Chthonic Banking Trojan.
Read about the Despicable (aka Despicable .ME) malvertising campaign HERE. This infection chain resulted from me visiting a website that streams sporting events. Below is a partial and edited image of the malvertising chain being filtered in Wireshark: The host is redirected to adrunnr.com, which then redirects to done.witchcraftcash.com. done.witchcraftcash.com then redirects the host to the ...
“Despicable” Malvertising Campaign
Myself and a couple other coworkers stumbled across a malvertising campaign that I’ve playfully dubbed “Despicable” for its heavy use of the .ME TLD. So far, I haven’t found any public documentation about this campaign. Having said that, I wouldn’t be surprised if it was currently on other people’s radars. Background into the campaign Research ...
RELST Campaign Delivering Pony, Downloads Chthonic.
On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there various references to “RELST” in the code: In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign that had redirected my host to RIG exploit ...
RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK.
On 06/03/17 I stumbled across a malvertising chain that led to RIG exploit kit. What was unusual about this malvertising chain is that it was also leading to a lot of social engineering scams. After some research I have discovered that it could be related to the “RoughTed” malvertising campaign. You can read more about ...
EITest Leads to Rig EK at 185.45.193.52 Which Drops PushDo/Cutwail
IOCs: 198.23.50.198 – luxurenailbar.com – Compromised website 185.45.193.52 – jw1f0y.wkfroa.top – Rig EK Post infection POST requests: 62.129.220.170 – infotech.pl 76.12.115.26 – leapc.com 50.63.46.84 – 2print.com 104.25.146.12 – dayvo.com 219.122.1.240 – ex-olive.com 103.241.2.201 – pb-games.com 193.34.148.140 – stnic.co.uk 77.66.54.114 – valdal.com 72.3.177.107 – owsports.ca 23.229.223.161 – nunomira.com 46.30.59.13 – com-sit.com 118.23.162.86 – ora.ecnet.jp 69.163.218.51 – ...
Malware breakdown 