Tag: Cushion Attack


302 Redirects from Traffic Distribution System Led to RIG-V EK at 194.87.238.156. Dropped Downloader & “XKeyScore” Keylogger

IOCs:
GET /in/traf/ – 302 redirect via port 18001 (BossTDS port)
GET /boom/mix.php – 302 redirect via port 18001 (BossTDS port)
194.87.238.156 – try.uludan.com – Rig-V EK (landing page, Flash exploit, and payload)
111.221.47.162 – POST /faa38820fa/dd6c45917a/d23d3e97c0/chat.php – Base64 encoded data being POSTed back
188.40.248.71 – GET /~mysuperp/crypt2_7038.exe – Additional malware downloaded
91.107.108.124 – POST ...