Tag: Latentbot

HookAds Malvertising Campaign Leads to RIG EK at 185.154.53.33, Drops LatentBot

IOCs

Network Traffic:
80.77.82.41 – nairolonia.info – Pre-landing page
185.154.53.33 – post.divakarshenoy.com – RIG EK
VirusTotal report showing URLs resolving to 185.154.53.33
23.249.162.164 – GET /Base64 encoded URI string
23.249.162.164 – GET /yor8Vzpo75Y9b1f1pri/[random numbers].zip – LatentBot modules
23.249.162.164 – POST /web/?ACTION=HELLO
23.249.162.164 – POST /web/?ACTION=START&ID=[32 alphanumeric character ID]
23.249.162.164 – POST /web/?ID=[32 alphanumeric character ID]
23.249.162.164 – ...

Update on GoodMan

I discovered the GoodMan campaign on January 20th, 2017. You can read a detailed report on GoodMan HERE. Since March, 2017, I’ve seen more domains being registered by “goodmandilaltain@gmail.com” and I’ve recorded GoodMan delivering Sage 2.2 ransomware, ZeusVM, something with a file description of “Neighbur Readiness Ransomware,” and now what looks like LatentBot. Below is a list of some recent domains being ...