Tag: Malvertising

Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at malwarebreakdown.com Follow me on Twitter Traffic from 03/21/18: The first part of the redirection chain shown above is the Fobos decoy site. The decoy site contains the following Base64-encoded string: The decoded string on the decoy site points to the next step in the redirection chain, the pre-landing page: Unpacked ...

Fobos Campaign Uses HookAds Template and Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at malwarebreakdown.com On closer inspection, it looks like Fobos is redirecting to the HookAds template (thanks Jerome for double-checking that for me). The decoy site that had redirected to HookAds on 03/07/18, shown here, is the same code found in this infection chain on 03/11/18. HTTP traffic: The decoy site contains ...

HookAds Campaign Is Back And Using RIG EK to Deliver Bunitu Proxy Trojan

Originally posted at malwarebreakdown.com I haven’t posted anything on the HookAds campaign since 09/17/2017. Likewise, checking malware-traffic-analysis.net shows the last write-up for HookAds on 08/01/17. According to Jérôme Segura, the campaign went away in late October 2017 and started to resurface in late February 2018. This is evident from a recent Twitter post from MrHazumhad which ...

Seamless Campaign Uses RIG EK to Deliver More Ramnit

Over the weekend I went hunting for malvertising campaigns hoping to find something other than Seamless. However, on both Saturday (run 1 on 02-24-18) and Sunday (run 2 on 02-25-18), I ended up finding myself the victim of a Ramnit infection, courtesy of the Seamless campaign and RIG EK. I don’t have any hard data ...

Seamless Campaign Uses RIG EK to Deliver Ramnit

Originally posted at malwarebreakdown.com It didn’t take me long to get the redirections that I had gone hunting for. Below is an edited image of the redirection chain: Flowchart of the redirection chain: One thing to note: libertex.one, which is currently resolving to 31.31.196.81 (Russia) and was registered on 02/07/2018, ...

RIG Exploit Kit Delivers Ramnit Banking Trojan via Seamless Malvertising Campaign

Last week I decided to play around with some sketchy sites and, not surprisingly, I found myself getting infected with malware. Let’s go over the redirection chain and then I’ll go into brief detail about the malware infection. After browsing on the sketchy site, we see some traffic to buzzadnetwork.com: Alexa shows that buzzadnetworks.com is ...

Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.

Note: I took a bit of break, but I will try to get back to posting more regularly. Today’s infection chain is a familiar one as it includes the Seamless campaign delivering Ramnit banking Trojan via RIG exploit kit. Below is an image of the infection chain, specifically the HTTP requests: The infection chain starts ...

Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.

A couple of days ago I came across an unusual-looking request for a RIG EK landing page. The log showed the referer coming from a site called pay-scale[.]us: Looking through the logs surrounding the event, I could see that the user had visited a shady site using the .ac ccTLD. Traffic estimates showed that ...

Seamless Campaign Delivers Ramnit Banking Trojan via RIG EK.

Recent threat hunting has led me to another Seamless gate which used RIG EK to deliver the Ramnit banking Trojan. The Seamless campaign, which has been around since at least February 2017, has always favored Ramnit as its payload. Often the Ramnit payloads will download additional malware such as the AZORult stealer. The publisher (a website that ...

Malvertising Leads to RIG EK and Drops Remcos RAT.

On 9/22/17, @thlnk3r tweeted images of an infection chain involving some malvertising and RIG exploit kit. Below is an image of the Tweet: One of the images seems to show a referer from PopCash.net, which is a popunder advertising network: The URI used by the popcash.net referer contains a Base64/URL-encoded string that ...
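Two of the excerpts above (the Fobos decoy page carrying a Base64-encoded pointer to its pre-landing page, and the PopCash referer URI carrying a Base64/URL-encoded string) hinge on the same triage step: pull Base64-looking blobs out of captured HTML or a URI, decode them with the right alphabet and padding, and keep only the ones that yield a URL, which is the next hop in the chain. The following is an added example written for this page, not code from malwarebreakdown.com or from any of the posts. The decoy HTML and referer URI it scans are constructed placeholders (hosts such as prelanding.example and popunder.example are invented), and the `recover_next_hops` and `decode_b64_any` helpers are mine.

```python
"""Recover redirect targets hidden in Base64 blobs in page source or referer URIs.

Added example for this page: the sample inputs below are constructed with
placeholder hosts and are not the strings from the original posts.
"""
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

# Candidate blobs: standard or URL-safe Base64 alphabet, >= 16 chars, optional padding.
_B64_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
_URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_b64_any(blob: str) -> Optional[str]:
    """Decode a blob as standard or URL-safe Base64, repairing stripped padding.

    Returns printable ASCII text, or None when neither alphabet yields it.
    """
    padded = blob + "=" * (-len(blob) % 4)
    for altchars in (None, b"-_"):  # standard alphabet first, then URL-safe
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            return text
    return None


def recover_next_hops(text: str) -> List[Tuple[str, str]]:
    """Return (blob, decoded) pairs whose decoded form contains an http(s) URL.

    The input is percent-decoded first because referer URIs carry the Base64
    URL-encoded (e.g. '=' as %3D, '/' as %2F); page source is unaffected.
    """
    hits = []
    for blob in _B64_RE.findall(unquote(text)):
        decoded = decode_b64_any(blob)
        if decoded and _URL_RE.search(decoded):
            hits.append((blob, decoded))
    return hits


# --- Constructed samples (placeholder hosts, not the posts' infrastructure) ---
DECOY_NEXT_HOP = "http://prelanding.example/land.php?id=123"
# A decoy page that decodes a Base64 string client-side and redirects to it.
SAMPLE_DECOY_HTML = (
    '<html><body><script>var u = atob("'
    + base64.b64encode(DECOY_NEXT_HOP.encode()).decode()
    + '"); window.location = u;</script></body></html>'
)
REFERER_TARGET = "http://landing.example/?r=abc"
# A popunder-style referer whose query parameter is Base64, then URL-encoded.
SAMPLE_REFERER = "http://popunder.example/click?d=" + quote(
    base64.b64encode(REFERER_TARGET.encode()).decode(), safe=""
)

if __name__ == "__main__":
    for label, sample in (("decoy page", SAMPLE_DECOY_HTML), ("referer URI", SAMPLE_REFERER)):
        for blob, url in recover_next_hops(sample):
            print(f"{label}: {blob[:24]}... -> {url}")
```

Run it against a saved page or the referer column of a proxy log; anything that decodes to a URL is a candidate next hop worth pivoting on. Blobs that are not Base64 (or decode to binary) are dropped silently, so the output is short even on busy pages.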