Tag: Malvertising

RIG EK at 5.200.52.238 Drops Ransom Locker

The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain:

[infection chain diagram]

You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...

RIG EK at 92.53.127.21 Drops Dreambot

IOCs:

209.126.118.90 – cominents.gdn – Fake ad infrastructure. Server returned RIG's pre-filter page, which contained the URL for the landing page.
92.53.127.21 – try.werrew.info – RIG EK
176.223.111.198 – GET /images/[removed]/.avi
176.223.111.198 – GET /tor/t64.dll – Tor module
208.43.71.133 – avast.com – GET /images/[removed]/.jpeg or .gif – ET Trojan Ursnif Variant CnC Beacon 4
37.48.122.26 – ...

HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.

IOCs:

104.27.134.78 – multimediaz.net – Website hosting script for onclickads.net
206.54.163.4 – onclickads.net – Checks Flash. Redirects to onclkds.com.
206.54.163.50 – onclkds.com – Returns "302 Moved Temporarily"; new location is set to avatrading.org
185.51.244.202 – avatrading.org – Domain in fake ad network. Contains iframe for stockholmads.info
185.51.244.210 – stockholmads.info – GET /rotation/check-hits? – Contains iframe for RIG-v EK ...
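The Dreambot and HookAds IOC lists above describe the same pattern: a publisher page loads an ad-network script, a 302 bounces the browser into a fake ad network, and an iframe finally pulls the exploit kit landing page. As an added example (not code from the original posts), the Python script below takes the domains and IP addresses listed as IOCs on this page, matches them against proxy log lines, and walks the Referer chain backwards from the exploit-kit hit to the page the victim first visited. It also handles the detail that trips up naive chain reconstruction: browsers keep the original Referer across a 302, so the redirector never shows up as anyone's Referer and has to be recovered from its position in the log. The log format, client addresses, URL paths and the labels attached to each IOC are constructed for the example; only the domains and IPs come from the page.

```python
"""Match proxy log lines against the malvertising IOCs on this page and rebuild
the redirect chain from the EK landing page back to the entry page.
Added example: IOC domains/IPs are copied from the posts; log format, client
IPs, paths and labels are constructed."""
from urllib.parse import urlparse

# Domains listed as IOCs in the Dreambot and HookAds posts (labels are ours).
IOC_DOMAINS = {
    "cominents.gdn": "fake ad infrastructure / RIG pre-filter",
    "try.werrew.info": "RIG EK landing",
    "onclickads.net": "HookAds",
    "onclkds.com": "HookAds 302 redirector",
    "avatrading.org": "fake ad network",
    "stockholmads.info": "fake ad network (iframe to EK)",
}
# IP addresses listed as IOCs on this page (labels are ours).
IOC_IPS = {
    "5.200.52.238": "RIG EK",
    "92.53.127.21": "RIG EK",
    "217.107.219.99": "RIG-v EK",
    "176.223.111.198": "Dreambot payload / Tor module",
    "212.116.121.239": "ShadowGate",
    "5.200.55.173": "ShadowGate",
}
# Constructed proxy log (not real traffic), one request per line, in time order:
#   client_ip method url status referer dst_ip      ('-' = no Referer header)
# Note the 302 from onclkds.com: the follow-up request to avatrading.org keeps
# the *original* Referer (onclickads.net), exactly as a browser would send it.
SAMPLE_LOG = """\
10.0.0.5 GET http://multimediaz.net/index.html 200 - 104.27.134.78
10.0.0.5 GET http://onclickads.net/script.js 200 http://multimediaz.net/index.html 206.54.163.4
10.0.0.5 GET http://onclkds.com/ 302 http://onclickads.net/script.js 206.54.163.50
10.0.0.5 GET http://avatrading.org/ 200 http://onclickads.net/script.js 185.51.244.202
10.0.0.5 GET http://stockholmads.info/rotation/check-hits? 200 http://avatrading.org/ 185.51.244.210
10.0.0.5 GET http://217.107.219.99/?landing=x 200 http://stockholmads.info/rotation/check-hits? 217.107.219.99
10.0.0.7 GET http://example.com/ 200 - 93.184.216.34
"""
REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_log(text):
    """Parse the constructed log format into a list of dicts, preserving order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, url, status, referer, dst = line.split()
        records.append({"client": client, "method": method, "url": url,
                        "status": int(status),
                        "referer": None if referer == "-" else referer,
                        "dst": dst})
    return records


def host_of(url):
    return urlparse(url).hostname or ""


def ioc_label(rec):
    """Return the IOC label for a request, matching on hostname then dest IP."""
    host = host_of(rec["url"])
    return IOC_DOMAINS.get(host) or IOC_IPS.get(host) or IOC_IPS.get(rec["dst"])


def ioc_hits(records):
    """(client, host, label) for every request that touches an IOC."""
    hits = []
    for r in records:
        label = ioc_label(r)
        if label:
            hits.append((r["client"], host_of(r["url"]), label))
    return hits


def redirect_chain(records, client):
    """Hosts from the entry page to the last IOC hit for `client`, via Referers.
    Redirect (3xx) hops never appear as a Referer, so any 3xx logged between a
    parent and its child with the parent's URL as Referer is spliced back in."""
    recs = [r for r in records if r["client"] == client]
    hits = [i for i, r in enumerate(recs) if ioc_label(r)]
    if not hits:
        return []
    idx = hits[-1]
    chain, seen = [recs[idx]], {idx}
    while recs[idx]["referer"]:
        ref = recs[idx]["referer"]
        parent = next((j for j in range(idx - 1, -1, -1) if recs[j]["url"] == ref), None)
        if parent is None or parent in seen:
            break
        for j in range(idx - 1, parent, -1):  # reverse order; list is reversed below
            if recs[j]["status"] in REDIRECT_CODES and recs[j]["referer"] == ref:
                chain.append(recs[j])
        chain.append(recs[parent])
        seen.add(parent)
        idx = parent
    return [host_of(r["url"]) for r in reversed(chain)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(recs):
        print("IOC hit:", hit)
    print(" -> ".join(redirect_chain(recs, "10.0.0.5")))
```

Run stand-alone it prints the five IOC hits for 10.0.0.5 and the chain multimediaz.net -> onclickads.net -> onclkds.com -> avatrading.org -> stockholmads.info -> 217.107.219.99; the host at 10.0.0.7 produces nothing. On real proxy logs the same Referer walk works, provided the log records the Referer header and dst IP; if your proxy also logs the Location header of 3xx responses, use it instead of the positional splice for the redirector hops.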

BossTDS and Exploit Kits

Download the Appendix – bosstds-and-exploit-kits.xlsx

Appendix A – DNS resolutions for 188.68.252.146.
Appendix B – Advertisement page Whois information.
Appendix C – Host pairs.
Appendix D – Summary of investigations: IPs, domains, redirection methods, EKs, hashes.
Appendix E – BossTDS Whois information.
Appendix F – Additional IP Whois information.

BossTDS Capabilities

Traffic control software, like BossTDS, offers users highly ...

Malvertising in Action

ShadowGate IOCs:

IP = 212.116.121.239
IP = 5.200.55.173

Watch a host be compromised in real time! The original article is from Nick Biasini over at Talos. Click on this link to read more about this particular gate, malvertising, and how ShadowGate was eventually taken down!