Tag: Pony

Malspam Delivers Pony and Loki-Bot

Originally posted at malwarebreakdown.com
Sender: user1@enteronly.com.tw
Subject: RE: Payment IN-2716 – MPA-PI17045 – USD
Attachment(s): Payment_001.doc and Payment_002.doc
Both Payment_001.doc and Payment_002.doc are malicious RTF documents triggering detections for CVE-2017-11882.
Payment_001.doc:
Traffic:
User-Agent: Windows Installer
User Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Pony Panel: Image found at hxxp://paclficinsight[.]com/new1/pony/china.jpg
IOCs
Network:
94.102.1.194 – hxxps://agahguner.com GET /44.msi
94.102.60.3 ...

RELST Campaign Delivering Pony, Downloads Chthonic.

On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there are various references to “RELST” in the code: In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign that had redirected my host to RIG exploit ...

RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK.

On 06/03/17 I stumbled across a malvertising chain that led to RIG exploit kit. What was unusual about this malvertising chain is that it was also leading to a lot of social engineering scams. After some research I have discovered that it could be related to the “RoughTed” malvertising campaign. You can read more about ...

RIG Exploit Kit at 185.154.53.7 Drops Pony, Downloads Philadelphia Ransomware.

IOCs
HTTP Traffic:
160.153.131.96 – serene.rushpcb.co.uk – GET /usde.php
185.154.53.7 – add.venicebeachsurflodge.com – RIG exploit kit
VirusTotal report showing URLs resolving to that IP
89.45.67.99 – POST /ppp/gate.php – Pony callback traffic
86.106.93.17 – GET /degate/de.exe – Philadelphia ransomware
86.106.93.17 – GET /de/de.php? – Philadelphia ransomware callback traffic
Hashes:
SHA256: 19f765ddf0242a6676e9eb2fb28f8095211ab1edad15025c3532f662de3aa954
File name: serene.rushpcb.co.ukusde.php.txt
SHA256: ...

Decimal IP Campaign

For a background on the Decimal IP Campaign please read this article written on March 29th, 2017, by Jérôme Segura over at Malwarebytes Lab: https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/
I got the decimal IP used for this infection from @nao_sec’s blog post found HERE.
IOCs:
104.156.250.131 – IP decimal redirector
162.220.246.254 – Fake Flash Player update landing page
23.56.113.194 – java.com ...

Malspam Leads to Hancitor, Downloads pm.dll (Pony) and inst.exe (Vawtrak)

IOCs:
77.246.149.178 – ledintutat[.]com/ls5/gate.php – Hancitor C2
81.169.145.93 – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony
77.246.149.178 – ledintutat[.]com/zapoy/gate.php – Pony C2
104.31.87.182 – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak
185.75.46.13 – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC)
Traffic:
IDS Events:
Hashes:
SHA256: d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8
File name: contract_54262.doc
SHA256: 420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926
File name: hancitor.dll
SHA256: 903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495
File name: ...