Tag: PushDo

RIG EK Delivers Pushdo / Cutwail Botnet and RELST Campaign Still Pushing Chthonic.

Background on the RELST campaign:
https://malwarebreakdown.com/2017/06/05/roughted-malvertising-operation-leads-to-relst-domains-and-rig-ek/
https://malwarebreakdown.com/2017/06/06/relst-campaign-delivering-pony-downloads-chthonic/

On 06/26/17 @thlnk3r informed me that they had located a RELST domain. The source code from webshoot.pw (104.18.32.54 and 104.18.33.54) shows “relst” in the iframe id. The RELST campaign uses different social engineering tactics in order to convince users to download ZIP files (Photo05.zip) that contain malicious scripts (Photo.js). Click HERE to view ...


PushDo Checkin Traffic Update

I infected my computer with PushDo on Oct. 20, 2016, which you can read about HERE. I ran the computer again today and re-collected some callback traffic (ET TROJAN Backdoor.Win32.Pushdo.s Checkin). I’m adding this update because there were some new domains and IPs in the traffic. Below you will find an Excel sheet of the ...


EITest Leads to Rig EK at 185.45.193.52 Which Drops PushDo/Cutwail

IOCs: 198.23.50.198 – luxurenailbar.com – Compromised website; 185.45.193.52 – jw1f0y.wkfroa.top – Rig EK. Post infection POST requests: ...