Tag: Quant Loader
Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.
A couple days ago I came across an unusual looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us: Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that ...
EITest Leads to RIG EK at 188.225.36.196 And Drops Quant Loader. Downloads ZLoader/Zbot.
IOCs 199.116.248.108 – saywitzproperties.com – Compromised website (shout-out to thlnk3r who gave me the site) 188.225.36.196 – fds.japanbioenergy.org – RIG Exploit Kit 52.90.24.205 – unisdr.top – GET /mail.index.php – Response contains download locations for additional malware at trackerhost.us 52.90.24.205 – trackerhost.us – GET /drop/lsmk.exe – Additional malware 52.90.24.205 – gerber.gdn – POST / info.php – Post-infection traffic DNS ...
Malware breakdown 