Tag: Sundown Exploit Kit

Finding a Good Man: Part 2
Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/ Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/ It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...

Finding A ‘Good Man’
On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for the Sundown and RIG exploit kits. It was at this point that I began to track the TDS and its registrant. The first infection I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a ...

Sundown EK using 40.69.68.179, Which is Assigned to Microsoft Corporation (MSFT).
Here is a picture of traffic collected during some of my investigations today: I didn’t think to look at the Whois information belonging to 40.69.68.179 until one of my friends, @Ledtech3, pointed this out: Checking the IP's resolution history shows that the first time a domain resolved to it was today, 01/25/17. All of the domains appear to ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.
IOCs:
88.99.41.189 – qj.fse.mobi – Sundown EK
86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot
93.190.143.82 – mhn.jku.mobi – Sundown EK
93.190.143.82 – nso.fzo.mobi – Sundown EK
93.158.215.169 – domainfilsdomainc.study – RIG-v EK
Sundown EK Traffic Run 1 (traffic exported from SIEM):
FlashPlayer.exe Run 2:
Sundown EK Traffic Run 3:
RIG-v EK Traffic Run ...

Sundown EK: Pre-Landing Page.
IOCs:
93.190.143.82 – dp.jev.mobi and nso.fzo.mobi – Sundown EK
Traffic:
Hashes:
SHA256: 37d479720f7d5f5bc2ec8ff93568798ba891bc35514925f4969cbc5a48c869c0 – File name: iedetector.js
SHA256: 1230ef25fd9d4238ad80d5e4a0e5d489075edfe9b7321c691f99972de640541b – File name: index2.php.html
SHA256: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e – File name: 9643522803.swf
SHA256: 5aaaa4f18ff200eb46f8be49f720f2462e954c2ef216d1258c6c3ed99ec1d4bf – File name: 947545190441&id=257.swf
SHA256: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 – File name: 78493521.swf
Today I saw Sundown EK using a “pre-landing” page containing script tags pointing to JavaScript files via relative paths. The file /trafficScript/iedetector.js contains ...

EITest Leads to Sundown EK at 93.190.143.82 and Drops Cerber
IOCs:
93.190.143.82 – cfx.hvb.mobi – Sundown EK
93.190.143.82 – hxrheg.fve.mobi – Sundown EK
Cerber check-in traffic via UDP port 6892:
90.2.1.0/27
90.3.1.0/27
91.239.24.0/23 (CIDR address range: 91.239.24.0 – 91.239.25.255)
162.220.244.29 – p27dokhpz2n7nvgr.onion – Cerber Decryptor page
162.220.244.29 – p27dokhpz2n7nvgr.1kja1j.top – Cerber Decryptor page
162.220.244.29 – p27dokhpz2n7nvgr.1dlcbk.top – Cerber Decryptor page
162.220.244.29 – p27dokhpz2n7nvgr.15l2ub.top – Cerber Decryptor page
HTTP Method and URIs: GET ...
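The IOC lists in the posts above (EK and dropper domains, the hosting IPs, the Cerber decryptor hostnames and the UDP/6892 check-in ranges) are only useful if they are actually run against logs. The following is an added example, not code from the original posts: a small matcher that takes the indicators exactly as listed above and applies them to constructed proxy records and flow records. The sample records, the 10.0.0.x client addresses and the function names are assumptions made for illustration; the Cerber decryptor rule matches on the shared first label because the same label appears on the .onion and all three .top domains listed.

```python
"""Match proxy and flow records against the Sundown/RIG/Ursnif/Cerber
indicators listed in the posts above. Sample records are constructed."""
import ipaddress

# Domain indicators from the posts above (hostname -> what it served).
IOC_HOSTS = {
    "qj.fse.mobi": "Sundown EK",
    "mhn.jku.mobi": "Sundown EK",
    "nso.fzo.mobi": "Sundown EK",
    "dp.jev.mobi": "Sundown EK",
    "cfx.hvb.mobi": "Sundown EK",
    "hxrheg.fve.mobi": "Sundown EK",
    "badboys.net.in": "Ursnif dropper (FlashPlayer.exe)",
    "domainfilsdomainc.study": "RIG-v EK",
}

# IP indicators from the posts above; matched when the hostname is unknown.
IOC_IPS = {
    "88.99.41.189": "Sundown EK",
    "93.190.143.82": "Sundown EK",
    "40.69.68.179": "Sundown EK",
    "86.106.131.137": "Ursnif dropper (FlashPlayer.exe)",
    "93.158.215.169": "RIG-v EK",
    "162.220.244.29": "Cerber decryptor page",
}

# The decryptor page was reached as an .onion and via several .top domains
# that all share this first label, so match on the label rather than a list.
CERBER_DECRYPTOR_LABEL = "p27dokhpz2n7nvgr."

# Cerber check-in: UDP datagrams to port 6892 sprayed across these ranges.
CERBER_CHECKIN_PORT = 6892
CERBER_CHECKIN_NETS = [ipaddress.ip_network(n) for n in
                       ("90.2.1.0/27", "90.3.1.0/27", "91.239.24.0/23")]


def classify_http(host, dst_ip):
    """Return the indicator label for one proxy/HTTP record, or None."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTS:
        return IOC_HOSTS[host]
    if host.startswith(CERBER_DECRYPTOR_LABEL):
        return "Cerber decryptor page"
    return IOC_IPS.get(dst_ip)


def is_cerber_checkin(proto, dst_ip, dst_port):
    """True for a UDP datagram to port 6892 inside a Cerber check-in range."""
    if proto.upper() != "UDP" or dst_port != CERBER_CHECKIN_PORT:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in CERBER_CHECKIN_NETS)


def scan_http(records):
    """records: iterable of (src_ip, host, dst_ip). Returns matching hits."""
    hits = []
    for src, host, dst in records:
        label = classify_http(host, dst)
        if label:
            hits.append((src, host, dst, label))
    return hits


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, proto, dst_port). Returns check-ins."""
    return [(src, dst) for src, dst, proto, port in flows
            if is_cerber_checkin(proto, dst, port)]


# Constructed sample records (assumed for illustration, not from a capture).
SAMPLE_HTTP = [
    ("10.0.0.5", "www.example.com", "93.184.216.34"),
    ("10.0.0.5", "nso.fzo.mobi", "93.190.143.82"),
    ("10.0.0.5", "badboys.net.in", "86.106.131.137"),
    ("10.0.0.5", "p27dokhpz2n7nvgr.1kja1j.top", "162.220.244.29"),
    ("10.0.0.7", "cdn.example.net", "88.99.41.189"),  # unknown host, known IP
]
SAMPLE_FLOWS = [
    ("10.0.0.5", "91.239.25.17", "UDP", 6892),  # inside 91.239.24.0/23
    ("10.0.0.5", "90.2.1.40", "UDP", 6892),     # outside the /27 (.0-.31)
    ("10.0.0.5", "90.3.1.9", "TCP", 6892),      # right range, wrong protocol
    ("10.0.0.5", "8.8.8.8", "UDP", 53),
]

if __name__ == "__main__":
    for hit in scan_http(SAMPLE_HTTP):
        print("HTTP  ", *hit)
    for hit in scan_flows(SAMPLE_FLOWS):
        print("CERBER", *hit)
```

The flow rule deliberately requires all three of protocol, port and range: port 6892 alone would fire on unrelated UDP traffic, and the /27s are narrow enough that an off-by-one in the mask (treating 90.2.1.0/27 as the whole /24) would add false positives. The IP fallback in classify_http catches cases where the proxy logged a host the lists do not contain but the connection still went to a known EK server, which is what happened with the ever-rotating .mobi domains on 93.190.143.82.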