Tag: Traffic Distribution System

Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.

A couple of days ago I came across an unusual-looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us: Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that ...

Finding a Good Man: Part 2

Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/ Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/ It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...

Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan

On April 5th, 2017, the Twitter user thlnk3r sent a message to Brad and me about a malvertising chain using onclkds.com to redirect hosts to RIG exploit kit. Here is the Tweet: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 194.58.38.64 as my referer. Here is the traffic ...

Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for Sundown and RIG exploit kit. It was at this point that I began to track the TDS and its registrant. My first infection that I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a ...

Keitaro TDS Leads to RIG-v EK at 188.225.36.231

IOCs: 188.225.36.231 – hand.stayatsouthpadre.com – RIG-v EK 31.11.32.225 – www pivesso.us – GET /Img/Gif/oni64.gif – Tor client 37.48.122.26 – curlmyip.net – Used for host IP lookup Post-infection Tor traffic going over TCP port 9001 – ET POLICY TLS possible TOR SSL traffic DNS Queries: resolver1.opendns.com – ET POLICY OpenDNS IP Lookup 222.222.67.208.in-addr.arpa myip.opendns.com Traffic: Hashes: SHA256: 0c1b3a0131c98032141d2315902b546bd926d5d4365628dafbbfca165f934f12 ...

BossTDS and Exploit Kits

Download the Appendix – bosstds-and-exploit-kits.xlsx Appendix A – DNS resolutions for 188.68.252.146. Appendix B – Advertisement page Whois information. Appendix C – Host pairs. Appendix D – Summary of investigations: IPs, domains, redirection methods, EKs, hashes. Appendix E – BossTDS Whois information. Appendix F – Additional IP Whois information. BossTDS Capabilities Traffic control software, like BossTDS, offers users highly ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs: 88.99.41.189 – qj.fse.mobi – Sundown EK 86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot 93.190.143.82 – mhn.jku.mobi – Sundown EK 93.190.143.82 – nso.fzo.mobi – Sundown EK 93.158.215.169 – domainfilsdomainc.study – RIG-v EK Sundown EK Traffic Run 1 (Traffic exported from SIEM): FlashPlayer.exe Run 2: Sundown EK Traffic Run 3: RIG-v EK Traffic Run ...

Advertisement Domain Led to BossTDS, Which Redirected Host to RIG-v Exploit Kit at 92.53.120.207

IOCs: 92.53.120.207 – good.chronic.news – RIG-v EK 79.134.225.49 – hpservice.zapto.org – Post-infection traffic via TCP port 5044 DNS query for hpservice.zapto.org, response from authoritative NS: nf1.no-ip.com nf2.no-ip.com nf3.no-ip.com nf4.no-ip.com Traffic: Hashes: SHA256: 7334e5f058f0ae9a0bbe073da49bb155255855705907ea84fa40098994ba3c27 File name: Flash Exploit RIG-v.swf SHA256: 51ce2615b3b0784f55d03d1ba3f77d13aaca40931c72df750b0e298edaf6e3c4 File name: ETTYUADAF SHA256: 01028a0702188f86b8c743cb3af891073df63310e4f3013ae7aeba0aee01e40e File name: rad94DC8.tmp.exe, drivupdater.exe Hybrid-Analysis Submission Infection Chain: I have ...

Traffic Distribution System is Funneling Traffic to RIG-v Exploit Kit

On November 28th of this year my host was redirected to a RIG-v exploit kit server; however, this time the redirect came from a suspicious-looking web page. This was somewhat unusual for me, as the majority of exploit kit infections that I deal with begin when a user visits a legitimate site. These vulnerable ...

302 Redirects from Traffic Distribution System Led to RIG-V EK at 194.87.238.156. Dropped Downloader & “XKeyScore” Keylogger

IOCs: GET /in/traf/ – 302 redirect via port 18001 (BossTDS port) GET /boom/mix.php – 302 redirect via port 18001 (BossTDS port) 194.87.238.156 – try.uludan.com – Rig-V EK (landing page, Flash exploit, and payload) 111.221.47.162 – POST /faa38820fa/dd6c45917a/d23d3e97c0/chat.php – Base64 encoded data being POSTed back 188.40.248.71 – GET /~mysuperp/crypt2_7038.exe – Additional malware downloaded 91.107.108.124 – POST ...