Tag: ZeuS

Roboto Condensed Social Engineering Scheme Delivers DELoader (aka Terdot or ZLoader).

My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this, which can be seen HERE.

The page presented to both Chrome and Firefox users:

Looking at the page source shows a different .ZIP file for Chrome and Firefox users: Chrome users download “Chrome_Font.zip”, which is ...


EITest Leads to Rig EK 185.141.26.72, 185.141.25.207 and 185.141.25.234

IOCs:
46.252.207.1 – amberhsu.com – Compromised site
185.141.25.207 – za95uur.ag0clk.top – Rig EK run #1 (blocked by ESET)
185.141.25.234 – h01wi.d7riwiu.top – Rig EK run #2
185.141.26.72 – gyu1f1.eowjl2.top – Rig EK run #3
222.206.156.2, 208.73.206.179, 23.108.245.93 – post-infection DNS queries shown below.

Domains resolving to the above IPs include:
nitrrotetris.com
monsterkillyep444.net
blintyris.net
lamerpamer.org ...


EITest Leads to Rig EK at 176.223.111.152. Malicious SSL Certificate Detected.

IOCs:
216.17.111.107 – theconservativeclub.us – Compromised website
176.223.111.152 – bj4lr.xl2sz08.top – Rig EK
222.206.156.2 and 208.73.206.179 – post-infection DNS queries (shown below); the infected host contacted both IPs via TCP port 80.

Domains resolving to the above IPs include:
nitrrotetris.com
monsterkillyep444.net
blintyris.net
lamerpamer.org
monertee39.com

Traffic:

Hashes:
SHA256: 92594f381dec2034ef0e0f53d0c5dbe8b8f706d36460e84172e9de9a08d3dec3
File name: RigEK Landing Page.html
SHA256: 49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd
File ...


EITest Leads to Rig EK at 176.223.111.33 and 176.223.111.77, Malicious SSL Certificate Detected

IOCs:
184.168.152.59 – abc-imports.com – Compromised website
176.223.111.33 – hs0ql.hd9ads4fb.top – Rig EK
176.223.111.77 – wub2v.pgpbpgu.top – Rig EK (second run)
222.206.156.2 and 208.73.206.179 – post-infection DNS queries (shown below); the infected host contacted both IPs via TCP port 80.

Domains resolving to the above IPs include:
nitrrotetris.com
monsterkillyep444.net
blintyris.net
lamerpamer.org
monertee39.com

Traffic (first run):

Hashes: ...


EITest Leads to Rig EK at 185.45.193.52 Which Drops PushDo/Cutwail

IOCs:
198.23.50.198 – luxurenailbar.com – Compromised website
185.45.193.52 – jw1f0y.wkfroa.top – Rig EK

Post-infection POST requests:
62.129.220.170 – infotech.pl
76.12.115.26 – leapc.com
50.63.46.84 – 2print.com
104.25.146.12 – dayvo.com
219.122.1.240 – ex-olive.com
103.241.2.201 – pb-games.com
193.34.148.140 – stnic.co.uk
77.66.54.114 – valdal.com
72.3.177.107 – owsports.ca
23.229.223.161 – nunomira.com
46.30.59.13 – com-sit.com
118.23.162.86 – ora.ecnet.jp
69.163.218.51 – ...
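The IOC lists in the EITest / Rig EK entries above are the kind of thing a defender feeds into a log search, and the shape of the chain (DNS query for a compromised site, DNS query and HTTP fetch to a Rig EK host, then queries for the post-infection domains) is what separates an infected host from one that merely browsed a compromised site. The following is an example added here, not the blog author's own tooling: it loads the indicators from the posts above (the Rig EK hostnames and their IPs, the post-infection domains and IPs, the compromised sites, and the two SHA256 values from the 176.223.111.152 post) and runs them over a constructed tab-separated log in an invented record format. Everything about the log, including timestamps and the internal 10.0.0.x addresses, is made up. Matching the registered parent domain of each Rig EK hostname (treating the rotating left-most label as disposable) is an assumption of the example, not something the posts state. The PushDo/Cutwail POST destinations are left out on purpose: that list is cut off in the excerpt and consists of ordinarily named sites, so matching on it would be noisy.

```python
"""IOC matcher built from the EITest / Rig EK indicators listed on this page.

Example code added to this page, not the blog author's tooling. The log
format (one tab-separated record per line: dns, conn or file) is constructed
for the demonstration and does not correspond to any real sensor's output.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Rig EK gates from the posts above: hostname -> IP it resolved to.
RIG_EK_HOSTS = {
    "za95uur.ag0clk.top": "185.141.25.207",
    "h01wi.d7riwiu.top": "185.141.25.234",
    "gyu1f1.eowjl2.top": "185.141.26.72",
    "bj4lr.xl2sz08.top": "176.223.111.152",
    "hs0ql.hd9ads4fb.top": "176.223.111.33",
    "wub2v.pgpbpgu.top": "176.223.111.77",
    "jw1f0y.wkfroa.top": "185.45.193.52",
}
# Post-infection DNS queries and the IPs they resolved to (contacted on TCP/80).
POST_INFECTION_DOMAINS = {"nitrrotetris.com", "monsterkillyep444.net",
                          "blintyris.net", "lamerpamer.org", "monertee39.com"}
POST_INFECTION_IPS = {"222.206.156.2", "208.73.206.179", "23.108.245.93"}
# Compromised sites carrying the EITest injection. A hit here is context only:
# the site itself is legitimate and many visitors never reach the EK.
COMPROMISED_SITES = {"amberhsu.com", "theconservativeclub.us",
                     "abc-imports.com", "luxurenailbar.com"}
# SHA256 of the Rig EK landing page and of the second file in that excerpt
# (its file name is cut off on the page).
RIG_EK_SHA256 = {
    "92594f381dec2034ef0e0f53d0c5dbe8b8f706d36460e84172e9de9a08d3dec3",
    "49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd",
}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: adequate for the .com/.net/
    .org/.top names on this page; co.uk-style suffixes would need a PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Assumption of this example: the EK rotates the left-most label but keeps the
# registered domain, so the parent domains are matched too.
RIG_EK_PARENTS = {registered_domain(h) for h in RIG_EK_HOSTS}
RIG_EK_IPS = set(RIG_EK_HOSTS.values())


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str        # internal host that produced the record
    kind: str       # which indicator class fired
    indicator: str  # the value that matched


def match_line(line_no: int, line: str) -> List[Hit]:
    """Check one constructed log record against every indicator set."""
    kind, _ts, src, *rest = line.rstrip("\n").split("\t")
    hits: List[Hit] = []
    if kind == "dns":
        query = rest[0].lower().rstrip(".")
        parent = registered_domain(query)
        if query in RIG_EK_HOSTS:
            hits.append(Hit(line_no, src, "rig_ek_host", query))
        elif parent in RIG_EK_PARENTS:
            hits.append(Hit(line_no, src, "rig_ek_parent_domain", parent))
        if query in POST_INFECTION_DOMAINS or parent in POST_INFECTION_DOMAINS:
            hits.append(Hit(line_no, src, "post_infection_dns", query))
        if query in COMPROMISED_SITES:
            hits.append(Hit(line_no, src, "compromised_site", query))
    elif kind == "conn":
        dst, dport, _proto = rest
        if dst in RIG_EK_IPS:
            hits.append(Hit(line_no, src, "rig_ek_ip", dst))
        elif dst in POST_INFECTION_IPS:
            hits.append(Hit(line_no, src, "post_infection_c2", f"{dst}:{dport}"))
    elif kind == "file":
        sha256 = rest[0].lower()
        if sha256 in RIG_EK_SHA256:
            hits.append(Hit(line_no, src, "rig_ek_file_sha256", sha256))
    return hits


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for n, line in enumerate(lines, 1) for h in match_line(n, line)]


def by_source(hits: Iterable[Hit]) -> Dict[str, Set[str]]:
    """Indicator classes per internal host: a host with rig_ek_* and
    post_infection_* hits stands out from one that only hit a compromised site."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        grouped[h.src].add(h.kind)
    return dict(grouped)


# Constructed sample log: 10.0.0.5 follows the chain from the abc-imports.com
# post above (with one rotated EK subdomain); 10.0.0.7 is benign.
SAMPLE_LOG = [
    "dns\t2017-08-01T10:00:01\t10.0.0.5\tabc-imports.com",
    "dns\t2017-08-01T10:00:02\t10.0.0.5\ths0ql.hd9ads4fb.top",
    "conn\t2017-08-01T10:00:02\t10.0.0.5\t176.223.111.33\t80\ttcp",
    "file\t2017-08-01T10:00:03\t10.0.0.5\t92594f381dec2034ef0e0f53d0c5dbe8b8f706d36460e84172e9de9a08d3dec3",
    "dns\t2017-08-01T10:00:09\t10.0.0.5\tqq9z1.hd9ads4fb.top",
    "dns\t2017-08-01T10:01:00\t10.0.0.5\tnitrrotetris.com",
    "conn\t2017-08-01T10:01:01\t10.0.0.5\t222.206.156.2\t80\ttcp",
    "dns\t2017-08-01T10:02:00\t10.0.0.7\twww.example.com",
    "conn\t2017-08-01T10:02:00\t10.0.0.7\t93.184.216.34\t443\ttcp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(by_source(scan(SAMPLE_LOG)))
```

Running it prints seven hits, all for 10.0.0.5, and the per-host summary shows that host with every indicator class while 10.0.0.7 does not appear at all. The compromised_site class is reported separately on purpose: on a real network it will fire for every visitor of those sites, so it is useful for scoping but should not page anyone on its own.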