Tags » Malvertising

Dreambot Dropped by HookAds

This will be a quick post as I just wanted to put out some updated IOCs.

“popunder.php” from the HookAds decoy site:

balkali[.]info/banners/countryhits:

HookAds is still pushing Dreambot via RIG EK.

IOCs

The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.

Although there continues to be an overall decrease in EK activity I’m still seeing a decent amount of malvertising leading to EKs. One campaign that I run into a lot is…

IOCs

HookAds Continues to use RIG EK to Drop Dreambot

A couple days ago RIG changed its URI parameters. This isn’t unusual as it seems to happen at least once a month. However, one thing to note is that RIG, at this moment, is using some base64 encoded strings in the URI.

IOCs

ipfilterX Codename Quora

>Date 07/07/2017

>UPDATES:

-Blocked Threats:
-Updated Threats: [2]
-IP Added Record: [+11K]
-Deleted:[-]
-Merged/Extended:

>COUNTRIES INVOLVED:

>Parsed lines/entries:23K Found IP ranges:23K Duplicate:0 Merged:0 Time:0 secs…

Seamless Campaign Drops Ramnit from RIG Exploit Kit at 188.225.76.204

This infection chain started from a malvertising chain that eventually led to the Seamless campaign. Background on the Seamless campaign can be found HERE.

IOCs

Seamless Campaign Leads to RIG EK at 188.225.79.43 and Drops Ramnit

As I was checking logs in the SIEM console over the weekend I came across another detection for the Seamless campaign.

You can see from the HTTP logs that there are two direct IPs, 194.58.60.51 and 194.58.60.52, being used by the Seamless campaign.

IOCs

A #Malvertising Campaign that Infects PCs with Mole #Ransomware

Malicious malvertising campaigns have taken the world by storm in the last few years, affecting hundreds of thousands of people all over the world.

#Mole Ransomware
https://goo.gl/qhU6uv