Fallout Exploit Kit Raccoon Stealer CVE-2018-4878 CVE-2018-15982 CVE-2018-8174 Raccoon Stealer Malware PCAP Download Traffic Sample

Fallout Exploit Kit is back and, as of 4-8-2020, is targeting the following vulnerabilities: CVE-2018-4878 (Adobe Flash Player), CVE-2018-15982 (Adobe Flash Player) and CVE-2018-8174 (Windows VBScript engine). Fallout has been observed in the wild delivering the following payloads:

Stop – Ransomware
GandCrab 5 – Ransomware
Kraken Cryptor – Ransomware
GandCrab – Ransomware
Maze – Ransomware
Fake Globe – Ransomware
Minotaur – Ransomware
Matrix – Ransomware
Sodinokibi – Ransomware
Raccoon Stealer – Information stealer

This sample, Raccoon Stealer (also known as Legion, Mohazo and Racealer), is a high-risk trojan that stealthily infiltrates the system and collects personal information. A host found running it should be treated as compromised and the data it had access to as exposed.

2020-02-24 19:34:02.651895 IP […]

Spelevo Exploit Kit EK Serves up Gozi Malware PCAP file download traffic sample

2020-02-19 19:23:32.510874 IP 192.168.4.239.49481 > 3.226.77.126.80: Flags [P.], seq 1:259, ack 1, win 258, length 258: HTTP: GET /go/141657/437555 HTTP/1.1
GET /go/141657/437555 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive

2020-02-19 19:23:32.511531 IP 192.168.4.239.49482 > 3.226.77.126.80: Flags [.], ack 1, win 258, length 0
2020-02-19 19:23:32.754783 IP 3.226.77.126.80 > 192.168.4.239.49481: Flags [.], ack 259, win 237, length 0
2020-02-19 19:23:33.299047 IP 3.226.77.126.80 > 192.168.4.239.49481: Flags [P.], seq 1:485, ack 259, win 237, length 484: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Wed, 19 Feb 2020 23:23:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Content-Encoding: gzip […]

Underminer Exploit Kit EK Delivers Unknown shorico.club Malware Drop PCAP file Download Traffic Analysis

Sandbox behaviour summary (MALICIOUS / SUSPICIOUS / INFO):
Changes settings of System certificates: rundll32.exe (PID: 2164)
Connects to CnC server: rundll32.exe (PID: 2164)
Loads dropped or rewritten executable: regsvr32.exe (PID: 2852), regsvr32.exe (PID: 3052), regsvr32.exe (PID: 1660)

2020-02-16 10:55:07.432210 IP 192.168.4.88.49367 > 35.168.149.183.80: Flags [P.], seq 1:259, ack 1, win 258, length 258: HTTP: GET /go/255951/527805 HTTP/1.1
GET /go/255951/527805 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive

2020-02-16 10:55:07.432941 IP 192.168.4.88.49368 > 35.168.149.183.80: Flags [.], ack 1, win 258, length 0
2020-02-16 10:55:07.632809 IP 35.168.149.183.80 > 192.168.4.88.49367: Flags [.], ack 259, win 237, length 0
2020-02-16 10:55:07.933694 IP 35.168.149.183.80 […]

NEW Flash Exploiting Lord EK Exploit Kit Found in the Wild PCAP Download Traffic Sample Analysis

A newly identified exploit kit is targeting vulnerable versions of Adobe's Flash Player, Malwarebytes security researchers say. Dubbed "Lord," the exploit kit (EK) was initially identified by Virus Bulletin's Adrian Luca. The toolkit emerged as part of a malvertising chain via the PopCash ad network. The EK uses a compromised website to redirect unsuspecting victims to its landing page. Initially, the landing page was rudimentary and served in clear text, but the toolkit operators quickly moved to obfuscate it. The landing page contains a function that checks for the presence of Flash Player before attempting to exploit CVE-2018-15982. One thing […]

Rig Exploit Kit EK Loads MedusaHTTP Malware Trojan Backdoor Flash Exploit PCAP File Download Traffic Sample

2019-08-12 16:57:48.518525 IP 10.8.12.101.49158 > 188.225.37.115.80: Flags [P.], seq 1:737, ack 1, win 64240, length 736: HTTP: GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 188.225.37.115
Connection: Keep-Alive

2019-08-12 16:57:48.518651 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [.], ack 737, win 64240, length 0
2019-08-12 16:57:49.127786 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [P.], seq 1:1277, ack 737, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 12 Aug 2019 20:57:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: […]
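The Spelevo, Underminer and Rig captures above share two request shapes that a triage script can pick out of a tcpdump -A dump: the PopCash redirector hop (GET /go/<id>/<id> with Host ps.popcash.net) and the Rig landing request to a bare IP address whose query string opens with a base64 token, carries a run of dictionary-word parameters and ends in two long base64url blobs. The Python below is an added example and not code from the original posts or from any tool they mention. It runs offline over the three request lines taken from these captures plus one constructed benign request used as a control. The tag names, the thresholds and the control request are assumptions; the Rig rule is a heuristic fitted to the single request on this page, not a published signature.

```python
"""Triage of HTTP request lines from exploit-kit captures (added example)."""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Request shapes taken from the captures above (Spelevo, Underminer, Rig) plus
# one constructed benign request as a control. Header sets are abbreviated.
SAMPLE_REQUESTS = [
    "GET /go/141657/437555 HTTP/1.1\r\nHost: ps.popcash.net\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n\r\n",
    "GET /go/255951/527805 HTTP/1.1\r\nHost: ps.popcash.net\r\n\r\n",
    "GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy"
    "&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual"
    "&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution"
    "&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred"
    "&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA"
    "&zUugkiAM=detonator"
    "&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI"
    "&NCXtqqIJMzUwNDg0 HTTP/1.1\r\nHost: 188.225.37.115\r\n\r\n",
    # Constructed benign control, not from any capture.
    "GET /index.html?lang=en&page=2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

POPCASH_PATH = re.compile(r"^/go/\d+/\d+$")          # ps.popcash.net redirector hop
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
LONG_BLOB = re.compile(r"^[A-Za-z0-9_-]{60,}$")       # base64url-looking value, 60+ chars
DICT_WORD = re.compile(r"^[a-z]{4,}$")                # plain lowercase dictionary word

# Heuristic thresholds: assumptions fitted to the single Rig request above,
# not a published signature. Tune them against your own corpus.
MIN_WORD_VALUES = 8
MIN_LONG_BLOBS = 2


def parse_request(raw):
    """Split a raw HTTP request (as printed by tcpdump -A) into method, target and headers."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def is_ip_literal(host):
    """True when the Host header is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host.split(":")[0])
    except ValueError:
        return False
    return True


def decode_leading_token(token):
    """Decode a standalone base64 token to ASCII text, or return None if it is not one."""
    if not BASE64_TOKEN.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(req):
    """Return the list of tags that apply to one parsed request."""
    tags = []
    host = req["headers"].get("host", "")
    url = urlsplit(req["target"])
    if host == "ps.popcash.net" and POPCASH_PATH.match(url.path):
        tags.append("popcash-redirector")
    segments = url.query.split("&") if url.query else []
    if segments and is_ip_literal(host):
        # Rig shape: leading base64 token that decodes to digits, many
        # word-valued parameters, and at least two long base64url blobs.
        leading = decode_leading_token(segments[0])
        values = [seg.partition("=")[2] for seg in segments]
        words = sum(1 for v in values if DICT_WORD.match(v))
        blobs = sum(1 for v in values if LONG_BLOB.match(v))
        if leading and leading.isdigit() and words >= MIN_WORD_VALUES and blobs >= MIN_LONG_BLOBS:
            tags.append("rig-style-landing-uri")
    return tags


def triage(raw_requests):
    """Classify raw requests; returns (host, tags) pairs in input order."""
    results = []
    for raw in raw_requests:
        req = parse_request(raw)
        results.append((req["headers"].get("host", ""), classify(req)))
    return results


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_REQUESTS):
        print(f"{host:20} {', '.join(tags) or 'no match'}")
```

The leading token of the Rig request, ODE2NTA=, base64-decodes to the digit string 81650, which is why the rule asks for a numeric decode rather than any base64-looking value: a hostname-free request whose first parameter is an encoded integer ID, padded with English words and two 80-character keys, is a very different shape from an ordinary query string. Feed real traffic through parse_request after extracting request blocks with tshark or scapy; the regexes here deliberately do not try to decode the two long blobs, which are the kit's own key material.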