Exploit kits: fall 2018 review
With a fresh exploit kit in town, the drive-by download landscape shows new signs of life in fall 2018.
RIG exploit kit campaign gets deep into crypto craze
We take a look at a prolific campaign that is focused on the distribution of coin miners via drive-by download attacks. We started to notice larger-than-usual payloads from the RIG exploit kit around November 2017, a trend that has continued more recently via a campaign dubbed Ngay.
LatentBot piece by piece
LatentBot is a multi-modular Trojan written in Delphi and known to have been around since 2013. Recently, we captured and dissected a sample distributed by RIG Exploit Kit.
Elusive Moker Trojan is back
We finally have gotten our hands on a sample of Moker Trojan (that was discovered in 2015). This article will be a deep dive in its capabilities.
Websites compromised in ‘Decimal IP’ campaign
This URL is quite probably unlike anything you’ve ever seen before and yet still works and redirects to malware.
The HookAds malvertising campaign
In this post we take a look at a malvertising campaign that we traced back to late August and that is targeting adult traffic. While initially pushing the Neutrino exploit kit, it switched to RIG EK in September. We estimate that at least one million visitors to adult websites were exposed to this particular campaign.
New-looking Sundown EK drops Smoke Loader, Kronos banker
In this post we take a quick glance at some changes made to the Sundown exploit kit. The landing page has been tweaked and uses various obfuscation techniques. Sundown is used in some smaller campaigns and in this particular case dropped a downloader followed by a banking Trojan.
Just For Men website serves malware
The website for Just For Men, a company that sells various products for men, had their website breached and was serving a password stealing Trojan. The malicious code embedded in the WordPress site was part of the EITest campaign and pushed the RIG exploit kit.
Exploit kit shakedown: RIG EK grabs Neutrino EK campaigns
Something unusual happened in the exploit kit ecosystem. Two well-known malware distribution campaigns switched from Neutrino EK to RIG EK. A temporary blip or a more durable change? Only time will tell.
Smoke Loader – downloader with a smokescreen still alive
This time we will have a look at another payload from recent RIG EK campaign. It is Smoke Loader (also known as Dofoil), a bot created several years ago. One of its early versions was advertised on the black marker in 2011.