2018-01-19 - THREE RECENT EXAMPLES OF NGAY CAMPAIGN RIG EK

ASSOCIATED FILES:

  • 2018-01-12-Rig-EK-sends-Smoke-Loader-sends-Monero-coinminer.pcap   (3,183,941 bytes)
  • 2018-01-14-Rig-EK-sends-Monero-coinminer.pcap   (974,045 bytes)
  • 2018-01-19-Rig-EK-sends-Remcos-RAT.pcap   (341,560 bytes)
  • 2018-01-12-Monero-post-infection-artifact-RotlLipoma.cab   (754,387 bytes)
  • 2018-01-12-Monero-post-infection-artifact-garibaldis.dll   (65,536 bytes)
  • 2018-01-12-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2018-01-12-Rig-EK-flash-exploit.swf   (13,806 bytes)
  • 2018-01-12-Rig-EK-landing-page.txt   (96,839 bytes)
  • 2018-01-12-Rig-EK-payload-SmokeLoader.exe   (129,080 bytes)
  • 2018-01-12-follow-up-malware-Monero-coinminer.exe   (849,985 bytes)
  • 2018-01-14-Monero-post-infection-artifact-Biogen.cab   (754,105 bytes)
  • 2018-01-14-Monero-post-infection-artifact-Romaic.dll   (86,016 bytes)
  • 2018-01-14-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2018-01-14-Rig-EK-flash-exploit.swf   (13,796 bytes)
  • 2018-01-14-Rig-EK-landing-page.txt   (96,787 bytes)
  • 2018-01-14-Rig-EK-payload-Monero-coinminer.exe   (855,963 bytes)
  • 2018-01-19-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2018-01-19-Rig-EK-flash-exploit.swf   (13,836 bytes)
  • 2018-01-19-Rig-EK-landing-page.txt   (96,812 bytes)
  • 2018-01-19-Rig-EK-payload-Remcos-RAT.exe   (171,520 bytes)

NOTES:


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:


TRAFFIC


Shown above:  Ngay campaign Rig EK from Friday 2018-01-12.



Shown above:  Ngay campaign Rig EK from Monday 2018-01-14.



Shown above:  Ngay campaign Rig EK from Friday 2018-01-19.


FRIDAY 2018-01-12:

MONDAY 2018-01-14:

FRIDAY 2018-01-19:


FILE HASHES

RIG EK FLASH EXPLOITS:

RIG EK PAYLOADS OR FOLLOW-UP MALWARE:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.