Tuesday, November 15, 2022

SmokeLoader Themed Malware Serving Campaign Spotted in the Wild - An Analysis

Dear blog readers,

I've decided to share with everyone some technical details behind a currently circulating malware serving campaign that drops a SmokeLoader variant on the targeted host and uses a set of C&C server domains and IPs for communication with the attackers.

Sample screenshots include:

[screenshots not reproduced in this text version]

Sample campaign structure:

MD5: ccaf26afe7db068aa11331f6c5af14d8

hxxp://host-file-host6.com - 34.106.70.53

hxxp://host-host-file8.com

Related responding IPs known to have been involved in the campaign:

hxxp://176.124.221.9

hxxp://23.48.95.144

hxxp://45.91.8.70

hxxp://185.144.28.175

hxxp://31.44.185.182

hxxp://8.209.65.68

hxxp://45.134.27.228

hxxp://2.16.165.19

hxxp://185.251.89.108

hxxp://195.186.210.241

Stay tuned!

Massive Malware Serving Campaign Abuses Portmap, a Web-Based Port Forwarding Solution - An Analysis

Dear blog readers,

In this post I've decided to further profile a currently circulating njRAT dropping campaign that uses a popular web-based port forwarding service as its C&C endpoint, with the idea of providing everyone with the necessary situational awareness and technical details regarding the campaign. Note that with a port forwarding service the attacker's actual listener sits behind the service: the bot connects to a tenant hostname that the service relays to the operator's machine, so the public C&C IP belongs to the service rather than to the operator.

Sample campaign C&C and associated domains:

MD5: d8191eee2d99a00cb664d100ffc73b9c
hxxp://enderop44-36084.portmap.host - 193.161.193.99 
URL: hxxp://www.cofo.ga/a/KeyOneA.exe
Botnet C&C: hxxp://cofo.ga - hxxp://52.70.248.161; hxxp://193.161.193.99
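
Both posts above publish their indicators defanged (hxxp://) and mixed with free text. As an added example that is not part of the original posts or the author's tooling, the following Python script refangs and parses those indicators into hash, IP and domain sets and sweeps them over a handful of constructed proxy, DNS and EDR log records. It also treats any hostname under portmap.host as a hunting lead rather than a confirmed hit; that suffix rule is an assumption of this example (a port forwarding service has many legitimate tenants), not something the posts state, and the log lines are constructed for illustration.

```python
"""Sweep logs for the SmokeLoader and njRAT indicators published in the two posts.
Example added for this page, not the blog author's tooling. Indicator text is copied
from the posts; the log records are constructed; the portmap.host rule is a heuristic."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Indicators exactly as published (defanged with hxxp://).
SMOKELOADER_IOCS = """
MD5: ccaf26afe7db068aa11331f6c5af14d8
hxxp://host-file-host6.com - 34.106.70.53
hxxp://host-host-file8.com
hxxp://176.124.221.9
hxxp://23.48.95.144
hxxp://45.91.8.70
hxxp://185.144.28.175
hxxp://31.44.185.182
hxxp://8.209.65.68
hxxp://45.134.27.228
hxxp://2.16.165.19
hxxp://185.251.89.108
hxxp://195.186.210.241
"""

NJRAT_IOCS = """
MD5: d8191eee2d99a00cb664d100ffc73b9c
hxxp://enderop44-36084.portmap.host - 193.161.193.99
URL: hxxp://www.cofo.ga/a/KeyOneA.exe
Botnet C&C: hxxp://cofo.ga - hxxp://52.70.248.161; hxxp://193.161.193.99
"""

# Assumption of this example: any tenant hostname of the port forwarding
# service is a lead worth triage, because the operator sits behind the service.
PORT_FORWARD_SUFFIXES = (".portmap.host",)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
DEFANGED_HOST = re.compile(r"hxxp://([^\s/;]+)", re.IGNORECASE)
HOSTNAME_TOKEN = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


@dataclass
class IocSet:
    md5s: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)


def refang(text: str) -> str:
    """Turn hxxp:// back into http:// (e.g. to submit a URL to a sandbox)."""
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def parse_iocs(*blobs: str) -> IocSet:
    """Pull MD5s, IPv4s and hostnames out of free-text indicator listings."""
    iocs = IocSet()
    for blob in blobs:
        iocs.md5s.update(h.lower() for h in MD5.findall(blob))
        iocs.ips.update(IPV4.findall(blob))
        for host in DEFANGED_HOST.findall(blob):
            host = host.lower()
            if not IPV4.fullmatch(host):  # hxxp://1.2.3.4 is an IP, not a domain
                iocs.domains.add(host)
    return iocs


def scan_line(line: str, iocs: IocSet) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) hits for one log record."""
    hits = []
    for ip in IPV4.findall(line):
        if ip in iocs.ips:
            hits.append(("ip", ip))
    for h in MD5.findall(line):
        if h.lower() in iocs.md5s:
            hits.append(("md5", h.lower()))
    for token in HOSTNAME_TOKEN.findall(line.lower()):
        if token in iocs.domains:
            hits.append(("domain", token))
        elif token.endswith(PORT_FORWARD_SUFFIXES):
            hits.append(("port_forward_host", token))  # lead, not a confirmed hit
    return hits


def scan_logs(lines: List[str], iocs: IocSet) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line_index, hits) for every record that matched something."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results.append((idx, hits))
    return results


# Constructed proxy/DNS/EDR records for illustration; not real telemetry.
LOG_LINES = [
    "2022-11-15T10:02:11Z proxy src=10.0.0.21 dst=34.106.70.53 host=host-file-host6.com uri=/ action=allow",
    "2022-11-15T10:05:42Z dns client=10.0.0.34 query=enderop44-36084.portmap.host answer=193.161.193.99",
    "2022-11-15T10:06:00Z edr host=ws-17 file=KeyOneA.exe md5=D8191EEE2D99A00CB664D100FFC73B9C",
    "2022-11-15T10:07:13Z proxy src=10.0.0.50 dst=203.0.113.9 host=www.example.com uri=/ action=allow",
    "2022-11-15T10:09:01Z dns client=10.0.0.34 query=other-tenant-12345.portmap.host answer=203.0.113.7",
]

if __name__ == "__main__":
    iocs = parse_iocs(SMOKELOADER_IOCS, NJRAT_IOCS)
    for idx, hits in scan_logs(LOG_LINES, iocs):
        print(f"line {idx}: {hits}")
```

A known domain or IP takes precedence over the suffix heuristic, so the published portmap.host hostname is reported as a domain hit while an unrelated tenant of the same service is only flagged for review.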

Sample screenshots include:

[screenshots not reproduced in this text version]

Sample VirusTotal Graph regarding the malicious campaign:

[graph image not reproduced in this text version]

Stay tuned!