MalwareBreakdown

Typosquatting, ZeroPark, and RIG EK

Oct 9th, 2019
Typosquats of popular domains led to the RIG Exploit Kit in August, September, and October of 2019. All of the redirection chains (whether they ended in RIG EK or not) contained similar domains such as usd.odysseus-nua.com, usa.odysseus-nua.com, usd.godabert-nap.com, usa.godabert-nap.com, etc. PassiveTotal shows that these domains are associated with ZeroPark domain redirect traffic. A list of ZeroPark domains is at https://community.riskiq.com/search/components/Server/ZeroPark-Traffic/, and ZeroPark describes its domain redirect traffic at https://zeropark.com/domain-redirect/. ZeroPark is owned and operated by Codewise.
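As an added example (not code from the paste or its author), the chain described above can be hunted for in proxy or DNS logs: score each requested host against a short brand list by edit distance, and flag a typosquat that is immediately followed by a ZeroPark-style redirect host. The brand list, the usa./usd. host pattern and the sample log are assumptions constructed for this example.

```python
import re
from collections import defaultdict
# Assumed brand list the typosquats imitate (constructed for this example).
BRANDS = ("google", "gmail", "facebook", "whatsapp", "youtube", "capitalone")
# Assumption: usa./usd. + two hyphenated words + .com, as in the hosts quoted above (heuristic).
HOP_RE = re.compile(r"^us[ad]\.[a-z]+-[a-z]+\.com$")

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def core_label(host: str) -> str:
    """Naive registrable label: second-to-last DNS label (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def typosquat_of(host: str, brands=BRANDS, max_dist: int = 2):
    """Return the brand a host is within max_dist edits of; None if exact or unrelated."""
    label = core_label(host)
    best = min(brands, key=lambda b: levenshtein(label, b))
    return best if 0 < levenshtein(label, best) <= max_dist else None

def find_chains(log_text: str):
    """Parse 'client host' lines in order; flag typosquat -> ZeroPark-style hop pairs."""
    per_client = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        client, host = line.split()
        per_client[client].append(host)
    hits = []
    for client, hosts in per_client.items():
        for this_host, next_host in zip(hosts, hosts[1:]):
            brand = typosquat_of(this_host)
            if brand and HOP_RE.match(next_host):
                hits.append((client, this_host, brand, next_host))
    return hits

# Constructed sample proxy log: client IP, then requested host, one request per line.
SAMPLE_LOG = """\
10.0.0.5 gmial.test
10.0.0.5 usd.odysseus-nua.com
10.0.0.9 google.com
10.0.0.9 usa.godabert-nap.com
"""
```

`find_chains(SAMPLE_LOG)` flags only the first client: a legitimate brand host followed by a ZeroPark-style hop (the second client) is not a typosquat chain.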

Some of these domains are obvious typosquats of popular domains, but all of them involved ZeroPark redirects and RIG EK:

Some typosquats of popular domains that led to a ZeroPark domain redirect but not to RIG EK:

Additional IOCs: