Rig Exploit Kit from 46.30.43.35 sends Tofsee

ASSOCIATED DOMAINS:

  • 46.30.43.35 – gr.stackventilation.com – Rig EK LANDING PAGE
  • 111.121.193.242 – HTTPS POST INFECTION TRAFFIC
  • 1.52.57.168 – PORT 6447 – Tofsee POST INFECTION TRAFFIC
  • 23.194.130.83 – www.ticketmaster.com – Tofsee POST INFECTION TRAFFIC
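An added example, not part of the original write-up: a small matcher that checks proxy/firewall-style log lines against the indicators listed above. The IP addresses, hostname and port 6447 are the ones from this page; the log line layout and the log lines themselves are constructed for the demo. A port-only match on 6447 is reported as a weak hit because the port means little without the listed IP, and www.ticketmaster.com is a legitimate site, so the hostname alone is not treated as an indicator (only the paired IP is).

```python
"""Match the indicators from this page against log lines (added example)."""
import re
from collections import namedtuple

Match = namedtuple("Match", "line_no indicator label")

# Indicators exactly as listed on the page.
IP_INDICATORS = {
    "46.30.43.35": "Rig EK landing page",
    "111.121.193.242": "HTTPS post-infection traffic",
    "1.52.57.168": "Tofsee post-infection traffic (port 6447)",
    "23.194.130.83": "Tofsee post-infection traffic (www.ticketmaster.com)",
}
DOMAIN_INDICATORS = {
    "gr.stackventilation.com": "Rig EK landing page",
}
TOFSEE_PORT = 6447  # from the page; only a weak indicator on its own

# Assumed log layout (constructed for this example):
#   "<timestamp> <src_ip> -> <dst_ip>:<dst_port> host=<hostname-or-empty>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) host=(?P<host>\S*)"
)


def match_line(line_no, line):
    """Return the list of Match hits for one log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than guess
    dst, port, host = m["dst"], int(m["port"]), m["host"].lower()
    hits = []
    if dst in IP_INDICATORS:
        hits.append(Match(line_no, dst, IP_INDICATORS[dst]))
    elif port == TOFSEE_PORT:
        # Port 6447 to an unlisted IP: worth a look, but not a confirmed indicator.
        hits.append(Match(line_no, f"{dst}:{port}", "weak: Tofsee port 6447 to unlisted IP"))
    if host in DOMAIN_INDICATORS:
        hits.append(Match(line_no, host, DOMAIN_INDICATORS[host]))
    return hits


def match_indicators(lines):
    """Run match_line over every line; line numbers are 1-based."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        hits.extend(match_line(line_no, line))
    return hits


def hit_lines(lines):
    """Sorted list of distinct line numbers that produced at least one hit."""
    return sorted({h.line_no for h in match_indicators(lines)})


# Constructed sample log lines mirroring the traffic sequence on the page
# (timestamps and internal source IP are made up).
LOG_LINES = [
    "T+00s 10.0.0.5 -> 46.30.43.35:80 host=gr.stackventilation.com",
    "T+08s 10.0.0.5 -> 111.121.193.242:443 host=",
    "T+11s 10.0.0.5 -> 1.52.57.168:6447 host=",
    "T+14s 10.0.0.5 -> 23.194.130.83:80 host=www.ticketmaster.com",
    "T+19s 10.0.0.5 -> 93.184.216.34:443 host=example.com",
]

if __name__ == "__main__":
    for hit in match_indicators(LOG_LINES):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.label}")
```

Running the block on the constructed lines reports five hits on lines 1 through 4 (line 1 matches on both the IP and the hostname) and nothing for the benign last line.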

IMAGES and DETAILS:

Shown above: Compromised site leading to the Rig Exploit Kit landing page

Shown above: Tofsee encrypted downloader (184 kB)

Shown above: Tofsee post-infection traffic to www.ticketmaster.com

Shown above: Some of the Tofsee post-infection SMTP traffic

Shown above: Tofsee Windows registry entry (1 of 3)

Shown above: Tofsee Windows registry entry (2 of 3)

Shown above: Tofsee Windows registry entry (3 of 3)

MALICIOUS PAYLOAD FROM RIG EK: