AdGholas Spotted in D3 Community

The Dark Cubed community is seeing current threat-related activity associated with a recently reported malvertising campaign from AdGholas. The customer data we see is anonymous, so we are sharing these indicators with you to enable you to determine whether they are present within your network. The four indicators of interest are as follows:

  • expert-essays[.]com

  • 5.34.180.73

  • jet-travels[.]com

  • 94.156.174.11

We recommend the following actions:  

  1. Detect if these indicators are in your network.
    To search for these indicators, go to your Dark Cubed Threat Table and type in “data:94.156.175.11.” Note: When searching for domain names, remove the brackets. Those are only added to keep them from becoming clickable links!  
    If this activity was seen on your network, you will see it listed; if not, the table will be empty like the image below.

  2. If you do have activity on your network for one or more of these IPs or Domains, it is probably worth a little more investigation.  

  3. Reach out to us if we can help answer any questions you may have.
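To run step 1 against your own DNS, proxy or flow logs rather than the Threat Table, here is an added example (not Dark Cubed's code) that refangs the four indicators above and matches them against constructed sample log lines, with boundary checks so a longer IP such as 94.156.174.110 or a look-alike domain does not produce a false hit.

```python
import ipaddress
import re

# Indicators exactly as published above, in defanged form ([.] instead of .).
ADGHOLAS_INDICATORS = [
    "expert-essays[.]com",
    "5.34.180.73",
    "jet-travels[.]com",
    "94.156.174.11",
]

def refang(indicator: str) -> str:
    """Undo the [.] defanging so the value matches what real logs contain."""
    return indicator.replace("[.]", ".")

def compile_patterns(indicators):
    """One anchored regex per indicator: 5.34.180.73 must not match 5.34.180.731,
    and expert-essays.com must not match notexpert-essays.com."""
    patterns = {}
    for raw in indicators:
        value = refang(raw)
        escaped = re.escape(value)
        try:
            ipaddress.ip_address(value)
            # IP address: no digit or dot may touch either end of the match.
            pat = rf"(?<![\d.]){escaped}(?![\d.])"
        except ValueError:
            # Domain: allow subdomains (ads.jet-travels.com) but reject suffix matches.
            pat = rf"(?<![\w-])(?:[\w-]+\.)*{escaped}(?![\w-])"
        patterns[raw] = re.compile(pat, re.IGNORECASE)
    return patterns

def find_indicator_hits(log_lines, indicators=ADGHOLAS_INDICATORS):
    """Return (line_number, defanged_indicator) for every log line that contains a hit."""
    patterns = compile_patterns(indicators)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for raw, pat in patterns.items():
            if pat.search(line):
                hits.append((lineno, raw))
    return hits

# Constructed sample log lines for demonstration only; not real customer traffic.
SAMPLE_LOGS = [
    "2017-07-20T10:01:02Z dns query A cdn.jet-travels.com from 10.0.0.15",
    "2017-07-20T10:01:03Z proxy CONNECT 5.34.180.73:443 user=alice",
    "2017-07-20T10:01:04Z proxy GET http://www.example.com/ user=bob",
    "2017-07-20T10:01:05Z netflow src=10.0.0.22 dst=94.156.174.110 proto=tcp",
]

if __name__ == "__main__":
    for lineno, indicator in find_indicator_hits(SAMPLE_LOGS):
        print(f"line {lineno}: matched {indicator}")
```

Only lines 1 and 2 of the sample are reported; line 4 is a different address that merely shares a prefix with 94.156.174.11.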

[Image: D3.png]

More detailed information was recently sent directly to D3 community members via email.

To learn more about AdGholas, read this blog posting by Malwarebytes: https://blog.malwarebytes.com/cybercrime/2017/07/adgholas-malvertising-thrives-shadows-ransomware-outbreaks/


Not-Petya Malware Update

You may have been reading about the recent Petya-based malware event. As a Dark Cubed customer, we want to give you an update on how our platform is protecting your network.

On Tuesday, the known IOCs for this attack were published. Right now, this attack has come from four IP addresses:

  1. 111.90.139.247
  2. 84.200.16.242
  3. 185.165.29.78
  4. 95.141.115.108

Our Threat Scoring Engine was immediately updated, and any traffic from these IPs is now being scored as an 8.

We also know that across our customer base, we have seen no traffic to or from these four IP addresses. (Remember, your threat scoring requests are made anonymously, so even if we get requests to score these IPs, we cannot attribute those requests to a specific customer.)

If you have any questions, drop us a note.