An article published by malwarebreakdown two days ago was very interesting.
I supplement that article. This is an article for that.
In that wonderful article some redirect flows and the latter half were introduced. I introduce the flow of the first half.
First redirected to "220.127.116.11/usa" by some malicious Ad. "usa" looks like a general web site, showing part of the actual code.
It looks like a general code, but there is an obfuscated code. It's decoded as follows.
This looks like code for Google Analytics, but it's actually different. It's sending a POST request to "usa".
This is redirecting to "outedward-engrees.com". When you access "outedward-engrees.com", it looks like this.
Please see the malwarebreakdown article after this :)
Well, I had a chance interesting discovery. I investigated "18.104.22.168" in VirusTotal. Then I got this information.
Surprisingly, "japan.php" exists on the same server!
"japan.php" code is exactly the same as "usa", but you have to set the time zone to be sent to Japan so that you will be connected to RigEK.
"usa" was redirected to "signup3.php", but "japan.php" redirects to "signup1.php".
The dropped malware is Ramnit as usual.
P.S. added pcap link
Localization other than Japan may also exist.
If you knew, please let me know ;)