FirstI began observing this campaign around August. Even now it continues to do Drive-by Download attack, serious threat. The domain used in this campaign is distinctive. Therefore, I call it "ngay campaign". I think that this campaign is related to Vietnam. "ngay" (ngày in Vietnamese) means "day". I introduce what I looked into about this campaign.
Traffic ChainLook at the following image. This campaign leads to the RIG Exploit Kit. This campaign seems to have used Disdain Exploit Kit once. Now it is using RIG Exploit Kit.
Such a html is included in the landing page URL of RIG Exploit Kit.
Look of the landing page changes, but previously there was such a thing. This site was in Vietnamese.
IOCsThey prefer the Freenom domain. That is, ".tk", ".cf", ".ml", ".ga", and ".gq". The following domains are the Freenom domains that were used in this campaign that I observed.
In addition, ".club" domains are also used.
These domains are characteristic. Many domains consist of strings and numbers. Strings often include "camp", "ngay", "test", "tonic", "day" or "tds". Also, numbers often include "08", "09", "10", "11" or "17". As the meaning of ngay campaigns, numbers like dates are used frequently.
The IPs corresponding to these domains are as follows. It's all DigitalOcean's VPS.
QuantLoader is downloaded and executed from RIG Exploit Kit. And, QuantLoader downloads cryptocurrency miner.
Miner is hosted in the following domain.
The admin page of QuantLoader is this. Looking at the source code, you can see that this was created by "CPPGURU Software".