Survey of "ngay campaign"

First

I began observing this campaign around August. Even now it continues to carry out drive-by download attacks and remains a serious threat. The domains used in this campaign are distinctive, so I call it the "ngay campaign". I think this campaign is related to Vietnam: "ngay" (ngày in Vietnamese) means "day". Here I introduce what I found out about this campaign.

Traffic Chain

Look at the following image. This campaign leads to the RIG Exploit Kit. It seems to have used the Disdain Exploit Kit at one point, but now it is using RIG Exploit Kit.


An HTML snippet like this one contains the landing page URL of RIG Exploit Kit.


The look of the landing page changes, but previously it looked like this. This site was in Vietnamese.


IOCs

They prefer Freenom domains, that is, ".tk", ".cf", ".ml", ".ga" and ".gq". The following domains are the Freenom domains I observed being used in this campaign.

In addition, ".club" domains are also used.

These domains are characteristic. Many of them consist of a string followed by a number. The strings often include "camp", "ngay", "test", "tonic", "day" or "tds", and the numbers often include "08", "09", "10", "11" or "17". Fitting the meaning of "ngay", date-like numbers are used frequently.
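The naming pattern above is easy to turn into a triage rule for proxy or DNS logs. The following Python is an added example and is not part of the original post; the domains and log lines in it are constructed for illustration and are not IOCs from this campaign. It flags a hostname only when all three traits described above coincide: a Freenom or ".club" TLD, one of the listed keywords, and a date-like number.

```python
import re

# Constructed sample domains (not the campaign's real IOCs) that follow the
# pattern described in the post: keyword + date-like number on a Freenom TLD
# or .club, mixed with ordinary domains that should not be flagged.
SAMPLE_DOMAINS = [
    "camp0917.tk",
    "ngay1108.cf",
    "testday10.ml",
    "tonic0917.ga",
    "tds1117.gq",
    "ngaytest09.club",
    "example.com",
    "docs.example.org",
    "camp.example.org",  # keyword, but neither a Freenom/.club TLD nor a number
    "0917.tk",           # Freenom TLD and number, but no keyword
]

# Constructed proxy log lines (hypothetical format: timestamp client action method url)
SAMPLE_LOG = """\
1509000001.101 10.0.0.5 TCP_MISS/200 GET http://docs.example.org/page.html
1509000002.202 10.0.0.5 TCP_MISS/200 GET http://camp0917.tk/index.php?q=1
1509000003.303 10.0.0.7 TCP_MISS/200 GET https://example.com/
1509000004.404 10.0.0.7 TCP_MISS/200 GET http://tds1117.gq/go
"""

FREENOM_TLDS = {"tk", "cf", "ml", "ga", "gq"}
EXTRA_TLDS = {"club"}
KEYWORDS = ("camp", "ngay", "test", "tonic", "day", "tds")
DATE_LIKE = ("08", "09", "10", "11", "17")

HOST_RE = re.compile(r"https?://([^/\s:]+)")


def score_domain(domain):
    """Return which of the post's traits a single hostname shows."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    tld = labels[-1]
    name = ".".join(labels[:-1])  # everything left of the TLD, subdomains included
    return {
        "domain": domain,
        "freenom_tld": tld in FREENOM_TLDS,
        "club_tld": tld in EXTRA_TLDS,
        "keyword": next((k for k in KEYWORDS if k in name), None),
        "date_like": [n for n in DATE_LIKE if n in name],
    }


def is_suspicious(domain):
    """All three traits must coincide; any one alone is far too common."""
    t = score_domain(domain)
    return (t["freenom_tld"] or t["club_tld"]) and t["keyword"] is not None and bool(t["date_like"])


def triage(domains):
    """Filter a list of hostnames down to those matching the campaign pattern."""
    return [d for d in domains if is_suspicious(d)]


def hosts_from_log(text):
    """Pull hostnames out of URLs in proxy-style log lines."""
    return [m.group(1) for m in HOST_RE.finditer(text)]


def flag_log(text):
    """Return the suspicious hostnames found in a log, in order of appearance."""
    return triage(hosts_from_log(text))


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(("FLAG " if is_suspicious(d) else "ok   ") + d)
    print("from log:", flag_log(SAMPLE_LOG))
```

The rule is deliberately conjunctive: Freenom TLDs and short keywords such as "test" or "day" occur in plenty of legitimate traffic, so a hit should be treated as a lead for analysts to pivot on (the hosting IP, the referrer, the next request in the chain), not as a verdict on its own.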

The IPs corresponding to these domains are as follows. They are all DigitalOcean VPSes.



---

QuantLoader is downloaded and executed by RIG Exploit Kit, and QuantLoader in turn downloads a cryptocurrency miner.

QuantLoader:
e03bbcf5df946d4c0730d7cca14e3cd38c0a6410948b96f35e99f1eca7b0d3ad
77038978efc49e1121c373339762ba9db03925880c49e080a5c76ba11c517350

Coin Miner:
2ccac3cba9d59b1d740b7984b53d6285f2ac85a3457a3d9e3bf707138bd36e31
dc8756e58cf3a2ca560d925f3af89aeb41689f7ebf6ee36cd00db801130a952a

The miner is hosted on the following domain.

This is the admin page of QuantLoader. Looking at its source code, you can see that it was created by "CPPGURU Software".


Conclusion

This campaign has definitely not disappeared. I'll continue to observe it. Please don't use a vulnerable web browser.