
Poisoned at the Source

It started with a magazine article.

Someone received a link to an online article, the kind of thing that gets forwarded without a second thought. Interesting read, pass it along. A few colleagues got the email. They clicked the link.

Three managed devices were wiped before the week was out.

The Delivery Chain

The site was legitimate. The article was real. What was not legitimate was the ad network serving content in the background. Malicious ads injected into an otherwise clean page are effective precisely because the page itself gives you no reason to be suspicious. The exploit kit running in the background fingerprinted each visiting browser, identified vulnerabilities, and selected the appropriate exploit. Silent, automatic, no user interaction beyond the initial click.

The infrastructure behind it was layered:

rueckec[.]lol was the exploit kit host. When a browser loaded the page, a background request fired here. The kit did its fingerprinting and handed off to the next stage.

confirmyouarehuman[.]top was the initial payload host. The domain name is deliberate misdirection. If anyone noticed it in a proxy log or browser history it reads like a CAPTCHA challenge. Nothing to see here.

tiixeira[.]lol was the secondary payload host, likely delivering the XorBee RAT or establishing persistence. By the time traffic reached this domain, the device was already compromised.

191.44.109.233:4444 was the command and control listener. Port 4444 is Metasploit’s default. Infected devices called home here, exchanging XOR-encrypted check-in packets. 98 sessions in under an hour on one device alone.

The .lol and .top TLDs are a tell. Cheap, fast to register, disposable. Purpose-built for campaigns where infrastructure gets burned and replaced on a short cycle.

What XorBee Looks Like in a Firewall Log

The firewall logged insufficient-data on every session to port 4444. It could not identify the application because XorBee’s traffic is XOR-encrypted, deliberately designed to look like noise to a protocol analyzer. Without the Security Onion signature match on the specific encryption pattern, this traffic blends into a busy workday.

The behavioral data told a different story. Bytes sent clustering at 307 bytes across 42 sessions. Bytes received clustering at 186 bytes across 40 sessions. Fixed-size check-in, fixed-size response, 98 rounds. The implant asking the same question over and over: do you have tasking for me?

The client was resetting 76 of 98 connections itself. Not the server dropping them. The implant cycling through check-ins deliberately, establishing a session, exchanging its encrypted payload, tearing it down. Disciplined. Purposeful.
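How those three behavioural signals could be turned into a detection, as an added example that is not from the post or its tooling: it runs over constructed firewall session records (the field layout is an assumption, not any vendor's real schema) and flags flows whose sessions cluster on fixed byte sizes, are mostly torn down by the client, and carry no application identification.

```python
from collections import Counter, defaultdict

# Constructed session records for this example, not the post's real logs.
# Fields: src,dst,dport,bytes_sent,bytes_recv,app_id,reset_by
SAMPLE_LOG = """\
10.0.5.23,191.44.109.233,4444,307,186,insufficient-data,client
10.0.5.23,191.44.109.233,4444,307,186,insufficient-data,client
10.0.5.23,191.44.109.233,4444,307,186,insufficient-data,server
10.0.5.23,191.44.109.233,4444,307,190,insufficient-data,client
10.0.5.23,191.44.109.233,4444,307,186,insufficient-data,client
10.0.5.23,203.0.113.10,443,1520,48211,ssl,server
10.0.5.23,203.0.113.10,443,982,13377,ssl,server
10.0.5.23,203.0.113.10,443,2210,90114,ssl,client
10.0.5.23,203.0.113.10,443,611,7502,ssl,server
"""

def parse_sessions(text):
    """Parse CSV-style session lines into dicts, skipping malformed lines."""
    keys = ("src", "dst", "dport", "sent", "recv", "app", "reset_by")
    sessions = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != len(keys):
            continue
        rec = dict(zip(keys, parts))
        for k in ("dport", "sent", "recv"):
            rec[k] = int(rec[k])
        sessions.append(rec)
    return sessions

def beacon_candidates(sessions, min_sessions=4, size_ratio=0.6, reset_ratio=0.6):
    """Flag (src, dst, dport) flows that look like fixed-size C2 check-ins:
    bytes sent/received cluster on one value, the client tears down most
    connections, and the firewall could not identify the application."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s["src"], s["dst"], s["dport"])].append(s)
    findings = {}
    for key, sess in groups.items():
        n = len(sess)
        if n < min_sessions:
            continue
        # most_common(1) gives the dominant size and how many sessions share it
        sent_val, sent_n = Counter(s["sent"] for s in sess).most_common(1)[0]
        recv_val, recv_n = Counter(s["recv"] for s in sess).most_common(1)[0]
        client_resets = sum(s["reset_by"] == "client" for s in sess)
        unidentified = sum(s["app"] == "insufficient-data" for s in sess)
        if min(sent_n, recv_n) / n >= size_ratio and client_resets / n >= reset_ratio:
            findings[key] = {"sessions": n, "sent_mode": sent_val, "recv_mode": recv_val,
                             "client_resets": client_resets, "unidentified_app": unidentified}
    return findings
```

The thresholds are deliberately loose so the small sample trips them; on real volumes raise `min_sessions` and pair the hit with the `unidentified_app` count before treating it as more than a lead.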

Why Three Devices

One email. One forward.

The original recipient clicked the link. The device got compromised. Then, before anyone knew anything was wrong, the email got forwarded to colleagues. They clicked the same link. Same exploit kit, same delivery chain, same result.

The forwarding is what turned a single infection into an incident. The original sender did not know. The forwarder did not know. Everyone was sharing an interesting article.

This is the human layer. Not carelessness. The attack was specifically designed to look like something worth sharing, and it did.

Managed Devices, Limited Blast Radius

All three infected devices were managed machines, domain-joined Windows workstations with endpoint protection running. That matters for two reasons.

First, visibility. Firewall logs, Kerberos and LDAP traffic, Security Onion signatures, endpoint telemetry. Managed devices leave a trail. The investigation had something to work with. A BYOD infection in the same scenario would have ended at the firewall log with “unknown dwell time” and a wipe recommendation.

Second, a defined remediation path. Wipe, reimage, restore from backup, rotate credentials, verify. Three devices, same playbook, executed in parallel. The users who touched those devices during the infection window had their passwords scrambled before the end of the day.

The containment was clean. Three managed devices still got wiped because someone forwarded an email.

IOCs

| Indicator | Type | Role |
|---|---|---|
| rueckec[.]lol | Domain | Exploit kit host |
| confirmyouarehuman[.]top | Domain | Initial payload host |
| tiixeira[.]lol | Domain | Secondary payload host |
| 191.44.109.233 | IP | XorBee C2, port 4444 |
| 103.169.142.20 | IP | Malicious infrastructure (VT confirmed) |
| 103.169.142.21 | IP | Malicious infrastructure (VT confirmed) |
| Port 4444 | Port | Metasploit default listener |
| XorBee RAT | Malware | Remote access trojan, XOR-encrypted C2 |

Internal infrastructure details and identifying information have been omitted. IOCs are published to support the broader security community. The malvertising delivery vector is an assessment based on the evidence available from the investigation.