RunForestRun (Malware Family)

RunForestRun

aka: Blackhole, Sutra

Active around 2012-2013, this family deployed small JavaScript snippets on infected websites to load exploit kit scripts from DGA-generated domains.
It commonly used the Blackhole exploit kit and the Sutra Traffic Distribution System (TDS), which caused it to sometimes be misnamed as Blackhole or Sutra.

References

2013-11-02 ⋅ The MalwareMustDie Blog ⋅ malwaremustdie
RunForrestRun DGA "Comeback" with new obfuscation
RunForestRun

2013-06-01 ⋅ MalwareMustDie ⋅ malwaremustdie
DGA/PseudoRandom Malicious Domain Research Guideline
RunForestRun

2012-12-05 ⋅ Malware Don't Need Coffee ⋅ Kafeine
The path to infection - Eye glance at the first line of "Russian Underground" - focused on Ransomware
RunForestRun Andromeda Citadel Lyposit Matsnu Reveton Sinowal UPAS Urausy

2012-10-07 ⋅ The MalwareMustDie Blog ⋅ malwaremustdie
Cracking New PseudoRandom (runforestrun) Infector
RunForestRun

2012-08-01 ⋅ securelist ⋅ Marta Janus
“RunForestRun”, “gootkit” and random domain name generation
RunForestRun GootKit

2012-06-22 ⋅ Unmask Parasites ⋅ Denis Sinegubko
Runforestrun and Pseudo Random Domains
RunForestRun

There is no Yara-Signature yet.

RunForestRun Propose Change

References

RunForestRun