Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.


  • – – Sundown EK
  • – – Delivering FlashPlayer.exe – Ursnif variant
  • – – Sundown EK
  • – – Sundown EK
  • – – RIG-v EK

Sundown EK Traffic Run 1 (Traffic exported from SIEM):


FlashPlayer.exe Run 2:


Sundown EK Traffic Run 3:


RIG-v EK Traffic Run 4:


Run 1 (01/17/17):

This infection began when the user went to The website doesn’t have any injected code from campaigns like EITest or pseudo-Darkleech but it is infested with malicious ads that when clicked led to PUAs and malware. This, at least to me,  makes me believe that this infection chain started from a malicious advert.

According to available packet data the user was redirected to the Sundown EK by [redacted] I don’t have access to all the packets so I’m not sure on how [redacted].biz was involved in this particular infection chain.

What do I know? Well, the domain ending in the [redacted].biz TLD is a verifiable Keitaro TDS server. I know this because I located the admin page and checked the source code:

The other domain, [redacted], might be another TDS, however, at this point, I don’t have proof. What I do know is that there are hundreds of directories found on that domain and they were all leading to Exploit Kits and direct malware downloads. Here is just a partial image of what I was able to collect before the scan encountered connection errors:


The infection chain ended with the user being redirected the Sundown EK at (resolves to

Run 2 (01/20/17):

After seeing this I decided I would try and recreate the traffic in my lab, however, it is very difficult to recreate a malvertising infection. For this reason I connected directly to both [redacted] and  [redacted].biz (Keitaro TDS server).

Going directly to the [redacted] redirected the host to the [redacted].biz/1:


Partial image showing iframe

The page contains an iframe pointing to “/1” on the Keitaro TDS server.

This generated a GET request for the directory /1:


The TDS server returns a “302 Moved Temporarily” and gives a new location of: GET /land_flash/index.html

The page /index.html, which appears to be mirrored from, contains the following script: setTimeout(“location.href = ‘download/FlashPlayer.exe’;”, 1000);”. You can this in the image below:


This redirects the user to the relative path /land_flash/download/FlashPlayer.exe. Below is the GET request and response from the server:


Returns malware payload

The user is presented with the following download warning on the bottom of the browser window:


Clicking Run gives the user another warning:


If the user clicks run again the payload is dropped in their %Temp% folder:


Scanning the file returned the following hash:

SHA256: 31d8a6fe4c875f8f5de2ec43e27cf68eecacf23c4ff3ada234e9456d6e3e4f63

The Hybrid-Analysis report shows the malware making POST requests to, which triggered ET alerts for “ET TROJAN Ursnif Variant CnC Beacon 4.”

Run 3 (01/22/17):

Run 3 was different than the first two as this time it went straight from [redacted] to a Sundown EK landing page, skipping [redacted].biz (Keitaro TDS server).

Taking one of the directories that I found on [redacted], /adminstrator/, returned a page mirroring another compromised website. At the very bottom of the source code there is an iframe containing a URL for a Sundown EK landing page:


This of course redirects the host to the landing page were we see the usual requests for Flash exploits and PNG exploit:


Here is the malware payload that was dropped in %Temp%:


Running the file through VirusTotal gave me this hash:

SHA256: 3b482fbb430d9b6e575eb166af630e8624d7731f671f1f42c483ed240291bf90

The Hybrid-Analysis report is identical to the post-infection traffic found in Run 2, which showed the malware making POST requests to and triggering ET alerts for “ET TROJAN Ursnif Variant CnC Beacon 4.”

Checking back an hour later shows that somebody might have forgot to renew their subscription:


Run 4 (01/22/17):

During this run I decided to see if I could skip [redacted] and instead make a direct request for a directory located on the Keitaro TDS server, hosted at [redacted].biz. I used the location “/1” since I knew it had worked before. Here is the result of that request and response from the TDS server:


So we can see that the TDS server returned a “302 Moved Temporarily” with a new location pointing to a RIG-v EK “pre-landing” page. The RIG-v pre-landing page is used to determine if the host is using IE. If the host passes the User-Agent checks it is redirected to the landing page in the form of a POST request.

Following the host being redirected to the landing page we see a GET request for a Flash exploit and the request for what should have been a payload:


Obviously that isn’t a malware payload. Oh well. ¯\_(ツ)_/¯

Until next time!

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: