IOCs:
- 88.214.225.168 – amateur.duckporno.com – Compromised adult website
- 80.77.82.42 – sumterads.info – GET /rotation/hits?
- 92.53.97.168 – zag.2043kutahya.net – RIG-v EK
Post-Infection Traffic:
- 94.23.186.184 – GET /images/[truncated]/y/.avi
- 91.228.166.47 – nod32.com – GET /images/[truncated]/zpyxRby.jpeg
- 91.228.166.47 – nod32.com – GET /images/[truncated]/K04.gif
- 94.23.186.184 – GET /tor/t32.dll – Tor client
- 37.48.122.26 – curlmyip.net – GETs external IP of host
- Outbound requests to various IPs via TCP port 9001 (Tor).
DNS Queries:
- resolver1.opendns.com
- 222.222.67.208.in-addr-arpa
- myip.opendns.com
- nod32.com
- eset.com
Traffic:
IDS Events:
Hashes:
SHA256: 926c914c444a5b6218ff305aaee022386741d0b784fa5c09fe57c80939fde392
File name: rotation hits.html
SHA256: 1c3863f4ba4b78fd22c32774487f488f8abd9a293a3238ad4afd98b94b16ed83
File name: zag.2043kutahya.net pre landing page.txt
SHA256: c5c14e08e160e393a51ced0e8bd15038ad05a7d9503b142f6e7149662f3a51a1
File name: zag.2043kutahya.net landing page.txt
SHA256: c51983e60892d0c011339e123f9058c390f8f4bc162e00fa1879db4a76734029
File name: zag.2043kutahya.net RIG-v EK Flash exploit.swf
SHA256: ceec7a77c12c11bc3c02c5d724db3e6ce4377a240773b5fef86b0bdd8ad84ef5
File name: rad5BA76.tmp.exe
Hybrid-Analysis Report
SHA256: b4e9a4186bbe15e4a32685fcd5d2da493b6431de904256a220388b8e2369d1e2
File name: dot3Core.exe
SHA256: 5d5bda87bb2871b29c63d7a40c3f7e1ef81ebb4c69396059e94d4ce02ece9f10
File name: t32.dll
SHA256: 844e63492bd90551aff973d093be4bf2610bbb3057b86fe1a146f7bc412cfa92
File name: 8D53.bin
Infection Chain:
This infection began when I found a compromised website whose source code contained the following iframe:
Loading the page several times eventually produced a connection-timeout error for sumterads.info, which was being loaded in an ad slot:
The first time we see a .info domain resolving to 80.77.82.42 was on 11/25/16. Using PassiveTotal, I was able to determine that at least 118 .info domains have resolved to 80.77.82.42 since 11/25/16.
The entire list of domains can be seen here:
Download the list here: info-tld-resolving-to-80-77-82-42.xlsx
The iframe generates a GET request for “/rotation/hits?”, which returns an HTML document containing a script identical to the one on the RIG-v “pre-landing” page. This script also contains the URL of the RIG-v “pre-landing” page and instructs the host to request it with the POST method. Here is a partial image of “hits?”:
In contrast, campaigns like pseudo-Darkleech place the RIG-v EK “pre-landing” page URL directly in the iframe.
The host then makes a POST request for the RIG-v pre-landing page (URL shown in the image above). The server returns the pre-landing page, which contains the same code, except that this time the URL in the script points the host to the RIG-v landing page:
We then see another POST request, this time for the landing page. To be clear, that is two POST requests: one for the pre-landing page and one for the landing page.
Once on the landing page, we see the host make a GET request for a Flash exploit and then for the malicious payload.
At this point we see rad5BA76.tmp.exe dropped in %Temp% and copied to a folder under Roaming as “dot3Core.exe.” We also see two folders created, along with a .BI1 file and many .BIN files:
The file 8D53.bin (seen in the first picture), which is 2,374 KB in size, is related to the Tor client download. A “cached-microdescs” file, which the Tor client uses, is also created in Roaming.
Here is the GET request for “/tor/t32.dll”:
Here are some changes made to the registry for persistence and the Tor client:
Post-infection traffic also shows the host making a GET request to curlmyip.net to retrieve its external IP address:
If you’re working in a SOC, I would filter network traffic over the last 72 hours for any communication to 80.77.82.42, then check whether the host was successfully redirected to an EK. Whether the host was compromised can usually be determined from AV events or post-infection traffic. Lastly, I would block 80.77.82.42 and 92.53.97.168 at your perimeter firewall(s).
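The chain described above (iframe, then GET /rotation/hits? to 80.77.82.42, then two POSTs to the RIG-v EK, then GETs for the exploit and payload, then Tor and curlmyip.net traffic) and the 72-hour SOC filter recommended here can be turned into a per-host triage over proxy and firewall logs. This is an added example, not code from the original post; it assumes a constructed space-separated log layout (ts src_ip dst_ip dst_port method host uri), and the EK URIs, internal hosts and the 198.51.100.7 / 203.0.113.1 addresses are placeholders.

```python
# Added example: stage each internal host against the RIG-v chain in this write-up.
# Constructed log layout: ts src_ip dst_ip dst_port method host uri ('-' for non-HTTP flows).
from collections import defaultdict

FIELDS = ("ts", "src_ip", "dst_ip", "dst_port", "method", "host", "uri")
REDIRECTOR_IP = "80.77.82.42"   # *ads.info redirector, GET /rotation/hits?
EK_IP = "92.53.97.168"          # zag.2043kutahya.net, RIG-v EK
TOR_PORT = "9001"

def stage_of(r):
    """Rank and name of the chain stage a record belongs to, or None if unrelated."""
    if r["dst_ip"] == REDIRECTOR_IP and r["uri"].startswith("/rotation/hits"):
        return 1, "redirect"
    if r["dst_ip"] == EK_IP and r["method"] == "POST":
        return 2, "ek-landing"      # pre-landing and landing are both POSTs
    if r["dst_ip"] == EK_IP and r["method"] == "GET":
        return 3, "ek-exploit/payload"
    if r["uri"] == "/tor/t32.dll" or r["host"] == "curlmyip.net" or r["dst_port"] == TOR_PORT:
        return 4, "post-infection"
    return None

def triage(lines):
    """{src_ip: (furthest stage, EK POST count)}; two EK POSTs = pre-landing + landing."""
    furthest, ek_posts = {}, defaultdict(int)
    for rec in (dict(zip(FIELDS, line.split())) for line in lines):
        hit = stage_of(rec)
        if hit is None:
            continue
        rank, name = hit
        if rank == 2:
            ek_posts[rec["src_ip"]] += 1
        if rank > furthest.get(rec["src_ip"], (0, ""))[0]:
            furthest[rec["src_ip"]] = (rank, name)
    return {h: (name, ek_posts[h]) for h, (_, name) in furthest.items()}

# Constructed sample: 10.0.0.5 runs the full chain, 10.0.0.9 only reached the redirector,
# 10.0.0.7 is unrelated. EK URIs and 198.51.100.7 / 203.0.113.1 are placeholders.
SAMPLE_LOG = """\
2017-01-27T10:00:01 10.0.0.5 80.77.82.42 80 GET sumterads.info /rotation/hits?
2017-01-27T10:00:02 10.0.0.5 92.53.97.168 80 POST zag.2043kutahya.net /prelanding
2017-01-27T10:00:03 10.0.0.5 92.53.97.168 80 POST zag.2043kutahya.net /landing
2017-01-27T10:00:04 10.0.0.5 92.53.97.168 80 GET zag.2043kutahya.net /exploit.swf
2017-01-27T10:00:05 10.0.0.5 92.53.97.168 80 GET zag.2043kutahya.net /payload
2017-01-27T10:00:09 10.0.0.5 94.23.186.184 80 GET 94.23.186.184 /tor/t32.dll
2017-01-27T10:00:11 10.0.0.5 37.48.122.26 80 GET curlmyip.net /
2017-01-27T10:00:20 10.0.0.5 198.51.100.7 9001 - - -
2017-01-27T10:05:00 10.0.0.9 80.77.82.42 80 GET garnerads.info /rotation/hits?
2017-01-27T10:06:00 10.0.0.7 203.0.113.1 443 GET example.com /
""".splitlines()
```

Calling triage(SAMPLE_LOG) reports 10.0.0.5 at the post-infection stage with two EK POSTs, and 10.0.0.9 as a redirect-only hit that never reached the EK and so needs no further triage beyond confirming no follow-up traffic.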