- 126.96.36.199 – duckporno.com – Decoy site
- 188.8.131.52 – walterboroads.info – GET /rotation/hits? – Malicious redirect
- 184.108.40.206 – mail.mobildugun.com – RIG-v EK
- 220.127.116.11 – GET /images/[truncated]/MK/.avi – ET TROJAN Ursnif Variant CnC Beacon
- 18.104.22.168 – GET /tor/t32.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
- 22.214.171.124 – curlmyip.net – GET for external IP
- Outbound connections via port 9001 – ET POLICY TLS possible TOR SSL traffic
- resolver1.opendns.com – ET POLICY OpenDNS IP Lookup
File name: Walterboroads.info – rotation – hits.html
File name: mail.mobildugun.com RIGv EK pre landing page.html
File name: mail.mobildugun.com RIGv EK landing page.html
File name: mail.mobildugun.com RIGv EK Flash exploit.swf
File name: QTTYUADAF
File name: radB88AE.tmp.exe
File name: t32.dll
File name: B8E9.bin
This infection was basically identical to my last infection. Same domain, same iframe, similar payloads and similar post-infection traffic. Here is the iframe found on the compromised site:
Just like with my previous infection the iframe returned a page from the EK server that contained script meant to identify the browser. According to the library directory on the domains the script is called firstDetect.js.php:
The host will be redirected to the value contained within the NormalURL if they are using IE. Below are partial images of the script which contains the URLs necessary for redirection:
This script also instructs the host to use the POST method when making the request. The server returns basically the same page:
Besides the URIs being different we see a difference with what is returned if BrowserInfo.is_bot == true. Examples are shown below:
It was at this point that the host made a second POST request using the URL found on the pre-landing page.
In the video you can see the location where the malicious code loaded. In my previous write up I got an interesting error loaded on the page:
Needless to say the GET request for the first malicious redirect, rotation/hits?, failed.
Moving on… Once the landing page loaded we see the host make a GET request for a Flash exploit and then the payload. The payload, radB88AE.tmp.exe, was dropped in my %Temp% folder and copied to a new folder in Roaming (dot3Core.exe):
Next we see the creation of folders B950 and FFFE, and files AC39.bi1 and B8E9.bin (Tor client). There are also numerous .bin files created as the system continues to run, along with a cached-microdescs file (used by the Tor client) created in Roaming:
There are also some modifications to the registry:
The last thing we see before the Tor traffic is a GET request for curlmyip.net, which is used to identify the external IP address being used by the host.
I recommend that SOC analysts filter network traffic over the last 72 hours or so and look for any communication to 126.96.36.199. You can correlate connections made to 188.8.131.52 with other suspicious activities, which would include Exploit Kit traffic and any anti-virus events.
Lastly, I would block 184.108.40.206, 220.127.116.11, and 18.104.22.168 at your perimeter firewall(s). Until next time!