Decoy Site Leads to RIG-v EK at 194.87.237.240. Post-Infection Traffic: Ursnif Variant Dreambot.

IOCs:

  • 88.214.225.168 – duckporno.com – Decoy site
  • 80.77.82.42 – bethanyads.info – GET /rotation/hits? – Fake ad server
  • 194.87.237.240 – sell.underinsuredinamerica.com – RIG-v EK

Post-Infection Traffic:

  • 89.223.31.51 – GET /images/[truncated]/f2NJW2/.avi – ET TROJAN Ursnif Variant CnC Beacon
  • 89.223.31.51 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
  • 37.48.122.26 – curlmyip.net – GET for external IP
  • Outbound connections via port 9001 – ET POLICY TLS possible TOR SSL traffic

DNS Queries:

  • resolver1.opendns.com – ET POLICY OpenDNS IP Lookup
  • 222.222.67.208.in-addr.arpa
  • myip.opendns.com
  • nod32.com
  • eset.com

Traffic:

[Screenshot of the traffic capture]

Hashes:

SHA256: 97c71854b39af2814ae8c06237c3945346a2aaccebb3460f4067ff2caf74018b
File name: hits.html

SHA256: e5872a0a5073189039fcaa0dc0fc026e81e2dbdccb1aeed5c714f492bda43d1d
File name: RIG-v EK Flash Exploit.swf

SHA256: 3f517c7bf5176614ff11f3fc275849155c5bfede0b7a7748781b8aaf36fc6650
File name: QTTYUADAF

SHA256: 188343c4106c1a727a16dfbcf6dfeff082467b57b44d8eb007fb71596106c2c7
File name: docpDump.exe

SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll

Infection Chain:

This infection chain is essentially identical to the ones covered in these two posts:

https://malwarebreakdown.com/2017/01/29/rig-v-at-194-87-144-170-post-infection-traffic-triggers-et-rules-for-tor-module-download-and-ursnif-variant-cnc-beacon/

https://malwarebreakdown.com/2017/01/27/iframe-redirects-host-to-rig-v-ek-at-92-53-97-168-and-drops-loader-and-tor-client/

Here is the iframe on the decoy site:

[Screenshot of the iframe on the decoy site]

The decoy sites are used by a malvertising campaign called HookAds, which was disclosed by Malwarebytes Labs on November 1st, 2016. Jerome has written an excellent article about it, which you can read HERE. I won't go into much detail about this campaign in this blog post since Jerome has already covered it.

Up to this point we've seen 118 domains using the .info TLD resolve to 80.77.82.42 (passive DNS first-seen and last-seen dates).


The first domain resolved to 80.77.82.42 on 11/26/2016.

Further examination of the infrastructure shows the following name servers being used:

ns1.topdns.me
ns2.topdns.me
ns3.topdns.me

The exploit kit payload was similar to the one in the other two infections I've written about. Hybrid Analysis tags the malware sample with #dreambot, #isfb, #ursnif, and #gozi.

https://www.hybrid-analysis.com/sample/188343c4106c1a727a16dfbcf6dfeff082467b57b44d8eb007fb71596106c2c7?environmentId=100

The payload was dropped into %Temp% (rad1F5DA.tmp.exe):

[Screenshot of the dropped payload in %Temp%]

We can also see a registry entry for the Tor client:

[Screenshot of the Tor client registry entry]

A registry entry was created in Run for persistence:

[Screenshot of the Run key persistence entry]

We can also see that the file was created in Roaming. Its size grew after letting the system run for about an hour:

[Screenshot of the file in Roaming]

Post-infection traffic also shows the host making a GET request for curlmyip.net in order to grab the external IP address of the host.

If you're working in a SOC, I would filter network traffic over the last 72 hours and look for any communication to 80.77.82.42. From there I would check whether those host(s) were successfully redirected to the EK. You can likely determine whether a host has been compromised by checking for signs of the post-infection traffic listed above or by looking for anti-virus detections. Lastly, I would block 80.77.82.42 and the RIG EK IP (194.87.237.240) at your perimeter firewall(s).
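One way to run that triage over proxy-style logs, as an added example that is not code from the original post: it applies the 72-hour lookback, flags hosts that reached the fake ad server, and escalates the verdict when the same host went on to the RIG-v EK IP or showed the post-infection indicators above (89.223.31.51, curlmyip.net, the OpenDNS lookup, outbound port 9001). The log format and the sample lines are constructed; 203.0.113.7 and 198.51.100.20 are documentation addresses.

```python
# Added example, not code from the original post: triage proxy-style log lines
# for the chain described above (fake ad server -> RIG-v EK -> post-infection).
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the post.
FAKE_AD_SERVER = "80.77.82.42"          # bethanyads.info and sibling .info domains
RIG_EK = "194.87.237.240"               # sell.underinsuredinamerica.com
POST_INFECTION_IPS = {"89.223.31.51", "37.48.122.26"}
POST_INFECTION_HOSTS = {"curlmyip.net", "myip.opendns.com", "resolver1.opendns.com"}
TOR_PORT = 9001

# Constructed sample log, one event per line: "timestamp src dst dst_port host method path".
SAMPLE_LOG = """\
2017-02-07T13:01:04 10.0.0.5 80.77.82.42 80 bethanyads.info GET /rotation/hits?
2017-02-07T13:01:06 10.0.0.5 194.87.237.240 80 sell.underinsuredinamerica.com GET /
2017-02-07T13:01:40 10.0.0.5 89.223.31.51 80 89.223.31.51 GET /tor/t64.dll
2017-02-07T13:02:10 10.0.0.5 37.48.122.26 80 curlmyip.net GET /
2017-02-07T13:03:00 10.0.0.5 203.0.113.7 9001 - CONNECT -
2017-02-07T13:05:00 10.0.0.9 80.77.82.42 80 irmoads.info GET /rotation/hits?
2017-02-07T13:05:02 10.0.0.9 198.51.100.20 443 example.net GET /
"""

def parse_line(line):
    ts, src, dst, port, host, method, path = line.split(maxsplit=6)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "host": host, "method": method, "path": path}

def triage(log_text, window_hours=72, now=None):
    """Return {src_ip: verdict}, keeping only the furthest chain stage seen per host."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    if not events:
        return {}
    cutoff = (now or max(e["ts"] for e in events)) - timedelta(hours=window_hours)
    stages = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            continue                      # outside the lookback window
        if e["dst"] == FAKE_AD_SERVER:
            stages[e["src"]].add("fake_ad_server")
        elif e["dst"] == RIG_EK:
            stages[e["src"]].add("rig_ek")
        elif (e["dst"] in POST_INFECTION_IPS or e["host"] in POST_INFECTION_HOSTS
              or e["port"] == TOR_PORT):
            stages[e["src"]].add("post_infection")
    order = [("post_infection", "likely compromised"),
             ("rig_ek", "redirected to RIG-v EK"),
             ("fake_ad_server", "contacted fake ad server")]
    return {src: next(v for s, v in order if s in seen) for src, seen in stages.items()}
```

Hosts that only touched 80.77.82.42 come back as "contacted fake ad server", which is the set to investigate further for EK redirection or AV detections.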
