IOCs:
- 92.243.23.204 – www[.]caltech[.]fr – Compromised website
- 185.159.130.122 – more.THEBESTDALLASFLORISTS.COM – RIG-v EK
- 5.196.159.175 – GET /images/[removed]/KTDEi/.avi – CnC traffic
- 46.4.99.46 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
- 37.48.122.26 – curlmyip.net – External IP lookup
Post-Infection DNS Queries:
- resolver1.opendns.com – ET POLICY OpenDNS IP Lookup
- curlmyip.net
- 222.222.67.208.in-addr.arpa
- myip.opendns.com
- nod32s.com
Traffic:
Hashes:
SHA256: 37f7e78080f85e6f98136e927a69a72ea7d619f230b476b5d6826ebc1eee29a0
File name: RIG-v EK Flash Expoit.swf
SHA256: 2bfe062e8fb089f22d8dbe33184174098e87ba0b7ecc36e3db1290a5896d00c0
File name: QTTYUADAF
SHA256: c845c57e8fe49ae9fa7413cd51d7fdba563e5aeb422d01f4f1d473ca7dcb0a56
File name: radE86B9.tmp.exe
Hybrid-Analysis Report
SHA256: a8f7a0471f65cfad7031d77bf131532fa8d930e9eea86c23584771251d0b51d5
File name: t64.dll
Infection Chain:
Shout-out to @kkrnt who told me about the compromised website. Here is an image of the compromised website:
Loading the website in my browser and inspecting the TCP stream between my host and the web server showed that the EITest script had been injected into the web page. Below is the EITest script returned by the web server:
The URL within the script redirected my host to the RIG-v EK pre-landing page. The host was then redirected to the landing page after which we see the Flash exploit followed by the malware payload.
We see cmd.exe create QTTYUADAF in %Temp% and execute it. The script causes the host to make a GET request for the malware payload. The malware payload (radE86B9.tmp.exe) is dropped and executed in %Temp%:
The file is also copied to [User]\AppData\Roaming\catskend:
There is a registry entry created for persistence:
The bot checks in with the CnC server via 5.196.159.175/images/[removed]/KTDEi/.avi.
We then see the GET request for the Tor client, which is currently being hosted at 46.4.99.46. The most current resolution for 46.4.99.46 is static.46.99.4.46.clients.your-server.de. The name servers include:
Name servers:
- ns.second-ns.com
- ns1.your-server.de
- 2a01:4f8:d0a:2006:0:0:0:2
- ns3.second-ns.de
According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.
When the Tor client is retrieved from 46.4.99.46 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\[random guid]:
This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was FFDA.bin.
We also see the creation of cached-microdescs, which is used by the Tor client:
For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
As always I recommend blocking the RIG EK IP address as well as the CnC servers. Until next time!
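To turn the indicators above into something a blue team can run, here is an added example (my own code, not part of the original post or of any tool it mentions) that checks proxy log lines against the IOC list and tests filenames against the [A-F0-9]{4}.bin drop pattern. The log format (timestamp, source IP, destination IP, host, method, URI) and the sample lines are constructed for the example; the CnC URI pattern assumes the [removed] part of the path is one or more path segments, which the post does not spell out.

```python
import re
from dataclasses import dataclass

# Network IOCs taken from the post: destination IPs and the hosts they served.
IOC_IPS = {
    "92.243.23.204": "compromised website (www.caltech.fr)",
    "185.159.130.122": "RIG-v EK (more.THEBESTDALLASFLORISTS.COM)",
    "5.196.159.175": "Dreambot CnC",
    "46.4.99.46": "Tor module download host",
    "37.48.122.26": "external IP lookup (curlmyip.net)",
}
IOC_DOMAINS = {
    "www.caltech.fr": "compromised website",
    "more.thebestdallasflorists.com": "RIG-v EK",
    "nod32s.com": "post-infection DNS query",
    "curlmyip.net": "external IP lookup",
    "myip.opendns.com": "external IP lookup (OpenDNS)",
    "resolver1.opendns.com": "OpenDNS IP lookup",
}
# URI shapes from the post: the CnC check-in ending in "/.avi" (the redacted
# middle is assumed to be one or more segments) and the Tor client fetch.
URI_PATTERNS = [
    (re.compile(r"^/images/(?:[^/]+/)+\.avi$"), "Dreambot CnC check-in URI"),
    (re.compile(r"^/tor/t64\.dll$"), "Tor module download"),
]
# Host artifact: the Tor client lands in %Temp% as four hex chars + .bin
# (FFDA.bin in the post). Windows filenames are case-insensitive, so match that way.
TOR_DROP_NAME = re.compile(r"^[A-F0-9]{4}\.bin$", re.IGNORECASE)

# Constructed log layout (assumption): "<ts> <src_ip> <dst_ip> <host> <method> <uri>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    reason: str


def scan_proxy_log(lines):
    """Return one Hit per matching indicator (IP, host, or URI) per log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected layout
        _ts, _src, dst_ip, host, _method, uri = m.groups()
        if dst_ip in IOC_IPS:
            hits.append(Hit(n, dst_ip, IOC_IPS[dst_ip]))
        if host.lower() in IOC_DOMAINS:
            hits.append(Hit(n, host, IOC_DOMAINS[host.lower()]))
        for pattern, reason in URI_PATTERNS:
            if pattern.match(uri):
                hits.append(Hit(n, uri, reason))
    return hits


def is_tor_drop_name(filename):
    """True when a %Temp% filename matches the Tor client drop pattern."""
    return TOR_DROP_NAME.match(filename) is not None


# Constructed sample traffic mirroring the infection chain; the last line is benign.
SAMPLE_LOG = [
    "00:00:01 10.0.0.5 92.243.23.204 www.caltech.fr GET /",
    "00:00:02 10.0.0.5 185.159.130.122 more.thebestdallasflorists.com GET /?q=abc",
    "00:00:09 10.0.0.5 5.196.159.175 5.196.159.175 GET /images/aaaa/KTDEi/.avi",
    "00:00:15 10.0.0.5 46.4.99.46 46.4.99.46 GET /tor/t64.dll",
    "00:00:20 10.0.0.5 37.48.122.26 curlmyip.net GET /",
    "00:01:00 10.0.0.5 93.184.216.34 example.com GET /index.html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.reason}")
    for name in ("FFDA.bin", "radE86B9.tmp.exe"):
        print(name, "matches Tor drop pattern:", is_tor_drop_name(name))
```

The external IP lookups (curlmyip.net, myip.opendns.com) are weak on their own because legitimate software uses them too; treat those hits as context for the stronger ones (the EK IP, the CnC check-in URI and the t64.dll fetch), which are the ones worth blocking outright.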