IOCs:
- 104.27.134.78 – multimediaz.net – Website hosting script for onclickads.net
- 206.54.163.4 – onclickads.net – Checks Flash. Redirects to onclkds.com.
- 206.54.163.50 – onclkds.com – Returns “302 Moved Temporarily,” new location is set to avatrading.org
- 185.51.244.202 – avatrading.org – Domain in fake ad network. Contains iframe for stockholmads.info
- 185.51.244.210 – stockholmads.info – GET /rotation/check-hits? – Contains iframe for RIG-v EK
- 217.107.219.99 – sup.glencoelocksmithil.com – RIG-v EK
- 89.223.31.51 – GET /images/[removed]/.avi – CnC traffic
- 89.223.31.51 – GET /tor/t64.dll – Tor module download
- 37.48.122.26 – curlmyip.net – External IP lookup
- Post-infection Tor traffic via TCP port 9001
Identifying DNS Queries:
- resolver1.opendns.com
- 222.222.67.208.in-addr.arpa
- myip.opendns.com
- nod32.com
- eset.com
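As an added example (not the author's tooling), the following Python matches constructed proxy, DNS and connection log lines against the indicators listed above, including the check-hits URI, the Tor module download and TCP/9001. The three line shapes and the sample log are made up for the demo, and the port-9001 match is deliberately labelled weak because the port alone is not proof of Tor.

```python
import re
# Hosts and IPs from the IOC list above, mapped to their role in the chain.
IOCS = {
    "onclickads.net": "ad network entry point (Flash check, redirect)",
    "onclkds.com": "302 redirector to avatrading.org",
    "avatrading.org": "HookAds fake ad domain",
    "stockholmads.info": "HookAds rotation domain (iframe to RIG-v)",
    "sup.glencoelocksmithil.com": "RIG-v EK", "217.107.219.99": "RIG-v EK",
    "89.223.31.51": "Dreambot CnC / Tor module host",
    "curlmyip.net": "post-infection external IP lookup",
}
DNS_IOCS = {"resolver1.opendns.com", "myip.opendns.com", "nod32.com", "eset.com"}
URI_PATTERNS = [
    (re.compile(r"^/rotation/check-hits\?"), "HookAds check-hits (RIG pre-landing)"),
    (re.compile(r"^/tor/t(32|64)\.dll$"), "Tor module download"),
]

def classify(line):
    """Return (indicator, role) hits for 'HTTP host uri' / 'DNS qname' / 'TCP ip port'."""
    parts = line.split()
    hits = []
    if len(parts) == 2 and parts[0] == "DNS" and parts[1] in DNS_IOCS:
        hits.append((parts[1], "post-infection DNS query"))
    elif len(parts) == 3 and parts[0] == "TCP":
        if parts[1] in IOCS:
            hits.append((parts[1], IOCS[parts[1]]))
        if parts[2] == "9001":  # Tor OR port seen post-infection; weak on its own
            hits.append(("tcp/9001", "possible Tor traffic"))
    elif len(parts) == 3 and parts[0] == "HTTP":
        host, uri = parts[1], parts[2]
        if host in IOCS:
            hits.append((host, IOCS[host]))
        hits += [(uri, role) for pat, role in URI_PATTERNS if pat.search(uri)]
    return hits

def scan(log_text):
    """Map every line that has at least one hit to its hits."""
    return {ln: h for ln in log_text.splitlines() if (h := classify(ln))}

# Constructed sample replaying the chain observed above; not a real capture.
SAMPLE_LOG = """\
HTTP onclickads.net /?zoneid=7904
HTTP avatrading.org /?sw=1280
HTTP stockholmads.info /rotation/check-hits?
HTTP sup.glencoelocksmithil.com /
HTTP 89.223.31.51 /tor/t64.dll
DNS myip.opendns.com
TCP 198.51.100.7 9001
HTTP example.com /index.html
"""
```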
Traffic:
Hashes:
SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8
File name: RIG-v Flash Exploit.swf
SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea
File name: QTTYUADAF
SHA256: 968c138d81479711c3c1fea10860cf14bcda165971add20bb14e6671cfd7f5ab
File name: rad763E4.tmp.exe or Deviprov.exe
Hybrid-Analysis Report
SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll (Downloaded when using Windows 64-bit)
SHA256: 5d5bda87bb2871b29c63d7a40c3f7e1ef81ebb4c69396059e94d4ce02ece9f10
File name: t32.dll (Downloaded when using Windows 32-bit)
Infection Chain:
The infection began when I was browsing the WordPress site multimediaz.net. A picture of the site is shown below:
Searching for this domain on Google does not directly return the homepage. The owner appears to be letting the site sit idle; it has not been updated in a long time, presumably due to lack of public interest.
As you can see from the picture of my traffic, the site’s source code contains a script pointing to onclickads.net:
We then see a GET request for onclickads.net/?zoneid=7904&pbk2=2829851022915fd178a61c17ad4940996388365887265502682&r=%2Foc%2Fhan%2Ftomb&uuid=20950899-f385-4e08-9179-7f55bf462380&fs=1
Below is the file found in the return traffic:
We can see that the title is “Redirect” and it tells the browser to do a DNS prefetch for avatrading.org. It also uses a meta-refresh for onclkds.com. We then see some JavaScript that does some checks for Flash. The original full file and a commented out version of the JavaScript can be viewed on my Pastebin account.
Original full file: http://pastebin.com/7ah2Pw9H
Commented JavaScript: http://pastebin.com/tUy3Lehh (shout-out to my buddy “elf” for taking the time to break down the script, decode it and comment it!)
This redirects the host to onclkds.com, which in turn returns a 302 Moved Temporarily and redirects the host to avatrading.org/?sw=1280:
It should be noted that I’ve seen a lot of malvertising begin with OnClickAds.net, which is used by the ad network Propeller Ads Media for ad serving.
We then see avatrading.org/?sw=1280 open in a new browser on the Desktop:
AvaTrading.org appears to be a dummy site used by this malvertising campaign. The domain was created on 02/16/17. Below is the Whois information:
Attribute | Value |
---|---|
WHOIS Server | whois.publicinterestregistry.net |
Registrar | Danesco Trading Ltd. |
Email | avatrading.org@whoisprotectservice.net (registrant, admin, tech) |
Name | WhoisProtectService.net (registrant, admin, tech) |
Organization | PROTECTSERVICE, LTD. (registrant, admin, tech) |
ASN | AS46636 NATCOWEB |
Street | 27 Old Gloucester Street |
City | London |
Postal | WC1N 3AX |
Country | GB |
Phone | 4402074195061 (registrant, admin, tech) |
NameServers | ns1.topdns.me, ns2.topdns.me, ns3.topdns.me |
Notice the name servers? The TopDNS.me name servers are used by the fake ad network and malvertising campaign called “HookAds.” To read more about HookAds see this article written by Jérôme Segura:
https://blog.malwarebytes.com/cybercrime/exploits/2016/11/the-hookads-malvertising-campaign/
This domain resolves to 185.51.244.202, with the subnet 185.51.244.0/24 containing other domains in the HookAds infrastructure. That range is operated by Soft-com.biz Inc., with the netname being UK-SOFTCOM-HQHost.
Looking at the source code behind AvaTrading.org shows that it contains an iframe pointing to stockholmads.info:
That iframe redirects the host to “stockholmads[.]info/rotation/check-hits?”. stockholmads.info resolves to 185.51.244.210. The resolution history for 185.51.244.210 is shown below:
Domain | First Seen | Last Seen |
---|---|---|
stockholmads.info | 11/9/2016 7:56 | 2/19/2017 22:43 |
leedsads.info | 11/11/2016 16:13 | 2/19/2017 12:35 |
lilleads.info | 11/4/2016 18:54 | 2/19/2017 12:05 |
malmoads.info | 11/8/2016 23:48 | 2/19/2017 11:56 |
ostravaads.info | 11/13/2016 8:52 | 2/19/2017 1:53 |
trivagoad.com | 1/14/2016 3:58 | 2/19/2017 0:00 |
bristolads.info | 11/11/2016 8:45 | 2/18/2017 20:40 |
amsterdamads.info | 11/5/2016 13:18 | 2/18/2017 18:27 |
lublanads.info | 11/12/2016 0:45 | 2/18/2017 16:24 |
turkuads.info | 11/10/2016 15:56 | 2/18/2017 12:42 |
koperads.info | 11/12/2016 16:48 | 2/18/2017 12:10 |
turinads.info | 11/8/2016 15:48 | 2/18/2017 3:24 |
varnaads.info | 11/14/2016 1:34 | 2/18/2017 3:11 |
sevilleads.info | 11/5/2016 0:07 | 2/18/2017 1:15 |
rotterdamads.info | 11/7/2016 4:52 | 2/18/2017 0:42 |
naplesads.info | 11/8/2016 8:24 | 2/17/2017 22:19 |
munichads.info | 11/7/2016 12:39 | 2/17/2017 22:06 |
mariborads.info | 11/12/2016 8:46 | 2/17/2017 21:07 |
landads.info | 11/9/2016 14:35 | 2/17/2017 20:32 |
umeaads.info | 11/9/2016 14:29 | 2/14/2017 11:20 |
lisbonads.info | 11/5/2016 3:41 | 2/14/2017 7:57 |
hagueads.info | 11/6/2016 12:24 | 2/13/2017 20:25 |
brnoads.info | 11/13/2016 0:55 | 2/11/2017 1:33 |
frankfurtads.info | 11/7/2016 14:02 | 2/10/2017 9:37 |
tampereads.info | 11/10/2016 16:17 | 2/7/2017 22:31 |
helsinkiads.info | 11/10/2016 7:54 | 2/7/2017 21:28 |
utrechtads.info | 11/6/2016 14:50 | 12/26/2016 8:47 |
sofiaads.info | 11/14/2016 14:36 | 12/26/2016 7:46 |
hamburgads.info | 11/7/2016 23:16 | 12/23/2016 8:29 |
pasteero.com | 12/18/2015 3:27 | 12/16/2016 2:04 |
plivdivads.info | 11/14/2016 0:57 | 12/16/2016 1:33 |
pilsenads.info | 11/13/2016 16:54 | 11/24/2016 10:52 |
florenceads.info | 11/8/2016 7:18 | 11/19/2016 18:44 |
yorkads.info | 11/12/2016 0:04 | 11/12/2016 0:28 |
liverpoolads.info | 11/3/2016 20:34 | 11/6/2016 20:39 |
adsrotation.info | 9/8/2016 0:01 | 9/8/2016 14:22 |
adsdelivery.info | 9/7/2016 10:16 | 9/8/2016 7:26 |
hoptop.info | 8/28/2016 0:00 | 8/29/2016 16:09 |
dc-d2922a0b.trivagoad.com | 1/13/2016 11:07 | 1/13/2016 11:07 |
The malicious activity associated with this IP address appears to have begun on 08/28/16. Whois information for 185.51.244.210 is shown below:
Attribute | Value |
---|---|
WHOIS Server | whois.ripe.net |
Registrar | RIPE NCC |
Email | eugene.stryapin@soft-com.biz (registrant) |
Name | UK-SOFTCOM-HQHost (registrant); Eugene Stryapin (admin) |
Organization | UK-SOFTCOM-HQHost (registrant) |
Street | 272 Bath Street (admin, tech) |
City | Glasgow |
Postal | |
Country | GB (registrant) |
Phone | 380 66 42 32 985 (admin, tech) |
NameServers | |
/check-hits? returns what has been called RIG’s “pre-landing” page. The full page can be seen at my Pastebin account:
While security researchers have called it the “pre-landing” page, the authors call it “firstDetect.js”. The file is located at /library/:
firstDetect.js contains the URL for the RIG-v EK landing page and it tells the host to use the POST method for that request.
The EK then sent the Flash exploit and the malware payload.
cmd.exe creates QTTYUADAF in %Temp% and executes it. The script causes the host to make a GET request for the malware payload. The malware payload (rad763E4.tmp.exe) is dropped and executed in %Temp%:
The file is also copied to C:\Users\[User]\AppData\Roaming\efsshell as Deviprov.exe:
The original file has “(original)” in the name; the file size grew by 276 KB after only a couple of minutes. I have both samples in there as an example of the change in file size.
There is a registry entry created for persistence:
The bot checks in with the CnC server via 89.223.31.51/images/[removed]/.avi.
We then see the GET request for the Tor client, which is currently being hosted at 89.223.31.51. The server will return /tor/t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.
According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.
When the Tor client is retrieved from 89.223.31.51 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\[random guid]:
This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was B725.bin (3,088 KB).
We also see the creation of cached-microdescs, which is used by the Tor client:
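As an added example, not part of the original write-up, this Python checks the host artifacts described above on constructed data: a key under HKCU\Software\AppDataLow\Software\Microsoft\{guid} whose value points at a [A-F0-9]{4}.bin file in a Temp directory, and the dropped client plus cached-microdescs in a temp folder. The value name "Client", the GUID and the file set are placeholders I made up; the script does not read a live registry.

```python
import os
import re
import tempfile

# Key pattern from the write-up: HKCU\Software\AppDataLow\Software\Microsoft\{guid}
GUID = r"\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?"
PERSIST_KEY_RE = re.compile(
    r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\" + GUID + r"$", re.IGNORECASE)
# Dropped Tor client name pattern from the write-up (e.g. B725.bin). Uppercase as
# observed; NTFS is case-insensitive, so relax this if your data is lowercased.
TOR_BIN_RE = re.compile(r"^[A-F0-9]{4}\.bin$")

def persistence_hits(registry):
    """registry: {key_path: {value_name: data}}. Flag values under the
    AppDataLow/Software/Microsoft/{guid} key whose data points at a
    [A-F0-9]{4}.bin file inside a Temp directory."""
    hits = []
    for key, values in registry.items():
        if not PERSIST_KEY_RE.match(key):
            continue
        for name, data in values.items():
            path = str(data).replace("\\", "/")
            if TOR_BIN_RE.match(os.path.basename(path)) and "/temp/" in path.lower():
                hits.append((key, name, data))
    return hits

def temp_artifacts(temp_dir):
    """Return names in temp_dir matching the Tor client or its microdesc cache."""
    return sorted(n for n in os.listdir(temp_dir)
                  if TOR_BIN_RE.match(n) or n == "cached-microdescs")

def demo():
    """Run both checks on constructed data (a fake registry dict and a scratch dir)."""
    registry = {  # constructed; GUID and value name are placeholders, not from the sample
        r"HKCU\Software\AppDataLow\Software\Microsoft\{0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b}":
            {"Client": r"C:\Users\user\AppData\Local\Temp\B725.bin"},
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer": {"Shell": "explorer.exe"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("B725.bin", "cached-microdescs", "notes.txt", "abcd.bin"):
            open(os.path.join(tmp, name), "w").close()
        return persistence_hits(registry), temp_artifacts(tmp)
```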
For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
As always I recommend blocking the nasty stuff, including the HookAds infrastructure, RIG EK IP address as well as the CnC servers. Until next time!