HookAds Malvertising Redirects to RIG-v EK at EK Drops Ursnif Variant Dreambot.


  • – multimediaz.net – Website hosting script for onclickads.net
  • – onclickads.net – Checks Flash. Redirects to onclkds.com.
  • – onclkds.com – Returns “302 Moved Temporarily,” new location is set to avatrading.org
  • – avatrading.org – Domain in fake ad network. Contains iframe for stockholmads.info
  • – stockholmads.info – GET /rotation/check-hits? – Contains iframe for RIG-v EK
  • – sup.glencoelocksmithil.com – RIG-v EK
  • – GET /images/[removed]/.avi – CnC traffic
  • – GET /tor/t64.dll – Tor module download
  • – curlmyip.net – External IP lookup
  • Post-infection Tor traffic via TCP port 9001

Identifying DNS Queries:

  • resolver1.opendns.com
  • myip.opendns.com
  • nod32.com
  • eset.com
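The IOCs above map cleanly onto proxy and DNS logs. The script below is an added example (not from the original post) that tags each matching request or query with its stage of the chain, groups events per client, and only calls a host "infected" when a post-exploitation stage (RIG-v landing, the Tor module download, or the /images/.../.avi check-in) is present; the IP-lookup and AV-vendor queries are kept as supporting evidence but never carry a verdict on their own. It generalises the stockholmads.info hop to the regional `<city>ads.info` naming pattern seen in the passive DNS history later in the post. The log format, the sample lines and the 203.0.113.10 address (an RFC 5737 placeholder standing in for the redacted C2 IP) are constructed.

```python
"""Flag stages of the HookAds -> RIG-v -> Dreambot chain in proxy and DNS log lines.
Added example; the log format and sample lines are constructed, and 203.0.113.10
is an RFC 5737 placeholder for the redacted C2 address."""
import re
from collections import defaultdict

PROPELLER_REDIRECTORS = {"onclickads.net", "onclkds.com"}   # ad-serving redirect hops
RIG_EK_HOSTS = {"sup.glencoelocksmithil.com"}                # RIG-v host from the IOC list
IP_LOOKUP_HOSTS = {"curlmyip.net", "myip.opendns.com", "resolver1.opendns.com"}
AV_VENDOR_LOOKUPS = {"nod32.com", "eset.com"}                # DNS queries the bot makes

HOOKADS_DOMAIN = re.compile(r"^[a-z]+ads\.info$")   # stockholmads.info, leedsads.info, ...
HOOKADS_PATH = re.compile(r"^/rotation/check-hits")
CNC_PATH = re.compile(r"^/images/[^/]+/\.avi$")     # GET /images/<id>/.avi check-in
TOR_PATH = re.compile(r"^/tor/t(32|64)\.dll$")      # Tor module, chosen by OS bitness


def classify_http(host, path):
    """Map one proxied request to a chain stage, or None if nothing matches."""
    if host in PROPELLER_REDIRECTORS:
        return "propeller_redirect"
    if HOOKADS_DOMAIN.match(host) and HOOKADS_PATH.match(path):
        return "hookads_rotation"
    if host in RIG_EK_HOSTS:
        return "rig_ek"
    if TOR_PATH.match(path):
        return "tor_module"
    if CNC_PATH.match(path):
        return "cnc_checkin"
    if host in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    return None


def classify_dns(qname):
    """Map one DNS query name to a supporting-evidence stage, or None."""
    if qname in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    if qname in AV_VENDOR_LOOKUPS:
        return "av_vendor_lookup"
    return None


def parse_line(line):
    """HTTP: 'ts client METHOD host path status'; DNS: 'ts client DNS qname'."""
    parts = line.split()
    if len(parts) == 4 and parts[2] == "DNS":
        return parts[0], parts[1], classify_dns(parts[3]), "DNS " + parts[3]
    if len(parts) == 6:
        ts, client, method, host, path, _status = parts
        return ts, client, classify_http(host, path), f"{method} {host}{path}"
    return None


def build_timelines(lines):
    """Group matched stages per client IP, preserving log order."""
    timelines = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2]:
            ts, client, stage, detail = rec
            timelines[client].append((ts, stage, detail))
    return dict(timelines)


HIGH_CONFIDENCE = {"rig_ek", "tor_module", "cnc_checkin"}
DELIVERY = {"propeller_redirect", "hookads_rotation"}


def verdict(events):
    """'infected' on any post-exploitation stage, 'exposed' on delivery only, else 'clean'."""
    stages = {stage for _, stage, _ in events}
    if stages & HIGH_CONFIDENCE:
        return "infected"
    if stages & DELIVERY:
        return "exposed"
    return "clean"


# Constructed sample log: one victim replaying the chain from the post, one host that
# only looked up its external IP (ip_lookup alone must not trigger an alert).
SAMPLE_LOG = """\
2017-02-19T22:40:01Z 10.0.0.12 GET multimediaz.net / 200
2017-02-19T22:40:02Z 10.0.0.12 GET ad.propellerads.com /ad.js 404
2017-02-19T22:40:02Z 10.0.0.12 GET onclickads.net /?zoneid=7904&fs=1 200
2017-02-19T22:40:03Z 10.0.0.12 GET onclkds.com /?zoneid=7904 302
2017-02-19T22:40:03Z 10.0.0.12 GET avatrading.org /?sw=1280 200
2017-02-19T22:40:04Z 10.0.0.12 GET stockholmads.info /rotation/check-hits? 200
2017-02-19T22:40:05Z 10.0.0.12 POST sup.glencoelocksmithil.com / 200
2017-02-19T22:40:09Z 10.0.0.12 DNS myip.opendns.com
2017-02-19T22:40:09Z 10.0.0.12 DNS nod32.com
2017-02-19T22:40:10Z 10.0.0.12 GET 203.0.113.10 /images/abcd1234/.avi 200
2017-02-19T22:40:15Z 10.0.0.12 GET 203.0.113.10 /tor/t64.dll 200
2017-02-19T22:40:16Z 10.0.0.12 GET curlmyip.net / 200
2017-02-19T22:41:00Z 10.0.0.20 GET curlmyip.net / 200
""".splitlines()

if __name__ == "__main__":
    for client, events in build_timelines(SAMPLE_LOG).items():
        print(client, verdict(events))
        for ts, stage, detail in events:
            print("  ", ts, stage, detail)
```

The RIG-v host set is the one domain from this capture; in practice you would feed it from a threat feed, since RIG rotates hosts far faster than the HookAds rotation domains or the /tor/t64.dll and /images/.../.avi paths change.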




SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8
File name: RIG-v Flash Exploit.swf

SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea
File name: QTTYUADAF

SHA256: 968c138d81479711c3c1fea10860cf14bcda165971add20bb14e6671cfd7f5ab
File name: rad763E4.tmp.exe or Deviprov.exe
Hybrid-Analysis Report

SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll (Downloaded when using Windows 64-bit)

SHA256: 5d5bda87bb2871b29c63d7a40c3f7e1ef81ebb4c69396059e94d4ce02ece9f10
File name: t32.dll (Downloaded when using Windows 32-bit)

Infection Chain:

The infection began when I was browsing the WordPress site multimediaz.net. A picture of the site is shown below:


You can see that the ads from ad.propellerads.com returned a 404 Not Found.

Searching this domain via Google doesn’t directly return the homepage. The owner appears to have left the site idle, and it hasn’t been updated in a long time (apparently due to lack of public interest).

As you can see from the picture of my traffic the site’s source code contains script pointing to onclickads.net:


We then see a GET request for onclickads.net/?zoneid=7904&pbk2=2829851022915fd178a61c17ad4940996388365887265502682&r=%2Foc%2Fhan%2Ftomb&uuid=20950899-f385-4e08-9179-7f55bf462380&fs=1

Below is the file found in the return traffic:


We can see that the title is “Redirect” and it tells the browser to do a DNS prefetch for avatrading.org. It also uses a meta-refresh for onclkds.com. We then see some JavaScript that checks for Flash. The original full file and a commented version of the JavaScript can be viewed on my Pastebin account.

Original full file: http://pastebin.com/7ah2Pw9H
Commented JavaScript: http://pastebin.com/tUy3Lehh (shout-out to my buddy “elf” for taking the time to breakdown the script, decode it and comment it!)

This redirects the host to onclkds.com, which in turn returns a 302 Moved Temporarily and redirects the host to avatrading.org/?sw=1280:


It should be noted that I’ve seen a lot of malvertising begin with OnClickAds.net, which is used by the ad network Propeller Ads Media for ad serving.

We then see avatrading.org/?sw=1280 open in a new browser window on the Desktop:


AvaTrading.org appears to be a dummy site used by this malvertising campaign. The domain was created on 02/16/17. Below is the Whois information:

Attribute Value
WHOIS Server whois.publicinterestregistry.net
Registrar Danesco Trading Ltd.
Email avatrading.org@whoisprotectservice.net (registrant, admin, tech)
Name WhoisProtectService.net (registrant, admin, tech)
Organization PROTECTSERVICE, LTD. (registrant, admin, tech)
Street 27 Old Gloucester Street
City London
Postal WC1N 3AX
Country GB
Phone 4402074195061 (registrant, admin, tech)

Notice the name servers? The TopDNS.me name servers are used by the fake ad network and malvertising campaign called “HookAds.” To read more about HookAds see this article written by :


This domain resolves to, with the subnet containing other domains in the HookAds infrastructure. That range is operated by Soft-com.biz Inc., with the netname being UK-SOFTCOM-HQHost.

Looking at the source code behind AvaTrading.org shows that it contains an iframe pointing to stockholmads.info:


That iframe redirects the host to “stockholmads[.]info/rotation/check-hits?”. stockholmads.info resolves to The resolution history for is shown below:

Domain First Seen Last Seen
stockholmads.info 11/9/2016 7:56 2/19/2017 22:43
leedsads.info 11/11/2016 16:13 2/19/2017 12:35
lilleads.info 11/4/2016 18:54 2/19/2017 12:05
malmoads.info 11/8/2016 23:48 2/19/2017 11:56
ostravaads.info 11/13/2016 8:52 2/19/2017 1:53
trivagoad.com 1/14/2016 3:58 2/19/2017 0:00
bristolads.info 11/11/2016 8:45 2/18/2017 20:40
amsterdamads.info 11/5/2016 13:18 2/18/2017 18:27
lublanads.info 11/12/2016 0:45 2/18/2017 16:24
turkuads.info 11/10/2016 15:56 2/18/2017 12:42
koperads.info 11/12/2016 16:48 2/18/2017 12:10
turinads.info 11/8/2016 15:48 2/18/2017 3:24
varnaads.info 11/14/2016 1:34 2/18/2017 3:11
sevilleads.info 11/5/2016 0:07 2/18/2017 1:15
rotterdamads.info 11/7/2016 4:52 2/18/2017 0:42
naplesads.info 11/8/2016 8:24 2/17/2017 22:19
munichads.info 11/7/2016 12:39 2/17/2017 22:06
mariborads.info 11/12/2016 8:46 2/17/2017 21:07
landads.info 11/9/2016 14:35 2/17/2017 20:32
umeaads.info 11/9/2016 14:29 2/14/2017 11:20
lisbonads.info 11/5/2016 3:41 2/14/2017 7:57
hagueads.info 11/6/2016 12:24 2/13/2017 20:25
brnoads.info 11/13/2016 0:55 2/11/2017 1:33
frankfurtads.info 11/7/2016 14:02 2/10/2017 9:37
tampereads.info 11/10/2016 16:17 2/7/2017 22:31
helsinkiads.info 11/10/2016 7:54 2/7/2017 21:28
utrechtads.info 11/6/2016 14:50 12/26/2016 8:47
sofiaads.info 11/14/2016 14:36 12/26/2016 7:46
hamburgads.info 11/7/2016 23:16 12/23/2016 8:29
pasteero.com 12/18/2015 3:27 12/16/2016 2:04
plivdivads.info 11/14/2016 0:57 12/16/2016 1:33
pilsenads.info 11/13/2016 16:54 11/24/2016 10:52
florenceads.info 11/8/2016 7:18 11/19/2016 18:44
yorkads.info 11/12/2016 0:04 11/12/2016 0:28
liverpoolads.info 11/3/2016 20:34 11/6/2016 20:39
adsrotation.info 9/8/2016 0:01 9/8/2016 14:22
adsdelivery.info 9/7/2016 10:16 9/8/2016 7:26
hoptop.info 8/28/2016 0:00 8/29/2016 16:09
dc-d2922a0b.trivagoad.com 1/13/2016 11:07 1/13/2016 11:07

The malicious activity associated with this IP address appears to have begun on 08/28/16. Whois information for is shown below:

WHOIS Server whois.ripe.net
Registrar RIPE NCC
Email eugene.stryapin@soft-com.biz (registrant)
Name UK-SOFTCOM-HQHost (registrant)
Name Eugene Stryapin (admin)
Organization UK-SOFTCOM-HQHost (registrant)
Street 272 Bath Street (admin, tech)
City Glasgow
Country GB (registrant)
Phone 380 66 42 32 985 (admin, tech)

/check-hits? returns what has been called RIG’s “pre-landing” page. The full page can be seen at my Pastebin account:


While security researchers have called it the “pre-landing” page, the authors call it “firstDetect.js”. The file is located at /library/:


firstDetect.js contains the URL for the RIG-v EK landing page and it tells the host to use the POST method for that request.

The EK then sent the Flash exploit and the malware payload.

cmd.exe creates QTTYUADAF in %Temp% and executes it. The script causes the host to make a GET request for the malware payload. The malware payload (rad763E4.tmp.exe) is dropped and executed in %Temp%:


The file is also copied to C:\Users\[User]\AppData\Roaming\efsshell as Deviprov.exe:


In the screenshot the original sample has “(original)” in its name; the dropped copy grew by 276 KB after only a couple of minutes. I kept both samples there as an example of the change in file size.

There is a registry entry created for persistence:


The bot checks-in with the CnC server via[removed]/.avi.

We then see the GET request for the Tor client, which is currently being hosted at The server will return /tor/t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

When the Tor client is retrieved from we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\[random guid]:


This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was B725.bin (3,088 KB).

We also see the creation of cached-microdescs, which is used by the Tor client:
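The host artifacts described above (the Tor client path recorded under HKCU\Software\AppDataLow\Software\Microsoft\{GUID}, the [A-F0-9]{4}.bin drop in %Temp%, the cached-microdescs file, and the Deviprov.exe copy with its persistence entry) can be hunted for from an offline registry export and a file listing. The script below is an added example, not code from the post or from Proofpoint: it parses a constructed .reg export and walks a constructed scratch directory. The GUID, the value name “Client”, the use of a Run key for persistence, and the assumption that cached-microdescs sits alongside the .bin file are all made up for the example, since the post does not name them.

```python
"""Hunt for Dreambot/Tor host artifacts in a .reg export and a %Temp%-style directory.
Added example; the GUID, value name and Run-key entry below are assumptions."""
import os
import re
import tempfile

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Key named in the post: HKCU\Software\AppDataLow\Software\Microsoft\[random guid]
TOR_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\" + GUID + r"$")
# Assumed persistence location (the post only says a registry entry is created)
RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')   # "Name"="data"
BIN_PATH_RE = re.compile(r"\\([A-F0-9]{4}\.bin)$")               # ...\Temp\B725.bin
BIN_NAME_RE = re.compile(r"^[A-F0-9]{4}\.bin$")

# Constructed .reg export; .reg syntax doubles backslashes inside string data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\{5A7C1B2E-0F3D-4C8A-9E21-6B4D2F8A1C37}]
"Client"="C:\\Users\\victim\\AppData\\Local\\Temp\\B725.bin"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Deviprov"="C:\\Users\\victim\\AppData\\Roaming\\efsshell\\Deviprov.exe"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} with the doubled backslashes collapsed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def hunt(reg_text, root_dir):
    """Return (kind, *details) tuples: registry findings first, then file findings."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            if TOR_KEY_RE.match(key) and BIN_PATH_RE.search(data):
                findings.append(("tor_client_path", key, name, data))
            elif RUN_KEY_RE.search(key) and "\\AppData\\Roaming\\" in data:
                findings.append(("persistence_run_value", key, name, data))
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            if BIN_NAME_RE.match(fname):
                findings.append(("tor_client_file", full, os.path.getsize(full)))
            elif fname.startswith("cached-microdescs"):
                findings.append(("tor_cache", full))
    return findings


def demo():
    """Lay down the artifacts from the post in a scratch directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "B725.bin"), "wb") as f:
            f.write(b"\x00" * 4096)          # the real drop was 3,088 KB
        open(os.path.join(tmp, "cached-microdescs.new"), "w").close()
        open(os.path.join(tmp, "rad763E4.tmp.exe"), "wb").close()  # not flagged by these rules
        return hunt(SAMPLE_REG, tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host you would export the key with `reg export` and point hunt() at the user's %Temp%; the .bin name pattern alone is weak, so the script only reports it as a separate finding and leaves the registry path match to tie the file back to the Tor module.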


For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

As always I recommend blocking the nasty stuff, including the HookAds infrastructure, RIG EK IP address as well as the CnC servers. Until next time!

