IOCs:
- 192.99.46.21 – littleinspiration.com – Compromised website
- 217.107.34.241 – zone.klynnholding.com – RIG EK
- 5.196.159.175 – GET /images/[removed]/.avi – CnC traffic
- 5.196.159.175 – GET /tor/t64.dll – Tor module download
- 37.48.122.26 – curlmyip.net – External IP lookup
- Post-infection Tor traffic via TCP port 443 and 9001
- SSH connections to 91.239.232.81, which also host one or more Tor relays according to https://exonerator.torproject.org
Additional DNS Queries:
- resolver1.opendns.com
- 222.222.67.208.in-addr.arpa
- myip.opendns.com
Traffic:
Hashes:
SHA256: a83064eb620ded9dfcbed8a97146e7fef1bfd1626246a79e734cb48482dbf06f
File name: RIG EK v4.0 Flash Exploit.swf
SHA256: 446dde2f89b5c51d3aac8b655b9372ed74b30430efb97e8dfecd2c7117fe4c9a
File name: QTTYUADAF
SHA256: 6ca805d4fabf2ff863208cecb606307a5a70f81ce798c81741be24a690732f9f
File name: rad10363.tmp.exe
Hybrid-Analysis Report
SHA256: a8f7a0471f65cfad7031d77bf131532fa8d930e9eea86c23584771251d0b51d5
File name: t64.dll
Infection Chain:
The website littleinspiration.com is compromised and was injected with the EITest script. Thanks to @nao_sec for the heads up on the compromised website!
Loading the website in my browser and inspecting the TCP stream between my host and the web server showed that the EITest script had been injected into the web page. Below is the EITest script returned by the web server:
The URL within the script redirected my host to the RIG-v EK pre-filter page, otherwise known as “firstDetect.js.html.” The host was then redirected to the landing page (the URL for RIG EK landing page is contained within firstDetect.js.html) after which we see the Flash exploit in traffic, followed by the malware payload being dropped in %Temp%.
We see cmd.exe create QTTYUADAF in %Temp% and execute it. The script causes the host to make a GET request for the malware payload. The malware payload, rad10363.tmp.exe and rad96B91.tmp.exe (same file), were dropped and executed in %Temp%:
The file is copied to C:Users[User]AppDataRoamingefsshellDeviprov.exe:
There following registry entry was created for persistence:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
The bot checks-in via 5.196.159.175/images/[removed]/.avi.
We then see the GET request for the Tor client at 5.196.159.175. The server will return /tor/t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.
According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.
When the Tor cleint is retrieved from 5.196.159.175 we see the bot create a registry entry in HKCUSoftwareAppDataLowSoftwareMicrosoft<random guid>:
This key contains the path to the client, which is dropped in the %Temp% folder with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was 65AB.bin (3,088 KB).
We also see the creation of cached-microdescs in %AppData%, which is used by the Tor client:
We also see a registry entry created for ASProtect:
HKCUSoftwareASProtectSpecData
For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
As always I recommend blocking the RIG EK IP address as well as the CnC server. Until next time!
Malware breakdown 