HookAds Campaign Leads to RIG EK at 92.53.104.78

The HookAds campaign was first discovered by researchers at Malwarebytes back in mid August of 2016. This campaign leverages decoy adult sites to spread malware. In this case the user would be browsing a legitimate website, often an adult website, and then they would be redirected to a decoy adult site through a malvertising chain.

On the decoy adult sites there is a malicious iframe that points to a fake ad server acting as a gate for RIG EK:

Decoy site contains iframe pointing to an ad domain acting as a gate

The domain milliption.gdn resolves to 62.75.195.128. The campaign has been using this IP address since February:

Domains	First Seen	Last Seen
milliption.gdn	3/13/2017 2:31	3/20/2017 13:21
decipio.gdn	3/13/2017 2:30	3/18/2017 2:37
africal.gdn	3/17/2017 20:49	3/17/2017 20:49
vessed.gdn	3/13/2017 2:31	3/13/2017 2:31
resourdish.gdn	3/8/2017 10:25	3/8/2017 21:12
wow1.paramework.xyz	1/25/2017 10:00	3/8/2017 19:07
psittan.gdn	3/8/2017 6:57	3/8/2017 9:40
wow3.paramework.xyz	2/24/2017 3:30	2/24/2017 3:30
wow2.paramework.xyz	2/19/2017 13:30	2/24/2017 3:29

The domain first resolved to 209.126.118.91, which showed more malicious domains using the generic TLD .gdn (Global Domain Name):

Domain	First Seen	Last Seen
coolinin.gdn	3/9/2017 23:50	3/20/2017 3:24
procody.gdn	3/8/2017 22:12	3/19/2017 18:59
slightfall.gdn	3/12/2017 9:19	3/14/2017 4:18
restribe.gdn	3/9/2017 10:19	3/14/2017 3:13
milliption.gdn	3/13/2017 2:31	3/13/2017 2:31
vessed.gdn	3/13/2017 2:31	3/13/2017 2:31
africal.gdn	3/10/2017 10:25	3/13/2017 1:06
resourdish.gdn	3/8/2017 0:00	3/12/2017 1:36
psittan.gdn	3/12/2017 1:34	3/12/2017 1:34

All of the .gdn domains being used by this campaign are registered to seoboss@seznam.cz:

Domain	Registrant Email	Registered
decipio.gdn	seoboss@seznam.cz	3/5/2017
restribe.gdn	seoboss@seznam.cz	3/5/2017
procody.gdn	seoboss@seznam.cz	3/5/2017
vessed.gdn	seoboss@seznam.cz	3/5/2017
africal.gdn	seoboss@seznam.cz	3/5/2017
coolinin.gdn	seoboss@seznam.cz	3/5/2017
milliption.gdn	seoboss@seznam.cz	3/5/2017
resourdish.gdn	seoboss@seznam.cz	3/5/2017
werned.gdn	seoboss@seznam.cz	3/1/2017
psittan.gdn	seoboss@seznam.cz	3/1/2017
westponent.gdn	seoboss@seznam.cz	3/1/2017
confidely.gdn	seoboss@seznam.cz	3/1/2017
elecommon.gdn	seoboss@seznam.cz	3/1/2017
cominents.gdn	seoboss@seznam.cz	3/1/2017
slightfall.gdn	seoboss@seznam.cz	2/27/2017
wallther.gdn	seoboss@seznam.cz	2/27/2017
dravitalia.gdn	seoboss@seznam.cz	2/27/2017
paltruise.gdn	seoboss@seznam.cz	2/27/2017
irritorian.gdn	seoboss@seznam.cz	2/27/2017
unexperic.gdn	seoboss@seznam.cz	2/27/2017
centuation.gdn	seoboss@seznam.cz	2/27/2017
germante.gdn	seoboss@seznam.cz	2/27/2017
thousales.gdn	seoboss@seznam.cz	2/26/2017
zachael.gdn	seoboss@seznam.cz	2/26/2017
chromotor.gdn	seoboss@seznam.cz	2/26/2017
wrapsing.gdn	seoboss@seznam.cz	2/26/2017
seconquest.gdn	seoboss@seznam.cz	2/26/2017
hickenzi.gdn	seoboss@seznam.cz	2/26/2017
sidentitis.gdn	seoboss@seznam.cz	2/23/2017
concephall.gdn	seoboss@seznam.cz	2/23/2017
neveraged.gdn	seoboss@seznam.cz	2/22/2017
havenhoek.gdn	seoboss@seznam.cz	2/22/2017
dispanic.gdn	seoboss@seznam.cz	2/22/2017
discussels.gdn	seoboss@seznam.cz	2/22/2017
explosin.gdn	seoboss@seznam.cz	2/22/2017
austribach.gdn	seoboss@seznam.cz	2/22/2017
rulence.gdn	seoboss@seznam.cz	2/22/2017
patteriod.gdn	seoboss@seznam.cz	2/22/2017
sebrisburg.gdn	seoboss@seznam.cz	2/22/2017
becomple.gdn	seoboss@seznam.cz	2/22/2017
entrary.gdn	seoboss@seznam.cz	2/22/2017
mormous.gdn	seoboss@seznam.cz	2/22/2017

The iframe on the decoy site contains the location of ad domains that are acting as a gate. The script on the gate is being used to fingerprint the system.

The fingerprinting checks to see if the current browser is Internet Explorer and makes sure that the browser is not a crawling bot. On March 6th, 2017, I noticed that it added checks for Fiddler, FFDec, VirtualBox, and VMware:

There is also commented out code for NOD32 and Bitdefender AV products

You can read more about the new checks HERE.

The page returned by the server loaded in the location of the banner ad. If the system passes the checks then you will see a POST request using a URL pointing to the RIG exploit kit landing page:

URL points to RIG EK landing page

The RIG exploit kit landing page is loaded in the same location as the gate:

Banner on decoy site

We can see the nonsensical sentences “Trick can you fix my BMW” and “Boys want education ty” are being displayed in the location of the banner ad. However, taking a closer look at the page being returned to host we can clearly see that it is actually the landing page:

The EK dropped 06amrddi.exe and m73hwg6i.exe (same file) in %TEMP%:

Additional IOCs

Network:

• 62.75.195.128 – milliption.gdn – Fake ad domain
• 92.53.104.78 – temp.levvi.com – RIG EK

Hashes:

SHA256: 14be41a97b8d0b4cb626f1a659ba895847436e68721a8119e7ddd05b6cd3d69d
File name: RIG EK Flash Exploit.swf

SHA256: 14fcca3094cef0d5bff90a09eca427ff3975ed15265d46207c2e8b124619df62
File name: 06amrddi.exe and m73hwg6i.exe
Hybrid-Analysis Report
DeepViz Report

Download Artifacts (password is the same word used by other EK researchers):

Malicious Artifacts.zip

References:
https://blog.malwarebytes.com/cybercrime/exploits/2016/11/the-hookads-malvertising-campaign/

• Category: Exploit Kit
• Tag: HookAds, IOCs, Rig Exploit Kit

Published by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware. View all posts by malwarebreakdown