On April 5th, 2017, the Twitter user thlnk3r sent a message to Brad and myself about a malvertising chain using onclkds.com to redirect hosts to RIG exploit kit. Here is the Tweet:
I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 194.58.38.64 as my referer. Here is the traffic from my run:
This tactic proved to be successful as I was redirected from the server to a RIG exploit kit landing page being hosted at the subdomain help.csrabearing.com (185.159.128.228):
As you can see from the TCP stream the GET request for flow339.php returned an iframe containing a URL for a RIG exploit kit landing page. It also contained the following string at the very bottom:
If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html
More on this string later….
The host is then sent the Flash exploit and the malware payload. The malware payload was dropped and executed in %TEMP%. Below is an image of multiple malware payloads (I received numerous identical payloads as the page refreshed itself numerous times):
The malware copies itself to AppData and creates some .log files:
It also creates a .log file in ProgramData (64 characters):
We also see it modify and set some values in the registry:
Access type: "SETVAL"; Path: HKCUSoftwareAppDataLow[GUID]"; Key "Client"; Value: [GUID]
Access type: "SETVAL"; Path: "HKCUSoftwareMicrosoftWindowsCurrentVersionRun"; Key: "LbdUpnlo"; Value: "%LOCALAPPDATA%duoibyaalbdupnlo.exe"
Access type: "SETVAL"; Path: "HKCUSoftwareMicrosoftWindowsCurrentVersionRun"; Key: "UwuAwwru"; Value: "%TEMP%uwuawwru.exe"
Access type: "SETVAL"; Path: "HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon"; Key: "Userinit"; Value: "%WINDIR%system32userinit.exe,%TEMP%uwuawwru.exe,%LOCALAPPDATA%duoibyaalbdupnlo.exe"
It also writes to a start menu file:
%APPDATA%RoamingMicrosoftWindowsStart MenuProgramsStartup
Processes from the Hybrid-Analysis report:
The various file system and registry IOCs confirmed that the malware payload was Ramnit banking Trojan.
I then decided to do some additional digging to see if I could figure out what campaign this was coming from. That is when I found an article written on March 21st, 2017, by Jérôme Segura over at Malwarebytes Labs. The article was entitled “Canada and the U.K. hit by Ramnit Trojan in new malvertising campaign” and in the article Jérôme talked about malvertising activity originating from various adult websites.
Jérôme also mentioned that their honeypot caught Ramnit payloads coming from this malvertising campaign. An interesting note about their investigation is that they documented TDSs (Traffic Distribution System) being used in this malvertising campaign.
Below is an image from Jérôme’s post on March 21st, 2017:
Figure 2
You’ll notice that their Fiddler session captures the same exact string that I discussed earlier in the post. For example, you’ll see “If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html” at the bottom of the image. The traffic and payload (Ramnit) seems to match the campaign that they discovered.
BroadAnalysis had also sent me a DM with a link to an article entitled “Seamless Campaign Delivers Ramnit via Rig EK.” The article is written by Andrea Scarfo, Brad Antoniewicz, and Matt Foley over at the Cisco Umbrella blog. They’re calling it the “Seamless” campaign due to that word being used in the response from the gate (see Figure 1 and Figure 2). Just like with Malwarebytes they too found that this campaign was heavily targeting Canadian hosts and dropping Ramnit banking malware as its payload.
Further reconnaissance showed that there were numerous open ports on 194.58.38.64:
| 21/TCP – Open – FTP: ProFTPD |
| 22/TCP – Open – SSH: OpenSSH 5.3 (protocol 2.0) |
| 25/TCP – Open – SMTP: Exim SMTPD 4.89 |
| 53/TCP – Open – DNS |
| 80/TCP – Open – HTTP: nginx 1.10.2 |
| 110/TCP – Open – POP3: Dovecot POP3D |
| 143/TCP – Open – IMAP: Dovecot IMAPD |
| 465/TCP Open – SSL/SMTP: Exim SMTPD 4.89 |
| 587/TCP – Open – SMTP: Exim SMTPD 4.89 |
| 993/TCP – Open – SSL/IMAP: Dovecot IMAPD |
| 995/TCP – Open – SSL/POP3: Dovecot POP3D |
| 1500/TCP – Open – ISPmanager |
| 3306/TCP – open – MySQL |
It looks as though they’re using ISPManager to manage the web server:
ISPManager provides a feature set for managing websites, creating users, handling domains, emails, databases, etc.
Post-Infection Traffic
Upon execution of the malware payload the host made numerous DNS queries:
| Domain | Address | Country |
| fbtsotbs.com | ||
| npcvnorvyhelagx.com | 87.106.190.153 | Germany |
| mrthpcokvjc.com | ||
| notalyyj.com | 185.118.66.84 | Russian Federation |
| ctiprlgcxftdsaiqvk.com | ||
| aofmfaoc.com | 34.194.213.50 | United States |
| wgwuhauaqcrx.com | 87.106.190.153 | Germany |
| fkqrjsghoradylfslg.com | ||
| doisafjsnbjesfbejfbkjsej88.com | ||
| bheabfdfug.com | 185.156.179.126 | Russian Federation |
| sinjydtrv.com |
The malware then used the following Port/Protocol to contact these hosts:
| IP Address | Port | Protocol | Domain | Country |
| 185.156.179.126 | 443 | TCP | bheabfdfug.com | Russian Federation |
| 34.194.213.50 | 443 | TCP | aofmfaoc.com | United States |
| 87.106.190.153 | 443 | TCP | wgwuhauaqcrx.com | Germany |
| 185.118.66.84 | 443 | TCP | notalyyj.com | Russian Federation |
These events triggered the following rules on my IDS:
- ET TROJAN Win32/Ramnit Checkin
- MALWARE-CNC Win.Trojan.Ramnit variant outbound detected
I then found my infected host making A LOT of ARP requests to IP addresses in its subnet. This traffic was followed by even more connection requests to host in the private address spaces via TCP port 110 (POP3). The POP3 request caused the following ET rule to trigger:
- ET SCAN Rapid POP3 Connections – Possible Brute Force Attack
There was also another ET rule that triggered:
- ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
You will find the hashes for the files below, as well as the malicious artifacts which are zipped and password protected with “infected”. The malware samples can be downloaded from the Hybrid-Analysis reports.
Hashes
SHA256: f5be3eb33c9b6759f3609da0240920184154907f6950e9d885bdf1fd96340e15
File name: RigEK Flash Exploit.swf
SHA256: 702d95d12d03be87d49d15714d221c7019ff48bc96a60b03e893bb55849ff272
File name: o32.tmp
SHA256: 3245c8670600513626941cca7a8ceb56acdda3905524100a2815ee8c9d358c1c
File name: ldzquze7.exe
Hybrid-Analysis Report
SHA256: c823183b49148e7e60d84142ccefc8fe16fe44bec94d5eabdbd623c65cdaff8c
File name: ldzquze7.exe (Ramnit)
Hybrid-Analysis Report
Malicious Artifacts (Flash Exploit and Landing Page)
Until next time!
Malware breakdown 