RIG EK at Drops Dreambot


HTTP Traffic:

  • guerritor.info – Gate (fake ad domain)
  • new.ibconsultants.net – RIG EK
  • Dreambot post-infection traffic

DNS Queries:

  • ip-addr.es
  • resolver1.opendns.com
  • myip.opendns.com

There is also post-infection Tor traffic via TCP port 9001 and 443.




SHA256: 3d44a6f79e6fe3eb21a7afac7e5b71b0c611bff547838fac0862aafa4bd90c16
File name: guerritor.info banners uaps.txt

SHA256: 98755080b844dc5c09c509a12eeb8955aa26408b3d0b0677ed65b799b92032e0
File name: new.ibconsultants.net RIG EK landing page.txt

SHA256: 81549d2ea47649a750bd4fc6e7be0b971c3fc6711a31af2f77ba437218ff63d1
File name: RIG EK Flash Exploit.swf

SHA256: ca287ec67041c47a2220c828ad0b020523f56450b5671b4443dcf2fc8bb5563a
File name: js1jq4ly.exe

SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll

Infection Chain

The infection chain started off with a decoy site that contained an iframe pointing to the URL guerritor.info/banners/uaps?. Typically a user would be redirected to these decoy sites through malvertising.

The GET request for guerritor.info/banners/uaps? returns a version of RIG’s pre-landing page. This pre-landing page contains a script that fingerprints the system, as well as the URL for the RIG exploit kit landing page. Below is a snippet of the pre-landing page:

pre-landing page

If everything checks out the script tells the host to make a POST request for the landing page.

After the Flash exploit runs, the malware payload is dropped and executed in %Temp%:


The executable js1jq4ly.exe is copied over to C:\Users\<User>\AppData\Roaming\catskend as docpDump.exe:

The bot checks in with the CnC server at [removed]/.avi. We then see the GET request for the Tor client currently being hosted at . The server will return /tor/t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.

When the Tor client is retrieved from we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\<random GUID>:


This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was F464.bin (3,088 KB).

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

Persistence used at HKCU\Software\Microsoft\Windows\CurrentVersion\Run:


For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
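As an added example (not part of the original post), the network and host indicators described above turned into simple detection checks, run over constructed proxy/DNS/firewall log lines; the Tor download host and the sample lines are placeholders, not captured data.

```python
import re

# Indicators taken from the traffic and host artifacts described in this post.
# Sample log lines below are constructed for the example, not captured data.
RULES = [
    ("RIG gate (pre-landing page)", re.compile(r"guerritor\.info/banners/uaps", re.I)),
    ("RIG EK landing page", re.compile(r"new\.ibconsultants\.net", re.I)),
    ("Dreambot Tor client download", re.compile(r"/tor/t(32|64)\.dll\b", re.I)),
    # External-IP lookups are benign alone; they matter next to the hits above.
    ("external IP lookup", re.compile(r"\b(ip-addr\.es|myip\.opendns\.com)\b", re.I)),
    # Port 443 is also used but is too noisy to flag by port alone; 9001 is not.
    ("Tor ORPort connection", re.compile(r"->\s*[\d.]+:9001\b")),
]
TEMP_BIN = re.compile(r"^[A-F0-9]{4}\.bin$", re.I)  # Windows names are case-insensitive
GUID = r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
APPDATALOW_KEY = re.compile(
    r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\\{?" + GUID + r"\}?$", re.I)

SAMPLE_LOG = [  # constructed; one line per proxy/DNS/firewall event
    "GET http://guerritor.info/banners/uaps? 200",
    "POST http://new.ibconsultants.net/?oq=abc 200",
    "GET http://tor-host.invalid/tor/t64.dll 200",
    "DNS A myip.opendns.com",
    "DNS A resolver1.opendns.com",
    "CONNECT 10.0.0.5:49210 -> 198.51.100.7:9001",
    "GET http://example.com/index.html 200",
]

def scan_log(lines):
    """Return (rule name, line) for every line matching an indicator, in log order."""
    return [(name, line) for line in lines for name, rx in RULES if rx.search(line)]

def is_tor_client_blob(filename):
    """True for the %Temp% Tor client naming pattern, e.g. F464.bin."""
    return TEMP_BIN.match(filename) is not None

def is_dreambot_config_key(key):
    """True for HKCU\\Software\\AppDataLow\\Software\\Microsoft\\<GUID>."""
    return APPDATALOW_KEY.match(key) is not None

if __name__ == "__main__":
    for name, line in scan_log(SAMPLE_LOG):
        print(f"[{name}] {line}")
```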

I’ve uploaded the malicious artifacts (pre-landing page, RIG exploit landing page and the Flash exploit):

Malicious Artifacts.zip (password is “infected”)

As always I recommend blocking the nasty stuff at your perimeter firewall(s). Until next time!



