IOCs
HTTP Traffic:
- 80.77.82.41 – guerritor.info – Gate (fake ad domain)
- 92.53.119.66 – new.ibconsultants.net – RIG EK
- To see the full URLs for RIG exploit kit landing pages resolving to this IP address please refer to the VirusTotal address below:
- 158.69.176.173 – Dreambot post-infection traffic
DNS Queries:
- ip-addr.es
- resolver1.opendns.com
- 222.222.67.208.in-addr.arpa
- myip.opendns.com
There is also post-infection Tor traffic via TCP ports 9001 and 443.
Traffic:
Hashes:
SHA256: 3d44a6f79e6fe3eb21a7afac7e5b71b0c611bff547838fac0862aafa4bd90c16
File name: guerritor.info banners uaps.txt
SHA256: 98755080b844dc5c09c509a12eeb8955aa26408b3d0b0677ed65b799b92032e0
File name: new.ibconsultants.net RIG EK landing page.txt
SHA256: 81549d2ea47649a750bd4fc6e7be0b971c3fc6711a31af2f77ba437218ff63d1
File name: RIG EK Flash Exploit.swf
SHA256: ca287ec67041c47a2220c828ad0b020523f56450b5671b4443dcf2fc8bb5563a
File name: js1jq4ly.exe
SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll
Infection Chain
The infection chain started off with a decoy site that contained an iframe pointing to the URL guerritor.info/banners/uaps?. Typically a user would be redirected to these decoy sites through malvertising.
The GET request for guerritor.info/banners/uaps? returns a version of RIG's pre-landing page. This pre-landing page contains script that fingerprints the system as well as the URL for the RIG exploit kit landing page. Below is a snippet of the pre-landing page:
If everything checks out the script tells the host to make a POST request for the landing page.
After the Flash exploit runs, the malware payload is dropped and executed in %Temp%:
The executable js1jq4ly.exe is copied over to C:\Users\<User>\AppData\Roaming\catskend as docpDump.exe:
The bot checks in with the CnC server at 158.69.176.173/images/[removed]/.avi. We then see the GET request for the Tor client currently being hosted at 158.69.176.173/tor/t64.dll. The server will return /tor/t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.
When the Tor client is retrieved from 158.69.176.173 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\<random GUID>:
This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was F464.bin (3,088 KB).
According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.
Persistence used at HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
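As an added example that is not part of the original post, the indicators described above can be turned into simple detection logic: the proxy log lines, client IP and GUID below are constructed, while the URL patterns, the AppDataLow registry location and the [A-F0-9]{4}.bin filename follow the behaviour described in this write-up.

```python
import re
from typing import Dict, List

# Constructed sample proxy log (not from the original capture), one request
# per line in the shape: client_ip method host path
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET guerritor.info /banners/uaps?
10.0.0.5 POST new.ibconsultants.net /?abc=123
10.0.0.5 GET 158.69.176.173 /images/Abc123/.avi
10.0.0.5 GET 158.69.176.173 /tor/t64.dll
10.0.0.5 GET www.example.org /index.html
"""

# Patterns taken from the chain in this post: the gate's pre-landing page,
# the Dreambot check-in and the OS-dependent Tor client download.
HTTP_RULES = {
    "gate_prelanding": re.compile(r"^guerritor\.info/banners/uaps\?"),
    "dreambot_checkin": re.compile(r"^158\.69\.176\.173/images/[^/]+/\.avi$"),
    "tor_client_fetch": re.compile(r"^158\.69\.176\.173/tor/t(32|64)\.dll$"),
}

def match_http(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose host+path matches a rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip it rather than crash
        client, method, host, path = parts
        target = host + path
        for name, rx in HTTP_RULES.items():
            if rx.search(target):
                hits.append({"client": client, "rule": name, "url": target})
    return hits

# Registry artefact from the post: a key under
# HKCU\Software\AppDataLow\Software\Microsoft\<GUID> whose value is the path
# of the Tor client dropped in %Temp% as [A-F0-9]{4}.bin
APPDATALOW_KEY = re.compile(
    r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\\{?"
    r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
TOR_BIN_PATH = re.compile(r"\\Temp\\[A-F0-9]{4}\.bin$", re.IGNORECASE)

def is_tor_client_entry(key: str, value: str) -> bool:
    """True when a (key, value) pair looks like the Dreambot Tor client entry."""
    return bool(APPDATALOW_KEY.match(key) and TOR_BIN_PATH.search(value))
```

Feed real proxy exports and a registry dump (key path plus default value) into the two functions to triage a host; the Run key itself is not matched here because its value name and target vary.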
For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
I’ve uploaded the malicious artifacts (pre-landing page, RIG exploit landing page and the Flash exploit):
Malicious Artifacts.zip (password is “infected”)
As always I recommend blocking the nasty stuff at your perimeter firewall(s). Until next time!