HookAds Campaign Leads to RIG EK at and, Drops Dreambot


HTTP Traffic:

  • Decoy site – GET /popunder.php
  • – goverheast.info – GET /banners/uaps?
  • – recenties.info – GET /banners/uaps? (second run)
  • – set.acceleratehealthcaretransformation.com – RIG EK
  • – set.accumen.info – RIG EK (second run)
  • – GET /images/[removed]/.avi
  • – GET /tor/t64.dll
  • – ipinfo.io – GET /ip

HTTP traffic edited

DNS Queries:

  • ipinfo.io
  • resolver1.opendns.com
  • myip.opendns.com
  • wdwefwefwwfewdefewfwefw.onion

DNS traffic

HTTPS Traffic:

HTTPS traffic

Additional Post-Infection Traffic:

  • Tor traffic via TCP port 9001 and 443
  • via TCP port 22
  • via TCP port 444
  • via TCP port 8090
  • via TCP port 9004
  • via TCP port 21
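
The DNS and connection indicators listed above are the kind a defender would turn into a quick triage script. The following is an added example (not code from the original post) that runs over constructed sample telemetry: it flags .onion queries sent to the normal resolver, the public-IP lookup services the bot used, and outbound connections to the non-standard ports listed above (443 is left out because it is too common to flag by itself). The log format and the client/destination addresses are assumptions.

```python
import re

# Constructed sample telemetry (not a capture from the original post): DNS queries and
# outbound TCP connections from two workstations, one event per line as
# "dns <client> <qname>" or "conn <client> <dst-ip> <dst-port>".
SAMPLE_LOG = """\
dns 10.0.0.5 ipinfo.io
dns 10.0.0.5 resolver1.opendns.com
dns 10.0.0.5 myip.opendns.com
dns 10.0.0.5 wdwefwefwwfewdefewfwefw.onion
dns 10.0.0.5 www.example.com
conn 10.0.0.5 203.0.113.10 9001
conn 10.0.0.5 203.0.113.10 443
conn 10.0.0.5 198.51.100.7 444
conn 10.0.0.5 198.51.100.7 8090
conn 10.0.0.5 192.0.2.9 80
dns 10.0.0.6 www.example.com
conn 10.0.0.6 192.0.2.9 443
"""

# Services the infected host queried to learn its public IP (from the post's DNS list).
EXTERNAL_IP_LOOKUPS = {"ipinfo.io", "myip.opendns.com", "resolver1.opendns.com"}
# Destination ports from the post-infection traffic list; 443 is omitted because it is
# too common to flag on its own.
SUSPECT_PORTS = {9001, 22, 444, 8090, 9004, 21}
ONION_RE = re.compile(r"\.onion$", re.IGNORECASE)


def triage(log_text):
    """Return (client, category, detail) tuples for every event worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        kind, client = parts[0], parts[1]
        if kind == "dns":
            qname = parts[2].lower().rstrip(".")
            if ONION_RE.search(qname):
                # A workstation has no reason to resolve .onion names through the
                # corporate resolver; Tor resolves them internally, so this is loud.
                findings.append((client, "onion-dns", qname))
            elif qname in EXTERNAL_IP_LOOKUPS:
                findings.append((client, "external-ip-lookup", qname))
        elif kind == "conn" and len(parts) >= 4:
            dst, port = parts[2], int(parts[3])
            if port in SUSPECT_PORTS:
                findings.append((client, "suspect-port", f"{dst}:{port}"))
    return findings


def hosts_to_review(findings, min_categories=2):
    """Group findings by client; keep hosts that hit at least min_categories categories."""
    by_host = {}
    for client, category, _ in findings:
        by_host.setdefault(client, set()).add(category)
    return {h: sorted(c) for h, c in by_host.items() if len(c) >= min_categories}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(hosts_to_review(triage(SAMPLE_LOG)))
```

Requiring two independent categories before a host is escalated keeps a lone public-IP lookup (which plenty of legitimate software performs) from paging anyone, while the combination seen in this infection still surfaces.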

Here is another sample submitted to VirusTotal on 2017-05-23 that has similar post-infection traffic (look at the Behavioral Information tab):



SHA256: feec9bad0381662e12bcf2c6e5dcb1ba98e852c9d46342f833425a7de20fe884
File name: popunder.php.txt

SHA256: 4d63c81066ee9d7f4d90a9de8f8d2378b7b39e029a5d32b2cdc14fd33acee26d
File name: pre-filter page.txt

SHA256: 15582686f0e76cced06dcece59ab37756b0bfe0e7ee3b4fd60b52a11bd0e6bb6
File name: landing page.txt

SHA256: 8f43aec2986d0705134b6b4af7e745ade1dd48897b95dc7e3844520fa8f9cd18
File name: RIG EK Flash exploit.swf

SHA256: 5f877a85bdf65c2571de02fcbb1439a43624da11274ac2059008a62b8c874843
File name: o32.tmp

SHA256: fcb8b4a36e4327a6f4d228968cdd9838b7a6fc911b438da8feccc437d91ed72b
File name: bclneajk.exe
Hybrid-Analysis Report

SHA256: 74f24a26da3af4ced5d45721ba587d1b42d009c53c93b3d8d80210d952319f77
File name: t64.dll

Infection Chain

This infection chain began with me visiting a decoy site used by the HookAds malvertising campaign. The decoy site also contained a call for /popunder.php:


The PHP file located at the relative path returned the following script:


The function is then called to write an iframe into a new DOM object containing the “PopUnderURL” (goverheast[.]info), statically-defined dimensions for the injected iframe, and the location of the resource at “goverheast[.]info/banners/uaps?”.

goverheast[.]info/banners/uaps? returns RIG’s pre-landing page:

pre-filter page

You can see from the partial image above that the pre-landing page contains the URL for the RIG exploit kit landing page.
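
When triaging a script like the popunder above, the useful output is the set of URLs and hostnames the injected iframe will load, so they can be blocked and pivoted on in proxy logs. The following is an added example, not code from the original post: the script body is a constructed stand-in for what the post describes (the real script is not reproduced here), using the goverheast[.]info URL named above, and the extractor resolves an iframe `src` assigned from a `var` as well as a literal `<iframe src="...">` tag.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the popunder script the post describes (the original script is
# not reproduced here); the URL is the one named in the post.
SAMPLE_SCRIPT = """
var PopUnderURL = "http://goverheast.info/banners/uaps?";
function showPopUnder() {
  var f = document.createElement("iframe");
  f.width = "1";
  f.height = "1";
  f.src = PopUnderURL;
  document.body.appendChild(f);
}
// fallback path that writes a literal tag
document.write('<iframe src="http://goverheast.info/banners/uaps?" width="1" height="1"></iframe>');
"""

# var NAME = "literal"
VAR_RE = re.compile(r'\bvar\s+(\w+)\s*=\s*["\']([^"\']+)["\']')
# <iframe ... src="literal"
IFRAME_TAG_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.IGNORECASE)
# something.src = "literal"   or   something.src = NAME
SRC_ASSIGN_RE = re.compile(r'\.src\s*=\s*(?:["\']([^"\']+)["\']|(\w+))')
# something.width = "1" / something.height = 1
DIM_RE = re.compile(r'\.(width|height)\s*=\s*["\']?(\d+)')


def extract_iframe_targets(script):
    """Return the sorted set of URLs an iframe in this script would load."""
    constants = dict(VAR_RE.findall(script))
    urls = set(IFRAME_TAG_RE.findall(script))
    for literal, name in SRC_ASSIGN_RE.findall(script):
        if literal:
            urls.add(literal)
        elif name in constants:  # resolve ".src = SomeVar" through the var table
            urls.add(constants[name])
    return sorted(urls)


def iframe_dimensions(script):
    """Return the statically assigned iframe width/height, if any."""
    return {axis: int(value) for axis, value in DIM_RE.findall(script)}


def hostnames(urls):
    """Hostnames to feed a blocklist or to pivot on in proxy logs."""
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})


if __name__ == "__main__":
    targets = extract_iframe_targets(SAMPLE_SCRIPT)
    print(targets, hostnames(targets), iframe_dimensions(SAMPLE_SCRIPT))
```

The regexes are deliberately narrow: they catch the two plain patterns seen in this kind of loader and nothing else, so a script that builds its URL by concatenation or obfuscation will simply yield no targets and should be handed to a real JavaScript sandbox instead.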

File System

During this infection the payload was dropped in %Temp% and was then copied to %AppData% in the folder catskend:

The bot checks in with the CnC server at [removed]/.avi. We then see the GET request for the Tor client, currently being hosted at [removed]. The server will return t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.

When the Tor client is retrieved from [removed], we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft:

This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin.

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

Persistence used at HKCU\Software\Microsoft\Windows\CurrentVersion\Run:


I also noticed the creation of extension-less text files in a folder located at C:\Users\[Username]\AppData\Roaming\Microsoft\{random}:

Interesting 1 edited
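
The host artifacts described in this section (the Tor client path stored under HKCU\Software\AppDataLow\Software\Microsoft, the Run-key persistence, and the extension-less files under AppData\Roaming\Microsoft\{random}) can be checked against a registry export and a file listing without touching the live host. The following is an added example, not code from the original post. The registry value names, the user name, the random folder name and the exact placement of bclneajk.exe under the catskend folder are assumptions; the key paths and the [A-F0-9]{4}.bin pattern are the ones given above.

```python
import ntpath
import re

# Registry locations named in the post.
APPDATALOW_KEY = r"HKCU\Software\AppDataLow\Software\Microsoft"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# The Tor client is dropped in %Temp% with a filename matching [A-F0-9]{4}.bin.
TOR_CLIENT_RE = re.compile(r"^[A-F0-9]{4}\.bin$", re.IGNORECASE)

# Constructed registry snapshot as (key, value name, data); the value names are
# placeholders, not the names observed on the infected host.
SAMPLE_REGISTRY = [
    (APPDATALOW_KEY, "Client", r"C:\Users\victim\AppData\Local\Temp\3F2A.bin"),
    (RUN_KEY, "catskend", r"C:\Users\victim\AppData\Roaming\catskend\bclneajk.exe"),
    (RUN_KEY, "OneDrive", r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
# Constructed file listing; the random folder name is made up.
SAMPLE_FILES = [
    r"C:\Users\victim\AppData\Roaming\Microsoft\kq1z8\7a3b",
    r"C:\Users\victim\AppData\Roaming\Microsoft\kq1z8\0c9e",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini",
]


def check_registry(entries):
    """Flag the two registry artifacts: the Tor client path and a Run entry under %AppData%."""
    findings = []
    for key, _name, data in entries:
        lowered = data.lower()
        if key.lower() == APPDATALOW_KEY.lower():
            if TOR_CLIENT_RE.match(ntpath.basename(data)) and "\\temp\\" in lowered:
                findings.append(("tor-client-path", data))
        elif key.lower() == RUN_KEY.lower():
            # Run entries launching from Roaming AppData are worth a look; legitimate
            # software does this too, so treat it as a lead rather than a verdict.
            if "\\appdata\\roaming\\" in lowered:
                findings.append(("run-from-appdata", data))
    return findings


def find_extensionless_files(paths):
    """Extension-less files directly under AppData\\Roaming\\Microsoft\\<random>."""
    hits = []
    for path in paths:
        parent = ntpath.dirname(path)
        grandparent = ntpath.dirname(parent)
        under_microsoft = (
            ntpath.basename(grandparent).lower() == "microsoft"
            and grandparent.lower().endswith("\\appdata\\roaming\\microsoft")
        )
        if under_microsoft and ntpath.splitext(ntpath.basename(path))[1] == "":
            hits.append(path)
    return hits


if __name__ == "__main__":
    print(check_registry(SAMPLE_REGISTRY))
    print(find_extensionless_files(SAMPLE_FILES))
```

Using ntpath rather than os.path keeps the checks correct when the export is analysed on a non-Windows workstation, which is the usual case for this kind of offline review.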

These files contained information being sent to websites. For example, here is the text file that was created when I uploaded o32.tmp to VirusTotal:


Here is another file created when I submitted some fake creds on BoA’s website:

Interesting 2


I’ve uploaded some of the malicious artifacts (popunder.php, the pre-landing page, RIG EK landing page and the Flash exploit):

Malicious Artifacts 053017.zip (password is “infected”)

Additional Resources

For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

As always I recommend blocking the nasty stuff at your perimeter firewall(s). Until next time!
