IOCs
HTTP Traffic:
- Decoy site [hidden] – GET /popunder.php – Redirects to remainland.info
- 80.77.82.41 – remainland.info – GET /banners/uaps – Pre-landing page
- 194.87.93.114 – RIG EK
- 144.168.45.144 – GET /images/[removed]/.avi
- 144.168.45.144 – GET /tor/t32.dll – Tor module
- 35.166.90.180 – ipinfo.io – GET /ip – Checks your public IP address
DNS Queries:
- resolver1.opendns.com
- myip.opendns.com
Traffic:
Hashes:
Files [password is “infected”]:
Malicious Artifacts 060617 – HookAds Leads to RigEK.zip
Infection Chain
This infection chain began with me visiting a decoy site used by the HookAds malvertising campaign. The decoy site contained a call to /popunder.php:
The PHP file at that relative path returned the following script:
The function writes an iframe into a new DOM element; the iframe contains the “PopUnderURL” (remainland.info), statically defined dimensions for the injected iframe, and the location of the resource at remainland[.]info/banners/uaps.
remainland[.]info/banners/uaps returns RIG’s pre-landing page:
In this infection chain the NormalURL value contained the location of another RIG pre-landing page, which is why you see two POST requests in the traffic (the pre-landing page uses a POST request to retrieve the next page). In a normal infection chain the pre-landing page contains the location of the RIG landing page; here, however, it was the second pre-landing page that contained the URL of the landing page.
File System
During this infection the payload was dropped in %Temp% and was copied to %AppData% as dot3Core.exe:
The bot checks in with the CnC server at 144.168.45.144/images/[removed]/.avi. We then see the GET request for the Tor client hosted at 144.168.45.144/tor/t32.dll. The server returns “t64.dll” if the host OS is 64-bit and “t32.dll” if it is 32-bit.
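The requests above form a recognisable sequence in proxy logs. As an added example (not code from the original post), here is a small Python triage that runs the post's HTTP indicators over constructed log lines and rates each client; it matches both t32.dll and t64.dll, since the server picks the module by OS bitness. The log format, the client addresses and the decoy host name decoy.example are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines ("client method host path"); not from the post's pcap.
SAMPLE_LOG = """\
10.0.0.5 GET decoy.example /popunder.php
10.0.0.5 GET remainland.info /banners/uaps
10.0.0.5 GET 144.168.45.144 /tor/t32.dll
10.0.0.5 GET ipinfo.io /ip
10.0.0.7 GET ipinfo.io /ip
10.0.0.9 GET www.example.org /index.html
"""
# Indicators from the post as (label, host regex, path regex); the server hands
# out t32.dll or t64.dll by OS bitness, so both module names are matched.
INDICATORS = [
    ("popunder-redirect", r".*", r"^/popunder\.php$"),
    ("rig-prelanding", r"^remainland\.info$", r"^/banners/uaps$"),
    ("dreambot-tor-module", r"^144\.168\.45\.144$", r"^/tor/t(32|64)\.dll$"),
    ("public-ip-check", r"^ipinfo\.io$", r"^/ip$"),
]

def parse_line(line):
    """Split a log line into its four fields; None if the line is malformed."""
    parts = line.split()
    return dict(zip(("client", "method", "host", "path"), parts)) if len(parts) == 4 else None

def match_indicators(entry):
    """Labels of every indicator this request matches."""
    return [label for label, host_re, path_re in INDICATORS
            if re.match(host_re, entry["host"]) and re.match(path_re, entry["path"])]

def triage(log_text):
    """Per client: 'high' if the post-infection Tor module download was seen, 'medium'
    if only the malvertising/pre-landing stages were seen (the exploit may have failed),
    'low' if only the public-IP check, which benign software also performs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            hits[entry["client"]].extend(match_indicators(entry))
    verdicts = {}
    for client, labels in hits.items():
        if "dreambot-tor-module" in labels:
            verdicts[client] = "high"
        elif "rig-prelanding" in labels or "popunder-redirect" in labels:
            verdicts[client] = "medium"
        elif labels:
            verdicts[client] = "low"
    return verdicts
```

Clients that only touched ipinfo.io are rated low on purpose: that check on its own is not evidence of Dreambot.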
When the Tor client is retrieved from 144.168.45.144 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft:
This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In my infection chain the file was called 5EC9.bin [see image of %Temp%].
According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.
Persistence is set up at HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
I also noticed the creation of extension-less text files in a folder located at C:\Users\[Username]\AppData\Roaming\Microsoft\[random]:
These files contained information being sent to websites that I visited. For example, here is the text file that was created when I was messing about on Bank of America:
For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
As always I recommend blocking the nasty stuff at your perimeter firewall(s). Until next time!