On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there are various references to “RELST” in the code:
In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign that had redirected my host to RIG exploit kit, as well as a social engineering page using the “ArialText” font popup (using Internet Explorer):
It should be noted that while I’ve only witnessed the RELST campaign in relationship with malvertising it could also be coming from malspam (malicious spam) containing links to these domains.
The RELST domain that I used for my infection today was holyxxxmamapumpum.pw [NSFW]. This domain is not using the “ArialText” font social engineering trick but instead is using another one aimed at convincing users that their compromising photos will be leaked online [images and text on the webpage have been edited to make it safe for work]:
Click HERE to view the page source code.
As you can see they’re attempting to social engineer users into believing that they must open the downloaded file, in this case a Word document called “Photo.docm”. The document is downloaded from holyxxxmamapumpum[.]pw/files/Photo.docm.
When users open the Word document, they are tricked into clicking “Enable Editing” and then “Enable Content”:
We then see an obfuscated JavaScript file called feafdcfffdea.js run:
Click HERE to view the script.
The script is used to download the malware payload. In this case the malware was located at sobberinfo[.]com/gate.php?ff1 (77.72.82.120):
We then see the same executable (same file hash) dropped on the Desktop and in C:\ProgramData\Microsoft Silverlight:
It persists itself using an auto-execute entry at a hidden registry location:
Machines that are infected with Chthonic should be making POST requests to letit2.bit/home/ at 91.209.77.11.
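To turn the chain above into something a SOC can check for, here is an added example (my own code, not part of the original post or the malware) that scans proxy log lines for the three stages described: the Photo.docm lure download, the payload fetch from sobberinfo.com / 77.72.82.120, and the Chthonic POST beacon to letit2.bit / 91.209.77.11. The log layout and the sample lines are constructed for the example; the lure host is a placeholder.

```python
import re

# Indicators quoted in the post: the RELST lure document path, the payload host
# sobberinfo.com (77.72.82.120) and the Chthonic C2 letit2.bit (91.209.77.11).
# Each stage pins the HTTP method the post describes (GET for downloads, POST for C2).
STAGES = [
    ("relst_lure",   "GET",  re.compile(r"^https?://[^/]+/files/Photo\.docm$", re.I)),
    ("payload",      "GET",  re.compile(r"^https?://(sobberinfo\.com|77\.72\.82\.120)/gate\.php", re.I)),
    ("chthonic_c2",  "POST", re.compile(r"^https?://(letit2\.bit|91\.209\.77\.11)/home/", re.I)),
]

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT|HEAD)\s+(\S+)\s+(\d{3})$")

def classify(line):
    """Return (client_ip, stage) if the line matches one of the IoCs, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, url, _status = m.groups()
    for stage, want_method, url_re in STAGES:
        if method == want_method and url_re.search(url):
            return client, stage
    return None

def infection_chains(lines):
    """Map each client to the ordered list of distinct stages seen for it."""
    chains = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        client, stage = hit
        seen = chains.setdefault(client, [])
        if stage not in seen:
            seen.append(stage)
    return chains

def fully_compromised(chains):
    """Clients for which all three stages were observed, in lure -> payload -> C2 order."""
    expected = [s[0] for s in STAGES]
    return sorted(c for c, stages in chains.items() if stages == expected)

SAMPLE_LOG = [  # constructed lines, not real traffic
    "2017-06-03T14:01:02Z 10.0.0.5 GET http://relst-lure.example/files/Photo.docm 200",
    "2017-06-03T14:01:40Z 10.0.0.5 GET http://sobberinfo.com/gate.php?ff1 200",
    "2017-06-03T14:02:15Z 10.0.0.5 POST http://letit2.bit/home/ 200",
    "2017-06-03T14:02:20Z 10.0.0.9 GET http://www.example.com/index.html 200",
    "2017-06-03T14:03:01Z 10.0.0.9 GET http://77.72.82.120/gate.php?ff1 404",
]

if __name__ == "__main__":
    chains = infection_chains(SAMPLE_LOG)
    for client, stages in chains.items():
        print(client, "->", " > ".join(stages))
    print("full chain:", fully_compromised(chains))
```

A client that only shows the payload stage (10.0.0.9 in the sample) still deserves a look, since the lure may have arrived by malspam rather than through a logged web request.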
Traffic:
Hashes:
SHA256: e847294d800e2292631bccc5e8b10c3b966850fad379f8a34f2e5429b32f405d
File name: Video Recording.htm.txt
SHA256: dc9dd8e6d201b6a3f6bbb58666679231b4846ac1c715dbb00189b461277b98e8
File name: Photo.docm
Hybrid-Analysis Report
SHA256: 138a35162d0c9034aab5843e29ad24a6c1d599f5ac17aaeb3b601b70a09fe5e9
File name: feafdcfffdea.js
SHA256: 78001ccd0cece59d95fec02b9e65a6892646e09dce100bd994604b7966c218ad
File name: 0267.exe and wMicrosoftSilverlight.exe
Hybrid-Analysis Report
Files and Malware (password is “infected”):
I recommend blocking the RELST social engineering domains and sobberinfo.com (77.72.82.120) at your perimeter firewall(s). Until next time!