Network-based IOCs
34.193.201.92 – arrassley.info – RoughTed domain
80.77.82.41 – heydrid.info – HookAds fake ad server
188.225.78.240 – RIG exploit kit
144.168.45.110 – Dreambot C2
52.2.59.254 – ipinfo.io – External IP lookup
Post-infection DNS queries and additional post-infection traffic:
resolver1.opendns.com
222.222.67.208.in-addr.arpa
myip.opendns.com
wdwefwefwwfewdefewfwefw.onion
Hashes
Download the files [password is “infected”]:
Pre-landing page, landing page, and SWF exploit.zip
Infection Chain
Today, as I was doing my usual malvertising runs, I was redirected to RIG exploit kit via a decoy site often used by the HookAds campaign.
Below is an image of some of the malvertising traffic being filtered in Wireshark:
The website that initiated this malvertising traffic and the decoy site are being hidden.
The HookAds decoy sites are designed to redirect users to a RIG exploit kit landing page. Other campaigns that utilize exploit kits (pseudo-Darkleech and EITest) have either disappeared altogether or they have drastically slowed down. However, the HookAds campaign is still rolling along.
This malvertising chain was quite long so I won’t be including every single redirect. Additionally, trying to piece together a malvertising redirection chain can be confusing and time consuming, even for somebody with experience.
I am also seeing traffic to a RoughTed domain (arrassley.info at 34.193.201.92) right before the host is redirected to the decoy site. However, it doesn’t appear that the RoughTed campaign was responsible for the redirection to the HookAds decoy site.
The referer for the HookAds decoy site was from clicksgear.com:
The GET request for the decoy site, located at www[.]decoysite[.]com/?adsterra_us, was initiated via a 302 redirect from clicksgear.com. The decoy page contains the following script for /popunder.php:
The GET request for popunder.php returns the following script:
The function is then invoked to write an iframe into a new DOM element; the iframe is built from the PopUnderURL, statically defined dimensions for the injected iframe, and the location of the resource at “heydrid[.]info/banners/uaps”.
heydrid[.]info/banners/uaps returns RIG’s pre-landing page:
The NormalURL contains the URL for the RIG pre-landing page.
File System
The payload is dropped in %Temp%:
The payload was then copied to %AppData% as Deviprov.exe:
Processes:
The bot checks in with the CnC server at 144.168.45.110/images/[removed]/.avi. We then see the GET request for the Tor client being hosted at 144.168.45.110/tor/voip4.rar.
When the Tor client is retrieved from 144.168.45.110, we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\{guid}:
This key contains the path to the client (which is dropped in the %Temp% folder) with a filename using the pattern [A-F0-9]{4}.bin. In my infection chain the file was called E5F1.bin.
Persistence:
As I was browsing the web I also noticed the creation of extension-less text files in a folder located at C:\Users\{Username}\AppData\Roaming\Microsoft\{random}:
These files contained information about my web sessions.
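The post-infection traffic above (the OpenDNS external-IP lookup, the .onion name resolved over clear DNS, the check-in to 144.168.45.110 and the Tor client download from /tor/voip4.rar) gives a defender a small set of behavioural signals. The script below is an added example, not part of the original post: it classifies constructed log lines in an assumed simplified "timestamp type source value" format and groups hits per source host.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post. The log format and sample lines are constructed.
DREAMBOT_C2 = "144.168.45.110"
OPENDNS_LOOKUP = {"resolver1.opendns.com", "myip.opendns.com"}
CHECKIN_RE = re.compile(r"^/images/[^/]+/\.avi$", re.I)   # C2 check-in URI shape
TOR_RAR_RE = re.compile(r"^/tor/[^/]+\.rar$", re.I)       # Tor client download

def classify(line):
    """Return a rule name for one 'ts type src value' line, or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, kind, _, value = parts
    if kind == "dns":
        name = value.rstrip(".").lower()
        if name in OPENDNS_LOOKUP:
            return "opendns-external-ip-lookup"
        if name.endswith(".onion"):            # .onion should never hit clear DNS
            return "onion-name-in-clear-dns"
    elif kind == "http":
        url = urlsplit(value)
        if url.hostname == DREAMBOT_C2:
            if CHECKIN_RE.match(url.path):
                return "dreambot-checkin"
            if TOR_RAR_RE.match(url.path):
                return "tor-client-download"
    return None

def scan(lines):
    """Group rule hits by source host, preserving log order: {src: [rule, ...]}."""
    hits = {}
    for line in lines:
        rule = classify(line)
        if rule:
            hits.setdefault(line.split()[2], []).append(rule)
    return hits

SAMPLE_LOG = """\
2017-12-01T10:00:01 dns 10.0.0.5 myip.opendns.com
2017-12-01T10:00:01 dns 10.0.0.5 wdwefwefwwfewdefewfwefw.onion
2017-12-01T10:00:04 http 10.0.0.5 http://144.168.45.110/images/REMOVED/.avi
2017-12-01T10:00:09 http 10.0.0.5 http://144.168.45.110/tor/voip4.rar
2017-12-01T10:01:00 dns 10.0.0.7 www.example.com
2017-12-01T10:01:02 http 10.0.0.7 http://www.example.com/index.html
"""

if __name__ == "__main__":
    for host, rules in scan(SAMPLE_LOG.splitlines()).items():
        print(host, rules)
```

A host that triggers the OpenDNS lookup followed by a .onion query is worth a look even when the C2 address changes, since those two signals come from the bot's behaviour rather than from a specific server.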
For a more detailed dive into Dreambot:
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
As always, I recommend blocking the nasty stuff at your perimeter firewall(s).
Until next time!