Background on RELST campaign:
- https://malwarebreakdown.com/2017/06/05/roughted-malvertising-operation-leads-to-relst-domains-and-rig-ek/
- https://malwarebreakdown.com/2017/06/06/relst-campaign-delivering-pony-downloads-chthonic/
On 06/26/17 @thlnk3r informed me that they had located a RELST domain:
The source code from webshoot.pw (104.18.32.54 and 104.18.33.54) shows “relst” in the iframe id:
The RELST campaign uses different social engineering tactics to convince users to download ZIP files (Photo05.zip) that contain malicious scripts (Photo.js).
Once the user downloads and executes the script, the host makes a GET request for the malware payload hosted on another one of their servers (sobbernews.pw at 104.27.170.248 and 104.27.171.248):
Below is an image of the traffic being filtered in Wireshark:
The payload was dropped in C:\ProgramData\Windows Photo Viewer under the name MWindowsPhotoViewer.exe:
Processes:
Post-infection traffic shows callback traffic via POST requests to letit2.bit at 103.52.216.15:
Registry persistence:
Hashes:
SHA256: 1e3bb634b2b2c16260b1adb6300a85f040765d6ab4f0967564270b02d585feef
File name: Photo05.zip
SHA256: 27f668b227c57f20d9559085bfc2c9a6112708508e985903641505f050a375ce
File name: Photo.js
SHA256: 4737a87631869ecc8f9109ab045da119b20cb88300a63d4259e5ab99a403fbb5
File name: data.bin
SHA256: e54e3197d33108a76af2247b464aaab3fc59f83c2d8a41ed96c32d3ea27cf471
File name: MWindowsPhotoViewer.exe
Hybrid-Analysis Report
Download the files and malware (password is “infected”):
This next campaign is also related to the RIG exploit kit, and it appears to use malvertising followed by decoy websites as its initial infection vector. Hosts are redirected from these compromised or decoy sites to numerous gates hosted at 193.70.73.251.
These gates appear to be under the control of the same threat actor(s) and redirect hosts, via different methods, to RIG exploit kit landing pages. Zerophage documented an example of this campaign on 06/22/17.
Here is an image of the traffic from the gates being filtered in Wireshark:
The first gate, id.azartclubwelcome.compress.to, redirects to scuk.portyankoman.vizvaz.com:
scuk.portyankoman.vizvaz.com then redirects to the RIG exploit kit landing page:
The payload pushed by this campaign is Pushdo. The Pushdo botnet has been around since 2007. Pushdo is a downloader that infects the system and then downloads the Cutwail spam module.
Post-infection traffic shows a ton of POST requests to various hostnames:
The host connects to these domains on port 80 and sends what look like bogus HTTP requests.
The host also attempts to connect to these domains on port 25 (SMTP):
This traffic goes on in what seems like an endless and very noisy loop. Needless to say, a Pushdo / Cutwail infection isn’t difficult to spot if you’re inspecting network traffic.
There are numerous detailed papers on the Pushdo / Cutwail botnet that you can find online. Two good write-ups that I found were from Trend Micro and Avast:
- https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf
- https://blog.avast.com/2013/06/25/15507/
IOCs
Network based IOCs:
- 193.70.73.251 – id.azartclubwelcome.compress.to – GET /?sourceid=7757&sourcename=red
- 193.70.73.251 – scuk.portyankoman.vizvaz.com – Gate
- 188.225.78.135 – RIG EK (run 1)
- 188.225.78.96 – RIG EK (run 2)
- POST requests
  - User-Agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    - MSIE 6.0 = Internet Explorer version 6.0
    - Windows NT 5.1 = Windows XP
    - SV1 = Windows XP Service Pack 2 installed (Security Version 1)
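The post-infection pattern described above (POST beaconing to many hostnames with the IE6 / Windows XP User-Agent, plus repeated port 25 connection attempts) is easy to turn into a detection. The script below is an added example, not code from the original post; it runs over constructed sample log lines in a hypothetical flat proxy/firewall format, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# User-Agent seen in the Pushdo POST requests discussed on this page.
PUSHDO_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed sample log lines (hypothetical format, not a real capture):
#   time src -> dst:port METHOD host=<host> ua="<ua>"   for HTTP
#   time src -> dst:port SYN                             for bare connections
SAMPLE_LOG = """\
2017-06-26T10:00:01 10.0.0.5 -> 203.0.113.10:80 POST host=alpha.example ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2017-06-26T10:00:02 10.0.0.5 -> 203.0.113.11:80 POST host=beta.example ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2017-06-26T10:00:03 10.0.0.5 -> 203.0.113.12:80 POST host=gamma.example ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2017-06-26T10:00:04 10.0.0.5 -> 198.51.100.20:25 SYN
2017-06-26T10:00:05 10.0.0.5 -> 198.51.100.21:25 SYN
2017-06-26T10:00:06 10.0.0.5 -> 198.51.100.22:25 SYN
2017-06-26T10:00:07 10.0.0.9 -> 203.0.113.50:80 GET host=news.example ua="Mozilla/5.0 (Windows NT 10.0) Firefox/54.0"
2017-06-26T10:00:08 10.0.0.9 -> 198.51.100.30:25 SYN
"""

HTTP_RE = re.compile(r'^(\S+) (\S+) -> (\S+):(\d+) (GET|POST) host=(\S+) ua="([^"]*)"$')
CONN_RE = re.compile(r'^(\S+) (\S+) -> (\S+):(\d+) SYN$')


def summarize(log_text):
    """Per source IP: hosts that received Pushdo-UA POSTs and distinct port-25 targets."""
    stats = defaultdict(lambda: {"post_hosts": set(), "smtp_dsts": set()})
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            _, src, _, _, method, host, ua = m.groups()
            if method == "POST" and ua == PUSHDO_UA:
                stats[src]["post_hosts"].add(host)
            continue
        m = CONN_RE.match(line)
        if m and m.group(4) == "25":
            stats[m.group(2)]["smtp_dsts"].add(m.group(3))
    return stats


def flag_pushdo(log_text, min_post_hosts=3, min_smtp_dsts=3):
    """Sources showing both the POST beaconing and the SMTP fan-out (assumed thresholds)."""
    return sorted(
        src for src, s in summarize(log_text).items()
        if len(s["post_hosts"]) >= min_post_hosts and len(s["smtp_dsts"]) >= min_smtp_dsts
    )


if __name__ == "__main__":
    print(flag_pushdo(SAMPLE_LOG))  # ['10.0.0.5']
```

Requiring both signals together keeps a single legitimate mail relay or one old browser from tripping the rule on its own.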
Hashes:
SHA256: 6af5912f43fdd780e3e2df9d21e13baf29eddb7e3793a7561f9cc73fca770aed
File name: RIG EK landing page at 188.225.78.135.txt
SHA256: ef5b8cb49ba72ead4cc5fe96ea8895b3cda3691a05452812fcfd1704a73afbbc
File name: RIG EK Flash exploit from 188.225.78.135.swf
SHA256: 404027a2cbf71578dea26b9477588acc12394643e77b389dcf5f5933ebb7d495
File name: o32.tmp
SHA256: 94a0a09ee6a21526ac34d41eabf4ba603e9a30c26e6a1dc072ff45749dfb1fe1
File name: bma2beo4.exe
Hybrid-Analysis Report
Download the artifacts:
Until next time!