RIG EK at 188.225.76.222 Drops Dreambot

This infection chain would have most likely came from malvertising. Instead of recreating the entire chain I used a compromised site (created on 11/30/2014) that redirects to various RIG EK gates. Below is an image of the traffic being filtered in Wireshark:

Found in page source:

We then see the GET request for dNw3XwZXSc6ysO.js at en.sundayloop.com. The server returns a “301 Moved Permanently” and points to resource scr.php:

scr.php returns the following RIG LPs:

This unknown campaign is now dropping Dreambot banking Trojan, which was followed by a GET request for a Tor module that is used for post-infection C2 traffic. Tor functionality was incorporated into Dreambot since at least July 2016. On June 28th, 2017, this same campaign was pushing Pushdo/Cutwail Botnet.

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

We can see some post-infection DNS queries:

The DNS queries triggered the following ET rule:
ET POLICY OpenDNS IP Lookup

Following the delivery and execution of the malware payload we can see a GET request for the Tor module located at www2[.]cloudchai[.]net/t32.bin. The resource would be called “t64.bin” if the OS was 64 bit.

The Tor traffic triggered the following ET rule:
ET POLICY TLS possible TOR SSL traffic

Post-infection traffic (Download .xlsx):

Host Address	Dst Port	Protocol
128.31.0.39	9101	TCP
193.23.244.244	443	TCP
193.70.73.242	50101	TCP
79.197.187.177	443	TCP
144.76.37.242	8443	TCP
89.163.246.127	9001	TCP
138.201.3.75	443	TCP
208.80.154.39	443	TCP
66.170.11.203	443	TCP
79.194.71.36	9001	TCP
212.83.154.33	8443	TCP
51.175.193.142	443	TCP
138.68.102.40	9001	TCP
5.9.61.207	9001	TCP
46.28.207.141	443	TCP
192.42.115.101	9003	TCP
163.172.143.186	443	TCP
91.121.158.17	110	TCP
144.76.253.229	443	TCP
185.15.244.124	443	TCP
128.199.41.238	9001	TCP
185.21.217.29	1337	TCP
213.114.155.106	9001	TCP
51.255.206.74	443	TCP
212.47.245.76	9001	TCP
5.61.34.63	9001	TCP
81.7.14.31	995	TCP
141.255.166.189	443	TCP
37.59.72.132	443	TCP
5.9.7.130	9001	TCP
104.238.167.111	443	TCP
178.63.94.196	9001	TCP
91.121.23.100	9001	TCP
138.68.78.95	443	TCP
163.172.131.111	9001	TCP
138.201.211.235	9001	TCP
91.105.203.92	443	TCP
18.82.3.136	9001	TCP
62.210.36.46	9001	TCP
109.95.51.107	9001	TCP
84.236.37.15	9001	TCP
89.163.141.115	9001	TCP
91.121.230.216	9001	TCP
51.255.168.229	443	TCP
51.254.35.151	9000	TCP
176.158.236.102	9001	TCP
138.201.132.17	9001	TCP
91.121.230.218	443	TCP
109.236.90.209	443	TCP
78.194.220.54	9001	TCP
139.162.248.13	9001	TCP
81.7.10.203	443	TCP
51.15.38.13	9001	TCP
92.222.115.28	9001	TCP
62.227.127.214	9001	TCP
51.254.121.63	9001	TCP
178.254.7.88	9001	TCP
46.105.84.178	9002	TCP
89.163.225.115	443	TCP
81.7.10.93	31337	TCP
163.172.84.95	443	TCP
94.23.204.175	9001	TCP
51.15.128.190	9001	TCP
130.230.113.229	443	TCP
213.239.217.18	1337	TCP
104.238.188.98	443	TCP
62.138.7.171	9001	TCP
93.186.200.68	9001	TCP
212.89.225.242	443	TCP
37.59.29.31	9001	TCP
222.152.191.50	443	TCP
159.203.42.254	9001	TCP
163.172.82.3	443	TCP
178.62.22.36	443	TCP
137.74.229.191	9001	TCP
51.254.120.82	443	TCP
85.145.173.31	443	TCP
46.38.236.122	9001	TCP
148.251.42.164	9001	TCP
104.223.122.213	443	TCP

Network IOCs

• 193.70.73.251 – en.sundayloop.com – Gate
• 188.225.76.222 – RIG EK
• 31.148.219.104 – www2[.]cloudchai[.]net – GET /t32.bin or /t64.bin – Tor module

Hashes

SHA256: 93c2503c802405faa2e8312b96f38de233cc729b72bb36731550782f8e3e51a6
File name: 188.225.76.222 RIG EK LP.txt

SHA256: 6b046933a8f9140e2ade1037c2160cd0b58d459f158e06817061e1c03b511e9f
File name: 188.225.76.222 Flash exploit.swf

SHA256: be27efa783533b55810bbf40516af0d502180e9c8ceb75af3eaf2a54f9b5dd92
File name: ctkw46kh.exe
Hybrid-Analysis Report

SHA256: 9824892f24b5e256d97fe4803fc7a543162a246baaca1a8bd27db855faa4e244
File name: t32.bin

Downloads

Malicious Atifacts.zip

Until next time!

• Category: Exploit Kit
• Tag: Dreambot, IOCs, Rig Exploit Kit

Published by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware. View all posts by malwarebreakdown