This infection chain would most likely have come from malvertising. Instead of recreating the entire chain, I used a compromised site (created on 11/30/2014) that redirects to various RIG EK gates. Below is an image of the traffic being filtered in Wireshark:
Found in page source:
We then see the GET request for dNw3XwZXSc6ysO.js at en.sundayloop.com. The server returns a “301 Moved Permanently” and points to the resource scr.php:
scr.php returns the following RIG LPs:
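The gate-to-landing-page hop described above (compromised site, .js request, 301 to scr.php, RIG landing page) is the kind of chain an analyst reconstructs from proxy or pcap-derived HTTP records. The following is an added example, not code from the original post: it pivots on the `Location` header for redirects and on the `Referer` header otherwise. The transaction records are constructed; the compromised site, the landing-page path and the Flash path are placeholders, while the gate hostname, script name and RIG EK IP are the ones named in the write-up.

```python
"""Reconstruct an EK redirect chain from HTTP transaction records.

Added example (not from the original post). Records are constructed; the
URLs marked PLACEHOLDER stand in for values the write-up does not give.
"""
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed transaction log, in capture order, for one client.
TRANSACTIONS = [
    {"client": "10.0.0.5", "url": "http://compromised.example/",
     "status": 200, "location": None, "referer": None},
    {"client": "10.0.0.5", "url": "http://en.sundayloop.com/dNw3XwZXSc6ysO.js",
     "status": 301, "location": "/scr.php", "referer": "http://compromised.example/"},
    {"client": "10.0.0.5", "url": "http://en.sundayloop.com/scr.php",
     "status": 200, "location": None, "referer": "http://compromised.example/"},
    # Unrelated request from the same client; must not be pulled into the chain.
    {"client": "10.0.0.5", "url": "http://unrelated.example/favicon.ico",
     "status": 200, "location": None, "referer": "http://unrelated.example/"},
    # The injected script loads the RIG landing page; the browser's Referer is
    # still the compromised page, not scr.php, so Referer pivoting must look
    # at every URL already in the chain rather than only the last one.
    {"client": "10.0.0.5", "url": "http://188.225.76.222/LANDING-PAGE-PLACEHOLDER",
     "status": 200, "location": None, "referer": "http://compromised.example/"},
    {"client": "10.0.0.5", "url": "http://188.225.76.222/FLASH-PLACEHOLDER.swf",
     "status": 200, "location": None,
     "referer": "http://188.225.76.222/LANDING-PAGE-PLACEHOLDER"},
]


def build_chain(transactions, client, seed_url):
    """Follow redirects (Location) and Referer links from seed_url for one client.

    Returns the ordered list of URLs in the chain, starting with seed_url.
    """
    txs = [t for t in transactions if t["client"] == client]
    chain, seen = [seed_url], {seed_url}
    current = seed_url
    while True:
        tx = next((t for t in txs if t["url"] == current), None)
        if tx and tx["status"] in REDIRECT_STATUSES and tx["location"]:
            # Relative Location headers are resolved against the request URL.
            nxt = urljoin(current, tx["location"])
        else:
            # No redirect: take the next request whose Referer is any URL we
            # have already attributed to the chain.
            follow = next((t for t in txs
                           if t["url"] not in seen and t["referer"] in seen), None)
            nxt = follow["url"] if follow else None
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain


if __name__ == "__main__":
    for i, url in enumerate(build_chain(TRANSACTIONS, "10.0.0.5",
                                        "http://compromised.example/")):
        print(f"{i}: {url}")
```

The Referer pivot is deliberately allowed to match any URL already in the chain, because an injected script (here scr.php) causes the browser to request the landing page with the original page as Referer, not the script. A request with no Referer and no preceding redirect is a gap the script will not bridge; that is where the pcap and the page source have to be read by hand, as the post does.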
This unknown campaign is now dropping the Dreambot banking Trojan, which was followed by a GET request for a Tor module that is used for post-infection C2 traffic. Tor functionality has been part of Dreambot since at least July 2016. On June 28th, 2017, this same campaign was pushing the Pushdo/Cutwail botnet.
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
We can see some post-infection DNS queries:
The DNS queries triggered the following ET rule:
ET POLICY OpenDNS IP Lookup
Following the delivery and execution of the malware payload we can see a GET request for the Tor module located at www2[.]cloudchai[.]net/t32.bin. The resource would be called “t64.bin” if the OS were 64-bit.
The Tor traffic triggered the following ET rule:
ET POLICY TLS possible TOR SSL traffic
Post-infection traffic (originally provided as an .xlsx download):
Host Address | Dst Port | Protocol |
--- | --- | --- |
128.31.0.39 | 9101 | TCP |
193.23.244.244 | 443 | TCP |
193.70.73.242 | 50101 | TCP |
79.197.187.177 | 443 | TCP |
144.76.37.242 | 8443 | TCP |
89.163.246.127 | 9001 | TCP |
138.201.3.75 | 443 | TCP |
208.80.154.39 | 443 | TCP |
66.170.11.203 | 443 | TCP |
79.194.71.36 | 9001 | TCP |
212.83.154.33 | 8443 | TCP |
51.175.193.142 | 443 | TCP |
138.68.102.40 | 9001 | TCP |
5.9.61.207 | 9001 | TCP |
46.28.207.141 | 443 | TCP |
192.42.115.101 | 9003 | TCP |
163.172.143.186 | 443 | TCP |
91.121.158.17 | 110 | TCP |
144.76.253.229 | 443 | TCP |
185.15.244.124 | 443 | TCP |
128.199.41.238 | 9001 | TCP |
185.21.217.29 | 1337 | TCP |
213.114.155.106 | 9001 | TCP |
51.255.206.74 | 443 | TCP |
212.47.245.76 | 9001 | TCP |
5.61.34.63 | 9001 | TCP |
81.7.14.31 | 995 | TCP |
141.255.166.189 | 443 | TCP |
37.59.72.132 | 443 | TCP |
5.9.7.130 | 9001 | TCP |
104.238.167.111 | 443 | TCP |
178.63.94.196 | 9001 | TCP |
91.121.23.100 | 9001 | TCP |
138.68.78.95 | 443 | TCP |
163.172.131.111 | 9001 | TCP |
138.201.211.235 | 9001 | TCP |
91.105.203.92 | 443 | TCP |
18.82.3.136 | 9001 | TCP |
62.210.36.46 | 9001 | TCP |
109.95.51.107 | 9001 | TCP |
84.236.37.15 | 9001 | TCP |
89.163.141.115 | 9001 | TCP |
91.121.230.216 | 9001 | TCP |
51.255.168.229 | 443 | TCP |
51.254.35.151 | 9000 | TCP |
176.158.236.102 | 9001 | TCP |
138.201.132.17 | 9001 | TCP |
91.121.230.218 | 443 | TCP |
109.236.90.209 | 443 | TCP |
78.194.220.54 | 9001 | TCP |
139.162.248.13 | 9001 | TCP |
81.7.10.203 | 443 | TCP |
51.15.38.13 | 9001 | TCP |
92.222.115.28 | 9001 | TCP |
62.227.127.214 | 9001 | TCP |
51.254.121.63 | 9001 | TCP |
178.254.7.88 | 9001 | TCP |
46.105.84.178 | 9002 | TCP |
89.163.225.115 | 443 | TCP |
81.7.10.93 | 31337 | TCP |
163.172.84.95 | 443 | TCP |
94.23.204.175 | 9001 | TCP |
51.15.128.190 | 9001 | TCP |
130.230.113.229 | 443 | TCP |
213.239.217.18 | 1337 | TCP |
104.238.188.98 | 443 | TCP |
62.138.7.171 | 9001 | TCP |
93.186.200.68 | 9001 | TCP |
212.89.225.242 | 443 | TCP |
37.59.29.31 | 9001 | TCP |
222.152.191.50 | 443 | TCP |
159.203.42.254 | 9001 | TCP |
163.172.82.3 | 443 | TCP |
178.62.22.36 | 443 | TCP |
137.74.229.191 | 9001 | TCP |
51.254.120.82 | 443 | TCP |
85.145.173.31 | 443 | TCP |
46.38.236.122 | 9001 | TCP |
148.251.42.164 | 9001 | TCP |
104.223.122.213 | 443 | TCP |
Network IOCs
- 193.70.73.251 – en.sundayloop.com – Gate
- 188.225.76.222 – RIG EK
- 31.148.219.104 – www2[.]cloudchai[.]net – GET /t32.bin or /t64.bin – Tor module
Hashes
SHA256: 93c2503c802405faa2e8312b96f38de233cc729b72bb36731550782f8e3e51a6
File name: 188.225.76.222 RIG EK LP.txt
SHA256: 6b046933a8f9140e2ade1037c2160cd0b58d459f158e06817061e1c03b511e9f
File name: 188.225.76.222 Flash exploit.swf
SHA256: be27efa783533b55810bbf40516af0d502180e9c8ceb75af3eaf2a54f9b5dd92
File name: ctkw46kh.exe
Hybrid-Analysis Report
SHA256: 9824892f24b5e256d97fe4803fc7a543162a246baaca1a8bd27db855faa4e244
File name: t32.bin
Until next time!