On 9/22/17, @thlnk3r had tweeted out images of an infection chain involving some malvertising and RIG exploit kit. Below is an image of the Tweet:
One of the images seems to show a referer from PopCash.net, which is a popunder advertising network:
The URI used by the popcash.net referer contains a base64/URL encoded string that decodes to /hxxp://mp3club[.]xyz/?q=mary-jane-girls-all-night-long?cb=6092719085137035.
The popunder from PopCash.net appears to have redirected the user to itransportandlogistics[.]com, which contained the malicious iframe:
The iframe redirected to the RIG EK landing page, which dropped the malicious payload in %TEMP%:
Executing the malicious payload shows the process bilonebilo43.exe creating a hidden copy of itself at C:Users[Username]AppDataRoamingremcosremcos.exe:
bilonebilo43.exe then sets the AutoStart registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunremcos:
Followed by bilonebilo43.exe setting the AutoStart registry key in HKLMSoftwareMicrosoftWindowsCurrentVersionRunremcos:
I also found this entry in the registry (HKCUSoftwareRemcos-BGXZ2U):
bilonebilo43.exe then created the file C:Users[Username]AppDataLocalTempinstall.vbs:
bilonebilo43.exe then creates process WScript.exe and executes the .vbs:
Following the execution of remcos.exe there was attempted callback traffic to 220.127.116.11 via TCP port 1122, however the server responded with a [RST, ACK]:
The payload was identified as Remcos RAT by my friend @Antelox.
Fortinet has a good write-up on this RAT, which you can read at the following URL: https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2.
Network Based IOCs
- 18.104.22.168 – itransportandlogistics[.]com
- 22.214.171.124 – IP literal hostname used by RIG EK
- 126.96.36.199 – Callback attempts via TCP port 1122
File name: Landing page.txt
File name: Flash exploit.swf
File name: o32.tmp
File name: bilonebilo43.exe
File name: install.vbs
The password is “infected”.
Until next time!