Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.

A couple days ago I came across an unusual looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us:

malicious site

Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that this site received 500K visitors over the last 30 days. When I was researching the site, I was redirected via malicious ad traffic to tech support scams. This leads me to believe the initial referer was from malvertising. The malvert likely redirected the host to pay-scale[.]us via a 3XX status code.

Examining the page source for pay-scale[.]us shows the website was mirrored from usmotors[.]com using HTTrack Website Copier:

page source

Looking a little farther down the page we can see how the user got redirected to RIG EK from pay-scale[.]us:

page source iframe

The domain in the hidden iframe, medical-help[.]top, resolves to

Looking at the Whois information shows these domains were registered using the name “Terry Kornfeld” and email address Searching for all domains registered using that name and/or email address returned the following:

Domain Registered
i-yourdoctor[.]top 10/8/2017
highqualitywebhelp[.]top 10/8/2017
filmsdays[.]top 10/4/2017
photosetty[.]us 10/2/2017
pay-scale[.]us 10/1/2017
madicalcareme[.]top 9/19/2017
mymedicalcare[.]us 9/17/2017
photo24[.]top 9/9/2017
medical-help[.]top 9/9/2017
These sites should be considered malicious. Additionally, some of them are being used for C2 activities. More on that later.

Below is the GET request that was generated due to the hidden iframe on pay-scale[.]us:

GET for F4tZ8S edited

The server returns a 302 Found with a location containing the RIG EK landing page URL.

Further examination of the infrastructure being used in this campaign show that the threat actor(s) are utilizing Keitaro TDS:

Below is an image of the HTTP traffic captured during this infection chain:

HTTP traffic edited

RIG EK dropped two identical Quant Loader payloads in %TEMP%:


When Quant Loader was executed it copied itself to %APPDATA%[uid]svchost.exe:

AppData copy edited

[uid] is the eight-digit unique ID generated for the infected host. Forcepoint shows how the unique ID is generated:

  1. Obtain the Windows GUID value from HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCryptography
  2. Extract only the number values, no letters or dashes
  3. Copy 8 of the numbers, beginning with the 5th number

The malware then re-launches itself under “svchost.exe” and creates file “C:Users[Username]AppDataLocalTempper”. The following processes and actions were recorded:

  1. svchost.exe creates process regini.exe
  2. regini.exe reads data from file %TEMP%per
  3. svchost.exe deletes file %TEMP%per
  4. svchost.exe sets AutoStart registry key “HKCUSoftwareMicrosoftWindowsCurrentVersionRunQt”

HKCU Run edited

Quant Loader also modifies Windows Firewall to allow outbound communications using the command:

netsh.exe advfirewall firewall add rule "name=Quant" "program=c:usersappdata[uid]svchost.exe" dir=Out action=allow

Quant Loader modifies outbound Windows Firewall rules edited

I found post-infection traffic to the C2 at filmsdays[.]top/q/, which was registered by “Terry Kornfeld” using the email address

index filmsdays dot top

c2 traffic returns address of follow up malware edited

  • id = the unique ID of the infected host
  • c = the current index of the server being used
  • mk = string likely used as an affiliate of campaign ID
  • il = Haven’t confirmed
  • vr = Haven’t confirmed but could be version number
  • bt = Haven’t confirmed but could be x86 or x64

Below is an example of the Quant Loader C2 TCP connections captured during my infection:

Remote Address:
Remote Host Name:
Remote Port: 80
Process Name: svchost.exe
Process Path: C:UsersWin7 32bitappdataroaming[uid]svchost.exe
Remote IP Country: Bulgaria

Remote Address:
Remote Host Name:
Remote Port: 80
Process Name: svchost.exe
Process Path: C:UsersWin7 32bitappdataroaming[uid]svchost.exe
Remote IP Country: Bulgaria

In my infection the first server (c=1) responded with the location of follow-up malware located at motorsus[.]us/fb.exe.

Motorsus[.]us appears to be under control of the same threat actor(s). The name and email used to register this domain is “Lee M Clark” and Below is a list of current domains using that registrant information.

Domain Registered 10/1/2017 10/1/2017

This payload is dropped in %TEMP% and executed.


The malware being downloaded by Quant Loader was identified as FormBook by my friend @Antelox.

FormBook, once executed, copied itself (it was hidden) to %USERPROFILE%:


The malware was renamed to mfcgn2pl.exe.

According to FireEye, it can also use the following prefixes for its name:

  • ms
  • mfc
  • win
  • gdi
  • vga
  • igfx
  • user
  • help
  • config
  • update
  • regsvc
  • chkdsk
  • systray
  • audiodg
  • certmgr
  • autochk
  • taskhost
  • colorcpl
  • services
  • IconCache
  • ThumbCache
  • Cookies

It can also use the following file extensions:

  • .exe
  • .com
  • .scr
  • .pif
  • .cmd
  • .bat

If it is running with normal privileges it is copied to one the following directories:

  • %TEMP%

Here is another image showing another copy called Cookiescz7x.cmd being created in %APPDATA%:

Cookiescz7x.cmd AppData edited

If it is running with elevated privileges it copies itself to one of the following directories:

  • %ProgramFiles%
  • %CommonProgramFiles%

In my infection I found it configuring persistence to HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun:


However, depending on its privileges, it can also use the following locations for persistence:

  • HKCUSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun
  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun
  • HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun

FormBook was beaconing to basefilm[.]top/tesla/shell123/config.php.

Basefilm[.]top is registered to “Shirhall Shirhall” and is using the registrant email address

I captured the following GET requests:

FormBook C2 GET edited

The parameter “id” shown in the URL contains encoded information about the system.

The malware also uses HTTP POST requests to send data back to basefilm[.]top/tesla/shell123/config.php:


According to FireEye, these messages to the C2 are RC4 encrypted and Base64 encoded.

FireEye also mentions that FormBook will use “function hooks to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions.”

For keystrokes captured during a browsing session with Internet Explorer it created the following file:

  • %APPDATA%JQ18T541JQ1log.ini

AppData 3

You can see my HTTP sessions and keystrokes being captured in the .ini file:

FormBook Keystrokes

Quick note. My friend @Antelox examined the FormBook sample and discovered that it downloaded ZeuS Panda with web injects for PayPal, eBay, Amazon, and BoQ (Bank of Queensland). The ZeuS sample can be viewed below:

Network Based IOCs
  • – pay-scale[.]us – Malicious dummy site
  • – medical-help[.]top – Redirected to RIG EK
  • – IP literal hostname used by RIG EK
  • – filmsdays[.]top – GET /q/index.php – Quant Loader C2
  • – motorsus[.]us – GET /fb.exe – GET for FormBook
  • – basefilm[.]top – GET and POST /tesla/shell123/config.php – FormBook beacon and C2

DNS queries for

DNS request


SHA256: c10c659498c3bd5ed8454c0041739db7d324ddd09126c16ea229ab30e9232de4
File name: RigEK landing page.txt

SHA256: b5dc599319b6f0968db9318e3d5dbbd6939c4d7b879e45269210a5878b7551a4
File name: RigEK Flash exploit.swf

SHA256: 22aba6be7e754e7163e8adb72f7235ad97ff411a29c98444ddacc24bd04cdc34
File name: o32.tmp

SHA256: 8e94bd154dbea3d020cce1e216f4a327d0ddf65737847ffed34113bf3fdb22dd
File name: bilonebilo417.exe
Hybrid-Analysis Report

SHA256: 2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82
File name: fb.exe
Hybrid-Analysis Report

SHA256: 0fa6898d426a6176ff7673d2d5336879d418f5be2714605eb32985626f508357
File name: 05110.exe
Hybrid-Analysis Report

SHA256: 72a4b137b02b0ef45f5013b88228132081cff1ecfeccecae5e70069bf38c5ba0
File name: 15838.exe
Hybrid-Analysis Report


Malicious Artifacts

Password is “infected”



Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: