EITest Gate at 31.184.193.179 Leads to Rig EK at 185.117.73.220 and Drops What Appears to be Betabot

IOCs:

  • 198.15.70.67 – azarsenalsc[.]org – Compromised Site
  • 31.184.193.179 – aliancaadm.top – EITest Gate
  • 185.117.73.220 – zio11q.oa3ri8.top – Rig EK
  • 103.243.38.25 – b.uandmearertyasport1.com – POST /direct/mail9/order.php – Betabot
  • 103.234.37.4 – GET /rd927.exe – Post infection download
  • 66.55.153.57 – and30.blabladomdom.com – POST /bla30/gate.php
  • 104.223.89.174 – and30.blabladomdom.com – POST /bla30/gate.php
  • 107.155.99.135 – and30.blabladomdom.com – POST /bla30/gate.php

Reference for Betabot traffic identification came from http://cybercrime-tracker.net/index.php?s=0&m=40&search=Betabot

DNS queries for various NTP servers were found in the post-infection traffic:

  • europe.pool.ntp.org
  • north-america.pool.ntp.org
  • south-america.pool.ntp.org
  • asia.pool.ntp.org
  • oceania.pool.ntp.org
  • africa.pool.ntp.org
  • pool.ntp.org

Traffic:

[Screenshot: traffic]

Hashes:

  1. SHA256: 3721ad6922a035c127b35365ac5476b0772a5172c8716b6fee2851284927caeb
    File name: EITest SWF.swf
  2. SHA256: d3afe7520b438ba6387f95c0b49a6715b3ee758903a52ccf30d52dc6abe0f62b
    File name: EITest Gate.html
  3. SHA256: bb4261ad5f277ce5f68f8cfa13f51659b0a41b866f978113e0e5e7179b91ffe8
    File name: RigEK Landing Page.html
  4. SHA256: 945ea5134ffbdf24d4fa8e141e85fbfec82aa04185201f6bc6228517b8dd8d64
    File name: RigEK Flash Exploit.swf
  5. SHA256: d2b95008174c4495ed9be4d7a0d9ea6b5c328685b443b072117162b9cd28f6ff
    File names: i993ksye3.exe, o1y973591c37yq.exe, rd927.exe
  6. SHA256: 4cdbbb3962fd124bbe82a42c97edde069e551159a634827830efed01c1448357
    File name: 575y93oe5wa_1.exe

Infection Chain:

The infection chain is as follows:

  1. Compromised website injected with EITest Script
  2. EITest Flash redirect
  3. EITest Gate
  4. Rig EK landing page
  5. Rig EK Flash exploit
  6. Rig EK drops payload

Below is a screenshot of the compromised site’s source code containing the injected EITest script:

[Screenshot: eitest-script-on-compromised-site]

The script is obfuscated: the injected HTML is stored as percent-encoded (%XX) hex with every percent sign replaced by a hyphen. At run time a call to replace() swaps the hyphens back to percent signs, decodeURIComponent() turns the %XX sequences back into characters, and document.write() injects the result into the page. The hyphen substitution on top of the hex encoding was likely added to the EITest script to evade signature-based detection.

The purpose of the EITest script is to instruct the browser to download the EITest Flash file. Here is the GET request for that Flash file:

[Screenshot: eitest-flash-file]

After the EITest Flash file is loaded, the host is redirected to the EITest gate:

[Screenshot: eitest-gate]

If you look at the <script> tag you will notice an href containing the URL for the Rig Exploit Kit landing page. As you might expect, the host then makes a GET request for the Rig Exploit Kit landing page (shown below):

[Screenshot: rigek-landing-page]

The file returned to the host is obfuscated and encoded. As always, once on the landing page the host is fed instructions to request an exploit. No surprise here: it was a Flash exploit:

[Screenshot: rigek-flash-exploit]

After the Flash exploit is sent to the host we see the request for the payload:

[Screenshot: rigek-payload]

The response from the server shows the Content-Type to be application/x-msdownload and the Content-Length to be 373248 bytes, which equates to 364.5 KB. We then see an executable created in the user's %TEMP% folder called "575y93oe5wa_1.exe", also 364.5 KB in size, so the file on disk matches the HTTP response. I am not sure yet what this payload is, but the POST requests to gate.php make me think it could be Hancitor downloader callback traffic.

There were also three registry values named "CreativeAudio" created, each with the data "C:\ProgramData\CreativeAudio\575y93oe5wa.exe" (note the path points at 575y93oe5wa.exe under C:\ProgramData, not at the 575y93oe5wa_1.exe dropped in %TEMP%). The values were created under the following Run and RunOnce keys, shown below:

  1. Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  2. Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

[Screenshot: regedit-run-runonce]

Following the payload delivered by the Rig Exploit Kit server, there were two GET requests for an executable named "rd927.exe", 141312 bytes (138 KB) in size. Below is one of those GET requests, with the response beginning with the "MZ" header and the "This program cannot be run in DOS mode" stub that identify a Windows executable:

[Screenshot: rd927]

These two files were dropped in the user's %TEMP% folder and promptly self-deleted. The names of the files can be seen below:

[Screenshot: temp]

Once the computer is restarted the payload is removed from %TEMP%. The two RunOnce entries remain the same; however, the Run entry under HKEY_CURRENT_USER pointing to C:\ProgramData\CreativeAudio\575y93oe5wa.exe is now gone.

As always, I recommend blocking all the IPs listed in the IOCs section at the very top of this post.

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
