- 18.104.22.168 – good.chronic.news – RIG-v EK
- 22.214.171.124 – hpservice.zapto.org – Post-infection traffic via TCP port 5044
- DNS query for hpservice.zapto.org, response from authoritative NS:
File name: Flash Exploit RIG-v.swf
File name: ETTYUADAF
File name: rad94DC8.tmp.exe, drivupdater.exe
I have reason to believe the infection chain began with a redirect from clicking on an advert. The redirect leads to a domain selling a skincare product. For lack of a better term I am calling it an advertisement page. It looks like a normal webpage only it isn’t being indexed so you won’t find it via Google search. The advertisement page contained an iframe pointing to a server running BossTDS. Below is an image of the iframe:
The iframe points to a location accessed via port 18001. BossTDS runs on this port by default, however, it can be configured to run on port 80 as well. The response from the server is a 200 OK. The response header contains the word “Cowboy.” BossTDS is bundled with Erlang and “Cowboy” is a small, fast and modern HTTP server for Erlang/OTP.
The server’s response is determined by the IP geolocation. For example, certain geolocations will cause the server to return a 302 Found while others will return 200 OK. In this example we see the server return a 200 OK with a window.location.href redirect.
The response from the next GET request is 302 Found with the new redirect location being a RIG-v Exploit Kit “pre-landing” page, which we’ve become accustomed to seeing since December 4th, 2016.
The next steps follow the typical RIG-v EK infection chain. For example, if the User-Agent is IE then the host is passed to the landing page where it will likely be sent a Flash exploit followed by the payload.
We see ETTYUADAF (JS.Downloader) dropped in %Temp% followed by the payload, rad94DC8.tmp.exe:
The executable is also located in \AppData\Roaming\ and C:\, both in the folder “Driver.”
It also creates persistence (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run):
Post-infection traffic is found in the DNS traffic as we see continuous queries for hpservice.zapto.org, which resolves to 126.96.36.199. There is also communication to 188.8.131.52 via TCP port 5044.
Also, there is the input sample signed with a certificate issued by “EMAILADDRESSemail@example.com, CN=logar.net, OU=LOG Department, O=Logar Inc, L=New York City, ST=New York, C=US“. Doing a quick Google search for “firstname.lastname@example.org” returns similar malware samples that have been uploaded today (01/08/17):
Post-infection traffic from those samples includes the following DNS queries and TCP communications:
- Connections to 184.108.40.206 via TCP port 888 and DNS queries for nanowhore.jumpingcrab.com
- Connections to 220.127.116.11 via TCP port 1555 and DNS queries for epiubenvm.hopto.org
The post-infection looks similar to njRAT or the H-worm variant. Notice the use of subdomains from abused dynamic DNS domains. Here is a good article from OpenDNS discussing the use of abused dynamic DNS domains https://blog.opendns.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/.
I recommend blocking the RIG-v EK IP at your perimeter firewall(s).