IOCs:
- 92.53.120.207 – good.chronic.news – RIG-v EK
- 79.134.225.49 – hpservice.zapto.org – Post-infection traffic via TCP port 5044
- DNS query for hpservice.zapto.org, response from authoritative NS:
- nf1.no-ip.com
- nf2.no-ip.com
- nf3.no-ip.com
- nf4.no-ip.com
Traffic:
Hashes:
SHA256: 7334e5f058f0ae9a0bbe073da49bb155255855705907ea84fa40098994ba3c27
File name: Flash Exploit RIG-v.swf
SHA256: 51ce2615b3b0784f55d03d1ba3f77d13aaca40931c72df750b0e298edaf6e3c4
File name: ETTYUADAF
SHA256: 01028a0702188f86b8c743cb3af891073df63310e4f3013ae7aeba0aee01e40e
File name: rad94DC8.tmp.exe, drivupdater.exe
Hybrid-Analysis Submission
Infection Chain:
I have reason to believe the infection chain began with a redirect from clicking on an advert. The redirect leads to a domain selling a skincare product. For lack of a better term I am calling it an advertisement page. It looks like a normal webpage only it isn’t being indexed so you won’t find it via Google search. The advertisement page contained an iframe pointing to a server running BossTDS. Below is an image of the iframe:
The iframe points to a location accessed via port 18001. BossTDS runs on this port by default, however, it can be configured to run on port 80 as well. The response from the server is a 200 OK. The response header contains the word “Cowboy.” BossTDS is bundled with Erlang and “Cowboy” is a small, fast and modern HTTP server for Erlang/OTP.
The server’s response is determined by the IP geolocation. For example, certain geolocations will cause the server to return a 302 Found while others will return 200 OK. In this example we see the server return a 200 OK with a window.location.href redirect.
The response from the next GET request is 302 Found with the new redirect location being a RIG-v Exploit Kit “pre-landing” page, which we’ve become accustomed to seeing since December 4th, 2016.
The next steps follow the typical RIG-v EK infection chain. For example, if the User-Agent is IE then the host is passed to the landing page where it will likely be sent a Flash exploit followed by the payload.
We see ETTYUADAF (JS.Downloader) dropped in %Temp% followed by the payload, rad94DC8.tmp.exe:
The executable is also located in AppDataRoaming and C:, both in the folder “Driver.”
It also creates persistence (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun):
Post-infection traffic is found in the DNS traffic as we see continuous queries for hpservice.zapto.org, which resolves to 79.134.225.49. There is also communication to 79.134.225.49 via TCP port 5044.
Also, there is the input sample signed with a certificate issued by “EMAILADDRESS=simonl@logar.net, CN=logar.net, OU=LOG Department, O=Logar Inc, L=New York City, ST=New York, C=US“. Doing a quick Google search for “simonl@logar.net” returns similar malware samples that have been uploaded today (01/08/17):
Post-infection traffic from those samples includes the following DNS queries and TCP communications:
- Connections to 72.66.105.242 via TCP port 888 and DNS queries for nanowhore.jumpingcrab.com
- Connections to 86.192.129.178 via TCP port 1555 and DNS queries for epiubenvm.hopto.org
The post-infection looks similar to njRAT or the H-worm variant. Notice the use of subdomains from abused dynamic DNS domains. Here is a good article from OpenDNS discussing the use of abused dynamic DNS domains https://blog.opendns.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/.
I recommend blocking the RIG-v EK IP at your perimeter firewall(s).
Malware breakdown 
[…] 2017-01-09 – unspecified campaign Rig EK sends NanoCore RAT and other malware […]
LikeLike