Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs:

  • 88.99.41.189 – qj.fse.mobi – Sundown EK
  • 86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant
  • 93.190.143.82 – mhn.jku.mobi – Sundown EK
  • 93.190.143.82 – nso.fzo.mobi – Sundown EK
  • 93.158.215.169 – domainfilsdomainc.study – RIG-v EK

Sundown EK Traffic Run 1 (Traffic exported from SIEM):

sundown-ek-traffic-run-1

FlashPlayer.exe Run 2:

traffic-edited

Sundown EK Traffic Run 3:

sundown-ek-traffic

RIG-v EK Traffic Run 4:

sundown-ek-traffic-run-3


Run 1 (01/17/17):

This infection began when the user went to thiscouldbeyourgreenhome.com. The website doesn’t have any injected code from campaigns like EITest or pseudo-Darkleech but it is infested with malicious ads that when clicked led to PUAs and malware. This, at least to me,  makes me believe that this infection chain started from a malicious advert.

According to available packet data the user was redirected to the Sundown EK by [redacted]tds.com. I don’t have access to all the packets so I’m not sure on how [redacted].biz was involved in this particular infection chain.

What do I know? Well, the domain ending in the [redacted].biz TLD is a verifiable Keitaro TDS server. I know this because I located the admin page and checked the source code:

The other domain, [redacted]tds.com, might be another TDS, however, at this point, I don’t have proof. What I do know is that there are hundreds of directories found on that domain and they were all leading to Exploit Kits and direct malware downloads. Here is just a partial image of what I was able to collect before the scan encountered connection errors:

directories-found

The infection chain ended with the user being redirected the Sundown EK at qj.fse.mobi (resolves to 88.99.41.189).


Run 2 (01/20/17):

After seeing this I decided I would try and recreate the traffic in my lab, however, it is very difficult to recreate a malvertising infection. For this reason I connected directly to both [redacted]tds.com and  [redacted].biz (Keitaro TDS server).

Going directly to the [redacted]tds.com redirected the host to the [redacted].biz/1:

tds-com-redirected-to-biz-1-edited
Partial image showing iframe

The page contains an iframe pointing to “/1” on the Keitaro TDS server.

This generated a GET request for the directory /1:

tds-com-redirected-to-biz-edited

The TDS server returns a “302 Moved Temporarily” and gives a new location of:

badboys.net.in GET /land_flash/index.html

The page /index.html, which appears to be mirrored from update-flash-player.com, contains the following script: setTimeout(“location.href = ‘download/FlashPlayer.exe’;”, 1000);”. You can this in the image below:

index-html-redirects-to-executable-edited

This redirects the user to the relative path /land_flash/download/FlashPlayer.exe. Below is the GET request and response from the server:

malware-payload
Returns malware payload

The user is presented with the following download warning on the bottom of the browser window:

flashplayer-exe-edited

Clicking Run gives the user another warning:

additional-warning

If the user clicks run again the payload is dropped in their %Temp% folder:

flashplayer-exe-malware

Scanning the file returned the following hash:

SHA256: 31d8a6fe4c875f8f5de2ec43e27cf68eecacf23c4ff3ada234e9456d6e3e4f63

The Hybrid-Analysis report shows the malware making POST requests to 46.119.217.132:80, which triggered ET alerts for “ET TROJAN Ursnif Variant CnC Beacon 4.”


Run 3 (01/22/17):

Run 3 was different than the first two as this time it went straight from [redacted]tds.com to a Sundown EK landing page, skipping [redacted].biz (Keitaro TDS server).

Taking one of the directories that I found on [redacted]tds.com, /adminstrator/, returned a page mirroring another compromised website. At the very bottom of the source code there is an iframe containing a URL for a Sundown EK landing page:

site-source-code

This of course redirects the host to the landing page were we see the usual requests for Flash exploits and PNG exploit:

sundown-ek-landing-pagefirst-flash-exploitsecond-flash-exploitthird-flash-exploitpng-exploit

Here is the malware payload that was dropped in %Temp%:

radb7cbc-tmp-exe-in-temp

Running the file through VirusTotal gave me this hash:

SHA256: 3b482fbb430d9b6e575eb166af630e8624d7731f671f1f42c483ed240291bf90

The Hybrid-Analysis report is identical to the post-infection traffic found in Run 2, which showed the malware making POST requests to 46.119.217.132:80 and triggering ET alerts for “ET TROJAN Ursnif Variant CnC Beacon 4.”

Checking back an hour later shows that somebody might have forgot to renew their subscription:

malicious-iframe-missing-now-edited


Run 4 (01/22/17):

During this run I decided to see if I could skip [redacted]tds.com and instead make a direct request for a directory located on the Keitaro TDS server, hosted at [redacted].biz. I used the location “/1” since I knew it had worked before. Here is the result of that request and response from the TDS server:

run-4-keitaro-tds-redirects-to-rigv-ek-edited

So we can see that the TDS server returned a “302 Moved Temporarily” with a new location pointing to a RIG-v EK “pre-landing” page. The RIG-v pre-landing page is used to determine if the host is using IE. If the host passes the User-Agent checks it is redirected to the landing page in the form of a POST request.

Following the host being redirected to the landing page we see a GET request for a Flash exploit and the request for what should have been a payload:

run-4-flash-exploitwoops

Obviously that isn’t a malware payload. Oh well. ¯\_(ツ)_/¯

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: