Iframe Redirects Host to RIG-v EK at 92.53.97.168. TOR Client and Ursnif Variant Dreambot.

IOCs:

  • 88.214.225.168 – amateur.duckporno.com – Compromised adult website
  • 80.77.82.42 – sumterads.info – GET /rotation/hits?
  • 92.53.97.168 – zag.2043kutahya.net – RIG-v EK

Post-Infection Traffic:

  • 94.23.186.184 – GET /images/[truncated]/y/.avi
  • 91.228.166.47 – nod32.com – GET /images/[truncated]/zpyxRby.jpeg
  • 91.228.166.47 – nod32.com – GET /images/[truncated]/K04.gif
  • 94.23.186.184 – GET /tor/t32.dll – Tor client
  • 37.48.122.26 – curlmyip.net – GETs external IP of host
  • Outbound requests to various IPs via TCP port 9001 (Tor).

DNS Queries:

  • resolver1.opendns.com
  • 222.222.67.208.in-addr-arpa
  • myip.opendns.com
  • nod32.com
  • eset.com

Traffic:

[Images: traffic captures, sample of DNS queries, sample of Tor traffic]

IDS Events:

[Image: IDS events]

Hashes:

SHA256: 926c914c444a5b6218ff305aaee022386741d0b784fa5c09fe57c80939fde392
File name: rotation hits.html

SHA256: 1c3863f4ba4b78fd22c32774487f488f8abd9a293a3238ad4afd98b94b16ed83
File name: zag.2043kutahya.net pre landing page.txt

SHA256: c5c14e08e160e393a51ced0e8bd15038ad05a7d9503b142f6e7149662f3a51a1
File name: zag.2043kutahya.net landing page.txt

SHA256: c51983e60892d0c011339e123f9058c390f8f4bc162e00fa1879db4a76734029
File name: zag.2043kutahya.net RIG-v EK Flash exploit.swf

SHA256: ceec7a77c12c11bc3c02c5d724db3e6ce4377a240773b5fef86b0bdd8ad84ef5
File name: rad5BA76.tmp.exe
Hybrid-Analysis Report

SHA256: b4e9a4186bbe15e4a32685fcd5d2da493b6431de904256a220388b8e2369d1e2
File name: dot3Core.exe

SHA256: 5d5bda87bb2871b29c63d7a40c3f7e1ef81ebb4c69396059e94d4ce02ece9f10
File name: t32.dll

SHA256: 844e63492bd90551aff973d093be4bf2610bbb3057b86fe1a146f7bc412cfa92
File name: 8D53.bin

Infection Chain:

This infection began when, while researching, I found a compromised website with the following iframe in its source code:

[Image: iframe in the page source]

Loading the page multiple times eventually showed an error stating that there was a connection timeout when trying to reach sumterads.info, which was being loaded in an ad location:

[Image: ad location loading sumterads.info (edited)]

The first time we see a .info domain resolving to 80.77.82.42 was on 11/25/16. Using PassiveTotal I was able to determine that there have been at least 118 .info TLD domains resolving to 80.77.82.42 since 11/25/16.

The entire list of domains can be seen here:


Download the list here: info-tld-resolving-to-80-77-82-42.xlsx

The iframe generates a GET request for “/rotation/hits?”, which returns an HTML document containing a script identical to the RIG-v “pre-landing” script. This script also contains the URL of the RIG-v “pre-landing” page and instructs the host to use the POST method. Here is a partial image of “hits?”:

[Image: partial view of the “hits?” response]

In contrast, campaigns like pseudo-Darkleech include the RIG-v EK “pre-landing” page URL in the iframe.

The host then makes a POST request for the RIG-v pre-landing page (URL shown in the image above). The server returns the pre-landing page, which contains the same code, except that this time the URL within the script points the host to the RIG-v landing page:

[Image: pre-landing page script pointing to the landing page]

We then see another POST request, this time for the landing page. To be clear, that is two POST requests: one for the pre-landing page and the other for the landing page.

Once on the landing page we see the host make a GET request for a Flash exploit and then the malicious payload.

At this point we see rad5BA76.tmp.exe dropped in %Temp% and copied to a folder in Roaming as “dot3Core.exe.” We also see two folders created, as well as a .BI1 file and a lot of .BIN files:

[Images: %Temp% contents, dot3Core.exe, Roaming folder]

The file 8D53.bin (seen in the first picture), which is 2,374 KB in size, is related to the TOR client download. There is also a “cached-microdescs” file created in Roaming, which is used by the Tor client.

Here is the GET request for “/tor/t32.dll”:

[Image: GET request for /tor/t32.dll]

Here are some changes made to the registry for persistence and the Tor client:

Post-infection traffic also shows the host making a GET request for curlmyip.net in order to grab the external IP address of the host:

[Image: GET request to curlmyip.net]

If you’re working in a SOC I would filter network traffic over the last 72 hours and look for any communication to 80.77.82.42. From there I would see if the host was successfully redirected to an EK. You can likely determine if the host has been compromised through signs of AV events or post-infection traffic. Lastly, I would block 80.77.82.42 and 92.53.97.168 at your perimeter firewall(s).
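As an added example (not from the original post), here is the SOC triage described above, and the redirect chain described earlier, run over constructed proxy-log lines. The IOC IPs and the “/rotation/hits?” path come from the post; the log format, workstation names, RFC 5737 addresses and the placeholder POST URIs are assumptions.

```python
"""Added example, not from the original post: run the SOC triage described
above over constructed proxy-log lines. IOC IPs and /rotation/hits? come from
the post; log format, hostnames, RFC 5737 IPs and POST URIs are assumptions."""
from datetime import datetime, timedelta
ROTATOR_IP = "80.77.82.42"    # sumterads.info and the other *ads.info domains
RIGV_EK_IP = "92.53.97.168"   # zag.2043kutahya.net, RIG-v pre-landing/landing
TOR_OR_PORT = 9001            # outbound Tor traffic seen after infection

# Constructed log lines: "<iso time> <src host> <method> <dst ip:port> <vhost> <uri>"
SAMPLE_LOG = """\
2017-01-27T10:00:01 wks-17 GET 88.214.225.168:80 amateur.duckporno.com /
2017-01-27T10:00:02 wks-17 GET 80.77.82.42:80 sumterads.info /rotation/hits?
2017-01-27T10:00:03 wks-17 POST 92.53.97.168:80 zag.2043kutahya.net /placeholder-pre-landing
2017-01-27T10:00:04 wks-17 POST 92.53.97.168:80 zag.2043kutahya.net /placeholder-landing
2017-01-27T10:00:09 wks-17 CONNECT 203.0.113.9:9001 - -
2017-01-25T09:00:00 wks-03 GET 80.77.82.42:80 sumterads.info /rotation/hits?
2017-01-27T11:00:00 wks-42 GET 198.51.100.7:80 example.org /index.html
"""

def parse_line(line):
    ts, host, method, dst, vhost, uri = line.split(" ", 5)
    ip, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "host": host, "method": method,
            "ip": ip, "port": int(port), "vhost": vhost, "uri": uri}

def triage(log_text, now_iso, window_hours=72):
    """Map each source host to the chain stages it touched inside the window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(hours=window_hours)
    findings = {}
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["ts"] < cutoff:
            continue
        stages = set()
        if r["ip"] == ROTATOR_IP or r["uri"].startswith("/rotation/hits"):
            stages.add("rotator")        # redirect attempted
        if r["ip"] == RIGV_EK_IP:
            stages.add("ek")             # pre-landing/landing POSTs, exploit/payload GETs
        if r["port"] == TOR_OR_PORT:
            stages.add("tor")            # post-infection Tor traffic
        if stages:
            findings.setdefault(r["host"], set()).update(stages)
    return findings

def classify(stages):
    """Severity label for one host, from the stages triage() found."""
    if {"ek", "tor"} <= stages:
        return "likely compromised"
    return "reached EK" if "ek" in stages else "redirect attempted only"
```

A host that only hit the rotator still needs a look, since a timeout (as seen on the compromised site) or a blocked request would leave it at that stage.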
