EITest Leads to RIG-v EK at 185.159.130.122. Ursnif Variant Dreambot.

IOCs:

  • 92.243.23.204 – www[.]caltech[.]fr – Compromised website
  • 185.159.130.122 – more.THEBESTDALLASFLORISTS.COM – RIG-v EK
  • 5.196.159.175 – GET /images/[removed]/KTDEi/.avi – CnC traffic
  • 46.4.99.46 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
  • 37.48.122.26 – curlmyip.net – External IP lookup

Post-Infection DNS Queries:

  • resolver1.opendns.com – ET POLICY OpenDNS IP Lookup
  • curlmyip.net
  • 222.222.67.208.in-addr.arpa
  • myip.opendns.com
  • nod32s.com
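The network IOCs and post-infection DNS queries above are more useful when applied to logs in sequence: a lookup of curlmyip.net or myip.opendns.com on its own is a weak signal (benign software uses both), but the same client hitting the RIG-v EK IP, the CnC URI and the Tor module download within minutes is not. The script below is an added example, not part of the original post. It matches a constructed, simplified log format (one event per line, "ts dns|http client -> server detail") against the indicators listed above and triages each client as "infected" (at least one EK/CnC/Tor hit) or "review" (external IP lookup only). The sample log lines, the private client addresses and the "/" paths are constructed for the example; the CnC URI is copied from the post with its redacted segment left as "[removed]".

```python
import re
from typing import Dict, List, Tuple

# Indicators from the post (defanging removed, hosts lower-cased).
NETWORK_IOCS: Dict[str, str] = {
    "92.243.23.204": "compromised website (EITest injection)",
    "www.caltech.fr": "compromised website (EITest injection)",
    "185.159.130.122": "RIG-v EK",
    "more.thebestdallasflorists.com": "RIG-v EK",
    "5.196.159.175": "Dreambot CnC",
    "46.4.99.46": "Tor module download host",
}

# External-IP lookup services queried after infection. Not malicious on their
# own, so they only score as "review" unless the same client also hits an IOC.
IP_LOOKUP_HOSTS = {"curlmyip.net", "myip.opendns.com", "resolver1.opendns.com"}

# URI shapes seen in the post: the Tor module fetch and the CnC check-in.
# CNC_URI generalises the one sample (/images/[removed]/KTDEi/.avi) to any
# /images/.../.avi path; that generalisation is an assumption of this example.
TOR_MODULE_URI = re.compile(r"^/tor/t64\.dll$", re.I)
CNC_URI = re.compile(r"^/images/.+/\.avi$")

# Constructed line format for this example; not the output of any real sensor.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>dns|http)\s+(?P<client>\S+)\s+->\s+(?P<server>\S+)\s+(?P<detail>.*)$"
)

LOW_CONFIDENCE = "external IP lookup (low confidence alone)"

# Constructed sample log: one infected client, one client that only did an IP
# lookup, one benign request.
SAMPLE_LOG: List[str] = [
    "2017-01-10T14:00:01Z dns 10.1.1.20 -> 10.1.1.1 A www.caltech.fr",
    "2017-01-10T14:00:02Z http 10.1.1.20 -> 92.243.23.204 GET www.caltech.fr /",
    "2017-01-10T14:00:04Z http 10.1.1.20 -> 185.159.130.122 GET more.thebestdallasflorists.com /",
    "2017-01-10T14:00:20Z http 10.1.1.20 -> 5.196.159.175 GET 5.196.159.175 /images/[removed]/KTDEi/.avi",
    "2017-01-10T14:00:25Z http 10.1.1.20 -> 46.4.99.46 GET 46.4.99.46 /tor/t64.dll",
    "2017-01-10T14:00:30Z dns 10.1.1.20 -> 10.1.1.1 A curlmyip.net",
    "2017-01-10T14:00:31Z dns 10.1.1.20 -> 208.67.222.222 A myip.opendns.com",
    "2017-01-10T14:00:40Z dns 10.1.1.21 -> 10.1.1.1 A curlmyip.net",
    "2017-01-10T14:01:00Z http 10.1.1.22 -> 93.184.216.34 GET example.com /",
]


def classify(line: str) -> List[str]:
    """Return every reason a single log line matches an indicator from the post."""
    m = LINE_RE.match(line)
    if not m:
        return []
    reasons: List[str] = []
    server = m.group("server").lower()
    detail = m.group("detail")
    if server in NETWORK_IOCS:
        reasons.append(NETWORK_IOCS[server])
    if m.group("kind") == "dns":
        # detail is "<qtype> <qname>"
        qname = detail.split()[-1].lower().rstrip(".")
        if qname in NETWORK_IOCS:
            reasons.append("DNS lookup for " + NETWORK_IOCS[qname])
        elif qname in IP_LOOKUP_HOSTS:
            reasons.append(LOW_CONFIDENCE)
    else:
        # detail is "<method> <host> <path>"
        parts = detail.split()
        if len(parts) == 3:
            _method, host, path = parts
            tag = NETWORK_IOCS.get(host.lower())
            if tag and tag not in reasons:
                reasons.append(tag)
            if TOR_MODULE_URI.match(path):
                reasons.append("Tor module download (t64.dll)")
            if CNC_URI.match(path):
                reasons.append("Dreambot CnC check-in URI pattern")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """All lines that matched, with their reasons."""
    return [(ln, classify(ln)) for ln in lines if classify(ln)]


def triage(lines: List[str]) -> Dict[str, str]:
    """Per client: 'infected' if any high-confidence hit, 'review' if only IP lookups."""
    verdict: Dict[str, str] = {}
    for line in lines:
        m = LINE_RE.match(line)
        reasons = classify(line)
        if not m or not reasons:
            continue
        client = m.group("client")
        if any(r != LOW_CONFIDENCE for r in reasons):
            verdict[client] = "infected"
        else:
            verdict.setdefault(client, "review")
    return verdict


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line.split()[2], "->", "; ".join(reasons))
    print(triage(SAMPLE_LOG))
```

The ordering check matters in practice: if you hunt on the IP-lookup domains alone you will drown in false positives, so pivot from the EK, CnC and Tor module indicators first and use the lookups only to confirm the post-infection sequence on a client that already matched.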

Traffic:

Traffic.PNG

Hashes:

SHA256: 37f7e78080f85e6f98136e927a69a72ea7d619f230b476b5d6826ebc1eee29a0
File name: RIG-v EK Flash Exploit.swf

SHA256: 2bfe062e8fb089f22d8dbe33184174098e87ba0b7ecc36e3db1290a5896d00c0
File name: QTTYUADAF

SHA256: c845c57e8fe49ae9fa7413cd51d7fdba563e5aeb422d01f4f1d473ca7dcb0a56
File name: radE86B9.tmp.exe
Hybrid-Analysis Report

SHA256: a8f7a0471f65cfad7031d77bf131532fa8d930e9eea86c23584771251d0b51d5
File name: t64.dll

Infection Chain:

Shout-out to @kkrnt who told me about the compromised website. Here is an image of the compromised website:

caltech-dot-fr

Loading the website in my browser and inspecting the TCP stream between my host and the web server showed that the EITest script had been injected into the web page. Below is the EITest script returned by the web server:

eitest-script

The URL within the script redirected my host to the RIG-v EK pre-landing page. The host was then redirected to the landing page after which we see the Flash exploit followed by the malware payload.

We see cmd.exe create a script, QTTYUADAF, in %Temp% and execute it. That script makes the host issue a GET request for the malware payload, which is dropped as radE86B9.tmp.exe in %Temp% and executed:

temp

The file is also copied to [User]\AppData\Roaming\catskend:

docpdump-exe-after-1-hour
docpDump (1).exe is the copy. After an hour it had grown in size by 225 KB.

There is a registry entry created for persistence:

registry-run

The bot checks in with the CnC server via 5.196.159.175/images/[removed]/KTDEi/.avi.

We then see the GET request for the Tor client, which is currently being hosted at 46.4.99.46. The current reverse DNS (PTR) record for 46.4.99.46 is static.46.99.4.46.clients.your-server.de. The name servers include:

Name Servers
ns.second-ns.com
ns1.your-server.de
2a01:4f8:d0a:2006:0:0:0:2
ns3.second-ns.de

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

When the Tor client is retrieved from 46.4.99.46 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\ [random guid]:

registry-tor-client-edited

This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was FFDA.bin.
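The two host artifacts described here (a value under HKCU\Software\AppDataLow\Software\Microsoft\{guid} pointing at %Temp%\[A-F0-9]{4}.bin) are easy to hunt for offline in a registry export. The code below is an added example, not from the original post: it parses a constructed .reg export (as produced by reg export), keeps only keys matching the AppDataLow path with a GUID leaf, and returns any value whose data is a four-hex-character .bin file under a Temp directory. The GUID, the value name "Client64" and the user profile path in the sample are placeholders; the post names none of them. A decoy key with the same file pattern is included to show that the key scoping matters.

```python
import re
from typing import Dict, List

# Key the post reports after the Tor module is fetched; the leaf is a random GUID.
APPDATALOW_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\\{[0-9A-Fa-f-]{36}\}$"
)
# Filename pattern the post gives for the dropped Tor client (e.g. FFDA.bin).
TOR_BIN_NAME = re.compile(r"^[A-F0-9]{4}\.bin$")
# A string value line in a .reg export: "name"="data". Hex (binary) values are skipped.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample export. GUID, value name and profile path are placeholders.
# The second key is a decoy: same file pattern, wrong key, must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\{0D1C8E2A-3B5F-4F6C-9A71-2E4B8C5D6F70}]
"Client64"="C:\\Users\\user\\AppData\\Local\\Temp\\FFDA.bin"

[HKEY_CURRENT_USER\Software\SomeVendor\Updater]
"Cache"="C:\\Users\\user\\AppData\\Local\\Temp\\1234.bin"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: unescaped string data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes as \\ ; undo that for path checks.
                keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def find_tor_client_paths(reg_text: str) -> List[str]:
    """Paths stored under the AppDataLow\\...\\{guid} key that look like %Temp%\\XXXX.bin."""
    found: List[str] = []
    for key, values in parse_reg_export(reg_text).items():
        if not APPDATALOW_KEY.match(key):
            continue
        for data in values.values():
            base = data.rsplit("\\", 1)[-1]
            if TOR_BIN_NAME.match(base) and "\\temp\\" in data.lower():
                found.append(data)
    return found


def find_tor_cache(paths: List[str]) -> List[str]:
    """Filesystem side: cached-microdescs under AppData\\Roaming, as the post observed."""
    return [
        p for p in paths
        if p.rsplit("\\", 1)[-1] == "cached-microdescs" and "\\appdata\\roaming\\" in p.lower()
    ]


if __name__ == "__main__":
    print(find_tor_client_paths(SAMPLE_REG_EXPORT))
    # Constructed file listing; the directory name under Roaming is a placeholder.
    print(find_tor_cache([
        r"C:\Users\user\AppData\Roaming\catskend\docpDump (1).exe",
        r"C:\Users\user\AppData\Roaming\placeholder\cached-microdescs",
    ]))
```

Caveat: a legitimate Tor Browser install also writes cached-microdescs under its own profile directory, so treat the cache file as corroboration for the registry hit, not as an indicator on its own.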

We also see the creation of cached-microdescs, a file the Tor client uses to cache relay microdescriptors:

roaming

For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

As always I recommend blocking the RIG-v EK IP address as well as the CnC servers. Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
