HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.

IOCs:

  • 104.27.134.78 – multimediaz.net – Website hosting script for onclickads.net
  • 206.54.163.4 – onclickads.net – Checks Flash. Redirects to onclkds.com.
  • 206.54.163.50 – onclkds.com – Returns “302 Moved Temporarily,” new location is set to avatrading.org
  • 185.51.244.202 – avatrading.org – Domain in fake ad network. Contains iframe for stockholmads.info
  • 185.51.244.210 – stockholmads.info – GET /rotation/check-hits? – Contains iframe for RIG-v EK
  • 217.107.219.99 – sup.glencoelocksmithil.com – RIG-v EK
  • 89.223.31.51 – GET /images/[removed]/.avi – CnC traffic
  • 89.223.31.51 – GET /tor/t64.dll – Tor module download
  • 37.48.122.26 – curlmyip.net – External IP lookup
  • Post-infection Tor traffic via TCP port 9001

Identifying DNS Queries:

  • resolver1.opendns.com
  • 222.222.67.208.in-addr.arpa
  • myip.opendns.com
  • nod32.com
  • eset.com

Traffic:

traffic

Hashes:

SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8
File name: RIG-v Flash Exploit.swf

SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea
File name: QTTYUADAF

SHA256: 968c138d81479711c3c1fea10860cf14bcda165971add20bb14e6671cfd7f5ab
File name: rad763E4.tmp.exe or Deviprov.exe
Hybrid-Analysis Report

SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll (Downloaded when using Windows 64-bit)

SHA256: 5d5bda87bb2871b29c63d7a40c3f7e1ef81ebb4c69396059e94d4ce02ece9f10
File name: t32.dll (Downloaded when using Windows 32-bit)

Infection Chain:

The infection began when I was browsing the WordPress site multimediaz.net. A picture of the site is shown below:

pic-of-site
You can see that the ads from ad.propellerads.com returned a 404 Not Found.

Searching this domain via Google doesn’t directly return the homepage. However, the owner of the site appears to be letting it sit idle and it hasn’t been updated in a long time (due to lack of public interest).

As you can see from the picture of my traffic the site’s source code contains script pointing to onclickads.net:

multimediaz-net-onclickads-script

We then see a GET request for onclickads.net/?zoneid=7904&pbk2=2829851022915fd178a61c17ad4940996388365887265502682&r=%2Foc%2Fhan%2Ftomb&uuid=20950899-f385-4e08-9179-7f55bf462380&fs=1

Below is the file found in the return traffic:

part-1part-2part-3

We can see that the title is “Redirect” and it tells the browser to do a DNS prefetch for avatrading.org. It also uses a meta-refresh for onclkds.com. We then see some JavaScript that does some checks for Flash. The original full file and a commented out version of the JavaScript can be viewed on my Pastebin account.

Original full file: http://pastebin.com/7ah2Pw9H
Commented JavaScript: http://pastebin.com/tUy3Lehh (shout-out to my buddy “elf” for taking the time to breakdown the script, decode it and comment it!)

This redirects the host to onclkds.com, which in turn returns a 302 Moved Temporarily and redirects the host to avatrading.org/?sw=1280:

302-moved-temporarily

It should be noted that I’ve seen a lot of malvertising begin with on OnClickAds.net, which is used by ad network Propeller Ads Media for ad serving.

We then see avatrading.org/?sw=1280 open in a new browser on the Desktop:

avatrading-used-in-malvertising

AvaTrading.org appears to be a dummy site used by this malvertising campaign. The domain was created on 02/16/17. Below is the Whois information:

Attribute Value
WHOIS Server whois.publicinterestregistry.net
Registrar Danesco Trading Ltd.
Email
avatrading.org@whoisprotectservice.net (registrant, admin, tech)
Name
WhoisProtectService.net (registrant, admin, tech)
Organization
PROTECTSERVICE, LTD. (registrant, admin, tech)
ASN AS46636 NATCOWEB
Street 27 Old Gloucester Street
City  London
Postal  WC1N 3AX
Country  GB
Phone
4402074195061 (registrant, admin, tech)
NameServers
ns1.topdns.me
ns2.topdns.me
ns3.topdns.me

Notice the name servers? The TopDNS.me name servers are used by the fake ad network and malvertising campaign called “HookAds.” To read more about HookAds see this article written by :

https://blog.malwarebytes.com/cybercrime/exploits/2016/11/the-hookads-malvertising-campaign/

This domain resolves to 185.51.244.202, with the subnet 185.51.244.0/24 containing other domains in the HookAds infrastructure. That range is operated by Soft-com.biz Inc., with the netname being UK-SOFTCOM-HQHost.

Looking at the source code behind AvaTrading.org shows that it contains an iframe pointing to stockholmads.info:

stockholmads-info-iframe

That iframe redirects the host to “stockholmads[.]info/rotation/check-hits?”. stockholmads.info resolves to 185.51.244.210. The resolution history for 185.51.244.210 is shown below:

Domain First Seen Last Seen
stockholmads.info 11/9/2016 7:56 2/19/2017 22:43
leedsads.info 11/11/2016 16:13 2/19/2017 12:35
lilleads.info 11/4/2016 18:54 2/19/2017 12:05
malmoads.info 11/8/2016 23:48 2/19/2017 11:56
ostravaads.info 11/13/2016 8:52 2/19/2017 1:53
trivagoad.com 1/14/2016 3:58 2/19/2017 0:00
bristolads.info 11/11/2016 8:45 2/18/2017 20:40
amsterdamads.info 11/5/2016 13:18 2/18/2017 18:27
lublanads.info 11/12/2016 0:45 2/18/2017 16:24
turkuads.info 11/10/2016 15:56 2/18/2017 12:42
koperads.info 11/12/2016 16:48 2/18/2017 12:10
turinads.info 11/8/2016 15:48 2/18/2017 3:24
varnaads.info 11/14/2016 1:34 2/18/2017 3:11
sevilleads.info 11/5/2016 0:07 2/18/2017 1:15
rotterdamads.info 11/7/2016 4:52 2/18/2017 0:42
naplesads.info 11/8/2016 8:24 2/17/2017 22:19
munichads.info 11/7/2016 12:39 2/17/2017 22:06
mariborads.info 11/12/2016 8:46 2/17/2017 21:07
landads.info 11/9/2016 14:35 2/17/2017 20:32
umeaads.info 11/9/2016 14:29 2/14/2017 11:20
lisbonads.info 11/5/2016 3:41 2/14/2017 7:57
hagueads.info 11/6/2016 12:24 2/13/2017 20:25
brnoads.info 11/13/2016 0:55 2/11/2017 1:33
frankfurtads.info 11/7/2016 14:02 2/10/2017 9:37
tampereads.info 11/10/2016 16:17 2/7/2017 22:31
helsinkiads.info 11/10/2016 7:54 2/7/2017 21:28
utrechtads.info 11/6/2016 14:50 12/26/2016 8:47
sofiaads.info 11/14/2016 14:36 12/26/2016 7:46
hamburgads.info 11/7/2016 23:16 12/23/2016 8:29
pasteero.com 12/18/2015 3:27 12/16/2016 2:04
plivdivads.info 11/14/2016 0:57 12/16/2016 1:33
pilsenads.info 11/13/2016 16:54 11/24/2016 10:52
florenceads.info 11/8/2016 7:18 11/19/2016 18:44
yorkads.info 11/12/2016 0:04 11/12/2016 0:28
liverpoolads.info 11/3/2016 20:34 11/6/2016 20:39
adsrotation.info 9/8/2016 0:01 9/8/2016 14:22
adsdelivery.info 9/7/2016 10:16 9/8/2016 7:26
hoptop.info 8/28/2016 0:00 8/29/2016 16:09
dc-d2922a0b.trivagoad.com 1/13/2016 11:07 1/13/2016 11:07

The malicious activity associated with this IP address appears to have begun on 08/28/16. Whois information for 185.51.244.210 is shown below:

WHOIS Server whois.ripe.net
Registrar RIPE NCC
Email eugene.stryapin@soft-com.biz (registrant)
Name UK-SOFTCOM-HQHost (registrant)
Eugene Stryapin (admin)
Organization UK-SOFTCOM-HQHost (registrant)
Street 272 Bath Street (admin, tech)
City Glasgow
Postal
Country GB (registrant)
Phone 380 66 42 32 985 (admin, tech)
NameServers

/check-hits? returns what has been called RIG’s “pre-landing” page. The full page can be seen at my Pastebin account:

http://pastebin.com/EajPMUnB

While it was called the “pre-landing” page by security researchers the authors are calling it “firstDetect.js”. The file is located at /library/:

firstdetect

firstDetect.js contains the URL for the RIG-v EK landing page and it tells the host to use the POST method for that request.

The EK then sent the Flash exploit and the malware payload.

cmd.exe creates QTTYUADAF in %Temp% and executes it. The script causes the host to make a GET request for the malware payload. The malware payload (rad763E4.tmp.exe) is dropped and executed in %Temp%:

temp

The file is also copied to C:\Users[User]\AppData\Roaming\efsshell\ as Deviprov.exe:

appdata-roaming

The original file has “(original)” in the name whereas the file size did grow by 276 KB after only a couple of minutes. I have both samples in there as an example of the change in file size.

There is a registry entry created for persistence:

registry-run-entry

The bot checks-in with the CnC server via 89.223.31.51/images/[removed]/.avi.

We then see the GET request for the Tor client, which is currently being hosted at 89.223.31.51. The server will return /tor/t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

When the Tor cleint is retrieved from 89.223.31.51 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\ [random guid]:

registry-tor-client-entry

This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was B725.bin (3,088 KB).

We also see the creation of cached-microdescs, which is used by the Tor client:

roaming

For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

As always I recommend blocking the nasty stuff, including the HookAds infrastructure, RIG EK IP address as well as the CnC servers. Until next time!

space-invaders

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

One thought on “HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.

Leave a Comment

%d bloggers like this: