RIG EK at 92.53.127.21 Drops Dreambot

IOCs:

  • 209.126.118.90 – cominents.gdn – Fake ad infrastructure. Server returned RIG’s pre-filter page which contained the URL for the landing page
  • 92.53.127.21 – try.werrew.info – RIG EK
  • 176.223.111.198 – GET /images/[removed]/.avi
  • 176.223.111.198 – GET /tor/t64.dll – Tor module
  • 208.43.71.133 – avast.com – GET /images/[removed]/.jpeg or .gif – matches ET Trojan Ursnif Variant CnC Beacon 4
  • 37.48.122.26 – curlmyip.net – Used to identify the host external IP address
  • The User-Agent string used by the malware is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), which is IE 8.
  • Post-infection Tor traffic via TCP ports 9001 and 443

Additional DNS Queries:

  • resolver1.opendns.com
  • 222.222.67.208.in-addr.arpa
  • myip.opendns.com
  • avast.com
  • www[.]avast.com

Host Based Artifacts:

  • Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Malware is copied to C:\Users\[User]\AppData\Roaming\efsshell\Deviprov.exe
  • When the Tor client is retrieved we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\[random GUID]
  • This key contains the path to the client, which is dropped in %Temp% with a filename using the pattern [A-F0-9]{4}.bin (3,088 KB)
  • We also see the creation of cached-microdescs in %AppData%, which is used by the Tor client
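Added detection example, not code from the original post: it sweeps constructed proxy-log lines, registry keys and file paths against the network and host indicators listed above. The tab-separated log layout, the 8-4-4-4-12 GUID format for the AppDataLow subkey, and all sample data are assumptions.

```python
import re

# IOC constants come from the post above; regexes, log layout and sample data are assumptions.
IOC_IPS = {"209.126.118.90", "92.53.127.21", "176.223.111.198",
           "208.43.71.133", "37.48.122.26"}
IOC_DOMAINS = {"cominents.gdn", "try.werrew.info", "curlmyip.net"}
IOC_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
# Assumed 8-4-4-4-12 hex layout for the "[random GUID]" subkey named in the post.
APPDATALOW_RE = re.compile(r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\"
                           r"\{?[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$", re.I)
TEMP_BIN_RE = re.compile(r"\\Temp\\[A-F0-9]{4}\.bin$", re.I)  # dropped Tor client
HOST_FILE_SUFFIXES = (r"\appdata\roaming\efsshell\deviprov.exe", r"\cached-microdescs")

def scan_proxy_log(text):
    """(line_no, kind, value) for each IOC hit in a tab-separated proxy log with fields
    ts, src, dst_ip, dst_port, host, user_agent. 443 alone is too common to flag."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) != 6:
            continue  # malformed line: skip instead of crashing the sweep
        _, _, dst_ip, dst_port, host, ua = parts
        if dst_ip in IOC_IPS:
            hits.append((n, "ip", dst_ip))
        if host.lower() in IOC_DOMAINS:
            hits.append((n, "domain", host.lower()))
        if ua == IOC_USER_AGENT:
            hits.append((n, "user-agent", ua))
        if dst_port == "9001":  # Tor ORPort seen post-infection
            hits.append((n, "tor-orport", dst_port))
    return hits

def scan_host_artifacts(reg_keys, file_paths):
    """(kind, value) for registry keys and file paths matching the host-based IOCs."""
    hits = [("registry", k) for k in reg_keys if APPDATALOW_RE.match(k)]
    hits += [("file", p) for p in file_paths
             if TEMP_BIN_RE.search(p) or p.lower().endswith(HOST_FILE_SUFFIXES)]
    return hits

# Constructed sample input (not from the post); 10.0.0.x and 203.0.113.x are placeholders.
SAMPLE_PROXY_LOG = (
    "2017-03-06T09:50:01\t10.0.0.5\t209.126.118.90\t80\tcominents.gdn\tMozilla/5.0 (Windows NT 6.1; rv:52.0)\n"
    "2017-03-06T09:50:03\t10.0.0.5\t92.53.127.21\t80\ttry.werrew.info\tMozilla/5.0 (Windows NT 6.1; rv:52.0)\n"
    "2017-03-06T09:51:10\t10.0.0.5\t208.43.71.133\t80\tavast.com\t" + IOC_USER_AGENT + "\n"
    "2017-03-06T09:52:00\t10.0.0.5\t203.0.113.9\t9001\t-\t-\n"
    "2017-03-06T09:53:00\t10.0.0.7\t203.0.113.20\t443\twww.example.com\tMozilla/5.0 (Windows NT 10.0)\n")
SAMPLE_REG_KEYS = [r"HKCU\Software\AppDataLow\Software\Microsoft\{0A1B2C3D-4E5F-4A6B-8C9D-0E1F2A3B4C5D}",
                   r"HKCU\Software\AppDataLow\Software\Microsoft\Internet Explorer"]
SAMPLE_FILES = [r"C:\Users\bob\AppData\Local\Temp\3F9A.bin", r"C:\Users\bob\AppData\Roaming\efsshell\Deviprov.exe",
                r"C:\Users\bob\AppData\Local\Temp\setup.bin", r"C:\Users\bob\AppData\Roaming\cached-microdescs"]
```

The avast.com line is caught by its destination IP and the IE 8 User-Agent, not by the Host header, since the real domain is legitimate; the 443 connection to an unrelated host correctly produces no hit.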

Shell commands run (from the Hybrid-Analysis report):

cmd /c ""%TEMP%\5A91\1449.bat" "C:\ht7cx8eu.exe""
cmd /c ""%APPDATA%\cmdisvc6\adprtext.exe" """
cmd /C ""%APPDATA%\cmdisvc6\adprtext.exe" """
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > %TEMP%\976C.bi1"
cmd /C "echo ——– >> %TEMP%\976C.bi1"

Processes:


Hashes:

SHA256: 41bcdc8e99edc70be75489510ffbd2f3ba65cea23183450591ef3a8f260f218c
File name: RIG EK Flash Exploit.swf

SHA256: b90eb9519df036c49abd341dd493c98b495d910827ad64f58b26b2bb32ef8e07
File name: o32.tmp

SHA256: f637a35012ab04171ef5f4b8b3bfde4c6cba25bab7d63a0e281e1fea22ebe631
File name: ht7cx8eu.exe
Hybrid-Analysis Report

SHA256: 5d5bda87bb2871b29c63d7a40c3f7e1ef81ebb4c69396059e94d4ce02ece9f10
File name: t32.dll

SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll

Traffic:

Additional Threat Intel:

Recent DNS records show the following resolutions associated with the fake ad infrastructure being hosted at 209.126.118.90.

Domain               First Seen         Last Seen          (M/D/YYYY HH:MM)
cominents.gdn        3/6/2017 9:45      3/6/2017 11:52
werned.gdn           3/6/2017 11:23     3/6/2017 11:23
dravitalia.gdn       3/2/2017 19:04     3/6/2017 10:56
algrook.top          3/20/2016 1:03     3/6/2017 10:40
unexperic.gdn        3/1/2017 5:25      3/6/2017 10:01
westponent.gdn       3/5/2017 21:51     3/6/2017 9:46
elecommon.gdn        3/4/2017 21:39     3/6/2017 2:00
slightfall.gdn       2/28/2017 6:32     3/5/2017 12:40
paltruise.gdn        3/3/2017 20:15     3/5/2017 11:47
germante.gdn         3/2/2017 8:50      3/5/2017 7:08
irritorian.gdn       3/4/2017 0:00      3/5/2017 0:00
seconquest.gdn       3/3/2017 8:04      3/4/2017 2:09
hickenzi.gdn         3/3/2017 8:00      3/4/2017 1:37
zachael.gdn          2/28/2017 5:03     3/2/2017 1:34
forexpromo.net       3/1/2017 10:03     3/1/2017 10:10
wallther.gdn         2/28/2017 17:12    3/1/2017 4:28
mail.holyhee.top     6/6/2016 12:05     2/27/2017 0:48
www[.]algrook.top    1/3/2017 14:55     2/24/2017 17:48
mail.algrook.top     3/19/2016 17:24    2/18/2017 5:19
imap.holyhee.top     2/7/2017 17:11     2/7/2017 17:11
www[.]ebifat.top     1/4/2017 17:38     1/4/2017 17:38
forum.algrook.top    12/21/2016 9:46    12/21/2016 9:46

Whois record for the domains shown above:

WHOIS Server whois.publicdomainregistry.com
Registrar PDR Ltd. d/b/a PublicDomainRegistry.com
Email seoboss@seznam.cz
Name Robert Bulis
Organization N/A
Street Lysinska 1756/32
City Praha 12
State Praha
Postal code 14300
Country CZ
Phone 420234261846
Name Servers a8332f3a.bitcoin-dns.hosting
ad636824.bitcoin-dns.hosting
c358ea2d.bitcoin-dns.hosting
1a7ea920.bitcoin-dns.hosting

This was a quick and dirty post just to get the IOCs out there. Until next time!
