RIG EK at 92.53.127.21 Drops Dreambot

IOCs:

• 209.126.118.90 – cominents.gdn – Fake ad infrastructure. Server returned RIG’s pre-filter page which contained the URL for the landing page
• 92.53.127.21 – try.werrew.info – RIG EK
• 176.223.111.198 – GET /images/[removed]/.avi
• 176.223.111.198 – GET /tor/t64.dll – Tor module
• 208.43.71.133 – avast.com – GET /images/[removed]/.jpeg or .gif- ET Trojan Ursnif Variant CnC Beacon 4
• 37.48.122.26 – curlmyip.net – Used to identify the host external IP address
• The User-Agent string used by the malware is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), which is IE 8.
• Post-infection Tor traffic via TCP ports 9001 and 443

Additional DNS Queries:

• resolver1.opendns.com
• 222.222.67.208.in-addr.arpa
• myip.opendns.com
• avast.com
• www[.]avast.com

Host Based Artifacts:

• Persistance: HKCUSoftwareMicrosoftWindowsCurrentVersionRun
• Malware is copied to C:Users[User]AppDataRoamingefsshellDeviprov.exe
• When the Tor cleint is retrieved we see the bot create a registry entry in HKCUSoftwareAppDataLowSoftwareMicrosoft[random GUID]
• This key contains the path to the client, which is dropped in %Temp% with a filename using the pattern [A-F0-9]{4}.bin (3,088 KB)
• We also see the creation of cached-microdescs in %AppData%, which is used by the Tor client

Runs shell commands From Hybrid-Analysis Report:

cmd /c “”%TEMP%5A911449.bat” “C:ht7cx8eu.exe””
cmd /c “”%APPDATA%cmdisvc6adprtext.exe” “””
cmd /C “”%APPDATA%cmdisvc6adprtext.exe” “””
cmd /C “nslookup myip.opendns.com resolver1.opendns.com > %TEMP%976C.bi1”
cmd /C “echo ——– >> %TEMP%976C.bi1”

Processes:

Hashes:

SHA256: 41bcdc8e99edc70be75489510ffbd2f3ba65cea23183450591ef3a8f260f218c
File name: RIG EK Flash Exploit.swf

SHA256: b90eb9519df036c49abd341dd493c98b495d910827ad64f58b26b2bb32ef8e07
File name: o32.tmp

SHA256: f637a35012ab04171ef5f4b8b3bfde4c6cba25bab7d63a0e281e1fea22ebe631
File name: ht7cx8eu.exe
Hybrid-Analysis Report

SHA256: 5d5bda87bb2871b29c63d7a40c3f7e1ef81ebb4c69396059e94d4ce02ece9f10
File name: t32.dll

SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll

Traffic:

Additional Threat Intel:

Recent DNS records show the following resolutions associated with the fake ad infrastructure being hosted at 209.126.118.90.

Domain	First Seen	Last Seen
cominents.gdn	3/6/2017 9:45	3/6/2017 11:52
werned.gdn	3/6/2017 11:23	3/6/2017 11:23
dravitalia.gdn	3/2/2017 19:04	3/6/2017 10:56
algrook.top	3/20/2016 1:03	3/6/2017 10:40
unexperic.gdn	3/1/2017 5:25	3/6/2017 10:01
westponent.gdn	3/5/2017 21:51	3/6/2017 9:46
elecommon.gdn	3/4/2017 21:39	3/6/2017 2:00
slightfall.gdn	2/28/2017 6:32	3/5/2017 12:40
paltruise.gdn	3/3/2017 20:15	3/5/2017 11:47
germante.gdn	3/2/2017 8:50	3/5/2017 7:08
irritorian.gdn	3/4/2017 0:00	3/5/2017 0:00
seconquest.gdn	3/3/2017 8:04	3/4/2017 2:09
hickenzi.gdn	3/3/2017 8:00	3/4/2017 1:37
zachael.gdn	2/28/2017 5:03	3/2/2017 1:34
forexpromo.net	3/1/2017 10:03	3/1/2017 10:10
wallther.gdn	2/28/2017 17:12	3/1/2017 4:28
mail.holyhee.top	6/6/2016 12:05	2/27/2017 0:48
www[.]algrook.top	1/3/2017 14:55	2/24/2017 17:48
mail.algrook.top	3/19/2016 17:24	2/18/2017 5:19
imap.holyhee.top	2/7/2017 17:11	2/7/2017 17:11
www[.]ebifat.top	1/4/2017 17:38	1/4/2017 17:38
forum.algrook.top	12/21/2016 9:46	12/21/2016 9:46

Whois record for the domains shown above:

WHOIS Server	whois.publicdomainregistry.com
Registrar	PDR Ltd. d/b/a PublicDomainRegistry.com
Email	seoboss@seznam.cz
Name	Robert Bulis
Organization	N/A
Street	Lysinska 1756/32
City	Praha 12
State	Praha
Postal	Postal code 14300
Country	CZ
Phone	420234261846
Name Servers	a8332f3a.bitcoin-dns.hosting
	ad636824.bitcoin-dns.hosting
	c358ea2d.bitcoin-dns.hosting
	1a7ea920.bitcoin-dns.hosting

This was a quick and dirty post just to get the IOCs out there. Until next time!