TDS Redirecting Users to RIG Exploit Kit and Other Stuff

I’ve been tracking numerous external TDSs being used in exploit kit infection chains over the last couple of months. This post will focus on one TDS in particular, specifically a Keitaro TDS. During my investigation I was able to track down 12 domains that had been compromised and were redirecting users to this TDS. In the past investigations the TDS would redirect the host directly to an exploit kit. However, in recent cases involving this TDS it was also redirecting users to another compromised domain. That compromised domain contained the URL for the RIG EK landing page.

Below is the traffic from my first run, which failed:

run-1-traffic-edited

The host was redirected to the TDS via an iframe. The TDS then redirected my host directly to RIG EK at 92.53.124.52 (act.vrundavaninfra.com) via a 302 Moved Temporarily:

failed-run-1-edited

The infection chain stopped at the landing page.

The second and third runs were successful, both delivering Dreambot, a variant of Ursnif. Traffic from both those runs were as follows:

In both of these runs the TDS redirected the host to another compromised domain using the .net TLD. The compromised domain contained the URL for the RIG landing page.

The infections aren’t really that interesting as RIG EK has been dropping a lot of Dreambot recently. What I was actually looking for was how the TDS would decide to redirect my host, however, nothing seemed to matter. I only documented the TDS using 302s as its redirection mechanism. Furthermore, the payload didn’t change based on factors like geo-location.

During one of my later runs the TDS redirected my host to one of those  fake “Windows Defender Alert: Zeus Virus Detected In Your Computer” pages that are starting to become a lot more prevalent. I don’t know why it decided to redirect my host here instead of RIG.

If you haven’t seen one of these tech support scam pages here is an image of the page that I got:

tech-support-scam

Typically a user will be browsing the Interwebz and land on a compromised website. The compromised website redirects the host to one of these fake alert pages. There is also an audible message that is played and repeated which claims that their computer is infected and will be “disabled” if they don’t call the fake Microsoft Technical Department. Here is the audio message:

Trying to close the browser via the traditional methods doesn’t work. The criminals are hoping that users will call the phone number (844-243-0494) and pay them to “fix” their system.  However, in reality, there isn’t anything wrong with the system as there isn’t any malware being dropped on the host. For users reading this you can use the Applications tab on the Task Manager to shutdown the browser. If for some reason that doesn’t work then you can power down or restart the system.

Here is the traffic showing my host visiting a compromised website, getting redirected to the TDS and then to the “Windows Defender Alert: Zeus Virus Detected In Your Computer” page:

fake-tech-support-scam-traffic-edited

The compromised website, ending with the .id TLD, contains an iframe pointing to the TDS using the .biz TLD. Below is an image of the iframe found on the compromised website:

TCP stream of compromised site edited.png

This website was also defaced by a “hacking” crew calling themselves the “WuRKaC TeaM.” They even have a Facebook page…how l33t.

The TDS responds to the request with a 302 Moved Temporarily, a common method used by TDSs to reroute traffic based on the various options offered by traffic schemes:

tds-redirect-edited

The new location is www[.]ankaracocukorganizasyonlari[.]com/original.php, which returns the following:

second-redirection-edited

The response is compressed but examining the file shows it contains a meta refresh that is pointing to the “Windows Defender Alert: Zeus Virus Detected In Your Computer” page:

<meta http-equiv=”refresh” content=”0; URL=’hxxp://25689562165489421512515143478922[.]win/10012761/'” />

While these tech support scam pages aren’t dropping malware they are still very annoying and could cost users money through successful social-engineering. Not to mention I have been seeing A LOT of these tech support scams pop-up lately. It’s probably a good idea to just block the IPs (104.18.43.212) being used by these domains.

brace-yourself-meme

In the end the TDS didn’t just redirect hosts to an exploit kit. It was also redirecting hosts to tech support scam pages. Furthermore, the TDS redirected users directly to RIG and also to other compromised domains. So far I’ve only captured the TDS using 302s as its main redirection mechanism and factors like geo-location didn’t seem to make any difference in terms of what payload was delivered. I will continue to monitor for any changes.

Dreambot IOCs:

  • 188.225.32.184 – 1art.neighbourhoodreunions.net – RIG EK
  • 92.53.124.52 – act.vrundavaninfra.com – RIG EK
  • 93.119.123.193 – GET /images/[removed]/.avi – Callback
  • 93.119.123.193 – GET /tor/t64.dll – Tor module
  • 37.48.122.26 – curlmyip.net – Used to identify its external IP address

Hashes:

SHA256: cf0e13b2e3b480aff6f2f0c8082d52cfb4b01c082019cfac4adc87a7cbbf7fd6
File name: RIG EK Flash Exploit 1.swf

SHA256: b90eb9519df036c49abd341dd493c98b495d910827ad64f58b26b2bb32ef8e07
File name: o32.tmp

SHA256: 33b5a177f12c01efd040db542ed60bba0d9c21d83eb4f13d52a5125d0783badb
File name: 6D3A.bat

SHA256: ca7516a59d2ad6d3fe9663648e0d633b599abdccd35da9e98c76d76df0ae434a
File name: 9v4fqrw1.exe
Hybrid-Analysis Report

SHA256: a8f7a0471f65cfad7031d77bf131532fa8d930e9eea86c23584771251d0b51d5
File name: t64.dll

Additional DNS Queries:

  • resolver1.opendns.com
  • 222.222.67.208.in-addr.arpa
  • myip.opendns.com
  • nod32s.com

Host Based Artifacts:

  • Persistance: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Malware is copied to C:\Users\[User]\AppData\Roaming\efsshell\Deviprov.exe
  • When the Tor cleint is retrieved we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\<random guid>
  • This key contains the path to the client, which is dropped in %Temp% with a filename using the pattern [A-F0-9]{4}.bin (3,088 KB)
  • We also see the creation of cached-microdescs in %AppData%, which is used by the Tor client

Runs Shell Commands:

“cmd /c “”%TEMP%\2912\26D2.bat” “C:\9v4fqrw1.exe”””
“cmd /c “”%APPDATA%\cmdisvc6\adprtext.exe” “”””
“cmd /C “”%APPDATA%\cmdisvc6\adprtext.exe” “”””
“cmd /C “nslookup myip.opendns.com resolver1.opendns.com > %TEMP%\55C5.bi1″”
“cmd /C “echo ——– >> %TEMP%\55C5.bi1″”

  1. […] GATES and TRAFFIC DISTRIBUTION SYSTEMs (TDS)Early in our research, we observed no significant evidence of TDS or Gates being used in conjunction with major RIG campaigns (specifically PseudoDarkleech and EITEST), although there are published reports by other security researchers, such as @dynamicanalysis who covers TDS referral traffic used by GoodMan and some malvertising leading to RIG EK. […]

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: