HookAds Campaign Leads to RIG EK at 92.53.104.78

The HookAds campaign was first discovered by researchers at Malwarebytes back in mid August of 2016. It uses decoy adult sites to spread malware: a user browsing a legitimate website, often itself an adult site, is redirected through a malvertising chain to a decoy adult site.

On the decoy adult sites there is a malicious iframe that points to a fake ad server acting as a gate for RIG EK:

[Image: the decoy site contains an iframe pointing to an ad domain that acts as a gate]

The domain milliption.gdn resolves to 62.75.195.128. Passive DNS shows the campaign has been using this IP address since at least late January 2017 (wow1.paramework.xyz was first seen on it on 1/25/2017):

Domain First Seen Last Seen
milliption.gdn 3/13/2017 2:31 3/20/2017 13:21
decipio.gdn 3/13/2017 2:30 3/18/2017 2:37
africal.gdn 3/17/2017 20:49 3/17/2017 20:49
vessed.gdn 3/13/2017 2:31 3/13/2017 2:31
resourdish.gdn 3/8/2017 10:25 3/8/2017 21:12
wow1.paramework.xyz 1/25/2017 10:00 3/8/2017 19:07
psittan.gdn 3/8/2017 6:57 3/8/2017 9:40
wow3.paramework.xyz 2/24/2017 3:30 2/24/2017 3:30
wow2.paramework.xyz 2/19/2017 13:30 2/24/2017 3:29

The domain first resolved to 209.126.118.91, an IP address that also hosted more malicious domains under the generic TLD .gdn (Global Domain Name):

Domain First Seen Last Seen
coolinin.gdn 3/9/2017 23:50 3/20/2017 3:24
procody.gdn 3/8/2017 22:12 3/19/2017 18:59
slightfall.gdn 3/12/2017 9:19 3/14/2017 4:18
restribe.gdn 3/9/2017 10:19 3/14/2017 3:13
milliption.gdn 3/13/2017 2:31 3/13/2017 2:31
vessed.gdn 3/13/2017 2:31 3/13/2017 2:31
africal.gdn 3/10/2017 10:25 3/13/2017 1:06
resourdish.gdn 3/8/2017 0:00 3/12/2017 1:36
psittan.gdn 3/12/2017 1:34 3/12/2017 1:34

All of the .gdn domains being used by this campaign are registered to seoboss@seznam.cz:

Domain Registrant Email Registered
decipio.gdn seoboss@seznam.cz 3/5/2017
restribe.gdn seoboss@seznam.cz 3/5/2017
procody.gdn seoboss@seznam.cz 3/5/2017
vessed.gdn seoboss@seznam.cz 3/5/2017
africal.gdn seoboss@seznam.cz 3/5/2017
coolinin.gdn seoboss@seznam.cz 3/5/2017
milliption.gdn seoboss@seznam.cz 3/5/2017
resourdish.gdn seoboss@seznam.cz 3/5/2017
werned.gdn seoboss@seznam.cz 3/1/2017
psittan.gdn seoboss@seznam.cz 3/1/2017
westponent.gdn seoboss@seznam.cz 3/1/2017
confidely.gdn seoboss@seznam.cz 3/1/2017
elecommon.gdn seoboss@seznam.cz 3/1/2017
cominents.gdn seoboss@seznam.cz 3/1/2017
slightfall.gdn seoboss@seznam.cz 2/27/2017
wallther.gdn seoboss@seznam.cz 2/27/2017
dravitalia.gdn seoboss@seznam.cz 2/27/2017
paltruise.gdn seoboss@seznam.cz 2/27/2017
irritorian.gdn seoboss@seznam.cz 2/27/2017
unexperic.gdn seoboss@seznam.cz 2/27/2017
centuation.gdn seoboss@seznam.cz 2/27/2017
germante.gdn seoboss@seznam.cz 2/27/2017
thousales.gdn seoboss@seznam.cz 2/26/2017
zachael.gdn seoboss@seznam.cz 2/26/2017
chromotor.gdn seoboss@seznam.cz 2/26/2017
wrapsing.gdn seoboss@seznam.cz 2/26/2017
seconquest.gdn seoboss@seznam.cz 2/26/2017
hickenzi.gdn seoboss@seznam.cz 2/26/2017
sidentitis.gdn seoboss@seznam.cz 2/23/2017
concephall.gdn seoboss@seznam.cz 2/23/2017
neveraged.gdn seoboss@seznam.cz 2/22/2017
havenhoek.gdn seoboss@seznam.cz 2/22/2017
dispanic.gdn seoboss@seznam.cz 2/22/2017
discussels.gdn seoboss@seznam.cz 2/22/2017
explosin.gdn seoboss@seznam.cz 2/22/2017
austribach.gdn seoboss@seznam.cz 2/22/2017
rulence.gdn seoboss@seznam.cz 2/22/2017
patteriod.gdn seoboss@seznam.cz 2/22/2017
sebrisburg.gdn seoboss@seznam.cz 2/22/2017
becomple.gdn seoboss@seznam.cz 2/22/2017
entrary.gdn seoboss@seznam.cz 2/22/2017
mormous.gdn seoboss@seznam.cz 2/22/2017
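The two pivots above (shared hosting IP via passive DNS, then shared registrant email via WHOIS) can be scripted so that one seed domain expands to the whole cluster and its activity window. The script below is an added example, not the author's tooling; the PDNS and WHOIS rows are a constructed subset copied from the tables above, plus one unrelated record (benign.example) as noise, and the helper names are hypothetical. The hop limit matters in practice: a shared hosting IP or a privacy-proxy registrant email would otherwise pull in the entire dataset.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample data: a subset of the passive-DNS rows from the tables
# above, plus one unrelated record (benign.example) as noise.
PDNS = [
    # (domain, ip, first_seen, last_seen)
    ("milliption.gdn",      "62.75.195.128",  "3/13/2017 2:31",  "3/20/2017 13:21"),
    ("decipio.gdn",         "62.75.195.128",  "3/13/2017 2:30",  "3/18/2017 2:37"),
    ("wow1.paramework.xyz", "62.75.195.128",  "1/25/2017 10:00", "3/8/2017 19:07"),
    ("milliption.gdn",      "209.126.118.91", "3/13/2017 2:31",  "3/13/2017 2:31"),
    ("coolinin.gdn",        "209.126.118.91", "3/9/2017 23:50",  "3/20/2017 3:24"),
    ("procody.gdn",         "209.126.118.91", "3/8/2017 22:12",  "3/19/2017 18:59"),
    ("benign.example",      "198.51.100.7",   "1/1/2017 0:00",   "3/20/2017 0:00"),
]

# Constructed subset of the WHOIS table above; werned.gdn has no DNS row, so it
# is only reachable through the registrant-email pivot.
WHOIS = {
    # domain: (registrant email, registration date)
    "milliption.gdn": ("seoboss@seznam.cz", "3/5/2017"),
    "decipio.gdn":    ("seoboss@seznam.cz", "3/5/2017"),
    "coolinin.gdn":   ("seoboss@seznam.cz", "3/5/2017"),
    "procody.gdn":    ("seoboss@seznam.cz", "3/5/2017"),
    "werned.gdn":     ("seoboss@seznam.cz", "3/1/2017"),
    "benign.example": ("hostmaster@example.net", "1/1/2017"),
}

TS_FMT = "%m/%d/%Y %H:%M"   # the timestamp layout used in the tables above


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def build_graph(pdns, whois):
    """Bipartite adjacency: domain <-> ip and domain <-> registrant email."""
    adj = defaultdict(set)
    for domain, ip, _, _ in pdns:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    for domain, (email, _) in whois.items():
        adj[("domain", domain)].add(("email", email))
        adj[("email", email)].add(("domain", domain))
    return adj


def pivot(seed, pdns=PDNS, whois=WHOIS, max_hops=4):
    """Breadth-first pivot from a seed domain over shared IPs and shared
    registrant emails. Each domain->ip->domain step costs two hops, so
    max_hops=4 allows two rounds of pivoting from the seed."""
    adj = build_graph(pdns, whois)
    start = ("domain", seed)
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    out = {"domains": set(), "ips": set(), "emails": set()}
    for kind, value in seen:
        out[kind + "s"].add(value)
    return out


def activity_window(domains, pdns=PDNS):
    """Earliest first-seen and latest last-seen across the cluster's DNS rows."""
    rows = [(parse_ts(f), parse_ts(l)) for d, _, f, l in pdns if d in domains]
    if not rows:
        return None
    return min(f for f, _ in rows), max(l for _, l in rows)


def ioc_report(seed):
    """Plain-text IOC list for the cluster reachable from the seed domain."""
    cluster = pivot(seed)
    start, end = activity_window(cluster["domains"])
    lines = [f"cluster seeded from {seed}: active {start:%Y-%m-%d} to {end:%Y-%m-%d}"]
    lines += [f"  ip      {ip}" for ip in sorted(cluster["ips"])]
    lines += [f"  domain  {d}" for d in sorted(cluster["domains"])]
    lines += [f"  email   {e}" for e in sorted(cluster["emails"])]
    return "\n".join(lines)


if __name__ == "__main__":
    print(ioc_report("milliption.gdn"))
```

Seeding with milliption.gdn reaches both hosting IPs, every .gdn domain that shares them, wow1.paramework.xyz (shared IP only, no WHOIS row) and werned.gdn (shared registrant only, no DNS row), while benign.example is never touched. Running the same pivot with max_hops=1 returns only the seed's direct IPs and registrant, which is the safe default when a seed sits on shared hosting.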

The iframe on the decoy site points to the ad domains that act as a gate. The script served by the gate is used to fingerprint the visiting system.

The fingerprinting checks whether the current browser is Internet Explorer and makes sure that the visitor is not a crawling bot. On March 6th, 2017, I noticed that checks for Fiddler, FFDec, VirtualBox, and VMware had been added:

[Image: the additional checks in the gate script]
There is also commented-out code for the NOD32 and Bitdefender AV products.

You can read more about the new checks HERE.

The page returned by the server loads in the location of the banner ad. If the system passes the checks, you will see a POST request with a URL pointing to the RIG exploit kit landing page:

[Image: request to the gate; the URL points to the RIG EK landing page]

The RIG exploit kit landing page is loaded in the same location as the gate:

[Image: the RIG EK landing page loaded as the banner on the decoy site]

We can see the nonsensical sentences "Trick can you fix my BMW" and "Boys want education ty" being displayed in the location of the banner ad. However, taking a closer look at the page returned to the host, we can clearly see that it is actually the landing page:

[Images: the RIG EK landing page source containing the nonsensical sentences]

The EK dropped 06amrddi.exe and m73hwg6i.exe (same file) in %TEMP%:

[Image: %TEMP% directory listing showing the dropped executables]
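The chain described above (decoy site, iframe to the .gdn gate, POST from the gate, RIG EK landing page served in the banner slot, Flash exploit, then the executable) is what a SOC would want to pull out of proxy logs automatically. The script below is an added example, not part of the original post: it walks Referer headers backwards from any request to a known RIG EK IP and reports the full hop list, which gate host was involved and what the EK host served. The host-to-IP map is taken from this post's IOC list; the proxy log is constructed (the .example hostnames and the query strings are placeholders and do not reproduce RIG's real URL format), and the function names are hypothetical.

```python
from urllib.parse import urlparse

# Indicators taken from this post's IOC list.
DNS = {"milliption.gdn": "62.75.195.128", "temp.levvi.com": "92.53.104.78"}
RIG_IPS = {"92.53.104.78"}
GATE_TLDS = (".gdn",)
EXPLOIT_MIMES = {"application/x-shockwave-flash"}
PAYLOAD_MIMES = {"application/octet-stream", "application/x-msdownload"}

# Constructed proxy log, not a real capture. The .example hostnames and the
# query strings are placeholders. One line per request:
#   timestamp client method url referer status content-type
LOG = """\
2017-03-20T13:20:01Z 10.0.0.5 GET http://decoy-adult.example/ - 200 text/html
2017-03-20T13:20:02Z 10.0.0.5 GET http://milliption.gdn/ad?zone=1 http://decoy-adult.example/ 200 text/html
2017-03-20T13:20:03Z 10.0.0.5 POST http://milliption.gdn/ad?zone=1 http://milliption.gdn/ad?zone=1 200 text/html
2017-03-20T13:20:04Z 10.0.0.5 GET http://temp.levvi.com/?lp=1 http://milliption.gdn/ad?zone=1 200 text/html
2017-03-20T13:20:05Z 10.0.0.5 GET http://temp.levvi.com/?swf=1 http://temp.levvi.com/?lp=1 200 application/x-shockwave-flash
2017-03-20T13:20:06Z 10.0.0.5 GET http://temp.levvi.com/?bin=1 http://temp.levvi.com/?lp=1 200 application/octet-stream
2017-03-20T13:21:00Z 10.0.0.9 GET http://news.example/story http://search.example/ 200 text/html
"""


def parse_log(text):
    """Split whitespace-separated proxy lines into request records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, status, mime = line.split()
        events.append({"ts": ts, "client": client, "method": method, "url": url,
                       "referer": referer, "status": int(status), "mime": mime})
    return events


def host_of(url):
    return urlparse(url).hostname or ""


def is_ek(host):
    return DNS.get(host) in RIG_IPS


def is_gate(host):
    return host.endswith(GATE_TLDS)


def referer_chain(events, idx):
    """Walk Referer headers backwards through the same client's earlier
    requests, stopping at the first request with no referer. Returns the
    chain in chronological order, ending at events[idx]."""
    chain = [events[idx]]
    client, ref = events[idx]["client"], events[idx]["referer"]
    j = idx - 1
    while ref != "-" and j >= 0:
        e = events[j]
        if e["client"] == client and e["url"] == ref:
            chain.append(e)
            ref = e["referer"]
        j -= 1
    chain.reverse()
    return chain


def find_ek_chains(log_text):
    """One record per EK landing-page hit: the first request to a RIG IP
    whose Referer is not already on the EK host. Later requests from the
    same client to the EK host are summarised by their content types."""
    events = parse_log(log_text)
    found = []
    for i, e in enumerate(events):
        h = host_of(e["url"])
        if not is_ek(h) or is_ek(host_of(e["referer"])):
            continue
        hops = [(x["method"], host_of(x["url"])) for x in referer_chain(events, i)]
        served = [x["mime"] for x in events[i + 1:]
                  if x["client"] == e["client"] and is_ek(host_of(x["url"]))]
        found.append({
            "client": e["client"],
            "origin": hops[0][1],                       # where the victim started
            "gates": sorted({hh for _, hh in hops if is_gate(hh)}),
            "hops": hops,
            "ek_ip": DNS[h],
            "exploit": any(m in EXPLOIT_MIMES for m in served),
            "payload": any(m in PAYLOAD_MIMES for m in served),
        })
    return found


def verdict(rec):
    """Escalation hint: a served binary outranks a served exploit."""
    if rec["payload"]:
        return "payload delivered"
    if rec["exploit"]:
        return "exploit served"
    return "landing page only"


if __name__ == "__main__":
    for rec in find_ek_chains(LOG):
        print(rec["client"], verdict(rec), " -> ".join(f"{m} {h}" for m, h in rec["hops"]))
```

On the constructed log this yields one chain for 10.0.0.5: GET decoy-adult.example, GET milliption.gdn, POST milliption.gdn, GET temp.levvi.com, with both a Flash object and a binary served afterwards, so the verdict is "payload delivered" and the host should be pulled for the %TEMP% executables. The unrelated 10.0.0.9 request produces nothing. Note that the walk stops as soon as a request carries no Referer, so a gate reached via a redirect that strips the header will show the gate, not the decoy site, as the origin.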

Additional IOCs

Network:

  • 62.75.195.128 – milliption.gdn – Fake ad domain
  • 92.53.104.78 – temp.levvi.com – RIG EK

[Image: traffic capture (edited)]

Hashes:

SHA256: 14be41a97b8d0b4cb626f1a659ba895847436e68721a8119e7ddd05b6cd3d69d
File name: RIG EK Flash Exploit.swf

SHA256: 14fcca3094cef0d5bff90a09eca427ff3975ed15265d46207c2e8b124619df62
File name: 06amrddi.exe and m73hwg6i.exe
Hybrid-Analysis Report
DeepViz Report

Download Artifacts (password is the same word used by other EK researchers):

Malicious Artifacts.zip

References:
https://blog.malwarebytes.com/cybercrime/exploits/2016/11/the-hookads-malvertising-campaign/

malwarebreakdown
