EITest Leads to RIG EK at 92.53.124.144 and Drops Dreambot

IOCs

Network:

  • 104.27.179.62 – thelifestyle.guru – Compromised website
  • 92.53.124.144 – free.fabuloussatchi.com – RIG EK
  • 91.121.251.22 – GET /images/[removed]/.avi – CnC Beacon
  • 91.121.251.22 – GET /tor/t64.dll – Tor module
    • The User-Agent string used during the callback is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), which is the identifier for IE 8
  • 37.48.122.26 – curlmyip.net – Used to identify the host external IP address
  • DNS queries to:
    • resolver1.opendns.com
    • 222.222.67.208.in-addr.arpa
    • nod32s.com
    • myip.opendns.com

File System:

  • Downloader is dropped and executed in %TEMP%
  • Payload is dropped and executed in %TEMP%
  • The malware is copied to %APPDATA% via C:\Users\[User]\AppData\Roaming\catskend\docpDump.exe
  • Tor client is dropped in %TEMP% and is using the pattern [A-F0-9]{4}.bin as the filename and is 3,088 KB
  • cached-microdescs is created in %APPDATA%, which is used by the Tor client

Registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • When the Tor client is retrieved we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\[random GUID]

Process Activity:

Process tree

Hashes:

SHA256: 8411ffb402372f51fbcc5f4d80f23eaf79871650d5cbbac8597c3667a49870b6
File name: Flash Exploit.swf

SHA256: 3c206e33e3ac1a3efb09f6225a60bae7c7c3cbaf095035ee48131a27c3e4e63b
File name: o32.tmp

SHA256: cad48968802d933e1ef7a346c8112b6c919d521227121e126360e26d95626793
File name: h00czx4n.exe
Hybrid-Analysis Report
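As an added example (not part of the original post), the network and file-system indicators above turned into a small Python matcher: it checks constructed, tab-separated proxy records (host, URI, User-Agent, an assumed format) for the Dreambot beacon and Tor-module fetches, and checks %TEMP% file names against the `[A-F0-9]{4}.bin` / 3,088 KB pattern of the dropped Tor client.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the post: RIG EK host, CnC/Tor host and the external-IP lookup.
IOC_HOSTS = {"92.53.124.144", "free.fabuloussatchi.com", "91.121.251.22", "curlmyip.net"}
# CnC beacon path (/images/<removed>/.avi) and the Tor module download.
IOC_URI_RE = re.compile(r"^/images/[^ ]+/\.avi$|^/tor/t64\.dll$")
# Hard-coded IE 8 UA seen on the callback; a weak indicator on its own, so it is
# only reported alongside the host/URI matches rather than used alone.
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
# Dropped Tor client: four hex chars + .bin, about 3,088 KB (NTFS names are case-insensitive).
TOR_BIN_RE = re.compile(r"^[A-F0-9]{4}\.bin$", re.IGNORECASE)
TOR_BIN_SIZE_KB = 3088


def check_proxy_record(record):
    """Return the indicator names matched by one 'host\\turi\\tuser-agent' record."""
    host, uri, ua = record.rstrip("\n").split("\t", 2)
    hits = []
    if host in IOC_HOSTS:
        hits.append("ioc-host:" + host)
    if IOC_URI_RE.match(uri):
        hits.append("dreambot-uri")
    if ua == BEACON_UA:
        hits.append("beacon-ua")
    return hits


def scan_proxy_log(records):
    """Return (index, hits) for every record that matched at least one indicator."""
    return [(i, h) for i, r in enumerate(records) for h in [check_proxy_record(r)] if h]


def is_dropped_tor_client(path, size_bytes, tolerance_kb=16):
    """True when a %TEMP% file matches the Tor client name pattern and reported size."""
    name = PureWindowsPath(path).name
    return bool(TOR_BIN_RE.match(name)) and abs(size_bytes / 1024 - TOR_BIN_SIZE_KB) <= tolerance_kb


# Constructed sample records for a stand-alone run (not captured traffic).
SAMPLE_LOG = [
    "91.121.251.22\t/images/abc123/.avi\t" + BEACON_UA,
    "91.121.251.22\t/tor/t64.dll\t" + BEACON_UA,
    "curlmyip.net\t/\t" + BEACON_UA,
    "example.com\t/index.html\tMozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/45.0",
]

if __name__ == "__main__":
    for idx, hits in scan_proxy_log(SAMPLE_LOG):
        print(idx, hits)
    print(is_dropped_tor_client(r"C:\Users\User\AppData\Local\Temp\3A7F.bin", 3088 * 1024))
```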

Infection chain

This was a typical EITest to RIG exploit kit infection chain. Below is the image of the injected script on the compromised website:

EITest

Shout-out to my friend @nao_sec for finding the website

The injected script contains the URL for the RIG exploit kit landing page. In this infection chain I also got two identical payloads. Below is an image of the traffic showing the infection chain:

Traffic

Below are some images of the changes to the registry as well as files that were created by the malware:

Artifacts for download (password is “infected”):

Malicious Artifacts.zip

The sample can be downloaded from the Hybrid-Analysis report.

Until next time!
