Good Man Gate Leads to RIG EK, Drops ZeusVM (KINS)

IOCs

Network:

  • 188.215.92.104 – hurtmehard.net – Good Man gate
  • 86.106.131.120 – bestdoosales.club – RIG exploit kit
  • 185.100.87.161 – badlywantyou.top – GET /smk/config.jpg – ZeusVM config URL
  • 185.100.87.161 – badlywantyou.top – POST /smk/gate.php – ZeusVM dropzone URL
  • 77.88.55.88 – yandex.ru – Connectivity check

File System:

  • o32.tmp is dropped and executed in %TEMP% (self-deletes)
  • The payload q2tlgu9t.exe is dropped and executed in %TEMP% (self-deletes)
  • Folder created in %TEMP% using the pattern [a-zA-Z0-9]{6,7}\.tmp contains System.dll
  • The payload copies itself to %APPDATA% in randomly named folders

Registry:

  • Entries created in HKCU\Software\Microsoft\
  • Each folder has numerous REG_BINARY values

Hashes:

SHA256: 1b9bf35a6662775e538f01738c1f6c94a35481192b63d2229030526d8c3f39f9
File name: Flash Exploit.swf

SHA256: b7e2ac891a8e524668261b149515ccb0105655f1bcb5c8ad72a3fb78de2d02d3
File name: o32.tmp

SHA256: 035a56f1bfa148bf58d48971aa9b71d8cbd78dd5a54055d4caf0a8b4d8c14de6
File name: qwjh89ks.exe
Hybrid-Analysis Report

SHA256: ec93953304bda318b4f6e2f0fae9d619bcb60679a874d977721d033ec3649398
File name: Archimedes.dll

SHA256: 2b57b0cfa09d86f2e7da17998c4890e5ab8069178211fddf304b53c7f1e6cb1e
File name: uloxg.exe
Hybrid-Analysis Report

Infection Chain

The infection chain starts off with visiting a Good Man gate. In this infection chain I used the Good Man gate hurtmehard[.]net. For those of you that don’t know I discovered gates being used to redirect users to various exploit kits on January 20th, 2017. I called them Good Man gates because the registrant name and email had “good man” in them.

They have added 3 more domains since my last post on Good Man:

Good Man Domains Registrant Email Registered Expires
n1shop.net.in goodmandilaltain@gmail.com 3/31/2017 3/31/2018
adobeflashpayer.net.in goodmandilaltain@gmail.com 3/29/2017 3/29/2018
sipasalar.net.in goodmandilaltain@gmail.com 3/24/2017 3/24/2018

There is already evidence that these domains are being used for malicious purposes. You can read more about the Good Man gates HERE.

Below is the infection chain captured by Wireshark:

Traffic

Hurtmehard[.]net auto refreshed 3 times. That is why you’re seeing 3 different infection chains. This is also why you’ll see multiple files created by the three same payloads later on in this post.

Injected in hurtmehard[.]net is the following script:

Goodman iframe

Inside the script is an iframe containing the URL for the RIG exploit kit landing page.

The host is then redirected to the landing page and is eventually sent the malware payload. The payload is dropped into %TEMP% and executed:

Temp

You’ll notice that the only one payload in %TEMP% is q2tlgu9t.exe; however, I only kept one sample out of the many that I got. The multiple malware payloads caused the numerous .tmp folders to be created in %TEMP%.

The malware copies itself to %APPDATA%:

AppData

Again, there are multiple files created in %APPDATA% because of the multiple payloads I received as a result of the gate refreshing numerous times. Here are some of the files:

And here are some entries found in HKCU\Software\Microsoft:

Registry 1Reigstry 2Registry 3

We then see a connectivity check using yandex.ru, followed by the ZeusVM C&C activity:

  • badlywantyou.top/smk/config.jpg
  • badlywantyou.top/smk/gate.php
ZeuS C&C: badlywantyou.top
Malware: VMZeuS
IP address: 185.100.87.161
Host status: online
Uptime: 01:24:05
Hostname: n/a
SBL: SBL338948
AS number: 200651
AS name: FLOKINET, RO
Country: - Romania (RO)
Level: 4 (Unknown / not categorized)
Sponsoring registrar: n/a
Nameserver(s): n/a
Date added: 2017-04-03
Last checked: 2017-04-03
Last updated: never
BL status: This host is being published on the ZeuS Blocklist!

ZeuS ConfigURLs on this C&C:

Date added ConfigURL Status V Filesize MD5 hash HTTP Status File download
2017-04-03 badlywantyou.top/smk/config.jpg online 2 179’337 31ac27b2e7cc24f506953febcb6e4098 200 - ZeuS_config

ZeuS DropURLs (Dropzones) on this C&C:

Date added DropURL Status HTTP Status
2017-04-03 badlywantyou.top/smk/gate.php online 200

ZeusVM uses steganography (the practice of concealing a file, message, image, or video within another file, message, image, or video) to hide the configuration code which is embedded in the JPG file:

jpeg

We then see POST requests to /smk/gate.php. The C&C domain is being hosted at 185.100.87.161. Here is the login panel for the C&C domain:

ZuesVM login

The Whois information for badlywantyou.top is shown below:

WHOIS Server www[.]eranet[.]com
Registrar Eranet International Limited
Email kentgitan732@mail.ru
Name john alex
Organization NA
Phone 00380662963886
NameServers ns7.01isp.com
ns8.01isp.net

I found only 2 domains using that registrant email:

Domain Registrant Email Registered Expires
whoareyoume.top kentgitan732@mail.ru 3/26/2017 3/26/2018
badlywantyou.top kentgitan732@mail.ru 3/26/2017 3/26/2018

Download the Artifacts (password is infected):

Malicious Artifacts.zip

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: