Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan

On April 5th, 2017, the Twitter user  sent a message to Brad and myself about a malvertising chain using onclkds.com to redirect hosts to RIG exploit kit. Here is the Tweet:

Twitter

I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 194.58.38.64 as my referer. Here is the traffic from my run:

Traffic

This tactic proved to be successful as I was redirected from the server to a RIG exploit kit landing page being hosted at the subdomain help.csrabearing.com (185.159.128.228):

File returns with an iframe
Figure 1

As you can see from the TCP stream the GET request for flow339.php returned an iframe containing a URL for a RIG exploit kit landing page. It also contained the following string at the very bottom:

If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html

More on this string later….

The host is then sent the Flash exploit and the malware payload. The malware payload was dropped and executed in %TEMP%. Below is an image of multiple malware payloads (I received numerous identical payloads as the page refreshed itself numerous times):

TEMP

The malware copies itself to AppData and creates some .log files:

It also creates a .log file in ProgramData (64 characters):

We also see it modify and set some values in the registry:

Access type: "SETVAL"; Path: HKCU\Software\AppDataLow\[GUID]"; Key "Client"; Value: [GUID]

Access type: "SETVAL"; Path: "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"; Key: "LbdUpnlo"; Value: "%LOCALAPPDATA%\duoibyaa\lbdupnlo.exe"

Access type: "SETVAL"; Path: "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"; Key: "UwuAwwru"; Value: "%TEMP%\uwuawwru.exe"

Access type: "SETVAL"; Path: "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"; Key: "Userinit"; Value: "%WINDIR%\system32\userinit.exe,%TEMP%\uwuawwru.exe,%LOCALAPPDATA%\duoibyaa\lbdupnlo.exe"

It also writes to a start menu file:

%APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Processes from the Hybrid-Analysis report:

Processes

The various file system and registry IOCs confirmed that the malware payload was Ramnit banking Trojan.

I then decided to do some additional digging to see if I could figure out what campaign this was coming from. That is when I found an article written on March 21st, 2017, by  over at Malwarebytes Labs. The article was entitled “Canada and the U.K. hit by Ramnit Trojan in new malvertising campaign” and in the article Jérôme talked about malvertising activity originating from various adult websites.

Jérôme also mentioned that their honeypot caught Ramnit payloads coming from this malvertising campaign. An interesting note about their investigation is that they documented TDSs (Traffic Distribution System) being used in this malvertising campaign.

Below is an image from Jérôme’s post on March 21st, 2017:

Malwarebytes post from Jerome
Figure 2

You’ll notice that their Fiddler session captures the same exact string that I discussed earlier in the post. For example, you’ll see “If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html” at the bottom of the image. The traffic and payload (Ramnit) seems to match the campaign that they discovered.

BroadAnalysis had also sent me a DM with a link to an article entitled “Seamless Campaign Delivers Ramnit via Rig EK.” The article is written by Andrea Scarfo, , and Matt Foley over at the Cisco Umbrella blog. They’re calling it the “Seamless” campaign due to that word being used in the response from the gate (see Figure 1 and Figure 2). Just like with Malwarebytes they too found that this campaign was heavily targeting Canadian hosts and dropping Ramnit banking malware as its payload.

Further reconnaissance showed that there were numerous open ports on 194.58.38.64:

21/TCP – Open – FTP: ProFTPD
22/TCP – Open – SSH: OpenSSH 5.3 (protocol 2.0)
25/TCP – Open – SMTP: Exim SMTPD 4.89
53/TCP –  Open – DNS
80/TCP – Open – HTTP: nginx 1.10.2
110/TCP – Open – POP3: Dovecot POP3D
143/TCP – Open – IMAP: Dovecot IMAPD
465/TCP  Open – SSL/SMTP: Exim SMTPD 4.89
587/TCP – Open – SMTP: Exim SMTPD 4.89
993/TCP – Open – SSL/IMAP: Dovecot IMAPD
995/TCP – Open – SSL/POP3: Dovecot POP3D
1500/TCP – Open – ISPmanager
3306/TCP – open – MySQL

It looks as though they’re using ISPManager to manage the web server:

ISP Manager Login
ISPManager provides a feature set for managing websites, creating users, handling domains, emails, databases, etc.
Post-Infection Traffic

Upon execution of the malware payload the host made numerous DNS queries:

Domain Address Country
fbtsotbs.com
npcvnorvyhelagx.com 87.106.190.153 Germany
mrthpcokvjc.com
notalyyj.com 185.118.66.84 Russian Federation
ctiprlgcxftdsaiqvk.com
aofmfaoc.com 34.194.213.50 United States
wgwuhauaqcrx.com 87.106.190.153 Germany
fkqrjsghoradylfslg.com
doisafjsnbjesfbejfbkjsej88.com
bheabfdfug.com 185.156.179.126 Russian Federation
sinjydtrv.com

The malware then used the following Port/Protocol to contact these hosts:

IP Address Port Protocol Domain Country
185.156.179.126 443 TCP bheabfdfug.com Russian Federation
34.194.213.50 443 TCP aofmfaoc.com United States
87.106.190.153 443 TCP wgwuhauaqcrx.com Germany
185.118.66.84 443 TCP notalyyj.com Russian Federation

These events triggered the following rules on my IDS:

  • ET TROJAN Win32/Ramnit Checkin
  • MALWARE-CNC Win.Trojan.Ramnit variant outbound detected

I then found my infected host making A LOT of ARP requests to IP addresses in its subnet. This traffic was followed by even more connection requests to host in the private address spaces via TCP port 110 (POP3). The POP3 request caused the following ET rule to trigger:

  • ET SCAN Rapid POP3 Connections – Possible Brute Force Attack

There was also another ET rule that triggered:

  • ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection

You will find the hashes for the files below, as well as the malicious artifacts which are zipped and password protected with “infected”. The malware samples can be downloaded from the Hybrid-Analysis reports.

Hashes

SHA256: f5be3eb33c9b6759f3609da0240920184154907f6950e9d885bdf1fd96340e15
File name: RigEK Flash Exploit.swf

SHA256: 702d95d12d03be87d49d15714d221c7019ff48bc96a60b03e893bb55849ff272
File name: o32.tmp

SHA256: 3245c8670600513626941cca7a8ceb56acdda3905524100a2815ee8c9d358c1c
File name: ldzquze7.exe
Hybrid-Analysis Report

SHA256: c823183b49148e7e60d84142ccefc8fe16fe44bec94d5eabdbd623c65cdaff8c
File name: ldzquze7.exe (Ramnit)
Hybrid-Analysis Report

Malicious Artifacts (Flash Exploit and Landing Page)

Malicious Artifacts.zip

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: