RIG EK at 92.53.119.66 Drops Dreambot

IOCs

HTTP Traffic:

  • 80.77.82.41 – guerritor.info – Gate (fake ad domain)
  • 92.53.119.66 – new.ibconsultants.net – RIG EK
  • 158.69.176.173 – Dreambot post-infection traffic

DNS Queries:

  • ip-addr.es
  • resolver1.opendns.com
  • 222.222.67.208.in-addr.arpa
  • myip.opendns.com

There is also post-infection Tor traffic via TCP port 9001 and 443.

Traffic:

Traffic

Hashes:

SHA256: 3d44a6f79e6fe3eb21a7afac7e5b71b0c611bff547838fac0862aafa4bd90c16
File name: guerritor.info banners uaps.txt

SHA256: 98755080b844dc5c09c509a12eeb8955aa26408b3d0b0677ed65b799b92032e0
File name: new.ibconsultants.net RIG EK landing page.txt

SHA256: 81549d2ea47649a750bd4fc6e7be0b971c3fc6711a31af2f77ba437218ff63d1
File name: RIG EK Flash Exploit.swf

SHA256: ca287ec67041c47a2220c828ad0b020523f56450b5671b4443dcf2fc8bb5563a
File name: js1jq4ly.exe

SHA256: f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
File name: t64.dll

Infection Chain

The infection chain started off with a decoy site that contained an iframe pointing to the URL guerritor.info/banners/uaps?. Typically a user would be redirected to these decoy sites through malvertising.

The GET request for guerritor.info/banners/uaps? returns a version of RIG’s pre-landing page. This pre-landing page contains script that fingerprints the system as well as the URL for the RIG exploit kit landing page. Below is an snippet of the pre-landing page:

pre-landing page

If everything checks out the script tells the host to make a POST request for the landing page.

After the Flash exploit is when the malware payload is dropped and executed in %Temp%:

Temp

The executable js1jq4ly.exe is copied over to C:\Users\<User>\AppData\Roaming\catskend\ as docpDump.exe:

The bot checks-in with the CnC server at 158.69.176.173/images/[removed]/.avi. We then see the GET request for the Tor client currently being hosted at 158.69.176.173/tor/t64.dll. The server will return /tor/t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.

When the Tor client is retrieved from 158.69.176.173 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\<random GUID>:

Reg1

This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was F464.bin (3,088 KB).

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

Persistence used at HKCU\Software\Microsoft\Windows\CurrentVersion\Run:

Reg2

For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

I’ve uploaded the malicious artifacts (pre-landing page, RIG exploit landing page and the Flash expoit):

Malicious Artifacts.zip (password is “infected”)

As always I recommend blocking the nasty stuff at your perimeter firewall(s). Until next time!

  1. […] that redirected to a fake ad domain. Such gates have been detailed by other researchers such as Malware Breakdown. They contain a pre-landing page which further filters out unwanted visitors before the Rig EK […]

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: