Seamless Malvertising Campaign Leads to RIG EK at 185.154.53.33 and Drops Ramnit

IOCs

HTTP Traffic:

  • 185.31.160.55 – GET /flow339.php – Seamless campaign redirector
  • 185.154.53.33 – new.cloudarchieve.com – RIG EK

(screenshot: HTTP traffic)

DNS Queries:


(screenshot: DNS queries)

Post-infection traffic via TCP port 443:

Filtered Traffic:

(screenshot: filtered post-infection traffic)

Hashes:

SHA256: 059335a3470680fb7b959a8ed8f8a487376382011a22fbc8ebfee6fed837e986
File name: flow339.php.txt

SHA256: 3624e48df3d08146e2a80a47684fdd2c8475ff6b55fceeb47b637a542ba4af50
File name: new.cloudarchieve.com RIG EK landing page.txt

SHA256: ac1f66aeef43044139d5a50dbc1b06b8c0603edcbe9f9f7ec616ce4686d5e40c
File name: new.cloudarchieve.com RIG EK Flash exploit.swf

SHA256: c3c891c779abc432a9b8fd056af3acedf0d8773ddfa2d4535c150fafc108c58c
File name: o32.tmp

SHA256: 099dcb12acae191a9692f739b366fe245a01c0dc267dc512544c638d3cb6d1da
File name: dwjkhvua.exe

SHA256: 8cd46d3397ef9e2ab0ef4a37042bef4f89901150739388b3af2511119b2e46c6
File name: tyifmdpx.exe – Hybrid-Analysis Report

Infection Chain

I was redirected from 185.31.160[.]55/flow335.php to a RIG exploit kit landing page being hosted at new.cloudarchieve.com (resolved to 185.154.53.33):

(screenshot: Seamless redirect)

As you can see from the TCP stream, the GET request for flow335.php returned an iframe containing the URL of a RIG exploit kit landing page. The response also contained the following string at the very bottom:

If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html

The host is then sent the Flash exploit and the malware payload. The malware payload was dropped and executed in %Temp%:

(screenshot: %Temp%)

The malware copies itself to %AppData% and creates some .log files:

It also creates a .log file in ProgramData (64 characters):

We also see it modify and set some values in the registry:

  • HKCU\Software\AppDataLow\[GUID]
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

It also writes to a start menu file:

I found my infected host making A LOT of ARP requests to IP addresses in its subnet. This traffic was followed by even more connection requests to hosts in private address space via TCP port 110 (POP3). The POP3 requests caused the following ET rule to trigger:

  • ET SCAN Rapid POP3 Connections – Possible Brute Force Attack

There was also another ET rule that triggered:

  • ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
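
Added example, not code from the original post: a small detector over constructed Zeek-style connection records that flags the two behaviours the ET alerts above caught, one internal host opening rapid TCP/110 connections to many neighbouring private addresses, and the same host touching TCP/139. The log lines, the threshold and the window length are assumptions of mine, not the ET rules' real parameters.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address
POP3_THRESHOLD = 10   # distinct POP3 targets inside one window (assumed value)
WINDOW_SECONDS = 60   # window length in seconds (assumed value)

def parse_conn_line(line):
    """Parse one constructed tab-separated record: ts, src, dst, dport."""
    ts, src, dst, dport = line.rstrip("\n").split("\t")
    return float(ts), src, dst, int(dport)

def detect(lines, threshold=POP3_THRESHOLD, window=WINDOW_SECONDS):
    """Return sorted (alert name, source host) tuples, one per host and type."""
    pop3 = defaultdict(list)   # src -> [(ts, dst)] for TCP/110 into private space
    alerts = set()
    for line in lines:
        ts, src, dst, dport = parse_conn_line(line)
        if not ip_address(dst).is_private:
            continue               # the scanning seen above stayed in RFC 1918 space
        if dport == 110:
            pop3[src].append((ts, dst))
        elif dport == 139:
            alerts.add(("ET SCAN Behavioral Unusual Port 139 traffic", src))
    for src, events in pop3.items():
        events.sort()
        in_window = Counter()      # dst -> connections currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:       # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.add(("ET SCAN Rapid POP3 Connections", src))
                break
    return sorted(alerts)

# Constructed sample: the infected host sweeping neighbours on TCP/110 plus one
# TCP/139 probe, and a benign host polling a single mail server every 5 minutes.
SAMPLE_LOG = [f"{1495036800 + i * 2}\t10.0.0.17\t10.0.0.{i}\t110" for i in range(20, 35)]
SAMPLE_LOG.append("1495036900\t10.0.0.17\t10.0.0.50\t139")
SAMPLE_LOG += [f"{1495036800 + i * 300}\t10.0.0.9\t10.0.0.5\t110" for i in range(12)]
SAMPLE_LOG.append("1495036901\t10.0.0.17\t8.8.8.8\t110")   # public destination, ignored

if __name__ == "__main__":
    for name, host in detect(SAMPLE_LOG):
        print(f"{host}: {name}")
```
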

Malicious Artifacts (password is “infected”):

Seamless Campaign to RIG EK 051717.zip

You can download the malware payload from VirusTotal or Hybrid-Analysis.

Until next time!
