IOCs
Network Traffic:
- 80.77.82.41 – nairolonia.info – Pre-landing page
- 185.154.53.33 – post.divakarshenoy.com – RIG EK
- VirusTotal report showing URLs resolving to 185.154.53.33
- 23.249.162.164 – GET /[Base64-encoded URI string]
- 23.249.162.164 – GET /yor8Vzpo75Y9b1f1pri/[random numbers].zip – LatentBot modules
- 23.249.162.164 – POST /web/?ACTION=HELLO
- 23.249.162.164 – POST /web/?ACTION=START&ID=[32 alphanumeric character ID]
- 23.249.162.164 – POST /web/?ID=[32 alphanumeric character ID]
- 23.249.162.164 – POST /test.php
Hashes:
SHA256: c013ce60d5e4fa486ecdca7c2b27b36189f07a324d0d402ee8015c726a7a0125
File name: nairolonia.info.txt
SHA256: 5627c8e76f5f8f2925bdc1c5c939b3d5f8919719c80ab1038e5b273e6d461715
File name: post.divakarshenoy.com RIG EK landing page.txt
SHA256: ac1f66aeef43044139d5a50dbc1b06b8c0603edcbe9f9f7ec616ce4686d5e40c
File name: post.divakarshenoy.com RIG EK Flash exploit.swf
SHA256: c3c891c779abc432a9b8fd056af3acedf0d8773ddfa2d4535c150fafc108c58c
File name: o32.tmp
SHA256: 3c521835246f9534f4c49c007972ba5be1316d4aa3ae354ec8c01290e3ed55a3
File name: 2oggf3ch.exe
Hybrid-Analysis Report
Infection Chain
This infection chain began with a visit to a decoy site used by the HookAds malvertising campaign. The decoy site uses an anti-Adblock solution for image banners and popunders; that solution consists of a frontend script and a backend script (frontend_loader.js and backend_loader.php) which must be hosted on the site's own server.
The decoy site contains script for popunders:
The decoy site also contained a call for /popunder.php:
The PHP file located at the relative path returned the following script:
The function is then called to write an iframe into a new DOM object. The iframe is built from the “PopUnderURL” (nairolonia.info), statically defined dimensions for the injected iframe, and the location of the resource at “nairolonia[.]info/banners/uaps?”.
nairolonia[.]info/banners/uaps? returns RIG’s pre-landing page:
You can see from the partial image above that the pre-landing page contains the URL for the RIG exploit kit landing page.
File System
During this infection the payload was dropped in %Temp% and was then copied to AppData\Local\Microsoft\Windows:
Registry used for persistence:
There is a detailed report on LatentBot from FireEye which can be found HERE. The report shows that the .ZIP files fetched by the GET requests are actually modules pretending to be ZIP files. These files contain encoded data that is saved into the following subkeys located at HKCU\Software\Google\Update\network\secure:
- FtUFJu5xP3C = Formgrabber (steals user-typed form data)
- hdtWD3zyxMpSQB = Bot_Engine (base module)
- l551X+rNDh3B4A =
- QdG8eO0qHI8/Y1G = Send_report
- QdW/DoI2F9J = Security (searches for AV software and tools)
- RRrIibQs+WzRVv5B+9iIys+17huxID = Remote_desktop_service (allows remote access to the victim’s machine via RDP)
- VRWVBM6UtH6F+7UcwkBKPB = Vnc_hide_desktop
- w97grmO = Socks
- ZRlBb9ofmNVErtdu = Pony_Stealer
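Because the module downloads above are served with a .zip name but are not real archives, a simple triage check is to compare a download's claimed extension with its file signature and measure its entropy. The following is an added example written for this post, not code from the original analysis or from FireEye; the two sample blobs are constructed here and are not real LatentBot modules.

```python
import math
from collections import Counter

# Constructed sample downloads (not real modules): a minimal genuine ZIP
# local-file header, and an opaque 256-byte blob served under a .zip name.
SAMPLES = {
    "123456.zip": b"PK\x03\x04" + bytes(26) + b"a.txt" + b"hello",
    "987654.zip": bytes((i * 73 + 41) % 256 for i in range(256)),
}

# The three signatures a ZIP container can legitimately start with:
# local file header, end-of-central-directory (empty archive), spanned archive.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def looks_like_zip(data: bytes) -> bool:
    """True when the first four bytes carry a ZIP signature."""
    return data[:4] in ZIP_MAGICS


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encoded or encrypted blobs sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_download(name: str, data: bytes) -> str:
    """Label a download as 'masquerade' when the .zip name is not backed by a
    ZIP signature, otherwise 'consistent'."""
    if name.lower().endswith(".zip") and not looks_like_zip(data):
        return "masquerade"
    return "consistent"


def triage(samples: dict) -> dict:
    """Return {name: (verdict, entropy)} for every sample download."""
    return {
        name: (classify_download(name, data), round(shannon_entropy(data), 2))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (verdict, entropy) in triage(SAMPLES).items():
        print(f"{name}: {verdict} (entropy {entropy})")
```

A real ZIP of encoded content will still pass the signature check, so this is a cheap first filter for hunting over proxy download logs, not a substitute for unpacking the module as the FireEye report does.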
CERT.pl wrote a detailed analysis of LatentBot and these modules (translated to English):
Additional registry entries:
The C2 traffic generated by LatentBot triggered the following ET alerts:
- ET TROJAN Win32/Hyteod CnC Beacon
- ET POLICY HTTP traffic on port 443 (POST)
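The ET signatures above key on the beacon format and on cleartext HTTP over port 443. The same two observations can be turned into a log-side check: the script below scans reconstructed HTTP request lines for the LatentBot URI shapes listed in the IOC section (the module download path, ACTION=HELLO, ACTION=START with a 32-character ID, the bare ID check-in and /test.php) and for any cleartext POST to port 443. This is an added example written for this post, not an ET rule or code from the original; the log format and the sample lines are constructed, and it assumes the log holds only cleartext HTTP requests, so a port-443 entry is by definition plaintext.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the IOC list of this post.
C2_HOST = "23.249.162.164"
ID32 = r"[A-Za-z0-9]{32}"
C2_PATTERNS = [
    ("latentbot-module-download", "GET", re.compile(r"^/yor8Vzpo75Y9b1f1pri/\d+\.zip$")),
    ("latentbot-hello", "POST", re.compile(r"^/web/\?ACTION=HELLO$")),
    ("latentbot-start", "POST", re.compile(rf"^/web/\?ACTION=START&ID={ID32}$")),
    ("latentbot-checkin", "POST", re.compile(rf"^/web/\?ID={ID32}$")),
    ("latentbot-test-php", "POST", re.compile(r"^/test\.php$")),
]

# Constructed log lines (not a real capture) in a simple assumed format:
# <time> <src_ip> <dst_ip>:<dst_port> <method> <uri>
SAMPLE_LOG = """\
12:00:01 10.0.0.5 23.249.162.164:80 GET /yor8Vzpo75Y9b1f1pri/1234567890.zip
12:00:02 10.0.0.5 23.249.162.164:80 POST /web/?ACTION=HELLO
12:00:03 10.0.0.5 23.249.162.164:443 POST /web/?ACTION=START&ID=0123456789abcdef0123456789ABCDEF
12:00:04 10.0.0.5 23.249.162.164:443 POST /web/?ID=0123456789abcdef0123456789ABCDEF
12:00:05 10.0.0.5 192.0.2.10:80 GET /index.html
12:00:06 10.0.0.5 23.249.162.164:80 POST /web/?ID=tooshort
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (GET|POST) (\S+)$")


def match_c2(method: str, uri: str) -> Optional[str]:
    """Return the name of the first LatentBot URI pattern that matches, else None."""
    for name, pat_method, pat in C2_PATTERNS:
        if method == pat_method and pat.match(uri):
            return name
    return None


def scan_log(text: str) -> List[Dict]:
    """Evaluate every request line and return the ones that fire at least one rule."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _time, _src, dst, port, method, uri = m.groups()
        rules = []
        if dst == C2_HOST:
            rules.append("known-c2-ip")          # direct hit on the listed C2 address
        pattern_hit = match_c2(method, uri)
        if pattern_hit:
            rules.append(pattern_hit)            # beacon shape, independent of the IP
        if port == "443" and method == "POST":
            rules.append("plain-http-on-443")    # mirrors the ET POLICY alert
        if rules:
            hits.append({"line": line_no, "dst": dst, "uri": uri, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['dst']} {hit['uri']} -> {', '.join(hit['rules'])}")
```

The URI patterns are kept separate from the IP match on purpose: the address will rotate, while the /web/?ACTION= beacon shape is what the ET TROJAN signature is actually keyed on.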
Malicious Artifacts (password is “infected”)
Until next time!