HookAds Malvertising Campaign Leads to RIG EK at 185.154.53.33, Drops LatentBot

IOCs

Network Traffic:

  • 80.77.82.41 – nairolonia.info – Pre-landing page
  • 185.154.53.33 – post.divakarshenoy.com – RIG EK
  • 23.249.162.164 – GET /Base64 encoded URI string
  • 23.249.162.164 – GET /yor8Vzpo75Y9b1f1pri/[random numbers].zip – LatentBot modules
  • 23.249.162.164 – POST /web/?ACTION=HELLO
  • 23.249.162.164 – POST /web/?ACTION=START&ID=[32 alphanumeric character ID]
  • 23.249.162.164 – POST /web/?ID=[32 alphanumeric character ID]
  • 23.249.162.164 – POST /test.php

[Image: network traffic capture (edited)]

Hashes:

SHA256: c013ce60d5e4fa486ecdca7c2b27b36189f07a324d0d402ee8015c726a7a0125
File name: nairolonia.info.txt

SHA256: 5627c8e76f5f8f2925bdc1c5c939b3d5f8919719c80ab1038e5b273e6d461715
File name: post.divakarshenoy.com RIG EK landing page.txt

SHA256: ac1f66aeef43044139d5a50dbc1b06b8c0603edcbe9f9f7ec616ce4686d5e40c
File name: post.divakarshenoy.com RIG EK Flash exploit.swf

SHA256: c3c891c779abc432a9b8fd056af3acedf0d8773ddfa2d4535c150fafc108c58c
File name: o32.tmp

SHA256: 3c521835246f9534f4c49c007972ba5be1316d4aa3ae354ec8c01290e3ed55a3
File name: 2oggf3ch.exe
Hybrid-Analysis Report

Infection Chain

This infection chain began with me visiting a decoy site used by the HookAds malvertising campaign. The decoy site is using an anti-Adblock solution for image banners and popunders. This anti-Adblock solution uses frontend and backend scripts (frontend_loader.js and backend_loader.php) that have to be hosted on the server.

[Image: anti-Adblock script, part 1 (edited)]

[Image: anti-Adblock script, part 2 (edited)]

The decoy site contains a script for popunders:

[Image: popunder script on the decoy site (edited)]

The decoy site also contained a call for /popunder.php:

[Image: call to /popunder.php in the decoy site source]

The PHP file located at the relative path returned the following script:

[Image: script returned by /popunder.php]

The function is then invoked to write an iframe into a new DOM element. The iframe carries the “PopUnderURL” (nairolonia.info), statically defined dimensions for the injected frame, and the location of the resource at “nairolonia[.]info/banners/uaps?”.

nairolonia[.]info/banners/uaps? returns RIG’s pre-landing page:

[Image: RIG pre-landing page (partial)]

You can see from the partial image above that the pre-landing page contains the URL for the RIG exploit kit landing page.

File System

During this infection the payload was dropped in %Temp% and was then copied to AppData\Local\Microsof\Windows:

[Image: dropped payload in %Temp%]

[Image: copy of the payload in AppData\Local\Microsof\Windows]

Registry used for persistence:

[Image: registry value used for persistence]

There is a detailed report on LatentBot from FireEye which can be found HERE. The report shows that the GET requests for the .ZIP files actually retrieve bot modules masquerading as ZIP files. These files contain encoded data that is saved into the following subkeys located at HKCU\Software\Google\Update\network\secure:

[Image: module subkeys under HKCU\Software\Google\Update\network\secure]

  1. FtUFJu5xP3C = Formgrabber (steals user-typed data in forms)
  2. hdtWD3zyxMpSQB = Bot_Engine (base module)
  3. l551X+rNDh3B4A =
  4. QdG8eO0qHI8/Y1G = Send_report
  5. QdW/DoI2F9J = Security (searches for AV software and tools)
  6. RRrIibQs+WzRVv5B+9iIys+17huxID = Remote_desktop_service (allows remote access to the victim’s machine via RDP)
  7. VRWVBM6UtH6F+7UcwkBKPB = Vnc_hide_desktop
  8. w97grmO = Socks
  9. ZRlBb9ofmNVErtdu = Pony_Stealer

Cert.pl wrote a detailed analysis of LatentBot and these modules (translated to English):

https://translate.google.com/translate?hl=en&sl=pl&u=https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/&prev=search

Additional registry entries:

[Image: registry entry]

HKCU\Software\Adobe\Adobe Acrobat

[Image: registry entry]

HKCU\Software\WinRAR

[Image: registry entry]

HKCU\Software\Google\Common\Rlz\Events

The C2 traffic caused by LatentBot generated the following ET alerts:

  • ET TROJAN Win32/Hyteod CnC Beacon
  • ET POLICY HTTP traffic on port 443 (POST)
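As an added detection example (not code from the original post), the following Python script matches proxy log lines against the LatentBot C2 URI shapes listed in the IOC section above; the log format, timestamps and client addresses are constructed for the demo, while the host and URI patterns are the ones observed in this infection.

```python
import re

# Constructed sample proxy log (timestamp, client, method, host, path), modelled
# on the post-infection traffic listed in the IOC section of this write-up.
# Host and URI shapes come from the page; timestamps and client IPs are made up.
SAMPLE_LOG = """\
2017-05-17T10:01:02Z 10.0.0.5 GET 23.249.162.164 /yor8Vzpo75Y9b1f1pri/4827193.zip
2017-05-17T10:01:05Z 10.0.0.5 POST 23.249.162.164 /web/?ACTION=HELLO
2017-05-17T10:01:06Z 10.0.0.5 POST 23.249.162.164 /web/?ACTION=START&ID=0123456789abcdef0123456789ABCDEF
2017-05-17T10:02:00Z 10.0.0.5 POST 23.249.162.164 /web/?ID=0123456789abcdef0123456789ABCDEF
2017-05-17T10:02:30Z 10.0.0.5 POST 23.249.162.164 /test.php
2017-05-17T10:03:00Z 10.0.0.7 GET www.example.com /index.html
2017-05-17T10:03:10Z 10.0.0.7 POST www.example.com /web/?ID=tooshort
"""

# URI patterns taken from the observed C2 traffic. The bot ID is anchored to exactly
# 32 alphanumeric characters; /test.php is left out because on its own it is too generic.
C2_RULES = [
    ("latentbot_module_download", "GET", re.compile(r"^/yor8Vzpo75Y9b1f1pri/\d+\.zip$")),
    ("latentbot_hello", "POST", re.compile(r"^/web/\?ACTION=HELLO$")),
    ("latentbot_start", "POST", re.compile(r"^/web/\?ACTION=START&ID=[A-Za-z0-9]{32}$")),
    ("latentbot_checkin", "POST", re.compile(r"^/web/\?ID=[A-Za-z0-9]{32}$")),
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)

def classify(method, path):
    """Return the name of the first matching C2 rule, or None."""
    for name, rule_method, pattern in C2_RULES:
        if method == rule_method and pattern.match(path):
            return name
    return None

def scan_log(text):
    """Parse each log line and return a list of hits with their rule name."""
    hits = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # malformed line: skip rather than abort the scan
        rule = classify(m["method"], m["path"])
        if rule:
            hits.append({"ts": m["ts"], "src": m["src"], "host": m["host"], "rule": rule})
    return hits

def infected_clients(text):
    # Client IPs with at least one C2 hit, as a starting point for triage
    return sorted({h["src"] for h in scan_log(text)})
```

The anchored 32-character ID keeps the check-in rule from firing on unrelated `/web/?ID=` requests, which is the kind of false positive a bare substring match would produce.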

Malicious Artifacts (password is “infected”)

HookAds RigEK 051717.zip

Until next time!
