HookAds Campaign Leads to RIG EK at 188.227.74.169 and 5.200.52.203, Drops Dreambot

IOCs

HTTP Traffic:

  • Decoy site – GET /popunder.php
  • 80.77.82.41 – goverheast.info – GET /banners/uaps?
  • 80.77.82.41 – recenties.info – GET /banners/uaps? (second run)
  • 188.227.74.169 – set.acceleratehealthcaretransformation.com – RIG EK
  • 5.200.52.203 – set.accumen.info – RIG EK (second run)
  • 144.168.45.144 – GET /images/[removed]/.avi
  • 144.168.45.144 – GET /tor/t64.dll
  • 52.32.183.140 – ipinfo.io – GET /ip

[Image: HTTP traffic]

DNS Queries:

  • ipinfo.io
  • resolver1.opendns.com
  • myip.opendns.com
  • wdwefwefwwfewdefewfwefw.onion

[Image: DNS traffic]

HTTPS Traffic:

[Image: HTTPS traffic]

Additional Post-Infection Traffic:

  • Tor traffic via TCP port 9001 and 443
  • 163.172.215.78 via TCP port 22
  • 62.210.142.39 via TCP port 444
  • 37.187.16.175 via TCP port 8090
  • 192.42.115.102 via TCP port 9004
  • 5.230.137.80 via TCP port 21

Here is another sample submitted to VirusTotal on 2017-05-23 that has similar post-infection traffic (look at the Behavioral Information tab):

https://www.virustotal.com/en/file/75ee4f39fa3fa7d100f64370db1a9918e3a2a2286662a589c69fc68916d97798/analysis/

Hashes:

SHA256: feec9bad0381662e12bcf2c6e5dcb1ba98e852c9d46342f833425a7de20fe884
File name: popunder.php.txt

SHA256: 4d63c81066ee9d7f4d90a9de8f8d2378b7b39e029a5d32b2cdc14fd33acee26d
File name: pre-filter page.txt

SHA256: 15582686f0e76cced06dcece59ab37756b0bfe0e7ee3b4fd60b52a11bd0e6bb6
File name: landing page.txt

SHA256: 8f43aec2986d0705134b6b4af7e745ade1dd48897b95dc7e3844520fa8f9cd18
File name: RIG EK Flash exploit.swf

SHA256: 5f877a85bdf65c2571de02fcbb1439a43624da11274ac2059008a62b8c874843
File name: o32.tmp

SHA256: fcb8b4a36e4327a6f4d228968cdd9838b7a6fc911b438da8feccc437d91ed72b
File name: bclneajk.exe
Hybrid-Analysis Report

SHA256: 74f24a26da3af4ced5d45721ba587d1b42d009c53c93b3d8d80210d952319f77
File name: t64.dll

Infection Chain

This infection chain began with me visiting a decoy site used by the HookAds malvertising campaign. The decoy site's page also issued a request for /popunder.php:

[Image: decoy site source showing the /popunder.php request]

The PHP file located at the relative path returned the following script:

[Image: script returned by popunder.php]

The defined function is then called to write an iframe into a new DOM element. The iframe is built from the “PopUnderURL” (goverheast.info), statically defined dimensions for the injected frame, and the location of the resource at “goverheast[.]info/banners/uaps?”.

goverheast[.]info/banners/uaps? returns RIG’s pre-landing page:

[Image: pre-filter page]

You can see from the partial image above that the pre-landing page contains the URL for the RIG exploit kit landing page.

File System

During this infection the payload was dropped in %Temp% and was then copied to %AppData% in the folder catskend.

The bot checks in with the CnC server at 144.168.45.144/images/[removed]/.avi. We then see the GET request for the Tor client currently being hosted at 144.168.45.144/tor/t64.dll. The server returns t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.
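As an added example (not from the original post), the following Python detection logic maps the HTTP stages of this chain (the /popunder.php call, the /banners/uaps? pre-landing page, the .avi check-in and the /tor/t32.dll or /tor/t64.dll download) onto proxy-style log lines and reports only clients that reached the post-infection stages. The log format and client addresses are constructed for the example; the hostnames and paths come from the IOC list above.

```python
import re
from collections import defaultdict

# Stage name -> request path pattern, taken from the chain described above.
STAGES = [
    ("hookads_popunder", re.compile(r"^/popunder\.php")),
    ("rig_prelanding", re.compile(r"^/banners/uaps\??")),
    ("dreambot_c2_checkin", re.compile(r"^/images/[^/]+/\.avi$")),
    ("dreambot_tor_client", re.compile(r"^/tor/t(32|64)\.dll$")),
    ("external_ip_lookup", re.compile(r"^/ip$")),
]

# The /ip lookup is only meaningful against ipinfo.io (seen in the post);
# any other host requesting /ip is ignored to avoid false positives.
IP_LOOKUP_HOST = "ipinfo.io"

def classify_request(host, path):
    """Return the stage name a single GET matches, or None."""
    for name, pattern in STAGES:
        if pattern.search(path):
            if name == "external_ip_lookup" and host != IP_LOOKUP_HOST:
                return None
            return name
    return None

def find_infection_chains(log_lines):
    """Group matched stages per client (in first-seen order) and keep only
    clients whose traffic reached the C2 check-in or the Tor client download.
    A popunder.php request alone is not evidence of infection."""
    chains = defaultdict(list)
    for line in log_lines:
        client, _method, host, path = line.split()[:4]
        stage = classify_request(host, path)
        if stage and stage not in chains[client]:
            chains[client].append(stage)
    return {c: s for c, s in chains.items()
            if "dreambot_c2_checkin" in s or "dreambot_tor_client" in s}

# Constructed sample log: "client method host path". 10.0.0.5 walks the
# full chain; 10.0.0.9 only hits a popunder and an unrelated /ip path.
SAMPLE_LOG = """\
10.0.0.5 GET decoy.example /popunder.php
10.0.0.5 GET goverheast.info /banners/uaps?
10.0.0.5 GET 144.168.45.144 /images/REMOVED/.avi
10.0.0.5 GET 144.168.45.144 /tor/t64.dll
10.0.0.5 GET ipinfo.io /ip
10.0.0.9 GET news.example /popunder.php
10.0.0.9 GET cdn.example /ip
""".splitlines()

if __name__ == "__main__":
    for client, stages in find_infection_chains(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
```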

When the Tor client is retrieved from 144.168.45.144 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft.

This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin.

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

Persistence used at HKCU\Software\Microsoft\Windows\CurrentVersion\Run:

[Image: Run key registry entry]

I also noticed the creation of extension-less text files in a folder located at C:\Users\[Username]\AppData\Roaming\Microsoft\{random}:

[Image: folder listing of the extension-less text files]

These files contained information being sent to websites. For example, here is the text file that was created when I uploaded o32.tmp to VirusTotal:

[Image: captured text file contents]

Here is another file created when I submitted some fake creds on BoA’s website:

[Image: captured text file contents]

Files

I’ve uploaded some of the malicious artifacts (popunder.php, the pre-landing page, the RIG EK landing page and the Flash exploit):

Malicious Artifacts 053017.zip (password is “infected”)

Additional Resources

For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

As always I recommend blocking the nasty stuff at your perimeter firewall(s). Until next time!
