IOCs
HTTP Traffic:
- Decoy site – GET /popunder.php
- 80.77.82.41 – goverheast.info – GET /banners/uaps?
- 80.77.82.41 – recenties.info – GET /banners/uaps? (second run)
- 188.227.74.169 – set.acceleratehealthcaretransformation.com – RIG EK
- VirusTotal report on 188.227.74.169 (shows full URLs)
- 5.200.52.203 – set.accumen.info – RIG EK (second run)
- VirusTotal report on 5.200.52.203 (shows full URLs)
- 144.168.45.144 – GET /images/[removed]/.avi
- 144.168.45.144 – GET /tor/t64.dll
- 52.32.183.140 – ipinfo.io – GET /ip
DNS Queries:
- ipinfo.io
- resolver1.opendns.com
- myip.opendns.com
- wdwefwefwwfewdefewfwefw.onion
HTTPS Traffic:
Additional Post-Infection Traffic:
- Tor traffic via TCP ports 9001 and 443
- 163.172.215.78 via TCP port 22
- 62.210.142.39 via TCP port 444
- 37.187.16.175 via TCP port 8090
- 192.42.115.102 via TCP port 9004
- 5.230.137.80 via TCP port 21
Here is another sample submitted to VirusTotal on 2017-05-23 that has similar post-infection traffic (look at the Behavioral Information tab):
Hashes:
- SHA256: feec9bad0381662e12bcf2c6e5dcb1ba98e852c9d46342f833425a7de20fe884 – File name: popunder.php.txt
- SHA256: 4d63c81066ee9d7f4d90a9de8f8d2378b7b39e029a5d32b2cdc14fd33acee26d – File name: pre-filter page.txt
- SHA256: 15582686f0e76cced06dcece59ab37756b0bfe0e7ee3b4fd60b52a11bd0e6bb6 – File name: landing page.txt
- SHA256: 8f43aec2986d0705134b6b4af7e745ade1dd48897b95dc7e3844520fa8f9cd18 – File name: RIG EK Flash exploit.swf
- SHA256: 5f877a85bdf65c2571de02fcbb1439a43624da11274ac2059008a62b8c874843 – File name: o32.tmp
- SHA256: fcb8b4a36e4327a6f4d228968cdd9838b7a6fc911b438da8feccc437d91ed72b – File name: bclneajk.exe (Hybrid-Analysis report)
- SHA256: 74f24a26da3af4ced5d45721ba587d1b42d009c53c93b3d8d80210d952319f77 – File name: t64.dll
Infection Chain
This infection chain began with me visiting a decoy site used by the HookAds malvertising campaign. The decoy site also contained a call to /popunder.php:
The PHP file at that relative path returned the following script:
The script's function is then called to write an iframe into a newly created DOM element. It carries the “PopUnderURL” (goverheast.info), statically defined dimensions for the injected iframe, and the location of the resource at “goverheast[.]info/banners/uaps?”.
goverheast[.]info/banners/uaps? returns RIG’s pre-landing page:
You can see from the partial image above that the pre-landing page contains the URL for the RIG exploit kit landing page.
File System
During this infection the payload was dropped in %Temp% and then copied to a folder named catskend under %AppData%:
The bot checks in with the CnC server at 144.168.45.144/images/[removed]/.avi. We then see the GET request for the Tor client, currently hosted at 144.168.45.144/tor/t64.dll. The server returns t64.dll if the host OS is 64-bit and t32.dll if it is 32-bit.
Once the Tor client has been retrieved from 144.168.45.144, the bot creates a registry entry under HKCU\Software\AppDataLow\Software\Microsoft:
This key contains the path to the client, which is dropped in the %Temp% folder with a file name matching the pattern [A-F0-9]{4}.bin.
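As an added example (not part of the original write-up), here is a small Python triage helper that matches proxy-log lines against the network IOCs listed above and the URI shapes described in this section, and checks a registry value's data against the %Temp% [A-F0-9]{4}.bin Tor client path. The log line format, the sample lines and the function names are assumptions; the IPs, domains and URI patterns are the ones from this post.

```python
import re
# Network indicators from the IOC list above (page values, not constructed).
IOC_IPS = {"80.77.82.41", "188.227.74.169", "5.200.52.203", "144.168.45.144"}
IOC_DOMAINS = {"goverheast.info", "recenties.info", "set.accumen.info",
               "set.acceleratehealthcaretransformation.com"}
# URI shapes from the write-up: popunder redirect, bot check-in, Tor client fetch.
URI_PATTERNS = {
    "hookads_uaps": re.compile(r"/banners/uaps\?"),
    "dreambot_checkin": re.compile(r"/images/[^/\s]+/\.avi(\?|$)"),
    "tor_client_fetch": re.compile(r"/tor/t(32|64)\.dll(\?|$)"),
}
# ipinfo.io / myip.opendns.com are legitimate IP-lookup services: too noisy to alert on alone.
CONTEXT_HOSTS = {"ipinfo.io", "myip.opendns.com"}
# Host side: the Tor client path under HKCU\Software\AppDataLow\Software\Microsoft is %Temp%\[A-F0-9]{4}.bin.
TOR_CLIENT_PATH_RE = re.compile(r"\\Temp\\[A-F0-9]{4}\.bin$", re.IGNORECASE)
# Hypothetical proxy-log format: "<ts> <src> -> <dst> <METHOD> <url>".
LINE_RE = re.compile(r"^(\S+) (\S+) -> (?P<dst>\S+) ([A-Z]+) (?P<url>\S+)$")

def classify(line: str) -> list:
    """Return the indicator names a single proxy-log line hits."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url, dst = m.group("url"), m.group("dst")
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    hits = [name for name, pat in URI_PATTERNS.items() if pat.search(url)]
    if dst in IOC_IPS or host in IOC_IPS:
        hits.append("ioc_ip:" + (dst if dst in IOC_IPS else host))
    if host in IOC_DOMAINS:
        hits.append("ioc_domain:" + host)
    if host in CONTEXT_HOSTS:
        hits.append("context:external_ip_lookup")
    return hits

def scan(log: str) -> list:
    """Scan a whole log; return (line, hits) pairs for lines with any hit."""
    return [(l, h) for l in log.splitlines() if (h := classify(l))]

def is_tor_client_registry_value(value: str) -> bool:
    """True if registry value data looks like the dropped Tor client path."""
    return bool(TOR_CLIENT_PATH_RE.search(value))

# Constructed sample log (not captured traffic) using the IOCs from this post.
SAMPLE_LOG = """\
2017-05-30T10:01:02 10.0.0.5 -> 80.77.82.41 GET http://goverheast.info/banners/uaps?
2017-05-30T10:02:10 10.0.0.5 -> 144.168.45.144 GET http://144.168.45.144/images/xyz/.avi
2017-05-30T10:02:12 10.0.0.5 -> 144.168.45.144 GET http://144.168.45.144/tor/t64.dll
2017-05-30T10:02:15 10.0.0.5 -> 52.32.183.140 GET http://ipinfo.io/ip
"""
```

Running scan(SAMPLE_LOG) flags the first three lines on IP, domain or URI shape and reports the ipinfo.io lookup as context only.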
According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.
Persistence is established via HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
I also noticed the creation of extensionless text files in a folder located at C:\Users\[Username]\AppData\Roaming\Microsoft\{random}:
These files contained data captured from the browser as it was being sent to websites. For example, here is the text file that was created when I uploaded o32.tmp to VirusTotal:
Here is another file created when I submitted some fake creds on BoA’s website:
Files
I’ve uploaded some of the malicious artifacts (popunder.php, the pre-landing page, the RIG EK landing page and the Flash exploit):
Malicious Artifacts 053017.zip (password is “infected”)
Additional Resources
For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
As always I recommend blocking the nasty stuff at your perimeter firewall(s). Until next time!