RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK.

On 06/03/17 I stumbled across a malvertising chain that led to RIG exploit kit. What was unusual about this chain was that it also led to a lot of social engineering scams. After some research I discovered that it could be related to the “RoughTed” malvertising campaign. You can read more about RoughTed malvertising at the link below:

The infection chain I ran across showed that the user was trying to watch a soccer (football) match via an online streaming site called The user ended up clicking on a link found on that was pointing to hxxp://

Below is an image that shows the malicious link being hosted on

[Image: Warning edited]

As you can see from the image above, the channel location (hxxp:// was redirecting the user to malicious content. Eventually this channel was detected as malicious and was blocked by Google Safe Browsing. was first registered on 05/17/17.

333sport dot info contains an obfuscated ad-code script used to generate future Amazon S3 URLs. Part of the base64-encoded data decodes to show a subdomain. Malwarebytes Labs documented that these subdomains are frequently the referer for the RoughTed domains. The RoughTed domain that I found in my infection chain was The three URLs I found in my traffic, which were used to confirm it was RoughTed, are as follows:

  • seness[.]info/?&subid=0&pid=1&tid=632723&status=62&v=

was registered using the email address Here are some more RoughTed domains registered under that email address:

RoughTed Domain     Registrant Email     Registration Date
(not recovered)     (not recovered)      9/29/2016
(not recovered)     (not recovered)      9/29/2016
(not recovered)     (not recovered)      9/29/2016
(not recovered)     (not recovered)      9/29/2016
(not recovered)     (not recovered)      9/29/2016

My host was then redirected to, which eventually led to From the host was redirected to h0nap.voluumtrk[.]com/voluum/0fb93bf8-7ecb-4532-b0a4-ffebfd1c9d9d. The server returned a “302 Found” pointing to

[Image: 302 Found]

This is where things get more interesting. The page returned by contained iframes for sennymotial[.]pw/indexz.php and sennymotial[.]pw/index222.php:


Click HERE to view sennymotial[.]pw in its entirety.

sennymotial[.]pw/indexz.php leads to a RIG exploit kit landing page:

[Image: rigek iframe]
RIG EK subdomain = at

Unfortunately, I didn’t get past the landing page.

Sennymotial[.]pw, along with being a gate for RIG exploit kit, is a social engineering page targeting Internet Explorer users (I haven’t had time to test it with other browsers yet). This social engineering tactic is very similar to the HoeflerText Chrome popups that we’ve been seeing from the waning EITest campaign.

The malicious actors are attempting to social engineer people into installing an ‘ArialText’ font pack for their PC.

Images of each step:

[Image: Arial Font 0]
Microsoft Font Pack not installed! Users are tricked into thinking that they must install this font pack to view the webpage correctly.
[Image: Arial Font 2]
The “ArialText” font was not found. The user must click “Update” to continue.
[Image: Arial Font 3]
The user is given instructions on how to download and run the malicious file.
[Image: Arial Font 4]
The user is tricked into downloading, opening, and running a malicious JavaScript file that downloads an executable.

The file is downloaded. Opening the ZIP file shows it contains a JavaScript file called “ArialFont.js”:

[Image: ArialFontLight dot zip]

Click HERE to view the original obfuscated ArialFont.js file.

Executing ArialFont.js results in a GET request for sobberinfo[.]com/gate.php?ff1 at

[Image: GET for executable]

A shortcut for 36d4.exe is found on the Desktop. I also located mMSBuild.exe in C:\ProgramData\MSBuild.


[Images: Traffic 1, Traffic 2]

SHA256: 70d9ca6de6ef370632ffdf460f23b5e340a602bfde1352bde6bad1251a879439
File name:

SHA256: d061eb15f3235cc11777a7aa58b046dfec02f49af30048c42d2f3f2b24884e2e
File name: ArialFont.js

SHA256: c46f85607a9f2d8e86ae3e8f87680f2dba48b5fa0f172a127c3c481f63d89ff8
File name: 36d4.exe (Located on Desktop)
Hybrid-Analysis Report

SHA256: a412e39308be0450470f6dcd448d0bee711d01463f7061d32d4b2e212774dfd4
File name: mMSBuild.exe (Located at C:\ProgramData\MSBuild)
Hybrid-Analysis Report

After doing some more digging I was able to locate more domains being used by these threat actors. The domains were registered using the email address and the registrant name is KireevSergey Valerievich. Searching for other domains using this information shows 4 additional domains:

Domain              Registrant Email     Registration Date
(not recovered)     (not recovered)      6/4/2017
(not recovered)     (not recovered)      6/4/2017
(not recovered)     (not recovered)      6/3/2017
(not recovered)     (not recovered)      6/3/2017
(not recovered)     (not recovered)      5/31/2017

There are over 100 sketchy-looking domains registered to support@alialiservices. Click HERE to view the full list. It was at this point that I decided to test more of these domains.

For my next infection chain I used the referer h0nap.voluumtrk[.]com/voluum/0fb93bf8-7ecb-4532-b0a4-ffebfd1c9d9d, which redirected me to (NSFW): GET

Click HERE to see the full page.

I am calling this the “RELST” campaign since the iframe id = “relst” on both and

relst didn’t contain any redirects to RIG exploit kit; however, it did use another social engineering trick.

This time they try to convince the user that their webcam took compromising photos of them and that they are not to close the browser or their embarrassing photos will be posted online:

It then instructs the user to open the downloaded ZIP file called “” (it can also be and

[Image: Photo zip folder]

This ZIP folder contains “Photo.js”:

[Image: Photo.js file]

This JavaScript file is pretty much identical to ArialFont.js:

  • Click HERE to view the fully obfuscated Photo.js file.
  • Click HERE to see the deobfuscated file (thanks to my friend IRDivision for doing the deobfuscation!).

Executing Photo.js results in the same GET request to sobberinfo[.]com/gate.php?ff1.


[Images: Traffic 3, Traffic 4]

SHA256: 322591d8f69224e9622b7e98d2f3ecbe522dd427c8482ec8feb21c0572d3cfc6
File name:

SHA256: c3cdfe89695f1a03cc4c15127603394be14dacb365a2a589bb6d710700fd4705
File name: Photo.js

SHA256: 0418840ba8392f1876db6920372f3d51b8139f4ee6d9faed0a084b9db279efd4
File name: nt.exe (Located on the Desktop)
Hybrid-Analysis Report

SHA256: 6778eaa0e79ec1114e972e0a547afe484e9a59a40cba920eb3a3154695b14043
File name: nt.exe (Located in C:\ProgramData\Uninstall Information)
Hybrid-Analysis Report

Per @Antelox (thanks for the ID) the payloads from sobberinfo[.]com/gate.php?ff1 are Pony downloading Chthonic.

I was able to find some post-infection POST requests to letit2.bit/home/www/ via over TCP port 80:

[Image: post infection traffic]

This traffic triggered the following rules on my Suricata IDS:

  • BLACKLIST suspicious .bit tcp dns query
  • ET TROJAN Chthonic Checkin
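The two Suricata hits above boil down to one defender-side test: nothing on a normal network should resolve or POST to a Namecoin “.bit” name such as letit2.bit. The following is an added example (my own detection sketch, not the author’s tooling or a Suricata rule) that applies that test to constructed eve.json-style DNS and HTTP records; the field layout is assumed and the sample lines are made up.

```python
"""Flag Chthonic-style post-infection traffic: DNS lookups for the Namecoin
.bit TLD and HTTP POSTs whose Host header is a .bit name.
Added example, not the author's tooling; the simplified eve.json field
layout is an assumption and the sample records below are constructed."""
import json

# Constructed sample records in a simplified Suricata eve.json shape (assumed).
SAMPLE_EVE_LINES = [
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"letit2.bit","rrtype":"A"}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}',
    '{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,'
    '"http":{"hostname":"letit2.bit","url":"/home/www/","http_method":"POST"}}',
    '{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":80,'
    '"http":{"hostname":"www.example.com","url":"/index.html","http_method":"GET"}}',
    '{"event_type":"dns","src_ip":"10.0.0.6","dns":{"type":"query","rrname":"legitbit.example","rrtype":"A"}}',
]

def is_bit_name(name):
    """True for names under the .bit TLD (tolerates a trailing dot and mixed case)."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "bit"

def classify(record):
    """Return an alert tag for one parsed event, or None if it looks benign."""
    kind = record.get("event_type")
    if kind == "dns":
        dns = record.get("dns", {})
        if dns.get("type") == "query" and is_bit_name(dns.get("rrname", "")):
            return "suspicious_bit_dns_query"      # mirrors the BLACKLIST .bit rule
    elif kind == "http":
        http = record.get("http", {})
        if is_bit_name(http.get("hostname", "")):
            if http.get("http_method") == "POST":   # plain-HTTP check-in to a .bit host
                return "bit_http_post_checkin"
            return "bit_http_request"
    return None

def scan(lines):
    """Return (src_ip, tag, indicator) for every alerting line; skip unparsable ones."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        tag = classify(rec)
        if tag:
            indicator = rec.get("dns", {}).get("rrname") or rec.get("http", {}).get("hostname")
            hits.append((rec.get("src_ip"), tag, indicator))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVE_LINES):
        print(hit)
```

A real deployment would read the live eve.json stream and pair the .bit DNS hit with the following HTTP POST from the same source address, which is exactly the sequence seen in this infection.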


File System:

It should also be noted that RoughTed was redirecting my host to numerous fake Flash Player update landing pages that deliver adware:

[Images: Fake flash player update, Another fake flash player update]

You can download the payloads from either the VirusTotal or Hybrid-Analysis reports.

Until next time!


Just a normal person who spends their free time infecting systems with malware.
