On 06/03/17 I stumbled across a malvertising chain that led to RIG exploit kit. What was unusual about this malvertising chain is that it was also leading to a lot of social engineering scams. After some research I have discovered that it could be related to the “RoughTed” malvertising campaign. You can read more about RoughTed malvertising at the link below:
The infection chain I ran across showed that the user was trying to watch a soccer (football) match via an online streaming site called rojadirecta.me. The user ended up clicking on a link found on rojadirecta.me that was pointing to hxxp://333sport.info/ue/02.html:
Below is an image that shows the malicious link being hosted on rojadirecta.me:
As you can see from the image above the channel location (hxxp://333sport.info/ue/02.html) was redirecting the user to malicious content. Eventually this channel was detected as being malicious and was blocked by Google Safe Browsing. 333sport.info was first registered on 05/17/17.
333sport.info/ue/02.html contains an obfuscated ad code script used to generate future Amazon S3 URLs. Part of the base64 encoded data decodes to show a cloudfront.net subdomain. Malwarebytes Lab documented that many times these cloudfront.net subdomains are the referer for the RoughTed domains. The RoughTed domain that I found in my infection chain was seness.info. The three URLs that I found in my traffic, which were used to confirm it was RoughTed, are as follows:
Seness.info was registered using the email address firstname.lastname@example.org. Here are some more RoughTed domains registered under that email address:
|RoughTed Domain||Registrant Email||Registration Date|
My host was then redirected to bro.adca.st, which eventually led to ads.deltatv.site. From ads.deltatv.site the host was redirected to h0nap.voluumtrk[.]com/voluum/0fb93bf8-7ecb-4532-b0a4-ffebfd1c9d9d. The server returned a “302 Found” that was pointing to sennymotial.pw:
This is where things get more interesting. The page returned by sennymotial.pw contained iframes for sennymotial[.]pw/indexz.php and sennymotial[.]pw/index222.php:
Click HERE to view sennymotial[.]pw in its entirety.
sennymotial[.]pw/indexz.php leads to a RIG exploit kit landing page:
Unfortunately, I didn’t get past the landing page.
Sennymotial[.]pw, along with being a gate for RIG exploit kit, is a social engineering page that is targeting Internet Explorer users (I haven’t had time to test it with other Browsers yet). This social engineering tactic is very similar to the HoeflerText Chrome popups that we’ve been seeing from the waning EITest campaign.
The malicious actors are attempting to social engineer people into installing an ‘ArialText’ font pack for their PC.
Images of each step:
Click HERE to view the original obfuscated ArialFont.js file.
Executing ArialFont.js results in a GET request for sobberinfo[.]com/gate.php?ff1 at 18.104.22.168:
A shortcut for 36d4.exe is found on the Desktop. I also located mMSBuild.exe in C:\ProgramData\MSBuild.
File name: ArialFontLight.zip
File name: ArialFont.js
File name: 36d4.exe (Located on Desktop)
File name: mMSBuild.exe (Located at C:\ProgramData\MSBuild)
After doing some more digging I was able to locate more domains being used by these threat actors. The domains were registered using the email address email@example.com and the registrant name is KireevSergey Valerievich. Searching for other domains using this information shows 4 additional domains:
|Domain||Registrant Email||Registration Date|
There are over 100 sketchy looking domains registered to support@alialiservices. Click HERE to view the full list. It was at this point that I decided to test more of these domains.
For my next infection chain I used the referer h0nap.voluumtrk[.]com/voluum/0fb93bf8-7ecb-4532-b0a4-ffebfd1c9d9d, which redirected me to miragenotax.pw (NSFW):
Click HERE to see the full page.
I am calling this the “RELST” campaign since the iframe id = “relst” on both sennymotial.pw and miragenotax.pw:
Miragenotax.pw didn’t contain any redirects to RIG exploit kit, however, it did use another social engineering trick.
This time they try to convince the user that their webcam took compromising photos of them and that they are not to close the browser or their embarrassing photos will be posted online:
It then instructs the user to open the downloaded ZIP file called “Photo02.zip” (it can also be Photo01.zip and Photo03.zip):
This ZIP folder contains “Photo.js”:
- Click HERE to view the fully obfuscated Photo.js file.
- Click HERE to see the desobfuscated file (thanks to my friend IRDivision for doing the deobfuscation!).
Executing Photo.js results in the same GET request to sobberinfo[.]com/gate.php?ff1.
File name: Photo02.zip
File name: Photo.js
File name: nt.exe (Located on the Desktop)
File name: nt.exe (Located in C:\ProgramData\Uninstall Information)
Per @Antelox (thanks for the ID) the payloads from sobberinfo[.]com/gate.php?ff1 are Pony downloading Chthonic.
I was able to find some post-infection POST requests to letit2.bit/home/www/ via 22.214.171.124 over TCP port 80:
This traffic triggered the following rules on my Suricata IDS:
- BLACKLIST suspicious .bit tcp dns query
- ET TROJAN Chthonic Checkin
It should also be noted that RoughTed was also redirecting my host to numerous fake Flash player update landing pages that are delivering adware:
You can download the payloads from either the VirusTotal or Hybrid-Analysis reports.
Until next time!