RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK.

On 06/03/17 I stumbled across a malvertising chain that led to RIG exploit kit. What was unusual about this malvertising chain is that it was also leading to a lot of social engineering scams. After some research I have discovered that it could be related to the “RoughTed” malvertising campaign. You can read more about RoughTed malvertising at the link below:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

The infection chain I ran across showed that the user was trying to watch a soccer (football) match via an online streaming site called rojadirecta.me. The user ended up clicking on a link found on rojadirecta.me that was pointing to hxxp://333sport.info/ue/02.html.

Below is an image that shows the malicious link being hosted on rojadirecta.me:

Warning edited

As you can see from the image above, the channel location (hxxp://333sport.info/ue/02.html) was redirecting the user to malicious content. Eventually this channel was detected as malicious and blocked by Google Safe Browsing. 333sport.info was first registered on 05/17/17.

333sport dot info

333sport.info/ue/02.html contains an obfuscated ad code script used to generate future Amazon S3 URLs. Part of the base64 encoded data decodes to show a cloudfront.net subdomain. Malwarebytes Labs documented that these cloudfront.net subdomains are often the referer for the RoughTed domains. The RoughTed domain that I found in my infection chain was seness.info. The three URLs that I found in my traffic, which were used to confirm it was RoughTed, are as follows:
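The decoding step described above is the kind of thing an analyst repeats on every new ad-code script, so here is a small triage helper for it. This is an added example, not the 333sport.info script or anything from the post: it pulls base64-looking runs out of a script, decodes them (including nested encodings), and lists the hostnames they hide, flagging the cloudfront.net and amazonaws.com ones the post associates with this chain. The script text, the hostnames in it and the `WATCHED_SUFFIXES` list are constructed for the demo.

```python
"""Pull base64 blobs out of an obfuscated ad/redirector script and list the
hostnames they hide.  Added triage helper for this post; the sample script is
constructed for the demo and is not the 333sport.info code."""
import base64
import re
from typing import List, Tuple

# Runs of base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Hostnames in decoded text: optional scheme or "//", then dotted labels with a TLD.
# The lookbehind keeps path components such as "/tag.js" from being read as hosts.
HOST_RE = re.compile(
    r"(?<![\w/.-])(?:https?://|//)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?=[/:?\"'\s]|$)",
    re.IGNORECASE,
)
# CDN suffixes worth flagging: the post ties cloudfront.net referers to RoughTed,
# and the script's purpose is to build Amazon S3 URLs.  (Assumed watch-list.)
WATCHED_SUFFIXES = (".cloudfront.net", ".amazonaws.com")


def decode_layers(blob: str, max_depth: int = 3) -> str:
    """Base64-decode repeatedly (obfuscators often nest encodings) and stop at
    the first layer that is not valid base64 or not printable text.  Returns
    the input unchanged when it does not decode at all."""
    current = blob
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        if not decoded.isprintable():
            break
        current = decoded
        if not B64_RE.fullmatch(current):
            break
    return current


def extract_hosts(script: str) -> List[Tuple[str, str, List[str]]]:
    """Return (blob, decoded_text, hosts) for every blob whose decoded text
    contains at least one hostname."""
    findings = []
    for match in B64_RE.finditer(script):
        blob = match.group(0)
        text = decode_layers(blob)
        if text == blob:
            continue  # did not decode to anything useful
        hosts = sorted({h.lower() for h in HOST_RE.findall(text)})
        if hosts:
            findings.append((blob, text, hosts))
    return findings


def watched_hosts(script: str) -> List[str]:
    """Hostnames from the decoded blobs that fall under the watched CDN suffixes."""
    out = set()
    for _, _, hosts in extract_hosts(script):
        out.update(h for h in hosts if h.endswith(WATCHED_SUFFIXES))
    return sorted(out)


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample: one plain blob, one double-encoded blob and one decoy that
# decodes to text without a hostname.  In a real capture the blobs arrive opaque.
SAMPLE_SCRIPT = (
    'var _0x1=["' + _b64("https://d1111example.cloudfront.net/tag.js?pid=1") + '",'
    '"' + _b64(_b64("//example-bucket.s3.amazonaws.com/x.html")) + '",'
    '"' + _b64("just some text") + '"];\n'
    "document.write('<script src=\"'+atob(_0x1[0])+'\"></scr'+'ipt>');"
)

if __name__ == "__main__":
    for blob, text, hosts in extract_hosts(SAMPLE_SCRIPT):
        print(f"{blob[:20]}... -> {text}  hosts={hosts}")
    print("watched:", watched_hosts(SAMPLE_SCRIPT))
```

Feed it the raw page source rather than a rendered copy: the blobs of interest are usually string literals the page decodes with `atob` at run time, so they are only visible in the source.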

seness[.]info/?&subid=0&pid=1&tid=632723&status=1&v=1.10.59.25&tpag=1&_=1496524940123
seness[.]info/?&subid=0&pid=1&tid=632723&status=62&v=1.10.59.25&tpag=1&_=1496524940128
seness[.]info/?&subid=0&pid=1&tid=632723&status=62&v=1.10.59.25&tpag=1&_=1496524940128

Seness.info was registered using the email address onishekovich@bk.ru. Here are some more RoughTed domains registered under that email address:

RoughTed Domain    Registrant Email      Registration Date
chequent.info      onishekovich@bk.ru    9/29/2016
seness.info        onishekovich@bk.ru    9/29/2016
somethodox.info    onishekovich@bk.ru    9/29/2016
contil.info        onishekovich@bk.ru    9/29/2016
publicit.info      onishekovich@bk.ru    9/29/2016

My host was then redirected to bro.adca.st, which eventually led to ads.deltatv.site. From ads.deltatv.site the host was redirected to h0nap.voluumtrk[.]com/voluum/0fb93bf8-7ecb-4532-b0a4-ffebfd1c9d9d. The server returned a “302 Found” that was pointing to sennymotial.pw:

302 Found

This is where things get more interesting. The page returned by sennymotial.pw contained iframes for sennymotial[.]pw/indexz.php and sennymotial[.]pw/index222.php:

iframes

Click HERE to view sennymotial[.]pw in its entirety.

sennymotial[.]pw/indexz.php leads to a RIG exploit kit landing page:

rigek iframe

RIG EK subdomain = admin.eggfreezingfuture.com at 195.161.41.13.

Unfortunately, I didn’t get past the landing page.

Sennymotial[.]pw, along with being a gate for RIG exploit kit, is a social engineering page that is targeting Internet Explorer users (I haven’t had time to test it with other browsers yet). This social engineering tactic is very similar to the HoeflerText Chrome popups that we’ve been seeing from the waning EITest campaign.

The malicious actors are attempting to social engineer people into installing an ‘ArialText’ font pack for their PC.

Images of each step:

Arial Font 0

Microsoft Font Pack not installed! Users are tricked into thinking that they must install this font pack to view the webpage correctly.

Arial Font 2

The “ArialText” font was not found. The user must click “Update” to continue.

Arial Font 3

The user is given instructions on how to download and run the malicious file.

Arial Font 4

The user is tricked into downloading, opening, and running a malicious JavaScript file that downloads an executable.

The file ArialFontLight.zip is downloaded. Opening the ZIP file shows it contains a JavaScript file called “ArialFont.js”:

ArialFontLight dot zip

Click HERE to view the original obfuscated ArialFont.js file.

Executing ArialFont.js results in a GET request for sobberinfo[.]com/gate.php?ff1 at 77.72.82.120:

GET for executable

A shortcut for 36d4.exe is found on the Desktop. I also located mMSBuild.exe in C:\ProgramData\MSBuild.

Traffic

Traffic 1

Traffic 2

Hashes

SHA256: 70d9ca6de6ef370632ffdf460f23b5e340a602bfde1352bde6bad1251a879439
File name: ArialFontLight.zip

SHA256: d061eb15f3235cc11777a7aa58b046dfec02f49af30048c42d2f3f2b24884e2e
File name: ArialFont.js

SHA256: c46f85607a9f2d8e86ae3e8f87680f2dba48b5fa0f172a127c3c481f63d89ff8
File name: 36d4.exe (Located on Desktop)
Hybrid-Analysis Report

SHA256: a412e39308be0450470f6dcd448d0bee711d01463f7061d32d4b2e212774dfd4
File name: mMSBuild.exe (Located at C:\ProgramData\MSBuild)
Hybrid-Analysis Report

After doing some more digging I was able to locate more domains being used by these threat actors. The domains were registered using the email address support@alialiservices.com and the registrant name is KireevSergey Valerievich. Searching for other domains using this information shows 4 additional domains:

Domain              Registrant Email             Registration Date
frontagermaner.pw   support@alialiservices.com   6/4/2017
hemoritanmak.pw     support@alialiservices.com   6/4/2017
sennymotial.pw      support@alialiservices.com   6/3/2017
miragenotax.pw      support@alialiservices.com   6/3/2017
jikajikamorta.pw    support@alialiservices.com   5/31/2017

There are over 100 sketchy-looking domains registered to support@alialiservices. Click HERE to view the full list. It was at this point that I decided to test more of these domains.

For my next infection chain I used the referer h0nap.voluumtrk[.]com/voluum/0fb93bf8-7ecb-4532-b0a4-ffebfd1c9d9d, which redirected me to miragenotax.pw (NSFW):

miragenotax.pw GET

Click HERE to see the full page.

I am calling this the “RELST” campaign since the iframe id = “relst” on both sennymotial.pw and miragenotax.pw:

relst
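The iframe observation above (sennymotial[.]pw loading indexz.php and index222.php in frames, and the `relst` id shared by both gate pages) can be turned into a page-level check. The following is an added example and not code from the post: it parses a captured page with the standard library, lists every iframe with its attributes, and flags frames that either carry the campaign id or are hidden (1x1 or `display:none`), which is how an exploit-kit landing page is usually loaded. The HTML is constructed to mimic the structure the post describes and is not the real sennymotial.pw page; the attribute values on the frames are assumptions.

```python
"""List the iframes on a captured page and flag the ones that look like the
RELST gate.  Added example; the sample HTML is constructed and not the real
sennymotial.pw / miragenotax.pw markup."""
from html.parser import HTMLParser
from typing import Dict, List


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_iframes(html: str) -> List[Dict[str, str]]:
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def is_hidden(attrs: Dict[str, str]) -> bool:
    """A 1x1 (or smaller) frame, or one styled away, is invisible to the user
    but still loads its src: the usual way a gate pulls in an EK landing page."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def px(value: str) -> int:
        return int(value.lower().rstrip("px"))

    try:
        return px(attrs.get("width", "100")) <= 1 or px(attrs.get("height", "100")) <= 1
    except ValueError:  # e.g. "100%" - not a hidden-frame pattern we can judge
        return False


def relst_indicators(html: str, campaign_id: str = "relst") -> List[str]:
    """src of every iframe that carries the campaign id or is hidden."""
    hits = []
    for frame in find_iframes(html):
        if frame.get("id", "").lower() == campaign_id or is_hidden(frame):
            hits.append(frame.get("src", ""))
    return hits


# Constructed sample page: two campaign frames (one hidden) and one ordinary ad slot.
SAMPLE_HTML = """<html><body>
<iframe id="relst" src="/indexz.php" width="1" height="1" style="display:none"></iframe>
<iframe id="relst" src="/index222.php"></iframe>
<iframe src="https://ad-slot.example/banner" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for frame in find_iframes(SAMPLE_HTML):
        print(frame)
    print("flagged:", relst_indicators(SAMPLE_HTML))
```

Run it against the saved response body (not a screenshot or a rendered copy), since the frames that matter are exactly the ones a user never sees.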

Miragenotax.pw didn’t contain any redirects to RIG exploit kit; however, it did use another social engineering trick.

This time they try to convince the user that their webcam took compromising photos of them and that they are not to close the browser or their embarrassing photos will be posted online:

miragenotax.pw

It then instructs the user to open the downloaded ZIP file called “Photo02.zip” (it can also be Photo01.zip and Photo03.zip):

Photo zip folder

This ZIP folder contains “Photo.js”:

Photo.js file
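Both lures in this post (ArialFontLight.zip carrying ArialFont.js, and Photo02.zip carrying Photo.js) rely on the user opening a ZIP and double-clicking a script inside it. The check below is an added example, not part of the post and not anything the threat actors wrote: it inspects an archive the way a mail gateway or download proxy could before the file reaches a desktop, hashing each member and flagging Windows Script Host extensions and typical WSH API strings in the content. The archive is built in memory from constructed content; the member names and the marker list are assumptions, not the real files.

```python
"""Triage a ZIP before anyone opens it: list members, hash them and flag
script payloads.  Added example; the archive is constructed in memory and is
not the real ArialFontLight.zip or Photo02.zip."""
import hashlib
import io
import zipfile
from typing import Dict, List

# Extensions Windows hands to the script host (or mshta) on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")
# API names a downloader script needs; their presence in a "photo" or "font"
# archive is a strong signal.  (Assumed marker list.)
WSH_MARKERS = ("ActiveXObject", "WScript.Shell", "MSXML2.XMLHTTP",
               "ADODB.Stream", "Scripting.FileSystemObject")


def triage_zip(data: bytes) -> List[Dict[str, object]]:
    """One record per file member: name, size, SHA256 and the flags."""
    report: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            content = archive.read(info)
            lower = info.filename.lower()
            text = content.decode("utf-8", "ignore")
            report.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(content).hexdigest(),
                "script": lower.endswith(SCRIPT_EXTENSIONS),
                # "Photo02.jpg.js"-style double extension
                "double_ext": lower.count(".") >= 2 and lower.endswith(SCRIPT_EXTENSIONS),
                "wsh_markers": [m for m in WSH_MARKERS if m.lower() in text.lower()],
            })
    return report


def should_block(data: bytes) -> bool:
    """Block when any member is a script by extension or by content."""
    return any(m["script"] or m["wsh_markers"] for m in triage_zip(data))


def build_sample(member_name: str, body: str) -> bytes:
    """Constructed one-member archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, body)
    return buf.getvalue()


# Stand-in for a downloader: only the API names matter to the check.
LURE_BODY = "// constructed stand-in, not the real Photo.js\nvar s = new ActiveXObject('WScript.Shell');\n"
BENIGN_BODY = "just a text note\n"

if __name__ == "__main__":
    for name, body in (("Photo.js", LURE_BODY), ("readme.txt", BENIGN_BODY)):
        data = build_sample(name, body)
        print(name, "block" if should_block(data) else "allow", triage_zip(data))
```

The SHA256 in each record is what you compare against the hashes listed in this post and against VirusTotal or Hybrid-Analysis; the extension and marker flags are what let a gateway stop the file before a hash is known.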

This JavaScript file is pretty much identical to ArialFont.js:

  • Click HERE to view the fully obfuscated Photo.js file.
  • Click HERE to see the deobfuscated file (thanks to my friend IRDivision for doing the deobfuscation!).

Executing Photo.js results in the same GET request to sobberinfo[.]com/gate.php?ff1.

Traffic

Traffic 3

Traffic 4

Hashes

SHA256: 322591d8f69224e9622b7e98d2f3ecbe522dd427c8482ec8feb21c0572d3cfc6
File name: Photo02.zip

SHA256: c3cdfe89695f1a03cc4c15127603394be14dacb365a2a589bb6d710700fd4705
File name: Photo.js

SHA256: 0418840ba8392f1876db6920372f3d51b8139f4ee6d9faed0a084b9db279efd4
File name: nt.exe (Located on the Desktop)
Hybrid-Analysis Report

SHA256: 6778eaa0e79ec1114e972e0a547afe484e9a59a40cba920eb3a3154695b14043
File name: nt.exe (Located in C:\ProgramData\Uninstall Information)
Hybrid-Analysis Report

Per @Antelox (thanks for the ID) the payloads from sobberinfo[.]com/gate.php?ff1 are Pony downloading Chthonic.

I was able to find some post-infection POST requests to letit2.bit/home/www/ via 91.209.77.11 over TCP port 80:

post infection traffic

This traffic triggered the following rules on my Suricata IDS:

  • BLACKLIST suspicious .bit tcp dns query
  • ET TROJAN Chthonic Checkin
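The network indicators in this post line up into a chain: the RoughTed beacon URLs (the seness.info requests with their subid/pid/tid/status/v/tpag parameters), the sobberinfo[.]com/gate.php?ff1 fetch that both scripts make, the .bit (Namecoin) DNS lookup, and the POST to letit2.bit/home/www/ that fired the Chthonic check-in rule. The scanner below is an added example, not the post's or the ET ruleset's code: it runs those indicators over proxy and DNS log lines and reports which sources completed the whole chain. The log line format and the lines themselves are constructed (the 10.0.0.x, 203.0.113.x and 198.51.100.x addresses are placeholders); the hostnames, paths and the two C2/gate IPs are the ones given in the post.

```python
"""Scan proxy/DNS log lines for the indicators in this chain.  Added detection
example; the log format and sample lines are constructed, the indicator values
(hosts, paths, 77.72.82.120, 91.209.77.11) come from the post."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Parameter set seen on every RoughTed beacon in the post; matching on it
# catches beacon domains not yet on the host list.
ROUGHTED_KEYS = {"subid", "pid", "tid", "status", "v", "tpag"}
ROUGHTED_HOSTS = {"seness.info", "chequent.info", "somethodox.info", "contil.info", "publicit.info"}
GATE_HOSTS = {"sobberinfo.com"}
C2_HOSTS = {"letit2.bit"}
C2_IPS = {"91.209.77.11"}

# Constructed line format: "<ts> <src> HTTP <method> <url> <dst_ip>" or "<ts> <src> DNS <qname>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>HTTP|DNS)\s+(?P<rest>.*)$")


def classify_http(method: str, url: str, dst_ip: str) -> Optional[str]:
    parts = urlsplit(url)
    host = parts.hostname or ""
    query_keys = set(parse_qs(parts.query, keep_blank_values=True))
    if host in ROUGHTED_HOSTS or ROUGHTED_KEYS <= query_keys:
        return "roughted-beacon"
    if host in GATE_HOSTS and parts.path == "/gate.php":
        return "sobberinfo-gate"
    if method == "POST" and parts.path.startswith("/home/www/") and (
        host in C2_HOSTS or dst_ip in C2_IPS or host.endswith(".bit")
    ):
        return "chthonic-checkin"
    if host.endswith(".bit"):
        return "namecoin-host"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per matching line: source, rule name and the indicator hit."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        src, kind, rest = match.group("src"), match.group("kind"), match.group("rest").split()
        if kind == "DNS" and rest:
            qname = rest[0].rstrip(".").lower()
            if qname.endswith(".bit"):  # Namecoin TLD, not resolvable via normal DNS
                alerts.append({"src": src, "rule": "namecoin-dns-query", "indicator": qname})
        elif kind == "HTTP" and len(rest) >= 3:
            method, url, dst_ip = rest[0], rest[1], rest[2]
            rule = classify_http(method, url, dst_ip)
            if rule:
                alerts.append({"src": src, "rule": rule, "indicator": urlsplit(url).hostname or dst_ip})
    return alerts


def infected_hosts(alerts: List[Dict[str, str]]) -> List[str]:
    """Sources that fetched the gate payload and then checked in to the C2:
    the full chain, not just an ad beacon."""
    by_src: Dict[str, set] = {}
    for alert in alerts:
        by_src.setdefault(alert["src"], set()).add(alert["rule"])
    return sorted(s for s, rules in by_src.items() if {"sobberinfo-gate", "chthonic-checkin"} <= rules)


# Constructed log excerpt: one host walks the whole chain, a second host is clean.
SAMPLE_LOG = [
    "2017-06-03T21:22:20Z 10.0.0.5 HTTP GET http://seness.info/?&subid=0&pid=1&tid=632723&status=1&v=1.10.59.25&tpag=1&_=1496524940123 203.0.113.10",
    "2017-06-03T21:22:21Z 10.0.0.5 HTTP GET http://unknown-beacon.example/?&subid=0&pid=1&tid=1&status=62&v=1.10.59.25&tpag=1&_=1 203.0.113.11",
    "2017-06-03T21:23:05Z 10.0.0.5 HTTP GET http://sobberinfo.com/gate.php?ff1 77.72.82.120",
    "2017-06-03T21:24:01Z 10.0.0.5 DNS letit2.bit",
    "2017-06-03T21:24:02Z 10.0.0.5 HTTP POST http://letit2.bit/home/www/ 91.209.77.11",
    "2017-06-03T21:25:00Z 10.0.0.7 HTTP GET https://www.example.com/index.html 198.51.100.20",
    "2017-06-03T21:25:30Z 10.0.0.7 DNS www.example.com",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("full chain:", infected_hosts(found))
```

The second sample line shows why the parameter-shape rule is there: it has a host that is on no list, yet the query string is the RoughTed beacon shape, so it is still reported. The .bit lookup is worth its own alert regardless of what follows, since that TLD never resolves through ordinary DNS and its presence in a query log is the same signal the BLACKLIST rule above keys on.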

Registry:

File System:

It should also be noted that RoughTed was redirecting my host to numerous fake Flash Player update landing pages that are delivering adware:

Fake flash player update

Another fake flash player update

You can download the payloads from either the VirusTotal or Hybrid-Analysis reports.

Until next time!

  1. […] RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK (June 5, 2017) Researchers have discovered a new malvertising campaign, dubbed “RELST,” that appears to be connected to the “RoughTed” malvertising campaign. Malicious scripts were identified on websites associated with streaming. Additionally, some of the websites attempt to redirect users to the RIG Exploit Kit to download information stealing malware. Other related domains attempt to trick users into downloading a “missing ArialText” format. Another domain claims that the user’s webcam has been compromised, and requests the user to download a file to view the photos that have been stolen. Recommendation: Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities. Tags: Malvertising, Exploit Kit […]


  2. […] using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there were various references to […]


  3. […] In some cases, URLs will redirect to an EK one day and then on following days will often redirect to a fake installer for something like Adobe Flash Player like shown in Figure 5. These social engineering schemes are becoming more common, and researchers often run across them as they search for EKs. […]
