HookAds Malvertising Campaign Leads to RIG EK at and Drops Dreambot


HTTP Traffic:

  • Decoy site [hidden] – GET /popunder.php – Redirects to remainland.info
  • – remainland.info – GET /banners/uaps – Pre-landing page
  • – RIG EK
  • – GET /images/[removed]/.avi
  • – GET /tor/t32.dll – Tor module
  • – ipinfo.io – GET /ip – Checks your public IP address

DNS Queries:

  • resolver1.opendns.com
  • myip.opendns.com


Traffic edited


SHA256: 732637809542bf1e174249104d2b1c88dc79da20862318a749accc052638b8f1
File name: popunder.php.txt

SHA256: 29f7549ed1df9ca36112936554aac61b39c3f32d718f166f6e51eaf495268bb2
File name: uaps.txt [1st Pre-Landing Page]

SHA256: e9ac5882d5629183863c6e5dcfff7e007d24988f86233480b59e9c957621cb3b
File name: 2nd Pre-Landing Page.txt

SHA256: f7f7ae3a95cf3c3dbbdc5100266aa38b25167e14a7e0ad4597e5bf32fdabd3c2
File name: RIG EK Landing Page.txt

SHA256: 9fc5fb99f72be24ec7d1e2004f1c1f2083885059e0e072314cb712934415bc24
File name: RIG EK Flash Exploit.swf

SHA256: e53444daa029ca5821ef53904ad1136fb24eea721a97300e86b38881cbee8a36
File name: o32.tmp

SHA256: 19983fa4e8cb3207a845e033ff12caeec114c16b8ab9e291a66d796bc11e3e22
File name: gcg2jb8g.exe [Dreambot]

SHA256: 5b8f2ce696576eb57266b0b3114bb3b4ae98f8157bc77d8df034f0ce81be603b
File name: t32.dll

Files [password is “infected”]:

Malicious Artifacts 060617 – HookAds Leads to RigEK.zip

Infection Chain

This infection chain began with me visiting a decoy site used by the HookAds malvertising campaign. The decoy site contained a call for /popunder.php:

decoy site edited

The PHP file located at the relative path returned the following script:

JS redirects to remainland dot info

The function is then called to write an iframe into a new DOM element using the “PopUnderURL” (remainland.info), statically defined dimensions for the injected iframe, and the location of the resource at “remainland[.]info/banners/uaps”.

remainland[.]info/banners/uaps returns RIG’s pre-landing page:

pre-landing page

In this infection chain the NormalURL value contained the location of another RIG pre-landing page, which is why there are two POST requests in the traffic (the pre-landing page uses a POST request to retrieve the next page). In a normal infection chain the pre-landing page contains the location of the RIG landing page; here, it was the second pre-landing page that contained the URL of the landing page.

File System

During this infection the payload was dropped in %Temp% and was copied to %AppData% as dot3Core.exe:

[images: %Temp% and %AppData% directory listings]

The bot checks in with the CnC server at [removed]/.avi. We then see the GET request for the Tor client; the server returns “t64.dll” if the host OS is 64-bit and “t32.dll” if it is 32-bit.
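The sequence above (popunder, pre-landing page, check-in to the /.avi URL, Tor module fetch, ipinfo.io lookup) is easy to hunt for in proxy logs. The following is an added example, not code from the original post: it parses a constructed log in a simple "client method host path" format (the constructed hosts and TEST-NET addresses stand in for the IPs the post redacts) and reports which stages of the chain each client hit.

```python
import re

# Constructed proxy log lines (not real captures): client, method, host, path.
# Redacted hosts from the post are replaced by a TEST-NET address.
SAMPLE_LOG = """\
10.0.0.5 GET  decoy.example      /popunder.php
10.0.0.5 GET  remainland.info    /banners/uaps
10.0.0.5 POST remainland.info    /banners/uaps
10.0.0.5 GET  203.0.113.10       /images/a1b2/.avi
10.0.0.5 GET  203.0.113.10       /tor/t32.dll
10.0.0.5 GET  ipinfo.io          /ip
10.0.0.7 GET  ipinfo.io          /ip
10.0.0.7 GET  news.example       /index.html
"""

# Stages of the chain described in the post, in the order they occur.
# (stage name, method, host or None for any host, path regex)
STAGES = [
    ("popunder",   "GET", None,              r"/popunder\.php$"),
    ("prelanding", "GET", "remainland.info", r"^/banners/uaps$"),
    ("checkin",    "GET", None,              r"^/images/.+/\.avi$"),
    ("tor_module", "GET", None,              r"^/tor/t(32|64)\.dll$"),
    ("ip_check",   "GET", "ipinfo.io",       r"^/ip$"),
]
# Stages that only occur once the payload is already running.
POST_INFECTION = {"checkin", "tor_module"}

def classify(method, host, path):
    """Return the stage name a single request matches, or None."""
    for name, m, h, pat in STAGES:
        if method == m and (h is None or host == h) and re.search(pat, path):
            return name
    return None

def stages_by_client(log_text):
    """Map each client IP to the chain stages it hit, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the hunt
        client, method, host, path = parts
        stage = classify(method, host, path)
        if stage and stage not in seen.setdefault(client, []):
            seen[client].append(stage)
    return seen

def suspicious_clients(log_text):
    """Clients that hit a post-infection stage plus at least one other stage.
    A lone ipinfo.io lookup is ordinary traffic and is not flagged."""
    return sorted(c for c, s in stages_by_client(log_text).items()
                  if POST_INFECTION & set(s) and len(s) >= 2)

if __name__ == "__main__":
    for client, stages in stages_by_client(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```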

Once the Tor client has been retrieved, we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft:

This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In my infection chain the file was called 5EC9.bin [see image of %Temp%].

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

Persistence used at HKCU\Software\Microsoft\Windows\CurrentVersion\Run:


I also noticed the creation of extension-less text files in a folder located at C:\Users\[Username]\AppData\Roaming\Microsoft\[random]:

hmmmm edited

These files contained information being sent to websites that I visited. For example, here is the text file that was created when I was messing about on Bank of America:


For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

As always I recommend blocking the nasty stuff at your perimeter firewall(s). Until next time!
