On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there various references to “RELST” in the code:
In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign that had redirected my host to RIG exploit kit, as well as a social engineering page using the “ArialText” font popup (using Internet Explorer):
It should be noted that while I’ve only witnessed the RELST campaign in relationship with malvertising it could also be coming from malspam (malicious spam) containing links to these domains.
The RELST domain that I used for my infection today was holyxxxmamapumpum.pw [NSFW]. This domain is not using the “ArialText” font social engineering trick but instead is using another one aimed at convincing users that their compromising photos will be leaked online [images and text on the webpage have been edited to make it safe for work]:
Click HERE to view the page source code.
As you can see they’re attempting to social engineer the user’s into believing that they must open the downloaded file, in this case a Word document called “Photo.docm”. The document is downloaded from holyxxxmamapumpum[.]pw/files/Photo.docm.
When user’s opens the Word document they are tricked into clicking “Enable Editing” and then “Enable Content”:
Click HERE to view the script.
The script is used to download the malware payload. In this case the malware was located at sobberinfo[.]com/gate.php?ff1 (18.104.22.168):
We then see the same executable (same file hash) dropped on the Desktop and in C:ProgramDataMicrosoft Silverlight:
Persists itself using auto-execute at a hidden registry location:
Machines that are infected with Chthonic should be making POST requests to letit2.bit/home/ at 22.214.171.124.
File name: Video Recording.htm.txt
File name: Photo.docm
File name: feafdcfffdea.js
File name: 0267.exe and wMicrosoftSilverlight.exe
Files and Malware (password is “infected”):
I recommend blocking the RELST social engineering domains and sobberinfo.com (126.96.36.199) at your perimeter firewall(s). Until next time!