RELST Campaign Delivering Pony, Downloads Chthonic.

On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign "RELST" since there are various references to "RELST" in the code:

[Screenshot: RELST]

In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign, which redirected my host to the RIG exploit kit as well as to a social engineering page using the "ArialText" font popup (when browsing with Internet Explorer):

[Screenshot: Arial Font 2]

It should be noted that while I've only witnessed the RELST campaign in connection with malvertising, it could also be coming from malspam (malicious spam) containing links to these domains.

The RELST domain that I used for my infection today was holyxxxmamapumpum.pw [NSFW]. This domain is not using the “ArialText” font social engineering trick but instead is using another one aimed at convincing users that their compromising photos will be leaked online [images and text on the webpage have been edited to make it safe for work]:

[Screenshots: Photo.docm from RELST (edited); social engineering trick (edited)]

Click HERE to view the page source code.

As you can see, they are attempting to social engineer users into believing that they must open the downloaded file, in this case a macro-enabled Word document called "Photo.docm". The document is downloaded from holyxxxmamapumpum[.]pw/files/Photo.docm.

When users open the Word document they are tricked into clicking "Enable Editing" (which takes the document out of Protected View) and then "Enable Content" (which allows the embedded macro to run):

[Screenshots: Protected View; Enable Content]
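Before anyone clicks "Enable Content", the cheap check is whether the document even carries a VBA project. The following is an added example (not code from the original post): it inspects an OOXML container for the word/vbaProject.bin part and the macro-enabled content type, and builds a minimal constructed stand-in for Photo.docm in memory so it runs offline; the real sample is the one whose hash is listed below, not the bytes generated here.

```python
# Added example, not from the original post: static triage of an OOXML Word
# document for an embedded VBA project, run against a constructed stand-in
# for Photo.docm (the real file is only referenced by hash in the post).
import io
import zipfile

# A macro-enabled document stores its compiled VBA in this part; this is what
# "Enable Content" lets run.
MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def triage_ooxml(data: bytes) -> dict:
    """Report what a reviewer wants to know before the document is opened."""
    result = {"is_zip": False, "has_vba_project": False,
              "macro_enabled_type": False, "parts": []}
    if not data.startswith(b"PK"):
        # Not OOXML. A legacy .doc is an OLE2 file and needs a different parser.
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["is_zip"] = True
            result["parts"] = names
            result["has_vba_project"] = MACRO_PART in names
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_enabled_type"] = MACRO_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        pass
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal document (placeholder content, not the real Photo.docm)."""
    ctype = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{ctype}"/>'
        + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           if with_macro else '')
        + '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 magic followed by filler; enough for a presence check.
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean.docx", build_sample(False)),
                       ("Photo.docm-like", build_sample(True))):
        t = triage_ooxml(doc)
        print(f"{label}: VBA project={t['has_vba_project']} "
              f"macro-enabled type={t['macro_enabled_type']}")
```

This only answers "is there a macro"; to see what the macro does without opening it in Word, hand the file to olevba from oletools, which decompresses and dumps the VBA source.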

We then see an obfuscated JavaScript file called feafdcfffdea.js run:

[Screenshot: Temp]

Click HERE to view the script.

The script is used to download the malware payload. In this case the malware was located at sobberinfo[.]com/gate.php?ff1 (77.72.82.120):

[Screenshot: Malware payload]

We then see the same executable (same file hash) dropped on the Desktop and in C:\ProgramData\Microsoft Silverlight. It persists itself using an auto-execute entry at a hidden registry location:

[Screenshot: Reg RUN]
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
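The Policies\Explorer\Run key is easy to overlook when you only look at the usual Run keys. The following is an added example (not code from the original post) that audits that key together with the ordinary Run keys: it reads the live registry when run on Windows and otherwise falls back to a constructed sample. The sample's first entry combines the directory and file name given above; its value name ("wMicrosoftSilverlight") and the list of "suspect" directories are my assumptions, and the benign entry is just for contrast.

```python
# Added example, not from the original post: audit the auto-start key named
# in the post (Policies\Explorer\Run) alongside the ordinary Run key.

RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Directories an auto-start binary rarely lives in legitimately (assumption; tune locally).
SUSPECT_DIRS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\", "\\desktop\\")


def exe_path(command: str) -> str:
    """Pull the executable out of a Run value; handles quoted paths with spaces."""
    c = command.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    # Unquoted: everything up to the first space (an unquoted path containing
    # spaces would be cut short here, which is itself worth noticing).
    return c.split(" ", 1)[0]


def audit_entries(entries):
    """entries: iterable of (hive, key, value_name, command). Returns [(entry, reasons)]."""
    flagged = []
    for hive, key, name, command in entries:
        reasons = []
        path = exe_path(command).lower()
        if any(d in path for d in SUSPECT_DIRS):
            reasons.append("binary in a user-writable directory: " + exe_path(command))
        if "policies\\explorer\\run" in key.lower():
            reasons.append("set under Policies\\Explorer\\Run, which is normally "
                           "populated by Group Policy rather than by installers")
        if reasons:
            flagged.append(((hive, key, name, command), reasons))
    return flagged


def collect_entries():
    """Read the keys on a Windows host; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values
                    found.append((hive, key, name, str(data)))
                    i += 1
        except OSError:
            continue  # key absent or not readable
    return found


# Constructed sample. The first entry's path is the post's directory plus file
# name; the value name is an assumption. The second is a benign entry for contrast.
SAMPLE_ENTRIES = [
    ("HKLM", RUN_KEYS[0][1], "wMicrosoftSilverlight",
     r'"C:\ProgramData\Microsoft Silverlight\wMicrosoftSilverlight.exe"'),
    ("HKLM", RUN_KEYS[2][1], "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]


if __name__ == "__main__":
    for entry, reasons in audit_entries(collect_entries() or SAMPLE_ENTRIES):
        print(entry[0] + "\\" + entry[1], entry[2], "->", entry[3])
        for r in reasons:
            print("   ", r)
```

On a live host the HKLM keys need an elevated prompt to read reliably; a non-elevated run silently skips anything it cannot open, so treat an empty result with suspicion.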

Machines that are infected with Chthonic should be making POST requests to letit2.bit/home/ at 91.209.77.11. Note that .bit is a Namecoin-based top-level domain that does not exist in the normal DNS root, so do not expect to see a conventional DNS lookup for it; look for the POSTs to the IP address itself or for queries to alternative resolvers.

Traffic:

[Screenshot: HTTP Traffic]
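To turn the indicators above into something that can be run over proxy logs, here is an added example (not code from the original post). It matches each request against the post's three network stages (the Photo.docm lure download, the gate.php?ff1 payload fetch, and the POST to the Chthonic C2), falls back to flagging any other contact with the listed hosts or IPs, and then reports clients that touched more than one stage. The log layout, the client addresses, and the 203.0.113.9 address used for the lure domain (the post does not give its IP) are all constructed; the stage names are mine.

```python
# Added example, not from the original post: run the post's indicators over
# constructed web-proxy log lines and label each stage of the chain.
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators from the post. Stage names are mine. The lure host's IP is not
# given in the post, so that stage matches on hostname only.
STAGES = [
    ("lure download", {"host": "holyxxxmamapumpum.pw", "path": "/files/Photo.docm"}),
    ("payload fetch", {"host": "sobberinfo.com", "path": "/gate.php", "query": "ff1",
                       "ip": "77.72.82.120"}),
    ("Chthonic C2", {"host": "letit2.bit", "path": "/home/", "method": "POST",
                     "ip": "91.209.77.11"}),
]
KNOWN_BAD_HOSTS = {ioc["host"] for _, ioc in STAGES}
KNOWN_BAD_IPS = {ioc["ip"] for _, ioc in STAGES if "ip" in ioc}

# Assumed log layout: "<ts> <client> <METHOD> <host> <path>[?query] <dst_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>[^?\s]+)(?:\?(?P<query>\S+))? (?P<dst>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    stage: str
    client: str
    line: str


def _matches(f: dict, ioc: dict) -> bool:
    if ioc.get("method") and f["method"] != ioc["method"]:
        return False
    if f["path"] != ioc["path"]:
        return False
    if "query" in ioc and f["query"] != ioc["query"]:
        return False
    # Match on hostname OR destination IP: a .bit name never goes through a
    # normal DNS lookup, so the C2 request may carry the raw IP as its host.
    return f["host"] == ioc.get("host") or f["dst"] == ioc.get("ip")


def classify(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    for stage, ioc in STAGES:
        if _matches(f, ioc):
            return Hit(stage, f["client"], line)
    if f["host"] in KNOWN_BAD_HOSTS or f["dst"] in KNOWN_BAD_IPS:
        return Hit("other IOC contact", f["client"], line)
    return None


def scan(log_text: str) -> list:
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


def infected_clients(hits, min_stages: int = 2) -> dict:
    """Clients that touched at least min_stages distinct stages of the chain."""
    stages = defaultdict(set)
    for h in hits:
        stages[h.client].add(h.stage)
    return {c: sorted(s) for c, s in stages.items() if len(s) >= min_stages}


# Constructed sample log; client addresses and 203.0.113.9 are placeholders.
SAMPLE_LOG = """\
2017-06-03T14:01:05Z 10.0.0.12 GET holyxxxmamapumpum.pw /files/Photo.docm 203.0.113.9 200
2017-06-03T14:03:41Z 10.0.0.12 GET sobberinfo.com /gate.php?ff1 77.72.82.120 200
2017-06-03T14:03:58Z 10.0.0.12 POST 91.209.77.11 /home/ 91.209.77.11 200
2017-06-03T14:04:10Z 10.0.0.33 GET sobberinfo.com /gate.php?other 77.72.82.120 404
2017-06-03T14:05:00Z 10.0.0.33 GET www.example.com /index.html 93.184.216.34 200
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.stage:18} {h.client}  {h.line}")
    print("likely infected:", infected_clients(hits))
```

The fourth sample line shows why the fallback matters: a different query string to gate.php does not match the exact payload-fetch indicator, but the destination IP alone is enough to put that client on the list for a closer look.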

Hashes:

SHA256: e847294d800e2292631bccc5e8b10c3b966850fad379f8a34f2e5429b32f405d
File name: Video Recording.htm.txt

SHA256: dc9dd8e6d201b6a3f6bbb58666679231b4846ac1c715dbb00189b461277b98e8
File name: Photo.docm
Hybrid-Analysis Report

SHA256: 138a35162d0c9034aab5843e29ad24a6c1d599f5ac17aaeb3b601b70a09fe5e9
File name: feafdcfffdea.js

SHA256: 78001ccd0cece59d95fec02b9e65a6892646e09dce100bd994604b7966c218ad
File name: 0267.exe and wMicrosoftSilverlight.exe
Hybrid-Analysis Report

Files and Malware (password is “infected”):

[Download link: Malware]

I recommend blocking the RELST social engineering domains and sobberinfo[.]com (77.72.82.120) at your perimeter firewall(s). The Chthonic C2 address 91.209.77.11 belongs on the same blocklist, since the .bit domain in front of it will not show up in normal DNS logs. Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
