“Despicable” Malvertising Campaign Redirects to RIG EK at 188.225.77.106, Drops Chthonic Banking Trojan.

Read about the Despicable (aka Despicable .ME) malvertising campaign HERE.

This infection chain resulted from me visiting a website that streams sporting events. Below is a partial and edited image of the malvertising chain being filtered in Wireshark:

[Image: edited Wireshark capture of the malvertising redirect chain]

The host is redirected to adrunnr.com, which then redirects to done.witchcraftcash.com.

done.witchcraftcash.com then redirects the host to the Despicable .ME domain, comanast.me.

The .ME domain redirects the host to the gate at kikokik.fun via a “302 Moved Temporarily”:

[Image: the “302 Moved Temporarily” redirect to kikokik.fun]

The GET request for kikokik.fun returns a “302 Found” that points to the RIG exploit kit landing page at 188.225.77.106:

[Image: the “302 Found” redirect to the RIG EK landing page]

[Image: RIG EK landing page]

Download the landing page: RigEK landing page.zip

RIG exploit kit dropped Chthonic on my system. It has lately been the payload of choice for many malvertising campaigns, as well as for other campaigns such as RELST. The payload was dropped in %Temp% and then copied to C:\ProgramData\ under a newly created folder called “Windows Sidebar”:

[Image: the “Windows Sidebar” folder under C:\ProgramData]

You can see that the post-infection traffic consists of POST requests to the C2 server at amellet.bit (119.28.105.45). The Hybrid-Analysis report also shows connections to another C2 at letit2.bit (47.91.124.165).

Emerging Threats alerts generated by these POST requests include “ET TROJAN Chthonic Checkin”.
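As an added example that is not part of the original post, the following Python reconstructs the 302 chain described above and flags the two traits the capture shows: a redirect chain that lands on an IP-literal host, and POST check-ins to .bit C2 domains. The transaction records are constructed from the hosts named in the post, not taken from the real capture, and the tuple format is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed HTTP transactions modelled on the chain described in the post:
# (method, host, status code, Location header or None). Not a real capture.
RECORDS = [
    ("GET", "adrunnr.com", 302, "http://done.witchcraftcash.com/"),
    ("GET", "done.witchcraftcash.com", 302, "http://comanast.me/"),
    ("GET", "comanast.me", 302, "http://kikokik.fun/"),
    ("GET", "kikokik.fun", 302, "http://188.225.77.106/"),
    ("GET", "188.225.77.106", 200, None),
    ("POST", "amellet.bit", 200, None),
    ("POST", "letit2.bit", 200, None),
]

# Blockchain-based TLD used by the Chthonic C2 hosts named in the post.
SUSPECT_TLDS = (".bit",)

def is_ip_literal(host):
    """True when the host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def follow_chain(records, start_host):
    """Walk 3xx Location headers from start_host and return the hosts in order.
    Stops at the first non-redirect hop, a host with no record, or a loop."""
    by_host = {host: (status, loc) for _m, host, status, loc in records}
    chain, host = [], start_host
    while host and host not in chain:
        chain.append(host)
        status, loc = by_host.get(host, (None, None))
        if status is None or not (300 <= status < 400) or not loc:
            break
        host = urlsplit(loc).hostname
    return chain

def findings(records, start_host):
    """Flag a redirect chain that lands on an IP-literal host and POST
    check-ins to hosts under a suspect TLD."""
    out = []
    chain = follow_chain(records, start_host)
    if len(chain) > 1 and is_ip_literal(chain[-1]):
        out.append(f"{len(chain)}-hop redirect chain ends at IP literal {chain[-1]}")
    for method, host, _status, _loc in records:
        if method == "POST" and host.endswith(SUSPECT_TLDS):
            out.append(f"POST to {host}: possible C2 check-in")
    return out
```

Feeding it real proxy or Wireshark HTTP exports only requires filling RECORDS with (method, host, status, Location) tuples from the capture.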

Processes:

[Image: process list after infection]

Registry:

[Image: registry entries (1 and 2)]

[Image: registry entry (3)]

The malware persists by using an auto-execute entry at a hidden registry location.

Hashes

SHA256: 609ca0061ec890fba0535d66ccf1a11725ff2a29e30b0298ceba86264ec534ff
File name: RigEK landing page 061917.txt

SHA256: 450a1b8b6a1570182a8210391574e096691eda5b2eba7838f6aa767b074fa5a4
File name: o32.tmp

SHA256: 1321558aa4c02abb3d38a51540fa9c5af303e75f93f1bb35747fb703cfe3db6f
File name: BWindowsSidebar.exe

Hybrid-Analysis Report

Until next time!
