Read about the Despicable (aka Despicable .ME) malvertising campaign HERE.
This infection chain resulted from me visiting a website that streams sporting events. Below is a partial and edited image of the malvertising chain being filtered in Wireshark:
The host is redirected to adrunnr.com, which then redirects to done.witchcraftcash.com.
done.witchcraftcash.com then redirects the host to the Despicable .ME domain, comanast.me.
The .ME domain redirects the host to the gate at kikokik.fun via a “302 Moved Temporarily”:
The GET request for kikokik.fun returns a “302 Found” that points to the RIG exploit kit landing page at 220.127.116.11:
Download the landing page: RigEK landing page.zip
RIG exploit kit dropped Chthonic on my system. Chthonic has been the payload of choice for a lot of malvertising campaigns lately, and for other campaigns such as RELST. The payload was dropped in %Temp% and then copied to C:\ProgramData\ under a newly created folder called “Windows Sidebar”:
You can see the post-infection traffic consists of POST requests to the C2 server at amellet.bit (18.104.22.168). The Hybrid-Analysis report also shows connections to another C2 at letit2.bit (22.214.171.124).
Emerging Threats alerts generated by these POST requests include “ET TROJAN Chthonic Checkin”.
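The two things a defender would want to pull out of traffic like this are the redirect chain itself (a run of 302s that ends at an IP-literal landing page) and the post-infection POSTs to .bit domains. The script below is an added example, not tooling from this write-up: it walks Location headers in a set of constructed HTTP records modelled on the chain described above (the hosts named in the post, with illustrative paths) and flags both indicators. The record layout and field names are assumptions; the .bit check relies on the fact that Namecoin .bit names are not resolvable through ICANN DNS, so any client reaching one is using an alternative resolver or a hard-coded IP.

```python
"""Reconstruct a malvertising redirect chain from HTTP request records and
flag the indicators described in the write-up: a 30x chain that ends at an
IP-literal exploit-kit landing page, and POST traffic to .bit (Namecoin) C2
domains. Added example; not the author's tooling."""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class HttpRecord:
    """One request/response pair as a proxy or Wireshark export might list it."""
    host: str
    method: str
    path: str
    status: int
    location: str = ""  # Location header on 30x responses, empty otherwise


# Constructed sample traffic: hosts from the post, paths are illustrative.
SAMPLE = [
    HttpRecord("adrunnr.com", "GET", "/ad?id=1", 302, "http://done.witchcraftcash.com/r"),
    HttpRecord("done.witchcraftcash.com", "GET", "/r", 302, "http://comanast.me/"),
    HttpRecord("comanast.me", "GET", "/", 302, "http://kikokik.fun/gate"),
    HttpRecord("kikokik.fun", "GET", "/gate", 302, "http://220.127.116.11/?q=landing"),
    HttpRecord("220.127.116.11", "GET", "/?q=landing", 200),
    HttpRecord("amellet.bit", "POST", "/", 200),
    HttpRecord("letit2.bit", "POST", "/", 200),
]


def is_ip_literal(host: str) -> bool:
    """True when the host component is a bare IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def follow_chain(records, start_host: str):
    """Walk Location headers from start_host; return the hosts visited in order.
    Stops at the first non-redirect response or if a loop is detected."""
    by_host = {r.host: r for r in records if r.method == "GET"}
    chain, host = [], start_host
    while host in by_host and host not in chain:
        chain.append(host)
        rec = by_host[host]
        if rec.status not in REDIRECT_STATUSES or not rec.location:
            break
        host = urlsplit(rec.location).hostname or ""
    return chain


def find_indicators(records, start_host: str):
    """Return (chain, findings): the reconstructed hop list plus human-readable
    flags for an IP-literal landing page and for .bit C2 check-ins."""
    chain = follow_chain(records, start_host)
    findings = []
    if len(chain) >= 3 and is_ip_literal(chain[-1]):
        findings.append(
            f"{len(chain)}-hop redirect chain ends at IP-literal host {chain[-1]}"
        )
    for rec in records:
        if rec.method == "POST" and rec.host.lower().endswith(".bit"):
            findings.append(
                f"POST to .bit (Namecoin) domain {rec.host}: "
                "not resolvable via ICANN DNS, likely C2 check-in"
            )
    return chain, findings


if __name__ == "__main__":
    hops, flags = find_indicators(SAMPLE, "adrunnr.com")
    print(" -> ".join(hops))
    for flag in flags:
        print("FLAG:", flag)
```

Feeding it a real proxy export only requires mapping the export's columns onto HttpRecord; the chain walk is keyed on the GET host so repeated visits to the same ad network collapse into one hop rather than producing a loop.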
File name: RigEK landing page 061917.txt
File name: o32.tmp
File name: BWindowsSidebar.exe
Until next time!