HookAds Campaign Leads to RIG EK at RIG EK Drops Dreambot.

Network based IOCs – arrassley.info – RoughTed domain – heydrid-info – HookAds fake ad server – RIG exploit kit – Dreambot C2 – ipinfo.io – External IP lookup

Post-infection DNS queries and additional post-infection traffic:


traffic 2


SHA256: ab4db9eff5259f56e1c9f21444b9b8024d8ce2ffc841e178b10b9a522a750c3c
File name: heydrid.info pre-landing page.txt

SHA256: b712653deece760b1b981c7d93da44e62b58630ce0bfd511a2d621672cc2f7d6
File name: RigEK landing page.txt

SHA256: 892b3990a09bb3391c5a1a591d9908a0e77db7385addc2c38cfcb32db265a970
File name: RigEK Flash exploit.swf

SHA256: 478e311fe3d8ad965f135f5949adb5d894375d7f8b435472b856364bfd0370ca
File name: o32.tmp

SHA256: 1fd7b6b244cbcac394452f540ef373fd5bfaa402273b29252f06edf2fd0432b7
File name: vwgob5qt.exe and Deviprov.exe
Hybrid-Analysis Report

SHA256: 74f24a26da3af4ced5d45721ba587d1b42d009c53c93b3d8d80210d952319f77
File name: voip4.rar

Download the files [password is “infected”]:
Pre-landing page, landing page, and SWF exploit.zip

Infection Chain

Today, as I was doing my usual malvertising runs, I was redirected to RIG exploit kit via a decoy site often used by the HookAds campaign.

Below is an image of some of the malvertising traffic being filtered in Wireshark:

HTTP traffic edited

The website that initiated this malvertising traffic and the decoy site are being hidden.

The HookAds decoy sites are designed to redirect users to a RIG exploit kit landing page. Other campaigns that utilize exploit kits (pseudo-Darkleech and EITest) have either disappeared altogether or they have drastically slowed down. However, the HookAds campaign is still rolling along.

This malvertising chain was quite long so I won’t be including every single redirect. Additionally, trying to piece together a malvertising redirection chain can be confusing and time consuming, even for somebody with experience.

I am also seeing traffic to a RoughTed domain (arrassley.info at right before the host is redirected to the decoy site. However, it doesn’t appear that the RoughTed campaign was responsible for the redirection to the HookAds decoy site.

The referer for the HookAds decoy site was from clicksgear.com:

clicksgear redirect via a 302 edited

The GET request for clicksgear.com returns a 302 Moved Temporarily that points to the decoy site

The GET request for the decoy site, located at www[.]decoysite[.]com/?adsterra_us, was initiated via a 302 redirect from clicksgear.com. The decoy page contains the following script for /popunder.php:

script on decoy site edited

The GET request for popunder.php returns the following script:


The function definition is called to write an iframe to a new DOM object containing: the PopUnderURL, statically-defined dimensions for the injected iframe, and the location of the resource at “heydrid[.]info/banners/uaps”.

heydrid[.]info/banners/uaps returns RIG’s pre-landing page:

pre landing page image edited

The NormalURL contains the URL for the RIG pre-landing page.

File System

The payload is dropped in %Temp%:


The payload was then copied to %AppData% as Deviprov.exe:

AppData 2

Payload is copied to a folder called “efsshell”




The bot checks-in with the CnC server at[removed]/.avi. We then see the GET request for the Tor client being hosted at

When the Tor client is retrieved from we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\ {guid}:

This key contains the path to the client (which is dropped in the %Temp% folder) with a filename using the pattern [A-F0-9]{4}.bin. In my infection chain the file was called E5F1.bin.



As I was browsing the web I also noticed the creation of extension-less text files in a folder located at C:\Users\ {Username} \AppData\Roaming\Microsoft\ {random}:


These files contained information about my web sessions.

For a more detailed dive into Dreambot:


As always, I recommend blocking the nasty stuff at your perimeter firewall(s).

Until next time!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: