Malvertising Leads to HookAds Campaign Which Redirects to RIG EK at 188.225.74.13. RIG EK Drops Dreambot.

I captured another malvertising chain that included the HookAds campaign. To read more about the HookAds campaign click HERE. You can also find all my HookAds related post HERE.

Below is an image of a 302 redirect that led to the HookAds decoy XXX website:

Decoy XXX website is being hidden

The referer for the decoy XXX website, according to the TCP stream, was jwvwak1a.com. The server returned a 302 Moved Temporarily and included the Location of the decoy XXX website.

The decoy page located at /?adsterra_us contains a script for the relative path found on the domain at /popunder.php:

The page returns the following script:

Base64 encoded string is underlined in red.

Found in the script is a base64 encoded string that decodes to hxxp://boultrated[.]info/banners/bbwjobs.

The GET request for /bbwjobs at boultrated[.]info returns the RIG exploit kit pre-landing page:

The pre-landing page contains the location of the RIG EK landing page, which is underlined in red.

The pre-landing page will filter out and redirect the appropriate connections to the RIG exploit kit landing page. RIG exploit kit ended up dropping Dreambot on my host, which is consistent with the HookAds campaign.

Below is an image of the HTTP GET and POST requests from the infection chain being filtered in Wireshark: