Below is an image of a 302 redirect that led to the HookAds decoy XXX website:
The referer for the decoy XXX website, according to the TCP stream, was jwvwak1a.com. The server returned a 302 Moved Temporarily and included the Location of the decoy XXX website.
The decoy page located at /?adsterra_us contains a script for the relative path found on the domain at /popunder.php:
The page returns the following script:
Found in the script is a base64 encoded string that decodes to hxxp://boultrated[.]info/banners/bbwjobs.
The GET request for /bbwjobs at boultrated[.]info returns the RIG exploit kit pre-landing page:
The pre-landing page will filter out and redirect the appropriate connections to the RIG exploit kit landing page. RIG exploit kit ended up dropping Dreambot on my host, which is consistent with the HookAds campaign.
Below is an image of the HTTP GET and POST requests from the infection chain being filtered in Wireshark:
- 126.96.36.199 – boultrated.info – GET /banners/bbwjobs – Fake ad server
- 188.8.131.52 – RIG EK
- 184.108.40.206 – Dreambot C2 traffic (Tor client at /tor/viewt.zip)
- 220.127.116.11 – ip-addr.es – External IP lookup
File name: popunder.php.2.txt
File name: bbwjobs.txt
File name: RigEK landing page from 18.104.22.168.txt
File name: RigEK Flash exploit from 22.214.171.124.swf
File name: o32.tmp
File name: 4aqdak84.exe
The password for the files is “infected”.
Until next time!