I captured another malvertising chain that included the HookAds campaign. To read more about the HookAds campaign, click HERE. You can also find all my HookAds-related posts HERE.
Below is an image of a 302 redirect that led to the HookAds decoy XXX website:
The referer for the decoy XXX website, according to the TCP stream, was jwvwak1a.com. The server returned a 302 Moved Temporarily and included the Location of the decoy XXX website.
The decoy page located at /?adsterra_us contains a script for the relative path found on the domain at /popunder.php:
The page returns the following script:
Found in the script is a base64 encoded string that decodes to hxxp://boultrated[.]info/banners/bbwjobs.
The GET request for /bbwjobs at boultrated[.]info returns the RIG exploit kit pre-landing page:
The pre-landing page filters the incoming connections and redirects only the appropriate ones to the RIG exploit kit landing page. RIG exploit kit ended up dropping Dreambot on my host, which is consistent with the HookAds campaign.
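As an added example, not code from the original post: a small Python helper that pulls the two hops described above out of captured traffic, the 302's Location header and the base64-encoded URL embedded in the pop-under script, and defangs them for an IOC list. The sample response and script are constructed, with hypothetical hostnames standing in for the real ones.

```python
import base64
import re

# Constructed sample of the first hop: a 302 whose Location points at the decoy page.
# Hostnames below are hypothetical stand-ins, not the ones from the capture.
RESPONSE_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://decoy.example/?adsterra_us\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed stand-in for the /popunder.php script: the next hop is hidden in base64.
POPUNDER_JS = "var u=atob('aHR0cDovL2Fkcy5leGFtcGxlL2Jhbm5lcnMvYmJ3am9icw==');window.open(u);"

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HTTP_URL = re.compile(r"^https?://[\w.-]+(?:[/?#]\S*)?$")

def redirect_location(raw_response):
    """Return the Location header of a raw HTTP 3xx response, or None otherwise."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *headers = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].startswith("3"):
        return None
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def decoded_urls(script):
    """Return every base64 token in the script that decodes to an http(s) URL."""
    urls = []
    for token in B64_TOKEN.findall(script):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip it
        if HTTP_URL.match(text):
            urls.append(text)
    return urls

def defang(url):
    """Make a URL non-clickable for reporting (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def trace_chain(raw_response, script):
    """Hops this capture reveals: the 302 target, then the decoded pop-under URL(s)."""
    hops = [redirect_location(raw_response)] + decoded_urls(script)
    return [defang(hop) for hop in hops if hop]
```

Running `trace_chain(RESPONSE_302, POPUNDER_JS)` yields the defanged hop list in order; the same two functions can be pointed at a TCP stream dumped from Wireshark.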
Below is an image of the HTTP GET and POST requests from the infection chain being filtered in Wireshark:
IOCs
HTTP:
- 80.77.82.41 – boultrated.info – GET /banners/bbwjobs – Fake ad server
- 188.225.74.13 – RIG EK
- 23.227.201.103 – Dreambot C2 traffic (Tor client at /tor/viewt.zip)
- 64.182.208.181 – ip-addr.es – External IP lookup
DNS Queries:
- resolver1.opendns.com
- 222.222.67.208.in-addr.arpa
- myip.opendns.com
- aeeeeeeeeeeeeeeeeeeeeeeeeeeeva.onion
Hashes:
Registry:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\AppDataLow\Software\Microsoft\{guid}
Download
The password for the files is “infected”.
Until next time!