RIG EK Delivers Pushdo / Cutwail Botnet and RELST Campaign Still Pushing Chthonic.

Background on RELST campaign:

  1. https://malwarebreakdown.com/2017/06/05/roughted-malvertising-operation-leads-to-relst-domains-and-rig-ek/
  2. https://malwarebreakdown.com/2017/06/06/relst-campaign-delivering-pony-downloads-chthonic/

On 06/26/17  had informed me that they located a RELST domain:

Twitter

webshoot[.]pw/files/Photo05.zip. Downloads payload from Sobbernews[.]pw/get.php

The source code from webshoot.pw (104.18.32.54 and 104.18.33.54) shows “relst” in the iframe id:

iframe id RELST

The RELST campaign uses different social engineering tactics in order to convince users to download ZIP files (Photo05.zip) that contain malicious scripts (Photo.js). Click HERE to view Photo.js.

Once the user downloads and executes the script the host will make a GET request for the malware payload being hosted on another one of their servers (sobbernews.pw at 104.27.170.248 and 104.27.171.248):

data.bin from RELST domain

data.bin from sobbernews.pw

Below is an image of the traffic being filtered in Wireshark:

Traffic

The payload was dropped in C:\ProgramData\Windows Photo Viewer under the name MWindowsPhotoViewer.exe:

payload

Processes:

processes

Post-infection traffic shows callback traffic via POST requests to letit2.bit at 103.52.216.15:

traffic 2

Registry persistence:

Registry RUN

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Hashes:

SHA256: 1e3bb634b2b2c16260b1adb6300a85f040765d6ab4f0967564270b02d585feef
File name: Photo05.zip

SHA256: 27f668b227c57f20d9559085bfc2c9a6112708508e985903641505f050a375ce
File name: Photo.js

SHA256: 4737a87631869ecc8f9109ab045da119b20cb88300a63d4259e5ab99a403fbb5
File name: data.bin

SHA256: e54e3197d33108a76af2247b464aaab3fc59f83c2d8a41ed96c32d3ea27cf471
File name: MWindowsPhotoViewer.exe
Hybrid-Analysis Report

Download the files and malware (password is “infected”):

Malicious Artifacts.zip


This next campaign is also related to RIG exploit kit and it appears to be using malvertising and then decoy websites as their initial infection vector. Hosts are redirected from these compromised or decoy sites to numerous gates being hosted at 193.70.73.251.

These gates appear to be under control of the same threat actor(s) and are redirecting hosts, via different methods, to RIG exploit kit landing pages. Zerophage had documented an example of this campaign on 06/22/17.

Here is an image of the traffic from the gates being filtered in Wireshark:

Traffic 1

The first gate, id.azartclubwelcome.compress.to, redirects to scuk.portyankoman.vizvaz.com:

script 1

scuk.portyankoman.vizvaz.com then redirects to the RIG exploit kit landing page:

script 2

The payload being pushed by this campaign is Pushdo. The Pushdo botnet has been around since 2007. Pushdo is a downloader which infects the system and then downloads the Cutwail spam module.

Post-infection traffic shows a ton of POST requests to various hostnames:

Traffic 2

The host will connect to these domains on port 80 and send what looks like bogus HTTP requests.

The host will also attempt to connect to these domains via port 25 (SMTP):

Traffic 3

This traffic goes on in what seems like an endless and very noisy loop. Needless to say, a Pushdo / Cutwail infection isn’t difficult to spot if you’re inspecting network traffic.

There are numerous detailed papers on the Pushdo / Cutwail botnet that you can find online. Two good write ups that I found were from Trend Micro and Avast:

  1. https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf
  2. https://blog.avast.com/2013/06/25/15507/
IOCs

Network based IOCs:

  • 193.70.73.251 – id.azartclubwelcome.compress.to – GET /?sourceid=7757&sourcename=red
  • 193.70.73.251 – scuk.portyankoman.vizvaz.com  – Gate
  • 188.225.78.135 – RIG EK (run 1)
  • 188.225.78.96 – RIG EK (run 2)
  • POST requests
    • User-Agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
      • MSIE 6.0 = Internet Explorer version 6.0
      • Windows NT 5.1 = Windows XP
      • SV1 = Windows XP Service Pack 2 installed (Security Version 1)

Hashes:

SHA256: 6af5912f43fdd780e3e2df9d21e13baf29eddb7e3793a7561f9cc73fca770aed
File name: RIG EK landing page at 188.225.78.135.txt

SHA256: ef5b8cb49ba72ead4cc5fe96ea8895b3cda3691a05452812fcfd1704a73afbbc
File name: RIG EK Flash exploit from 188.225.78.135.swf

SHA256: 404027a2cbf71578dea26b9477588acc12394643e77b389dcf5f5933ebb7d495
File name: o32.tmp

SHA256: 94a0a09ee6a21526ac34d41eabf4ba603e9a30c26e6a1dc072ff45749dfb1fe1
File name: bma2beo4.exe
Hybrid-Analysis Report

Download the artifacts:

Malicious Artifacts 2.zip

Until next time!

ezgif-3-e5848a986f

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: