RIG EK at 188.225.76.222 Drops Dreambot

This infection chain would most likely have come from malvertising. Instead of recreating the entire chain, I used a compromised site (created on 11/30/2014) that redirects to various RIG EK gates. Below is an image of the traffic being filtered in Wireshark:

HTTP traffic edited

Found in page source:

page source

We then see the GET request for dNw3XwZXSc6ysO.js at en.sundayloop.com. The server returns a “301 Moved Permanently” and points to resource scr.php:

redirects

scr.php returns the following RIG LPs:

scr.php

This unknown campaign is now dropping the Dreambot banking Trojan, whose execution was followed by a GET request for a Tor module that is used for post-infection C2 traffic. Tor functionality has been incorporated into Dreambot since at least July 2016. On June 28th, 2017, this same campaign was pushing the Pushdo/Cutwail botnet.

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

We can see some post-infection DNS queries:

DNS queries

The DNS queries triggered the following ET rule:
ET POLICY OpenDNS IP Lookup

Following the delivery and execution of the malware payload, we can see a GET request for the Tor module located at www2[.]cloudchai[.]net/t32.bin. The resource would be called “t64.bin” if the OS were 64-bit.

The Tor traffic triggered the following ET rule:
ET POLICY TLS possible TOR SSL traffic

Post-infection traffic (Download .xlsx):

Host Address Dst Port Protocol
128.31.0.39 9101 TCP
193.23.244.244 443 TCP
193.70.73.242 50101 TCP
79.197.187.177 443 TCP
144.76.37.242 8443 TCP
89.163.246.127 9001 TCP
138.201.3.75 443 TCP
208.80.154.39 443 TCP
66.170.11.203 443 TCP
79.194.71.36 9001 TCP
212.83.154.33 8443 TCP
51.175.193.142 443 TCP
138.68.102.40 9001 TCP
5.9.61.207 9001 TCP
46.28.207.141 443 TCP
192.42.115.101 9003 TCP
163.172.143.186 443 TCP
91.121.158.17 110 TCP
144.76.253.229 443 TCP
185.15.244.124 443 TCP
128.199.41.238 9001 TCP
185.21.217.29 1337 TCP
213.114.155.106 9001 TCP
51.255.206.74 443 TCP
212.47.245.76 9001 TCP
5.61.34.63 9001 TCP
81.7.14.31 995 TCP
141.255.166.189 443 TCP
37.59.72.132 443 TCP
5.9.7.130 9001 TCP
104.238.167.111 443 TCP
178.63.94.196 9001 TCP
91.121.23.100 9001 TCP
138.68.78.95 443 TCP
163.172.131.111 9001 TCP
138.201.211.235 9001 TCP
91.105.203.92 443 TCP
18.82.3.136 9001 TCP
62.210.36.46 9001 TCP
109.95.51.107 9001 TCP
84.236.37.15 9001 TCP
89.163.141.115 9001 TCP
91.121.230.216 9001 TCP
51.255.168.229 443 TCP
51.254.35.151 9000 TCP
176.158.236.102 9001 TCP
138.201.132.17 9001 TCP
91.121.230.218 443 TCP
109.236.90.209 443 TCP
78.194.220.54 9001 TCP
139.162.248.13 9001 TCP
81.7.10.203 443 TCP
51.15.38.13 9001 TCP
92.222.115.28 9001 TCP
62.227.127.214 9001 TCP
51.254.121.63 9001 TCP
178.254.7.88 9001 TCP
46.105.84.178 9002 TCP
89.163.225.115 443 TCP
81.7.10.93 31337 TCP
163.172.84.95 443 TCP
94.23.204.175 9001 TCP
51.15.128.190 9001 TCP
130.230.113.229 443 TCP
213.239.217.18 1337 TCP
104.238.188.98 443 TCP
62.138.7.171 9001 TCP
93.186.200.68 9001 TCP
212.89.225.242 443 TCP
37.59.29.31 9001 TCP
222.152.191.50 443 TCP
159.203.42.254 9001 TCP
163.172.82.3 443 TCP
178.62.22.36 443 TCP
137.74.229.191 9001 TCP
51.254.120.82 443 TCP
85.145.173.31 443 TCP
46.38.236.122 9001 TCP
148.251.42.164 9001 TCP
104.223.122.213 443 TCP

Network IOCs
  • 193.70.73.251 – en.sundayloop.com – Gate
  • 188.225.76.222 – RIG EK
  • 31.148.219.104 – www2[.]cloudchai[.]net – GET /t32.bin or /t64.bin – Tor module
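As an added example (not the post's own tooling), the Python script below turns the network IOCs above and the two Tor-module URIs into a small matcher and runs it over a constructed connection log. The tab-separated log format, the timestamps and the 10.0.0.5 source address are assumptions for the demo; the destination addresses come from this post. It also flags TCP connections to Tor's default ORPort/DirPort (9001/9030) as a weak "possible Tor" signal, in the same spirit as the ET POLICY rule mentioned above.

```python
"""
IOC and Tor-heuristic matcher for the RIG EK -> Dreambot chain in this post.

Added example, not the post's own tooling. Walks a simplified, tab-separated
connection log and flags records that touch the listed gate / EK / Tor-module
infrastructure, request the Dreambot Tor module, or hit Tor's default ports.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as www2[.]cloudchai[.]net into a usable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Network IOCs as listed on the page.
IOC_IPS: Dict[str, str] = {
    "193.70.73.251": "RIG gate (en.sundayloop.com)",
    "188.225.76.222": "RIG EK landing page",
    "31.148.219.104": "Dreambot Tor module host (www2[.]cloudchai[.]net)",
}
IOC_HOSTS: Dict[str, str] = {
    refang("en.sundayloop.com"): "RIG gate",
    refang("www2[.]cloudchai[.]net"): "Dreambot Tor module host",
}
# 32-bit and 64-bit Tor module names from the page.
TOR_MODULE_URIS = {"/t32.bin", "/t64.bin"}
# Tor's default relay ports (ORPort 9001, DirPort 9030). Weak signal on its own:
# many relays in the post-infection table above listen on 443 or other ports.
TOR_DEFAULT_PORTS = {9001, 9030}


@dataclass
class Record:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    host: Optional[str] = None  # HTTP Host header, if any
    uri: Optional[str] = None   # HTTP request URI, if any


def parse_line(line: str) -> Record:
    """Parse one record: ts, src, dst, dport, proto, host, uri ('-' = absent).
    The format is an assumption made for this example."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(fields)}: {line!r}")
    ts, src, dst, dport, proto, host, uri = fields
    ipaddress.ip_address(src)  # raises ValueError on garbage
    ipaddress.ip_address(dst)
    return Record(ts, src, dst, int(dport), proto.upper(),
                  None if host == "-" else host.split(":")[0].lower(),
                  None if uri == "-" else uri)


def classify(rec: Record) -> List[str]:
    """Return the reasons a record is interesting (empty list if none)."""
    hits: List[str] = []
    if rec.dst in IOC_IPS:
        hits.append("ioc-ip:" + IOC_IPS[rec.dst])
    if rec.host in IOC_HOSTS:
        hits.append("ioc-host:" + rec.host)
    if rec.uri and rec.uri.lower() in TOR_MODULE_URIS:
        hits.append("tor-module:" + rec.uri.lower())
    if rec.proto == "TCP" and rec.dport in TOR_DEFAULT_PORTS:
        hits.append("possible-tor-orport")
    return hits


def scan(log_text: str) -> List[Tuple[Record, List[str]]]:
    """Run classify() over every non-empty, non-comment line of the log."""
    findings: List[Tuple[Record, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            findings.append((rec, hits))
    return findings


def summarize(findings: List[Tuple[Record, List[str]]]) -> Counter:
    """Count findings by category (the text before the first ':')."""
    return Counter(h.split(":", 1)[0] for _, hits in findings for h in hits)


# Constructed sample log modelled on the chain described in the post. Only the
# destination addresses and URIs are from the page; the rest is made up.
SAMPLE_LOG = """\
# ts\tsrc\tdst\tdport\tproto\thost\turi
2017-07-05T12:00:01\t10.0.0.5\t193.70.73.251\t80\tTCP\ten.sundayloop.com\t/dNw3XwZXSc6ysO.js
2017-07-05T12:00:02\t10.0.0.5\t188.225.76.222\t80\tTCP\t188.225.76.222\t/
2017-07-05T12:00:09\t10.0.0.5\t31.148.219.104\t80\tTCP\twww2.cloudchai.net\t/t32.bin
2017-07-05T12:00:15\t10.0.0.5\t128.31.0.39\t9101\tTCP\t-\t-
2017-07-05T12:00:16\t10.0.0.5\t89.163.246.127\t9001\tTCP\t-\t-
2017-07-05T12:00:20\t10.0.0.5\t93.184.216.34\t443\tTCP\twww.example.com\t/
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for rec, hits in results:
        print(f"{rec.ts} {rec.src} -> {rec.dst}:{rec.dport}  {', '.join(hits)}")
    print(dict(summarize(results)))
```

The IOC matches are the reliable part; the port heuristic only catches relays on 9001/9030, misses the 443, 9101 and other ports that dominate the table above, and would also fire on legitimate Tor use, so treat it as a lead to corroborate with the ET rule (which inspects the TLS handshake rather than the port) and with the preceding module download.
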
Hashes

SHA256: 93c2503c802405faa2e8312b96f38de233cc729b72bb36731550782f8e3e51a6
File name: 188.225.76.222 RIG EK LP.txt

SHA256: 6b046933a8f9140e2ade1037c2160cd0b58d459f158e06817061e1c03b511e9f
File name: 188.225.76.222 Flash exploit.swf

SHA256: be27efa783533b55810bbf40516af0d502180e9c8ceb75af3eaf2a54f9b5dd92
File name: ctkw46kh.exe
Hybrid-Analysis Report

SHA256: 9824892f24b5e256d97fe4803fc7a543162a246baaca1a8bd27db855faa4e244
File name: t32.bin

Downloads

Malicious Atifacts.zip

Until next time!
