HookAds Continues to use RIG EK to Drop Dreambot

malwarebreakdown on July 18, 2017

A couple days ago RIG changed its URI parameters. This isn’t unusual as it seems to happen at least once a month. However, one thing to note is that RIG, at this moment, is using some base64 encoded strings in the URI. Examples taken from this infection chain include the following:

  • /?MzQwNDg3NTE= decodes to /?34048751=
  • /?MTU2NzMzOTY= decodes to /?15673396=
  • /?NDE4MTY0NjE= decodes to /?41816461=

I’m not sure if this is random or if it serves another purpose.

Below is an image of the notable HTTP and DNS traffic collected during this infection:

Network traffic edited

/popunder.php returns the following:

script

base64 encoded string decodes to hxxp://milips[.]info/banners/countryhits

/countryhits returns the pre-filter page, which has undergone some changes:

rigek pre-filter page edited

Again we see the use of base64 encoding. This string decodes to the RIG EK landing page. You can download popunder.php and countryhits at the end of this post.

Network Based IOCs
  • 80.77.82.41 – milips.info – GET /banners/countryhits – HookAds
  • 188.225.87.170 – IP-literal hostname used by RIG EK
  • 142.91.104.107 – GET /windowsxp/t3.css – Dreambot C2 server
  • 216.239.34.21 – ipinfo.io – GET /ip – Used to retrieve the host external IP address
  • aeeeeeeeeeeeeeeeeeeeeeeeeeeeva.onion – Additional callback traffic

DNS queries:

  • resolver1.opendns.com
  • 222.222.67.208.in-addr.arpa
  • myip.opendns.com

Additional post-infection traffic via TCP port 443:

more post infection traffic

After the Tor module and the external IP is retrieved we see more connections via TCP ports 9001, 60784, 29001, 9090, 8001, and 8080 (to name a few):

more post infection connections

Emerging Threats rules triggered:
  • ET POLICY OpenDNS IP Lookup
  • ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
  • ET POLICY TLS possible TOR SSL traffic
Download a List of Contacted Hosts (.XLSX):

Contacted_Hosts.xlsx

Processes

processes

Hashes

SHA256: f4886efc9f50af4808c913b8a5b702b205000092757e2a08623010896212d274
File name: popunder.php.txt

SHA256: a7d0192841d8f92194a86c9c98ddddfd1283dbddffe9140ac501928950978ca8
File name: countryhits.txt

SHA256: 26e0d0a3ec16f874137bda37f2357bd914234ee8a6a62658ca4dfec1bb556f6b
File name: 188.225.87.170 RIG EK LP.txt

SHA256: 644b6905a1a1b35620c5dd44bfd30e039bbeaa54799853b4b93ee7ee51bbbe0e
File name: 188.225.87.170 RIG EK Flash exploit.swf

SHA256: 869067582081bdd8a6fe5c194bebe71cace185f69ce2992a17492641e5290f47
File name: o32.tmp

SHA256: e2db455c4840be8dcee0f2fe78e0cb309d898dc4ce9d50dff07c4a0a9575754b
File name: gltv7bjw.exe

SHA256: 4384458b9c3f09af64f386552588ea9b35e4aa7438bbb515dadf4b4619e10820
File name: t3.css

Downloads

Malicious Files.zip

The password is “infected”

Until next time!

Published by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment