Dreambot Dropped by HookAds
This will be a quick post as I just wanted to put out some updated IOCs.
“popunder.php” from the HookAds decoy site:

HookAds is still pushing Dreambot via RIG EK.
Network Based IOCs
HTTP:
- 80.77.82.41 – balkali.info – GET /banners/countryhits – HookAds server
- 188.225.33.164 – IP-literal hostname used by RIG EK
- 104.223.89.174 – GET /images/[removed]/B.avi and GET /home/2.css – Dreambot C2
DNS:
- wdwefwefwwfewdefewfwefw.onion
- resolver1.opendns.com
- myip.opendns.com
Other Contacted Hosts:
- 193.23.244.244 via TCP port 443
- 76.73.17.194 via TCP port 9090
ET Rules Triggered:
- ET POLICY OpenDNS IP Lookup
- ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
- ET POLICY TLS possible TOR SSL traffic
Images of Traffic:
Hashes
SHA256: 5bc5bf65fa088d58df193e99a31d3471cf20aeade39c980362857ccea028d19b
File name: popunder.php.txt
SHA256: 86dfda35f3a035cd1a294fc427d9f2774f75fbda687902f261f2cf8d215938ff
File name: countryhits.txt
SHA256: 87a3d00fe14e3a773e905c00cc3a912999d41a3fcf4093fbec7c0c5ebae7bb77
File name: RigEK Landing Page from 188.225.33.164.txt
SHA256: b97163074bc8bb1893310e27aa673cbb89ae0ac9b88fad149fe2bfe9adcf4897
File name: RigEK Flash exploit from 188.225.33.164.swf
SHA256: 82a322e80c3cc0645123812b8933bad1e88f164b82a649167bbca4028809ff13
File name: o32.tmp
SHA256: c3680493f64fce0dfe7cfa77a752ec15baa31c9ad5f76d5156fa6a465a399623
File name: q1t3ly73.exe (Hybrid-Analysis report available)
SHA256: 4384458b9c3f09af64f386552588ea9b35e4aa7438bbb515dadf4b4619e10820
File name: 2.css (32-bit Windows OS)
SHA256: 939ca8ad0e3c61b471d7fd918f4701e548f98084ff461fa7c897191b0f778fa4
File name: 3.css (64-bit Windows OS)
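To make the network IOCs and the hash list above directly usable for hunting, here is an added example (not part of the original post) that loads them into a small matcher and runs it over log lines. The log format is a constructed, space-separated one (timestamp, source, destination, protocol, then HTTP method/host/path, DNS query name, or TCP port), not any product's native format. It generalizes the post in two labelled places: the redacted "/images/[removed]/B.avi" path is matched with a one-segment wildcard, and any DNS query for a .onion name is flagged, not just the one string in the post. The destination IP is always checked, so RIG EK's IP-literal Host header and Dreambot's raw TCP connections on 443 and 9090 are caught without relying on hostnames.

```python
"""Hunt for the HookAds / RIG EK / Dreambot indicators listed in this post.

Added example, not part of the original post. The log format is constructed:
  http: ts src dst http METHOD host path
  dns:  ts src dst dns qname
  tcp:  ts src dst tcp dport
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Destination IPs from the post, with the role the post assigns them.
IOC_IPS = {
    "80.77.82.41": "HookAds server (balkali.info)",
    "188.225.33.164": "RIG EK landing page / Flash exploit host",
    "104.223.89.174": "Dreambot C2",
    "193.23.244.244": "Dreambot contacted host (TCP/443)",
    "76.73.17.194": "Dreambot contacted host (TCP/9090)",
}
# Hostnames and DNS query names from the post.
IOC_DOMAINS = {
    "balkali.info": "HookAds server",
    "wdwefwefwwfewdefewfwefw.onion": "Dreambot .onion query",
    "resolver1.opendns.com": "OpenDNS IP lookup",
    "myip.opendns.com": "OpenDNS IP lookup",
}
# URI paths from the post. The B.avi path has a redacted middle segment, so it
# is matched with a one-segment wildcard (assumption). 3.css is the 64-bit
# payload from the hash list; fetching it under /home/ is assumed.
IOC_URIS = [
    (re.compile(r"^/banners/countryhits$"), "HookAds countryhits"),
    (re.compile(r"^/images/[^/]+/B\.avi$"), "Dreambot C2 B.avi (wildcard segment)"),
    (re.compile(r"^/home/[23]\.css$"), "Dreambot payload download"),
]
# SHA256 hashes from the post, keyed by lower-case hex digest.
IOC_SHA256 = {
    "5bc5bf65fa088d58df193e99a31d3471cf20aeade39c980362857ccea028d19b": "popunder.php",
    "86dfda35f3a035cd1a294fc427d9f2774f75fbda687902f261f2cf8d215938ff": "countryhits",
    "87a3d00fe14e3a773e905c00cc3a912999d41a3fcf4093fbec7c0c5ebae7bb77": "RigEK landing page",
    "b97163074bc8bb1893310e27aa673cbb89ae0ac9b88fad149fe2bfe9adcf4897": "RigEK Flash exploit",
    "82a322e80c3cc0645123812b8933bad1e88f164b82a649167bbca4028809ff13": "o32.tmp",
    "c3680493f64fce0dfe7cfa77a752ec15baa31c9ad5f76d5156fa6a465a399623": "q1t3ly73.exe",
    "4384458b9c3f09af64f386552588ea9b35e4aa7438bbb515dadf4b4619e10820": "2.css (32-bit)",
    "939ca8ad0e3c61b471d7fd918f4701e548f98084ff461fa7c897191b0f778fa4": "3.css (64-bit)",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    reason: str


def check_line(line_no: int, line: str) -> list[Hit]:
    """Return every IOC hit on one constructed log line."""
    f = line.split()
    if len(f) < 5:
        return []
    dst, proto = f[2], f[3]
    hits: list[Hit] = []
    # Destination IP is checked for every protocol: this catches the RIG EK
    # IP-literal Host header and Dreambot's bare TCP sessions alike.
    if dst in IOC_IPS:
        hits.append(Hit(line_no, dst, IOC_IPS[dst]))
    if proto == "http" and len(f) >= 7:
        host, path = f[5].lower(), f[6]
        if host in IOC_DOMAINS:
            hits.append(Hit(line_no, host, IOC_DOMAINS[host]))
        for pat, reason in IOC_URIS:
            if pat.match(path):
                hits.append(Hit(line_no, path, reason))
    elif proto == "dns":
        qname = f[4].lower().rstrip(".")
        if qname in IOC_DOMAINS:
            hits.append(Hit(line_no, qname, IOC_DOMAINS[qname]))
        elif qname.endswith(".onion"):
            # Any .onion lookup leaking to a resolver is suspect (the ET rule
            # above fires on this too), not just the one string in the post.
            hits.append(Hit(line_no, qname, "DNS query for .onion name"))
    return hits


def scan_log(lines) -> list[Hit]:
    return [h for n, ln in enumerate(lines, 1) for h in check_line(n, ln)]


def sha256_hit(hexdigest: str) -> str | None:
    return IOC_SHA256.get(hexdigest.lower())


def file_hash_hit(data: bytes) -> str | None:
    return sha256_hit(hashlib.sha256(data).hexdigest())


# Constructed sample traffic: one infected host (10.0.0.5) and one clean one.
SAMPLE_LOG = [
    "2017-07-26T14:02:11Z 10.0.0.5 80.77.82.41 http GET balkali.info /banners/countryhits",
    "2017-07-26T14:02:12Z 10.0.0.5 188.225.33.164 http GET 188.225.33.164 /",
    "2017-07-26T14:02:18Z 10.0.0.5 104.223.89.174 http GET 104.223.89.174 /home/2.css",
    "2017-07-26T14:02:20Z 10.0.0.5 192.168.1.1 dns wdwefwefwwfewdefewfwefw.onion",
    "2017-07-26T14:02:21Z 10.0.0.5 192.168.1.1 dns myip.opendns.com",
    "2017-07-26T14:02:25Z 10.0.0.5 193.23.244.244 tcp 443",
    "2017-07-26T14:03:00Z 10.0.0.7 93.184.216.34 http GET example.com /index.html",
    "2017-07-26T14:03:05Z 10.0.0.7 192.168.1.1 dns abcdefghij.onion",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator} -> {h.reason}")
    print("hash hit:", file_hash_hit(b"benign test bytes"))
```

Run it as-is to see the seven flagged lines; to use it on real data, feed `scan_log` an iterable of lines reshaped into the constructed format, and pass file contents to `file_hash_hit` (or digests straight to `sha256_hit`) to check downloads against the artifact list. IP and hostname matches are exact, so a change of C2 address drops the hit; the path patterns and the .onion check are the parts that are likely to survive infrastructure rotation.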
Downloads
HookAds RigEK 072617 – Malicious Artifacts.zip
Password is “infected”
Until next time!