Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.

The site I used for today’s malvertising chain appears to be a legitimate adult website, though one downstream of more popular ones. According to traffic estimates, the site has received roughly 637,100 visitors over the last 30 days. Alexa.com currently ranks it in the top 33,000 globally, with most of its visitors coming from India (14%), Germany (10%), Russia (6%), China (5%) and the United States (5%).

Below is a basic flowchart of the malvertising chain:

[Figure: flowchart of the malvertising chain]

Below are the TCP streams from the malvertising chain:

It should be noted that the decoy site is opened in a new tab.

As usual with the HookAds campaign, I was delivered Dreambot via RIG EK. Unfortunately, I couldn’t get the payload to run properly in my lab 😞 … However, here are some recent Dreambot IOCs collected from Brad: http://www.malware-traffic-analysis.net/2017/08/01/index.html

Network Based IOCs
  • 80.77.82.41 – cagnition.info – GET /banners/countryhits
  • 188.225.79.139 – IP-literal hostname used by RIG EK (landing page and Flash exploit)
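To turn the network IOCs above into something a defender can run over web-proxy logs, here is a small matcher added for this write-up (it is not the author's tooling or anything from the chain itself). Only the two IPs, the cagnition.info hostname and the /banners/countryhits path come from the post; the log format and the log lines are constructed for illustration. Besides exact IOC hits, it flags any request whose Host is a bare IP address, since the RIG EK side of this chain is served from an IP literal rather than a registered domain; treat that as a low-confidence hunting lead, not a verdict.

```python
"""Match the HookAds / RIG EK network IOCs from the post against web-proxy logs.

Example code added for this write-up. IOC values are from the post; the
log format and sample lines below are constructed and not real traffic.
"""
import re
from ipaddress import ip_address

# Network IOCs listed in the post.
IOC_IPS = {"80.77.82.41", "188.225.79.139"}
IOC_HOSTS = {"cagnition.info"}
IOC_PATHS = {"/banners/countryhits"}

# Assumed (constructed) log format: "<client_ip> <dst_ip> <METHOD> <url>"
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?")

# Constructed sample log; the RIG request path is a placeholder, not a real pattern.
SAMPLE_LOG = """\
10.0.0.5 104.16.0.1 GET http://example.com/index.html
10.0.0.5 80.77.82.41 GET http://cagnition.info/banners/countryhits
10.0.0.5 188.225.79.139 GET http://188.225.79.139/
10.0.0.7 203.0.113.9 GET http://203.0.113.9/update.bin
"""


def is_ip_literal(host):
    """True if the Host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return the list of reasons a log line matches; empty list means clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable"]
    reasons = []
    dst = m.group("dst")
    if dst in IOC_IPS:
        reasons.append("ioc-ip:" + dst)
    u = URL_RE.match(m.group("url"))
    if u:
        host = u.group("host").lower()
        path = u.group("path") or "/"
        if host in IOC_HOSTS:
            reasons.append("ioc-host:" + host)
        if path in IOC_PATHS:
            reasons.append("ioc-path:" + path)
        # Weak indicator: RIG EK in this chain is served from an IP-literal Host.
        if is_ip_literal(host):
            reasons.append("ip-literal-host:" + host)
    return reasons


def scan(log_text):
    """Return (line_number, reasons) for every line that matched something."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

The same pivot in Wireshark is the display filter `http.request && (ip.addr == 80.77.82.41 || ip.addr == 188.225.79.139)`, which is the kind of view the screenshot below shows.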

Here is a picture of some of the HTTP traffic being filtered in Wireshark:

[Figure: HTTP traffic filtered in Wireshark]

Hashes

SHA256: 227e17457aa719178a28b4fc1c85ab2909bb48c7ee484aa2ba30e7063b769984
File name: popunder.php.txt

SHA256: f86409d04e8f964f8554201270177478149b217dd3c01f0fe29fa9c95a8c2742
File name: countryhits.txt

SHA256: 8158d904b921b9c33425fac8d37376e8d5190e07284f2063a06491e7683c2307
File name: RigEK landing page from 188.225.79.139.txt

SHA256: e88cf614db2743dfab539304a434c4613d68ae6bec132016f4d7ec02f360c635
File name: RigEK Flash exploit from 188.225.79.139.swf

SHA256: fb13d8411a58f33433e7889a2b540e42be7dd18f53ed67a0cf52348e2c3280ef
File name: o32.tmp

SHA256: 6e7f74fb50217ee363622f8e70976342638049499523325df4c03c340e64bb15
File name: a2gnfa7u.exe

Downloads

Malicious Artifacts HookAds RigEK Dreambot 080217.zip

Until next time!
