The site I used for today’s malvertising chain appears to be a legitimate adult website; however, it is downstream of more popular ones. According to traffic estimates, the site has received roughly 637,100 visitors over the last 30 days. Alexa.com currently ranks the site in the top 33,000 globally, with most of its visitors coming from India (14%), Germany (10%), Russia (6%), China (5%) and the United States (5%).
Below is a basic flowchart of the malvertising chain:
Below are the TCP streams from the malvertising chain:
It should be noted that the decoy site is opened in a new tab.
As usual with the HookAds campaign, I was delivered Dreambot via RIG EK. Unfortunately, I couldn’t get the payload to run properly in my lab 😞 … However, here are some recent Dreambot IOCs collected from Brad: http://www.malware-traffic-analysis.net/2017/08/01/index.html
Network-Based IOCs
- 126.96.36.199 – cagnition.info – GET /banners/countryhits
- 188.8.131.52 – IP literal hostname used by RIG
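One way to hunt for these two indicators in web proxy logs, as an added example that is not from the original post. The record layout, the sample records and their documentation-range IP addresses are constructed, and treating the gate as the Referer of the request to the IP-literal host is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the IOC list above.
GATE_HOST = "cagnition.info"
GATE_PATH = "/banners/countryhits"

# Constructed sample proxy records (time, client, url, referer); the IP
# addresses are documentation-range placeholders, not values from this post.
SAMPLE_LOG = [
    ("10:00:01", "10.0.0.5", "http://example-site.test/popunder.php", ""),
    ("10:00:02", "10.0.0.5", "http://cagnition.info/banners/countryhits",
     "http://example-site.test/popunder.php"),
    ("10:00:03", "10.0.0.5", "http://192.0.2.10/?q=abc",
     "http://cagnition.info/banners/countryhits"),
    ("10:00:09", "10.0.0.7", "http://198.51.100.4/status", ""),
    ("10:00:11", "10.0.0.8", "http://news.example.test/index.html", ""),
]

def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def classify(url, referer):
    """Return a label for one request, or None if nothing matches."""
    u, r = urlsplit(url), urlsplit(referer)
    host = u.hostname or ""
    if host == GATE_HOST and u.path.startswith(GATE_PATH):
        return "hookads-gate"
    if is_ip_literal(host):
        # Assumption: the gate appears as Referer on the next hop.
        if (r.hostname or "") == GATE_HOST:
            return "ip-literal-after-gate"
        return "ip-literal-host"  # weak signal on its own, triage manually
    return None

def scan(records):
    """Return (time, client, label, url) for every flagged record."""
    return [(ts, client, label, url)
            for ts, client, url, referer in records
            if (label := classify(url, referer))]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

An IP-literal host alone also matches benign traffic such as appliance admin pages, so the higher-confidence hit is the one that follows the gate request from the same client.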
Here is a picture of some of the HTTP traffic being filtered in Wireshark:
File name: popunder.php.txt
File name: countryhits.txt
File name: RigEK landing page from 184.108.40.206.txt
File name: RigEK Flash exploit from 220.127.116.11.swf
File name: o32.tmp
File name: a2gnfa7u.exe
Until next time!