Malvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.

The site I used for today’s malvertising chain appears to be a legitimate adult website, though one sitting downstream of more popular ones. According to traffic estimates, the site has received roughly 637,100 visitors over the last 30 days and is currently ranked in the top 33,000 globally, with most of its visitors coming from India (14%), Germany (10%), Russia (6%), China (5%) and the United States (5%).

Below is a basic flowchart of the malvertising chain:


Below are the TCP streams from the malvertising chain:

It should be noted that the decoy site is opened in a new tab.

As usual with the HookAds campaign, I was delivered Dreambot via RIG EK. Unfortunately, I couldn’t get the payload to run properly in my lab 😞 … However, here are some recent Dreambot IOCs collected from Brad:

Network Based IOCs
  • – – GET /banners/countryhits
  • – IP literal hostname used by RIG
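The two network indicators above (the HookAds `/banners/countryhits` request and RIG's use of an IP literal in the Host header) are easy to turn into a quick triage filter. The following script is an added example, not from the original post or its pcap; the request lines it scans are constructed samples with documentation addresses, and the regex assumes a simple "src -> dst METHOD path Host: host" summary format exported from Wireshark.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in a Wireshark-style export (not from the post's capture).
SAMPLE_REQUESTS = [
    "10.0.0.5 -> 203.0.113.10 GET /banners/countryhits Host: ads.example.invalid",
    "10.0.0.5 -> 198.51.100.7 GET /?ct=Xj3Ke&q=w3tyF1 Host: 198.51.100.7",
    "10.0.0.5 -> 93.184.216.34 GET /index.html Host: www.example.com",
]

# Assumed summary format: "<src> -> <dst> <METHOD> <path> Host: <host>"
REQ_RE = re.compile(
    r"^\S+ -> (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+) Host: (?P<host>\S+)$"
)


def is_ip_literal(host: str) -> bool:
    """True when the Host header carries a bare IP (optionally with a port).

    RIG EK gate/landing traffic uses IP-literal hostnames, so this is a cheap
    first-pass indicator; legitimate traffic to IP hosts must still be reviewed.
    """
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [2001:db8::1]:80
        host = host[1:host.find("]")]
    else:                                # strip an optional ":port" from IPv4 / names
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str) -> List[str]:
    """Return the indicator tags that match one request line (empty if none)."""
    m = REQ_RE.match(line)
    if not m:
        return []
    tags = []
    if m.group("path").startswith("/banners/countryhits"):
        tags.append("hookads-countryhits")     # HookAds redirector path from the IOCs
    if is_ip_literal(m.group("host")):
        tags.append("ip-literal-host")         # RIG EK characteristic from the IOCs
    return tags


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged request line to its indicator tags; clean lines are dropped."""
    return {line: tags for line in lines if (tags := classify(line))}
```

Run `scan(SAMPLE_REQUESTS)` to get only the two suspicious lines back with their tags; pipe real exports through the same function to surface candidate redirector and EK requests for manual review.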

Here is a picture of some of the HTTP traffic being filtered in Wireshark:

traffic edited


SHA256: 227e17457aa719178a28b4fc1c85ab2909bb48c7ee484aa2ba30e7063b769984
File name: popunder.php.txt

SHA256: f86409d04e8f964f8554201270177478149b217dd3c01f0fe29fa9c95a8c2742
File name: countryhits.txt

SHA256: 8158d904b921b9c33425fac8d37376e8d5190e07284f2063a06491e7683c2307
File name: RigEK landing page from

SHA256: e88cf614db2743dfab539304a434c4613d68ae6bec132016f4d7ec02f360c635
File name: RigEK Flash exploit from

SHA256: fb13d8411a58f33433e7889a2b540e42be7dd18f53ed67a0cf52348e2c3280ef
File name: o32.tmp

SHA256: 6e7f74fb50217ee363622f8e70976342638049499523325df4c03c340e64bb15
File name: a2gnfa7u.exe



Until next time!
