On 08/02/17 I used the domain www2[.]davidhelpling[.]org to redirect my host to a RIG EK landing page located at 184.108.40.206.
RIG ended up dropping URLZone, which is a banking Trojan first discovered in 2009. More recently URLZone has been seen targeting Japan via malspam campaigns. You can read more about URLZone at the link below, as well as view the VirusTotal and Hybrid-Analysis report from that infection:
On August 3rd, I used the same campaign for another infection however instead of being redirected to RIG I was redirected to a domain hosting those all too familiar flash player “update” scams. Below is the redirection chain:
scr.php returned some script that redirected to the fake flash player update page.
Users will install these fake flash player updates, especially if they are coming from a video streaming site, as they tend to believe that the update is required to view the video(s).
Below is an image of the landing page:
Nothing special here, just your typical fake flash player update page. Once the page loads the user is given the option of installing “flashplayer_install_win.exe”. I thought this would be another case of adware but after doing some basic dynamic analysis I could tell this was a Miner. This was later confirmed by @Antelox (thanks!) who identified it as XMRig CoinMiner.
Following the execution of flashplayer_install_win.exe we can see some HEAD requests for /062/system.exe and /062/1.bat located at porntovirt.ru (220.127.116.11):
Looking at the process tree below we also see the download of a file called Security.exe.
The /062/ directory is still open:
The 1.bat file (https://pastebin.com/YjUdNKxE), while obfuscated, ended up only being a couple lines of code that set the number of processors and file attributes:
We see instructions for connections to xmr.pool.minergate.com via TCP port 45560:
We also see Gmail address email@example.com in 1.bat.
The hidden files were in fact found in C:\ProgramData\System32:
During further examination of the server hosting the XMRig CoinMiner I located some interesting statistics:
It shows the IPs, OS, browser, browser version, language, user-agent, and clicks from the users visiting the site. Other columns show the breakdown of the countries by count and click, as well as the breakdown of the platform by count and click.
Below are some quick graphs and a map that I made using the statistics:
Internet Explorer was the clear winner of the battle of the browsers. There was also a lot of activity from Windows 7 and Windows XP users, however, Windows 7 had 59 clicks while Windows XP had only 5. Lastly, while most visitors were from Spain, the United States brings home the gold medal in clicks. Overall, the pattern shows a pretty low click rate.
I wouldn’t be surprised if we started seeing more diversity of payloads from these kind of scam pages. Furthermore, with Flash set to die off in 2020 we will likely see shifts to fake updates focusing on Java, etc.
- 18.104.22.168 – RIG EK
- 22.214.171.124 – porntovirt.ru
- 126.96.36.199 via TCP port 45560
File name: flashplayer_install_win.exe
File name: system.exe
File name: Security.exe
File name: 1.bat
Password is “infected”
Until next time!