Campaign Leads to RIG EK and Fake Flash Player Update Site. RIG Drops URLZone and Fake Flash Player Update Drops a Miner.

On 08/02/17 I used the domain www2[.]davidhelpling[.]org to redirect my host to a RIG EK landing page located at 188.225.79.139.

Redirect to RIG EK

RIG ended up dropping URLZone, which is a banking Trojan first discovered in 2009. More recently URLZone has been seen targeting Japan via malspam campaigns. You can read more about URLZone at the link below, as well as view the VirusTotal and Hybrid-Analysis report from that infection:

https://securityintelligence.com/tag/urlzone/

The VirusTotal and Hybrid-Analysis reports.

On August 3rd, I used the same campaign for another infection; however, instead of being redirected to RIG, I was redirected to a domain hosting those all-too-familiar Flash Player “update” scams. Below is the redirection chain:

TCP stream edited

scr.php returned some script that redirected to the fake flash player update page.

scr dot php

Users will install these fake Flash Player updates, especially when they come from a video streaming site, because they tend to believe the update is required to view the video(s).

Below is an image of the landing page:

fake flash player update edited

Nothing special here, just your typical fake Flash Player update page. Once the page loads, the user is given the option of installing “flashplayer_install_win.exe”. I thought this would be another case of adware, but after doing some basic dynamic analysis I could tell this was a miner. This was later confirmed by @Antelox (thanks!), who identified it as XMRig CoinMiner.

Following the execution of flashplayer_install_win.exe we can see some HEAD requests for /062/system.exe and /062/1.bat located at porntovirt.ru (88.212.240.244):

HEAD requests

Looking at the process tree below we also see the download of a file called Security.exe.

processes

The /062/ directory is still open:

Index of 062

The 1.bat file (https://pastebin.com/YjUdNKxE), while obfuscated, ended up being only a couple of lines of code that set the number of processors and the file attributes:

Cleaned 1.bat (cleaned & commented by my buddy IRDivision, thanks!)

We see instructions for connections to xmr.pool.minergate.com via TCP port 45560:

Contacted host

We also see Gmail address testfilatovmarafon@gmail.com in 1.bat.

The hidden files were in fact found in C:\ProgramData\System32:

ProgramData System32
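As an added example (not part of the original post or the malware's own code), the indicators from this infection can be turned into a small triage check: it scans constructed HTTP, connection and file-attribute log lines and flags the stage-2 HEAD requests to /062/, the mining pool connection on TCP 45560, and hidden files under the fake C:\ProgramData\System32 directory. The log formats and the sample lines are constructed for the example; the indicator values are the ones given above.

```python
import re

# Indicators observed in this infection (values as given in the post).
MINER_POOL_HOSTS = {"xmr.pool.minergate.com", "5.9.58.111"}
MINER_POOL_PORTS = {45560}
STAGING_HOSTS = {"porntovirt.ru", "88.212.240.244"}
STAGING_PATHS = {"/062/system.exe", "/062/1.bat"}
# Drop directory masquerading as a system path; the real System32 lives under C:\Windows.
DROP_DIR = r"c:\programdata\system32"

# Constructed log line formats for this example (not a real product's format).
HTTP_RE = re.compile(r"^(?P<ts>\S+) http (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$")
FILE_RE = re.compile(r"^(?P<ts>\S+) file (?P<path>.+?) attrib=(?P<attrib>\S+)$")


def classify(line):
    """Return a short verdict if the line matches an indicator, otherwise None."""
    m = HTTP_RE.match(line)
    if m:
        if m["host"] in STAGING_HOSTS and m["path"] in STAGING_PATHS:
            return f"stage-2 download: {m['method']} {m['host']}{m['path']}"
        return None
    m = CONN_RE.match(line)
    if m:
        if m["dst"] in MINER_POOL_HOSTS or int(m["port"]) in MINER_POOL_PORTS:
            return f"mining pool connection: {m['dst']}:{m['port']}"
        return None
    m = FILE_RE.match(line)
    if m:
        # 'H' in the attribute string means the hidden attribute is set (as 1.bat does).
        if m["path"].lower().startswith(DROP_DIR) and "h" in m["attrib"].lower():
            return f"hidden file in fake System32 directory: {m['path']}"
        return None
    return None


def scan(lines):
    """Return (line, verdict) pairs for every line that matches an indicator."""
    return [(ln, v) for ln in lines if (v := classify(ln))]


# Constructed sample log mixing the infection's traffic with benign noise.
SAMPLE_LOG = """\
2017-08-03T10:00:01 http GET example.com /index.html
2017-08-03T10:00:05 http HEAD porntovirt.ru /062/system.exe
2017-08-03T10:00:05 http HEAD porntovirt.ru /062/1.bat
2017-08-03T10:00:09 file C:\\ProgramData\\System32\\system.exe attrib=RSH
2017-08-03T10:00:09 file C:\\Users\\Public\\notes.txt attrib=A
2017-08-03T10:00:12 conn 10.0.0.5 -> xmr.pool.minergate.com:45560
2017-08-03T10:00:15 conn 10.0.0.5 -> 192.0.2.10:443
""".splitlines()

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(f"{verdict}\n    {line}")
```

The port check catches the pool connection even if the miner is pointed at a different pool host, while the directory check keys on the masquerading path rather than the file name.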

During further examination of the server hosting the XMRig CoinMiner I located some interesting statistics:

Stats edited

It shows the IPs, OS, browser, browser version, language, user-agent, and clicks from the users visiting the site. Other columns show the breakdown of the countries by count and click, as well as the breakdown of the platform by count and click.

Below are some quick graphs and a map that I made using the statistics:

Platform and clicks; browser count; activity by country

Internet Explorer was the clear winner of the battle of the browsers. There was also a lot of activity from Windows 7 and Windows XP users; however, Windows 7 had 59 clicks while Windows XP had only 5. Lastly, while most visitors were from Spain, the United States brings home the gold medal in clicks. Overall, the pattern shows a pretty low click rate.

I wouldn’t be surprised if we started seeing more diversity of payloads from these kinds of scam pages. Furthermore, with Flash set to die off in 2020, we will likely see shifts to fake updates focusing on Java, etc.

Network Traffic

  • 188.225.79.139 – RIG EK
  • 88.212.240.244 – porntovirt.ru
  • 5.9.58.111 via TCP port 45560

Hashes

SHA256: 653c7267c92601548f3b44f304294e77284be75d7f03ed6e7a6821ca8dd156ff
File name: flashplayer_install_win.exe
Hybrid-Analysis Report

SHA256: 0ebadbfdd853d5e6977e58712b8d5912d960eec008322285dc7f3eaa86c0c166
File name: system.exe
Hybrid-Analysis Report

SHA256: 91131690a5e611a4002ff093640fb0a822ceec455b78a03431f4e82bbd3b2934
File name: Security.exe
Hybrid-Analysis Report

SHA256: 93cc8f39754cc60e4c936d07b013d3734540a7e5e50d78b62308634a2d4435af
File name: 1.bat

Downloads

Malicious Artifacts.zip
Password is “infected”

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
