This campaign has been dubbed “Fobos” because the actors were using the registrant email address firstname.lastname@example.org. FireEye first published an article on Fobos back in March 2017, “Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits,” which discussed it in relation to RIG exploit kit. The article mentioned that they started tracking this campaign in the final quarter of 2016 and that the threat actors were using 302 redirects from ads to load the casino-themed Fobos domains. These Fobos domains contained iframes which redirected to RIG exploit kit.
The HTTP traffic from this infection is shown below:
777betx[.]info is one of the Fobos domains which contained an iframe pointing to 213jkhgfdghj[.]ga/bbc/index.php, another domain used by these operators:
213jkhgfdghj[.]ga/bbc/index.php returns a script that contains the iframe pointing to the RIG exploit kit landing page:
This campaign appears to be using RIG exploit kit to drop the Bunitu proxy Trojan. hasherezade posted a really good write-up on the Bunitu Trojan, “Revisiting The Bunitu Trojan,” covering a case where it was being dropped by Neutrino exploit kit via malvertising.
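As an added example (not code from the original post), the script below walks constructed proxy-log lines and flags a client whose requests follow the redirect chain described above: an ad response with a 302, the /bbc/index.php gate, a landing page on a bare-IP hostname, then a Flash file fetched from that same host. The log format, the referer tracking, the 203.0.113.x addresses and the example hostnames other than the two Fobos domains are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed proxy log (not a capture from the original infection).
# Fields: client  status  host  path  referer-host
SAMPLE_LOG = """\
10.0.0.5 302 ads.adnetwork.test /click?id=77 -
10.0.0.5 200 777betx.info / ads.adnetwork.test
10.0.0.5 200 213jkhgfdghj.ga /bbc/index.php 777betx.info
10.0.0.5 200 203.0.113.10 /?MjEzNTk 213jkhgfdghj.ga
10.0.0.5 200 203.0.113.10 /index.php?q=abc.swf 203.0.113.10
10.0.0.7 200 news.site.test /article/1 -
10.0.0.7 200 203.0.113.20 /player.swf news.site.test
"""


def _is_ip_literal(host):
    """True when the Host header is a bare IP rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_log(text):
    """Group requests per client, preserving their order."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        client, status, host, path, referer = line.split()
        by_client[client].append(
            {"status": status, "host": host, "path": path, "referer": referer})
    return by_client


def match_chain(requests):
    """Walk one client's requests and record each chain stage as it is hit."""
    seen = {}  # stage name -> host that served it (insertion order = chain order)
    for r in requests:
        n = len(seen)
        if n == 0 and r["status"] == "302":                       # ad redirect
            seen["ad_302"] = r["host"]
        elif n == 1 and r["path"].startswith("/bbc/index.php"):   # Fobos gate
            seen["fobos_gate"] = r["host"]
        elif (n == 2 and _is_ip_literal(r["host"])                # RIG landing page,
              and r["referer"] == seen["fobos_gate"]):            # reached from the gate
            seen["ek_landing"] = r["host"]
        elif (n == 3 and r["host"] == seen["ek_landing"]          # Flash exploit from
              and ".swf" in r["path"].lower()):                   # the same landing host
            seen["ek_flash"] = r["host"]
    return seen


def flag_clients(text):
    """Return clients that completed all four stages, with the stage order."""
    return {c: list(match_chain(reqs)) for c, reqs in parse_log(text).items()
            if len(match_chain(reqs)) == 4}
```

A client that only fetched a .swf from a bare-IP host without passing through the gate does not trigger, which keeps the rule tied to this chain rather than to Flash traffic in general.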
The payload was dropped and executed in %Temp%, which then dropped fastdrv.dll in %LocalAppData%:
See the process tree below:
The process tree shows fastdrv.dll being dropped in %LocalAppData% and firewall rules being added to allow connections.
We can see the details of the running process Rundll32:
The Trojan also modifies auto-execute functionality by setting/creating the following values in the registry:
It also modifies proxy settings by deleting the following values:
Network based IOCs found during this infection include the following DNS queries:
g.driftinhishouse.com – 18.104.22.168
r.driftinhishouse.com – 22.214.171.124
As well as connections via TCP port 443:
Connections to the proxy:
As hasherezade stated in the Malwarebytes Lab article (linked above), the Bunitu proxy Trojan “may have various consequences for the infected user. Basically, it uses his/her resources and slows down the network traffic. But it may also frame him/her in some illegal activities carried by the attackers due to the fact that the infected client’s IP is the one visible from the outside.”
Network Based IOCs
File name: RigEK landing page from 184.108.40.206.txt
File name: RigEK Flash exploit from 220.127.116.11.swf
File name: a6erdcmc.exe
File name: fastdrv.dll
Fobos RigEK Bunitu Trojan 081617.zip
Password is “infected”
Until next time!