The HookAds campaign is still active and there have been some recent changes. For starters, this campaign usually drops a variant of Ursnif known as Dreambot. However, the sample that I got today seems more likely to be a ZeuS variant. This was later confirmed by my friend @Antelox who identified it as ZeuS Panda.
Let’s first look at the HTTP traffic involved in the infection chain and then we will examine some of the code:
We see my host making connections to the decoy site, which I’ve hidden. Normally, host would be redirected to one of these decoy sites via malvertising.
The decoy site still contains a script to grab the file popunder.php:
Popunder.php contains the following packed and obfuscated code:
Running the code shows variable p returning the following code:
At the bottom of the code you can see var scr = containing a base64 encoded string:
aHR0cDovL3JvY2tzaWRlbnQuaW5mby9iYW5uZXJzL2FkdmVydGlzaW5n
Decoding the string returns the following URL:
hxxp://rocksident.info/banners/advertising
We can also see that an iframe is inserted in the web page, instructing the browser to load content from the malicious URL.
The URL returns what has been called the pre-landing page which is designed to filter out unwanted traffic. Here is an image of the pre-landing page showing some more packed code:
The browser will execute the embedded script, allowing us to examine the contents of variable p:
Here we can see that if (BrowserInfo.is_bot == true) then the host should expect to see a page showing “404 Not Found,” among other things. This is followed by the else statement, used to specify the next block of code to be executed if the same condition is false (not a “bot”).
This section of the code also contains another base64 encoded string:
aHR0cDovLzE4OC4yMjUuODMuMTQ5Lz9OalkzTmpRNSZ0d2l4eT14WHZRTXZXWmJSWFFDNTNFS3ZqY1Q2TkVNVkhSSEVDTDJZcWRtckhTZWZqYWVWV2t6cmJGVEZfd296S0FUd1NHNl9KdGRmSiZwYXJ0eT1VRFFyampCSFJlZ2Rvbk50Y1d3Z1Q5cXFuaWtXRXp4U1kxSi1GLVVIZk1nc1RyY2FVRnJadDJWejBtN1VrUVBzbGcxVEg2R0kmYm13YT1PRFUxTURreE5BPT0=
As you might have already guessed, this decodes to show the URL of the RIG EK landing page:
hxxp://188.225.83.149/?NjY3NjQ5&twixy=xXvQMvWZbRXQC53EKvjcT6NEMVHRHECL2YqdmrHSefjaeVWkzrbFTF_wozKATwSG6_JtdfJ&party=UDQrjjBHRegdonNtcWwgT9qqnikWEzxSY1J-F-UHfMgsTrcaUFrZt2Vz0m7UkQPslg1TH6GI&bmwa=ODU1MDkxNA==
It also shows that the host is to use the POST method when requesting the RIG EK landing page. This matches the HTTP traffic shown at the beginning of the article.
I already mentioned that the payload being delivered by the HookAds campaign is usually Dreambot, however, this time it was ZeuS Panda.
The initial malware payload (bilonebilo.exe) was dropped and executed in %TEMP%:
We can also see some .tmp files being created in %TEMP%.
The malware copied itself to C:Users[username]AppDataRoamingMacromediaFlash Playermacromedia.comsupportflashplayersyswebapps.exe:
An in-depth report from G Data, which can be found HERE, explains how ZeuS Panda finds a directory under %APPDATA%Roaming that is empty, has a path that is at least 140 characters long, doesn’t contain certain strings like “Microsoft”, and is as deep in the directory tree as possible. Their analysis also showed that Panda created four files with random extensions. In my infection these happened to be .hou, .oze, .pow, and .sol.
HKCUSoftwareMicrosoftWindowsCurrentVersionRun is being used for its persistence mechanism:
Additional keys being created in HKCUSoftwareMicrosoft:
Not long after the payload was dropped and executed on the host we see post-infection network traffic to 5.8.88.219 via TCP port 443:
Here are some additional DNS queries and responses captured during my second run:
This shows DNS requests for nekfad.xyz, which resolves to 5.8.88.219, as well as a PTR record with the hostname davydovamihalina02.example.com.
Origin AS: AS62088
inetnum: 5.8.88.0 – 5.8.88.255 (5.8.88.0/24)
netname: MoreneHost
country: NL
The infected host was also making connections to Google.com using the following User-Agent string:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Here are some details captured during the post-infection TCP connections:
Remote Address: 5.8.88.219
Remote Host Name: davydovamihalina02.example.com
Remote Port: 443
Process Name: svchost.exe
Process Path: C:Windowssystem32svchost.exe
Remote Address: 172.217.11.174
Remote Host Name: lax28s15-in-f14.1e100.net (Google.com)
Remote Port: 80
Process Name: svchost.exe
Process Path: C:Windowssystem32svchost.exe
The malware launches instances of svchost to communicate with the C2 server.
Network based IOCs
- 80.77.82.41 – rocksident.info – GET /banners/advertising
- 188.225.83.149 – IP literal hostname used by RIG EK
- 188.225.83.137 – IP literal hostname used by RIG EK (Run 2)
- 5.8.88.219 – callback traffic via TCP port 443
Hashes
SHA256: ebfbed3dcb88f480bffc9f8855d43b4c0d3ffc37919a25a382e8233c5f171b84
File name: popunder.php.txt
SHA256: b18b668915e46a1e3cd0515449d8f958df4e7cb998c549c9b52bd73555586edf
File name: advertising.txt
SHA256: 25ea9df2932a2441a919978151145c6aeff96c89830bb0d0cd6dfb55e7e3e6eb
File name: RigEK landing page from 188.225.83.149.txt
SHA256: ef9861034c348993c4962008860264d69c4144431b84c94483d1c3d7da3ad0dc
File name: RigEK Flash exploit from 188.225.83.149.swf
SHA256: 5007255195dc24c63dfc7bdcddaa827893c8fce5bc080bdf1ab2c55b08e267bb
File name: o32.tmp
SHA256: 161385403c4044b0ee62b56a5f038d3bb9bb62274a98bf539e978592f65fe2f5
File name: bilonebilo.exe
Hybrid-Analysis Report
SHA256: 318d7b19ac9d836eeb6ddc4ee2d767ccd4aca2c445c373a0b4b5afd142a700d8
File name: bilonebilo.exe (2nd run)
Hybrid-Analysis Report
Downloads
Malicious Artifacts from HookAds 091317
For some reason WordPress wouldn’t let me upload the files so I had to use a free hosting service called TinyUpload.com. The password for the files is “infected”.
Until next time!
Additional References:
https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
Malware breakdown 