Malvertising Leads to RIG EK and Drops Remcos RAT.

On 9/22/17, had tweeted out images of an infection chain involving some malvertising and RIG exploit kit. Below is an image of the Tweet:

Twitter

One of the images seems to show a referer from PopCash.net, which is a popunder advertising network:

Capture

The URI used by the popcash.net referer contains a base64/URL encoded string that decodes to /hxxp://mp3club[.]xyz/?q=mary-jane-girls-all-night-long?cb=6092719085137035.

It would seem that the user visited mp3club[.]xyz, which currently contains JavaScript that specifies the URL of an external script file located at cdn.popcash.net/pop.js.

The popunder from PopCash.net appears to have redirected the user to itransportandlogistics[.]com, which contained the malicious iframe:

Compromised site with iframe

page source with RIG EK landing page URL

The iframe redirected to the RIG EK landing page, which dropped the malicious payload in %TEMP%:

TEMP 1

Executing the malicious payload shows the process bilonebilo43.exe creating a hidden copy of itself at C:\Users\[Username]\AppData\Roaming\remcos\remcos.exe:

Hidden AppData Roaming

bilonebilo43.exe then sets the AutoStart registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\remcos:

Run registry

Followed by bilonebilo43.exe setting the AutoStart registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\remcos:

HKLM Run

I also found this entry in the registry (HKCU\Software\Remcos-BGXZ2U):

EXEpath

bilonebilo43.exe then created the file C:\Users\[Username]\AppData\Local\Temp\install.vbs:

Temp

install vbs file

bilonebilo43.exe then creates process WScript.exe and executes the .vbs:

process

Following the execution of remcos.exe there was attempted callback traffic to 194.68.59.62 via TCP port 1122, however the server responded with a [RST, ACK]:

attempted callback

The payload was identified as Remcos RAT by my friend @Antelox.

Fortinet has a good write-up on this RAT, which you can read at the following URL: https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2.

Network Based IOCs
  • 192.185.167.28 – itransportandlogistics[.]com
  • 5.23.49.93 – IP literal hostname used by RIG EK
  • 194.68.59.62 – Callback attempts via TCP port 1122
Hashes

SHA256: 6da78abc94cfed0728a937566590bb4c2dfc683c47b5a2447157bbc471b7a4dd
File name: Landing page.txt

SHA256: 683f29ebb7e17219cc064e340a7890ae76875cab24b0aefc23d509654f62a775
File name: Flash exploit.swf

SHA256: 96c729d88f7dc0cdb71451b9b0dc52db435f6b2769b91060e336813371ef87ed
File name: o32.tmp

SHA256: 6084cf3b71c74f9dc62f66acff51a722e9948801ad300cc68d88b7a392a01610
File name: bilonebilo43.exe
Hybrid-Analysis Report

SHA256: bc45bf7b100e55e5bed86b038404c5c9771aafb682e0db037fa0bf1b175900f1
File name: install.vbs

Downloads

Malicious artifacts REMCOS RAT.zip

The password is “infected”.

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: