On 9/22/17, @thlnk3r had tweeted out images of an infection chain involving some malvertising and RIG exploit kit. Below is an image of the Tweet:
One of the images seems to show a referer from PopCash.net, which is a popunder advertising network:
The URI used by the popcash.net referer contains a base64/URL encoded string that decodes to /hxxp://mp3club[.]xyz/?q=mary-jane-girls-all-night-long?cb=6092719085137035.
The popunder from PopCash.net appears to have redirected the user to itransportandlogistics[.]com, which contained the malicious iframe:
The iframe redirected to the RIG EK landing page, which dropped the malicious payload in %TEMP%:
Executing the malicious payload shows the process bilonebilo43.exe creating a hidden copy of itself at C:\Users\[Username]\AppData\Roaming\remcos\remcos.exe:
bilonebilo43.exe then sets the AutoStart registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\remcos:
Followed by bilonebilo43.exe setting the AutoStart registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\remcos:
I also found this entry in the registry (HKCU\Software\Remcos-BGXZ2U):
bilonebilo43.exe then created the file C:\Users\[Username]\AppData\Local\Temp\install.vbs:
bilonebilo43.exe then creates process WScript.exe and executes the .vbs:
Following the execution of remcos.exe there was attempted callback traffic to 18.104.22.168 via TCP port 1122, however the server responded with a [RST, ACK]:
The payload was identified as Remcos RAT by my friend @Antelox.
Fortinet has a good write-up on this RAT, which you can read at the following URL: https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2.
Network Based IOCs
- 22.214.171.124 – itransportandlogistics[.]com
- 126.96.36.199 – IP literal hostname used by RIG EK
- 188.8.131.52 – Callback attempts via TCP port 1122
File name: Landing page.txt
File name: Flash exploit.swf
File name: o32.tmp
File name: bilonebilo43.exe
File name: install.vbs
The password is “infected”.
Until next time!