Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.

A couple days ago I came across an unusual looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us:

malicious site

Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that this site received 500K visitors over the last 30 days. When I was researching the site, I was redirected via malicious ad traffic to tech support scams. This leads me to believe the initial referer was from malvertising. The malvert likely redirected the host to pay-scale[.]us via a 3XX status code.

Examining the page source for pay-scale[.]us shows the website was mirrored from usmotors[.]com using HTTrack Website Copier:

page source

Looking a little farther down the page we can see how the user got redirected to RIG EK from pay-scale[.]us:

page source iframe

The domain in the hidden iframe, medical-help[.]top, resolves to 91.92.136.170.

Looking at the Whois information shows these domains were registered using the name “Terry Kornfeld” and email address morganaanna7@gmail.com. Searching for all domains registered using that name and/or email address returned the following:

Domain Registered
i-yourdoctor[.]top 10/8/2017
highqualitywebhelp[.]top 10/8/2017
filmsdays[.]top 10/4/2017
photosetty[.]us 10/2/2017
pay-scale[.]us 10/1/2017
madicalcareme[.]top 9/19/2017
mymedicalcare[.]us 9/17/2017
photo24[.]top 9/9/2017
medical-help[.]top 9/9/2017
These sites should be considered malicious. Additionally, some of them are being used for C2 activities. More on that later.

Below is the GET request that was generated due to the hidden iframe on pay-scale[.]us:

GET for F4tZ8S edited

The server returns a 302 Found with a location containing the RIG EK landing page URL.

Further examination of the infrastructure being used in this campaign show that the threat actor(s) are utilizing Keitaro TDS:

Below is an image of the HTTP traffic captured during this infection chain:

HTTP traffic edited

RIG EK dropped two identical Quant Loader payloads in %TEMP%:

Temp

When Quant Loader was executed it copied itself to %APPDATA%\[uid]\svchost.exe:

AppData copy edited

[uid] is the eight-digit unique ID generated for the infected host. Forcepoint shows how the unique ID is generated:

  1. Obtain the Windows GUID value from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cryptography
  2. Extract only the number values, no letters or dashes
  3. Copy 8 of the numbers, beginning with the 5th number

The malware then re-launches itself under “svchost.exe” and creates file “C:\Users\[Username]\AppData\Local\Temp\per”. The following processes and actions were recorded:

  1. svchost.exe creates process regini.exe
  2. regini.exe reads data from file %TEMP%\per
  3. svchost.exe deletes file %TEMP%\per
  4. svchost.exe sets AutoStart registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Qt”

HKCU Run edited

Quant Loader also modifies Windows Firewall to allow outbound communications using the command:

netsh.exe advfirewall firewall add rule "name=Quant" "program=c:\users\appdata\[uid]\svchost.exe" dir=Out action=allow

 
Quant Loader modifies outbound Windows Firewall rules edited

I found post-infection traffic to the C2 at filmsdays[.]top/q/, which was registered by “Terry Kornfeld” using the email address morganaanna7@gmail.com:

index filmsdays dot top

c2 traffic returns address of follow up malware edited

  • id = the unique ID of the infected host
  • c = the current index of the server being used
  • mk = string likely used as an affiliate of campaign ID
  • il = Haven’t confirmed
  • vr = Haven’t confirmed but could be version number
  • bt = Haven’t confirmed but could be x86 or x64

Below is an example of the Quant Loader C2 TCP connections captured during my infection:

Remote Address: 85.217.170.186
Remote Host Name: t.co
Remote Port: 80
Process Name: svchost.exe
Process Path: C:\Users\Win7 32bit\appdata\roaming\[uid]\svchost.exe
Remote IP Country: Bulgaria

Remote Address: 212.73.150.215
Remote Host Name: v22597.vps.ag
Remote Port: 80
Process Name: svchost.exe
Process Path: C:\Users\Win7 32bit\appdata\roaming\[uid]\svchost.exe
Remote IP Country: Bulgaria

In my infection the first server (c=1) responded with the location of follow-up malware located at motorsus[.]us/fb.exe.

Motorsus[.]us appears to be under control of the same threat actor(s). The name and email used to register this domain is “Lee M Clark” and john.benjack@mailfence.com. Below is a list of current domains using that registrant information.

Domain Registered
motorsus.us 10/1/2017
seechicagodance.us 10/1/2017

This payload is dropped in %TEMP% and executed.

FormBook

The malware being downloaded by Quant Loader was identified as FormBook by my friend @Antelox.

FormBook, once executed, copied itself (it was hidden) to %USERPROFILE%:

Users

The malware was renamed to mfcgn2pl.exe.

According to FireEye, it can also use the following prefixes for its name:

  • ms
  • mfc
  • win
  • gdi
  • vga
  • igfx
  • user
  • help
  • config
  • update
  • regsvc
  • chkdsk
  • systray
  • audiodg
  • certmgr
  • autochk
  • taskhost
  • colorcpl
  • services
  • IconCache
  • ThumbCache
  • Cookies

It can also use the following file extensions:

  • .exe
  • .com
  • .scr
  • .pif
  • .cmd
  • .bat

If it is running with normal privileges it is copied to one the following directories:

  • %USERPROFILE%
  • %APPDATA%
  • %TEMP%

Here is another image showing another copy called Cookiescz7x.cmd being created in %APPDATA%:

Cookiescz7x.cmd AppData edited

If it is running with elevated privileges it copies itself to one of the following directories:

  • %ProgramFiles%
  • %CommonProgramFiles%

In my infection I found it configuring persistence to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

HKLM Run

However, depending on its privileges, it can also use the following locations for persistence:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

FormBook was beaconing to basefilm[.]top/tesla/shell123/config.php.

Basefilm[.]top is registered to “Shirhall Shirhall” and is using the registrant email address annacrown44@gmail.com.

I captured the following GET requests:

FormBook C2 GET edited

The parameter “id” shown in the URL contains encoded information about the system.

The malware also uses HTTP POST requests to send data back to basefilm[.]top/tesla/shell123/config.php:

POST

According to FireEye, these messages to the C2 are RC4 encrypted and Base64 encoded.

FireEye also mentions that FormBook will use “function hooks to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions.”

For keystrokes captured during a browsing session with Internet Explorer it created the following file:

  • %APPDATA%\JQ18T541\JQ1log.ini

AppData 3

You can see my HTTP sessions and keystrokes being captured in the .ini file:

FormBook Keystrokes

Quick note. My friend @Antelox examined the FormBook sample and discovered that it downloaded ZeuS Panda with web injects for PayPal, eBay, Amazon, and BoQ (Bank of Queensland). The ZeuS sample can be viewed below:

https://www.virustotal.com/en/file/e4474970dd8d2f9e4a3d4a0fa06d82f8d6c2af49737d6cb2e5db6a388aa930ba/analysis/

Network Based IOCs
  • 212.73.150.215 – pay-scale[.]us – Malicious dummy site
  • 91.92.136.170 – medical-help[.]top – Redirected to RIG EK
  • 176.57.217.78 – IP literal hostname used by RIG EK
  • 85.217.170.186 – filmsdays[.]top – GET /q/index.php – Quant Loader C2
  • 212.73.150.215 – motorsus[.]us – GET /fb.exe – GET for FormBook
  • 169.239.128.162 – basefilm[.]top – GET and POST /tesla/shell123/config.php – FormBook beacon and C2

DNS queries for kinnomanna.top:

DNS request

Hashes

SHA256: c10c659498c3bd5ed8454c0041739db7d324ddd09126c16ea229ab30e9232de4
File name: RigEK landing page.txt

SHA256: b5dc599319b6f0968db9318e3d5dbbd6939c4d7b879e45269210a5878b7551a4
File name: RigEK Flash exploit.swf

SHA256: 22aba6be7e754e7163e8adb72f7235ad97ff411a29c98444ddacc24bd04cdc34
File name: o32.tmp

SHA256: 8e94bd154dbea3d020cce1e216f4a327d0ddf65737847ffed34113bf3fdb22dd
File name: bilonebilo417.exe
Hybrid-Analysis Report

SHA256: 2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82
File name: fb.exe
Hybrid-Analysis Report

SHA256: 0fa6898d426a6176ff7673d2d5336879d418f5be2714605eb32985626f508357
File name: 05110.exe
Hybrid-Analysis Report

SHA256: 72a4b137b02b0ef45f5013b88228132081cff1ecfeccecae5e70069bf38c5ba0
File name: 15838.exe
Hybrid-Analysis Report

Downloads

Malicious Artifacts

Password is “infected”

References:

  1. https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground
  2. https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: