Fobos Campaign Uses HookAds Template and Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at malwarebreakdown.com

On closer inspection, it looks like Fobos is redirecting to the HookAds template (thanks Jerome for double-checking that for me). The decoy site that redirected to HookAds on 03/07/18, shown HERE, contains the same code found in this infection chain on 03/11/18.

HTTP traffic:

[Image: Fiddler HTTP traffic]

The decoy site contains some packed JavaScript:

[Image: packed JavaScript on the decoy site]

Unpacked:

[Image: unpacked decoy site JavaScript]

The Base64 string shown above is decoded and the output is used in the iframe, causing the following GET request:

[Image: request and response]

The server responds with a 301 Moved Permanently pointing to the directory /ywkk/. The request for /ywkk/ returns the pre-landing page with more packed JavaScript:

[Image: packed and decoded pre-landing page JavaScript]

Unpacked:

[Image: unpacked pre-landing page]

The pre-landing page filters out unwanted traffic; visitors that fail its checks are shown a page reading “404 Not Found”:

[Image: Firefox showing 404 Not Found]

Victims that are redirected to the RIG EK landing page are delivered the Bunitu proxy Trojan.
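The decoy page and the pre-landing page both hide their logic behind p,a,c,k,e,r-style packing, and the decoy page then base64-decodes an iframe with atob(). The following Python is an added example, not code from this post or from the campaign: it unpacks a constructed packer wrapper, decodes every atob() literal it finds, and pulls out the iframe destinations for triage. The packed sample, the hostname decoy.example.invalid and the function names are all assumptions built for the demonstration; real samples often escape quotes inside the packed string, which the simple wrapper regex here does not handle.

```python
import base64
import re

# --- Constructed sample (not the campaign's actual code) -----------------------
# A one-pixel iframe pointing at a placeholder host, mirroring the decoy page's
# technique of base64-encoding the iframe HTML and emitting it through atob().
DECOY_HTML = '<iframe src="http://decoy.example.invalid/ywkk" width="1" height="1"></iframe>'
SAMPLE_B64 = base64.b64encode(DECOY_HTML.encode()).decode()

# The same payload wrapped in a p,a,c,k,e,r-style eval() call. The function body is a
# stub; only the trailing argument list matters for unpacking.
PACKED_SAMPLE = (
    "eval(function(p,a,c,k,e,d){/* packer loop stub */return p}"
    "('0.1(2(\"3\"))',62,4,'document|write|atob|" + SAMPLE_B64 + "'.split('|'),0,{}))"
)

# Argument list of the packer wrapper: ('payload',base,count,'words'.split('|'),0,{})
PACKER_RE = re.compile(
    r"\}\('(?P<p>.*?)',(?P<a>\d+),(?P<c>\d+),'(?P<k>.*?)'\.split\('\|'\),\d+,\{\}\)\)",
    re.S,
)
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
IFRAME_SRC_RE = re.compile(r"""<iframe\b[^>]*\bsrc=["']([^"']+)""", re.I)


def decode_token(tok, base):
    """Invert the packer's symbol encoding: 0-9a-z for digits below 36, A-Z for 36-61.
    Returns None when tok is not a valid base-`base` symbol (e.g. an ordinary identifier
    whose characters exceed the base)."""
    n = 0
    for ch in tok:
        if ch.isdigit():
            d = ord(ch) - ord("0")
        elif "a" <= ch <= "z":
            d = ord(ch) - ord("a") + 10
        elif "A" <= ch <= "Z":
            d = ord(ch) - ord("A") + 36
        else:
            return None
        if d >= base:
            return None
        n = n * base + d
    return n


def unpack_packer(js):
    """Single-pass unpacker for p,a,c,k,e,r output. Returns None when no wrapper is found."""
    m = PACKER_RE.search(js)
    if not m:
        return None
    p, base, count = m.group("p"), int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")

    def lookup(match):
        tok = match.group(0)
        idx = decode_token(tok, base)
        if idx is not None and idx < count and idx < len(words) and words[idx]:
            return words[idx]
        return tok

    # One pass over word tokens, so substituted text is never re-scanned.
    return re.sub(r"\b\w+\b", lookup, p)


def decode_atob_payloads(js):
    """Return the decoded contents of every atob('...') literal in a script."""
    out = []
    for _quote, b64 in ATOB_RE.findall(js):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def iframe_sources(html):
    """Extract iframe src values from decoded HTML."""
    return IFRAME_SRC_RE.findall(html)


def analyze(js):
    """Unpack, decode atob() payloads, and pull out iframe destinations for triage."""
    unpacked = unpack_packer(js)
    payloads = decode_atob_payloads(unpacked or "")
    srcs = [src for html in payloads for src in iframe_sources(html)]
    return {"unpacked": unpacked, "payloads": payloads, "iframe_src": srcs}


if __name__ == "__main__":
    result = analyze(PACKED_SAMPLE)
    print("unpacked :", result["unpacked"])
    print("iframe   :", result["iframe_src"])
```

The single-pass substitution differs from the original packer's descending-index loop only in that already-substituted text is never re-scanned, which avoids accidental re-replacement when a word list entry itself contains a short token.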

Hashes

SHA256: 0078ea2e505149a864958511f5a3f733482f8e92639a713807095d8f7a7e7fe8
File name: Pre-Landing Page.txt

SHA256: 6b46ba8d4a4ca55d7fc6781d3a53f5a2b8a2da682bc4b09624ed0e13779b7b46
File name: RIG EK Landing Page.txt

SHA256: 85c5f5a81f6701d597ada200dfd8338078752dc165f97efc094edf4874327c76
File name: RIG EK Flash Exploit.swf

SHA256: 94b882dedcaf288a9bda752767dc65d39cd15f5da4e5615c8fae3f962c806d41
File name: u32.tmp

SHA256: c669bccbd709080fc78d5931afc7337977cd4c5c94c4900052c665a533c53b71
File name: b43.exe
Hybrid-Analysis Report
Any Run Report

SHA256: 9dec506410d00e17a843f13f24241420b83ab815421b19277a620992ce3e63c4
File name: osetril.dll
Hybrid-Analysis Report

IOCs

HTTP Traffic:

88.198.94.53 – 53hshshshs1.info – GET /ywkk – Redirect
88.198.94.53 – 53hshshshs1.info – GET /ywkk/ – Pre-Landing Page
188.225.33.138 – POST and GET – RIG EK IP-Literal Hostname

DNS Queries and Responses:

n.paratozix.net – 63.23.10.118
k.paratozix.net – 4.171.174.235

From HA Reports – “CrowdStrike Bunitu Proxy C2 Registration 1”:

216.58.206.79:443
62.212.66.85:443
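To turn the indicators above into a retrospective check, here is an added Python example (not part of the original post) that runs the post's hosts, IPs and the /ywkk path over constructed proxy log lines and also flags the IP-literal Host header pattern RIG EK used, as a low-confidence signal. The log format (timestamp, client, method, host, destination IP, path), the sample lines and the function names are assumptions for the demonstration; the C2 IPs come from sandbox reports, so any match against them should be validated before it is used for blocking.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the IOC lists in this post.
IOC_HOSTS = {"53hshshshs1.info", "n.paratozix.net", "k.paratozix.net"}
IOC_IPS = {"88.198.94.53", "188.225.33.138", "63.23.10.118", "4.171.174.235",
           "216.58.206.79", "62.212.66.85"}
IOC_PATHS = {"/ywkk", "/ywkk/"}

# Constructed proxy log lines (timestamp client method host dst_ip path); not real traffic.
SAMPLE_LOG = [
    "2018-03-11T14:02:11Z 10.0.0.5 GET 53hshshshs1.info 88.198.94.53 /ywkk",
    "2018-03-11T14:02:12Z 10.0.0.5 GET 53hshshshs1.info 88.198.94.53 /ywkk/",
    "2018-03-11T14:02:15Z 10.0.0.5 POST 188.225.33.138 188.225.33.138 /",
    "2018-03-11T14:03:40Z 10.0.0.5 GET n.paratozix.net 63.23.10.118 /",
    "2018-03-11T14:05:00Z 10.0.0.9 GET www.example.com 203.0.113.10 /index.html",
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<dst_ip>\S+) (?P<path>\S+)$"
)


@dataclass
class Hit:
    line_no: int
    client: str
    host: str
    reasons: list


def is_ip_literal(host):
    """True when the Host value is a bare IPv4 address (optionally host:port) rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def scan(lines):
    """Match each parseable log line against the indicators; unparseable lines are skipped."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, dst_ip, path = m["host"].lower(), m["dst_ip"], m["path"]
        reasons = []
        if host in IOC_HOSTS:
            reasons.append(f"known host {host}")
        if dst_ip in IOC_IPS:
            reasons.append(f"known IP {dst_ip}")
        if path in IOC_PATHS:
            reasons.append(f"known path {path}")
        if is_ip_literal(host):
            # RIG EK used an IP-literal hostname here; on its own this is only a weak signal.
            reasons.append("IP-literal Host header (low confidence)")
        if reasons:
            hits.append(Hit(line_no, m["client"], host, reasons))
    return hits


def clients_seen(hits):
    """Distinct internal clients that touched any indicator, for follow-up triage."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.host}: {'; '.join(hit.reasons)}")
    print("clients to triage:", clients_seen(scan(SAMPLE_LOG)))
```

Hits are returned per line with every reason that fired, so a host-only match and a host-plus-path match can be prioritised differently when the results are reviewed.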

Samples

Malware Samples.zip

Password is “infected”

malwarebreakdown
