Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at malwarebreakdown.com
Follow me on Twitter


Traffic from 03/21/18:

Traffic

The first part of the redirection chain shown above would be from the Fobos decoy site.

The decoy site contains the following Base64 encoded string:

packed code on decoy site

The decoded string on the decoy site points to the next step in the redirection chain, the pre-landing page:

pre-landing page

Unpacked and beautified: https://pastebin.com/dy646La6

After the pre-landing page comes the POST request to the RIG EK landing page at 92.53.107.18. Finally, after successfully exploiting my system, the Fobos campaign used RIG EK to deliver the Bunitu proxy Trojan. Below are some details about the infection.

Analysis

File System

Payload downloaded to %Temp%:

Temp

Process b13.exe (PID: 2616) created file zervuxx.dll in %LocalAppData%:

LocalAppData

Processes Created

  • Command line:
    “C:\Windows\System32\netsh.exe” advfirewall firewall add rule name=”Rundll32″ dir=out action=allow protocol=any program=”C:\Windows\system32\rundll32.exe”
    Parent PID: 2616
    Child PID: 576
  • Command line:
    “C:\Windows\System32\netsh.exe” advfirewall firewall add rule name=”Rundll32″ dir=in action=allow protocol=any program=”C:\Windows\system32\rundll32.exe”
    Parent PID: 2616
    Child PID: 876
  • Command line:
    “C:\Windows\System32\rundll32.exe” “C:\Users\[User]\AppData\Local\zervuxx.dll”,zervuxx C:\Users\[User]\AppData\Local\Temp\b13.exe
    Parent PID: 2616
    Child PID: 3728

process properties

Registry

Keys created:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx
  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Values set:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\Impersonate
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\Asynchronous
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\MaxWait
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\DllName
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\Startup

Winlogon Notify zervuxx

  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe

Authorized Applications

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\zervuxx
Registry Run
Set by b13.exe (PID: 2616)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

Internet Settings ZoneMap

Mutex

Mutex created:

\Sessions\1\BaseNamedObjects\drofyunfdou

DNS

Queries and responses:

c.cawexdom.net -> 124.56.221.48
e.cawexdom.net -> 71.19.200.66

HTTP Traffic – Pre-Infection

  • 88.198.94.53 – stomtruckdox.info GET /av2sdfy/index.php – Fobos
  • 92.53.107.18 – POST and GET – RIG EK

Hashes and Reports

SHA256: ab0987156a279050e632aa5810d2d2355bf65c611d8b563bd73ef3392948bb3a
File name: Pre-Landing Page.txt

SHA256: a36204a8c830f420475a7e8b3dde7f29d80e6dffb15facf77f6b4fe8f78d7ce6
File name: RigEK Landing Page.txt

SHA256: 971c424d839bed4037a62f85791beb559f43e77d67a83590274478bdcf0c4563
File name: RigEK Flash Exploit.swf

SHA256: 8e8ac821d17dbbbecf0afabf93b1f8fd35a333215f363acbaa826851f7ad4286
File name: b13.exe
Hybrid-Analysis

SHA256: e7ac8ae86345db9a6087d4c3e99b8f8cd52ee0bf1ad626866af5452434c87322
File name: zervuxx.dll
Hybrid-Analysis

 

Samples

Samples.zip

Password is “infected”

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: