Rig EK via Malvertising delivers Bunitu.

Summary:

Another Bunitu sample from the same malvertising chain. It would appear the Flash detector, etc. is designed to catch bots, as ad servers treat bots differently from real users. I do not think this script plays any role in funnelling the correct targets to Rig EK.

I do doubt the ad providers are purposely serving malicious content. However there is certainly a threat actor at work here who is using Rig EK to deliver Bunitu.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

  • rigbunitu270217 -> Contains pcapng and payload in a password-protected zip.

Notable Details:

  • 188.72.202.219 – go.pub2srv.com[.]net – 302 redirect
  • 206.54.163.4 – onclickads[.]net – Flash version detector
  • 206.54.163.50 – onclkds[.]com – 302 redirect
  • 104.197.27.232 – adexchangeprediction[.]com – 302 redirect
  • 78.46.232.214 – sproutgames.info – iframe redirect
  • 88.198.220.122 – sproutgame15[.]pw – Compromised Site iframe redirect
  • 188.225.36.251 – lol.acemedicalsafety[.]com – Rig EK
  • Payload was pawf85q6.exe -> VirusTotal

Details of infection chain:

[Image: bunitu270217]

302 cushioning and iframes lead to Rig EK dropping the Bunitu proxy trojan.

Full Details:

  • A malvertising URL contains a Flash version detector as well as other scripts designed to catch bots.
  • Two further 302 redirects.
  • iframe redirect to compromised website.
  • iframe to Rig EK.
  • lol.acemedicalsafety[.]com -> Landing Page -> Flash -> Payload
  • There was no Pre-Landing page as usually seen.
  • Dropped payload “pawf85q6.exe”, which is different from the usual “rad” themed ones.
  • SHA256: 06705f6df520256247e48c0da4ab81147761ef5091b012d9d5438e5121ef1187
    File name: pawf85q6.exe
    Detection ratio: 10 / 58
  • This was identified as Bunitu Trojan.
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Bunitu uses a DLL called nillvzs.dll.

[Image: bunito-extrra]

Bunitu opens ports by changing firewall rules.

Rig EK via Malvertising drops Unknown DLL

Summary:

Malvertising leads to Rig EK on another “Poker” website. This is the same method used in my two previous posts with slightly varying parameters.

This time I could not identify the payload which appeared to be a DLL. It appeared to run and there was activity in processes but it made no network connections and did not seem to have changed the host significantly even after a reboot.

The DLL is available in the download below. If you have expertise in this area, I would be very keen to know what this file does or is supposed to do.

 

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article from Malware Breakdown about Hookads. Similar to these infection chains:

https://malwarebreakdown.com/2017/02/19/hookads-malvertising-redirects-to-rig-v-ek-at-217-107-219-99-ek-drops-ursnif-variant-dreambot/

Downloads

  • 200217rigunkdll -> Contains pcapng and payload in a password-protected zip.

Notable Details:

  • 206.54.163.50 – onclkds[.]com – Flash version detector
  • 206.54.163.50 – onclkds[.]com – 302 redirect
  • 104.197.120.151 – adexchangeprediction[.]com – 302 redirect
  • 78.46.232.211 – holdempoker.pw – iframe redirect
  • 88.198.220.122 – holdempoker2.pw – Compromised Site iframe redirect
  • 46.173.219.164 – add.neighborhoodreunions[.]net – Rig EK
  • Payload was rad9E825.tmp.dll -> VirusTotal

Details of infection chain:

[Image: rigunkdll]

Malvertising chain leads to Rig EK, which drops a DLL that did not appear to make any noticeable changes.

Full Details:

  • A malvertising URL contains a Flash version detector.
  • Two further 302 redirects.
  • iframe redirect to compromised website.
  • iframe to Rig EK.
  • oadd.neighborhoodreunions[.]net -> Pre-Landing -> Landing Page -> Flash -> Payload
  • Dropped payload “rad9E825.tmp.dll” which came back 0/54 on VT.
  • SHA256: f620502a8db93560b8c40b86bb72c04555a35dc81ceabdcedae9f4cc7448ed19
    File name: rad9E825.tmp.dll
    Detection ratio: 0 / 54
  • The payload ran using regsvr32.exe and although there was some activity it did not appear to do anything significant. Perhaps it required a different version of Windows or maybe it made several subtle but important changes. I’ll keep monitoring the machine for any strange activity.
  • The website at 78.46.232.211 appears to host multiple Poker themed websites. The IP is the same as the previous Bunitu infection but the domain is different.

Rig EK via Malvertising delivers Bunitu Trojan

Summary:

I have stumbled across multiple “ad servers” which check for versions of Flash. I was playing around with one and was getting redirected to random sites. After a while I was redirected to Rig EK. Bunitu was dropped by Rig, which was a nice change from the usual Cerber.

I believe these “ad servers” might be great for EK hunting. I have already found Sundown EK in this manner.

 

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

Notable Details:

  • 206.54.163.4 – onclickads[.]net – Flash version detector
  • 206.54.163.50 – onclkds[.]com – 302 redirect
  • 104.197.85.202 – adexchangeprediction[.]com – 302 redirect
  • 78.46.232.211 – holdem-pokers.info – iframe redirect
  • 88.198.220.112 – poks122[.]pw – Compromised Site iframe redirect
  • 185.159.130.122 – old.thebestdallasdentists[.]com – Rig EK
  • 245.147.26.100 – plastic.firgo6slike.net – DNS request from Bunitu
  • Payload was rad73363.tmp.exe -> VirusTotal

Details of infection chain:

[Image: rigekbunitu]

Malvertising chain starting with Flash detector leads to Rig EK which drops Bunitu Trojan.

 

Full Details:

  • A malvertising URL contains a Flash version detector.
  • Two further 302 redirects.
  • iframe redirect to compromised website.
  • iframe to Rig EK.
  • old.thebestdallasdentists[.]com -> Pre-Landing -> Landing Page -> Flash -> Payload
  • Dropped payload “rad73363.tmp.exe”.
  • SHA256: fa092bfd24a1255d5e870b447cfc229e3bc6b0dd3f59ade7fa7369aff45b7a29
    File name: rad73363.tmp.exe
    Detection ratio: 10 / 58
  • This was identified as Bunitu Trojan.
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Bunitu uses a DLL called vsgliig.dll.
  • ETPRO TROJAN Win32.Bunitu DNS Lookup (A Network Trojan was Detected) [2824943]

[Image: bunito-extrra]

Bunitu opens ports by changing firewall rules.

Sundown EK via Malvertising delivers Zloader

Summary:

I have finally found Sundown EK without having someone give it to me or borrowing it from another researcher. I actually found this from alerts of Magnitude EK and it is quite possible the malvertising site may actually lead to other EKs. Alas, I was sent to Sundown EK and not Magnitude, but this could be an indication that Sundown is using the same mechanisms to get visitors as Magnitude is known for (ads).

This version of Sundown did not use steganography and seemed relatively straightforward: a landing page, one Flash exploit and then a payload. The payload was Zloader, which I have seen before being dropped by Sundown.

Anyway, the files and pcap are available for download. Perhaps someone can figure out why I saw ET signatures for White Lotus EK exploits. I hope the new IOCs will be of use to the community.

Background Information on Sundown EK:

Sundown EK has changed so much over the past few months that I’m not sure any article can cover what it is today. Sundown is known to use parts of other exploit kits. Recently it was reported that Sundown uses steganography; however, I did not see this occur in this sample.

Downloads

Notable Details:

  • 206.54.163.4 – onclickads[.]net – Malvertising
  • 206.54.163.50 – onclkds[.]com – Malvertising
  • 50.87.151.234 – petloversetc[.]com – Compromised Website
  • 51.140.35.17 – ai.rqrzq[.]com – Sundown Landing Page
  • 51.140.35.17 – dqg.rkrtk[.]com – Sundown Payload download
  • 31.164.129.28 – gunsun[.]su – Zloader 
  • 31.164.129.28 – bedborder[.]su – Zloader 
  • Payload was z3qpfzic.exe -> VirusTotal

Details of infection chain:

[Image: 140217-sundownzloader]

Malvertising chain leads to Sundown EK which delivers Zloader

Full Details:

  • A malvertising URL searches for old versions of Flash and redirects to a compromised site.
  • An iframe on the compromised site redirects to Sundown EK.
  • ai.rqrzq[.]com and dqg.rkrtk[.]com are Sundown EK, from top to bottom -> Landing Page -> Flash -> Payload
  • Dropped payload “z3qpfzic.exe”.
  • SHA256: 43e30e3a58772743ad3fa4ae75de1a06204219eb80fbfc53fdb884d830942d44
    File name: z3qpfzic.exe
    Detection ratio: 6 / 58
  • Known also as Terdot A, Zloader periodically sends data to a command and control.
  • Interestingly I had some ET signatures for exploits used by White Lotus EK:
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3 (A Network Trojan was Detected) [2017738]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2 (A Network Trojan was Detected) [2017737]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1 (A Network Trojan was Detected) [2017736]

Rig via PseudoDarkleech delivers Cerber Ransomware

Summary:

I have not been detecting as much Rig EK activity as last year. Many researchers are reporting interesting malware dropped by other gates (EITest). I appear to be stuck with PseudoDarkleech, which always delivers Cerber.

Nonetheless, Cerber is a dangerous ransomware and hopefully some of the IOCs or the pcap can help you to detect and block Cerber.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 87.98.231.16 – atadi[.]es – COMPROMISED WEBSITE
  • 217.107.34.172 – far.askgrannydating[.]com – RIG-V
  • 91.121.56.0 -> 91.121.56.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.57.0 -> 91.121.57.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.58.0 -> 91.121.58.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.59.0 -> 91.121.59.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.119.56.0 -> 91.119.56.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.120.56.0 -> 91.120.56.31 – UDP port 6892 – Cerber Check In IP Range
  • Payload was rad0489A.tmp.exe -> VirusTotal
  • There was a delay of almost 2 minutes before UDP traffic occurred, indicating a possible sandbox evasion technique.

Details of infection chain:

[Image: 130217-rigcerber]

Cerber encrypts files with a .ba89 extension. This picture shows UDP traffic and an excessive attempt to generate a new ransom URL.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • far.askgrannydating[.]com is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • UDP traffic port 6892 came in two variants. The first was of length 25 and occurred around 40 seconds from the start of capture. The second was of length 14 which occurred after almost 2 minutes.
  • Dropped payload “rad0489A.tmp.exe”.
  • SHA256: ad22b0a80b153f23d4fe63ad9a26d180d2c870c59ab6aec73976ef82fc3778da
    File name: rad0489A.tmp.exe
    Detection ratio: 6 / 57
  • Payload encrypted files with a “.ba89” extension.
  • Cerber is likely waiting for Nbstat responses before it proceeds.
  • Emerging Threat signatures for Cerber and NBTStat query response.
  • Cerber changes the background and loads an HTA file containing instructions on how to decrypt your files. It also plays an eerie audio message, in the Windows 7 female US voice, stating that your files have been encrypted.
  • I recorded the voice: https://instaud.io/JUA#0:00.1
  • I could not access any of the ransom URLs, and attempts to generate a new URL using the HTA tool provided by Cerber failed and resulted in an error.

Rig via PseudoDarkleech delivers Cerber Ransomware

Summary:

Another Cerber from Rig EK. I’ve actually done several of these runs since my last post. I only really like to post if I can contribute something to the community. In this case I noticed the payload going idle for almost 10 minutes before the UDP requests began. I believe this could be a sandbox evasion technique, as sandboxes often have a default time out period.

Other than that, it’s the same old Cerber 🙂

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 104.27.166.186 – golanguages[.]es – COMPROMISED WEBSITE
  • 194.87.238.245 – park.medlawtalk[.]tv – RIG-V
  • 91.117.40.0 -> 91.117.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.119.40.0 -> 91.119.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.40.0 -> 91.121.40.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.41.0 -> 91.121.41.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.42.0 -> 91.121.42.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.43.0 -> 91.121.43.255 – UDP port 6892 – Cerber Check In IP Range
  • Payload was rad69926.tmp.exe -> VirusTotal
  • There was a delay of almost 10 minutes before UDP traffic occurred, indicating a possible sandbox evasion technique.

Details of infection chain:

[Image: 050217-rigcerber]

Cerber encrypts with a .ba89 extension. Note the time delay between the payload and the first UDP check in.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • park.medlawtalk[.]tv is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • UDP traffic on port 6892 all contained the data “fd6b47b9da60f3
  • Dropped payload “rad69926.tmp.exe”.
  • SHA256: bdba80fe4638b8ec8d0cde505cfd62ba89d90c86d856e409cabc032a34ec5750
    File name: rad69926.tmp.exe
    Detection ratio: 26 / 56
  • Payload encrypted files with a “.ba89” extension.
  • The payload appeared to be idle for almost 10 minutes. After this the usual UDP and Nbstat requests occurred and the encryption completed.
  • Cerber is likely waiting for Nbstat responses before it proceeds.
  • Emerging Threat signatures for Cerber and NBTStat query response.
  • Cerber changes the background and loads an HTA file containing instructions on how to decrypt your files. It also plays an eerie audio message, in the Windows 7 female US voice, stating that your files have been encrypted.
  • I recorded the voice: https://instaud.io/JUA#0:00.1
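
The Cerber check-in ranges and the delayed UDP beaconing described in this post and the 13/02 post above lend themselves to a simple detection. The Python below is an added example, not code from the original posts: it flags UDP flows to port 6892 inside the listed ranges (the /22 and /27 prefixes are this example's own translation of the "x.0 -> x.255" and "x.0 -> x.31" ranges) and measures how long after capture start the first check-in appears, run over constructed flow records rather than the posts' pcaps.

```python
import ipaddress
from datetime import datetime

# Cerber check-in ranges listed in the two Cerber posts above, all UDP port 6892.
# The prefixes are this example's own translation of the ranges in the IOC lists.
CERBER_CHECKIN_NETS = [ipaddress.ip_network(n) for n in (
    "91.121.56.0/22", "91.119.56.0/27", "91.120.56.0/27",   # 13/02 post
    "91.121.40.0/22", "91.117.40.0/27", "91.119.40.0/27",   # 05/02 post
)]
CERBER_UDP_PORT = 6892

# Constructed flow records (not from the pcaps): "<ISO time> <proto> <src> <dst> <len>".
SAMPLE_FLOWS = """\
2017-02-13T10:00:00 TCP 10.0.0.5:49152 217.107.34.172:80 1420
2017-02-13T10:00:40 UDP 10.0.0.5:51000 91.121.56.17:6892 25
2017-02-13T10:00:40 UDP 10.0.0.5:51000 91.121.57.44:6892 25
2017-02-13T10:00:41 UDP 10.0.0.5:51001 8.8.8.8:53 60
2017-02-13T10:01:58 UDP 10.0.0.5:51002 91.121.59.200:6892 14
2017-02-13T10:02:00 UDP 10.0.0.5:51003 91.121.60.1:6892 14
"""

def is_cerber_checkin(dst_ip, dst_port):
    """True when the destination matches the Cerber check-in port and one of the ranges."""
    if dst_port != CERBER_UDP_PORT:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in CERBER_CHECKIN_NETS)

def parse_flow(line):
    ts, proto, src, dst, length = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto, "src": src,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "len": int(length)}

def analyze(flow_text, sandbox_timeout_s=300):
    """Flag Cerber check-ins and measure the delay from capture start to the first one."""
    flows = [parse_flow(l) for l in flow_text.splitlines() if l.strip()]
    start = flows[0]["ts"]
    hits = [f for f in flows
            if f["proto"] == "UDP" and is_cerber_checkin(f["dst_ip"], f["dst_port"])]
    delay = int((hits[0]["ts"] - start).total_seconds()) if hits else None
    return {"hits": hits, "first_checkin_delay_s": delay,
            "lengths": sorted({f["len"] for f in hits}),
            # a first check-in later than the sandbox's run time would never be seen there
            "exceeds_sandbox_timeout": delay is not None and delay > sandbox_timeout_s}

if __name__ == "__main__":
    r = analyze(SAMPLE_FLOWS)
    print(f"{len(r['hits'])} Cerber check-ins, first after {r['first_checkin_delay_s']} s")
```

Compare the reported delay with your sandbox's default run time: a payload that sleeps longer than that, as the 10-minute idle period here did, will never produce its check-in traffic inside the sandbox.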