Malvertising leads to Rig EK on another “Poker” website. This is the same method used in my two previous posts with slightly varying parameters.
This time I could not identify the payload which appeared to be a DLL. It appeared to run and there was activity in processes but it made no network connections and did not seem to have changed the host significantly even after a reboot.
The DLL is available in the download below. If you have expertise in this area, I would be very keen to know what this file does or is supposed to do.
- A few articles on Rig exploit kit and it’s evolution:
- Article from Malware Breakdown about Hookads. Similar to these infection chains:
- 200217rigunkdll-> Contains pcapng and payload in password protected zip.
- 188.8.131.52 – onclkds[.]com – Flash version detector
- 184.108.40.206 – onclkds[.]com – 302 redirect
- 220.127.116.11 – adexchangeprediction[.]com – 302 redirect
- 18.104.22.168 – holdempoker.pw – iframe redirect
- 22.214.171.124 – holdempoker2.pw – Compromised Site iframe redirect
- 126.96.36.199 – add.neighborhoodreunions[.]net – Rig EK
- Payload was rad9E825.tmp.dll -> VirusTotal
Details of infection chain:
(click to enlarge!)
- A malvertising URL contains a Flash version detector.
- Two further 302 redirects.
- iframe redirect to compromised website.
- iframe to Rig EK.
- oadd.neighborhoodreunions[.]net -> Pre-Landing -> Landing Page -> Flash -> Payload
- Dropped payload “rad9E825.tmp.dll” which came back 0/54 on VT.
SHA256: f620502a8db93560b8c40b86bb72c04555a35dc81ceabdcedae9f4cc7448ed19 File name: rad9E825.tmp.dll Detection ratio:
0 / 54
- The payload ran using regsvr32.exe and although there was some activity it did not appear to do anything significant. Perhaps it required a different version of Windows or maybe it made several subtle but important changes. I’ll keep monitoring the machine for any strange activity.
- The website at 188.8.131.52 appears to have host multiple Poker themed websites. The IP is the same as the previous Bunitu infection but domain is different.