Over the past few days I’ve been looking at Cerber for any changes and trying to track Sundown. I have received information to believe that Sundown is no longer operational. Anyway I returned to my usual malvertising chain but I was unable to capture the traffic as accurately as before.
This time the payload was Chthonic which is a ZeuS variant. At first I could not identify the sample so requested the help of @Antelox who quickly identified it. Upon further investigation I noticed the DNS requests which I recognised from reading MalwareTraffic in the past. I then checked my ET signatures and found one for Chthonic.
Always good to see different variants of malware and from other sources other than PseudoDarkleech and EITest.
- A few articles on Rig exploit kit and it’s evolution:
- Oldish article regarding Chthonic banking trojan:
- rigchthonicPCAP -> Pcap in password protected zip. (2nd pcap has CnC traffic)
- 130317rigchthonic-> Payload (Chthonic) in password protected zip. Unfortunately I have to use File Dropper, having a few issues with getting this file on my site.
- Multiple 302 redirects lead to compromised site
- 126.96.36.199 – fuel.psorheads.com – Compromised Site
- 188.8.131.52 – dfg.twitttwoo.co.uk – Rig EK
- 184.108.40.206 – pationare.bit – Chthonic Domain Lookup
- 220.127.116.11 – pationare.bit – Chthonic Domain Lookup
- 18.104.22.168 – pationare.bit – Chthonic Domain Lookup
- 22.214.171.124 – avaneredge.bit – Chthonic Domain Lookup
- 126.96.36.199 – avaneredge.bit – Chthonic Domain Lookup
- Payload was 73mendjd.exe -> VirusTotal
Details of infection chain:
(click to enlarge!)
- A malvertising chain used multiple 302 redirects. I had some issue capturing all the traffic so it is not all listed in the image above.
- iframe to Rig EK on the compromised website
- dfg.twitttwoo.co.uk -> Landing Page -> Flash -> Payload
- Also to note there are slight changes in Rig EK’s URL patterns. The parameters “fix” and “que” are present although not shown in the picture.
- Dropped payload “73mendjd.exe” which is different to the usual “rad” themed ones.
SHA256: ecd0a876582ec3e104aac27b93ba59e388ee822c33917deef3599b30a9c47352 File name: 73mendjd.exe Detection ratio: 9 / 59
- This was identified as Chthonic which is a ZeuS variant by @Antelox.
- Chthonic lay idle for some time in processes. It eventually created a fake Silverlight executable and deleted the original payload and forced a reboot.
- After reboot the malware had added a start up entry.
- No POST traffic was observed.