Rig EK delivers Chthonic

Summary:

Following a common malvertising chain I came across a website that redirected to a fake ad domain. Such gates have been detailed by other researchers such as Malware Breakdown. They contain a pre-landing page which further filters out unwanted visitors before the Rig EK landing page.

This example is a full chain and dropped Chthonic which is a ZeuS variant. I requested the help of @Antelox who quickly identified it as Chthonic. I thought the “.bit” traffic was familiar but it has been a while since I saw this malware.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

Downloads

(in password protected zip: (infected))

Details of infection chain:

(click to enlarge!)

RigChthonic.png

Rig EK on a porn website via a fake ad domain drops ZeuS Chthonic.

Full Details:

  • A malvertising chain leads to a porn site called “likexhamster“. This is similar to the real xhamster website except with more Rig. The website contains a script called “popunder.php” which loads the fake ad domain “retalise.info“.
  • The domain contains a pre-landing page and an iframe to Rig EK.PreLanding
  • one.dailynewshunt.co.in-> Landing Page -> Flash  -> Payload
  • Dropped payload “4s64tsmt.exe”.
    SHA256: 6ef6dd38e0b763ff9877bd657ddbefc76ae72de7d49b0a5b82690c039036e1ee
    File name: 4s64tsmt.exe
    Detection ratio: 27 / 61
  • This was identified as Chthonic which is a ZeuS variant by @Antelox.
  • Chthonic lay idle for some time in processes. It eventually created an executable called “WindowsMailB” and a UAC prompt appeared which when accepted rebooted the system.
  • After reboot the malware had added a start up entry and copied itself .It also downloaded a further binary which was likely a module.
  • POST traffic to  “multifest.bit” was observed.  It is likely sending data to a CnC and getting a configuration back.comcnc
  • There may be other interesting connections in the PCAP. I have not found any recent detailed write ups about Chthonic yet. According to the 2014 article by securelist, Chthonic has the following capabilities: Capabilities

One thought on “Rig EK delivers Chthonic

  1. Pingback: Rig EK via malvertising drops Dreambot | Zerophage Malware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s