Rig EK via malvertising drops Dreambot

Summary:

Recently I, like many other researchers, have been finding a lot of Rig EK delivered via malvertising. Today I revisited an old site called “likexhamster” which last May was dropping Chthonic via a fake ad domain served by a popunder script.

This time the same mechanism dropped Dreambot, AKA Gozi. Additionally, Rig EK appears to have been changing its URL patterns of late. I was collecting several samples to investigate, but @nao_sec has posted a series of tweets which reveal the extent of the changes.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Dreambot:

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

Downloads

(in password-protected zip, password: infected)

Details of infection chain:

[Image: infection chain diagram]

Rig EK via an ad on a porn website delivers Dreambot

Full Details:

The infection chain begins on a porn website called “likexhamster”. This site is filled with ads, but one particular popunder script loads a fake ad domain, “occurent.info”. Below you can see the script and then what was returned after the “eval” function.

[Image: popunder script and the code returned by eval]

The ad leads to what appears to be the Rig EK pre-landing page. If the environment passes the checks, a redirection to Rig EK occurs.

[Image: ad banner]

Note the Rig EK URL parameters:

[Image: Rig EK URL parameters]

The payload was Dreambot – an information stealer/banking trojan AKA Gozi/ISFB.

SHA256: d193de89f70c1049999eabf12a3523b01c695bb536ece4de8ddc62ac71a12424
File name: d193de89f70c1049999eabf12a3523b01c695bb536ece4de8ddc62ac71a12424.bin
Detection ratio: 15 / 61

Dreambot connects to a C&C server using a URL that contains the strings “images” and “.avi”, though I have seen other variants of Ursnif use different strings such as “.jpeg”.

[Image: Dreambot C&C traffic]
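As an added example (not code from the original post), the URL pattern described above can be turned into a simple proxy-log check. It looks for a request path containing “/images/” and ending in one of the extensions the post mentions (“.avi” by default, with “.jpeg” as a second option because other Ursnif variants use it). The minimum-path-length heuristic and the squid-style log lines below are my own assumptions and constructed sample data, added only to show how the rule behaves on ordinary image requests versus the long encoded paths.

```python
from urllib.parse import urlsplit

# Strings the post associates with Dreambot/Ursnif C&C URLs. The post notes
# other variants use different extensions (e.g. ".jpeg"), so this is tunable.
DEFAULT_EXTENSIONS = (".avi", ".jpeg")

# Constructed sample proxy log lines ("ts client method url status"),
# not captured traffic from the post. Hostnames are placeholders.
SAMPLE_LOG = """\
1493800001.123 10.0.0.15 GET http://example-news.test/images/logo.png 200
1493800002.456 10.0.0.15 GET http://c2-example.test/images/gYxw3OQAz5Kf/_2BhN4y2r/Ra7fQhTbsC/n_2Fx1zT8k_2/bL8Dw.avi 200
1493800003.789 10.0.0.22 GET http://c2-example.test/images/Jd93kLm1Pq0s/Q_2Fz8Wn3v/Yt6_2BkRa1/a1.jpeg 200
1493800004.012 10.0.0.15 GET http://cdn.example.test/video/trailer.avi 200
1493800005.345 10.0.0.15 GET http://example-news.test/images/header.jpeg 200
"""


def is_suspect_c2_url(url, extensions=DEFAULT_EXTENSIONS, min_path_len=40):
    """Return True if the URL path matches the "images" + media-extension
    pattern from the post. min_path_len is an assumed heuristic: the encoded
    C&C paths are long, while a genuine /images/header.jpeg is short."""
    path = urlsplit(url).path
    lowered = path.lower()
    if "/images/" not in lowered:
        return False
    if not lowered.endswith(tuple(e.lower() for e in extensions)):
        return False
    return len(path) >= min_path_len


def scan_log(text, **rule_kwargs):
    """Scan whitespace-separated log lines; return (client, url) for hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line, skip it
        client, url = parts[1], parts[3]
        if is_suspect_c2_url(url, **rule_kwargs):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"suspect Dreambot/Ursnif beacon from {client}: {url}")
```

With the defaults the two long encoded paths are flagged and the ordinary logo.png and header.jpeg requests are not; passing `extensions=(".avi",)` restricts the rule to exactly what this sample used. A string match like this is only a triage aid: the post itself notes that other variants change the strings, so pair it with the sample hash and the behavioural indicators rather than relying on it alone.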

The below image shows some of the actions Dreambot took during behavioural analysis.

[Image: Dreambot actions during behavioural analysis]

Dreambot sends data over Tor. Below is a screenshot of some of the domains.

[Image: Dreambot Tor domains]

