Summary:
Recently I have found a lot of Rig EK from malvertising, as have many other researchers. Today I revisited an old site called “likexhamster” which last May was dropping Chthonic via a fake ad domain served by a popunder script.
This time the same mechanism dropped Dreambot, aka Gozi. Additionally, Rig EK appears to have been changing its URL patterns of late. I was collecting several samples to investigate, but @nao_sec has posted a series of tweets which reveal the extent of the changes.
Background Information:
- A few articles on Rig exploit kit and its evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
- Article on Dreambot:
Downloads
(in password-protected zip, password: infected)
- 14-Jun-2017-Rig-Dream-PCAP -> Pcap
- 14-Jun-2017-Rig-Dream-CSV -> CSV of the traffic for IOCs
- 14-Jun-2017-Dreambot -> Dreambot
Details of infection chain:
Full Details:
The infection chain begins on a porn website called “likexhamster”. The site is filled with ads, but one particular popunder script loads a fake ad domain, “occurent.info”. Below you can see the script, followed by what it passed to the “eval” function once decoded.
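The screenshot above shows the output of the usual analyst trick for this kind of loader: rather than letting the page run the packed script, hook eval and record what it receives. The following is an added example of that technique, not the script from the page. The packed loader it unpacks is constructed here in the common fromCharCode style; only the domain occurent.info is taken from the traffic, while the path and the window.open popunder body are assumptions.

```javascript
// Added example: peel eval() layers off a popunder-style loader without executing
// the final stage. The loader is CONSTRUCTED for this post; only the domain
// occurent.info comes from the traffic, the path and window.open body are assumed.

// Final stage a popunder would normally run (constructed): open the fake-ad
// domain in a new window, then push that window behind the current one.
const FINAL_STAGE =
  'var w = window.open("http://occurent.info/", "_blank"); w.blur(); window.focus();';

// Wrap a script the way many packers do: eval(String.fromCharCode(..codes..)).
function charCodeWrap(code) {
  const codes = Array.from(code, (c) => c.charCodeAt(0)).join(',');
  return 'eval(String.fromCharCode(' + codes + '))';
}

// Two layers deep: eval(fromCharCode(eval(fromCharCode(...)))).
const PACKED_LOADER = charCodeWrap(charCodeWrap(FINAL_STAGE));

// Run one layer with eval() and document.write() replaced by recorders. The code
// is compiled as a sloppy-mode function whose parameters shadow the real globals,
// so a bare eval(...) inside it is an ordinary call to our hook, not a real eval.
function runLayer(code) {
  let captured = null;
  const hook = (s) => { captured = String(s); };
  const fakeDocument = { write: hook, writeln: hook };
  try {
    new Function('eval', 'document', 'window', code)(hook, fakeDocument, {});
  } catch (e) {
    // The stage touched DOM we do not emulate (e.g. window.open): treat it as
    // the terminal stage and keep whatever was captured before the throw.
  }
  return captured;
}

// Keep unpacking until a layer neither evals nor document.write()s anything.
function unpack(code, maxDepth = 10) {
  const layers = [];
  let current = code;
  for (let i = 0; i < maxDepth; i++) {
    const next = runLayer(current);
    if (next === null) break;
    layers.push(next);
    current = next;
  }
  return layers;
}

// Pull the URLs out of the decoded final stage for the IOC list.
function extractUrls(code) {
  return code.match(/https?:\/\/[^\s"'()<>]+/g) || [];
}

const layers = unpack(PACKED_LOADER);
layers.forEach((l, i) => console.log('layer ' + (i + 1) + ': ' + l.slice(0, 80) + '...'));
console.log('URLs in final stage:', extractUrls(layers[layers.length - 1]));
```

The hook approach only works for stages that hand their next layer to eval, document.write or similar; a stage that instead builds a script element from DOM calls will land in the catch block, which is why the loop stops on the first layer that produces nothing rather than treating an exception as failure.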
The ad leads to what appears to be the Rig EK pre-landing page. If the environment passes its checks, the visitor is redirected to the Rig EK landing page.
Note the Rig EK URL parameters:
The payload was Dreambot – an information stealer/banking trojan AKA Gozi/ISFB.
SHA256: d193de89f70c1049999eabf12a3523b01c695bb536ece4de8ddc62ac71a12424
File name: d193de89f70c1049999eabf12a3523b01c695bb536ece4de8ddc62ac71a12424.bin
Detection ratio: 15 / 61
Dreambot connects to its C2 server using a URL that contains the strings “images” and “.avi”, though I have seen other variants of Ursnif use different strings such as “.jpeg”.
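To hunt for that check-in pattern in an exported traffic CSV such as the one in the downloads, here is an added example of the detection logic; it is not part of the original post or the tooling used for it. The log records are constructed, the hostnames are placeholders rather than IOCs, and treating “.avi”/“.jpeg” as the file extension of the last path segment (with at least one long opaque segment in between) is an assumption made to keep ordinary image traffic out of the hits.

```javascript
// Added example: flag Dreambot/Ursnif-style check-in URLs in a proxy/traffic CSV.
// The records below are CONSTRUCTED for this post; the only traits taken from the
// traffic are a path segment "images" and a ".avi" name, with ".jpeg" as the
// variant the post mentions. Hostnames are placeholders, not IOCs.
const SAMPLE_CSV = `time,host,uri
2017-06-14T10:01:02Z,likexhamster.example,/
2017-06-14T10:01:05Z,occurent.info,/
2017-06-14T10:02:10Z,c2-a.example,/images/2gN2YpFkLs3Ab/7TTW8A1hs/W5xXQZ.avi
2017-06-14T10:02:11Z,cdn.example,/images/logo.png
2017-06-14T10:03:40Z,c2-b.example,/images/D7v9F3a/jR4Kd1/Pz0Wq.jpeg
2017-06-14T10:04:00Z,news.example,/assets/video/intro.avi
`;

// Extensions seen on check-in URLs: ".avi" in this sample, ".jpeg" in variants
// the post mentions. Extend as new samples turn up.
const CHECKIN_EXTENSIONS = ['.avi', '.jpeg'];

// ASSUMPTION (tuning knob): the segments between "images" and the file name must
// add up to at least this many characters, so "/images/logo.png"-shaped legitimate
// traffic does not match. Lower it if it hides real hits in your data.
const MIN_OPAQUE_LENGTH = 8;

// Minimal CSV reader for the "time,host,uri" export shape (no quoted fields).
function parseCsv(text) {
  const [header, ...rows] = text.trim().split('\n');
  const cols = header.split(',');
  return rows.map((row) => {
    const vals = row.split(',');
    return Object.fromEntries(cols.map((c, i) => [c, vals[i]]));
  });
}

// True when the request path looks like a Dreambot check-in:
// an "images" segment, one or more opaque segments, then a known extension.
function isCheckinUri(uri) {
  const path = uri.split('?')[0];
  const segs = path.split('/').filter(Boolean);
  const imagesAt = segs.indexOf('images');
  if (imagesAt < 0 || imagesAt >= segs.length - 1) return false;
  const fileName = segs[segs.length - 1].toLowerCase();
  if (!CHECKIN_EXTENSIONS.some((ext) => fileName.endsWith(ext))) return false;
  const opaque = segs.slice(imagesAt + 1, -1).join('');
  return opaque.length >= MIN_OPAQUE_LENGTH && /^[A-Za-z0-9_-]+$/.test(opaque);
}

// Return the matching records so they can be fed into an IOC list or a ticket.
function findCheckins(csvText) {
  return parseCsv(csvText)
    .filter((rec) => isCheckinUri(rec.uri))
    .map((rec) => ({ time: rec.time, host: rec.host, uri: rec.uri }));
}

for (const hit of findCheckins(SAMPLE_CSV)) {
  console.log(hit.time + ' ' + hit.host + ' ' + hit.uri);
}
```

Run over the sample, this reports the two constructed check-ins and ignores the logo and the unrelated .avi under /assets. The path shape alone is weak evidence on a busy proxy log, so confirm hits against the C2 hosts from the CSV in the downloads before acting on them.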
The below image shows some of the actions Dreambot took during behavioural analysis.
Dreambot sends data over Tor. Below is a screenshot of some of the domains.