Recently I have found a lot of Rig EK coming from malvertising, as have many other researchers. Today I revisited an old site called “likexhamster”, which last May was dropping Chthonic via a fake ad domain served by a popunder script.
This time the same mechanism dropped Dreambot, aka Gozi. Additionally, Rig EK appears to have been changing its URL patterns of late. I was collecting several samples to investigate, but @nao_sec has posted a series of tweets which reveals the extent of the changes.
- A few articles on Rig exploit kit and its evolution:
- Article on Dreambot:
(in password-protected zip: (infected))
- 14-Jun-2017-Rig-Dream-PCAP -> Pcap
- 14-Jun-2017-Rig-Dream-CSV -> CSV of the traffic for IOC’s
- 14-Jun-2017-Dreambot -> Dreambot
Details of infection chain:
The infection chain begins on a porn website called “likexhamster”. This site is filled with ads, though one particular popunder script loads a fake ad domain, “occurent.info”. Below you can see the script and then what was returned after the “eval” function.
Note the Rig EK URL parameters:
The payload was Dreambot – an information stealer/banking trojan AKA Gozi/ISFB.
Detection ratio: 15 / 61
Dreambot connects to a CNC server using a URL that contains the string “images” and “.avi”, though I have seen other variants of Ursnif use different strings such as “.jpeg” etc.
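A small detection heuristic for the C2 URL shape just described (an “images” path segment followed by a long encoded tail ending in “.avi” or, for other Ursnif variants, “.jpeg”), added here as an illustration and not part of the original post or its PCAP; the log line format, the hostnames and the length threshold are constructed assumptions:

```python
from urllib.parse import urlparse

# Extensions the post associates with Dreambot/Ursnif beacon URLs.
# Extend this tuple as further variants are observed (assumed list).
C2_EXTENSIONS = (".avi", ".jpeg")

def looks_like_ursnif_c2(url):
    """Return True if the URL path matches the described Dreambot C2 pattern."""
    path = urlparse(url).path.lower()
    segments = [s for s in path.split("/") if s]
    if "images" not in segments:
        return False
    # Everything after the "images" segment is the beacon's encoded data.
    tail = "/".join(segments[segments.index("images") + 1:])
    # Ordinary image/video fetches have short file names; the beacon carries a
    # long encoded blob before the extension. Threshold of 40 is an assumption.
    return tail.endswith(C2_EXTENSIONS) and len(tail) > 40

def flag_c2_candidates(log_lines):
    """Scan proxy-log lines of the form 'timestamp,src_ip,dst_host,url' and
    return (dst_host, url) pairs whose URL matches the heuristic."""
    hits = []
    for line in log_lines:
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue  # skip malformed records rather than crash on them
        _, _, host, url = parts
        if looks_like_ursnif_c2(url):
            hits.append((host, url))
    return hits

# Constructed sample log lines (not taken from the post's capture).
SAMPLE_LOG = [
    "2017-06-14T10:01:02,10.0.0.5,c2.example.invalid,"
    "http://c2.example.invalid/images/" + "A" * 60 + "/zU8ZwN7.avi",
    "2017-06-14T10:01:05,10.0.0.5,cdn.example.org,"
    "http://cdn.example.org/images/logo.avi",
    "2017-06-14T10:01:09,10.0.0.5,c2.example.invalid,"
    "http://c2.example.invalid/images/" + "B" * 50 + ".jpeg",
    "2017-06-14T10:01:12,10.0.0.5,www.example.org,"
    "http://www.example.org/index.html",
]

if __name__ == "__main__":
    for host, url in flag_c2_candidates(SAMPLE_LOG):
        print("possible Ursnif C2 beacon:", host, url)
```

Run over the CSV of traffic in the download above, the same function can triage which connections deserve a closer look in the PCAP.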
The below image shows some of the actions Dreambot took during behavioural analysis.
Dreambot sends data over Tor. Below is a screenshot of some of the domains.