Rig EK via JS Redirector leads to Pushdo dropping Cutwail.

Summary:

Today I found a probably compromised website that contained a script which looks harmless, by name at least. However, it led to a website hosting a JavaScript redirector to Rig EK. The chain is interesting and I have not seen one like it since I started doing this.

The payload was Pushdo dropping Cutwail. Thanks to @Antelox for the identification. Although this is an old botnet/spammer, it had been spotted by @DynamicAnalysis late last year (https://malwarebreakdown.com/2016/10/20/eitest-leads-to-rig-ek-at-185-45-193-52-which-drops-cutwailpushdo-botnet/).

The malware aggressively spammed POST requests and SMTP, eating up my disk space rapidly. There is an interesting deep dive by Trend and Blueliv regarding this malware linked below.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Pushdo/Cutwail

https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf

https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/


Downloads

(in password protected zip)

Details of infection chain:


[Image: RigCutwail]

Rig EK via a JavaScript redirector delivers Pushdo dropping Cutwail

Full Details:

I found this website through malvertising. It appears to be an old, probably compromised (or even fake) website that contains a script which looks harmless at a glance.

[Image: adultsite]

The script appears at the bottom of the page and is named similarly to a legitimate WordPress script, “js/wp-emoji-release.min.js?ver=4.4.10”.

[Image: Harmless]

The script contains code which likely profiles the visitor and then redirects to another domain hosting a JavaScript file.

[Image: FakeSCript]

This script contains a 301 redirect to another script called “scr.php”. This contains what looks like two JavaScript redirectors leading to Rig EK.
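The chain above (a script named like a WordPress core asset but served from a different host, followed by a hop to a PHP resource on yet another host) is the kind of pattern a proxy log review can surface. The following detection heuristic is an added example, not the blog's own tooling: the log lines are constructed, the hosts are placeholders, and the core-asset list and log layout (client, method, URL, status, referer) are assumptions.

```python
"""Heuristic detection of the redirector chain over constructed proxy logs.

Two signals are checked per client:
  1. a request for a file named like a WordPress core asset
     (e.g. wp-emoji-release.min.js) that is served from a host other than
     the referring page's host ("off-site lookalike");
  2. a later request from the same client for a .php resource on a host
     that is also not the referring page's host (the redirector hop).
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed list of WordPress core file names that a site normally serves itself.
WP_CORE_ASSETS = {"wp-emoji-release.min.js", "jquery.js", "wp-embed.min.js"}

# Constructed sample log: client  method  url  status  referer ("-" if none)
SAMPLE_LOG = """\
10.0.0.5 GET http://compromised-site.example/index.html 200 -
10.0.0.5 GET http://third-party.example/js/wp-emoji-release.min.js?ver=4.4.10 200 http://compromised-site.example/index.html
10.0.0.5 GET http://third-party.example/scr.php 301 http://compromised-site.example/index.html
10.0.0.5 GET http://redirector.example/scr.php 200 http://compromised-site.example/index.html
10.0.0.7 GET http://blog.example/index.html 200 -
10.0.0.7 GET http://blog.example/wp-includes/js/wp-emoji-release.min.js?ver=4.4.10 200 http://blog.example/index.html
"""


def parse_line(line):
    """Split one space-separated log line into a dict."""
    client, method, url, status, referer = line.split()
    return {"client": client, "method": method, "url": url,
            "status": int(status), "referer": referer}


def is_offsite_core_asset(entry):
    """Signal 1: core-asset file name served from a host other than the referer's host."""
    if entry["referer"] == "-":
        return False
    name = urlparse(entry["url"]).path.rsplit("/", 1)[-1]
    if name not in WP_CORE_ASSETS:
        return False
    return urlparse(entry["url"]).hostname != urlparse(entry["referer"]).hostname


def find_redirector_chains(log_text):
    """Return {client: [urls]} for clients whose off-site lookalike fetch is
    followed by one or more .php hops away from the original site."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            entry = parse_line(line)
            by_client[entry["client"]].append(entry)

    hits = {}
    for client, entries in by_client.items():
        for i, entry in enumerate(entries):
            if not is_offsite_core_asset(entry):
                continue
            origin_host = urlparse(entry["referer"]).hostname
            chain = [entry["url"]]
            for later in entries[i + 1:]:
                parsed = urlparse(later["url"])
                if parsed.path.endswith(".php") and parsed.hostname != origin_host:
                    chain.append(later["url"])
            if len(chain) > 1:
                hits[client] = chain
    return hits


if __name__ == "__main__":
    for client, chain in find_redirector_chains(SAMPLE_LOG).items():
        print(client, "->", " -> ".join(chain))
```

In the constructed sample only 10.0.0.5 is flagged: its lookalike script comes from third-party.example rather than the page's own host and is followed by two scr.php hops, while 10.0.0.7 fetches the same file name from its own site and is left alone.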

[Image: FrameToRig]

The payload was Pushdo dropping Cutwail. Pushdo is a downloader that drops Cutwail, the name given to the spamming module of the Pushdo botnet.

SHA256: 93b920e774874615c40b0b59149ea0200f2c23ece5e27ca1230ffa4d646c45b2
File name: g45g4yh.bin
Detection ratio: 11 / 60

Although my PCAP will have most if not all of the traffic, VT also seemed to capture the POST requests in the Behaviour section, which is useful for IOCs.

The malware created multiple svchost processes and a startup entry. The processes began to multiply as time went on. It does not do a great job at hiding itself and did not delete itself from temp.

[Image: startup]

[Image: Pushdo]

It then began violently spamming POST requests and SMTP.

[Image: SMTPspam]

[Image: violentposts]

Here is a sample POST request which appears to return a website.

[Image: POST]
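The post-infection behaviour described above (one host suddenly opening many outbound SMTP connections and firing POST requests at a high rate) is easy to pick out of connection logs by volume alone. The following is an added example and not part of the original post: the records are constructed and loosely modelled on Zeek conn.log fields (ts, src, dst, dst_port, proto, method), and the two thresholds are assumptions to be tuned per environment.

```python
"""Per-minute volume detection for a spambot-style host.

Flags a source host whose peak number of distinct TCP/25 destinations in
any one minute, or peak number of HTTP POSTs in any one minute, exceeds an
assumed threshold. Records are tuples:
    (ts_epoch_seconds, src, dst, dst_port, proto, http_method_or_dash)
"""
from collections import defaultdict

SMTP_DST_THRESHOLD = 5    # assumed: distinct SMTP destinations per minute
POST_RATE_THRESHOLD = 20  # assumed: HTTP POSTs per minute


def build_sample_records():
    """Constructed sample: 10.0.0.5 behaves like the infected host, 10.0.0.7 is normal."""
    base = 1_500_000_000  # arbitrary epoch timestamp, start of one minute bucket
    recs = []
    for i in range(30):  # 30 SMTP connections to 30 distinct mail hosts within one minute
        recs.append((base + i, "10.0.0.5", f"203.0.113.{i + 1}", 25, "tcp", "-"))
    for i in range(25):  # 25 POSTs to one server in the same minute
        recs.append((base + i, "10.0.0.5", "198.51.100.10", 80, "tcp", "POST"))
    recs.append((base + 5, "10.0.0.7", "192.0.2.25", 25, "tcp", "-"))         # one mail relay
    recs.append((base + 7, "10.0.0.7", "198.51.100.20", 80, "tcp", "POST"))   # a form submit
    recs.append((base + 70, "10.0.0.7", "198.51.100.20", 80, "tcp", "POST"))  # next minute
    return recs


def minute_bucket(ts):
    return int(ts) // 60


def score_hosts(records):
    """Return {src: {"smtp_peak": n, "post_peak": n}} using per-minute peaks."""
    smtp_dsts = defaultdict(lambda: defaultdict(set))  # src -> minute -> {dst}
    post_counts = defaultdict(lambda: defaultdict(int))  # src -> minute -> count
    for ts, src, dst, dport, proto, method in records:
        minute = minute_bucket(ts)
        if proto == "tcp" and dport == 25:
            smtp_dsts[src][minute].add(dst)
        if method == "POST":
            post_counts[src][minute] += 1

    scores = {}
    for host in set(smtp_dsts) | set(post_counts):
        smtp_peak = max((len(d) for d in smtp_dsts[host].values()), default=0)
        post_peak = max(post_counts[host].values(), default=0)
        scores[host] = {"smtp_peak": smtp_peak, "post_peak": post_peak}
    return scores


def flag_spambots(records):
    """Sorted list of hosts crossing either threshold in some one-minute window."""
    scores = score_hosts(records)
    return sorted(host for host, s in scores.items()
                  if s["smtp_peak"] >= SMTP_DST_THRESHOLD
                  or s["post_peak"] >= POST_RATE_THRESHOLD)


if __name__ == "__main__":
    records = build_sample_records()
    for host, s in sorted(score_hosts(records).items()):
        print(host, s)
    print("flagged:", flag_spambots(records))
```

Counting distinct SMTP destinations rather than raw connections is what separates a spam module from a busy but legitimate client, which talks to one or two relays; the POST rate covers the C2 check-ins seen in the PCAP. A host that trips either rule is a candidate for the process and startup-entry checks described above.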

One thought on “Rig EK via JS Redirector leads to Pushdo dropping Cutwail.”

  1. Pingback: RIG EK at 188.225.78.135 Delivers Pushdo / Cutwail Botnet and RELST Campaign Still Pushing Chthonic. – MALWARE BREAKDOWN
