Rig EK via Malvertising drops Panda Banker

Summary:

Today I found Panda Banker via a series of 302 redirects to Rig EK. The payload did not run on my lab so I sought the aid of @Antelox who identified it as Panda. I then put the sample into a sandbox where it did run so I managed to pull a few IOC’s.

It has been a while since I’ve seen Panda Banker  I’ll have to pour over the data and figure out why it evaded my lab but ran in a sandbox..

 

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Panda Banker

https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

Full Details:

Found via a malvertising chain of multiple 302 redirects, Rig EK drops Panda Banker. The sample did not run on my lab. It created three files then terminated. It must have checked for something and disliked it then terminated. The sample was confirmed to be Panda by @Antelox.

SHA256: 9cdb53cc0294be1cb0699879499d17c6d450fbb5e03a6979cb7ad14cfb67c51a
File name: 16-July-2017-Rig-Malware.bin
Detection ratio: 19 / 63
Avira (no cloud) TR/AD.PandaBanker.fyxdz

Although it did not run, I did managed to put it into a sandbox which managed to run it so I have some IOC’s for traffic.

The PCAP is located here: https://www.virustotal.com/en/file/7ebd871771bfaa3eb6d3f4ffd638d709a251fd4fa487dfe0c2a9f58a7374e21c/analysis/

On my lab it created the three files below but then terminated. On the sandbox it copied itself to the path below and did the usual trojan behaviour (process injection, etc.)

Panda5

Below is port 443 HTTP POST requests which were observed to smillaopds.top.

Panda3Panda2Panda1

There was a lot more data but I’ll end with a quick summary that the sandbox gave:

Panda4

 

Rig EK delivers Kronos Banker

Summary:

I took a break for a while though was still finding the usual Chthonic, Bunitu and Dreambot Rig EK flows from the usual HookAds, Rulan and Fobos campaigns. If you are interested in those let me know. I still have the PCAP’s.

Someone also messaged me about changing the way I capture packets. I have not done this yet but will look into it.

Anyway today I found Kronos via malvertising which led to a website that contained 3 iframes that redirected to Rig EK. In this flow I was using IE 11 and the latest version of Flash.

I would be interested to know any domains that Kronos targets to see if I can see any injections occuring.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Kronos

https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

 

 

Full Details:

 

Found initially through malvertising, the dummy website has 3 iframes on it that redirect to Rig EK.

tripleFrame

The payload was Kronos Banker. The first EXE was dropped by Rig. It then created the second EXE and eventually injected itself into svchost:

SHA256: b024266f710c6c7a1517d4623e048b8c564dabf9ac294ba6317762fa6c830142
File name: vqb1zpvr.exe
Detection ratio: 19 / 65
SHA256: ffc1cfe4cfa36477ead629bd1a2c6ffb266502c3261b85de431137da411320a8
File name: domain.exe
Detection ratio: 8 / 62

I saw three domains associated with Kronos in total. POST requests were made to “/kronos/connect.php”:

kgkjvkjgvkgvkhg.xyz
khgkjhkjghkjgh.xyz
kljhlkjhkljh.xyz

kronosCnC

Viewing the functions of “domain.exe” shows what appears to be form grabbing and HTML injection.

functions

Magnitude EK drops Cerber (Scriplet changed to “.bmp”)

Summary:

Its been a fairly standard week for Rig EK. I’ve not spotted anything new or interesting so I decided not to blog about it this week. I did however discover a change in Magnitude EK. It’s a small one but the Scriplet now has the extension “.bmp” instead of “.ico”.

I also ran this flow with the latest IE 11 and Flash Player and still got Cerber Ransomware (still calling itself CRBR). If you’ve ever fiddled with security settings you’ll probably scream that scriplets are disabled by default which is true. I did play with the security settings to try to give see what payload the scriplet drops. Alas they still failed as usual and Cerber appeared from it’s normal vector.

Background Information:

  • Article from RSA, although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK drops “CBRB” (Cerber Ransomware)

Magnitude EK via malvertising delivers Cerber Ransomware

Downloads (in password protected zip)

Details of infection chain:

(click to enlarge!)

MagnitudeBMP

Full Details:

Just to note for this flow I ran IE 11 downloaded straight from the MS website and the latest Flash was installed. This was to demonstrate the need to patch your operating system as clearly these updates were not enough to stop Magnitude (albeit i did lower IE security settings)

FlashPlayerIEVersion

 

Most notable about this flow is the change of the naming of the scriplet used by Magnitude EK.

The scriplet is called in the landing page. I have deobfuscated most of it and you can see the call to the “.bmp” scriplet. Previous it has been “.ico”.

ScripletCall

This is the scriplet mostly deobfuscated with some variables renamed. Here you can see an executable is dropped and ran with cmd. These executables always fail and are 0 kb. I’m not sure why this is the case.

ScriptletDecode

If you enlarge this picture you will see  a condensed version of all the processes that were run on the endpoint.

MagProcesses

The payload is Cerber Ransomware. This version calls itself “CBRB”.

cerberpic

This version of a Cerber is at least a week old (UDP patterns are identical but sample is fresh from 3rd) however it still does a good job at evading a lot of AV vendors.

SHA256: 46e29c56d426a4c16548b74f77b2fdd75005ddac1333039567d16212cdc585e4
File name: a.exe
Detection ratio: 14 / 61