Rig EK Drops Bunitu, Smoke Loader, Andromeda and a Miner

Summary:

I was hunting for Rig over the weekend in the Asian region (proxy used) and found 4 different payloads. I merged these into one PCAP and began investigating the payloads, and with the help of several Twitter members (mentioned down below) I got an ID on most of them. I have resolved the IPs in the CSV and the main picture, but in the PCAP you will see my proxy IPs.

In all I found the usual Bunitu, though the “small” tag was not present in the gate. I found Smoke Loader, which did not run, Andromeda, which did run, and an unknown malware which I suspect is a cryptocurrency miner.

A good haul, enjoy!


Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

  • In depth look at Smoke Loader:

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

  • Article on Andromeda Bot:

https://securityintelligence.com/andromeda-a-galaxy-of-pain-coming-to-a-machine-near-you/

Downloads

(in password protected zip)

  • 06-August-2017-Rig-PCAP-> Pcap (merged and proxy used)
  • 06-August-2017-Rig-CSV-> CSV of traffic for IOC’s (resolved IP’s as proxy was used)
  • 06-August-2017-Bunitu-SL-Andro-Miner-> Unfortunately I have to use FileDropper as WordPress doesn’t like my password protected zips sometimes…
  • Bunitu – 02978385cbeffaae26f0fbca7d84a232c147533dfa813327f77e08f91f3c1185
  • Smoke Loader – ed9fa89fbd7b2693c07c755cf1bcb1aaea1c96eb2e8bbf0721cce733bcdb2fbe
  • Andromeda – 0133522011020f0d2a3c204c218b0855a4c3fe470b86d27633572309e5aa3bce
  • Miner – 87497a8b09f1e602258c6c8e53c342209e2cbc6c5d69b0ab7a6db927a94092f1

Details of infection chain:

[Image: quadrig (infection chain diagram)]

Full Details:

This PCAP contains four Rig EK flows each one dropping a different payload.
The payload is encrypted with RC4, but it is easy to decrypt as long as you know the key, which can be found by viewing an unobfuscated version of the landing page. Here we can see it is “wexykukusw”:
[Image: rc4Key]
The current Rig EK landing params are:
[Image: RigParams]
Let’s start at the top with the Bunitu Proxy trojan. Mostly the same, using decoy casino themed websites and an iframe to another domain hosted on the same IP address. Notably, this campaign, AKA Fobos, has always had the <small> HTML tag, but in this sample it is not present.
[Image: Fobos]
Below is the sample I put into VT:
SHA256: 02978385cbeffaae26f0fbca7d84a232c147533dfa813327f77e08f91f3c1185
File name: 030817Bunitu.exe
Detection ratio: 46 / 64
Microsoft TrojanProxy:Win32/Bunitu.Q!bit

This was the usual Bunitu which allows your host to become a proxy server. A DLL is dropped which runs on startup. I didn’t include this DLL but it’s what you would be looking for if you suspect a host has been compromised. Every time someone connects there is a DNS request (12.205.191.24):

[Image: Bunitu]

Next up is Smoke Loader. Now I had some issues here with my Wireshark as it did not seem to capture the traffic except for the download. To make things worse my lab would not run the malware and neither would HA (ran but not properly).

I know, though, that this was from a TDS, probably Keitaro, as I have been seeing this more and more lately and have seen it in the past.

https://zerophagemalware.com/2017/05/19/rig-ek-via-tds-drops-smoke-loader-leads-to-teamviewer/

I took to Twitter to ask what the sample was and got a reply from @James_inthe_box:
[Image: Smokeloader]
At the time the sample only had 5 detections but now there are a few more.
SHA256: ed9fa89fbd7b2693c07c755cf1bcb1aaea1c96eb2e8bbf0721cce733bcdb2fbe
File name: a2hglnk9.exe
Detection ratio: 27 / 64

Next we have Andromeda, again through Keitaro TDS, which led to a decoy website and then a 302 to Rig EK. I sought the aid of @Antelox to identify this one.

[Image: TDS]

The payload was a 25kb file and appeared to be old as the hash was seen 8 months ago. The malware injects itself into MSIEXEC and then performs several POST requests which are likely patches or modules. It remained persistent through reboots.

[Image: Andromeda]

SHA256: 0133522011020f0d2a3c204c218b0855a4c3fe470b86d27633572309e5aa3bce
File name: 040817pop.exe
Detection ratio: 49 / 64

Lastly, and perhaps the most interesting, is a possible cryptocurrency miner. This was through the Rulan campaign, which uses an HTTP refresh and a JavaScript redirector instead of iframes.

[Image: Rulan]

The payload copied itself in a “directx” folder in Microsoft roaming and added itself to startup. The command it ran did not appear to do anything however when I browsed to the IP in the command the server returned with a message saying “mining server online”.

[Image: MiningBot]

There was no CNC or traffic observed on this port. It would need some dynamic analysis I think, so I have passed it on to @malwrhunterteam as I have heard they are interested in miners.

SHA256: 87497a8b09f1e602258c6c8e53c342209e2cbc6c5d69b0ab7a6db927a94092f1
File name: 060817up.exe
Detection ratio: 17 / 64


That’s it for this post!


Rig EK via malvertising drops Imminent RAT

Summary:

Today I found Rig EK via a 302 redirect. It dropped what appears to be an infostealer trojan which masquerades as a Java updater. A .dat file is created which appears to grow over time, and there is a lot of traffic over port 5888, indicative of command and control traffic or exfiltration of data.

UPDATE: confirmed to be Imminent RAT – https://twitter.com/James_inthe_box/status/892912148497575936

I’ve included in this post a bit about the current Rig EK params and the RC4 key which seems to change between samples.

It’s interesting to see other types of malware from Rig other than the 3 common ones I kept finding (bunitu, chthonic, dreambot).

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Details of infection chain:


Full Details:

The flow was found via malvertising from what I think is a TDS. A 302 eventually redirects to Rig EK.

Rig has changed its RC4 key, making it a little more annoying to grab the payload. Here you can see it is “wexykukusw”.

[Image: Godmode]
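As an added example of the payload recovery described here and in the previous post (my own code, not the blog’s tooling): RC4-decrypt a Rig download body with the key taken from the landing page, then sanity-check that the result is a PE file. It assumes, as the posts describe, that the body is raw RC4 ciphertext under that key; the “captured” body below is constructed in the script itself.

```python
# Added example (not from the original post): RC4-decrypt a Rig EK payload
# body with the key read from the landing page, and sanity-check the result.


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling, then keystream XOR. Symmetric, so the
    same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_rig_payload(key: str, body: bytes) -> bytes:
    """Decrypt the HTTP body of a Rig payload download. Assumes (as the post
    describes) the body is raw RC4 ciphertext under the landing-page key."""
    return rc4(key.encode("ascii"), body)


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that the key was right: a dropped EXE starts with 'MZ' and
    has a 'PE\\0\\0' signature at the offset stored in the DOS header at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


RIG_KEY = "wexykukusw"  # key seen on the Rig landing page in the post

# Constructed stand-in for a dropped EXE: DOS header pointing at 0x80, then PE sig.
_FAKE_EXE = b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little")
_FAKE_EXE += b"\x00" * (0x80 - len(_FAKE_EXE)) + b"PE\x00\x00" + b"\x90" * 16
# Constructed "captured" download body, i.e. what the PCAP would hold on the wire.
CAPTURED_BODY = rc4(RIG_KEY.encode("ascii"), _FAKE_EXE)

if __name__ == "__main__":
    plain = decrypt_rig_payload(RIG_KEY, CAPTURED_BODY)
    print("decrypted payload is a PE:", looks_like_pe(plain))
    wrong = decrypt_rig_payload("badkey", CAPTURED_BODY)
    print("wrong key yields a PE:", looks_like_pe(wrong))
```

On a real capture, feed `decrypt_rig_payload` the raw response body of the payload request; if `looks_like_pe` is false, the key on the landing page has most likely changed again.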

In addition here are the current params as of today:

[Image: Params]

The payload was fairly large and I was not able to identify it so I’ve just called it “trojan” as it appears to pretend to be a Java Updater.

SHA256: 8d4a776e6814cf7247711c825e6bf83b1f2768f1dee8c0d896b86b68743ebeab
File name: e14tbkpm.exe
Detection ratio: 17 / 64

The malware drops another file and runs it, though that file appears to be legitimate software.

SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
File name: Juscheckr.exe
Detection ratio: 0 / 64

The malware did create some unusual folders. One contains a copy of itself renamed to “javaupdater.exe”. The other is a folder called “Imminent” which contains a text file that appears to keep growing as time goes on.

[Image: Growing]

The malware made requests as follows:

[Image: DNS requests]
[Image: TCP connections]
It appears to communicate with 94.140.120.149 over port 5888, likely sending the contents of the file above. Therefore it appears to have some kind of infostealing capability.
[Image: 5888]


Rig EK via JavaScript Re-director drops UrlZone Trojan Banker.

Summary:

First of all, apologies for the quality of this post and the image. I am not able to access my tools at the moment, so I had to piece it together using Paint…

Whilst looking for Magnitude I came across a Rig EK flow via a JavaScript redirector. The payload did not run on my lab or on Hybrid Analysis so I sought the aid of @Antelox who identified the sample as UrlZone – a trojan banker which has recently been seen in malspam.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article referencing UrlZone as part of “Avalanche”

https://www.us-cert.gov/ncas/alerts/TA16-336A

Downloads

(in password protected zip)

Details of infection chain:


Full Details:

The chain begins from malvertising which leads to a website called “datingspots.co”. An HTTP refresh redirects to “datingspots.co/?”. There is also an iframe here with a suspicious URL, but it did not seem to lead anywhere.

[Image: Refreshtoco]

Next there is a 302 redirect to a script called “scr.php”.

[Image: 302]

The script contains two JavaScript redirects leading to Rig EK.

[Image: redirector]

Unfortunately I could not get the payload to run on my lab, so I do not have any IOCs to offer except a hash. I tried to run it in Hybrid Analysis with “High evasion” mode on, but it did not run properly. It was confirmed by @Antelox to be UrlZone – a trojan banker.

SHA256: d761e6d23070cde26710566a09c847e6c9d112cc973e10a1422d94ae481056f7
File name: hgsaic3x.exe
Detection ratio: 27 / 64

I would be interested to see any IOCs if anyone wants to analyse the sample.

Magnitude EK XML Package and changes.

Summary:

This PCAP shows two Magnitude EK flows. The first one appears to run an XML package which downloaded a 77 MB text file. The second flow appears to be new and makes references to IE-Edge. The landing page is something I have never seen before, and it appears to have run a Flash exploit.

I will spend some time looking at it and update this blog post. In the meantime, however, take a look at the PCAP. I’d be interested to know if you recognise any exploits.

Background Information:

  • Article from RSA; although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • A few previous Magnitude EK posts from me.

Magnitude EK drops Cerber (Scriplet changed to “.bmp”)

Magnitude EK drops “CBRB” (Cerber Ransomware)

Downloads (in password protected zip)

Details of infection chain:

[Image: MagnitudeRender (infection chain diagram)]

A new version of Magnitude EK makes references to IE-edge. No payload but I did not use Edge.


Full Details:

I will likely update this section as I learn more about what has happened. In short, there appear to be many changes to Magnitude EK.

Let’s start with the decoy website, which is called “letsovape.com”.

In the first flow we see the two Magnigates. If you have seen any of my previous Magnitude EK posts you will see this is different. I will try to look at deobfuscating these.

[Image: Magnigate1]

[Image: Magnigate2]

Next comes the VBScript landing page, which appears to be similar, but again I will look into it. Here is a snapshot of part of it:

[Image: landingpage]

Not entirely sure how yet, but possibly through the Flash exploit, Magnitude EK was able to call a JavaScript command using Rundll32 which downloaded and ran an XML package, which then dropped a payload on the Desktop. This payload, despite having an .exe extension, is actually a 77 MB text file seemingly filled with gibberish.

[Image: XML]

Perhaps more interesting is a different version of Magnitude which I also saw. This also began with “letsovape”:

[Image: letsvape2]

The landing page is something I have never seen before. It looks very interesting. I’m not sure if there are any exploits here but I do know it calls a Flash file.

[Image: letsvape]

Note the header on the Flash file, “IE = Edge”, may indicate Edge may need to be used. I do not have this browser, so I could not test.

[Image: FlashFile]

Lastly there are two JavaScripts which are run which are actually Magnigates that appear to return to the usual chain of Magnitude events.

[Image: obfus]