First of all, apologies for the quality of this post and the image. I am not able to access my tools at the moment, so I had to piece it together using Paint…
- A few articles on Rig exploit kit and its evolution:
- Article referencing UrlZone as part of “Avalanche”
(in password-protected zip)
- 01-August-2017-Rig-UrlZone-PCAP -> Pcap
- 01-August-2017-Rig-UrlZone-CSV -> CSV of traffic for IOCs (I used a proxy)
- 01-August-2017-Rig-UrlZone -> UrlZone (d761e6d23070cde26710566a09c847e6c9d112cc973e10a1422d94ae481056f7)
Details of infection chain:
The chain begins with malvertising, which leads to a website called “datingspots.co”. An HTTP refresh redirects to “datingspots.co/?”. There is also an iframe here with a suspicious URL, but it did not seem to lead anywhere.
Next, there is a 302 redirect to a script called “scr.php”.
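To show how a chain like this can be pulled out of a proxy export rather than read off by hand, here is an added example (not code from the original post) that walks backwards from the payload request to the entry point using 302 Location headers, HTTP Refresh headers and Referer values. The CSV rows are constructed: only datingspots.co, its refresh to “/?” and the 302 out of scr.php come from the post, while ad.example and ek-landing.example are placeholders for the ad network and the exploit-kit landing host.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed proxy export (not the post's CSV): only datingspots.co, its
# Refresh hop to "/?" and the 302 out of scr.php come from the post; the
# ad network and exploit-kit landing host are placeholders.
PROXY_CSV = """url,status,referer,response_headers
http://ad.example/click,302,,Location: http://datingspots.co/
http://datingspots.co/,200,,"Refresh: 0; url=/?"
http://datingspots.co/?,200,http://datingspots.co/,Content-Type: text/html
http://cdn.example/logo.png,200,http://datingspots.co/?,Content-Type: image/png
http://datingspots.co/scr.php,302,http://datingspots.co/?,Location: http://ek-landing.example/index.php
http://ek-landing.example/index.php,200,http://datingspots.co/?,Content-Type: text/html
"""
REFRESH_RE = re.compile(r"Refresh:\s*\d+\s*;\s*url=(\S+)", re.I)
LOCATION_RE = re.compile(r"Location:\s*(\S+)", re.I)

def resolve(base, target):
    """Turn an absolute-path target such as "/?" into a full URL."""
    if not target.startswith("/"):
        return target
    p = urlsplit(base)
    return f"{p.scheme}://{p.netloc}{target}"

def redirect_target(row):
    """Where a response sends the browser next, as (kind, url), or None."""
    hdrs = row["response_headers"]
    if row["status"].startswith("3") and (m := LOCATION_RE.search(hdrs)):
        return "302", resolve(row["url"], m.group(1))
    if (m := REFRESH_RE.search(hdrs)):
        return "refresh", resolve(row["url"], m.group(1))
    return None

def trace_back(csv_text, final_url):
    """Walk from the payload URL back to the entry point; oldest hop first.
    A redirect pointing at a URL explains it, else its request's Referer."""
    rows = {r["url"]: r for r in csv.DictReader(io.StringIO(csv_text))}
    redirects = {}  # target url -> (source url, kind)
    for url, row in rows.items():
        if (hop := redirect_target(row)):
            redirects[hop[1]] = (url, hop[0])
    chain, seen, url = [], set(), final_url
    while url and url not in seen:  # stops at the entry point or a cycle
        seen.add(url)
        prev, kind = redirects.get(url) or (rows.get(url, {}).get("referer"), "referer")
        chain.append((url, kind if prev else "entry"))
        url = prev
    return chain[::-1]
```

Unrelated requests that merely share a Referer (the image fetch above) never enter the chain, because the walk only follows the one predecessor that explains each hop.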
Unfortunately, I could not get the payload to run in my lab, so I do not have any IOCs to offer except a hash. I tried to run it in Hybrid Analysis with “High evasion” mode on, but it did not run properly. It was confirmed by @Antelox to be UrlZone – a trojan banker.
Detection ratio: 27 / 64
I would be interested to see any IOCs if anyone wants to analyse the sample.