Rig EK via JavaScript Re-director drops UrlZone Trojan Banker.

Summary:

First of all, apologies for the quality of this post and the image. I am not able to access my tools at the moment, so I had to piece it together using Paint…

Whilst looking for Magnitude I came across a Rig EK flow via a JavaScript redirector. The payload did not run on my lab or on Hybrid Analysis so I sought the aid of @Antelox who identified the sample as UrlZone – a trojan banker which has recently been seen in malspam.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article referencing UrlZone as part of “Avalanche”

https://www.us-cert.gov/ncas/alerts/TA16-336A

Downloads

(in password-protected zip)

Details of infection chain:

[Diagram: infection chain overview (click to enlarge)]

Full Details:

The chain begins from malvertising which leads to a website called “datingspots.co”. An HTTP refresh redirects to “datingspots.co/?”. There is also an iframe here with a suspicious URL, but it did not seem to lead anywhere.

[Screenshot: HTTP refresh redirect to datingspots.co/?]

Next there is a 302 redirect to a script called “scr.php”.

[Screenshot: 302 redirect to scr.php]

The script contains two JavaScript redirects leading to Rig EK.

[Screenshot: JavaScript redirector in scr.php]
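As an added example (not code from the original post), the chain described above, an HTTP refresh, then a 302 to scr.php, then a JavaScript hop off-site to the EK, expressed as detection logic over constructed proxy-log records; the EK landing host "ek-landing.example" is a placeholder because the post names no URL beyond datingspots.co.

```python
from urllib.parse import urlparse

# Constructed proxy-log records (not captured traffic): (url, status, response headers, referer).
# "ek-landing.example" stands in for the Rig EK landing host, which this post does not name.
LOG = [
    ("http://datingspots.co/", 200, {"Refresh": "0; url=http://datingspots.co/?"}, ""),
    ("http://datingspots.co/?", 302, {"Location": "http://datingspots.co/scr.php"}, "http://datingspots.co/"),
    ("http://datingspots.co/scr.php", 200, {"Content-Type": "text/html"}, "http://datingspots.co/?"),
    ("http://ek-landing.example/?q=abc", 200, {"Content-Type": "text/html"}, "http://datingspots.co/scr.php"),
    ("http://cdn.example/jquery.js", 200, {"Content-Type": "application/javascript"}, "http://news.example/"),
]

def hop_kind(status, headers):
    """Classify how a response moves the browser on: Refresh header, HTTP 30x, or plain content
    (a JavaScript redirect, as in scr.php, shows up only as the Referer of the next request)."""
    if "Refresh" in headers:
        return "refresh"
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return "http-%d" % status
    return "content"

def build_chains(records):
    """Walk Referer headers backwards to rebuild the redirect chain ending at each request.
    Assumes the browser sent a Referer on every hop, which is not guaranteed after a Refresh."""
    by_url = {r[0]: r for r in records}
    chains = []
    for url, status, headers, referer in records:
        chain, seen = [(url, hop_kind(status, headers))], {url}
        while referer in by_url and referer not in seen:
            seen.add(referer)
            prev_url, prev_status, prev_headers, referer = by_url[referer]
            chain.append((prev_url, hop_kind(prev_status, prev_headers)))
        chains.append(chain[::-1])
    return chains

def suspicious(chain):
    """Flag chains of three or more hops that mix a Refresh hop with an HTTP 30x hop
    and finally hand the browser off to a different host (the EK landing page)."""
    if len(chain) < 3:
        return False
    kinds = {kind for _, kind in chain}
    if "refresh" not in kinds or not any(k.startswith("http-3") for k in kinds):
        return False
    return urlparse(chain[0][0]).netloc != urlparse(chain[-1][0]).netloc

def flagged(records):
    """Return the URL sequence of every suspicious chain found in the records."""
    return [[url for url, _ in chain] for chain in build_chains(records) if suspicious(chain)]
```

Only the chain that leaves datingspots.co is reported; the same-host hops up to scr.php on their own are not, which keeps ordinary on-site refresh/redirect pairs out of the alert queue.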

Unfortunately I could not get the payload to run on my lab, so I do not have any IOCs to offer except a hash. I tried to run it in Hybrid Analysis with “High evasion” mode on, but it did not run properly. It was confirmed by @Antelox to be UrlZone – a trojan banker.

SHA256: d761e6d23070cde26710566a09c847e6c9d112cc973e10a1422d94ae481056f7
File name: hgsaic3x.exe
Detection ratio: 27 / 64

I would be interested to see any IOCs if anyone wants to analyse the sample.
