Summary:
First of apologies for the quality of this post and the image. I am not able to access my tools at the moment so had to piece it together using Paint…
Whilst looking for Magnitude I came across a Rig EK flow via a JavaScript redirector. The payload did not run on my lab or on Hybrid Analysis so I sought the aid of @Antelox who identified the sample as UrlZone – a trojan banker which has recently been seen in malspam.
Background Information:
- A few articles on Rig exploit kit and it’s evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
- Article referencing UrlZone as part of “Avalanche”
https://www.us-cert.gov/ncas/alerts/TA16-336A
Downloads
(in password protected zip)
- 01-August-2017-Rig-UrlZone-PCAP -> Pcap
- 01-August-2017-Rig-UrlZone-CSV -> CSV of traffic for IOC’s ( I used a proxy)
- 01-August-2017-Rig-UrlZone -> UrlZone (d761e6d23070cde26710566a09c847e6c9d112cc973e10a1422d94ae481056f7)
Details of infection chain:
(click to enlarge!)
Full Details:
The chain begins from malvertising which leads to a website called “datingspots.co”. A HTTP refresh redirects to “datingspots.co/?”. There is also an iframe here with a suspicious URL but it did not seem to lead anywhere.
Next there is a 302 redirect to a script called “scr.php”
The script contains two JavaScript redirects leading to Rig EK.
Unfortunately I could not get the payload to run on my lab so I do not have any IOC’s to offer except a hash. I tried to run it in Hybrid Analysis with “High evasion” mode on but it did not run properly. It was confirmed by @Antelox to be UrlZone – a trojan banker.
| SHA256: | d761e6d23070cde26710566a09c847e6c9d112cc973e10a1422d94ae481056f7 |
| File name: | hgsaic3x.exe |
| Detection ratio: | 27 / 64 |
I would be interested to see any IOC’s if anyone wants to analyse the sample.
Zerophage Malware 