Rig EK Drops Bunitu, Smoke Loader, Andromeda and a Miner

Summary:

I was hunting for Rig over the weekend in the Asian region (proxy used) and found 4 different payloads. I merged these into one PCAP and began investigating the payloads, and with the help of several Twitter members (mentioned down below) I got an ID on most of them. I have resolved the IPs in the CSV and the main picture, but in the PCAP you will see my proxy IPs.

In all, I found the usual Bunitu, though the “small” tag was not present in the gate. I also found Smoke Loader, which did not run, Andromeda, which did run, and an unknown malware which I suspect is a cryptocurrency miner.

A good haul, enjoy!

 

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

  • In depth look at Smoke Loader:

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

  • Article on Andromeda Bot:

https://securityintelligence.com/andromeda-a-galaxy-of-pain-coming-to-a-machine-near-you/

Downloads

(in password protected zip)

  • 06-August-2017-Rig-PCAP-> Pcap (merged and proxy used)
  • 06-August-2017-Rig-CSV-> CSV of traffic for IOCs (resolved IPs as proxy was used)
  • 06-August-2017-Bunitu-SL-Andro-Miner-> Unfortunately I have to use FileDropper as WordPress doesn’t like my password protected zips sometimes…
  • Bunitu – 02978385cbeffaae26f0fbca7d84a232c147533dfa813327f77e08f91f3c1185
  • Smoke Loader – ed9fa89fbd7b2693c07c755cf1bcb1aaea1c96eb2e8bbf0721cce733bcdb2fbe
  • Andromeda – 0133522011020f0d2a3c204c218b0855a4c3fe470b86d27633572309e5aa3bce
  • Miner – 87497a8b09f1e602258c6c8e53c342209e2cbc6c5d69b0ab7a6db927a94092f1

Details of infection chain:

(Image: diagram of the four Rig EK infection chains)

Full Details:

This PCAP contains four Rig EK flows, each one dropping a different payload.
The payload is encrypted with RC4, but it is easy to decrypt as long as you know the key, which can be found by viewing a de-obfuscated version of the landing page. The key is not fixed, so pull it from the landing page of the flow you are working on. Here we can see it is “wexykukusw”:
(Image: de-obfuscated landing page source showing the RC4 key)
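As an added illustration (my code, not code from the original post or from Rig itself), here is a plain Python RC4 routine of the kind you would use to recover the dropped executable from the PCAP once the key has been pulled from the landing page. It assumes the downloaded payload body is a raw RC4 stream with no extra header or compression; the sample blob is constructed inside the script rather than taken from the capture, and the key “wexykukusw” is the one shown above. The PE sanity check lets you reject a wrong key instead of writing junk to disk.

```python
"""Recover an RC4-encrypted Rig EK payload once the key is known.

Added example, not code from the original post. Assumes the downloaded
payload body is a raw RC4 ciphertext with no extra header or compression.
"""
from typing import Iterable, List, Optional


def rc4_ksa(key: bytes) -> List[int]:
    """RC4 key-scheduling algorithm: build the initial 256-byte state."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decrypted blob: DOS 'MZ' stub plus an
    e_lfanew (offset 0x3C) that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_rig_payload(blob: bytes, key: bytes) -> bytes:
    """Decrypt, and refuse to hand back junk if the key was wrong."""
    plain = rc4_crypt(key, blob)
    if not looks_like_pe(plain):
        raise ValueError("decrypted data is not a PE; wrong key or extra wrapping")
    return plain


def find_key(blob: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Try several candidate keys (e.g. scraped from several landing pages)
    and return the first one that yields a PE, or None."""
    for key in candidates:
        if looks_like_pe(rc4_crypt(key, blob)):
            return key
    return None


# Constructed stand-in for a dropped executable: a minimal DOS header whose
# e_lfanew points at a 'PE\0\0' signature at offset 0x40. This is NOT one of
# the real samples from the capture.
_fake = bytearray(b"MZ" + b"\x00" * 0x3E)
_fake[0x3C:0x40] = (0x40).to_bytes(4, "little")
_fake += b"PE\x00\x00" + b"\x00" * 20
FAKE_PE = bytes(_fake)

LANDING_KEY = b"wexykukusw"                     # key seen in the landing page
SAMPLE_BLOB = rc4_crypt(LANDING_KEY, FAKE_PE)   # what the wire would carry

if __name__ == "__main__":
    recovered = decrypt_rig_payload(SAMPLE_BLOB, LANDING_KEY)
    print("PE recovered:", looks_like_pe(recovered), "size:", len(recovered))
```

In practice you would carve the payload body out of the HTTP response in Wireshark (Follow TCP Stream, save raw) and feed it to decrypt_rig_payload with the key from that flow's landing page.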
The current Rig EK landing params are:
(Image: current Rig EK landing page parameters)
Let’s start at the top with the Bunitu proxy trojan. Mostly the same as before, using decoy casino-themed websites and an iframe to another domain hosted on the same IP address. Notably, this campaign, AKA Fobos, has always had the <small> HTML tag in its gate page, but in this sample it is not present.
(Image: Fobos gate page and iframe to the Rig EK landing page)
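To make the gate behaviour concrete, the following is an added example (my code, not the author’s and not anything from the campaign itself) that pulls every iframe out of a captured gate page, flags the ones whose src points at a hostname other than the page’s own, and reports whether a <small> tag is present, the marker this campaign used to carry. The two HTML snippets are constructed stand-ins for a casino decoy, and the hostnames in them are invented.

```python
"""Triage a captured gate/decoy page for an off-host iframe and the <small>
marker. Added example; the HTML and hostnames below are constructed."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


class _GateParser(HTMLParser):
    """Collect iframe src attributes and count <small> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[str] = []
        self.small_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframes.append(src)
        elif tag == "small":
            self.small_tags += 1


def analyse_gate(page_url: str, html: str) -> Dict[str, object]:
    """Return the iframes found, the ones pointing off the page's host, and
    whether the <small> marker is present."""
    parser = _GateParser()
    parser.feed(html)
    parser.close()
    page_host = urlparse(page_url).hostname
    off_host = []
    for src in parser.iframes:
        host = urlparse(src).hostname  # None for a relative URL -> same host
        if host and host != page_host:
            off_host.append(src)
    return {
        "iframes": parser.iframes,
        "off_host_iframes": off_host,
        "has_small_marker": parser.small_tags > 0,
    }


# Constructed decoy pages (hostnames invented, not from the capture).
DECOY_NO_SMALL = """<html><head><title>Lucky Spins Casino</title></head>
<body><h1>Welcome bonus</h1><p>Play now!</p>
<iframe src="http://land.other-host.example/index.php?x=1"
        width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/banner.html"></iframe>
</body></html>"""

DECOY_WITH_SMALL = DECOY_NO_SMALL.replace("<p>Play now!</p>",
                                          "<small>Play now!</small>")

if __name__ == "__main__":
    for name, page in (("no <small>", DECOY_NO_SMALL),
                       ("with <small>", DECOY_WITH_SMALL)):
        print(name, analyse_gate("http://casino-decoy.example/", page))
```

The off-host iframe is the part worth alerting on; the <small> marker is a campaign fingerprint, and as this sample shows, it can disappear, so a detection that keys on it alone will go quiet without the campaign going away.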
Below is the sample I put into VT:
SHA256: 02978385cbeffaae26f0fbca7d84a232c147533dfa813327f77e08f91f3c1185
File name: 030817Bunitu.exe
Detection ratio: 46 / 64
Microsoft TrojanProxy:Win32/Bunitu.Q!bit

This was the usual Bunitu, which turns the infected host into a proxy server. A DLL is dropped which runs on startup. I didn’t include this DLL, but it’s what you would be looking for if you suspect a host has been compromised. Every time someone connects, there is a DNS request (12.205.191.24):

(Image: Bunitu proxy traffic and DNS requests)

Next up is Smoke Loader. Now, I had some issues here with my Wireshark, as it did not seem to capture any of the traffic except the download. To make things worse, my lab would not run the malware, and neither would HA (it ran, but not properly).

I know, though, that this came from a TDS, probably Keitaro, as I have been seeing this more and more lately and have seen it in the past:

https://zerophagemalware.com/2017/05/19/rig-ek-via-tds-drops-smoke-loader-leads-to-teamviewer/

I took to Twitter to ask what the sample was and got a reply from @James_inthe_box.
(Image: tweet from @James_inthe_box identifying the sample as Smoke Loader)
At the time the sample only had 5 detections, but now there are a few more.
SHA256: ed9fa89fbd7b2693c07c755cf1bcb1aaea1c96eb2e8bbf0721cce733bcdb2fbe
File name: a2hglnk9.exe
Detection ratio: 27 / 64

Next we have Andromeda, again through the Keitaro TDS, which led to a decoy website and then a 302 to Rig EK. I sought the aid of @Antelox to identify this one.

(Image: Keitaro TDS traffic, decoy website and 302 redirect to Rig EK)

The payload was a 25 KB file and appeared to be old, as the hash was first seen 8 months ago. The malware injects itself into msiexec.exe and then performs several POST requests, which are likely patches or modules. It remained persistent through reboots.

(Image: Andromeda POST requests from the injected msiexec.exe)

SHA256: 0133522011020f0d2a3c204c218b0855a4c3fe470b86d27633572309e5aa3bce
File name: 040817pop.exe
Detection ratio: 49 / 64

Lastly, and perhaps the most interesting, is a possible cryptocurrency miner. This came through the Rulan campaign, which uses an HTTP refresh and a JavaScript redirector instead of iframes.

(Image: Rulan campaign HTTP refresh and JavaScript redirect)

The payload copied itself into a “directx” folder under the roaming Microsoft AppData directory and added itself to startup. The command it ran did not appear to do anything; however, when I browsed to the IP in the command, the server returned a message saying “mining server online”.

(Image: miner command line and the “mining server online” response)

There was no C2 or other traffic observed on this port. It would need some dynamic analysis, I think, so I have passed it on to @malwrhunterteam, as I have heard they are interested in miners.

SHA256: 87497a8b09f1e602258c6c8e53c342209e2cbc6c5d69b0ab7a6db927a94092f1
File name: 060817up.exe
Detection ratio: 17 / 64

 

That’s it for this post!