Rig EK via Rulan drops an Infostealer

Summary:

Back again with the Rulan campaign. Recently it has changed its usual payload and we have seen Quant Loader, Coin Miner and KINS.

This time it is back and dropped a payload which I have struggled to ID. It has all the characteristics of an infostealer (gathering data then sending it to C2). I’ve been unable to decipher what data it is sending and why. The C2 domains also did not trigger any ET/Snort rules.

It’s interesting for sure and I’d be interested to know more about it so keep an eye on Twitter.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Unfortunately I’m having a few issues with WordPress, so the payload is on tinyupload for now. Let me know if it goes down.

Details of infection chain:

[Image: RigInfo.png (infection chain diagram)]

Full Details:

Rulan has been providing various payloads over the past week or so. A coin miner and even KINS were spotted earlier this week by @nao_sec. It is still using a JS redirector and an HTTP refresh to redirect the victim to Rig EK.

[Screenshot: rulan]

Rig itself continues to change up its parameters, this time using “opas”, “hopas” and “shops”.

[Screenshot: params]

The RC4 key is now “marydcetoz”. You can use this to decrypt the payload from the pcap.

[Screenshot: newkey2]
[Screenshot: newkey1]
The payload appeared to be an infostealer by nature. I was unable to identify it, though I sought the aid of @James_inthe_box, who dug further but could not identify it.

SHA-256: 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb
File name: eb11bac9e73f7f6fed3506e28a13dacbfa3fbdc0
File size: 288 KB

The payload copied itself into a folder called “ZSysRaw” and the binary was named “sysraw.exe”. It then began to collect information and store it in a folder called “data”.

[Screenshot: malwarex]

The malware began with a POST request ending with “load.php”. It looks like Base64 but I could not decode it into anything meaningful.

[Screenshot: load]

Next it began to POST data from the text files it created. Again I could not decode this data. It then sent each text file it created to the C2, with each file reaching a size of around 3kb.

[Screenshot: steal]

The payload did not trigger any signatures (ET/Snort), though its behaviour is indicative of an information stealer. Keep checking Twitter, it’s likely some more info will come!

Rig EK via Rulan drops Quant Loader (leads to Ursnif)

Summary:

It has been a while since I have blogged. This is due to two things. First, I found a new job which I start next month, so that has taken up some of my time. Next, I’ve found Rig EK activity to have greatly reduced. I did find other Rulan, Fobos and Seamless samples which I decided not to blog about as they were the same old. So if I disappear after blogging this, it’s just that the EK landscape is drying up. I’ll be back if something changes!

Today however Rulan dropped Quant Loader which I believe in turn dropped an Ursnif banking trojan variant. This makes a change from its usual Chthonic payload. Otherwise it’s the same campaign. This demonstrates the campaign is still active. I have also seen it live twice from malvertising campaigns.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Quant Loader:

https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground

Downloads

(in password protected zip)

Details of infection chain:

[Image: QuantLoader.png (infection chain diagram)]

Rulan leads to Quant Loader which drops Ursnif Variant

Full Details:

Not much has changed with the Rulan campaign (apart from the payload), which is usually found from malvertising chains. It is still using a JS redirector and an HTTP refresh to redirect the victim to Rig EK.

[Screenshot: Rulan]

Rig itself continues to change up its parameters.

[Screenshot: RigParams]

The RC4 key is now “akxyxuxusa”. You can use this to decrypt the payload from the pcap.

[Screenshot: RigKey1]
[Screenshot: RigKey2]
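The RC4 key quoted here, like “marydcetoz” in the earlier Rulan post above, is all you need to recover the dropped binary from the capture. The Python below is an added example, not code from the original post: a plain RC4 implementation plus a helper that decrypts a blob already carved from the pcap (the exploit’s HTTP response body exported from Wireshark, assumed here to be the raw ciphertext) and checks for the MZ header; a constructed fake PE stub stands in for the real bytes so the script runs offline.

```python
# Added example, not code from the original post. Plain RC4 and a helper to
# decrypt a Rig EK payload blob carved from a pcap with the key the post quotes.
# Assumptions: the carved HTTP body is the raw RC4 ciphertext and the plaintext
# is a PE file, so an "MZ" header is used as the success check.

RIG_RC4_KEY = b"akxyxuxusa"           # key from this post
EARLIER_RIG_RC4_KEY = b"marydcetoz"   # key from the earlier Rulan post above

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decrypt_payload(blob: bytes, key: bytes = RIG_RC4_KEY) -> bytes:
    """Decrypt a carved Rig payload and check that it decodes to a PE (MZ) file."""
    plain = rc4(key, blob)
    if plain[:2] != b"MZ":
        raise ValueError("no MZ header after decryption: wrong key or wrong bytes carved")
    return plain

def decrypt_from_file(path: str, key: bytes = RIG_RC4_KEY) -> bytes:
    """Decrypt a blob saved from the pcap (e.g. a Wireshark-exported HTTP body)."""
    with open(path, "rb") as fh:
        return decrypt_payload(fh.read(), key)

# Constructed sample so the script runs offline: a minimal fake PE header
# (MZ stub, e_lfanew at 0x3C pointing at a "PE\0\0" signature) encrypted
# with the campaign key stands in for the bytes carved from the capture.
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_BLOB = rc4(RIG_RC4_KEY, FAKE_PE)

if __name__ == "__main__":
    recovered = decrypt_payload(SAMPLE_BLOB)
    print("recovered %d bytes, PE signature at 0x40: %s"
          % (len(recovered), recovered[0x40:0x44] == b"PE\x00\x00"))
```

For the earlier sample pass EARLIER_RIG_RC4_KEY as the key; if the MZ check fails, the wrong bytes were carved or the campaign has rotated the key again.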
The payload was Quant Loader, named due to the firewall rule it opens for itself.

[Screenshot: Quant]

SHA-256: 92e2ba2c8047648af88e89e1c7c2c07752ffb1d299674171a0836aeb9a313894
File name: t0dlsidm.exe
File size: 214 KB

The malware ran fine in my lab, but I did put it on HA just to get a nice list of processes it ran.

[Screenshot: HAQuant]

The malware downloaded a binary which appeared to communicate using Tor. Exactly what this is I’m not certain, but there are a few VT detections for an Ursnif variant. I have always found Ursnif and Dreambot to request a URL containing “/images/” and a media file like an “avi” or “jpg”. Below you can see a similar request made by this module:

[Screenshot: Ursnif]

SHA256: 41e17ea8101b4fac481168afed74955d58c230e8df3c590ecbf66e7ed42a11ce
File name: Audikadp.exe
Detection ratio: 22 / 64
Kaspersky: Trojan-Spy.Win32.Ursnif.twd

The location it was copied to is also consistent with Dreambot samples I have seen in the past.

[Screenshot: dreambot]

Here is the Hybrid Analysis report:

https://www.hybrid-analysis.com/sample/41e17ea8101b4fac481168afed74955d58c230e8df3c590ecbf66e7ed42a11ce?environmentId=100

That’s about all for now. It’s an interesting sample, and it is interesting to see Rulan drop a payload other than Chthonic.
