Rig EK via Rulan drops Quant Loader (leads to Ursnif)

/ zerophage

Summary:

It has a while since I have blogged. This is due to two things. First I found a new job which I start next month so that has taken up some of my time. Next I’ve found Rig EK activity to have greatly reduced. I did find other Rulan, Fobos and Seamless samples which I decided not to blog about as they were same old. So if I disappear after blogging this, it’s just that the EK landscape is drying up. I’ll be back if something changes!

Today however Rulan dropped Quant Loader which I believe in turn dropped an Ursnif banking trojan variant. This make s change from it’s usual Chthonic payload. Otherwise it’s the same campaign. This demonstrates the campaign is still active. I have also seen it live twice from malvertising campaigns.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Quant Loader:

https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground

 

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

QuantLoader.png

Rulan leads to Quant Loader which drops Ursnif Variant

Full Details:

Not much has changed with the Rulan campaign (apart from the payload) which is usually found from malvertising chains. It is still using a JS redirector and a HTTP refresh to redirect the victim to Rig EK.
Rulan
Rig itself continues to change up it’s parameters.
RigParams
The RC4 key is now “akxyxuxusa“. You can use this to decrypt the payload from the pcap.
RigKey1
RigKey2
The payload was Quant Loader, named due to the firewall rule it opens for itself.
Quant
SHA-256 92e2ba2c8047648af88e89e1c7c2c07752ffb1d299674171a0836aeb9a313894
File name t0dlsidm.exe
File size 214 KB
The malware ran fine on my lab but I did put it on HA just to get a nice list of processes it ran.
HAQuant

 

The malware downloaded a binary which appeared to communicate using Tor. Exactly what this is I’m not certain but there are a few VT detections for an Ursnif variant. I have always found Ursnif and Dreambot  to request a URL containing “/images/” and a media file like a “avi” or “jpg”. Below you can see a similar request made by this module:

Ursnif

 

SHA256: 41e17ea8101b4fac481168afed74955d58c230e8df3c590ecbf66e7ed42a11ce
File name: Audikadp.exe
Detection ratio: 22 / 64
Kaspersky Trojan-Spy.Win32.Ursnif.twd

 

The location it was copied to is also consistent with Dreambot samples I have seen in the past.

dreambot

Here is the Hybrid Analysis report:

https://www.hybrid-analysis.com/sample/41e17ea8101b4fac481168afed74955d58c230e8df3c590ecbf66e7ed42a11ce?environmentId=100

That’s about all for now, it’s an interesting sample and it is interesting to see Rulan drop another payload other than Chthonic.

zerophageicon2

 

One thought on “Rig EK via Rulan drops Quant Loader (leads to Ursnif)

  1. Pingback: Rig EK via Malvertising drops a Miner. | Zerophage Malware

Leave a comment