Zerophage Malware

Rig EK via Rulan drops Quant Loader (leads to Ursnif)

Summary:

It has been a while since I have blogged. This is due to two things. First, I found a new job which I start next month, so that has taken up some of my time. Second, I’ve found Rig EK activity to have greatly reduced. I did find other Rulan, Fobos and Seamless samples which I decided not to blog about as they were the same old thing. So if I disappear after blogging this, it’s just that the EK landscape is drying up. I’ll be back if something changes!

Today, however, Rulan dropped Quant Loader, which I believe in turn dropped an Ursnif banking trojan variant. This makes a change from its usual Chthonic payload. Otherwise it’s the same campaign. This demonstrates the campaign is still active. I have also seen it live twice from malvertising campaigns.

Background Information:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground


Downloads

(in password-protected zip)

Details of infection chain:


Rulan leads to Quant Loader which drops Ursnif Variant

Full Details:

Not much has changed with the Rulan campaign (apart from the payload), which is usually found in malvertising chains. It is still using a JS redirector and an HTTP refresh to redirect the victim to Rig EK.

Rig itself continues to change its parameters. The RC4 key is now “akxyxuxusa”. You can use this to decrypt the payload from the pcap.

The payload was Quant Loader, named after the firewall rule it opens for itself.

SHA-256: 92e2ba2c8047648af88e89e1c7c2c07752ffb1d299674171a0836aeb9a313894
File name: t0dlsidm.exe
File size: 214 KB

The malware ran fine in my lab, but I did put it on Hybrid Analysis (HA) just to get a nice list of the processes it ran.
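Decrypting the payload exported from the pcap with the RC4 key quoted above, as an added example that is not code from the original post. It assumes the HTTP response body saved from the pcap is the raw RC4 ciphertext and that the campaign uses standard RC4; the MZ/PE check refuses output that does not decrypt to a PE file (wrong key, or a body that still carries HTTP framing), and the constructed PE stub stands in for the real payload so the script can be exercised offline.

```python
import sys

RIG_RC4_KEY = b"akxyxuxusa"  # key quoted in the post for this Rulan -> Rig chain


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check: MZ stub plus a PE\\0\\0 signature at the e_lfanew offset."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_payload(ciphertext: bytes, key: bytes = RIG_RC4_KEY) -> bytes:
    """Decrypt the exported HTTP body; refuse output that is not a PE file."""
    plain = rc4(key, ciphertext)
    if not looks_like_pe(plain):
        raise ValueError("not a PE after RC4: wrong key or body is not raw ciphertext")
    return plain


def constructed_pe() -> bytes:
    """Constructed stand-in for a real payload: MZ stub, e_lfanew=0x40, PE signature."""
    dos = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
    return dos + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Usage: python rig_rc4.py <exported_http_body.bin> <decrypted.exe>
    with open(sys.argv[1], "rb") as f:
        payload = decrypt_payload(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(payload)
```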


The malware downloaded a binary which appeared to communicate using Tor. Exactly what this is I’m not certain, but there are a few VT detections for an Ursnif variant. I have always found Ursnif and Dreambot to request a URL containing “/images/” and a media file name such as “.avi” or “.jpg”. Below you can see a similar request made by this module:


SHA-256: 41e17ea8101b4fac481168afed74955d58c230e8df3c590ecbf66e7ed42a11ce
File name: Audikadp.exe
Detection ratio: 22 / 64
Kaspersky: Trojan-Spy.Win32.Ursnif.twd


The location it was copied to is also consistent with Dreambot samples I have seen in the past.

Here is the Hybrid Analysis report:

https://www.hybrid-analysis.com/sample/41e17ea8101b4fac481168afed74955d58c230e8df3c590ecbf66e7ed42a11ce?environmentId=100

That’s about all for now. It is an interesting sample, and it is interesting to see Rulan drop a payload other than Chthonic.