Rig EK drops Ursnif/ISFB variant

Summary:

Today Rig EK dropped what looked like an information stealer. Based on the URL structure and the location to which it copied itself and from which it maintains persistence, I believe this to be an Ursnif/ISFB variant.

I browsed to a website and watched it copy my browsing traffic into a folder and then periodically POST it to a C2 server bundled into a .bin file. The replies also contained an unusual header which indicated I was “infected”.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)


Details of infection chain:

[Image: infection chain diagram, UIrsnifRifg.png]

Full Details:

The infection chain originated from malvertising. A 302 redirect sends the user to the Rig EK landing page.

[Image: 302]

The payload was what I believe to be an Ursnif/Gozi variant. The path to which it copies itself, as well as the structure of the C2 URL, is consistent with what I have seen from Dreambot and other Ursnif samples.

[Image: copy]

The replies from the C2 server contained a strange HTTP header called X-Zinkhole. Its value was “Infected”, which I most certainly was.

[Image: zinkhole]
The most notable action of this malware was that it logged my web browsing and periodically sent the data to a C2. The files were stored in a folder as shown below.

[Image: Folder]

I tested this by browsing to a website and entering some details, specifically “HelloUrsnifHowAreYou?”

[Image: webinjects]

Upon viewing one of the files I saw the same string included.

[Image: datastore]

Moments later the folder was cleared and a POST request was made to the C2, which appeared to bundle all the files into a .bin file with a 4-character name.

[Image: POST]

This was quite an interesting analysis. I also put the sample into Hybrid Analysis, which showed totally different C2s. (https://www.hybrid-analysis.com/sample/c7bdd2ce90b35f5796531290ebac12557a68e237924b980e69e8b3265e261445?environmentId=100)
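A detection-side example, added here and not part of the original post: it scans constructed proxy-log lines for the two network indicators described above, the X-Zinkhole response header and a POST of a .bin file with a 4-character name. The log format and the 203.0.113.10 address are assumptions for the example, not the sample's real C2.

```python
import re

# Constructed sample proxy log (not real traffic), one transaction per line:
# "METHOD URL STATUS | Header: value; Header: value"
SAMPLE_LOG = """\
GET http://example-news.test/index.html 200 | Content-Type: text/html
POST http://203.0.113.10/images/AbCd.bin 200 | X-Zinkhole: Infected; Content-Type: application/octet-stream
GET http://203.0.113.10/images/ 302 | Location: http://203.0.113.10/images/2
POST http://cdn.example.test/upload/report2024.bin 200 | Content-Type: application/octet-stream
GET http://203.0.113.10/images/status 200 | X-Zinkhole: Infected
"""

# A 4-character base name with a .bin extension, as observed in the post.
BIN_RE = re.compile(r"/[A-Za-z0-9]{4}\.bin(?:\?.*)?$")

def parse_line(line):
    """Split one constructed log line into method, url, status and headers."""
    req, _, hdr_blob = line.partition(" | ")
    method, url, status = req.split(" ", 2)
    headers = {}
    for h in hdr_blob.split("; "):
        if ": " in h:
            k, v = h.split(": ", 1)
            headers[k.lower()] = v
    return {"method": method, "url": url, "status": int(status), "headers": headers}

def flag_transaction(tx):
    """Return the list of reasons a transaction matches the post's indicators."""
    reasons = []
    if "x-zinkhole" in tx["headers"]:
        reasons.append("x-zinkhole header: %s" % tx["headers"]["x-zinkhole"])
    if tx["method"] == "POST" and BIN_RE.search(tx["url"]):
        reasons.append("POST of a 4-character .bin upload")
    return reasons

def scan_log(text):
    """Return (url, reasons) for every transaction that matches an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tx = parse_line(line)
        reasons = flag_transaction(tx)
        if reasons:
            hits.append((tx["url"], reasons))
    return hits

if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```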
That’s all for now, enjoy!



Rig EK drops Smoke loader leading to XMR Miner.

Summary:

Yesterday I caught Rig EK dropping a variant of Smoke Loader which is different from today’s one. Today’s sample is more consistent with what you would expect from Smoke Loader, with its connectivity checks to popular domains like Microsoft and its attempts to hide processes. Yesterday’s sample did not do any of this, so the campaign is likely run by different threat actors.

This time only an XMR miner was dropped, which did begin to connect to the mining server on port 4444. No other payloads were witnessed. It’s worth keeping an eye on the IP of the domain that redirected to Rig EK, as I’m sure it will be hosting different payloads later.


Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

infos

Smoke Loader – https://www.virustotal.com/#/file/faebfbfb3939abae9d566c332105bfdaa97529fe6a9fa769b3046069b0617caa/detection

XMR Miner – https://www.virustotal.com/#/file/2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120/details

Details of infection chain:

[Image: infection chain diagram, XMRRig.png]

Full Details:

The infection chain came from malvertising. The webpage contained a 1px iframe which leads to Rig EK.

[Image: compromised site]

The payload was Smoke Loader, which performed several connectivity checks to Microsoft domains before contacting the C2. Below you can see the first connection to the Smoke Loader C2. The interesting thing about this version of Smoke Loader is that it will attempt to hide Process Monitor, preventing it from being maximised, though you can still use Task Manager.

[Image: SmokeLoader1]

The second connection downloads the miner. You can see in the PCAP the reference to xmrig.com.

[Image: rigminer]

The miner then communicates with the address below over port 4444.

[Image: minerminercopmms]

I did not see any other payloads from Smoke Loader, so I will end it there.
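An added example, not code from the original post: a small scanner that flags the kind of 1px or otherwise hidden iframe that the compromised page used to pull in Rig EK. The HTML and the hostnames in it are constructed placeholders, not the real redirector.

```python
from html.parser import HTMLParser
import re

# Constructed page body imitating a compromised site; the .invalid hosts are
# placeholders, not the infrastructure from the post.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.test/embed/1" width="640" height="360"></iframe>
<iframe src="http://redirector.invalid/gate.php" width="1" height="1" style="border:0"></iframe>
<iframe src="http://other.invalid/x" style="display:none; width:0px"></iframe>
</body></html>
"""

PX_RE = re.compile(r"^\s*(\d+)\s*(px)?\s*$", re.I)

def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (optionally with 'px')."""
    m = PX_RE.match(value or "")
    return m is not None and int(m.group(1)) <= 1

class HiddenIframeFinder(HTMLParser):
    """Collect the src of every iframe that is sized away or styled invisible."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").lower().replace(" ", "")
        tiny = _is_tiny(a.get("width")) or _is_tiny(a.get("height"))
        style_hidden = ("display:none" in style or "visibility:hidden" in style
                        or "width:0" in style or "height:0" in style)
        if tiny or style_hidden:
            self.hidden.append(a.get("src", ""))

def find_hidden_iframes(html):
    """Return the src URLs of hidden iframes in the given HTML, in document order."""
    p = HiddenIframeFinder()
    p.feed(html)
    return p.hidden

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```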



Rig EK via Malvertising drops a Smoke Loader leading to a Miner and AZORult.

Summary:

It’s been an interesting few weeks and I haven’t been able to update, but the other researchers appear to have found a few interesting things. I thought I would blog in case anyone wanted a pcap to look at.

I actually found this through my normal malvertising route. After some pondering and assistance, the payload was determined to be Smoke Loader leading to a Miner and AZORult stealer. It’s an interesting sample! Thanks to @James_inthe_box for looking into it deeper.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

stas

Details of infection chain:

[Image: infection chain diagram, RigMiner.png]

Full Details:

This campaign was spotted a few days back (clicky) by @BroadAnalysis. I, however, found this through my usual malvertising campaign. It was only afterwards that I realised the IP of the domain is the same as in the previously reported post. The payload, however, is different and, much like the Rulan campaign, the payloads are likely to change often, so it’s worth keeping an eye on this.

The chain involves a series of 302 redirects:

[Image: 30222]

The final redirect takes the client to Rig EK:

[Image: 302]
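An added example, not part of the original post, that reconstructs a redirect chain like the one above (and the single 302 hop in the Ursnif post) from captured HTTP transactions: each 3xx response's Location header is resolved and linked to the next request until a non-redirect is reached. The transactions and hostnames are constructed placeholders, not the real campaign infrastructure.

```python
from urllib.parse import urljoin, urlsplit

# Constructed transactions (request URL, status, Location header or None),
# imitating a malvertising chain; .invalid/.test hosts are placeholders.
TRANSACTIONS = [
    ("http://ad.example.test/click?id=7", 302, "http://hop1.invalid/go"),
    ("http://hop1.invalid/go", 302, "http://hop2.invalid/r?x=1"),
    ("http://hop2.invalid/r?x=1", 302, "http://landing.invalid/?MDA3Nzk="),
    ("http://landing.invalid/?MDA3Nzk=", 200, None),
    ("http://example-news.test/", 200, None),
]

def build_redirect_map(transactions):
    """Map each redirecting request URL to its absolute Location target."""
    redirects = {}
    for url, status, location in transactions:
        if 300 <= status < 400 and location:
            # Location may be relative; resolve it against the request URL.
            redirects[url] = urljoin(url, location)
    return redirects

def follow_chain(start, redirects, max_hops=10):
    """Walk redirects from start; stop at a non-redirect, a loop, or max_hops."""
    chain = [start]
    seen = {start}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        chain.append(nxt)
        if nxt in seen:
            break  # redirect loop: record the repeat and stop
        seen.add(nxt)
    return chain

def chain_hosts(chain):
    """Hostnames along a chain, which is what an analyst usually pivots on."""
    return [urlsplit(u).hostname for u in chain]

def long_chains(transactions, min_hops=3):
    """Return every chain that starts at a URL nothing else redirects to
    and has at least min_hops redirects, i.e. the EK-style multi-hop pattern."""
    redirects = build_redirect_map(transactions)
    targets = set(redirects.values())
    heads = [u for u in redirects if u not in targets]
    return [c for c in (follow_chain(h, redirects) for h in heads)
            if len(c) - 1 >= min_hops]

if __name__ == "__main__":
    for chain in long_chains(TRANSACTIONS):
        print(" -> ".join(chain_hosts(chain)))
```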
The payload was actually very interesting. I noticed a process injection, which is Smoke Loader. I then saw the two binaries, one of which was a miner and the other AZORult stealer. I uploaded the sample to Hybrid Analysis; here are the results:

[Image: gege.png]

In my lab I did not see the mining C2, which in the sandbox connected to 213.32.29.150:14444. It did, however, change the same registry key seen in the sandbox analysis. Below are two examples of POST requests from the first binary, believed to be Smoke Loader:

[Image: smoke]

[Image: smoke2]

The second binary, “Asus Gaming”, produced the Zbot-like POST requests to the C2. This is actually AZORult:

SHA-256: 2919a13b964c8b006f144e3c8cc6563740d3d242f44822c8c44dc0db38137ccb
File name: Asus Gaming.exe
File size: 270.5 KB

[Image: final]

[Image: UWOTM8]
There’s a lot going on here! Enjoy.
