Rig EK via HookAds drops AZORult loading Quasar RAT

Summary:

After a bit of a break I am back with a look at a HookAds campaign leading to Rig EK. The chain starts on an adult page. This is why browsing these kinds of websites using Internet Explorer and an outdated Flash is a bad idea.

The payload was AZORult which loaded Quasar RAT. Rig EK still seems to prop itself up and with the latest revelation of another zero day in IE (CVE-2018-8373) I expect this to be integrated into EKs in the very near future.

Background Information:

Downloads

(in password protected zip)

 

  •  AZORult
    15 engines detected this file
    SHA-256 00f7ee4515a212dae20042c41342de0508499f2e203228174b769c4a16bf9ee5
    File name radF53B7.tmp.exe
    File size 257.06 KB
    Last analysis 2018-08-17 14:55:18 UTC
  • Quasar RAT
    4 engines detected this file
    SHA-256 5f201bb71a7d7429c77fd290ef49312430c2bf93e0c77f04e2d384c4c9697df3
    File name quas.exe
    File size 676.02 KB
    Last analysis 2018-08-15 14:25:05 UTC

Overview

AzoRultQuasar

Compromised/Decoy Site

The chain begins with a dubious adult website which is loaded from another adult website. The site loads a script called “costumize.php”.
CompSite.png
This script contains packed JavaScript:
PHPPacked
You can easily unpack this using a tool like http://matthewfl.com/unPacker.html
Below you can see it leading to the HookAds redirector.
PHPDedode.PNG

HookAds

HookAds is a campaign that has been used to spread RigEK. It is usually found on adult websites. Here is a previous blog I did over a year ago with similar traffic:
The webpage also contains a packed JavaScript which when decoded redirects to RigEK.
HookAdsDecode
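Both packed scripts above (the one in “costumize.php” and the one on the HookAds page) can also be unpacked offline instead of pasting them into a web tool. The sketch below is an added example, not code from the original post; it assumes the scripts use the common `eval(function(p,a,c,k,e,d){...})` packer format, and the sample string and its domain are constructed.

```python
import re

# Digit alphabet the p,a,c,k,e,d packer uses for radix up to 62.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Matches the argument list that follows the decoder function:
#   }('payload',radix,count,'w0|w1|...'.split('|')
PACKED_RE = re.compile(
    r"\}\s*\(\s*'(?P<payload>.*)'\s*,\s*(?P<radix>\d+)\s*,\s*(?P<count>\d+)\s*,"
    r"\s*'(?P<words>.*?)'\s*\.split\('\|'\)",
    re.DOTALL,
)


def token_to_index(token, radix):
    """Convert a packed token to its dictionary index, or None if it is not one."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= radix:
            return None
        value = value * radix + digit
    return value


def unpack(source):
    """Unpack one layer without executing it; return None if not packed."""
    m = PACKED_RE.search(source)
    if not m:
        return None
    radix, count = int(m["radix"]), int(m["count"])
    words = m["words"].split("|")
    if not 2 <= radix <= 62 or len(words) < count:
        return None
    payload = m["payload"].replace("\\'", "'").replace("\\\\", "\\")

    def substitute(match):
        idx = token_to_index(match.group(0), radix)
        # An empty dictionary entry means the token stands for itself.
        if idx is not None and idx < count and words[idx]:
            return words[idx]
        return match.group(0)

    return re.sub(r"\b\w+\b", substitute, payload)


def unpack_layers(source, max_layers=5):
    """Peel nested packing; returns (final_source, layers_removed)."""
    layers = 0
    while layers < max_layers:
        out = unpack(source)
        if out is None:
            break
        source, layers = out, layers + 1
    return source, layers


def redirect_targets(js):
    """URLs present in the unpacked script, for pivoting or blocking."""
    return re.findall(r"https?://[^\s\"'<>]+", js)


# Constructed sample in the packer's output shape (decoder body omitted).
SAMPLE = (
    "eval(function(p,a,c,k,e,d){/* decoder body omitted */}"
    "('0.1.2=\"3://4.5/6\";',10,7,"
    "'window|location|href|http|redirector|example|gate'.split('|'),0,{}))"
)

if __name__ == "__main__":
    code, depth = unpack_layers(SAMPLE)
    print(depth, code, redirect_targets(code))
```

Because the script is never evaluated, this is safe to run on an analysis workstation against a script saved from a PCAP.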

Rig EK

Rig EK exploited CVE-2018-8174 in order to download and run the payload.

There was a new exploit revealed that is similar to this CVE. I expect this will make its way into Rig EK at some point. Read more about that here:

https://ti.360.net/blog/articles/analyzing-attack-of-cve-2018-8373-and-darkhotel/

RigCatch

AZORult Loader

The payload dropped by Rig EK is the AZORult stealer, but it also appears to have loading capabilities. “AZORult is a robust information stealer & downloader” according to a recent Proofpoint article detailing recent changes to version 3+.

The malware has a fairly easy to identify C2 checkin with interesting headers. From the looks of it, it may be trying to patch itself.

Azorult2

At the bottom of this long POST request filled with all of my system’s data is a base64 encoded part which, when decoded, lists registry key names, software, etc. These were not all on my system so it seems to be a static list.

AzoRult1.PNG

AZORult downloaded another binary from another location.

Quasar RAT

Quasar RAT is described as follows:

Quasar RAT is a .NET framework open-source remote access trojan family used in cyber-criminal and cyber-espionage campaigns to target Windows operating system devices. It is often delivered via malicious attachments in phishing and spear-phishing emails.

Impressively the RAT only had 4 detections on VT at the time of submission, which was actually on 15 Aug.

The malware attempted to connect to 137.74.247.66 over port 4782. Below you can see the connection that was established.

QuasarRATOut2

QuasarRATOUT

The RAT also dropped a number of other files (the RAD named files are AZORult) in temp.

qusarRATdrop

Other Analysis

Although I’m not using AnyRun much these days sometimes it does offer a quick and easy look at a malware. Below you can view my run starting at the AZORult binary.

https://app.any.run/tasks/9e298ea3-3634-4ec5-ab3f-76dcd0df085f

Below we can see AZORult loading Quasar RAT.

AzoRultQuasarAppAny

Here is the network traffic:

appout

And finally these are the IDS alerts:

Threats

 

 


GrandSoft EK drops GandCrab via Ascentor Loader.

Summary:

Today I came across a set of emails which contained a URL (unique to each email) which led to a BlackTDS domain. These did not seem to go anywhere; however, using another domain not from the spam but from the same IP, I was able to get an EK infection which used the same mechanism as the malspam to redirect to the EK.

The result was GrandSoft EK using an HTA file to download a loader referenced from a string as “Ascentor Loader”. This loader then led to a GandCrab ransomware infection; however, the C2 is fairly old and it did not infect my host.

In this blog I have decided to not use one of my usual colourful pictures but hopefully there are enough other pictures to understand what happened.

Background Information:

Downloads

(in password protected zip)

 

  •  Ascentor Loader
SHA256: 04e6a3715bc818bea17da9608e1b66c7ccff15f96018b0acdb351d4ca727d0d4
File name: suede.exe
Detection ratio: 15 / 66
Analysis date: 2018-06-15 13:49:03 UTC ( 1 hour, 19 minutes ago )
  • GandCrab
SHA256: 5e831bba1d2d7ea4a6144373d7af1d9a80c7f32a746f259b2825c0bcdf3e5c30
File name: uqehc.exe
Detection ratio: 27 / 67
Analysis date: 2018-06-15 13:50:29 UTC ( 1 hour, 19 minutes ago )

Suspect emails leading to BlackTDS.

I came across a set of emails which I am unable to show but were DHL themed from “@yahoo.co.jp” addresses. Each email contained a URL, all of which look like compromised WordPress sites.

I found many of these domains which all redirect to “kingerosses.top”.

redirectt0

On this page there was a call to load content from “darksoulshere.gq”. This domain’s IP address is 200.74.240.219 which belongs to BlackTDS.
redirect1
In fact I put kingerosses.top into www.urlscan.io, which returned multiple domains which all have the same redirect chain.
urlscan1
urlscan2
Upon loading, occasionally I would be presented with what looked like an attempt to load content remotely; however, it did not ever seem to do anything. It was from this clue that I began to look at other domains hosted on the same IP and found it was BlackTDS.
Below is not from the darksouls domain but from “easternflow.ml” which belongs to the same IP but is used by a different threat actor.
scriptonpage

BlackTDS leads to GrandSoft EK

Naturally, I copied the URL and browsed to it directly and this is where the infection chain begins.
This is a snapshot from the PCAP:
GrandTttraffic
The webpage contained a text box which contains the GrandSoft landing page and an iframe to an HTA file.
GrandSoft1
GrandSoft is now using CVE-2018-8174 described as:
“A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka “Windows VBScript Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.”
CVE.PNG
In addition to this an HTA is loaded from an iframe. Below you can see a user agent string within the HTA VBS being “WinHTTP.WinHTTP.5.1”.
scripthta
The same user agent is used when requesting an executable called “suede.exe”. This PE is a loader and downloads and executes GandCrab.
HTADownload
When you view the strings of this loader in memory there are certainly some interesting ones:
stringsLoader
Note this string references the loader as “AscentorLoader” and also for whatever reason references our good friend Nao_Sec.
strings2
The loader then runs GandCrab which attempts to connect to “carder.bit”; however, this C2 has been known for some time and it was unable to connect. Notice there is also another reference to a fellow researcher, Vitali Kremez.
downloadgand
The addition of this HTA file and the latest IE exploit shows that exploit kits are still attempting to evolve and keep up with other attack vectors.


RIG EK via Ngay drops Smokeloader -> XMR Miner

Summary:

Through malvertising I came across an “Ngay” website which used an iframe to redirect to Rig EK. The payload was Smoke Loader which then dropped an XMR Miner.

I’ve been using App.Any.Run sandbox a lot lately. Although I found the RigEK redirection using traditional methods and the payloads did work on my lab, I put the payload into Any.Run anyway as it portrays the IOCs very well.

I’ve also been playing with pastebin posts so check that out though it is mainly focused on maldoc malware. https://pastebin.com/u/Zerophage

Background Information:

Downloads

(in password protected zip)

Details of infection chain:


Ngay.png

Full Details:

The chain begins with malvertising which leads to a fake Kaleidoscope domain. The domain named “ngay23ne.cf” contains an iframe which leads to Rig EK. This campaign is known simply as “ngay” and was last seen as far as I know near the end of Jan 2018.
compsite
Rig EK is its usual self and still using Flash exploit CVE-2018-4878. Otherwise it appears to be the same.
The payload was Smoke Loader which immediately loaded an XMR miner.
any3
any5
Below we can see the traffic. You can see the Smoke Loader POST request which is followed by an EXE download. This payload then calls out and begins mining on port 4444.
any1

any2

 

And here are the file modifications. You can see persistence in Startup. The miner is copied into Roaming as “hammerlock.exe”.

any4

Below we can see the XMR miner communication:

 miner


Rig EK via Malvertising drops Smoke Loader

Summary:

This is a quick blog about a Rig EK detection I found on Friday. I had tweeted it out as I could not figure out the payload but I also did not have time to blog it. The community all chipped in and discovered it was a new version of Smoke Loader.

Background Information:

Downloads

(in password protected zip)

Details of infection chain:


RigSmokePic

Rig EK via malvertising drops Smoke Loader

Full Details:

As you may know, Rig EK is now using the Flash exploit 2018-4878. You can view my previous post to see a few more details about this. Essentially they appear to have just replaced the old flash file with the new one without any major changes.

During this run I had the same setup. A series of 302 redirects led to Rig EK. This malvertising chain was not as complex as my previous blog but the payload was a surprise.
SHA256: 77f9f74f074dcb5fe5c5dfb7127f6d4932f08963e9d6cb6051f802583a317a65
File name: b6.exe
Detection ratio: 19 / 65
Analysis date: 2018-04-13 20:48:12 UTC ( 2 days, 10 hours ago )
Initially I had noted some familiar observations on my endpoint. Namely that the payload immediately closed all Sysinternal tools I had opened and would not let me open them again. I have only seen this behaviour with Smoke Loader.
I also observed that the program periodically stopped and started. I did not catch any C2s other than a DNS request or other payloads dropped on my lab. Unsure of what this was, I used Any Run to see if I could tease out any more IOCs. You can view the run here:
AnyRun
In order to identify it I decided to ask the Twitter community what they thought about it. A lot of people chipped in and the consensus is that it was a new version of Smoke Loader.
In the above run, I did browse to one of the C2s in the sandbox which auto redirected me to a search engine. The malicious activity was before I opened Chrome.
InitialTweet

Essentially a number of Twitter users replied to this tweet with some very interesting information about the payload.

 

Please follow the Twitter thread or the hashtag #smokeloader and follow all of these great people.

 


Rig EK drops GandCrab Ransomware Via CVE-2018-4878

Summary:

After some absence, I have returned to blog on Rig EK’s inclusion of CVE-2018-4878. This was reported by @nao_sec and then @kafeine. Initially I had planned to blog about a maldoc. I had obtained a sample of a #ThreadKit document that had recently included this Flash exploit and so I updated my lab in order to display it and give me something to blog about. That’s when I saw the Twitter posts and went hunting for Rig EK instead.

Using a fully patched Win 7 64 bit machine with IE 11 and Flash player 28,0,0,126 I found a malvertising chain which in itself is very interesting. No more simple iframes and long 302 redirects, this one used multiple JavaScripts. The payload was GandCrab ransomware which encrypted my files with .CRAB.

The blog is not so detailed I’m afraid but hopefully the PCAP will be useful to some.

 

Background Information:

Downloads

(in password protected zip)

Details of infection chain:


 

RigEKGandCrab.png

Win 7 64 bit, IE 11 and Flash 28,0,0,126 – Rig EK drops GandCrab ransomware via CVE-2018-4878

 

Full Details:

 The infection chain begins with malvertising. Compared to past infection chains that used old techniques such as iframes and 302 redirects, this flow appears to use a series of JavaScripts to direct the user to Rig EK. There is a lot going on here but the end result is a redirect to Rig EK.
It’s been a while since I actually looked at Rig in detail but at a glance I can see the obfuscation has changed somewhat from the older regex. I had heard it changed to a simple base64 encoding.
RigEkLandingPAge
Testing that base64 idea reveals two URLs which together download the Flash file along with the RC4 key “P6L5N93wsds”.
Flashpart.PNG
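The same check can be scripted against a landing page saved from the PCAP. This is an added example, not code from the original post: it decodes base64 string literals to recover the URLs, and assumes the key from the landing page is what RC4-decrypts the payload captured off the wire. The sample page, the URLs and the captured bytes are constructed.

```python
import base64
import re

B64_RE = re.compile(r"[\"']([A-Za-z0-9+/]{24,}={0,2})[\"']")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_b64_strings(html):
    """Decode every quoted string literal that is valid base64 of ASCII text."""
    decoded = []
    for m in B64_RE.finditer(html):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("ascii"))
        except ValueError:  # bad padding/alphabet, or non-ASCII result
            continue
    return decoded


def landing_urls(html):
    """URLs hidden inside the base64 layers of a landing page."""
    urls = []
    for text in decode_b64_strings(html):
        urls.extend(URL_RE.findall(text))
    return urls


def rc4(key, data):
    """Plain RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation and XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def is_pe(data):
    """A correctly decrypted Windows executable starts with the MZ magic."""
    return data[:2] == b"MZ"


RC4_KEY = b"P6L5N93wsds"  # key quoted in the post

# Constructed landing page: one base64 blob holding two URLs.
_inner = ('var f="http://landing.example/?part=flash";'
          'var p="http://landing.example/?part=payload";')
SAMPLE_LANDING = ('<script>var s="'
                  + base64.b64encode(_inner.encode()).decode()
                  + '";</script>')

# Constructed "captured payload": a fake MZ stub encrypted with the key.
SAMPLE_CAPTURE = rc4(RC4_KEY, b"MZ" + b"\x90\x00" * 8)

if __name__ == "__main__":
    print(landing_urls(SAMPLE_LANDING))
    print("decrypts to PE:", is_pe(rc4(RC4_KEY, SAMPLE_CAPTURE)))
```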
For this run I was using a fully patched Win 7 64 bit machine with an up to date IE 11. My Flash version was 28,0,0,126. CVE-2018-4878 is described as “A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161.”
 FlashExploit
The flash object was already on VirusTotal.
ESET-NOD32 a variant of SWF/Exploit.CVE-2018-4878.J
SHA256: 437520117f4deb7691bc0975e413b72c862aef8b18851930f515a385a6a3d54f
File name: 177_.swf
Detection ratio: 9 / 59
The payload was GandCrab ransomware which encrypted files with the .CRAB extension and left a ransom note. However it also continually restarted my PC so I was forced to suspend the process. This also meant I lost some analysis due to the way I have things setup.
GandCrab2
This is the payment page for GandCrab which states that the cost will double if I don’t pay up soon.
GandCrab

 

 

I found this flow relatively quickly after hearing about the implementation of this CVE into Rig EK. Time will tell if this exploit will evolve Rig EK or not.

That is all for now!


GrandSoft EK via Slots drops Leviarcoin Miner

Summary:

Time for a traditional EK post. This is the first time I’ve seen GrandSoft myself. Sadly (or great depending on your point of view) it is less sophisticated than Rig EK and let’s face it – Rig EK does not try hard.

In this run I have used a “Slots” gate and a vulnerable version of IE to get GrandSoft to run.

The payload appears to be a Leviarcoin miner which is unusual as most miners tend to go for XMR (Monero) from what I have seen. I had to run the payload manually and it ended up crashing my VM after I tried to reboot to get a scheduled task to kick in. So I’m not entirely sure it works and it’s likely a work in progress.

Background Information:

Downloads

(in password protected zip)

Details of infection chain:


GrandSoftMiner

Full Details:

The infection chain begins with a malvertising campaign known as “Slots“. A simple 302 redirect leads to GrandSoft EK.
Slotsredirect
The landing page of GrandSoft is not obfuscated. It still checks for various plugins such as Flash, Java, Adobe Reader and Silverlight.
GrandSoft1
The second part of the landing exploits CVE-2016-0189 AKA “God Mode” to download the payload in a similar fashion to Rig EK. Unfortunately I don’t have the commands it ran but there is no RC4.
GrandSoft2.PNG
The payload is suspected to be a Coin Miner. It failed to run automatically so I had to run it from Temp where it was dropped. Upon doing so it began creating scheduled tasks rapidly to the point where I thought I would restart. My VM booted in but it has basically become crippled with these scheduled tasks and I could no longer interact with it. The full path contained a folder in Roaming called “WindowsShell”. Based on the user agent string, it is likely written with AutoIt.
The dropped file was named “bussyzz (1).exe”.
payloaddrop

processspam.png

The miner appears to be for a coin called Leviarcoin which is based on the CryptoNight algorithm. Below you can see some interesting details including two IP addresses and an email address. I guess this is an unusual coin to mine as they mostly tend to be XMR miners.
minercoin
I’m unsure of the exact function of the dropped files. So I’m not sure this miner would even work. It certainly appears to be a work in progress.
hashes
The C2 domain returns a holding page stating real content is coming soon. I was unable to access the “bussyzz” directory to see what else was there.
domain
I think that is about all. It’s interesting to see this miner and I wonder how things will develop in the future.


Maldoc (RTF) drops Loda Logger

Summary:

Lately I’ve been looking at a lot of maldocs. I’ve found all sorts of malware, some of which I could not even identify. The problem is by the time I get around to blogging it, someone else has inevitably posted about it. For example, this blog I have been preparing for the last few hours on and off, yet someone has tweeted the document.

I originally found this document from an email. Out of all the emails that I had, this sample of Loda Logger was probably the most interesting (not Loki or Formbook, etc.).

I have been using any.run lately as I find it really quite good and the ability to interact with it is very useful.

This blog just gives a little more info to what is already available from the any.run run that I did.

Background:

Downloads:

The run was done using any.run and hopefully you can download any files you want to look at from it. If not though let me know.

https://app.any.run/tasks/2f5e4b28-4e8a-4418-b036-0368c2435c3a

lodapic

Overview:

LodaLogger.png

Analysis:

The maldoc came attached to a phishing email asking me to confirm receipt of a payment.

phishing email

It had relatively few detections on VT at the time of submission.

SHA256: 08db174405930afcfdbd415220e1c863dadfe9c1a049c42d735c96d1dee251e1
File name: Swift00002.doc
Detection ratio: 9 / 58
Analysis date: 2018-01-23 04:54:11 UTC ( 7 hours ago )

I believe the doc exploits CVE-2017-0199 which drops and runs a “.sct” file which is actually a scriptlet.

scriptlet

The executable is added to Startup and copied to the folder “C:\Users\admin\AppData\Local\Temp\Skyp\CWAHLM.exe”.

Finally after an ipcheck (with an AutoIt user agent), data is sent to the C2 which matched a pattern for Loda Logger. According to Proofpoint’s article (link in the Background section) the following data is sent:

  • Victim’s Country
  • A hard coded string (seen ‘victim’, ‘Clientv4’)
  • Victim’s IP address
  • User account name
  • Windows version
  • Windows architecture (X64 or X86)
  • Webcam installed (Yes or No, enumerated using capGetDriverDescription from Avicap32.dll)
  • Installed AV Vendor (enumerated via running process names)
  • Malware version, i.e. 1.0.1
  • Hard coded string (seen ‘ddd’)
  • Monitor resolution in a special format (“Pr[Height]X2[Width]X3”)
  • OS type (can be “laptop”, “Desktop”, or “x”, enumerated using the WMI query “Select * from Win32_SystemEnclosure”)
  • Version (beta)

lodac2

If you watch the any.run video you can see the mouse moving towards the end of the video which was not something I was doing. So either someone else was looking at my run at the same time or the threat actor was connected to the VM.


Malware – Snatch Loader: Reloaded

Summary:

So I know what you’re thinking – “where are my EK posts”. Well truth is I’m still looking at EKs but a lot of my sources have dried up and I don’t have the tech and tools to be able to search wide and far for them. I took a break and now I’ve decided to just post things that interest me and hopefully they will interest you as well. I’m not a reverse engineer so the tech details here are light.

Now onto the main event. I tweeted about a malware called Snatch Loader: Reloaded mid November. This is not a new malware but Arbor Networks recently revealed multiple changes within it. I actually received a phishing email in my inbox which I deleted as you do but I kept the URL and decided to Tweet on it after some help from @James_inthe_box.

I’ve been tracking it since and now I’ve decided to quickly blog on it. I found some interesting files on the C2 domain and saw some notable changes in the processes.

 

Background Information:

Downloads

Notable Details:

  • 185.211.246.50 – tryntruiyuk[.]eu:443/css/order.php – Snatch Loader C2

C2First

Analysis:

Snatch Loader would have arrived via a phishing email. I do not have one to show you at hand but they all contain (so far) a fake “Trusted sender” message like below. The emails themselves are rather convincing and contain addresses, etc.

trusted
This email would contain a link that downloads a ZIP file that contains an LNK (shortcut) that actually runs a script in CMD. When run this leads to a series of events such as in the image below but bear in mind that is from a sample in early November.

ePvl0TFG

I have found a sample on Virus Total which was last submitted on the 09-Dec-2017. So I ran it. Below you can see that it differs somewhat to the sample above. I did not have any iexplore or control.exe running.

Processes

I noticed that iexplore.exe was making the C2 calls.

exc2

The calls were over HTTPS and I do not currently have a setup that can let me debug it to use HTTP or some way to man in the middle it. You can see the domain though in the DNS requests.

C2First

Now I waited some time but it did not seem to load any other malware at least not to my knowledge. It has been known to drop Ramnit though and contain a crypto mining (XMR) module.

Instead I decided to peek around and found some interesting stuff on the C2 domain.

First I found some encrypted data at the C2, for which I guessed the rest of the URL based on past C2s for Snatch Loader.

C2

I did not seek to decrypt this but it looks like it has multiple layers to it.

After some digging around I found an “admin” panel.

admin

Finally and most interestingly I found what appears to be data files. Note the date on some of them.

uploads

Clicking on one shows they can probably be streamed and turned into an executable.

Capture

I don’t know what these are but they are likely files that can be loaded by Snatch Loader. I’m not sure what conditions are required for this. Though I presume if connected to the Snatch Loader botnet, the operators can then manually load files.

That’s all for now. It’s clear the malware is still being updated and configured. As it is sent via phishing emails that contain a URL, it is likely to bypass systems that can’t sandbox URLs. Watch out for emails that contain a fake “Trusted Sender” message.


Rig EK drops Ursnif/ISFB variant

Summary:

Today Rig EK dropped what looked like an information stealer. Based on the URL structure and the location in which it was copied and maintains persistence I believe this to be an Ursnif/ISFB variant.

I browsed to a website and watched it copy my browsing traffic into a folder and then periodically POST it to a C2 server bundled into a .bin file. The replies also contained an unusual header which indicated I was “infected”.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

 

Details of infection chain:


UIrsnifRifg.png

Full Details:

The infection chain originated from malvertising. A 302 redirect sends the user to the Rig EK landing page.

 302
The payload was what I believe to be an Ursnif/Gozi variant. The path in which it copies itself as well as the structure of the C2 URL is consistent with what I have seen from Dreambot and other Ursnif samples.
copy
The replies from the C2 server contained a strange HTTP header called X-Zinkhole. The value was “Infected”, which I most certainly was.
zinkhole
The most notable action of this malware was that it logged my web browsing and periodically sent the data to a C2. The files were stored in a folder as shown below.
Folder
I tested this by browsing to a website and entering some details, specifically “HelloUrsnifHowAreYou?”.
webinjects
Upon viewing one of the files I saw the same string included.
datastore
Moments later the folder was cleared and a POST request was made to the C2 which seemed to bundle all files into a .bin file with 4 characters.
POST
This was quite an interesting analysis. I also put the sample into Hybrid Analysis which had totally different C2s. (https://www.hybrid-analysis.com/sample/c7bdd2ce90b35f5796531290ebac12557a68e237924b980e69e8b3265e261445?environmentId=100)
That’s all for now, enjoy!


Rig EK drops Smoke loader leading to XMR Miner.

Summary:

Yesterday I caught Rig EK dropping a variant of Smoke Loader which is different to today’s one. Today’s sample is more consistent with what you would expect from Smoke Loader with its connectivity checks to popular domains like Microsoft and its attempts to hide processes. Yesterday’s sample did not do any of this so the campaign is likely run by different threat actors.

This time only an XMR miner was dropped which did begin to connect to the mining server on port 4444. No other payloads were witnessed.  It’s worth keeping an eye on the IP of the domain that redirected to Rig EK as I’m sure it will be hosting different payloads later.

 

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

infos

Smoke Loader- https://www.virustotal.com/#/file/faebfbfb3939abae9d566c332105bfdaa97529fe6a9fa769b3046069b0617caa/detection

XMR Miner – https://www.virustotal.com/#/file/2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120/details

Details of infection chain:


XMRRig.png

Full Details:

The infection chain actually came from malvertising. The webpage contained a 1px iframe which leads to Rig EK.

 compromised site
The payload was Smoke Loader which performed several connectivity checks to Microsoft domains before contacting the C2. Below you can see the first connection to Smoke Loader C2. The interesting thing about this version of Smoke Loader is it will attempt to hide Process Monitor preventing it from being maximised though you can still use task manager.
SmokeLoader1
The second connection downloads the miner. You can see in the PCAP the reference to xmrig.com.
rigminer
The miner then communicates to the address below over port 4444.
minerminercopmms
I did not see any other payloads from Smoke Loader so I will end it there.
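Several chains on this page share a network pattern that can be hunted in proxy or flow logs: an executable download (in the GrandSoft case by the “WinHTTP.WinHTTP.5.1” user agent) followed shortly by a connection on port 4444 (miner) or 4782 (Quasar RAT). The detection sketch below is an added example, not part of the original posts; the log format, the ten-minute window and all sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators taken from the posts on this page.
SCRIPT_HOST_UAS = {"WinHTTP.WinHTTP.5.1"}        # HTA/VBS downloader user agent
FOLLOWUP_PORTS = {4782: "Quasar RAT", 4444: "XMR miner"}
WINDOW = timedelta(minutes=10)                   # assumption: tune per network

# Constructed log lines: time|src|dst|dport|method|url|user_agent ("-" = not HTTP)
SAMPLE_LOG = """\
2018-06-15T13:40:01|10.0.0.5|192.0.2.10|80|GET|http://gate.example/suede.exe|WinHTTP.WinHTTP.5.1
2018-06-15T13:42:00|10.0.0.6|192.0.2.11|80|GET|http://cdn.example/b6.exe|Mozilla/4.0
2018-06-15T13:43:30|10.0.0.6|198.51.100.30|4444|-|-|-
2018-06-15T13:44:00|10.0.0.7|192.0.2.12|80|GET|http://vendor.example/setup.exe|Mozilla/5.0
2018-06-15T14:32:00|10.0.0.7|198.51.100.30|4444|-|-|-
2018-06-15T13:45:00|10.0.0.9|198.51.100.40|4782|-|-|-
""".splitlines()


def parse(line):
    """Split one pipe-delimited record into a dict with typed fields."""
    ts, src, dst, dport, method, url, ua = line.split("|", 6)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "method": method, "url": url, "ua": ua}


def detect(lines):
    """Return (host, rule, detail) alerts in time order.

    Rule 1: a script-host user agent downloads an .exe.
    Rule 2: a host downloads an .exe and then, within WINDOW, connects on a
            port used by a payload seen on this page. The port on its own is
            not alerted because it is too noisy without the download.
    """
    alerts = []
    last_exe = {}  # src host -> time of its most recent .exe download
    records = sorted((parse(l) for l in lines if l.strip()),
                     key=lambda r: r["ts"])
    for rec in records:
        path = urlsplit(rec["url"]).path.lower()
        if rec["method"] == "GET" and path.endswith(".exe"):
            last_exe[rec["src"]] = rec["ts"]
            if rec["ua"] in SCRIPT_HOST_UAS:
                alerts.append((rec["src"], "script-host-ua-exe", rec["url"]))
        seen = last_exe.get(rec["src"])
        if (rec["dport"] in FOLLOWUP_PORTS and seen is not None
                and rec["ts"] - seen <= WINDOW):
            alerts.append((rec["src"], "exe-then-%d" % rec["dport"], rec["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```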
