Summary:

I took a break for a while though was still finding the usual Chthonic, Bunitu and Dreambot Rig EK flows from the usual HookAds, Rulan and Fobos campaigns. If you are interested in those let me know. I still have the PCAP’s.

Someone also messaged me about changing the way I capture packets. I have not done this yet but will look into it.

Anyway today I found Kronos via malvertising which led to a website that contained 3 iframes that redirected to Rig EK. In this flow I was using IE 11 and the latest version of Flash.

I would be interested to know any domains that Kronos targets to see if I can see any injections occuring.

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

• Article on Kronos

https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/

Downloads

(in password protected zip)

• 14-July-2017-Rig-Kronos-PCAP -> Pcap
• 14-July-2017-Rig-Kronos-CSV -> CSV of traffic for IOC’s
• 14-July-2017-Kronos -> Kronos ( b024266f710c6c7a1517d4623e048b8c564dabf9ac294ba6317762fa6c830142, ffc1cfe4cfa36477ead629bd1a2c6ffb266502c3261b85de431137da411320a8)

Details of infection chain:

(click to enlarge!)

 

 

Full Details:

 

Found initially through malvertising, the dummy website has 3 iframes on it that redirect to Rig EK.

The payload was Kronos Banker. The first EXE was dropped by Rig. It then created the second EXE and eventually injected itself into svchost:

SHA256:	b024266f710c6c7a1517d4623e048b8c564dabf9ac294ba6317762fa6c830142
File name:	vqb1zpvr.exe
Detection ratio:	19 / 65

SHA256:	ffc1cfe4cfa36477ead629bd1a2c6ffb266502c3261b85de431137da411320a8
File name:	domain.exe
Detection ratio:	8 / 62

I saw three domains associated with Kronos in total. POST requests were made to “/kronos/connect.php”:

kgkjvkjgvkgvkhg.xyz
khgkjhkjghkjgh.xyz
kljhlkjhkljh.xyz

Viewing the functions of “domain.exe” shows what appears to be form grabbing and HTML injection.

Summary:

Its been a fairly standard week for Rig EK. I’ve not spotted anything new or interesting so I decided not to blog about it this week. I did however discover a change in Magnitude EK. It’s a small one but the Scriplet now has the extension “.bmp” instead of “.ico”.

I also ran this flow with the latest IE 11 and Flash Player and still got Cerber Ransomware (still calling itself CRBR). If you’ve ever fiddled with security settings you’ll probably scream that scriplets are disabled by default which is true. I did play with the security settings to try to give see what payload the scriplet drops. Alas they still failed as usual and Cerber appeared from it’s normal vector.

Background Information:

• Article from RSA, although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

• A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK drops “CBRB” (Cerber Ransomware)

Magnitude EK via malvertising delivers Cerber Ransomware

 

Most notable about this flow is the change of the naming of the scriplet used by Magnitude EK.

The scriplet is called in the landing page. I have deobfuscated most of it and you can see the call to the “.bmp” scriplet. Previous it has been “.ico”.

This is the scriplet mostly deobfuscated with some variables renamed. Here you can see an executable is dropped and ran with cmd. These executables always fail and are 0 kb. I’m not sure why this is the case.

If you enlarge this picture you will see  a condensed version of all the processes that were run on the endpoint.

The payload is Cerber Ransomware. This version calls itself “CBRB”.

This version of a Cerber is at least a week old (UDP patterns are identical but sample is fresh from 3rd) however it still does a good job at evading a lot of AV vendors.

SHA256:	46e29c56d426a4c16548b74f77b2fdd75005ddac1333039567d16212cdc585e4
File name:	a.exe
Detection ratio:	14 / 61

 

Summary:

Whilst the Petya variant ransomware campaign is occurring the use of WMIC reminded me of Magnitude EK which also uses it to run the payload. It’s also able to run PowerShell commands.

I hope to do a few learning tutorials on Magnitude in the near future mainly focusing on deobfuscation as it is vastly more complex than Rig EK. My current stumbling block is that I’m not entirely sure what the function of the 2nd part of the landing page is. If you know give me a nudge (its the “further exploits” part). It is not included in any articles that I have found.

This version of Cerber calls itself “CBRB” which is odd.

 

Background Information:

• Article from RSA, although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

• A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK via malvertising delivers Cerber Ransomware

At some point I hope to take a deep dive into Magnitude EK, mostly focusing on deobfuscation. The first gate for example uses your “window.screen” object to generate the next URL and it’s quite interesting.

Although not shown in the main picture, a new trend for Magnitude is a double landing page which causes duplicate traffic.

For now here is a list of processes that were executed:

You can see the Scriplet is ran which drops 3 payloads all of which fail. I’m not sure why they fail but it’s possible that as the Flash request is one of the very first requests in the actual landing page and that Magnitude has already decided how to drop the payload and thus these fail. I will try it one day without Flash.

A PowerShell command is ran to download a file called “b.exe” and finally WMIC is used to run the payload “a.exe“.

 

The payload is of course Cerber Ransomware. This version calls itself “CBRB”.

When i submitted to VT it has relatively few detection’s and none directly refer to it as Cerber though some vendors may call it other things.

SHA256:	efe238b3d28c819b27abe668d1188d7534101bcf9a1cfef0c7d56e33b00b8424
File name:	a.exe
Detection ratio:	13 / 61

 

 

Summary:

Today I found a probable compromised website that contained a harmless looking script by name at least. However it led to a website hosting a JavaScript redirector to Rig EK. The chain is interesting and I have not seen one like it yet since I started doing this.

The payload was Pushdo dropping Cutwail. Thanks to @Antelox for the identification. Although this is an old botnet/spammer it had been spotted by @DynamicAnalysis late last year (https://malwarebreakdown.com/2016/10/20/eitest-leads-to-rig-ek-at-185-45-193-52-which-drops-cutwailpushdo-botnet/).

The malware aggressively spammed POST requests and SMTP eating up my disk space rapidly. There is an interesting deep dive by Trend and Blueliv regarding this malware below.

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

• Article on Pushdo/Cutwail

https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf

https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/

 

Downloads

(in password protected zip)

• 22-June-2017-Rig-Pushdo-PCAP -> Pcap
• 22-June-2017-Rig-Pushdo-CSV> CSV of traffic for IOC’s
• 22-June-17-Pushdo-Cutwail -> Pushdo/Cutwail ( 93b920e774874615c40b0b59149ea0200f2c23ece5e27ca1230ffa4d646c45b2)

Details of infection chain:

(click to enlarge!)

Full Details:

I found this website through malvertising. It appears to be an old probably compromised or even fake website that contains a script that appears harmless at a glance.

The script appears at the bottom of the page and appears to be named similar to a legitimate script called “js/wp-emoji-release.min.js?ver=4.4.10”

The script contains code which is likely profiling then redirects to another domain hosting a JavaScript file.

This script contains a 301 redirect to a another script called “scr.php“. This contains what looks like two JavaScript redirectors leading to Rig EK.

The payload was Pushdo dropping Cutwail. Pushdo is a downloader dropping  Cutwail which refers to the spamming module of the Pushdo botnet.

SHA256:	93b920e774874615c40b0b59149ea0200f2c23ece5e27ca1230ffa4d646c45b2
File name:	g45g4yh.bin
Detection ratio:	11 / 60

Although my PCAP will have most of not all the traffic, VT also seemed to capture the POST requests in the Behaviour Section which is useful for IOC’s.

The malware created multiple svchost processes and a startup entry. The processes began to multiply as time went on. It does not do a great job at hiding itself and did not delete itself from temp.

It then began violently spamming POST requests and SMTP.

Here is a sample POST request which appears to return a website.

Summary:

Here I have four Rig EK flows from 13-16 June from malvertising chains. The payloads were Chthonic and Bunitu. I have not gone into much detail in this blog regarding the infection chains as I have already written about them in previous blogs. These however are all new referrers which may be worth noting.

There are 3 gates here to redirect to Rig:

• A simple 302 redirect
• Bunitu’s “Small Gate”
• At least two domains with the same pattern “IndexZ Gate”

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

• Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

• Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

(in password protected zip: (infected))

• 16-June-17-MultiRig-PCAP -> Pcaps of traffic
• 16-June-17-MultiRig-CSV -> CSV of the traffic for IOC’s
• 16-June-2017-Chthonic-Bunitu -> ZeuS Chthonic and Bunitu

Details of infection chain:

(click to enlarge!)

 

 

Full Details:

All flows were found through malvertising chains between 13-16 June 2017. Below are two previous blogs that cover Chthonic and Bunitu.

• Rig EK Via RoughTed Delivers Chthonic
• Rig EK drops Bunitu Proxy Trojan

Due to time issues I was unable to capture all the activity from my lab. Instead with the assistance of @LedTech3 i was able to recover the payloads from the PCAP’s. I have ran them through Hybrid Analysis

advert-mal.bin (Chthonic)

SHA256 – 159cda8598b1916bcdeba8c31b88183e576d49673da6635c26f36ff9c291de07

C2 – HTTP – POST – pationare.bit/ – 86.110.117.53                                                                                                  POST – pationare.bit/www/ – 86.110.117.53

https://www.hybrid-analysis.com/sample/159cda8598b1916bcdeba8c31b88183e576d49673da6635c26f36ff9c291de07?environmentId=100

 

jackportreroll-mal.bin (Bunitu)

SHA256 – 61982aa119f5297d23300d59a1f7bcc030348025d8a224ca50894652d815a42b

C2 – DNS – p.onlinecbbeer.com – 84.210.101.33
DNS – f.onlinecbbeer.com – 94.106.242.28

https://www.hybrid-analysis.com/sample/61982aa119f5297d23300d59a1f7bcc030348025d8a224ca50894652d815a42b?environmentId=100

 

shoppinwithus-mal.bin (Chthonic)

SHA256 – afc31940380359380f27cd0cbcc18f9eb67027107d434d190a725f124b1b554e

C2 – HTTP – POST – letit2.bit/home/www/  – 47.91.124.165                                                                                     POST – letit2.bit/www/              – 47.91.124.165

https://www.hybrid-analysis.com/sample/afc31940380359380f27cd0cbcc18f9eb67027107d434d190a725f124b1b554e?environmentId=100

youcaught-mal.bin (Chthonic)

SHA256 – 4a96c45844fa6719b91d525c97b9cad479c92eec44c16f969ce7f3a3aa1a99c1

C2 – HTTP – POST – letit2.bit/home/www/  – 47.91.124.165                                                                                     POST – letit2.bit/www/              – 47.91.124.165

https://www.hybrid-analysis.com/sample/4a96c45844fa6719b91d525c97b9cad479c92eec44c16f969ce7f3a3aa1a99c1?environmentId=100

 

Summary:

Recently I have found a lot of Rig EK as have many of the other researchers from malvertising. Today I revisited an old site called “likexhamster” which in last May was dropping Chthonic via a fake ad domain served by a popunder script.

This time the same mechanism dropped Dreambot aka as gozi. Additionally Rig EK appears to have been changing it’s URL patterns of late. I was collecting several samples to investigate but @nao_sec  has posted a series of tweets which reveals the extent of the changes.

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

• Article on Dreambot:

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

Downloads

(in password protected zip: (infected))

• 14-Jun-2017-Rig-Dream-PCAP -> Pcap
• 14-Jun-2017-Rig-Dream-CSV -> CSV of the traffic for IOC’s
• 14-Jun-2017-Dreambot -> Dreambot

Details of infection chain:

(click to enlarge!)

Full Details:

The infection chain begins on a porn website called “likexhamster“. This site is filled with ads though one particular popunder script loads a fake ad “occurent.info” Below you can see the script and then what was returned after the “eval” function.

The ad leads to what appears to be the Rig EK pre-landing page. If the environment passes the checks, a redirection to Rig EK occurs.

Note the Rig EK URL parameters:

The payload was Dreambot – an information stealer/banking trojan AKA Gozi/ISFB.

SHA256:	d193de89f70c1049999eabf12a3523b01c695bb536ece4de8ddc62ac71a12424
File name:	d193de89f70c1049999eabf12a3523b01c695bb536ece4de8ddc62ac71a12424.bin
Detection ratio:	15 / 61

Dreambot connects to a CNC server using a URL that contains the string “images” and “.avi”.  though I have seen other variant of Ursnif use different strings such as “.jpeg” etc.

The below image shows some of  the actions Dreambot took during behavioural analysis.

Dreambot sends data over TOR. Below is a screenshot of some of the domains.

 

 

 

Summary:

I have been following an IP over the past week which I originally found dropping an interesting coin miner. In attempt to find this miner again (as it appeared as if it was in dev) I began to look into it in more detail.

When a specific resource is targeted the browser is redirected to Rig EK or to a fake Flash file. All sites use the http.equiv attribute to refresh the screen loading Rig EK landing page URL. So far I have observed a coin miner, Chthonic and Zloader as payloads.

Unfortunately I had so many payloads and pcaps that I got lost within them and owing to a lack of time I have not been able to focus to prepare my usual style blog. None the less, this IP is a great source for Rig EK for those interested in studying it.

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip: (infected))

• 11-June-2017-RigZloader -> Pcap
• 12-June-2017-Rig-Chthonic -> Pcap 

Details of infection chain:

(click to enlarge!)

Full Details:

Lately I have been following an IP that is serving Rig EK via a http.equiv “REFRESH” attribute. This causes the page to refresh and “redirect” the browser to Rig EK.

The IP (ASN 24940 (Hetzner Online AG) has several domains registered to it with a general theme of “XXXredirect.ru”

https://www.virustotal.com/en/ip-address/144.76.174.172/information/

Originally I found a domain hosted on this IP through RoughTed -> Rig EK via RoughTed drops a Miner

I have also found it through an “Onclkds” variant which is shown in the picture.

You can also just browse directly to one of these domains however you need to add a resource. So far I have seen three of these:

XXXredirct.ru/lan – Rig EK -> Chthonic

https://www.hybrid-analysis.com/sample/8b2fe525ddcb3d56154a3583e8e14467046e31358a89ef56b1e9e39672f779c9?environmentId=100

XXXredirct.ru/1 – Rig EK -> Zloader

https://www.hybrid-analysis.com/sample/e1977df942e969abf6ae7c7d408766d4e8d6fb50f785ea5af384bbb068bfb86a?environmentId=100

XXXredirct.ru/xfile – Fake Flash -> Chthonic

https://www.hybrid-analysis.com/sample/66cc94449e7d45bafd9fb72668d3112bb3a156573f374139dc36dd0f8b8ffa22?environmentId=100

There is a bit more information on the Flash file from the Twitter:

I also made a few tweets (and referenced in some) throughout the week in case you missed them:

And a bonus post of Bunitu and Magnitude:

Summary:

Through RoughTed I found my old Bunitu chain. This time instead of poker or adult themes, the threat actors are using EVE Online which is a very popular space themed MMORPG.

The fake website contained the same redirection mechanisms as previous Bunitu posts. That is it redirects to a domain hosted on the same IP and then there is an iframe to Rig EK containing the “small” tag. I did not test the fake EVE website to determine if any phishing was involved.

Oddly I found strings for Space Invader within Bunitu. It will be interesting if anyone can find out why that is so.

 

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

• Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

• Article on Rough Ted:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

Downloads

(in password protected zip)

• 07-June-2017-Rig-Bunitu-PCAP -> Pcap
• 07-June-2017-Rig-Bunitu-CSV-> CSV of traffic for IOC’s
• 07-June-2017-Bunitu -> Bunitu (exe and dll)

Details of infection chain:

(click to enlarge!)

Full Details:

RoughTed is a malvertising operation known for it’s wide scope. See the MalwareBytes article above for a more in depth dive.

This led to a fake EVE Online website which appears to mirror the official EVE Online. Below is what the fake website looks like.

The website contains an iframe to a domain hosted on the same IP address

This domain contains an iframe leading to Rig EK. As with previous Bunitu posts, this gate always contains the “small” tag.

Rig EK then dropped Bunitu proxy trojan. Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy. Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures I am sure they are initiated by Bunitu.

Usually I would link a Virus Total link or a Hash but I will update that later.

The below shows strings associated with firewall changes and the DLL that is dropped.

Interesting i found strings for Space Invaders. I’m not sure why these are present!

Summary:

Using the malware operation RoughTed again I came across a flow highly similar to the one I found yesterday that dropped a miner. The compromised website used the http.equiv attribute to refresh the page revealing Rig EK.

The payload was ZeuS variant known as Chthonic. Aside from using tools to statically analyse the binary I did submit it to Hybrid Analysis as there were some anomalies when it ran on my host.

 

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

• Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

• Article on Rough Ted:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

Downloads

(in password protected zip: (infected))

• 6-June-2017-RigChthonic-PCAP -> Pcap
• 6-June-2017-Rig-Chthonic-CSV -> CSV of the traffic for IOC’s
• 6-June-2017-Chthonic -> ZeuS Chthonic

Details of infection chain:

(click to enlarge!)

Full Details:

RoughTed is a malvertising operation known for it’s wide scope. See the MalwareBytes article above for a more in depth dive.

RoughTed led to a compromised website that used the “http.equiv” attribute to refresh the screen which presents the Rig EK landing page.

Rig EK crashed my browser forcing me to restart. By the time I had recognised I was on the landing page (3 secs in) the payload had already cleaned itself up so i refreshed the page causing a 2nd flow.

According to the 2014 article by securelist, Chthonic has the following capabilities: 

I was able to peer at the strings and came across what looks like security questions or checks:

The binary has a relatively low detection rate. It was 12+ hours since I found it and currently it has 9 detections on VT.

SHA256:	636fd02a030b99c2af3245052f9ff0c6d80b27e6f159a98ff1a1dba83634db9a
File name:	lwlri630.exe
Detection ratio:	9 / 60

Chthonic performed POST requests to “patrionare.bit“. I believe this to be the malware downloading modules. The binary did not prompt for a restart (I had UAC turned off) or even force a restart. After restarting The CnC traffic was observed but it had not injected itself into another process and neither did it create an executable as observed in the HA report.