Rig EK via Malvertising drops Unknown DLL

Summary:

Malvertising leads to Rig EK on another “Poker” website. This is the same method used in my two previous posts with slightly varying parameters.

This time I could not identify the payload which appeared to be a DLL. It appeared to run and there was activity in processes but it made no network connections and did not seem to have changed the host significantly even after a reboot.

The DLL is available in the download below. If you have expertise in this area, I would be very keen to know what this file does or is supposed to do.

 

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article from Malware Breakdown about Hookads. Similar to these infection chains:

https://malwarebreakdown.com/2017/02/19/hookads-malvertising-redirects-to-rig-v-ek-at-217-107-219-99-ek-drops-ursnif-variant-dreambot/

Downloads

  • 200217rigunkdll-> Contains pcapng and payload  in password protected zip.

Notable Details:

  • 206.54.163.50 – onclkds[.]com – Flash version detector
  • 206.54.163.50 – onclkds[.]com – 302 redirect
  • 104.197.120.151 – adexchangeprediction[.]com – 302 redirect
  • 78.46.232.211 – holdempoker.pw – iframe redirect
  • 88.198.220.122 – holdempoker2.pw – Compromised Site iframe redirect
  • 46.173.219.164 – add.neighborhoodreunions[.]net – Rig EK
  • Payload was rad9E825.tmp.dll -> VirusTotal

Details of infection chain:

Malvertising chain leads to Rig EK which drops a DLL which did not appear to make any noticeable changes.

Full Details:

  • A malvertising URL contains a Flash version detector.
  • Two further 302 redirects.
  • iframe redirect to compromised website.
  • iframe to Rig EK.
  • oadd.neighborhoodreunions[.]net -> Pre-Landing -> Landing Page -> Flash -> Payload
  • Dropped payload “rad9E825.tmp.dll” which came back 0/54 on VT.
  • SHA256: f620502a8db93560b8c40b86bb72c04555a35dc81ceabdcedae9f4cc7448ed19
    File name: rad9E825.tmp.dll
    Detection ratio: 0 / 54
  • The payload ran using regsvr32.exe and although there was some activity it did not appear to do anything significant. Perhaps it required a different version of Windows or maybe it made several subtle but important changes. I’ll keep monitoring the machine for any strange activity.
  • The website at 78.46.232.211 appears to host multiple Poker themed websites. The IP is the same as in the previous Bunitu infection but the domain is different.

Rig EK via Malvertising delivers Bunitu Trojan

Summary:

I have stumbled across multiple “ad servers” which check for versions of Flash. I was playing around with one and was getting redirected to random sites. After a while I was redirected to Rig EK. Bunitu was dropped by Rig which was a nice change from the usual Cerber.

I believe these “ad servers” might be great for EK hunting. I have already found Sundown EK in this manner.

 

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

Notable Details:

  • 206.54.163.4 – onclickads[.]net – Flash version detector
  • 206.54.163.50 – onclkds[.]com – 302 redirect
  • 104.197.85.202 – adexchangeprediction[.]com – 302 redirect
  • 78.46.232.211 – holdem-pokers.info – iframe redirect
  • 88.198.220.112 – poks122[.]pw – Compromised Site iframe redirect
  • 185.159.130.122 – old.thebestdallasdentists[.]com – Rig EK
  • 245.147.26.100 – plastic.firgo6slike.net – DNS request from Bunitu
  • Payload was rad73363.tmp.exe -> VirusTotal

Details of infection chain:


Malvertising chain starting with Flash detector leads to Rig EK which drops Bunitu Trojan.

 

Full Details:

  • A malvertising URL contains a Flash version detector.
  • Two further 302 redirects.
  • iframe redirect to compromised website.
  • iframe to Rig EK.
  • old.thebestdallasdentists[.]com -> Pre-Landing -> Landing Page -> Flash -> Payload
  • Dropped payload “rad73363.tmp.exe”.
  • SHA256: fa092bfd24a1255d5e870b447cfc229e3bc6b0dd3f59ade7fa7369aff45b7a29
    File name: rad73363.tmp.exe
    Detection ratio: 10 / 58
  • This was identified as Bunitu Trojan.
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Bunitu uses a DLL called vsgliig.dll.
  • ETPRO TROJAN Win32.Bunitu DNS Lookup (A Network Trojan was Detected) [2824943]

Bunitu opens ports by changing firewall rules.

Sundown EK via Malvertising delivers Zloader

Summary:

I have finally found Sundown EK without having someone give it to me or borrowing it from another researcher. I actually found this from alerts of Magnitude EK and it is quite possible the malvertising site may actually lead to other EKs. Alas, I was sent to Sundown EK and not Magnitude but this could be an indication that Sundown is using the same mechanisms to get visitors as Magnitude is known for (ads).

This version of Sundown did not use steganography and seemed relatively straightforward: a landing page, one Flash exploit and then a payload. The payload was Zloader, which I have seen being dropped by Sundown before.

Anyway, the files and pcap are available for download. Perhaps someone can figure out why I saw ET signatures for White Lotus EK exploits. I hope the new IOCs will be of use to the community.

Background Information on Sundown EK:

Sundown EK has changed so much over the past few months that I’m not sure any article can cover what it is today. Sundown is known to use parts of other exploit kits. Recently, however, it was reported that Sundown uses steganography; I did not see this occur in this sample.

Downloads

Notable Details:

  • 206.54.163.4 – onclickads[.]net – Malvertising
  • 206.54.163.50 – onclkds[.]com – Malvertising
  • 50.87.151.234 – petloversetc[.]com – Compromised Website
  • 51.140.35.17 – ai.rqrzq[.]com – Sundown Landing Page
  • 51.140.35.17 – dqg.rkrtk[.]com – Sundown Payload download
  • 31.164.129.28 – gunsun[.]su – Zloader 
  • 31.164.129.28 – bedborder[.]su – Zloader 
  • Payload was z3qpfzic.exe -> VirusTotal

Details of infection chain:


Malvertising chain leads to Sundown EK which delivers Zloader

Full Details:

  • A malvertising URL searches for old versions of Flash and redirects to a compromised site.
  • An iframe on the compromised site redirects to Sundown EK.
  • ai.rqrzq[.]com and dqg.rkrtk[.]com are Sundown EK, from top to bottom -> Landing Page -> Flash -> Payload
  • Dropped payload “z3qpfzic.exe”.
  • SHA256: 43e30e3a58772743ad3fa4ae75de1a06204219eb80fbfc53fdb884d830942d44
    File name: z3qpfzic.exe
    Detection ratio: 6 / 58
  • Also known as Terdot A, Zloader periodically sends data to a command and control server.
  • Interestingly I had some ET signatures for exploits used by White Lotus EK:
  • ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3 (A Network Trojan was Detected) [2017738]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2 (A Network Trojan was Detected) [2017737]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1 (A Network Trojan was Detected) [2017736]

Rig via PseudoDarkleech delivers Cerber Ransomware

Summary:

I have not been detecting as much Rig EK activity as last year. Many researchers are reporting interesting malware dropped by other gates (EITest). I appear to be stuck with PseudoDarkleech which always delivers Cerber.

Nonetheless Cerber is a dangerous ransomware and hopefully some of the IOCs or the pcap can help you to detect and block Cerber.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 87.98.231.16 – atadi[.]es – COMPROMISED WEBSITE
  • 217.107.34.172 – far.askgrannydating[.]com – RIG-V
  • 91.121.56.0 -> 91.121.56.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.57.0 -> 91.121.57.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.58.0 -> 91.121.58.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.59.0 -> 91.121.59.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.119.56.0 -> 91.119.56.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.120.56.0 -> 91.120.56.31 – UDP port 6892 – Cerber Check In IP Range
  • Payload was rad0489A.tmp.exe -> VirusTotal
  • Had a time delay of almost 2 minutes before UDP traffic occurred, indicating a possible sandbox evasion technique.

Details of infection chain:


Cerber encrypts files with a .ba89 extension. This picture shows UDP traffic and an excessive attempt to generate a new ransom URL.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • far.askgrannydating[.]com is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • UDP traffic port 6892 came in two variants. The first was of length 25 and occurred around 40 seconds from the start of capture. The second was of length 14 which occurred after almost 2 minutes.
  • Dropped payload “rad0489A.tmp.exe”.
  • SHA256: ad22b0a80b153f23d4fe63ad9a26d180d2c870c59ab6aec73976ef82fc3778da
    File name: rad0489A.tmp.exe
    Detection ratio: 6 / 57
  • Payload encrypted files with a  “.ba89” extension.
  • Cerber is likely waiting for Nbstat responses before it proceeds.
  • Emerging Threat signatures for Cerber and NBTStat query response.
  • Cerber changes the background and loads an HTA file containing instructions on how to decrypt your files. It also plays an eerie audio message, in the Windows 7 female USA voice, stating that your files have been encrypted.
  • I recorded the voice: https://instaud.io/JUA#0:00.1
  • I could not access any of the ransom URLs, and attempts to generate a new URL using the HTA tool provided by Cerber failed and resulted in an error.

Rig via PseudoDarkleech delivers Cerber Ransomware

Summary:

Another Cerber from Rig EK. I’ve actually done several of these runs since my last post. I only really like to post if I can contribute something to the community. In this case I noticed the payload going idle for almost 10 minutes before the UDP requests began. I believe this could be an anti-sandbox evasion technique as often sandboxes have a default time out period.

Other than that, it’s the same old Cerber 🙂

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 104.27.166.186 – golanguages[.]es – COMPROMISED WEBSITE
  • 194.87.238.245 – park.medlawtalk[.]tv – RIG-V
  • 91.117.40.0 -> 91.117.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.119.40.0 -> 91.119.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.40.0 -> 91.121.40.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.41.0 -> 91.121.41.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.42.0 -> 91.121.42.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.43.0 -> 91.121.43.255 – UDP port 6892 – Cerber Check In IP Range
  • Payload was rad69926.tmp.exe -> VirusTotal
  • Had a time delay before UDP traffic occurred of almost 10 minutes indicating a possible sandbox evasion technique.

Details of infection chain:

Cerber encrypts with a .ba89 extension. Note the time delay between the payload and the first UDP check in.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • park.medlawtalk[.]tv is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • UDP traffic on port 6892 all contained the data “fd6b47b9da60f3”
  • Dropped payload “rad69926.tmp.exe”.
  • SHA256: bdba80fe4638b8ec8d0cde505cfd62ba89d90c86d856e409cabc032a34ec5750
    File name: rad69926.tmp.exe
    Detection ratio: 26 / 56
  • Payload encrypted files with a  “.ba89” extension.
  • The payload appeared to be idle for almost 10 minutes. After this the usual UDP and Nbstat requests occurred and the encryption completed.
  • Cerber is likely waiting for Nbstat responses before it proceeds.
  • Emerging Threat signatures for Cerber and NBTStat query response.
  • Cerber changes the background and loads an HTA file containing instructions on how to decrypt your files. It also plays an eerie audio message, in the Windows 7 female USA voice, stating that your files have been encrypted.
  • I recorded the voice: https://instaud.io/JUA#0:00.1

Rig via PseudoDarkleech delivers Cerber Ransomware

Summary:

I finally sorted out my lab and successfully got a Cerber infection which encrypted everything with a .ba89 extension. Interestingly this Cerber did not send the standard HTTP request you would expect from Cerber. I did see a lot of Nbstat responses however from several of the IP addresses that sent data over UDP port 6892. I’m presuming these responses are what allowed Cerber to proceed with encryption.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 192.185.91.202 – sewellwilson.co[.]nz – COMPROMISED WEBSITE
  • 195.133.147.212 – guv.mobilevcilhayvan[.]com – RIG-V
  • 91.117.40.0 -> 91.117.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.119.40.0 -> 91.119.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.40.0 -> 91.121.40.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.41.0 -> 91.121.41.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.42.0 -> 91.121.42.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.43.0 -> 91.121.43.255 – UDP port 6892 – Cerber Check In IP Range
  • Payload was rad14017.tmp.exe -> VirusTotal
  • I also put it into HybridAnalysis, which failed to deliver Cerber, indicating that Cerber might be able to detect a sandboxed environment.
  • Created several additional files.

Details of infection chain:

Cerber encrypts with a .ba89 extension. No HTTP request from Cerber.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • guv.mobilevcilhayvan[.]com is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • UDP traffic on port 6892 all contained the data “9d5b5326527fd5”
  • Dropped payload “rad14017.tmp.exe”.
  • SHA256: f62b4a1a3dbe7b0cf7e4b1fe55255d74655b96e5d143925d108be1f63f429df1
    File name: rad14017.tmp.exe
    Detection ratio: 8 / 56
  • Payload encrypted files with a  “.ba89” extension.
  • I did not see the usual HTTP request of Cerber. It is likely the Nbstat responses are giving Cerber the go ahead.
  • Emerging Threat signatures for Cerber and NBTStat query response.
  • Even though I see the Conficker emerging threat signature I can now safely rule this out.
  • Cerber changes the background and loads an HTA file containing instructions on how to decrypt your files. It also plays an eerie audio message, in the Windows 7 female USA voice, stating that your files have been encrypted.

Rig-V via PseudoDarkleech delivers Cerber

Summary:

I had previously done analysis on the compromised website on 2nd January. I thought I would try it again to see if there were any differences. The website still contains the PseudoDarkleech gate which is delivering Cerber.

My setup did not deliver Cerber ransomware however the Cerber Check In UDP traffic was observed again. I put the payload through an online sandbox to see what would happen and found the exact same result. The payload did not create a file with a strange extension as I have previously seen so the function of that file is unknown.

I have been unable to find an answer as to why Cerber creates the UDP traffic. It is possible the payload has other functionality such as commands to a bot net to perform DDoS, or the Emerging Threat signature is not a false positive and it is an action of the infamous Conficker.

Interestingly an article regarding Sage Ransomware mentions a similar UDP traffic:

When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted. BleepingComputer’s September 2016 write-up on CryLocker shows the same type of UDP post-infection traffic, but CryLocker’s traffic was not encrypted.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 50.87.146.184 – crowsrunrecycling.com – COMPROMISED WEBSITE
  • 92.53.120.151 – cast[.]rednationrising[.]tv – RIG-V
  • 91.239.25.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 91.239.24.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 17.35.12.0 -> 17.35.12.31 – UDP port 6892 – Other UDP Traffic
  • 11.56.22.0 -> 11.56.22.31 – UDP port 6892 – Other UDP Traffic
  • Payload was radC873.tmp.exe -> VirusTotal
  • Conscious that I did not receive Cerber I also put it into HybridAnalysis which reported the exact same result.
  • Did not create any other file with unusual extension like previous attempts

Details of infection chain:

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • cast[.]rednationrising[.]tv is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • I included the shellcode that is run after the successful exploit.
  • UDP traffic on port 6892 all contained the data “7c1cf9fa1c20008c1700000ec”
  • Dropped payload “radC873.tmp.exe”. Payload did not create any unusual files like I have seen previously.
  • SHA256: 346aa416f048b2733b0971f3ae02ad353f7d3b22f447c372b16bab16af5a290a
    File name: radC8973.tmp.exe
    Detection ratio: 9 / 56
  • Payload terminated itself, did a ping -n 127.0.0.1 and then deleted itself.
  • Emerging Threat signatures for Cerber and Conficker.
  • Malwarebytes detects it as Cerber Ransomware.
  • I have not ruled out that this could be an action of Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past and received Cerber.

Phishing email “Company Investigations” leads to Ursnif

Overview

I received this email on several email accounts. You can read more specific details on Dynamoo’s Blog, which is a great site for malspam. This is my first attempt at reporting on malspam in this manner.

My sample was slightly different. Different domains, and when I ran it through Hybrid Analysis there was a POST request which triggered the signature “ET TROJAN Ursnif Variant CnC Data Exfil”. There is some indication that it could be ransomware (Cerber or Nemucod) but the POST request does not match either of these. I was unable to run the sample in my lab (although I did do it in another lab) so unfortunately no PCAP is available.

In short, the link in the email redirects to a domain that appears to be from the UK government and is fairly convincing. There is a CAPTCHA code required to download the file and you do actually have to input the correct code. This downloads a ZIP, and in the ZIP is a JS file called “Case Details.js”. When executed this script downloads a “PDF” which is actually an executable.

Downloads

zeroursnifmalspa – This ZIP contains the JS downloader and the “PDF” in a password protected ZIP.

Notable Details:

  • 35.166.113.223 -> XXXX.gbinsolvencydirect[.]com -> All initial links redirect to this domain (random subdomain).
  • 104.238.71.250 -> http://handsthatcreate[.]com/wp-content/ev7npohd26gjy/inv1086[.]pdf -> Payload from the JS downloader
  • 213.111.163.37 -> POST /images/qqO4c7m7K0o1v1WaOVqlM3/gaduzOaWDj2Ej/dky1oD5G/b6eIbElkyYDazgJD9EVZGDf/1dS_2FD7Gk/dXjVvDWW8rFW6kynB/Q1JBt76ghIE7/J3wvFgJCKkr/IoK2klRrS mJw07/d9ga1urO7Np7wV2dbnEiH/uj5TnbCyo8_2FAIv/a0CVotDtB13_2FX/1b5vIlIROvQI1IjtGB/_2FRlkFQIOb97/D3hcwhDN/Q.bmp -> Ursnif CnC

Details of infection chain:

Phishing email “Company Investigations” leads to Ursnif

Further Details:

  • SHA256: 8d2bd198ca268762b9e429f44c68f8953e1dce60bc1bc820ff82c87ebd3e4eb6
    File name: Case_Details.js
    Detection ratio: 7 / 53
  • SHA256: 98c939c7a2406055ad0c000c6c27b46a2cba29eaf5f8a9eafd93c8bf573f309b
    File name: inv1086.pdf
    Detection ratio: 30 / 55
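Two checks a mail or download gateway can apply to the chain described above (a ZIP carrying a .js downloader, and a “PDF” whose bytes are really a Windows executable). This is an added example, not code from the original post; the ZIP and PE header it tests against are constructed stand-ins, not the real Case Details.js or inv1086.pdf.

```python
"""Flag the two lures in the "Company Investigations" chain: a script file inside a
ZIP attachment, and a document-named download that is actually a PE image."""
import io
import struct
import zipfile

# Windows Script Host / HTML Application extensions that run when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions under which a PE image is expected; anything else is a disguise.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "sys"}


def _extension(name):
    """Lower-cased extension without the dot, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def script_members(zip_bytes):
    """Names of archive members that are script files (e.g. 'Case Details.js')."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if "." + _extension(n) in SCRIPT_EXTENSIONS]


def is_pe_image(data):
    """True when data starts with a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. it is a Windows executable or DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_mismatch(filename, data):
    """Describe why the content does not match the name, or None when it is consistent.
    Covers the post's inv1086.pdf case: a PE delivered under a document extension."""
    ext = _extension(filename)
    if is_pe_image(data) and ext not in EXECUTABLE_EXTENSIONS:
        return "PE image delivered as .%s" % ext
    if ext == "pdf" and not data.startswith(b"%PDF-"):
        return "no %PDF- header"
    return None


def build_sample_zip():
    """Constructed ZIP mimicking the attachment layout; the .js body is a stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Case Details.js", "// constructed stand-in, not the real downloader\n")
        zf.writestr("readme.txt", "harmless text member\n")
    return buf.getvalue()


def build_fake_pe():
    """Constructed minimal PE header (not inv1086.pdf): MZ stub, e_lfanew = 0x40, PE sig."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    print("script members:", script_members(build_sample_zip()))
    print("inv1086.pdf:", extension_mismatch("inv1086.pdf", build_fake_pe()))
```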

Rig-V via PseudoDarkleech delivers Cerber?

Summary:

I found this website through someone mentioning Rig EK so decided to analyse it to look for any new changes. The website contains the PseudoDarkleech gate.

My setup did not deliver Cerber ransomware however the Cerber Check In UDP traffic was observed again. I decided this time to save the payload before it terminated itself. I then put it through an online sandbox to see what would happen and found the exact same result.

The payload also created a strange “.8H” file which was not readable. I have been unable to find an answer as to why Cerber creates the UDP traffic. It is possible the payload has other functionality such as commands to a bot net to perform DDoS, or the Emerging Threat signature is not a false positive and it is an action of the infamous Conficker.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

  • zerorigek190117  -> Contains Pcap, payload and interesting files in password protected zip.

Notable Details:

  • 94.23.51.27 – lacaze-tarn[.]com – COMPROMISED WEBSITE
  • 188.255.32.189 – 4wx[.]leecrismanradio[.]com  – RIG-V
  • 91.239.25.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 91.239.24.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 90.2.1.0 -> 90.2.1.31 – UDP port 6892 – Other UDP Traffic
  • 90.3.1.0 -> 90.3.1.31 – UDP port 6892 – Other UDP Traffic
  • Payload was rad92106.tmp.exe -> VirusTotal
  • Conscious that I did not receive Cerber I also put it into HybridAnalysis which reported the exact same result.
  • Also created a “.8H” file called “clearance”.

Details of infection chain:

Rig-V via PseudoDarkleech delivers Cerber?

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • 4wx[.]leecrismanradio[.]com is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash exploit -> Payload
  • UDP traffic on port 6892 to 91.239.25.0/24 all contained the data “0ca5ea83d2eb008c170000026”
  • Dropped payload “rad4DE50.tmp.exe”
  • Payload terminated itself and then deleted itself but also created a “.8H” file called “clearance”.
  • Emerging Threat signatures for Cerber and Conficker
  • I have not ruled out that this could be an action of Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past and received Cerber.

Compromised site with PseudoDarkleech (Rig EK and Cerber Ransomware) and Mobile Malware redirect.

Summary:

I found this website through someone mentioning Rig EK patterns so decided to see what it was all about. The website actually contained two redirects. One looked for a mobile user agent and redirected to a website and the other was the PseudoDarkleech gate.

My setup did not deliver Cerber ransomware however the Cerber Check In UDP traffic was observed and I believe an issue with my setup was to blame. I observed the payload terminating and deleting itself. It will be interesting to find out why this was the case.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 107.180.41.47 – tlcbarandgrill[.]com – COMPROMISED WEBSITE
  • 92.53.127.208 – seo[.]marketingactivo[.]club  – RIG-V
  • 91.239.25.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 185.93.187.41 – No domain – Mobile malware re-director

Details of infection chain:

Compromised site with PseudoDarkleech (Rig EK and Cerber Ransomware) and Mobile Malware redirect.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • seo[.]marketingactivo[.]club GET /?br_fl=5730&oq=CelSA9KIuKLUBbArphEyCcgZjnt9aUwtC9ampjESEy0Ob1MbR9CW9U U4HupE&q=z3bQMvXcJwDQDoTCMvrESLtEMU_OHkKK2OH_783VCZn9JHT1vvHPRAP 2tgW&tuif=2014&yus=Vivaldi.99zf91.406v4o7r8&biw=Vivaldi.107xr110.406u4n4a9&ct=Vivaldi  – Pre-Landing Page
  • seo[.]marketingactivo[.]club POST /?ct=SeaMonkey&oq=2aCm3YpPcsfLFXbFLoik2JcgdonoxdA10SpvisjkHXzEee1ZDW- 0TeUTp1&tuif=1830&yus=SeaMonkey.124zw109.406n6g1m6&biw=SeaMonkey.102pl5 8.406w0o3q4&br_fl=3934&q=wXbQMvXcJwDQDobGMvrESLtANknQA0KK2Ib2_dqyEo H9eGnihNzUSkr76B – seo[.]marketingactivo[.]club GET /? q=wHjQMvXcJwDKFYbGMvrERqNbNknQA0KPxpH2_drSdZqxKGni0eb5UUSk6F6CEh3 h_&ct=Microsoft_Edge&yus=Microsoft_Edge.91fh110.406b7f1a2&tuif=3751&oq=KIkL ONTOlKwjUyIcgxjlYdfUAsU9vio30PVyxPNhZXX- kHcMg51_ZKTFLIy6B6ymQ&br_fl=4546&biw=Microsoft_Edge.99ue70.406l7h6j3 – Flash exploit
  • seo[.]marketingactivo[.]club GET /? tuif=5613&ct=Mozilla&br_fl=2142&biw=Mozilla.109db100.406y5d8m0&oq=xfIkfLMBP gvm3BSJcwxolYxUUF0Rpq6v30CEyxaehZTT_0CKNQgUrKKTE7ALhR32&yus=Mozilla.9 8lg70.406z1b0j8&q=w3vQMvXcJx7QFYbGMvvDSKNbNkjWHViPxouG9MildZeqZGX_k 7vDfF-qoVzcCgWR – Payload
  • UDP traffic on port 6892 to 91.239.25.0/24 all contained the data “400cd244ca0f008c170000034”
  • Dropped payload “rad92106.tmp.exe”.
  • Payload terminated itself and then deleted itself.
  • Emerging Threat signatures for Cerber, Conficker and Mobile Malware re-director.
  • I have not ruled out that this could be Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past.
  • Mobile malware URL link was dead but here is the Virus Total link which suggests it could be Kryptik: https://www.virustotal.com/en/url/16036f676ae68af394551bef757b828985d1f1f805cd3561e851fca8b6c0179a/analysis/
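The Cerber check-in traffic described in the Cerber posts above (small UDP datagrams to port 6892, sprayed across consecutive hosts in a /24 or a /27-sized slice, and only after a delay from infection) can be flagged from flow records rather than full packets. This is an added example, not code from the original posts; it assumes Zeek-style conn.log columns and runs over constructed sample lines, not the posts' pcaps.

```python
"""Flag Cerber-style UDP check-in sweeps in Zeek-style conn.log records."""
import ipaddress
from collections import defaultdict

CERBER_PORT = 6892
MIN_DISTINCT_DST = 16   # distinct hosts hit inside one /24 before we call it a sweep
WINDOW_SECONDS = 120    # all hits inside that /24 must fall within this window
MAX_PAYLOAD = 64        # the posts saw 25- and 14-byte datagrams; anything this small counts


def build_sample_log(capture_start=1486990000.0):
    """Constructed conn.log lines: ts, src, sport, dst, dport, proto, orig_bytes.
    Not taken from the posts' pcaps; destinations mirror the 91.121.56.0/24 and
    91.119.56.0/27 ranges the posts list, with the first wave ~40 s after capture start."""
    lines = ["%.3f\t192.168.1.107\t49152\t8.8.8.8\t53\tudp\t40" % capture_start]
    # first wave: 25-byte datagrams to 40 hosts in 91.121.56.0/24
    for i in range(40):
        lines.append("%.3f\t192.168.1.107\t61000\t91.121.56.%d\t6892\tudp\t25"
                     % (capture_start + 40.0 + i * 0.05, i + 1))
    # second wave ~2 minutes in: 14-byte datagrams to a /27-sized slice of 91.119.56.0/24
    for i in range(20):
        lines.append("%.3f\t192.168.1.107\t61001\t91.119.56.%d\t6892\tudp\t14"
                     % (capture_start + 118.0 + i * 0.05, i + 1))
    # a large datagram from another host on the same port must not alert
    lines.append("%.3f\t192.168.1.50\t50000\t10.0.0.9\t6892\tudp\t500" % (capture_start + 5))
    return "\n".join(lines)


def parse_conn_log(text):
    """Parse tab-separated records; '#' lines (Zeek headers) are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto, obytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "bytes": int(obytes)})
    return records


def find_udp_sweeps(records, port=CERBER_PORT):
    """Return one alert per (source host, destination /24) that looks like a check-in sweep:
    many distinct targets, tiny payloads, all inside a short window."""
    capture_start = min(r["ts"] for r in records)
    buckets = defaultdict(list)
    for r in records:
        if r["proto"] != "udp" or r["dport"] != port or r["bytes"] > MAX_PAYLOAD:
            continue
        net = ipaddress.ip_network("%s/24" % r["dst"], strict=False)
        buckets[(r["src"], str(net))].append(r)
    alerts = []
    for (src, net), hits in sorted(buckets.items()):
        hits.sort(key=lambda r: r["ts"])
        distinct = {r["dst"] for r in hits}
        span = hits[-1]["ts"] - hits[0]["ts"]
        if len(distinct) < MIN_DISTINCT_DST or span > WINDOW_SECONDS:
            continue
        alerts.append({
            "src": src, "network": net, "distinct_dst": len(distinct),
            "payload_sizes": sorted({r["bytes"] for r in hits}),
            # seconds from capture start: the posts note delays of ~40 s, ~2 min and ~10 min
            "first_seen_offset": round(hits[0]["ts"] - capture_start, 1),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_udp_sweeps(parse_conn_log(build_sample_log())):
        print(alert)
```

The first_seen_offset field is what lets an analyst line the sweep up against the payload drop time, which is where the posts' sandbox time-out observation becomes a triage signal.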