July-24-2019-> An update on what I’ve been up to.

Why have you not updated?

Many may have noticed that I’ve not update my blog for almost a year now. Although exploit kits are still about and are still used there has been little innovation around them to the point where you really need to try to get infected to be infected. If you really are using IE11 to browse with an old version of Flash then you need to stop unless you know you have the proper mitigation in place.

So I noticed a decline in EK’s and that combined with a new job and relationships etc. meant it was getting harder to find EK’s and I didn’t have the time to do my usual graphical displays.

I also questioned what it was I was posting and for what reason. Essentially I grew tired of the format and I don’t believe my posts were adding much value to the community towards the end.


What have you been doing instead?

Many things in the background! Like most EK hunters I moved into malspam. The problem with that is its much more difficult to get samples and by the time I had gotten all the info together to present someone else had already tweeted the campaign out, etc. So really I’ve been in the background watching and chiming in when I find an interesting maldoc.

I’ve been working on Yara Rules for example the below snippet of the rule still seems to pickup current samples of Ryuk. I have numerous amount of these rules looking for specific malwares of interest.



I started my own private MISP which I keep adding to to hopefully see changes and evolution over time. The data I put into it comes from fresh samples I come across.



I also started to develop Suricata Rules which I run against PCAP’s i get from my lab. Because they not commercial it really allows me to be a bit more broader as they are not intended to be used for general business traffic.



None of these ventures are complete by any means. I usually go back to each one every so often and add to it but they are not in a state to share yet. It’s really great for learning new things though and keeping your mind fresh.


Whats your plan for this site?

That’s the big question. I don’t believe I will carry on with my old format using pictures and such as it was simply too time consuming. I can’t really do what @malware_traffic does because I don’t have access to as much data as he has.

I could blog about my experiences in Cyber as I have seen many things and dealt with all sorts of people perhaps my insights would help new analysts? I also have several peeves with the industry I could use the blog to get them off my chest.

I haven’t made up my mind yet but for sure it’s staying up.



Rig EK via HookAds drops AZORult loading Quasar RAT


After a bit of a break I am back with a look at a HookAds campaign leading to Rig EK. The chain starts on an adult page. This is why browsing these kind of websites using Internet Explorer and an outdated Flash is a bad idea.

The payload was AZORult which loaded Quasar RAT. Rig EK still seems to prop itself up and with the latest revelation of another zero day in IE (CVE-2018-8373) I expect this to be integrated into EK’s in the very near future.

Background Information:


(in password protected zip)


  •  AZORult
    15 engines detected this file
    SHA-256 00f7ee4515a212dae20042c41342de0508499f2e203228174b769c4a16bf9ee5
    File name radF53B7.tmp.exe
    File size 257.06 KB
    Last analysis 2018-08-17 14:55:18 UTC
  • Quasar RAT
    4 engines detected this file
    SHA-256 5f201bb71a7d7429c77fd290ef49312430c2bf93e0c77f04e2d384c4c9697df3
    File name quas.exe
    File size 676.02 KB
    Last analysis 2018-08-15 14:25:05 UTC



Compromised/Decoy Site

The chain begins with a dubious adult website which is loaded from another adult website. The site loads a script called  “costumize.php”
This script contains packed JavaScript:
You can easily unpack this using a tool like http://matthewfl.com/unPacker.html
Below you can see it leading to the HookAds redirector.


HookAds is a campaign that has been used to spread RigEK. It is usually found on adult websites. Here is a previous blog I did over a year ago with similar traffic:
The webpage also contains a packed JavaScript which when decoded redirects to RigEK.

Rig EK

Rig EK exploited CVE-2018-8174 in order to download and run the payload.

There was a new exploit revealed that is similar to this CVE. I expect this will make it way into Rig EK at some point. Read more about that here:



AZORult Loader

The payload dropped by Rig EK is AZORult stealer but it also appears to have loading capabilities. “AZORult is a robust information stealer & downloader” according to a recent ProofPoint article detailing recent changes to version 3+

The malware has a fairly easy to identify C2 checkin with interesting headers. From the looks of it, it may be trying to patch itself.


At the bottom of this long POST request filled with all of my systems data is a base64 encoded part which decodes listing registry key names, software, etc. These were not all on my system so it seems to be static list.


AZORult downloaded another binary from another location.

Quasar RAT

Quasar RAT is described as follows:

Quasar RAT is a .NET framework open-source remote access trojan family used in cyber-criminal and cyber-espionage campaigns to target Windows operating system devices. It is often delivered via malicious attachments in phishing and spear-phishing emails.

Impressively the RAT only had 4 detection on VT at the time of submission which was actually on the 15 Aug.

The malware attempted to connect to over port 4782. Below you can see the connection that was established.



The RAT also dropped a number of other files (the RAD named files are AZORult) in temp.


Other Analysis

Although I’m not using AnyRun much these days sometimes it does offer a quick and easy look at a malware. Below you can view my run starting at the AZORult binary.


Below we can see AZORult loading Quasar RAT.


Here is the network traffic:


And finally these are the IDS alerts:






GranSoftEK drops GandCrab via Ascentor Loader.


Today I came across a set of emails which contained a URL (unique to each email) which led to a  BlackTDS domain.  These did not seem to go anywhere however using another domain not from the spam but from the same IP I was able to get an EK infection which used the same mechanism as from the malspam to redirect to the EK.

The result was GrandSoft EK using a HTA file to download a loader referenced from a string as “Ascentor Loader“. This loader then led to GandCrab ransomware infection however the C2 is fairly old and it did not infect my host.

In this blog I have decided to not use one of my usual colourful pictures but hopefully there are enough other pictures to understand what happened.

Background Information:


(in password protected zip)


  •  Ascentor Loader
SHA256: 04e6a3715bc818bea17da9608e1b66c7ccff15f96018b0acdb351d4ca727d0d4
File name: suede.exe
Detection ratio: 15 / 66
Analysis date: 2018-06-15 13:49:03 UTC ( 1 hour, 19 minutes ago )
  • GandCrab
SHA256: 5e831bba1d2d7ea4a6144373d7af1d9a80c7f32a746f259b2825c0bcdf3e5c30
File name: uqehc.exe
Detection ratio: 27 / 67
Analysis date: 2018-06-15 13:50:29 UTC ( 1 hour, 19 minutes ago )

Suspect emails leading to BlackTDS.

I came across a set of emails which I am unable to show but were DHL themed from “@yahoo.co.jp” addresses. Each email contained a URL which all look like compromised WordPress sites.

I found many of these domains which all redirect to “kingerosses.top


On this page there was a call to load content from “darksoulshere.gq“. This domains IP address is which belongs to BlackTDS
In fact I put kingerosses.top into www.urlscan.io
Which returned multiple domains which all have the same redirect chain.
Upon loading, occasionally I would be presented with what looked like an attempt to load content remotely however it did not ever seem to do anything. It was from this clue that I began to look another domains hosted on the same IP and found it was BlackTDS.
Below is not from the darksouls domain but from “easternflow.ml” which belongs to the same IP but used by a different threat actor.

BlackTDS leads to GrandSoft EK

Naturally, I copied the URL and browsed to it directly and this is where the infection chain begins.
This is snapshot from the PCAP:
The webpage contained a text box which contains the GrandSoft landing page and an iframe to a HTA file.
GrandSoft is now using CVE-2018-8174 described as:
“A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka “Windows VBScript Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.”
In addition to this a HTA is loaded from an iframe. Below you can see a user agent string within the HTA VBS being “WinHTTP.WinHTTP.5.1
The same user agent is used when requesting a executable called “suede.exe” This PE is a loader and downloads and executes GandCrab
When you view the strings of this loader in memory there are certainly some interesting ones:
Note this string references the loader as “AscentorLoader” and also for whatever reason references our good friend Nao_Sec
The loader then runs GandCrab which attempts to connect to “carder.bit” however this C2 has been known for sometime and it was unable to connect. Notice there is also another reference to a fellow researched Vitali Kremez
The addition of this HTA file, the latest IE exploit shows that exploit kits are still attempting to evolve and keep up with other attack vectors.



RIG EK via Ngay drops Smokeloader -> XMR Miner


Through malvertising I came across an “Ngay” website which used an iframe to redirect to Rig EK. The payload was Smoke Loader which then dropped a XMR Miner.

I’ve been using App.Any.Run sandbox a lot lately. Although I found the RigEK redirection using traditional methods and the payloads did work on my lab, I put the payload into Any.Run anyway as it portrays the IOC’s very well.

I’ve also been playing with pastebin posts so check that out though it is mainly focused on maldoc malware. https://pastebin.com/u/Zerophage

Background Information:


(in password protected zip)

Details of infection chain:

(click to enlarge!)


Full Details:

The chain begins with malvertising which leads to a fake Kaleidoscope domain. The domain named “ngay23ne.cf” contains an iframe which leads to Rig EK. This campaign is known simply as “ngay” and was last seen as far as I know near the end of Jan 2018.
Rig EK is it’s usual self and still using Flash exploit CVE-2018-4878. Otherwise it appears to be the same.
The payload was Smoke Loader which immediately loaded an XMR miner.
Below we can see the traffic. You can see Smoke Loader POST request which is followed by an EXE download. This payload then calls out then begins mining on port 4444.



And here are the file modifications. You can see persistence in Startup. The miner is copied into Roaming as “hammerlock.exe”


Below we can see the XMR miner communication:




Rig EK via Malvertising drops Smoke Loader


This is a quick blog about a Rig EK detection I found on Friday. I had tweeted it out as I could not figure out the payload but I also did not have time to blog it. The community all chipped in and discovered it was a new version of Smoke Loader.

Background Information:


(in password protected zip)

Details of infection chain:

(click to enlarge!)


Rig EK via malvertising drops Smoke Loader

Full Details:

As you may know, Rig EK is now using the Flash exploit 2018-4878. You can view my previous post to see a few more details about this. Essentially they appear to have just replaced the old flash file with the new one without any major changes.

During this run I had the same setup. A series of 302 redirects led to Rig EK. This malvertising chain was not as complex as my previous blog but the payload was a surprise.
SHA256: 77f9f74f074dcb5fe5c5dfb7127f6d4932f08963e9d6cb6051f802583a317a65
File name: b6.exe
Detection ratio: 19 / 65
Analysis date: 2018-04-13 20:48:12 UTC ( 2 days, 10 hours ago )
Initially I had noted some familiar observations on my endpoint. Namely that the payload immediately closed all Sysinternal tools I had opened and would not let me open them again. I have only seen this behaviour with Smoke Loader.
I also observed that the program periodically stopped and started. I did not catch any C2’s other than a DNS request or other payloads dropped on my lab. Unsure of what this was, I used Any Run to see if I could tease out any more IOC’s. You can view the run here:
In order to identify it I decided to ask the Twitter community what they thought about it. A lot of people chipped in and the consensus is that it was a new version of Smoke Loader.
The above run, I did browse to one of the C2’s in the sandbox which auto redirected me to a search engine. The malicious activity was before I opened Chrome.

Essentially a number of Twitter users replied to this tweet with some very interesting information about the payload.


Please follow the Twitter thread or the hashtag #smokeloader and follow all of these great people.


This slideshow requires JavaScript.



Rig EK drops GandCrab Ransomware Via CVE-2018-4878


After some absence, I have returned to blog on Rig EK’s inclusion of CVE-2018-4878. This was reported by @nao_sec and then @kafeine. Initially I had planed to blog about a maldoc. I had obtained a sample of a #ThreadKit document that had recently included this Flash exploit and so I updated my lab in order to display it and give me something to blog about. That’s when I saw the Twitter posts and went hunting for Rig EK instead.

Using a fully patched Win 7 64 bit machine with IE 11 and Flash player 28,0,0,126 I found a malvertising chain which in itself is very interesting. No more simple iframes and long 302 redirects, this one used multiple JavaScripts. The payload was GandCrab ransomware which encrypted my files with .CRAB.

The blog is not so detailed I’m afraid but hopefully the PCAP will be useful to some.


Background Information:


(in password protected zip)

Details of infection chain:

(click to enlarge!)



Win 7 64 bit, IE 11 and Flash 28,0,0,126 – Rig EK drops GandCrab ransomware via CVE-2018-4878


Full Details:

 The infection chain begins with malvertising. Compared to past infection chains that used old techniques such as iframes and 302 redirects, this flow appears to use a series of JavaScripts to direct the user to Rig EK. There is a lot going on here but the end result is a redirect to Rig EK.
It’s been a while since I actually looked at Rig in detail but at a glance I can see the obfuscation has changed somewhat from the older regex. I had heard it changed to a simple base64 encoding.
 Testing that base64 idea reveals two URL’s which together download the Flash file along with the RC4 key “P6L5N93wsds“.
For this run I was using a fully patched Win 7 64 bit machine with an up to date IE 11. My Flash version was 28,0,0,126. CVE-2018-4878 is described as “A use-after-free vulnerability was discovered in Adobe Flash Player before”
The flash object was already on VirusTotal.
ESET-NOD32 a variant of SWF/Exploit.CVE-2018-4878.J
SHA256: 437520117f4deb7691bc0975e413b72c862aef8b18851930f515a385a6a3d54f
File name: 177_.swf
Detection ratio: 9 / 59
The payload was GandCrab ransomware which encrypted files with the .CRAB extension and left a ransom note. However it also continually restarted my PC so I was forced to suspend the process. This also meant I lost some analysis due to the way I have things setup.
This is the payment page for GandCrab which states that the cost will double if I don’t pay up soon.



I found this flow relatively quickly after hearing about the implementation of this CVE into Rig EK. Time will tell if this exploit will evolve Rig EK or not.

That is all for now!



GrandSoft EK via Slots drops Leviarcoin Miner


Time for a traditional EK post. This is the first time I’ve seen GrandSoft myself. Sadly (or great depending on your point of view) it is less sophisticated than Rig EK and lets face it – Rig EK does not try hard.

In this run I have used a “Slots” gate and a vulnerable version of IE to get GrandSoft to run.

The payload appears to be a Leviarcoin miner which is unusual as most miners tend to go for XMR (Monero) from what I have seen. I had to run the payload manually and it ended up crashing my VM after I tried to reboot to get a scheduled task to kick in. So I’m not entirely sure it works and its likely a work in progress.

Background Information:


(in password protected zip)

Details of infection chain:

(click to enlarge!)


Full Details:

The infection chain begins with a malvertising campaign known as “Slots“. A simple 302 redirect leads to GrandSoft EK.
The landing page of GrandSoft is not obfuscated. It still checks for various plugins such as flash,java, adobereader and silverlight.
The second part of the landing exploits CVE-2016-0189 AKA “God Mode” to download the payload in a similar fashion to Rig EK. Unfortunately I don’t have the commands it ran but there is no RC4.
The payload is suspected to be a Coin Miner. It failed to run automatically so I had to run it from Temp where it was dropped. Upon doing so it began creating scheduled tasks rapidly to the point where I thought I would restart. My VM booted in but it has basically become crippled with these scheduled tasks and I could non longer interact with it. The full path contained a folder in Roaming called “WindowsShell”. Based on the user agent string, it is likely written with AutoIt.
Was dropped file was named “bussyzz (1).exe”.


The miner appears to be for a coin called Leviarcoin which is based on the CryptoNight algorithm. Below you can see some interesting details including two IP addresses and an email address. I guess this is an unusual coin to mine as they mostly tend to be XMR miners.
I’m unsure of the exact function of the dropped files. So I’m not sure this miner would even work. It certainly appears to be a work in progress.
The C2 domain returns a holding page stating real content is coming soon. I was unable to access the “bussyzz” directory to see what else was there.
I think that is about all. It’s interesting to see this miner and I wonder how things will develop in the future.



Maldoc (RTF) drops Loda Logger


Lately I’ve been looking at a lot of maldocs. I’ve found all sorts of malware some of which I could not even identify. The problem is by the time I get around to blogging it, someone else has inevitable posted about it. For example this blog I have been preparing for the last few hours on and off yet someone has tweeted the document.

I originally found this document from an email. Out of all the emails that I had, this sample of Loda Logger was probably the most interesting (not Loki or Formbook, etc.).

I have been using any.run lately as I find it really quite good and the ability to interact with it is very useful.

This blog just gives a little more info to what is already available from the any.run run that I did.



The run was done using any.run and hopefully you can download any files you want to look at from it. If not though let me know.






The maldoc came attached to a phishing email asking me to confirm receipt of a payment.

phishing email

It had relatively few detections on VT at the time of submission.

SHA256: 08db174405930afcfdbd415220e1c863dadfe9c1a049c42d735c96d1dee251e1
File name: Swift00002.doc
Detection ratio: 9 / 58
Analysis date: 2018-01-23 04:54:11 UTC ( 7 hours ago )

I believe the doc exploits CVE-2017-0199 which drops and runs a “.sct” file which is actually a scriplet.


The executable is added to Startup and copied to the folder “C:\Users\admin\AppData\Local\Temp\Skyp\CWAHLM.exe

Finally after an ipcheck (with a AutoIt user agent), data is sent to the C2 which matched a pattern for Loda Logger. According to Proofpoint’s article (link in the Background section) the following data is sent:

  • Victim’s Country
  • A hard coded string (seen ‘victim’, ‘Clientv4’)
  • Victim’s IP address
  • User account name
  • Windows version
  • Windows architecture (X64 or X86)
  • Webcam installed (Yes or No, enumerated using capGetDriverDescription from Avicap32.dll)
  • Installed AV Vendor (enumerated via running process names)
  • Malware version, i.e. 1.0.1
  • Hard coded string (seen ‘ddd’)
  • Monitor resolution in a special format (“Pr[Height]X2[Width]X3”)
  • OS type (can be “laptop”, “Desktop”, or “x”, enumerated using the WMI query “Select * from Win32_SystemEnclosure”)
  • Version (beta)


If you watch the any.run video you can see the mouse moving towards the end of the video which was not something I was doing. So either someone else was looking at my run at the same time or the threat actor was connected to the VM.


Malware – Snatch Loader: Reloaded


So I know what your thinking – “where are my EK posts”. Well truth is I’m still looking at EK’s but a lot of my sources have dried up and I don’t have the tech and tools to be able to search wide and far for them. I took a break and now I’ve decided to just post things that interest me and hopefully they will interest you as well. I’m not a reverse engineer so the tech details here are light.

Now onto the main event. I tweeted about a malware called Snatch Loader: Reloaded mid November. This is a not a new malware but Arbor Networks recently revealed multiple changes within it. I actually received a phishing email in my inbox which I deleted as you do but I kept the URL and decided to Tweet on it after some help from @James_inthe_box.

I’ve been tracking it since and now I’ve decided to quickly blog on it. I found some interesting files on the C2 domain and saw some notable changes in the processes.


Background Information:


Notable Details:

  • – tryntruiyuk[.]eu:443/css/order.php – Snatch Loader C2



Snatch Loader would have arrived via a phishing email. I do not have one to show you at hand but they all contain (so far) a fake “Trusted sender” message like below. The emails themselves are rather convincing and contain addresses, etc.

This email would contain a link that downloads a ZIP file that contains an LNK (shortcut) that actually runs a script in CMD. When ran this leads to a series of events such as in the image below but bear in mind that is from a sample in early November.


I have found a sample on Virus Total which was last submitted on the 09-Dec-2017. So I ran it. Below you can see that it differs somewhat to the sample above. I did not have any iexplore or control.exe running.


I noticed that iexplore.exe was making the C2 calls


The calls were over HTTPS and I do not currently have a setup that can let me debug it to use HTTP or some way to man in the middle it. You can see the domain though in the DNS requests.


Now I waited some time but it did not seem to load any other malware at least not to my knowledge. It has been known to drop Ramnit though and contain a crypto mining (XMR) module.

Instead I decided to peek around and found some interesting stuff on the C2 domain.

First I found some encrypted data at the C2 which I guessed the rest of the URL based on past C2’s for Snatch Loader.


I did not seek to decrypt this but it looks like it has multiple layers to it.

After some digging around I found an “admin” panel.


Finally and most interestingly I found what appears to be data files. Note the date on some of them.


Clicking on one shows they can probably be streamed and turned into an executable.


I don’t know what these are but they likely files that can be loaded by Snatch Loader. I’m not sure what conditions are required for this. Though I presume if connected to the Snatch Loader botnet, the operators can then manually load files.

That’s all for now. It’s clear the malware is still being updated and configured. As it is sent via phishing emails that contain a URL, it is likely to bypass systems that can’t sandbox URL’s. Watch out for emails that contain a fake “Trusted Sender” message.


Rig EK drops Ursnif/ISFB variant


Today Rig EK dropped what looked like an infomation stealer. Based on the URL structure and the location in which it was copied and maintains persistence I believe this to be a Ursnif/ISFB variant.

I browsed to a website and watched it copy my browsing traffic into a folder and then periodically POST it to a C2 server bundled into a .bin file. The replies also contained an unusual header which indicated i was “infected”.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:



(in password protected zip)


Details of infection chain:

(click to enlarge!)


Full Details:

The infection chain originated from malvertising. A 302 redirect sends the user to Rig EK landing page

The payload was what I believe to be an Ursnif/Gozi variant. The path in which it copies itself as well as the structure of the C2 URL is consistent with what I have seen from Dreambot and other Ursnif samples.
The replies from the C2 server contained a strange HTTP header called X-Zinkhole. The value was “Infected” in which I was most certainly.
The most notable action of this malware was that it logged my web browsing and periodically sent the data to a C2. The files were stored in a folder as shown below.
I tested this by browsing to a website and entering some details, specifically “HelloUrsnifHowAreYou?
Upon viewing one of the files I saw the same string included.
Moments later the folder was cleared and a POST request was made to the C2 which seemed to bundle all files into a .bin file with 4 characters.
This was quite an interesting analysis. I also put the sample into Hybrid Analysis which had totally different C2’s. (https://www.hybrid-analysis.com/sample/c7bdd2ce90b35f5796531290ebac12557a68e237924b980e69e8b3265e261445?environmentId=100)
That’s all for now, enjoy!