Why have you not updated?

Many may have noticed that I’ve not update my blog for almost a year now. Although exploit kits are still about and are still used there has been little innovation around them to the point where you really need to try to get infected to be infected. If you really are using IE11 to browse with an old version of Flash then you need to stop unless you know you have the proper mitigation in place.

So I noticed a decline in EK’s and that combined with a new job and relationships etc. meant it was getting harder to find EK’s and I didn’t have the time to do my usual graphical displays.

I also questioned what it was I was posting and for what reason. Essentially I grew tired of the format and I don’t believe my posts were adding much value to the community towards the end.

What have you been doing instead?

Many things in the background! Like most EK hunters I moved into malspam. The problem with that is its much more difficult to get samples and by the time I had gotten all the info together to present someone else had already tweeted the campaign out, etc. So really I’ve been in the background watching and chiming in when I find an interesting maldoc.

I’ve been working on Yara Rules for example the below snippet of the rule still seems to pickup current samples of Ryuk. I have numerous amount of these rules looking for specific malwares of interest.

I started my own private MISP which I keep adding to to hopefully see changes and evolution over time. The data I put into it comes from fresh samples I come across.

I also started to develop Suricata Rules which I run against PCAP’s i get from my lab. Because they not commercial it really allows me to be a bit more broader as they are not intended to be used for general business traffic.

None of these ventures are complete by any means. I usually go back to each one every so often and add to it but they are not in a state to share yet. It’s really great for learning new things though and keeping your mind fresh.

Whats your plan for this site?

That’s the big question. I don’t believe I will carry on with my old format using pictures and such as it was simply too time consuming. I can’t really do what @malware_traffic does because I don’t have access to as much data as he has.

I could blog about my experiences in Cyber as I have seen many things and dealt with all sorts of people perhaps my insights would help new analysts? I also have several peeves with the industry I could use the blog to get them off my chest.

I haven’t made up my mind yet but for sure it’s staying up.

Summary:

After a bit of a break I am back with a look at a HookAds campaign leading to Rig EK. The chain starts on an adult page. This is why browsing these kind of websites using Internet Explorer and an outdated Flash is a bad idea.

The payload was AZORult which loaded Quasar RAT. Rig EK still seems to prop itself up and with the latest revelation of another zero day in IE (CVE-2018-8373) I expect this to be integrated into EK’s in the very near future.

Background Information:

• Recent article about AZORult – https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

Downloads

(in password protected zip)

•  17-August-2018-Rig-Azorult-Quasar – PCAP for traffic
• 17-August-2018-Rig-Azorult-Quasar-CSV – CSV of IOC’s
• AZORultQuasarRAT – AZORult and Quasar RAT

•  AZORult
  15 engines detected this file

  SHA-256	00f7ee4515a212dae20042c41342de0508499f2e203228174b769c4a16bf9ee5
  File name	radF53B7.tmp.exe
  File size	257.06 KB
  Last analysis	2018-08-17 14:55:18 UTC

• Quasar RAT
  4 engines detected this file

  SHA-256	5f201bb71a7d7429c77fd290ef49312430c2bf93e0c77f04e2d384c4c9697df3
  File name	quas.exe
  File size	676.02 KB
  Last analysis	2018-08-15 14:25:05 UTC

Overview

Compromised/Decoy Site

HookAds

Rig EK

Rig EK exploited CVE-2018-8174 in order to download and run the payload.

There was a new exploit revealed that is similar to this CVE. I expect this will make it way into Rig EK at some point. Read more about that here:

https://ti.360.net/blog/articles/analyzing-attack-of-cve-2018-8373-and-darkhotel/

AZORult Loader

The payload dropped by Rig EK is AZORult stealer but it also appears to have loading capabilities. “AZORult is a robust information stealer & downloader” according to a recent ProofPoint article detailing recent changes to version 3+

The malware has a fairly easy to identify C2 checkin with interesting headers. From the looks of it, it may be trying to patch itself.

At the bottom of this long POST request filled with all of my systems data is a base64 encoded part which decodes listing registry key names, software, etc. These were not all on my system so it seems to be static list.

AZORult downloaded another binary from another location.

Quasar RAT

Quasar RAT is described as follows:

Quasar RAT is a .NET framework open-source remote access trojan family used in cyber-criminal and cyber-espionage campaigns to target Windows operating system devices. It is often delivered via malicious attachments in phishing and spear-phishing emails.

Impressively the RAT only had 4 detection on VT at the time of submission which was actually on the 15 Aug.

The malware attempted to connect to 137.74.247.66 over port 4782. Below you can see the connection that was established.

The RAT also dropped a number of other files (the RAD named files are AZORult) in temp.

Other Analysis

Although I’m not using AnyRun much these days sometimes it does offer a quick and easy look at a malware. Below you can view my run starting at the AZORult binary.

https://app.any.run/tasks/9e298ea3-3634-4ec5-ab3f-76dcd0df085f

Below we can see AZORult loading Quasar RAT.

Here is the network traffic:

And finally these are the IDS alerts:

Summary:

Today I came across a set of emails which contained a URL (unique to each email) which led to a  BlackTDS domain.  These did not seem to go anywhere however using another domain not from the spam but from the same IP I was able to get an EK infection which used the same mechanism as from the malspam to redirect to the EK.

The result was GrandSoft EK using a HTA file to download a loader referenced from a string as “Ascentor Loader“. This loader then led to GandCrab ransomware infection however the C2 is fairly old and it did not infect my host.

In this blog I have decided to not use one of my usual colourful pictures but hopefully there are enough other pictures to understand what happened.

Background Information:

• CVE-2018-8174 added to GrandSoft https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html#grandsoft

Downloads

(in password protected zip)

• 15-June-GrandSoft-PCAP> PCAP for traffic
• 15-Jun-2018-Loader-GandCrab> Loader and GandCrab (I had to use tinyupload because WordPress won’t let me upload it)

•  Ascentor Loader

• GandCrab

Suspect emails leading to BlackTDS.

I came across a set of emails which I am unable to show but were DHL themed from “@yahoo.co.jp” addresses. Each email contained a URL which all look like compromised WordPress sites.

I found many of these domains which all redirect to “kingerosses.top”

BlackTDS leads to GrandSoft EK

Summary:

Through malvertising I came across an “Ngay” website which used an iframe to redirect to Rig EK. The payload was Smoke Loader which then dropped a XMR Miner.

I’ve been using App.Any.Run sandbox a lot lately. Although I found the RigEK redirection using traditional methods and the payloads did work on my lab, I put the payload into Any.Run anyway as it portrays the IOC’s very well.

I’ve also been playing with pastebin posts so check that out though it is mainly focused on maldoc malware. https://pastebin.com/u/Zerophage

Background Information:

• An article regarding the integration of Flash exploit CVE-2018-4878
  https://malware.dontneedcoffee.com/2018/03/CVE-2018-4878.html
• CVE-2018-4878 information https://nvd.nist.gov/vuln/detail/CVE-2018-4878

Downloads

(in password protected zip)

• 22-May-2018-Rig-Smoke-PCAP-> PCAP for traffic
• 22-May-2018-Rig-Smoke-CSV-> IOCs in CSV
• Pastebin – https://pastebin.com/NMLpGFSk
• 22-May-2018-Smoke-XMR-> Smoke Loader and XMR Miner
• Smoke Loader- “b37.exe”

  sha256 – 393a6fc616adbefad87e8946be9e4cce127749fde58b892e26c7c24b703efae1 sha1     – 89ded1a96fb527828affcec59df70313ea45419e

  md5     –  673817bbb2672a7c4cfc1118aae648c0
• Any.Run of the payload -> https://app.any.run/tasks/b7e731ff-bb63-4c35-9d05-9563b0cf3bbc

Details of infection chain:

(click to enlarge!)

Full Details:

And here are the file modifications. You can see persistence in Startup. The miner is copied into Roaming as “hammerlock.exe”

Below we can see the XMR miner communication:

 

Summary:

This is a quick blog about a Rig EK detection I found on Friday. I had tweeted it out as I could not figure out the payload but I also did not have time to blog it. The community all chipped in and discovered it was a new version of Smoke Loader.

Background Information:

• An article regarding the integration of Flash exploit CVE-2018-4878
  https://malware.dontneedcoffee.com/2018/03/CVE-2018-4878.html
• CVE-2018-4878 information https://nvd.nist.gov/vuln/detail/CVE-2018-4878

Downloads

(in password protected zip)

• 13-April-2018-Rig-Smoke-> PCAP for traffic
• 13-April-2018-Rig-Smoke-CSV-> IOCs in CSV
• 13-April-2018-Smoke-Loader -> Smoke Loader
• Smoke Loader hash – 77f9f74f074dcb5fe5c5dfb7127f6d4932f08963e9d6cb6051f802583a317a65
• Any.Run of the payload: https://app.any.run/tasks/60f95e10-7ec8-4592-82cf-273f682541f1

Details of infection chain:

(click to enlarge!)

Rig EK via malvertising drops Smoke Loader

Full Details:

As you may know, Rig EK is now using the Flash exploit 2018-4878. You can view my previous post to see a few more details about this. Essentially they appear to have just replaced the old flash file with the new one without any major changes.

Summary:

After some absence, I have returned to blog on Rig EK’s inclusion of CVE-2018-4878. This was reported by @nao_sec and then @kafeine. Initially I had planed to blog about a maldoc. I had obtained a sample of a #ThreadKit document that had recently included this Flash exploit and so I updated my lab in order to display it and give me something to blog about. That’s when I saw the Twitter posts and went hunting for Rig EK instead.

Using a fully patched Win 7 64 bit machine with IE 11 and Flash player 28,0,0,126 I found a malvertising chain which in itself is very interesting. No more simple iframes and long 302 redirects, this one used multiple JavaScripts. The payload was GandCrab ransomware which encrypted my files with .CRAB.

The blog is not so detailed I’m afraid but hopefully the PCAP will be useful to some.

Background Information:

• An article regarding the integration of Flash exploit CVE-2018-4878
  https://malware.dontneedcoffee.com/2018/03/CVE-2018-4878.html
• CVE-2018-4878                                                                          https://nvd.nist.gov/vuln/detail/CVE-2018-4878

Downloads

(in password protected zip)

• 09-April-2018-Rig-GandCrab-> PCAP for traffic
• 09-April-2018-Rig-GandCrab-CSV-> IOCs in CSV
• 09-April-2018-GandCrab-Flash -> GandCrab Ransomware and Rig Flash Exploit (on tinyupload due to WP issues)
• GandCrab hash – 4302aac62e41f4355206d49257c3aaae

Details of infection chain:

(click to enlarge!)

Win 7 64 bit, IE 11 and Flash 28,0,0,126 – Rig EK drops GandCrab ransomware via CVE-2018-4878

Full Details:

 

Summary:

Time for a traditional EK post. This is the first time I’ve seen GrandSoft myself. Sadly (or great depending on your point of view) it is less sophisticated than Rig EK and lets face it – Rig EK does not try hard.

In this run I have used a “Slots” gate and a vulnerable version of IE to get GrandSoft to run.

The payload appears to be a Leviarcoin miner which is unusual as most miners tend to go for XMR (Monero) from what I have seen. I had to run the payload manually and it ended up crashing my VM after I tried to reboot to get a scheduled task to kick in. So I’m not entirely sure it works and its likely a work in progress.

Background Information:

• An article regarding the original GrandSoft EK
  http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html

Downloads

(in password protected zip)

• 09-Feb-2018-GranSoft-Miner-PCAP -> PCAP for traffic
• 09-Feb-2018-GrandSoft-Miner-CSV -> Some IOCs in CSV
• 09-Feb-2018-GrandSoft-Miner-Files -> Miner files dropped
• C2 from details -> 
  pool.leviarcoin.org:555

  188.214.128.81:5055

  pool.leviarcoin.hashvault.pro:5555

  195.133.145.16:90

  

Details of infection chain:

(click to enlarge!)

Full Details:

Summary:

Lately I’ve been looking at a lot of maldocs. I’ve found all sorts of malware some of which I could not even identify. The problem is by the time I get around to blogging it, someone else has inevitable posted about it. For example this blog I have been preparing for the last few hours on and off yet someone has tweeted the document.

I originally found this document from an email. Out of all the emails that I had, this sample of Loda Logger was probably the most interesting (not Loki or Formbook, etc.).

I have been using any.run lately as I find it really quite good and the ability to interact with it is very useful.

This blog just gives a little more info to what is already available from the any.run run that I did.

Background:

• https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware

Downloads:

The run was done using any.run and hopefully you can download any files you want to look at from it. If not though let me know.

https://app.any.run/tasks/2f5e4b28-4e8a-4418-b036-0368c2435c3a

Overview:

Analysis:

The maldoc came attached to a phishing email asking me to confirm receipt of a payment.

It had relatively few detections on VT at the time of submission.

I believe the doc exploits CVE-2017-0199 which drops and runs a “.sct” file which is actually a scriplet.

The executable is added to Startup and copied to the folder “C:\Users\admin\AppData\Local\Temp\Skyp\CWAHLM.exe”

Finally after an ipcheck (with a AutoIt user agent), data is sent to the C2 which matched a pattern for Loda Logger. According to Proofpoint’s article (link in the Background section) the following data is sent:

• Victim’s Country
• A hard coded string (seen ‘victim’, ‘Clientv4’)
• Victim’s IP address
• User account name
• Windows version
• Windows architecture (X64 or X86)
• Webcam installed (Yes or No, enumerated using capGetDriverDescription from Avicap32.dll)
• Installed AV Vendor (enumerated via running process names)
• Malware version, i.e. 1.0.1
• Hard coded string (seen ‘ddd’)
• Monitor resolution in a special format (“Pr[Height]X2[Width]X3”)
• OS type (can be “laptop”, “Desktop”, or “x”, enumerated using the WMI query “Select * from Win32_SystemEnclosure”)
• Version (beta)

If you watch the any.run video you can see the mouse moving towards the end of the video which was not something I was doing. So either someone else was looking at my run at the same time or the threat actor was connected to the VM.

Summary:

So I know what your thinking – “where are my EK posts”. Well truth is I’m still looking at EK’s but a lot of my sources have dried up and I don’t have the tech and tools to be able to search wide and far for them. I took a break and now I’ve decided to just post things that interest me and hopefully they will interest you as well. I’m not a reverse engineer so the tech details here are light.

Now onto the main event. I tweeted about a malware called Snatch Loader: Reloaded mid November. This is a not a new malware but Arbor Networks recently revealed multiple changes within it. I actually received a phishing email in my inbox which I deleted as you do but I kept the URL and decided to Tweet on it after some help from @James_inthe_box.

I’ve been tracking it since and now I’ve decided to quickly blog on it. I found some interesting files on the C2 domain and saw some notable changes in the processes.

Background Information:

• Article by Arbor about Snatch Loader: Reloaded
  https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/

Downloads

• Snatch Loader: Reloaded – Snatchloader-10-Dec-2017
• Virus Total – d38945a93a926169cbe878afa6b292a5b52c570b61dc096725a0ddb8fdd5209e

Notable Details:

• 185.211.246.50 – tryntruiyuk[.]eu:443/css/order.php – Snatch Loader C2

Analysis:

Snatch Loader would have arrived via a phishing email. I do not have one to show you at hand but they all contain (so far) a fake “Trusted sender” message like below. The emails themselves are rather convincing and contain addresses, etc.

This email would contain a link that downloads a ZIP file that contains an LNK (shortcut) that actually runs a script in CMD. When ran this leads to a series of events such as in the image below but bear in mind that is from a sample in early November.

I have found a sample on Virus Total which was last submitted on the 09-Dec-2017. So I ran it. Below you can see that it differs somewhat to the sample above. I did not have any iexplore or control.exe running.

I noticed that iexplore.exe was making the C2 calls

The calls were over HTTPS and I do not currently have a setup that can let me debug it to use HTTP or some way to man in the middle it. You can see the domain though in the DNS requests.

Now I waited some time but it did not seem to load any other malware at least not to my knowledge. It has been known to drop Ramnit though and contain a crypto mining (XMR) module.

Instead I decided to peek around and found some interesting stuff on the C2 domain.

First I found some encrypted data at the C2 which I guessed the rest of the URL based on past C2’s for Snatch Loader.

I did not seek to decrypt this but it looks like it has multiple layers to it.

After some digging around I found an “admin” panel.

Finally and most interestingly I found what appears to be data files. Note the date on some of them.

Clicking on one shows they can probably be streamed and turned into an executable.

I don’t know what these are but they likely files that can be loaded by Snatch Loader. I’m not sure what conditions are required for this. Though I presume if connected to the Snatch Loader botnet, the operators can then manually load files.

That’s all for now. It’s clear the malware is still being updated and configured. As it is sent via phishing emails that contain a URL, it is likely to bypass systems that can’t sandbox URL’s. Watch out for emails that contain a fake “Trusted Sender” message.

Summary:

Today Rig EK dropped what looked like an infomation stealer. Based on the URL structure and the location in which it was copied and maintains persistence I believe this to be a Ursnif/ISFB variant.

I browsed to a website and watched it copy my browsing traffic into a folder and then periodically POST it to a C2 server bundled into a .bin file. The replies also contained an unusual header which indicated i was “infected”.

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

• 17-October-2017-Rig-Ursnif-PCAP-> Pcap of traffic (note this pcap is a bit bare)
• 17-October-2017-Rig-Ursnif-CSV-> CSV of traffic for IOC’s
• 17-October-2017-Ursnif> Ursnif Variant  –
  

  c7bdd2ce90b35f5796531290ebac12557a68e237924b980e69e8b3265e261445

Details of infection chain:

(click to enlarge!)

Full Details:

The infection chain originated from malvertising. A 302 redirect sends the user to Rig EK landing page