HookAds Campaign Delivers Bunitu Proxy Trojan via RIG EK



Originally posted at malwarebreakdown.com

The HookAds campaign recently became active again after disappearing near the end of 2017. Last week I wrote about it coming back and delivering the Bunitu proxy Trojan. This post will go over the infection chain found on 03/11/18.

HTTP traffic:

The decoy site contains some packed JavaScript:

[Screenshot: packed JavaScript on the decoy site]

Unpacked:

[Screenshot: unpacked decoy-site JavaScript]

The Base64 string shown above is decoded at run time and the output is used to build the iframe, which causes the following GET request:

[Screenshot: request and response]
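As an added example (not code from the original post), here is a small Python unpacker for the eval(function(p,a,c,k,e,d){...}) packer that decoy pages of this kind commonly use, followed by extraction and decoding of the Base64 string. The packed sample below is constructed for this example: the post does not name the packer or show the decoding call, so the p,a,c,k,e,d format and the atob("...") call are assumptions. The Base64 in the sample decodes to the /ywkk redirect URL from the IOC list.

```python
import base64
import binascii
import re

# Constructed sample (not taken from the decoy page) in Dean Edwards
# p,a,c,k,e,d form. The payload string uses symbols 0-9 for ten keywords.
SAMPLE_PACKED = (
    r"""eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"""
    r"""+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"""
    r"""if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"""
    r"""k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"""
    r"""while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"""
    r"""return p}('0 u=1("aHR0cDovLzUzaHNoc2hzaHMxLmluZm8veXdraw==");"""
    r"""0 f=2.3("4");f.5=u;f.6.7="none";2.8.9(f);',62,10,"""
    r"""'var|atob|document|createElement|iframe|src|style|display|body|appendChild'"""
    r""".split('|'),0,{}))"""
)

# Matches the trailing call: }('<payload>',<radix>,<count>,'<k1|k2|...>'.split('|')
PACKED_RE = re.compile(
    r"\}\s*\(\s*'(?P<p>.*?)'\s*,\s*(?P<a>\d+)\s*,\s*(?P<c>\d+)\s*,\s*'(?P<k>.*?)'\s*\.split\('\|'\)",
    re.DOTALL,
)

# Assumption: the unpacked script decodes its string with atob("...").
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")


def encode_symbol(c, radix):
    """Reproduce the packer's symbol encoder e(c): base-`radix` digits where a
    digit above 35 becomes 'A'..'Z' (chr(digit + 29)) and the rest 0-9a-z."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        c, r = divmod(c, radix)
        out = (chr(r + 29) if r > 35 else digits[r]) + out
        if c == 0:
            return out


def unpack(packed):
    """Return the script the packed eval() would execute, without running it."""
    m = PACKED_RE.search(packed)
    if not m:
        raise ValueError("no p,a,c,k,e,d payload found")
    p = m.group("p").replace("\\'", "'")  # the only escape the packer emits in p
    radix, count = int(m.group("a")), int(m.group("c"))
    keywords = m.group("k").split("|")
    keywords += [""] * (count - len(keywords))
    # Mirror the packer's own loop: walk c from count-1 down to 0 and replace
    # every whole-word occurrence of symbol e(c) with keyword c (empty = keep).
    for c in range(count - 1, -1, -1):
        word = keywords[c]
        if word:
            sym = re.escape(encode_symbol(c, radix))
            p = re.sub(r"\b" + sym + r"\b", lambda _m, w=word: w, p)
    return p


def extract_atob_strings(js):
    """Decode every atob("...") literal found in an unpacked script."""
    found = []
    for s in ATOB_RE.findall(js):
        try:
            found.append(base64.b64decode(s, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 / not text: leave it for manual review
    return found


if __name__ == "__main__":
    js = unpack(SAMPLE_PACKED)
    print(js)
    print(extract_atob_strings(js))
```

Unpacking statically rather than in a browser keeps the redirect from firing during analysis; the extracted URL can then be checked against the IOC list before any request is made.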

The server responds with a 301 Moved Permanently pointing to the directory /ywkk/. The request for /ywkk/ returns the pre-landing page with more packed JavaScript:

[Screenshot: packed and decoded pre-landing page JavaScript]

Unpacked:

[Screenshot: unpacked pre-landing page]

The pre-landing page acts as a gate: traffic that fails its checks is filtered out and shown a fake “404 Not Found” page:

[Screenshot: Firefox showing the 404 Not Found page]

Visitors that pass the gate are redirected to the RIG EK landing page, which serves a Flash exploit (the .swf in the hash list below); the payload that results is the Bunitu proxy Trojan (b43.exe and osetril.dll below).

Hashes

SHA256: 0078ea2e505149a864958511f5a3f733482f8e92639a713807095d8f7a7e7fe8
File name: Pre-Landing Page.txt

SHA256: 6b46ba8d4a4ca55d7fc6781d3a53f5a2b8a2da682bc4b09624ed0e13779b7b46
File name: RIG EK Landing Page.txt

SHA256: 85c5f5a81f6701d597ada200dfd8338078752dc165f97efc094edf4874327c76
File name: RIG EK Flash Exploit.swf

SHA256: 94b882dedcaf288a9bda752767dc65d39cd15f5da4e5615c8fae3f962c806d41
File name: u32.tmp

SHA256: c669bccbd709080fc78d5931afc7337977cd4c5c94c4900052c665a533c53b71
File name: b43.exe
Hybrid-Analysis Report
Any Run Report

SHA256: 9dec506410d00e17a843f13f24241420b83ab815421b19277a620992ce3e63c4
File name: osetril.dll
Hybrid-Analysis Report

IOCs

HTTP Traffic:

88.198.94.53 – 53hshshshs1.info – GET /ywkk – HookAds Redirect
188.225.33.138 – POST and GET – RIG EK, reached with the bare IP as the Host header rather than a domain name

DNS Queries and Responses:

n.paratozix.net – 63.23.10.118
k.paratozix.net – 4.171.174.235

From the HA reports (signature “CrowdStrike Bunitu Proxy C2 Registration 1”). These are sandbox-observed connections, so vet them before blocking; 216.58.206.79 in particular falls in Google-announced address space and may be a false positive:

216.58.206.79:443
62.212.66.85:443
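As an added example (not part of the original post), the indicators above turned into a small Python scan over constructed proxy and DNS records. The record formats are hypothetical. The check for a bare public IP in the Host header generalises the RIG EK IP-literal trait noted above; it will also flag legitimate traffic to raw IPs, so treat that reason as a hunting lead rather than a block rule.

```python
import ipaddress

# Indicators transcribed from the IOC list above.
IOC_HOSTS = {"53hshshshs1.info", "n.paratozix.net", "k.paratozix.net"}
IOC_IPS = {
    "88.198.94.53",                    # HookAds redirect server
    "188.225.33.138",                  # RIG EK, reached via IP-literal Host header
    "63.23.10.118", "4.171.174.235",   # paratozix.net A records
    "216.58.206.79", "62.212.66.85",   # Bunitu C2 registration per the HA reports
}

# Constructed proxy records: client method host path dst_ip dst_port
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET 53hshshshs1.info /ywkk 88.198.94.53 80
10.0.0.5 GET 188.225.33.138 / 188.225.33.138 80
10.0.0.5 POST 188.225.33.138 / 188.225.33.138 80
10.0.0.7 GET www.example.com / 93.184.216.34 80
10.0.0.9 GET 10.1.2.3 /status 10.1.2.3 8080
"""

# Constructed DNS records: qname rtype rdata
SAMPLE_DNS_LOG = """\
n.paratozix.net A 63.23.10.118
k.paratozix.net A 4.171.174.235
www.example.com A 93.184.216.34
"""


def is_public_ip_literal(host):
    """True when a Host header carries a bare, globally routable IP instead of a name."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_global
    except ValueError:
        return False  # a hostname, not an IP literal


def scan_proxy_log(text):
    """Return [(line_no, [reasons])] for proxy records worth a look."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 6:
            continue
        _client, _method, host, _path, dst_ip, _port = fields
        reasons = []
        if host.lower() in IOC_HOSTS:
            reasons.append("HookAds host")
        if dst_ip in IOC_IPS:
            reasons.append("IOC IP")
        if is_public_ip_literal(host):
            reasons.append("IP-literal Host header (RIG EK trait)")
        if reasons:
            hits.append((n, reasons))
    return hits


def scan_dns_log(text):
    """Flag answers where the queried name or the returned address is an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 3:
            continue
        qname, _rtype, rdata = fields
        reasons = []
        if qname.lower().rstrip(".") in IOC_HOSTS:
            reasons.append("IOC domain")
        if rdata in IOC_IPS:
            reasons.append("IOC IP")
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy", hit)
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("dns", hit)
```

The private-address request on the last proxy line is deliberately left alone: is_global excludes RFC 1918 space, which keeps internal services reached by IP out of the IP-literal heuristic.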

Samples

Malware Samples.zip

Password is “infected”

Article Link: https://malwarebreakdown.com/2018/03/12/hookads-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/