A couple days ago I came across an unusual looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us:
Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that this site received 500K visitors over the last 30 days. When I was researching the site, I was redirected via malicious ad traffic to tech support scams. This leads me to believe the initial referer was from malvertising. The malvert likely redirected the host to pay-scale[.]us via a 3XX status code.
Examining the page source for pay-scale[.]us shows the website was mirrored from usmotors[.]com using HTTrack Website Copier:
Looking a little farther down the page we can see how the user got redirected to RIG EK from pay-scale[.]us:
The domain in the hidden iframe, medical-help[.]top, resolves to 91.92.136.170.
Looking at the Whois information shows these domains were registered using the name “Terry Kornfeld” and email address [email protected]. Searching for all domains registered using that name and/or email address returned the following:
Domain | Registered |
i-yourdoctor[.]top | 10/8/2017 |
highqualitywebhelp[.]top | 10/8/2017 |
filmsdays[.]top | 10/4/2017 |
photosetty[.]us | 10/2/2017 |
pay-scale[.]us | 10/1/2017 |
madicalcareme[.]top | 9/19/2017 |
mymedicalcare[.]us | 9/17/2017 |
photo24[.]top | 9/9/2017 |
medical-help[.]top | 9/9/2017 |
Below is the GET request that was generated due to the hidden iframe on pay-scale[.]us:
The server returns a 302 Found with a location containing the RIG EK landing page URL.
Further examination of the infrastructure being used in this campaign show that the threat actor(s) are utilizing Keitaro TDS:
Below is an image of the HTTP traffic captured during this infection chain:
RIG EK dropped two identical Quant Loader payloads in %TEMP%:
When Quant Loader was executed it copied itself to %APPDATA%\[uid]\svchost.exe:
[uid] is the eight-digit unique ID generated for the infected host. Forcepoint shows how the unique ID is generated:
- Obtain the Windows GUID value from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cryptography
- Extract only the number values, no letters or dashes
- Copy 8 of the numbers, beginning with the 5th number
The malware then re-launches itself under “svchost.exe” and creates file “C:\Users\[Username]\AppData\Local\Temp\per”. The following processes and actions were recorded:
- svchost.exe creates process regini.exe
- regini.exe reads data from file %TEMP%\per
- svchost.exe deletes file %TEMP%\per
- svchost.exe sets AutoStart registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Qt”
We then see post infection traffic to the C2 at filmsdays[.]top/q/, which was registered by “Terry Kornfeld” using the email address [email protected]:
- id = the unique ID of the infected host
- c = the current index of the server being used
- mk = string likely used as an affiliate of campaign ID
- il =
- vr =
- bt = x86 or x64
Below is an example of the Quant Loader C2 TCP connections captured during my infection:
Remote Address: 85.217.170.186
Remote Host Name: t.co
Remote Port: 80
Process Name: svchost.exe
Process Path: C:\Users\Win7 32bit\appdata\roaming\[uid]\svchost.exe
Remote IP Country: Bulgaria
Remote Address: 212.73.150.215
Remote Host Name: v22597.vps.ag
Remote Port: 80
Process Name: svchost.exe
Process Path: C:\Users\Win7 32bit\appdata\roaming\[uid]\svchost.exe
Remote IP Country: Bulgaria
In my infection the first server (c=1) responded with the location of follow-up malware located at motorsus[.]us/fb.exe.
Motorsus[.]us appears to be under control of the same threat actor(s). The name and email used to register this domain is “Lee M Clark” and [email protected]. Below is a list of current domains using that registrant information.
Domain | Registered |
motorsus.us | 10/1/2017 |
seechicagodance.us | 10/1/2017 |
This payload is dropped in %TEMP% and executed.
The malware being downloaded by Quant Loader was identified as FormBook by my friend @Antelox.
FormBook, once executed, copied itself (it was hidden) to %USERPROFILE%:
The malware was renamed to mfcgn2pl.exe.
According to FireEye, it can also use the following prefixes for its name:
- ms
- mfc
- win
- gdi
- vga
- igfx
- user
- help
- config
- update
- regsvc
- chkdsk
- systray
- audiodg
- certmgr
- autochk
- taskhost
- colorcpl
- services
- IconCache
- ThumbCache
- Cookies
It can also use the following file extensions:
- .exe
- .com
- .scr
- .pif
- .cmd
- .bat
If it is running with normal privileges it is copied to one the following directories:
- %USERPROFILE%
- %APPDATA%
- %TEMP%
Here is another image showing another copy called Cookiescz7x.cmd being created in %APPDATA%:
If it is running with elevated privileges it copies itself to one of the following directories:
- %ProgramFiles%
- %CommonProgramFiles%
In my infection I found it configuring persistence to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
However, depending on its privileges, it can also use the following locations for persistence:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FormBook was beaconing to basefilm[.]top/tesla/shell123/config.php.
Basefilm[.]top is registered to “Shirhall Shirhall” and is using the registrant email address [email protected].
I captured the following GET requests:
The parameter “id” shown in the URL contains encoded information about the system.
The malware also uses HTTP POST requests to send data back to basefilm[.]top/tesla/shell123/config.php:
According to FireEye, these messages to the C2 are RC4 encrypted and Base64 encoded.
FireEye also mentions that FormBook will use “function hooks to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions.”
For keystrokes captured during a browsing session with Internet Explorer it created the following file:
- %APPDATA%\JQ18T541\JQ1log.ini
You can see my HTTP sessions and keystrokes being captured in the .ini file:
Quick note. My friend @Antelox examined the FormBook sample also discovered that it downloaded ZeuS Panda with web injects for PayPal, eBay, Amazon, and BoQ (Bank of Queensland). The ZeuS sample can be viewed below:
Network Based IOCs
- 212.73.150.215 – pay-scale[.]us – Malicious dummy site
- 91.92.136.170 – medical-help[.]top – Redirected to RIG EK
- 176.57.217.78 – IP literal hostname used by RIG EK
- 85.217.170.186 – filmsdays[.]top – GET /q/index.php – Quant Loader C2
- 212.73.150.215 – motorsus[.]us – GET /fb.exe – GET for FormBook
- 169.239.128.162 – basefilm[.]top – GET and POST /tesla/shell123/config.php – FormBook beacon and C2
DNS queries for kinnomanna.top:
Hashes
SHA256: c10c659498c3bd5ed8454c0041739db7d324ddd09126c16ea229ab30e9232de4
File name: RigEK landing page.txt
SHA256: b5dc599319b6f0968db9318e3d5dbbd6939c4d7b879e45269210a5878b7551a4
File name: RigEK Flash exploit.swf
SHA256: 22aba6be7e754e7163e8adb72f7235ad97ff411a29c98444ddacc24bd04cdc34
File name: o32.tmp
SHA256: 8e94bd154dbea3d020cce1e216f4a327d0ddf65737847ffed34113bf3fdb22dd
File name: bilonebilo417.exe
Hybrid-Analysis Report
SHA256: 2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82
File name: fb.exe
Hybrid-Analysis Report
SHA256: 0fa6898d426a6176ff7673d2d5336879d418f5be2714605eb32985626f508357
File name: 05110.exe
SHA256: 72a4b137b02b0ef45f5013b88228132081cff1ecfeccecae5e70069bf38c5ba0
File name: 15838.exe
Downloads
Password is “infected”
Chrome might give you a warning but the link is perfectly safe. Until next time!
References:
- https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground
- https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html
Article Link: https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/