Rig EK via JavaScript Re-director drops UrlZone Trojan Banker

Summary:

First of apologies for the quality of this post and the image. I am not able to access my tools at the moment so had to piece it together using Paint…

Whilst looking for Magnitude I came across a Rig EK flow via a JavaScript redirector. The payload did not run on my lab or on Hybrid Analysis so I sought the aid of @Antelox who identified the sample as UrlZone – a trojan banker which has recently been seen in malspam.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article referencing UrlZone as part of “Avalanche”

https://www.us-cert.gov/ncas/alerts/TA16-336A

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

 

RigUrlZone

Rig EK via a JavaScript Re-director drops UrlZone but evades my lab.

 

 

Full Details:

The chain begins from malvertising which leads to a website called “datingspots.co”. A HTTP refresh redirects to “datingspots.co/?”. There is also an iframe here with a suspicious URL but it did not seem to lead anywhere.

Refreshtoco

Next there is a 302 redirect to a script called “scr.php”

302

The script contains two JavaScript redirects leading to Rig EK.

redirector

Unfortunately I could not get the payload to run on my lab so I do not have any IOC’s to offer except a hash. I tried to run it in Hybrid Analysis with “High evasion” mode on but it did not run properly. It was confirmed by @Antelox to be UrlZone – a trojan banker.

SHA256: d761e6d23070cde26710566a09c847e6c9d112cc973e10a1422d94ae481056f7
File name: hgsaic3x.exe
Detection ratio: 27 / 64

I would be interested to see any IOC’s if anyone wants to analyse the sample.


Article Link: https://zerophagemalware.com/2017/08/01/rig-ek-via-javascript-re-director-drops-urlzone-trojan-banker/