2017-02-23 - EITEST RIG EK FROM 188.225.35.79 SENDS DREAMBOT

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-02-23-EITest-Rig-EK-sends-Dreambot.pcap.zip   5.5 MB (5,500,088 bytes)

• 2017-02-23-EITest-Rig-EK-sends-Dreambot.pcap   (5,828,648 bytes)

• ZIP archive of the malware:  2017-02-23-EITest-Rig-EK-sends-Dreambot-malware-and-artifacts.zip   139 kB (138,704 bytes)

• 2017-02-23-EITest-Rig-EK-payload-Dreambot-rad73A09.tmp.exe   (194,048 bytes)
• 2017-02-23-Rig-EK-flash-exploit.swf   (15,790 bytes)
• 2017-02-23-Rig-EK-landing-page.txt   (5,229 bytes)
• 2017-02-23-page-from-sunlab.org-with-injected-EITest-script.txt   (15,921 bytes)

BACKGROUND ON THE EITEST CAMPAIGN AND RIG EXPLOIT KIT:

• My most recent write-up on the EITest campaign can be found here.
• Rig-V is actually the current version of Rig EK (Rig 4.0), so I've stopped calling it "Rig-V."  Now I'm just calling it "Rig EK."

BACKGROUND ON DREAMBOT:

• Dreambot is a banking Trojan sometimes referred to as Ursnif or Gozi ISFB.
• Proofpoint published an article about it in Aug 2016 named "Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality"

OTHER NOTES:

• A Twitter account established earlier this month named @nao_sec has been routinely posting indicators for exploit kit (EK) campaigns.
• Today's compromised site came from one of the tweets by that account.
• As always, thanks to @nao_sec and everyone else who tweets about compromised websites!

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

COMRPOMISED WEBSITE AND RIG EK:

• www.sunlab.org - Compromised site (used by EITest campaign)
• 188.225.35.79 port 80 - red.andrewmelbourne.net - Rig EK

POST-INFECTION TRAFFIC:

• 5.196.159.175 port 80 - 5.196.159.175 - GET /images/[long string of characters]
• 5.196.159.175 port 80 - 5.196.159.175 - GET /tor/t64.dll
• curlmyip.net - GET /
• Various IP addresses on various ports - various domains - Tor traffic

 

SHA256 FILE HASHES

FLASH EXPLOIT:

• a83064eb620ded9dfcbed8a97146e7fef1bfd1626246a79e734cb48482dbf06f - 15,790 bytes - Rig EK flash exploit

PAYLOAD:

• a51f24f534c3db9851fc3bea661c8b1aead926eba918c722d58a31693defb13a - 194,048 bytes - Dreambot

 

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

Shown above:  Alerts the Snort subscriber ruleset using Snort 2.9.9.0 on Debian 7.

 

Shown above:  Dreambot made persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-02-23-EITest-Rig-EK-sends-Dreambot.pcap.zip   5.5 MB (5,500,088 bytes)
• ZIP archive of the malware:  2017-02-23-EITest-Rig-EK-sends-Dreambot-malware-and-artifacts.zip   139 kB (138,704 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.