Malware-Traffic-Analysis.net - 2018-05-27 - SlyIP campaign uses Grandsoft EK to push Ursnif

2018-05-27 - SLYIP CAMPAIGN USES GRANDSOFT EK TO PUSH URSNIF

ASSOCIATED FILES:

Zip archive with pcaps of the traffic: 2018-05-27-SlyIP-Grandsoft-EK-pcaps.zip 24.9 MB (24,861,885 bytes)

2018-05-27-1st-run-SlyIP-Grandsoft-EK-with-post-infection-traffic.pcap (10,428,474 bytes)

2018-05-27-2nd-run-SlyIP-Grandsoft-EK-with-post-infection-traffic.pcap (16,254,665 bytes)

Zip archive of the malware and artifacts: 2018-05-27-SlyIP-Grandsoft-EK-malware-and-artifacts.zip 830 kB (829,605 bytes)

2018-05-27-1st-run-SlyIP-Grandsoft-EK-payload-Ursnif.exe (558,592 bytes)

2018-05-27-2nd-run-SlyIP-Grandsoft-EK-payload-Ursnif.exe (522,240 bytes)

2018-05-27-both-runs-Grandsoft-EK-CVE-2016-0189.txt (25,393 bytes)

2018-05-27-both-runs-Grandsoft-EK-dwie.hta.txt (2,031 bytes)

2018-05-27-both-runs-Grandsoft-EK-fake-DLL-from-VBscript-in-CVE-2016-0189.dll (4,429 bytes)

2018-05-27-both-runs-Grandsoft-EK-landing-page.txt (530 bytes)

NOTES:

Since 2018-05-11, @nao_sec has been documenting an exploit kit (EK) campaign called "SlyIP" at traffic.moe.
It's called the SlyIP campaign, because the URL redirecting to the EK has a domain ending with "slyip.com" or "slyip.net".
Original reference in this tweet, and more examples are available at traffic.moe.
These SlyIP URLs have led to Grandsoft EK or Rig EK, and this campaign has been documented pushing Ursnif malware or Gandcrab ransomware.
Today's SlyIP example has Grandsoft EK pushing Ursnif.
I recorded two infection runs to show the minor differences in Grandsoft EK domains (from .xyz to .tk) and the post-infection traffic.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:

fasthosting.slyip.com
fasthosting.slyip.net
vzdnprediction.project-x-adminko-test.tk
owkhdharshness.ebxseoccupationeclr.xyz
hxxp://www.dalmo.cz/files/AZE.bin
hxxp://5.64.157.228/a3.sign
u55.evama.at
work.a-poster.info

TRAFFIC

Shown above: Some of the HTTP requests from an infection filtered in Wireshark.

Shown above: Some of the Tor traffic with the HTTP requests from an infection filtered in Wireshark.

Shown above: More filtering in Wireshark to for a better idea of the SMTP traffic and HTTP traffic on non-standard ports.

Shown above: One of the HTTP POST requests related to work.a-poster.info.

Shown above: Another one of the HTTP POST requests related to work.a-poster.info.

GRANDSOFT EK TRAFFIC:

185.17.122.212 port 80 - owkhdharshness.ebxseoccupationeclr.xyz - Grandsoft EK (1st run)
185.17.122.212 port 80 - vzdnprediction.project-x-adminko-test.tk - Grandsoft EK (2nd run)

POST-INFECTION TRAFFIC CAUSED BY THE URSNIF MALWARE:

185.17.122.212 port 80 - owkhdharshness.ebxseoccupationeclr.xyz - Grandsoft EK (1st run)
185.17.122.212 port 80 - vzdnprediction.project-x-adminko-test.tk - Grandsoft EK (2nd run)
93.185.104.14 port 80 - dalmo.cz - GET /files/AZE.bin (legitimate domain, bad URL)
93.185.104.14 port 80 - www.dalmo.cz - GET /files/AZE.bin (legitimate domain, bad URL)
5.63.157.228 port 80 - 5.63.157.228 - GET /a3.sign (from 1st run post-infection traffic)
45.113.71.16 port 80 - u55.evama.at - GET wpapi/[long string of characters] (from 2nd run post-infection traffic)
176.9.118.142 port 7834 - [from my infected Windows host] - POST hxxp://work.a-poster.info:25000/
37.1.206.139 port 25000 - work.a-poster.info - POST /
81.19.77.166 port 465 - smtp.rambler.ru - Encrypted SSL/TLS traffic, not inherently malicious
94.100.180.104 port 25 - mxs.mail.ru - SMTP traffic, not inherently malicious