Overlooking Decimal IP Campaign

It was April 26 that I first observed Decimal IP Campaign. At that time, I thought that it was a simple embedded RigEK iframe, but then I read the blog of Zerophage and Malwarebytes and noticed that it is Decimal IP Campaign.

For Decimal IP Campaign, please refer to the blog of Zerophage and Malwarebytes.
https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/
https://zerophagemalware.com/2017/04/27/rig-ek-via-decimal-redirect-drops-smoke-loader/

It was a few hours ago when I started investigating, but I found three Compromised sites. Since they were very interesting, I write the behavior and features here.

In conclusion, Decimal IP Campaign does two things. The behavior is changed by the browser. Here, I introduce the behavior when accessing with Internet Explorer and Chrome (or FireFox).

For Internet Explorer

Please look at this. The whole flow is like this.

When I access the Compromised site in Internet Explorer, I get a response "301 Moved Permanently". This redirect you to the host http://1755118211. This host is not my typo, it is Decimal IP. It is an unfamiliar format, but it is actually interpreted by the browser.


In this way the user is redirected to http://104.156.250.131. A response of "302 Found" is returned and redirected to http://144.76.195.195/rig.php. The html returned at this time contains an iframe connected to RigEK, and the processing flows to RigEK. RigEK is the same as other Campaign, but the file being dropped always seems to be Smoke Loader.

https://www.hybrid-analysis.com/sample/0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330?environmentId=100
https://www.virustotal.com/en/file/0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330/analysis/


For Chrome

Unlike IE, Chrome does not redirect to RigEK. The flow is as follows.


When accessed with Chrome, it is redirected to Decimal IP, same as Internet Explorer. After that, it will be redirected to http://162.220.246.254 instead of http://144.76.195.195/rig.php. In this case, html disguised as "Adobe Flash Player" is displayed and the exe file is downloaded. This file is Smoke Loader.

https://www.hybrid-analysis.com/sample/b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7?environmentId=100
https://www.virustotal.com/en-gb/file/b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7/analysis/


Even if you changed "dl=1" which is the URL parameter of exe to "dl=2", the malware that was dropped was the same.

---

Next, I introduce about cloaking.

Decimal IP Campaign seems to preserve the IP of the user who accessed it. When a user accesses a Compromised site, it sees the user's IP and checks whether you have visited this Compromised site and other Compromised sites before. If the user is not accessing, will do the operation I introduced earlier. Otherwise, it returns a normal page.

Also, the Compromised site is not always redirecting to Decimal IP. It may return a normal page. It is like a Round-Robin, and it may be redirected when accessed several times.

---

That's all I have figured out for a couple of hours. I will also write articles as I know something.

Have a good analysis day😉