An article published by malwarebreakdown two days ago was very interesting.
https://malwarebreakdown.com/2017/07/03/seamless-campaign-leads-to-rig-ek-at-188-225-79-43-and-drops-ramnit/
I supplement that article. This is an article for that.
---
In that wonderful article some redirect flows and the latter half were introduced. I introduce the flow of the first half.
First redirected to "194.58.60.51/usa" by some malicious Ad. "usa" looks like a general web site, showing part of the actual code.
It looks like a general code, but there is an obfuscated code. It's decoded as follows.
This looks like code for Google Analytics, but it's actually different. It's sending a POST request to "usa".
It uses JavaScript to acquire time zone information and send it. When sending Japanese information at this time, it will be redirected to a general website. In the case of the USA it will lead to the next flow.
This is redirecting to "outedward-engrees.com". When you access "outedward-engrees.com", it looks like this.
Please see the malwarebreakdown article after this :)
---
Well, I had a chance interesting discovery. I investigated "194.58.60.51" in VirusTotal. Then I got this information.
Surprisingly, "japan.php" exists on the same server!
"japan.php" code is exactly the same as "usa", but you have to set the time zone to be sent to Japan so that you will be connected to RigEK.
"usa" was redirected to "signup3.php", but "japan.php" redirects to "signup1.php".
The dropped malware is Ramnit as usual.
https://www.hybrid-analysis.com/sample/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361?environmentId=100
https://virustotal.com/en/file/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361/analysis/1499245648/
---
P.S. added pcap link
https://gist.github.com/koike/8f3fcbb2e6906e29155a57d6f87df396
Localization other than Japan may also exist.
If you knew, please let me know ;)
It was April 26 that I first observed Decimal IP Campaign. At that time, I thought that it was a simple embedded RigEK iframe, but then I read the blog of Zerophage and Malwarebytes and noticed that it is Decimal IP Campaign.
For Decimal IP Campaign, please refer to the blog of Zerophage and Malwarebytes.
https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/
https://zerophagemalware.com/2017/04/27/rig-ek-via-decimal-redirect-drops-smoke-loader/
It was a few hours ago when I started investigating, but I found three Compromised sites. Since they were very interesting, I write the behavior and features here.
In conclusion, Decimal IP Campaign does two things. The behavior is changed by the browser. Here, I introduce the behavior when accessing with Internet Explorer and Chrome (or FireFox).
For Internet Explorer
Please look at this. The whole flow is like this.
When I access the Compromised site in Internet Explorer, I get a response "301 Moved Permanently". This redirect you to the host http://1755118211. This host is not my typo, it is Decimal IP. It is an unfamiliar format, but it is actually interpreted by the browser.
In this way the user is redirected to http://104.156.250.131. A response of "302 Found" is returned and redirected to http://144.76.195.195/rig.php. The html returned at this time contains an iframe connected to RigEK, and the processing flows to RigEK. RigEK is the same as other Campaign, but the file being dropped always seems to be Smoke Loader.
https://www.hybrid-analysis.com/sample/0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330?environmentId=100
https://www.virustotal.com/en/file/0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330/analysis/
For Chrome
Unlike IE, Chrome does not redirect to RigEK. The flow is as follows.
When accessed with Chrome, it is redirected to Decimal IP, same as Internet Explorer. After that, it will be redirected to http://162.220.246.254 instead of http://144.76.195.195/rig.php. In this case, html disguised as "Adobe Flash Player" is displayed and the exe file is downloaded. This file is Smoke Loader.
https://www.hybrid-analysis.com/sample/b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7?environmentId=100
https://www.virustotal.com/en-gb/file/b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7/analysis/
Even if you changed "dl=1" which is the URL parameter of exe to "dl=2", the malware that was dropped was the same.
---
Next, I introduce about cloaking.
Decimal IP Campaign seems to preserve the IP of the user who accessed it. When a user accesses a Compromised site, it sees the user's IP and checks whether you have visited this Compromised site and other Compromised sites before. If the user is not accessing, will do the operation I introduced earlier. Otherwise, it returns a normal page.
Also, the Compromised site is not always redirecting to Decimal IP. It may return a normal page. It is like a Round-Robin, and it may be redirected when accessed several times.
---
That's all I have figured out for a couple of hours. I will also write articles as I know something.
Have a good analysis day😉
nao_sec
