The HookAds campaign is still active and there have been some recent changes. For starters, this campaign usually drops a variant of Ursnif known as Dreambot. However, the sample that I got today seems more likely to be a ZeuS variant. This was later confirmed by my friend @Antelox who identified it as ZeuS Panda.

Let’s first look at the HTTP traffic involved in the infection chain and then we will examine some of the code:

We see my host making connections to the decoy site, which I’ve hidden. Normally, the host would be redirected to one of these decoy sites via malvertising.

The decoy site still contains a script to grab the file popunder.php:

Popunder.php contains the following packed and obfuscated code:

Running the code shows variable p returning the following code:

At the bottom of the code you can see var scr = being assigned a base64-encoded string:

aHR0cDovL3JvY2tzaWRlbnQuaW5mby9iYW5uZXJzL2FkdmVydGlzaW5n

Decoding the string returns the following URL:

hxxp://rocksident.info/banners/advertising

We can also see that an iframe is inserted in the web page, instructing the browser to load content from the malicious URL.

The URL returns what has been called the pre-landing page which is designed to filter out unwanted traffic. Here is an image of the pre-landing page showing some more packed code:

The browser will execute the embedded script, allowing us to examine the contents of variable p:

Here we can see that if BrowserInfo.is_bot is true, the host is served a page showing “404 Not Found,” among other things. The else statement that follows is the block executed when that check fails (the visitor is not flagged as a “bot”), and it is where the redirect to the exploit kit lives.

This section of the code also contains another base64 encoded string:

aHR0cDovLzE4OC4yMjUuODMuMTQ5Lz9OalkzTmpRNSZ0d2l4eT14WHZRTXZXWmJSWFFDNTNFS3ZqY1Q2TkVNVkhSSEVDTDJZcWRtckhTZWZqYWVWV2t6cmJGVEZfd296S0FUd1NHNl9KdGRmSiZwYXJ0eT1VRFFyampCSFJlZ2Rvbk50Y1d3Z1Q5cXFuaWtXRXp4U1kxSi1GLVVIZk1nc1RyY2FVRnJadDJWejBtN1VrUVBzbGcxVEg2R0kmYm13YT1PRFUxTURreE5BPT0=

As you might have already guessed, this decodes to show the URL of the RIG EK landing page:

hxxp://188.225.83.149/?NjY3NjQ5&twixy=xXvQMvWZbRXQC53EKvjcT6NEMVHRHECL2YqdmrHSefjaeVWkzrbFTF_wozKATwSG6_JtdfJ&party=UDQrjjBHRegdonNtcWwgT9qqnikWEzxSY1J-F-UHfMgsTrcaUFrZt2Vz0m7UkQPslg1TH6GI&bmwa=ODU1MDkxNA==

It also shows that the host is to use the POST method when requesting the RIG EK landing page. This matches the HTTP traffic shown at the beginning of the article.
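The two decode steps above (the popunder.php redirect URL and the RIG EK landing page URL hidden in the pre-landing page) are the same triage task: pull every base64 run out of an obfuscated script, keep the ones that decode to URLs, and decide which of them look like an exploit-kit landing page. The following is an added example of that triage, not code from the original post or from the HookAds/RIG scripts themselves. SAMPLE_SCRIPT is a constructed stand-in for the contents of variable p that wraps the two base64 strings quoted above; the RIG heuristic (IP-literal host, bare leading query token, two or more long base64url-style parameter values) is an assumption derived from the single landing URL on this page, so treat it as a starting point rather than a signature.

```python
import base64
import binascii
import re
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for variable p: a few lines of script around the two
# base64 strings quoted on the page (this is not the real popunder.php code).
SAMPLE_SCRIPT = """
var scr = "aHR0cDovL3JvY2tzaWRlbnQuaW5mby9iYW5uZXJzL2FkdmVydGlzaW5n";
if (BrowserInfo.is_bot == true) { document.write("404 Not Found"); }
else { var lp = "aHR0cDovLzE4OC4yMjUuODMuMTQ5Lz9OalkzTmpRNSZ0d2l4eT14WHZRTXZXWmJSWFFDNTNFS3ZqY1Q2TkVNVkhSSEVDTDJZcWRtckhTZWZqYWVWV2t6cmJGVEZfd296S0FUd1NHNl9KdGRmSiZwYXJ0eT1VRFFyampCSFJlZ2Rvbk50Y1d3Z1Q5cXFuaWtXRXp4U1kxSi1GLVVIZk1nc1RyY2FVRnJadDJWejBtN1VrUVBzbGcxVEg2R0kmYm13YT1PRFUxTURreE5BPT0="; }
"""

# A run of 16+ standard-alphabet base64 characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Long base64url-looking blob, as seen in the twixy= and party= values.
B64URL_BLOB = re.compile(r"[A-Za-z0-9_\-]{20,}={0,2}")


def decode_b64_urls(script_text):
    """Return (token, url) for every base64 run that decodes to an http(s) URL."""
    found = []
    for match in B64_TOKEN.finditer(script_text):
        token = match.group(0)
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not printable text: skip it
        if text.lower().startswith(("http://", "https://")):
            found.append((token, text))
    return found


def looks_like_rig_landing(url):
    """Heuristic (assumption, derived from the one URL on the page): IP-literal
    host, a bare first query token with no '=', and at least two parameters
    whose values are long base64url-style blobs."""
    parts = urlsplit(url)
    try:
        ip_address(parts.hostname or "")
    except ValueError:
        return False  # hostname is a domain, not an IP literal
    if not parts.query:
        return False
    first, *rest = parts.query.split("&")
    if "=" in first:
        return False
    pairs = parse_qsl("&".join(rest), keep_blank_values=True)
    blobs = [value for _, value in pairs if B64URL_BLOB.fullmatch(value)]
    return len(blobs) >= 2


def defang(url):
    """hxxp://host[.]tld form so the URL cannot be clicked by accident."""
    parts = urlsplit(url)
    host = (parts.hostname or "").replace(".", "[.]")
    rest = url.split(parts.netloc, 1)[1] if parts.netloc else ""
    return f"{parts.scheme.replace('http', 'hxxp')}://{host}{rest}"


def triage(script_text):
    """Decode every embedded URL and flag the ones that look like an EK landing page."""
    return [
        {
            "encoded": token[:24] + "...",
            "url": url,
            "defanged": defang(url),
            "rig_like": looks_like_rig_landing(url),
        }
        for token, url in decode_b64_urls(script_text)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_SCRIPT):
        label = "RIG-like " if row["rig_like"] else "redirect "
        print(label, row["defanged"])
```

Run against SAMPLE_SCRIPT it reports the rocksident.info URL as a plain redirect and the 188.225.83.149 URL as RIG-like. The validate=True flag matters: without it b64decode silently discards stray characters and will "decode" runs that were never base64.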

I already mentioned that the payload being delivered by the HookAds campaign is usually Dreambot, however, this time it was ZeuS Panda.

The initial malware payload (bilonebilo.exe) was dropped and executed in %TEMP%:

We can also see some .tmp files being created in %TEMP%.

The malware copied itself to C:\Users\[username]\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webapps.exe:

An in-depth report from G Data explains how ZeuS Panda finds a directory under %APPDATA% (AppData\Roaming) that is empty, has a path that is at least 140 characters long, doesn’t contain certain strings like “Microsoft”, and is as deep in the directory tree as possible. Their analysis also showed that Panda created four files with random extensions. In my infection these happened to be .hou, .oze, .pow, and .sol.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run is being used for its persistence mechanism:

Additional keys being created in HKCU\Software\Microsoft:

Not long after the payload was dropped and executed on the host we see post-infection network traffic to 5.8.88.219 via TCP port 443:

Here are some additional DNS queries and responses captured during my second run:

This shows DNS requests for nekfad.xyz, which resolves to 5.8.88.219, as well as a PTR record for that address with the hostname davydovamihalina02.example.com. Note that the reverse name does not match the forward name that was queried, so the PTR result is useful as enrichment but not as an indicator on its own.

Origin AS: AS62088

inetnum: 5.8.88.0 – 5.8.88.255 (5.8.88.0/24)

netname: MoreneHost

country: NL

The infected host was also making connections to Google.com using the following User-Agent string:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Here are some details captured during the post-infection TCP connections:

Remote Address: 5.8.88.219

Remote Host Name: davydovamihalina02.example.com

Remote Port: 443

Process Name: svchost.exe

Process Path: C:\Windows\system32\svchost.exe

Remote Address: 172.217.11.174

Remote Host Name: lax28s15-in-f14.1e100.net (Google.com)

Remote Port: 80

Process Name: svchost.exe

Process Path: C:\Windows\system32\svchost.exe

The malware launches instances of svchost to communicate with the C2 server. Note that the process path is the legitimate C:\Windows\system32\svchost.exe, so the C2 traffic comes from a real system binary rather than a look-alike dropped elsewhere; a path-based check alone will not catch this, and the connection has to be judged by its destination.
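Putting the post-infection pieces together (the DNS answers, the PTR record, the svchost.exe connection records and the IOC list) is a correlation job rather than a lookup. The block below is an added example of that correlation; it is not code from the original post. The DNS_LOG and CONNECTIONS records are constructed to match the shape of the capture above, using only the addresses and names that appear on this page (the hostname shown for 5.8.88.219 is the placeholder the page uses), plus one deliberately constructed look-alike svchost.exe path outside System32 that is not on the page, added to show the masquerade branch. NETWORK_IOCS is the page's IOC list with nekfad.xyz added from the DNS section.

```python
import re
from collections import defaultdict

# Constructed DNS records in the shape of the capture on the page.
DNS_LOG = [
    ("A",   "nekfad.xyz",     "5.8.88.219"),
    ("PTR", "5.8.88.219",     "davydovamihalina02.example.com"),
    ("A",   "google.com",     "172.217.11.174"),
    ("PTR", "172.217.11.174", "lax28s15-in-f14.1e100.net"),
]

# Constructed connection records; the first two mirror the page, the third is a
# made-up look-alike binary outside System32 to exercise the masquerade check.
CONNECTIONS = [
    {"process": "svchost.exe", "path": r"C:\Windows\system32\svchost.exe",
     "remote": "5.8.88.219", "port": 443},
    {"process": "svchost.exe", "path": r"C:\Windows\system32\svchost.exe",
     "remote": "172.217.11.174", "port": 80},
    {"process": "svchost.exe", "path": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "remote": "172.217.11.174", "port": 80},
]

# Network IOCs from the page, plus the C2 domain from the DNS capture.
NETWORK_IOCS = {"80.77.82.41", "rocksident.info", "188.225.83.149",
                "188.225.83.137", "5.8.88.219", "nekfad.xyz"}

# Where the real service host binary lives on a Windows install.
LEGIT_SVCHOST = re.compile(
    r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.IGNORECASE)


def build_dns_maps(dns_log):
    """forward: ip -> names that resolved to it; reverse: ip -> PTR name."""
    forward, reverse = defaultdict(set), {}
    for rtype, name, data in dns_log:
        if rtype == "A":
            forward[data].add(name)
        elif rtype == "PTR":
            reverse[name] = data
    return forward, reverse


def assess(conn, forward, reverse, iocs):
    """Enrich one connection with DNS context and rate it against the IOCs."""
    ip = conn["remote"]
    names = forward.get(ip, set())
    ptr = reverse.get(ip)
    hits = ({ip} | names) & iocs
    legit_path = bool(LEGIT_SVCHOST.match(conn["path"]))
    is_svchost = conn["process"].lower() == "svchost.exe"
    if hits:
        severity, reason = "high", "matches IOC " + ", ".join(sorted(hits))
    elif is_svchost and not legit_path:
        severity, reason = "high", "svchost.exe running from a non-system path"
    elif is_svchost:
        severity, reason = "review", "svchost.exe outbound, not an IOC; confirm against expected Windows endpoints"
    else:
        severity, reason = "info", "no indicator"
    return {
        "remote": ip, "port": conn["port"], "process": conn["process"],
        "forward_names": sorted(names), "ptr": ptr,
        "ptr_matches_forward": ptr in names,
        "legit_svchost_path": legit_path,
        "severity": severity, "reason": reason,
    }


def assess_all(conns=CONNECTIONS, dns_log=DNS_LOG, iocs=NETWORK_IOCS):
    forward, reverse = build_dns_maps(dns_log)
    return [assess(c, forward, reverse, iocs) for c in conns]


if __name__ == "__main__":
    for r in assess_all():
        print(f'{r["severity"]:6} {r["process"]} -> {r["remote"]}:{r["port"]} '
              f'fwd={r["forward_names"]} ptr={r["ptr"]} ({r["reason"]})')
```

Two design points. First, the IOC match is done on the union of the destination IP and every name that resolved to it, so the alert fires whether the analyst's list holds the domain or the address. Second, a forward/reverse mismatch is recorded but never used to raise severity: the Google connection mismatches just as the C2 does (1e100.net versus google.com), which is exactly why it belongs in the enrichment and not in the verdict.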

Network based IOCs

80.77.82.41 – rocksident.info – GET /banners/advertising

188.225.83.149 – IP literal hostname used by RIG EK

188.225.83.137 – IP literal hostname used by RIG EK (Run 2)

5.8.88.219 – callback traffic via TCP port 443

Hashes

SHA256: ebfbed3dcb88f480bffc9f8855d43b4c0d3ffc37919a25a382e8233c5f171b84

File name: popunder.php.txt

SHA256: b18b668915e46a1e3cd0515449d8f958df4e7cb998c549c9b52bd73555586edf

File name: advertising.txt

SHA256: 25ea9df2932a2441a919978151145c6aeff96c89830bb0d0cd6dfb55e7e3e6eb

File name: RigEK landing page from 188.225.83.149.txt

SHA256: ef9861034c348993c4962008860264d69c4144431b84c94483d1c3d7da3ad0dc

File name: RigEK Flash exploit from 188.225.83.149.swf

SHA256: 5007255195dc24c63dfc7bdcddaa827893c8fce5bc080bdf1ab2c55b08e267bb

File name: o32.tmp

SHA256: 161385403c4044b0ee62b56a5f038d3bb9bb62274a98bf539e978592f65fe2f5

File name: bilonebilo.exe

Hybrid-Analysis Report

SHA256: 318d7b19ac9d836eeb6ddc4ee2d767ccd4aca2c445c373a0b4b5afd142a700d8

File name: bilonebilo.exe (2nd run)

Hybrid-Analysis Report

Downloads

Malicious Artifacts from HookAds 091317

For some reason WordPress wouldn’t let me upload the files, so I had to use a free hosting service called TinyUpload.com. The password for the files is “infected”.

Until next time!

Additional References:

https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
