2014-10-04 - RIG EK AND UPATRE FROM EMAIL LINKS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-10-04-Rig-EK-and-Upatre-traffic.pcap.zip
• 2014-10-04-Rig-EK-and-Upatre-malware.zip

 

NOTES:

• On Thursday, 2014-10-02, I saw a few emails with secure@docs-gg[.]com listed as a sender that went to UK email addresses.

• These emails contain links to a zip file; however, these URLs also generate Rig EK traffic that will infect a vulnerable host with the same malware.

Shown above:  The zip file offered as a download, while Rig EK happens in the background.

• Today's Upatre and follow-up malware are the same type I documented yesterday on 2014-10-03 (see the link below).

 

WAVES OF PHISHING EMAILS I'VE DOCUMENTED BY (WHAT I THINK IS) THE SAME ACTOR:

• 2014-09-18 - Phishing campaign - NatWest and fake fax messages
• 2014-09-22 - Phishing email - Subject: NatWest Statement
• 2014-10-03 - Phishing campaign - Incoming fax reports - fake HMRC tax notices
• 2014-10-04 - Rig EK and Upatre from phishing emails   [emails dated 2014-10-02]

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 177.55.108[.]130 - camaraguape.mg[.]gov[.]br - Site with page for the malware download
• 37.200.69[.]87 - story.christophertawes[.]com - Rig EK
• various IP addresses - various domains - Post-infection traffic (see below)

 

PHISHING LINK FROM THE EMAIL (PROVIDES A ZIP FILE OF THE MALWARE):

• 2014-10-04 00:29:25 UTC - 177.55.108[.]130:80 - camaraguape.mg[.]gov[.]br - GET /go2/document.php
• 2014-10-04 00:29:27 UTC - 177.55.108[.]130:80 - camaraguape.mg[.]gov[.]br - POST /go2/document.php
• 2014-10-04 00:29:33 UTC - 91.121.220.193:80 - counter6.statcounterfree[.]com - GET /private/counter.js?c=
  a9f26a8b178b1b373c1d6618b0a2ea72
• 2014-10-04 00:29:40 UTC - 177.55.108[.]130:80 - camaraguape.mg[.]gov[.]br - GET /go2/document.php?h=900&w=1440&ua=
  Mozilla%2F4.0%20(compatible%3B%20MSIE%208.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F4.0%3B%20SLCC2
  %3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0)&e=1

 

RIG EK (INFECTS A VULNERABLE HOST WITH THE SAME MALWARE):

• 2014-10-04 00:29:33 UTC - 37.200.69[.]87:80 - story.christophertawes[.]com - GET /?PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:37 UTC - 37.200.69[.]87:80 - story.christophertawes[.]com - GET /index.php?req=mp3&num=95&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:39 UTC - 37.200.69[.]87:80 - story.christophertawes[.]com - GET /index.php?req=swf&num=467&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:46 UTC - 37.200.69[.]87:80 - story.christophertawes[.]com - GET /index.php?req=xml&num=4797&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:47 UTC - 37.200.69[.]87:80 - story.christophertawes[.]com - GET /index.php?req=jar&num=6704&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:48 UTC - 37.200.69[.]87:80 - story.christophertawes[.]com - GET /index.php?req=mp3&num=479131&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE

 

POST-INFECTION TRAFFIC:

• 2014-10-04 00:29:43 UTC - 82.98.157[.]8:80 - msoluciona[.]com - GET /images/inicio/0210uk4.pdf
• 2014-10-04 00:29:44 UTC - 82.98.157[.]8:80 - www.msoluciona[.]com - GET /images/inicio/0210uk4.pdf

• 2014-10-04 00:29:53 UTC - 66.51.128[.]43:3478 - STUN traffic to stun.voip.aebc[.]com
• 2014-10-04 00:30:27 UTC - 77.72.169[.]155:3478 - STUN traffic to stun.voiparound[.]com
• 2014-10-04 00:30:45 UTC - 77.72.169[.]154:3479 - STUN traffic to stun.voiparound[.]com
• 2014-10-04 00:31:03 UTC - 203.183.172[.]196 - STUN traffic to s2.taraba[.]net
• 2014-10-04 00:31:21 UTC - 203.183.172[.]212 - STUN traffic to s2.taraba[.]net (?)

• 2014-10-04 00:29:39 UTC - 188.165.198[.]52:64078 - attempted TCP connection RST by server
• 2014-10-04 00:29:41 UTC - 188.165.198[.]52:64078 - attempted TCP connection RST by server
• 2014-10-04 00:29:47 UTC - 188.165.198[.]52:64078 - attempted TCP connection RST by server
• 2014-10-04 00:31:39 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:42 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:43 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:43 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:46 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:46 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:49 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:49 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:54 UTC - 37.59.46[.]50:4443 - encrypted TCP traffic

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-04-Rig-EK-flash-exploit.swf
File size:  4,238 bytes
MD5 hash:  1ca3694873a7975dc4a286e11799a004
Detection ratio:  2 / 54
First submission:  2014-10-02 07:51:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3f0c210787ecd044c48792635998e4574a4c5abed1b150c02c62083b757b02f9/analysis/

 

JAVA EXPLOIT:

File name:  2014-10-04-Rig-EK-java-exploit.jar
File size:  9,380 bytes
MD5 hash:  3fd18b6e0fb0f88d897fadbeae36c860
Detection ratio:  5 / 55
First submission:  2014-10-04 02:19:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4840f1d8a86e25528b4b6931d5cfa198b9afef5bd84c7544a81b6a706f405960/analysis/

 

MALWARE PAYLOAD (SAME AS EXTRACTED MALWARE FROM ZIP FILE):

File name:  document8621-79101_pdf.exe
File size:  45,568 bytes
MD5 hash:  322cc3be1d5b0c41d707867146304d85
Detection ratio:  23 / 53
First submission:  2014-10-02 14:42:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3ac7b3e1c679134d3b63793dc6df49f8467f387b78e17947a22b516636b89aed/analysis/

 

ZIPE ARCHIVE FROM THE WEB PAGE:

File name:  document8621-79101_pdf.zip
File size:  13,446 bytes
MD5 hash:  c516abc8eb1acd38c57f3175032cb17c
Detection ratio:  26 / 55
First submission:  2014-10-02 14:40:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/39d8f256dcb91eab3c92dae72ab54fbb38157847336646ce23f26924f59a4b33/analysis/

 

FOLLOW-UP MALWARE:

File name:  junbc.exe
File size:  434,176 bytes
MD5 hash:  27b8d15950022f53ca4ca7004932cf2b
Detection ratio:  21 / 54
First submission:  2014-10-02 18:44:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/286938569b92147be5ec50e06d4d7429eb442a751c0772cb57e146a0a1d0b489/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 2014-10-04 00:29:11 UTC - 177.55.108[.]130:80 - ET CURRENT_EVENTS Upatre redirector 29 Sept 2014 - POST (sid:2019321)
• 2014-10-04 00:29:13 UTC - 177.55.108[.]130:80 - ET CURRENT_EVENTS suspicious embedded zip file in web page (sid:2019324)
• 2014-10-04 00:29:15 UTC - 37.200.69[.]87:80 - ET CURRENT_EVENTS RIG EK Landing URI Struct (sid:2019072)
• 2014-10-04 00:29:16 UTC - 177.55.108[.]130:80 - ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014 (sid:2019311)
• 2014-10-04 00:29:34 UTC - 37.200.69[.]87:80 - ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File (sid:2018783)
• 2014-10-04 00:29:37 UTC - 37.200.69[.]87:80 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (sid:2018441)
• 2014-10-04 00:29:38 UTC - 37.200.69[.]87:80 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
• 2014-10-04 00:29:40 UTC - 177.55.108[.]130:80 - ET TROJAN Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014 (sid:2018182)
• 2014-10-04 00:29:43 UTC - 82.98.157[.]8:80 - ET TROJAN Common Upatre Header Structure 2 (sid:2018635)
• 2014-10-04 00:29:43 UTC - 82.98.157[.]8:80 - ET TROJAN Common Upatre Header Structure (sid:2018394)
• 2014-10-04 00:29:43 UTC - 82.98.157[.]8:80 - ET MALWARE Suspicious User-Agent (update) (sid:2003583)
• 2014-10-04 00:29:47 UTC - 37.200.69[.]87:80 - ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity (sid:2017064)
• 2014-10-04 00:29:47 UTC - 37.200.69[.]87:80 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Java Exploit to Client (sid:2013961)
• 2014-10-04 00:29:47 UTC - 37.200.69[.]87:80 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
• 2014-10-04 00:29:47 UTC - 37.200.69[.]87:80 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs (sid:2016540)
• 2014-10-04 00:29:47 UTC - 37.200.69[.]87:80 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass (sid:2800029)
• 2014-10-04 00:31:39 UTC - 37.59.46[.]50:4443 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014 (sid:2019320)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):

• 2014-10-04 00:29:37 UTC - 37.200.69[.]87:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (x5)
• 2014-10-04 00:29:38 UTC - 37.200.69[.]87:80 - [1:30934:2] EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download
• 2014-10-04 00:29:47 UTC - 37.200.69[.]87:80 - [1:25562:4] FILE-JAVA Oracle Java obfuscated jar file download attempt
• 2014-10-04 00:29:47 UTC - 37.200.69[.]87:80 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt

 

Click here to return to the main page.