Hackin9

Introduction

This diary is a follow-up to my previous diary on the actor using Rig exploit kit (EK) to deliver Qbot [1]. For this diary, I've infected more Windows hosts from other compromised websites, so we have additional data on this actor.

As previously noted, this actor has been delivering Qbot (also known as Qakbot) malware. The actor uses a gate to route traffic from the compromised website to the EK landing page. In this case, the gate returns a variable that is translated to a URL for the EK landing page. The sequence of events is:

  • User visits a website compromised by this actor.
  • An HTTP GET request for a .js file from the compromised site returns text with malicious script appended to it.
  • An HTTP GET request to the gate returns a variable used by the malicious script.
  • The variable sent by the gate is decrypted, and an HTTP GET request for the EK landing page is sent.

Details

I've collected more samples of Rig EK infections from this actor, as shown below. Of note:

  • The first line is the .js file from the compromised website with malicious script appended to it.
  • The second line is the gate used by this actor.
  • The third line shows the IP address and domain name for Rig EK used by this actor.

The following four infections occurred within the past 24 hours:

  • 2015-12-29 20:51 UTC - www.pavtube.com - GET /public/temp/js/jquery.js
  • 2015-12-29 20:51 UTC - 192.185.21.183 port 80 - st.naughtytimebooks.com - GET /mmviewforumboiu.php
  • 2015-12-29 20:51 UTC - 46.30.46.93 port 80 - ert.selectiondesebooks.info - Rig EK
  • 2015-12-30 00:38 UTC - www.wolfgnards.com - GET /rsc/js/jquery.min.js
  • 2015-12-30 00:38 UTC - 192.185.21.183 port 80 - st.naughtytimebooks.com - GET /omoviewforumfjcic.php
  • 2015-12-30 00:38 UTC - 46.30.46.93 port 80 - htr.amazinng.com - Rig EK
  • 2015-12-30 01:04 UTC - www.pavtube.com - GET /public/temp/js/jquery.js
  • 2015-12-30 01:04 UTC - 192.185.21.183 port 80 - st.naughtytimebooks.com - GET /lvviewforumilu.php
  • 2015-12-30 01:04 UTC - 46.30.46.93 port 80 - htr.amazinng.com - Rig EK
  • 2015-12-30 01:16 UTC - eaaforums.org - GET /clientscript/vbulletin-core.js?v=422
  • 2015-12-30 01:16 UTC - 192.185.21.183 port 80 - st.naughtytimebooks.com - GET /auqviewforumixx.php
  • 2015-12-30 01:16 UTC - 46.30.46.93 port 80 - htr.broadwhiz.com - Rig EK

Below are images of pcaps from the traffic filtered in Wireshark.

The FTP server shown in the last example had information from my infected host, along with other infected hosts.

Gate traffic review

Although I went over it in my last diary, let's review again how the gate traffic works. First, we get the malicious script added to a .js file from the compromised website. It's usually appended, and you'll find it at the end. I've also seen the malicious script at the beginning of the .js files. It might take a while for people to find it, but it's there.

The first highlighted section shows how the value from the main_color_handle variable is translated by replacing all symbols with a % and replacing all alphabetic characters g and higher with nothing. This returns a through f and 0 through 9 that will be grouped as two-character hexadecimal pairs, with a % before each pair.

The second highlighted section shows the URL for the gate. As I mentioned in my previous diary about this actor, the text is obfuscated, so it's not easy to find. However, if you know what you're looking for, you can find it.

This injected script calls the main_color_handle variable from the gate URL and translates the variable to the EK landing page URL.
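The translation rules described above (symbols become %, letters g and higher are dropped, the remaining %XX pairs are URL-decoded) as an added analyst-side decoder. This is example code, not the actor's script or anything from the diary; the sample value and the obfuscate_for_demo helper are constructed here solely to produce inputs in the shape the rules describe.

```python
import re
from urllib.parse import unquote

# Constructed sample: "http" (68 74 74 70) with junk letters g-z and a symbol
# inserted before each hex pair, following the rules described in the diary.
SAMPLE_VARIABLE = "!6zq8#7w4-7k4?7l0"


def decode_gate_variable(value: str) -> str:
    """Recover the landing page URL from a captured main_color_handle value.

    Rule 1: every symbol (non-alphanumeric character) becomes '%'.
    Rule 2: alphabetic characters g and higher are removed.
    What remains is a run of %XX pairs, i.e. an ordinary URL-encoded string.
    """
    step1 = re.sub(r"[^0-9A-Za-z]", "%", value)
    step2 = re.sub(r"[g-zG-Z]", "", step1)
    # Sanity check: anything other than clean %XX pairs means the gate response
    # is not in the expected shape (changed scheme, error page, truncation).
    if not re.fullmatch(r"(?:%[0-9A-Fa-f]{2})+", step2):
        raise ValueError(f"unexpected shape after translation: {step2!r}")
    return unquote(step2)


def obfuscate_for_demo(url: str) -> str:
    """Constructed encoder (NOT the actor's) that emits values the decoder
    accepts; used only to build longer test inputs for this example."""
    junk = "gkqwz"
    out = []
    for i, ch in enumerate(url):
        out.append("!" + junk[i % 5] + f"{ord(ch):02x}" + junk[(i + 2) % 5])
    return "".join(out)


if __name__ == "__main__":
    print(decode_gate_variable(SAMPLE_VARIABLE))
    print(decode_gate_variable(obfuscate_for_demo("http://landing.example/?k=v")))
```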

Final words

Today's diary provides more examples of Rig EK infections by this particular actor. Hopefully, it provides a better understanding of the infection traffic. If you have access to your organization's web proxy logs, search for 192.185.21.183 and see if the HTTP GET requests follow the patterns seen in this diary. If you can find the referer for that HTTP GET request, you may have discovered another website compromised by this actor.
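The proxy-log hunt suggested above, as an added example that is not part of the diary: it picks out GET requests to the gate IP whose path follows the viewforum pattern seen in this diary and reports the referer hosts as candidate compromised sites. The log format (date, time, client IP, server IP, host, method, path, referer) and the log lines themselves are constructed for this example; the gate IP, gate host and paths are the ones listed in the diary.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

GATE_IP = "192.185.21.183"
# Gate paths seen in this diary: letters + "viewforum" + letters + ".php"
GATE_PATH = re.compile(r"^/[a-z]+viewforum[a-z]+\.php$")

# Constructed proxy log lines in a hypothetical space-separated format:
# date time client-ip server-ip host method path referer ("-" if none).
SAMPLE_LOG = """\
2015-12-30 01:16:02 10.0.0.5 192.185.21.183 st.naughtytimebooks.com GET /auqviewforumixx.php http://eaaforums.org/forum.php
2015-12-30 01:17:10 10.0.0.7 203.0.113.5 www.example.com GET /index.html -
2015-12-30 01:20:44 10.0.0.9 192.185.21.183 st.naughtytimebooks.com GET /lvviewforumilu.php http://www.pavtube.com/
2015-12-30 01:21:00 10.0.0.9 192.185.21.183 st.naughtytimebooks.com GET /favicon.ico -
"""

Hit = namedtuple("Hit", "time client path referer")


def find_gate_hits(log_text: str) -> list:
    """Return GET requests to the gate IP whose path matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue  # malformed line: skip it rather than abort the hunt
        date, time, client, server, host, method, path, referer = parts
        if server == GATE_IP and method == "GET" and GATE_PATH.match(path):
            hits.append(Hit(f"{date} {time}", client, path, referer))
    return hits


def suspected_compromised_sites(log_text: str) -> list:
    """Referer hosts of gate hits: the websites worth checking for injected script."""
    hosts = set()
    for hit in find_gate_hits(log_text):
        if hit.referer != "-":
            hosts.add(urlsplit(hit.referer).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for hit in find_gate_hits(SAMPLE_LOG):
        print(hit)
    print("candidate compromised sites:", suspected_compromised_sites(SAMPLE_LOG))
```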

Pcap and malware samples used in this diary are available here.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Actor+using+Rig+EK+to+deliver+Qbot/20513/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(credit: Linus Bohman)

As happens from time to time, somebody has spotted a feature in Windows 10 that isn't actually new and has largely denounced it as a great privacy violation.

The Intercept has written that if you have bought a Windows PC recently then Microsoft probably has your encryption key. This is a reference to Windows' device encryption feature. We wrote about this feature when it was new, back when Microsoft introduced it in Windows 8.1 in 2013 (and before that, in Windows RT).

Device encryption is a simplified version of the BitLocker drive encryption that made its debut in Windows Vista in 2006. The full BitLocker requires a Pro or Enterprise edition of Windows, and includes options such as integration with Active Directory, support for encrypting removable media, and the use of passwords or USB keys to unlock the encrypted disk. Device encryption is more restricted. It only supports internal system drives, and it requires the use of Secure Boot, Trusted Platform Module 2.0 (TPM), and Connected Standby-capable hardware. This is because Device encryption is designed to be automatic; it uses the TPM to store the password used to decrypt the disk, and it uses Secure Boot to ensure that nothing has tampered with the system to compromise that password.

Infosec Professionals Needed for Annual Wireless and Wired Device Threat Study
Virtual-Strategy Magazine
BOSTON, MA -- (Marketwired) -- 12/29/15 -- Pwnie Express, the only company providing threat detection of the billions of wireless and wired devices in and around your workplace, today announced its second annual Device Threat Survey. The company is ...
