# Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook. **malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-** formbook/ October 10, 2017 A couple days ago I came across an unusual looking request for a RIG EK landing page. The log showed the referer to be coming from a site called pay-scale[.]us: Looking through the logs surrounding the event I could see that the user visited a shady site using the .ac ccTLD. Traffic estimates showed that this site received 500K visitors over the last 30 days. When I was researching the site, I was redirected via malicious ad traffic to tech support scams. This leads me to believe the initial referer was from malvertising. The malvert likely redirected the host to pay-scale[.]us via a 3XX status code. Examining the page source for pay-scale[.]us shows the website was mirrored from usmotors[.]com using HTTrack Website Copier: ----- Looking a little farther down the page we can see how the user got redirected to RIG EK from pay-scale[.]us: The domain in the hidden iframe, medical-help[.]top, resolves to 91.92.136.170. Looking at the Whois information shows these domains were registered using the name “Terry Kornfeld” and email address morganaanna7@gmail.com. Searching for all domains registered using that name and/or email address returned the following: **Domain** **Registered** i-yourdoctor[.]top 10/8/2017 highqualitywebhelp[.]top 10/8/2017 filmsdays[.]top 10/4/2017 photosetty[.]us 10/2/2017 pay-scale[.]us 10/1/2017 madicalcareme[.]top 9/19/2017 mymedicalcare[.]us 9/17/2017 photo24[.]top 9/9/2017 medical-help[.]top 9/9/2017 These sites should be considered malicious. Additionally, some of them are being used for C2 activities. More on that later. Below is the GET request that was generated due to the hidden iframe on pay-scale[.]us: The server returns a 302 Found with a location containing the RIG EK landing page URL. ----- Further examination of the infrastructure being used in this campaign show that the threat actor(s) are utilizing Keitaro TDS: Below is an image of the HTTP traffic captured during this infection chain: RIG EK dropped two identical Quant Loader payloads in %TEMP%: ----- When Quant Loader was executed it copied itself to %APPDATA%[uid]svchost.exe: [[uid] is the eight-digit unique ID generated for the infected host. Forcepoint shows how the](https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground) unique ID is generated: 1. Obtain the Windows GUID value from HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCryptography 2. Extract only the number values, no letters or dashes 3. Copy 8 of the numbers, beginning with the 5th number The malware then re-launches itself under “svchost.exe” and creates file “C:Users[Username]AppDataLocalTempper”. The following processes and actions were recorded: 1. svchost.exe creates process regini.exe 2. regini.exe reads data from file %TEMP%per 3. svchost.exe deletes file %TEMP%per 4. svchost.exe sets AutoStart registry key “HKCUSoftwareMicrosoftWindowsCurrentVersionRunQt” ----- Quant Loader also modifies Windows Firewall to allow outbound communications using the command: ``` netsh.exe advfirewall firewall add rule "name=Quant" "program=c:usersappdata[uid]svchost.exe" dir=Out action=allow ``` I found post-infection traffic to the C2 at filmsdays[.]top/q/, which was registered by “Terry Kornfeld” using the email address morganaanna7@gmail.com: id = the unique ID of the infected host c = the current index of the server being used mk = string likely used as an affiliate of campaign ID il = Haven’t confirmed vr = Haven’t confirmed but could be version number ----- bt = Haven t confirmed but could be x86 or x64 Below is an example of the Quant Loader C2 TCP connections captured during my infection: Remote Address: 85.217.170.186 Remote Host Name: t.co Remote Port: 80 Process Name: svchost.exe Process Path: C:UsersWin7 32bitappdataroaming[uid]svchost.exe Remote IP Country: Bulgaria Remote Address: 212.73.150.215 Remote Host Name: v22597.vps.ag Remote Port: 80 Process Name: svchost.exe Process Path: C:UsersWin7 32bitappdataroaming[uid]svchost.exe Remote IP Country: Bulgaria In my infection the first server (c=1) responded with the location of follow-up malware located at motorsus[.]us/fb.exe. Motorsus[.]us appears to be under control of the same threat actor(s). The name and email used to register this domain is “Lee M Clark” and john.benjack@mailfence.com. Below is a list of current domains using that registrant information. Domain Registered motorsus.us 10/1/2017 seechicagodance.us 10/1/2017 This payload is dropped in %TEMP% and executed. The malware being downloaded by Quant Loader was identified as FormBook by my [friend @Antelox.](https://twitter.com/Antelox) ----- FormBook, once executed, copied itself (it was hidden) to %USERPROFILE%: The malware was renamed to mfcgn2pl.exe. According to [FireEye, it can also use the following prefixes for its name:](https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html) ms mfc win gdi vga igfx user help config update regsvc chkdsk systray ----- audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies It can also use the following file extensions: .exe .com .scr .pif .cmd .bat If it is running with normal privileges it is copied to one the following directories: %USERPROFILE% %APPDATA% %TEMP% Here is another image showing another copy called Cookiescz7x.cmd being created in %APPDATA%: If it is running with elevated privileges it copies itself to one of the following directories: ----- %ProgramFiles% %CommonProgramFiles% In my infection I found it configuring persistence to HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun: However, depending on its privileges, it can also use the following locations for persistence: HKCUSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun FormBook was beaconing to basefilm[.]top/tesla/shell123/config.php. Basefilm[.]top is registered to “Shirhall Shirhall” and is using the registrant email address annacrown44@gmail.com. I captured the following GET requests: The parameter “id” shown in the URL contains encoded information about the system. The malware also uses HTTP POST requests to send data back to basefilm[.]top/tesla/shell123/config.php: According to FireEye these messages to the C2 are RC4 encrypted and Base64 encoded ----- FireEye also mentions that FormBook will use function hooks to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions.” For keystrokes captured during a browsing session with Internet Explorer it created the following file: %APPDATA%JQ18T541JQ1log.ini You can see my HTTP sessions and keystrokes being captured in the .ini file: Quick note. My friend [@Antelox examined the FormBook sample and discovered that it](https://twitter.com/Antelox) downloaded ZeuS Panda with web injects for PayPal, eBay, Amazon, and BoQ (Bank of Queensland). The ZeuS sample can be viewed below: https://www.virustotal.com/en/file/e4474970dd8d2f9e4a3d4a0fa06d82f8d6c2af49737d6cb2e 5db6a388aa930ba/analysis/ Network Based IOCs 212.73.150.215 – pay-scale[.]us – Malicious dummy site 91.92.136.170 – medical-help[.]top – Redirected to RIG EK 176.57.217.78 – IP literal hostname used by RIG EK 85.217.170.186 – filmsdays[.]top – GET /q/index.php – Quant Loader C2 212.73.150.215 – motorsus[.]us – GET /fb.exe – GET for FormBook 169.239.128.162 – basefilm[.]top – GET and POST /tesla/shell123/config.php – FormBook beacon and C2 ----- DNS queries for kinnomanna.top: Hashes [SHA256: c10c659498c3bd5ed8454c0041739db7d324ddd09126c16ea229ab30e9232de4](https://www.virustotal.com/en/file/c10c659498c3bd5ed8454c0041739db7d324ddd09126c16ea229ab30e9232de4/analysis/) File name: RigEK landing page.txt [SHA256: b5dc599319b6f0968db9318e3d5dbbd6939c4d7b879e45269210a5878b7551a4](https://www.virustotal.com/en/file/b5dc599319b6f0968db9318e3d5dbbd6939c4d7b879e45269210a5878b7551a4/analysis/1507627342/) File name: RigEK Flash exploit.swf [SHA256: 22aba6be7e754e7163e8adb72f7235ad97ff411a29c98444ddacc24bd04cdc34](https://www.virustotal.com/en/file/22aba6be7e754e7163e8adb72f7235ad97ff411a29c98444ddacc24bd04cdc34/analysis/) File name: o32.tmp [SHA256: 8e94bd154dbea3d020cce1e216f4a327d0ddf65737847ffed34113bf3fdb22dd](https://www.virustotal.com/en/file/8e94bd154dbea3d020cce1e216f4a327d0ddf65737847ffed34113bf3fdb22dd/analysis/) File name: bilonebilo417.exe [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/8e94bd154dbea3d020cce1e216f4a327d0ddf65737847ffed34113bf3fdb22dd?environmentId=100) [SHA256: 2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82](https://www.virustotal.com/en/file/2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82/analysis/) File name: fb.exe [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82?environmentId=100) [SHA256: 0fa6898d426a6176ff7673d2d5336879d418f5be2714605eb32985626f508357](https://www.virustotal.com/en/file/0fa6898d426a6176ff7673d2d5336879d418f5be2714605eb32985626f508357/analysis/) File name: 05110.exe [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/0fa6898d426a6176ff7673d2d5336879d418f5be2714605eb32985626f508357?environmentId=100) [SHA256: 72a4b137b02b0ef45f5013b88228132081cff1ecfeccecae5e70069bf38c5ba0](https://www.virustotal.com/en/file/72a4b137b02b0ef45f5013b88228132081cff1ecfeccecae5e70069bf38c5ba0/analysis/) File name: 15838.exe [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/72a4b137b02b0ef45f5013b88228132081cff1ecfeccecae5e70069bf38c5ba0?environmentId=100) Downloads [Malicious Artifacts](https://malwarebreakdown.com/wp-content/uploads/2017/10/Malicious-Artifacts.zip) ----- Password is infected References: 1. https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant loader-sold-russian-underground 2. https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution campaigns.html ## Published by malwarebreakdown Just a normal person who spends their free time infecting systems with malware. View all posts by malwarebreakdown -----