2019-01-10 - HOOKADS CAMPAIGN RIG EK PUSHES VIDAR

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the infection traffic:  2019-01-10-HookAds-Rig-EK-sends-Vidar.pcap.zip   747 kB (2,084,140 bytes)

• 2019-01-10-HookAds-Rig-EK-sends-Vidar.pcap   (3,400,129 bytes)

Zip archive of the malware & artifacts:  2019-01-10-Rig-EK-and-Vidar-malware-and-artifacts.zip   505 kB (504,619 bytes)

• 2019-01-10-Rig-EK-artifact-a.e.txt   (1,149 bytes)
• 2019-01-10-Rig-EK-flash-exploit.swf   (32,312 bytes)
• 2019-01-10-Rig-EK-landing-page.txt   (136,334 bytes)
• 2019-01-10-Rig-EK-payload-Vidar.exe   (620,544 bytes)

NOTES:

• For more information on Vidar, see this Malwarebytes blog post.
• The Twitter account for @nao_sec posts far more frequently on exploit kit (EK) activity than I do.
• See traffic.moe for other examples of EK traffic.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

• datitngforllives[.]info
• needgrow[.]info
• tepingost[.]sg

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

TRAFFIC TO DECOY DATING SITE USED BY HOOKADS AND REDIRECT LEADING TO RIG EK:

• 88.208.7[.]193 port 80 - datitngforllives[.]info - GET /
• 185.56.233[.]186 port 443 - www.needgrow[.]info - GET /unlimited/howareyou   (HTTPS traffic)

RIG EK:

• 176.53.161[.]71 port 80 - 176.53.161[.]71 - Rig EK

VIDAR TRAFFIC:

• 190.115.22[.]22 port 80 - tepingost[.]ug - POST /251
• 190.115.22[.]22 port 80 - tepingost[.]ug - GET /freebl3.dll
• 190.115.22[.]22 port 80 - tepingost[.]ug - GET /mozglue.dll
• 190.115.22[.]22 port 80 - tepingost[.]ug - GET /msvcp140.dll
• 190.115.22[.]22 port 80 - tepingost[.]ug - GET /nss3.dll
• 190.115.22[.]22 port 80 - tepingost[.]ug - GET /softokn3.dll
• 190.115.22[.]22 port 80 - tepingost[.]ug - GET /vcruntime140.dll
• port 80 - ip-api[.]com - POST /line/   (IP address check, not inherently malicious)
• 190.115.22[.]22 port 80 - tepingost[.]ug - POST / HTTP/1.1 (zip)

 

FILE HASHES

RIG EK FLASH EXPLOIT:

• SHA256 hash:  80962b6d6ffa128bd56aba9a502c7edf9f5acf1ffc1bf8d0e41c8a5fd3de0ea3
  File size:  32312 bytes
  File description:  Rig EK flash exploit, exploiting CVE-2018-4878, seen on 2019-01-10

PAYLOAD FROM RIG EK:

• SHA256 hash:  076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c
  File size:  620,544 bytes
  File description:  Vidar malware EXE distributed by the HookAds campaign through Rig EK on 2019-01-10

 

Click here to return to the main page.