2019-02-28 - FALLOUT EK FROM HOOKADS CAMPAIGN

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the infection traffic:  2019-02-28-Fallout-EK-from-HookAds-campaign.pcap.zip   2.5 MB (2,496,951 bytes)

• 2019-02-28-Fallout-EK-from-HookAds-campaign.pcap   (3,989,978 bytes)

• Fiddler capture of the infection traffic:  2019-02-28-Fallout-EK-from-HookAds-campaign.saz.zip   2.3 MB (2,263,111 bytes)

• 2019-02-28-Fallout-EK-from-HookAds-campaign.saz   (2,268,427 bytes)

• Zip archive of the malware & artifacts:  2019-02-28-Fallout-EK-malware-and-artifacts.zip   667 kB (666,848 bytes)

• 2019-02-28-Fallout-EK-1-of-5-landing-page.txt   (4,998 bytes)
• 2019-02-28-Fallout-EK-2-of-5.txt   (12,352 bytes)
• 2019-02-28-Fallout-EK-3-of-5-CVE-2018-8174-on-raw.githubusercontent_com.txt   (19,855 bytes)
• 2019-02-28-Fallout-EK-4-of-5.bin   (4,513 bytes)
• 2019-02-28-Fallout-EK-5-of-5-payload.exe   (140,484 bytes)
• 2019-02-28-go.exe-from-51_15_252_131.exe   (560,640 bytes)

NOTES:

• As @nao_sec tweeted, Fallout exploit kit (EK) is using a proof of concept (PoC) on Github for CVE-2018-8174 (link to tweet)
• More info on the Fallout EK payload, Amadey (according to the alerts I saw):
• https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Shown above:  Tweet by @nao_sec related to today's traffic (link).

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• onlinedattingforlive[.]info
• russkistandart[.]info
• not-my-guilty[.]com
• hxxps[:]//raw.githubusercontent[.]com/w7374520/CVE-2018-8174_EXP/master/CVE-2018-8174.py
• hxxp[:]//51.15.252[.]131/CC/index.php
• hxxp[:]//51.15.252[.]131/files/go.exe
• capitalinvest.ac[.]ug

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

Shown above:  Infection traffic from Fiddler capture.

 

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

DECOY DATING SITE AND REDIRECT:

• 88.208.7[.]194 port 80 - www.onlinedattingforlive[.]info - GET /
• 185.56.233[.]186 port 443 - russkistandart[.]info - GET /unlimited/under-inter   (HTTPS traffic)

FALLOUT EK (HTTPS TRAFFIC):

• 37.59.197[.]177 port 443 - not-my-guilty[.]com - POST /h87p/Indices.asp?Francic=Bedsore-3985-14068&yaA=YIv
• 37.59.197[.]177 port 443 - not-my-guilty[.]com - POST /vtJn/8734/concerto.htm?Ood=C5FS6&Pigweeds=8910_10444_14033&ZrKY=13925
• port 443 - raw.githubusercontent[.]com - GET /w7374520/CVE-2018-8174_EXP/master/CVE-2018-8174.py
• 37.59.197[.]177 port 443 - not-my-guilty[.]com - POST /2005-01-16/Psoriasic
• 37.59.197[.]177 port 443 - not-my-guilty[.]com - GET /04_10_1971/beaveries/aoer.phtml

POST-INFECTION TRAFFIC:

• 51.15.252[.]131 port 80 - 51.15.252[.]131 - POST /CC/index.php   (repeats several times)
• 51.15.252[.]131 port 80 - 51.15.252[.]131 - GET /files/go.exe
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - POST /251
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - GET /freebl3.dll
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - GET /freebl3.dll?ddosprotected=1
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - GET /mozglue.dll
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - GET /msvcp140.dll
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - GET /nss3.dll
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - GET /softokn3.dll
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - GET /vcruntime140.dll
• port 80 - ip-api[.]com - POST /line/
• 86.105.1[.]12 port 80 - capitalinvest.ac[.]ug - POST /

 

SIGNIFICANT ALERTS ON THE POST-INFECTION TRAFFIC:

• 51.15.252[.]131 port 80 - ETPRO TROJAN Amadey CnC Check-In
• 86.105.1[.]12 port 80 - ETPRO TROJAN Vidar/Arkei Stealer HTTP POST Pattern
• 86.105.1[.]12 port 80 - ET TROJAN Vidar/Arkei Stealer Client Data Upload

 

FILE HASHES

PAYLOAD FROM FALLOUT EK (AMADEY):

• SHA256 hash:  9bdd885fdc1fcdcc34054062c0e3fce007a2ea5c0a4f4366eefac836c697b465
  File size:  140,484 bytes
  File location:  C:\Users\[username]\AppData\LocalLow\kfiq1jAv.tmp   (random letters and/or numbers before ".tmp")
  File location:  C:\ProgramData\6c905ff76d\vnrin.exe   (may be random folder and file names, here)
  File description:  Amadey EXE distributed by the HookAds campaign through Fallout EK on 2019-02-28

FOLLOW-UP MALWARE (VIDAR):

• SHA256 hash:  507d1559ec7507a311f2be88cd7110511402300769f0fe89fe17d36d4224c6e8
  File size:  560,640 bytes
  File location:  C:\Users\[username]\AppData\Roaming\Temp\go.exe
  File location:  C:\ProgramData\6c905ff76d\go.exe   (may be random folder name, here)
  File description:  Follow-up malware EXE for Vidar

 

IMAGES

Shown above:  Locations for malware retrieved from my infected lab host.

 

Shown above:  Folder and directories for stolen data created on my infected lab host.

 

Click here to return to the main page.