Some of the biggest companies in the world rely on Forcepoint security.

Close

Our Blog

RIG Exploit Kit Makes A Sprash In Russia

Share

Monday, Jun 27, 2016

The very popular Russian site Sprashivai[.]ru has been compromised and is silently redirecting users to the RIG Exploit Kit (EK). During our analysis we saw RIG EK drop the SmokeLoader (aka Dofoil) malware.

Image above taken from the Sprashivai homepage

Compromised Site

Sprashivai[.]ru is a popular Russian Q&A and social networking site, receiving an estimated 20 million visitors per month according to SimilarWeb. The Russian word "sprashivai" means "ask" in English.

The site has been compromised by an actor attempting to redirect users to RIG EK via an injected iFrame:

The iFrame loads up the RIG EK landing page which then attempts to exploit the machine if it is using outdated browser components, such as an old Adobe Flash Player. If successfully exploited, RIG EK will drop and execute malware on the machine. All of this is done silently in the background without any user interaction necessary.

During our analysis RIG EK sent a CVE-2015-8651 Adobe Flash Player exploit. The SWF exploit contains debug strings suggesting a user named Владимир ("Vladimir") compiled the exploit, although the ActionScript filenames appear to be somewhat randomised:

Sprashivai has been compromised since at least June 23 and was still compromised when we checked again on June 29. We notified Sprashivai of the compromise on June 27 but have not heard anything back.

June 23

hxxp://sprashivai[.]ru/ (Compromised Site)

--> hxxp://jy.raleighculturalresources[.]org/?xH**redacted** (RIG EK)

June 27

hxxp://sprashivai[.]ru/ (Compromised Site)

--> hxxp://sd.studio-aceti[.]com/?x3**redacted** (RIG EK)

June 29

hxxp://sprashivai[.]ru/ (Compromised Site)

--> hxxp://ht.navisage[.]com/?xX**redacted** (RIG EK)

SmokeLoader

During our analysis RIG EK dropped and executed the SmokeLoader (aka Dofoil) malware. The original executable that was dropped was a Nullsoft Installer System (NSIS) executable that decrypted and executed the SmokeLoader payload. This technique makes it difficult for anti-virus solutions to detect because NSIS files themselves are legitimate and the scripting ability makes them extremely versatile.

The NSIS installer dropped two important files, Aero.dll and Votary.C. The Aero.dll module is invoked from the NSIS script and is responsible for decrypting and loading the Votary.C SmokeLoader payload.

The SmokeLoader payload is then injected into explorer.exe and execution continues from there. The malware will attempt to reach out to its C&C (reamstat[.]link) among a sea of fake requests it generates to legitimate sites too. The fake requests are sent to URLs taken from the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall registry sub-keys.

SmokeLoader's primary purpose is to download plug-ins which contain malicious functionality such as credential stealers, click fraud components, and more trojan downloaders like Win32/Recslurp.

According to a superb analysis by Stopmalvertising, SmokeLoader began to be sold to only Russian speaking individuals in March 2014. So it is interesting that we see SmokeLoader being dropped via a compromised Russian site, and therefore affecting Russian speaking individuals.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 2 (Lure) - The injected code on the compromised site is detected and the site is blocked.
  • Stage 4 (Exploit Kit) - The RIG EK landing page is detected and blocked.
  • Stage 5 (Dropper File) - The malicious NSIS executable is detected by File Sandboxing.

 

Indicators of Compromise (IOCs)

Compromised Site

hxxp://sprashivai[.]ru

RIG Exploit Kit

hxxp://jy.raleighculturalresources[.]org

hxxp://sd.studio-aceti[.]com

hxxp://ht.navisage[.]com

SmokeLoader C&C

hxxp://reamstat[.]link

SmokeLoader Samples (SHA1)

9680e89c4a11aaee448b27d25a2342ebf9b5d367

fc8756b848262c237e1e7a6028ee97a70c7f0e1f

Summary

Actors continue to compromise popular sites and develop new and unique ways to try and stay undetected. These criminals do not always need to resort to malvertising to tap into a pool of millions of potential victims. And while crypto-ransomware remains one of the most popular weapons of choice, malware developers and distributors also continue to use backdoors like SmokeLoader.

About the Author

NG

Nicholas Griffin

Security Researcher