2018-01-11 - RIG EK SENDS SMOKE LOADER AND MONERO COIN MINER

ASSOCIATED FILES:

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain and URL:

EMAILS


Shown above: Traffic from the infection filtered in Wireshark.

RIG EK:

URLS TO NON-MALICIOUS DOMAINS GENERATED BY SMOKE LOADER (SHARIK):

URLS TO MALICIOUS DOMAINS GENERATED BY SMOKE LOADER (SHARIK):

MONERO (XMR) COIN MINER ACTIVITY:


Shown above: Some alerts on the infection traffic from the Snort subscriber ruleset when reading the pcap with Snort 2.9.11.


Shown above: Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

FILE HASHES

RIG EK FLASH EXPLOIT SEEN ON 2018-01-11:

RIG EK PAYLOAD - SMOKE LOADER (ALSO CALLED "SHARIK" OR "DOFIOL"):

FOLLOW-UP MALWARE - MONERO (XMR) COIN MINER:

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.