2016-10-31 - EITEST RIG EK FROM 176.223.111[.]95

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-10-31-EITest-Rig-EK-traffic.pcap.zip   265.8 kB (265,796 bytes)

• 2016-10-31-EITest-Rig-EK-traffic.pcap   (403,861 bytes)

• 2016-10-31-EITest-Rig-EK-malware-and-artifacts.zip   207.3 kB (207,322 bytes)

• 2016-10-31-EITest-Rig-EK-flash-exploit.swf   (52,583 bytes)
• 2016-10-31-EITest-Rig-EK-landing-page.txt   (3,273 bytes)
• 2016-10-31-EITest-Rig-EK-payload.exe   (297,472 bytes)
• 2016-10-31-page-from-computerrepairservice_net-with-injected-EITest-script.txt   (37,903 bytes)

 

NOTES:

<
• There are currently at least 2 versions of Rig EK being used by different campaigns.
• One is an updated/evolving "VIP version" version of Rig EK that @kafeine has been calling RIG-v as described here.
• The other version of Rig EK is "regular Rig" that generally looks the same as it has for a while now.
• RIG-v is currently being used by the Afraidgate and pseudoDarkleech campaigns.
• Regular Rig EK is still being used by the EITest campaign.

• Thanks to Baber for sending me info about the compromised site used in this blog entry.

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site.

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• computerrepairservice[.]net - Compromised site
• 176.223.111[.]95 port 80 - obup0.vkfw2gz[.]top - Rig EK
• 95.211.174[.]92 port 443 - 3ch2jctqf4pa[.]org - Post-infection HTTPS/SSL/TLS traffic
• 208.100.26[.]234 port 443 - 1yf8lm3wdqn4[.]top - Post-infection HTTPS/SSL/TLS traffic
• DNS queries for several DGA-style domains (see image below)

Shown above:  Some of the DNS queries seen from the infected host.

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  e064e472676954831b8ff54dfa570cd0f4d5831bfd4cdbb80be4fbd26f600b13
  File name:  2016-10-31-EITest-Rig-EK-flash-exploit.swf   (52,583 bytes)

PAYLOADS:

• SHA256 hash:  6fae8ec841bcc23898304e130f1ce2ca0c610d8a1d64ec6a72ff6cc447641256
  File name:  C:\Users\[username]\AppData\Local\Temp\68FF.tmp   (297,472 bytes)

 

IMAGES

Shown above:  Alerts on the pcap from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.

 

Click here to return to the main page.