2018-03-05 - COINS LTD CAMPAIGN USES RIG EK TO PUSH URSNIF

ASSOCIATED FILES:

NOTES:


Shown above: Fiddler screenshot from a tweet by @jeromesegura.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

TRAFFIC


Shown above: Infection traffic filtered in Wireshark (image 1 of 2).

Shown above: Infection traffic filtered in Wireshark (image 2 of 2).

INFECTION CHAIN LEADING TO RIG EK:

POST-INFECTION TRAFFIC AFTER RUNNING THE VBS FILE:

FILE HASHES

MALWARE ASSOCIATED WITH THIS INFECTION:

IMAGES


Shown above: Injected script in page from pre-gate domain leading to the gate URL.

Shown above: Script returned from gate URL leads to Rig EK landing page.

Shown above: Ursnif persistent on the infected Windows host.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
