Rig Exploit Kit from 5.200.55.71 sends Bot


NOTES:

Over the weekend I came across a compromised website that redirected to the Rig exploit kit, which was exploiting Flash. I ran the site numerous times and always came back with the Rig Exploit Kit and a payload which is likely Qbot. Sophos.com identified the payload as Qbot. The file directory structure in the sophos.com post also fits the pattern of Qbot. Also note that the Rig EK landing page IP address and domain name have changed, which makes me believe this is an active campaign.

REFERENCES:


ASSOCIATED DOMAINS:



2016-05-30 RUN:

  • COMPROMISED SITE – GET /media/system/js/modal.js – Malicious JAVASCRIPT
  • 67.215.187.94 – a.topgunn.photography – GET /irujviewforumtw.php – Rig REDIRECT GATE
  • 5.200.55.71 – gr.pageeveryday.com – Rig EK LANDING PAGE



2016-05-29 RUN:

  • COMPROMISED SITE – GET /media/system/js/modal.js – Malicious JAVASCRIPT
  • 67.215.187.94 – a.topgunn.photography – GET /irujviewforumtw.php – Rig REDIRECT GATE
  • 46.30.46.190 – ds.fitlifemedia.com – Rig EK LANDING PAGE


IMAGES and DETAILS:

Shown above: Rig Exploit Kit redirect gate [a.topgunn.photography] and Rig EK landing page from 2016-05-30

 

Shown above: Rig Exploit Kit redirect gate [a.topgunn.photography] and Rig EK landing page from 2016-05-29

 

Shown above: Malicious obfuscated javascript from compromised site [ /media/system/js/modal.js] redirecting to Rig EK redirect gate

 

Shown above: Obfuscated code found in Rig EK redirect gate .php file using variable main_color_handle

 

Shown above: Using the process described in the reference above, taking the text above, extracting the hexadecimal characters (0 through 9 and a through f) and converting them to ASCII begins to reveal the URL of the Rig landing page. [See below image]

 

Shown above: Converting the hexadecimal code extracted from the Rig EK redirect gate to ASCII begins to reveal the URL of the Rig EK landing page, gr.pageeveryday.com
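The extraction step described in the two captions above, as an added example that is not code from the original post: the input line is a constructed stand-in for the gate's main_color_handle assignment (the real gate's filler layout is not reproduced here, only the idea of hex bytes buried among non-hex characters), and the decoder pulls the quoted literal out first so that hex-looking letters in the variable name itself do not corrupt the result.

```python
import re

# Constructed sample, not captured gate code: the hex bytes of the landing-page
# URL interleaved with filler characters that fall outside [0-9a-f].
SAMPLE_GATE_LINE = (
    "var main_color_handle = "
    "'z68-t74_x74g70!3aw2f_2fZ67k72-2eP70Q61g67R65x65w76v65r72s79"
    "k64?61y79~2eX63v6fm6d#2f';"
)

HEX_CHAR = re.compile(r"[0-9a-f]")  # lowercase only, as the captions describe


def extract_literal(line: str) -> str:
    """Return the single-quoted string from the assignment.
    Filtering the whole line would also sweep up 'a', 'c', 'd', 'e' from
    'main_color_handle' and shift every byte boundary after them."""
    m = re.search(r"'([^']*)'", line)
    if not m:
        raise ValueError("no quoted literal found")
    return m.group(1)


def hex_stream(obfuscated: str) -> str:
    """Keep only 0-9 and a-f; everything else is filler and is dropped."""
    return "".join(HEX_CHAR.findall(obfuscated))


def decode_hex_stream(stream: str) -> str:
    """Pair the digits into bytes and decode as ASCII. An odd-length stream
    means the filter let a stray digit through, so fail loudly instead of
    silently producing a shifted, meaningless string."""
    if len(stream) % 2:
        raise ValueError(f"odd hex length {len(stream)}: filter leaked a digit")
    return bytes.fromhex(stream).decode("ascii", errors="replace")


def decode_gate(line: str) -> str:
    """Full pipeline: literal -> hex digits -> ASCII."""
    return decode_hex_stream(hex_stream(extract_literal(line)))


def find_urls(text: str) -> list:
    """Pull candidate URLs out of the decoded text for blocking and hunting."""
    return re.findall(r"https?://[A-Za-z0-9.-]+(?:/[^\s'\"]*)?", text)


if __name__ == "__main__":
    decoded = decode_gate(SAMPLE_GATE_LINE)
    print(decoded)             # http://gr.pageeveryday.com/
    print(find_urls(decoded))
```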

 

Shown above: Packet 87 shows Rig exploiting Flash and packet 640 shows delivery of the malicious payload

 

Shown above: Packet 640 shows encrypted partial contents of malicious payload

 

Shown above: Flash metadata from Rig Exploit Kit

 

MALICIOUS PAYLOAD SENT BY RIG EK:

  • 2016-05-29-Rig-EK.swf
    Virus Total Link
  • 2016-05-29-gnywop.exe
    C:\Documents and Settings\%username%\Application Data\Microsoft\gnywop\gnywop.exe
    Virus Total Link
  • 2016-05-29-gnywo.dll
    C:\Documents and Settings\%username%\Application Data\Microsoft\gnywop\gnywo.dll
    Virus Total Link
  • 2016-05-30-Rig-EK.swf
    Virus Total Link
  • 2016-05-30-gakyprar.exe
    C:\Documents and Settings\%username%\Application Data\Microsoft\gakyprar\gakyprar.exe
    Virus Total Link
  • 2016-05-30-gakypra.dll
    C:\Documents and Settings\%username%\Application Data\Microsoft\gakyprar\gakypra.dll
    Virus Total Link