Rig Exploit Kit sends Qbot – Bot Configuration Traffic

NOTES:

  • In a May 30th, 2016 post I detailed how Rig Exploit Kit (EK) was using a redirect gate to send a bot. You can use that blog post to decipher the obfuscation process that this Rig EK campaign uses to reach its landing page.
  • This post describes the post infection traffic associated with Qbot. Despite the recent change in the Rig EK redirect gate URL, Qbot appears to still be active.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me:
info@broadanalysis.com

PCAP file of the infection traffic:
2016-06-16-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 67.215.187.94 – a.topgunnphoto.com/zpfarviewforumolirc.php – Rig Redirect GATE
  • 46.30.47.116 – ku.askornaandmatthew.com – Rig EK LANDING PAGE
  • 70.31.34.200 TCP Port 2222 – POST INFECTION TRAFFIC
  • 193.111.140.236 TCP Port 65200 – POST INFECTION TRAFFIC
  • 91.199.120.147 FTP Port 21 – POST INFECTION TRAFFIC (FTP login failed)
  • 50.87.114.63 FTP Port 21 – POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: Injected script found on the compromised site, containing an obfuscated URL that redirects to the Rig EK gate


Shown above: Rig EK redirect gate a.topgunnphoto.com


Shown above: Obfuscated code found in the Rig EK redirect gate .php file, using the variable main_color_handle


Shown above: Rig EK landing page


Shown above: Qbot first post infection traffic communication using TCP port 2222


Shown above: Qbot second post infection traffic to various hosts under speedtest.comcast.net


Shown above: Qbot third post infection traffic communication using TCP port 65200


Shown above: Qbot fourth post infection traffic communication using FTP – Login failed


Shown above: Qbot fifth post infection traffic communication using FTP – Successful connection and transfer of data


Shown above: Qbot sixth post infection traffic communication to ip-score.com to obtain the infected host's public IP address, country and local language


Shown above: More Qbot post infection traffic to legitimate web sites


Shown above: More post infection traffic associated with the Qbot infection
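As an added example (not code from the original post), the following Python triage flags the post infection sequence the captions above describe over constructed Zeek-style connection records: C2 on the non-standard TCP ports 2222 and 65200, an FTP login failure followed by a successful login, and the ip-score.com lookup. The victim addresses, the resolved IPs for speedtest.comcast.net and ip-score.com, and the FTP reply strings are assumptions.

```python
"""Triage constructed connection records for the Qbot post infection chain.

Each record is a constructed Zeek-style conn.log tuple:
(src_ip, dst_ip, dst_port, proto, service, detail)
where detail is the HTTP Host header or the FTP login reply seen on the flow.
"""
from collections import defaultdict

# Indicators taken from the post's IoC list.
C2_IPS = {"70.31.34.200", "193.111.140.236"}
C2_PORTS = {2222, 65200}          # non-standard TCP ports used for bot traffic
FTP_IPS = {"91.199.120.147", "50.87.114.63"}
CHECKIN_HOSTS = {"ip-score.com", "speedtest.comcast.net"}

SAMPLE_RECORDS = [  # constructed sample, not taken from the pcap
    ("192.168.1.50", "46.30.47.116", 80, "tcp", "http", "ku.askornaandmatthew.com"),
    ("192.168.1.50", "70.31.34.200", 2222, "tcp", "-", ""),
    ("192.168.1.50", "96.120.5.21", 80, "tcp", "http", "speedtest.comcast.net"),
    ("192.168.1.50", "193.111.140.236", 65200, "tcp", "-", ""),
    ("192.168.1.50", "91.199.120.147", 21, "tcp", "ftp", "530 Login incorrect"),
    ("192.168.1.50", "50.87.114.63", 21, "tcp", "ftp", "230 Login successful"),
    ("192.168.1.50", "203.0.113.9", 80, "tcp", "http", "ip-score.com"),
    ("192.168.1.77", "93.184.216.34", 443, "tcp", "ssl", "example.com"),  # benign
]


def triage(records):
    """Return {src_ip: sorted finding tags}. A host gets 'qbot_chain_match'
    when it shows C2 on a non-standard port, an FTP login failure followed
    by a success, and the ip-score.com lookup, in that combination."""
    findings = defaultdict(set)
    ftp_logins = defaultdict(list)   # per host: True for success, False for failure
    for src, dst, dport, proto, service, detail in records:
        if proto == "tcp" and (dport in C2_PORTS or dst in C2_IPS):
            findings[src].add(f"c2_port_{dport}")
        if service == "ftp" and dport == 21:
            ftp_logins[src].append(detail.startswith("230"))
        if service == "http" and detail in CHECKIN_HOSTS:
            findings[src].add("checkin_" + detail)
        if dst in FTP_IPS:
            findings[src].add("known_ftp_ioc")
    for src, logins in ftp_logins.items():
        if False in logins and True in logins and logins.index(False) < logins.index(True):
            findings[src].add("ftp_fail_then_success")
    for src, tags in findings.items():
        if (any(t.startswith("c2_port_") for t in tags)
                and "ftp_fail_then_success" in tags and "checkin_ip-score.com" in tags):
            tags.add("qbot_chain_match")
    return {src: sorted(tags) for src, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_RECORDS).items():
        print(host, tags)
```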


MALICIOUS PAYLOAD SENT BY RIG EK:

DIRECTORY STRUCTURE:

C:\Users\%UserName%\AppData\Roaming\Microsoft\Xueatwnu