Neutrino EK and Rig EK send GootKit – A Brief Comparison

NOTES:

  • On July 3rd, 2016 I captured traffic from two different campaigns sending GootKit via the Neutrino Exploit Kit (EK) and the Rig Exploit Kit (EK).
  • The Rig EK was using Malvertising as its avenue of delivery, while the Neutrino EK was using the realstatistics.pro redirect gate.
  • Traffic for the Rig EK was provided from a tweet by @malekal_morte.
  • Changes to the realstatistics gate were noted by malware-traffic-analysis.net on July 1st, 2016.
  • For a more detailed analysis of GootKit traffic, see my June 29th, 2016 post "Neutrino Exploit Kit 78.46.167.130 sends Gootkit".

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-03-GootKit-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES FOR RIG EK:

  • 193.36.35.39 – relaxtube.tk – GET /engine/classes/js/jquery.js – Rig EK REDIRECT
  • 193.36.35.39 – waferako.cf – GET /linkx.php – Rig EK REDIRECT
  • 46.30.46.128 – ds.pacificbeachcar.com – Rig EK LANDING PAGE
  • 77.42.157.2 Port 80 – googlesecurityhtml.com – POST INFECTION TRAFFIC
  • 91.219.29.65 Port 80, 443 – abusenetsdd.com – POST INFECTION TRAFFIC
  • 93.170.253.84 – dowloadupdate.com – POST INFECTION TRAFFIC
  • 198.105.254.228 Port 80 – dendroidssdsdfera.com – POST INFECTION TRAFFIC
  • 198.105.254.228 Port 80 – dendsadsddfroidsdfsdera.com – POST INFECTION TRAFFIC
  • 198.105.254.228 Port 80 – wwqwqwdendroidsdfera.com – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS AND IP ADDRESSES FOR NEUTRINO EK:

  • 5.199.130.155 – realstatistics.pro – GET /js/analytics.php?id=123 – REDIRECT GATE
  • 151.80.7.122 – hizhr.ouovxl.xyz – Neutrino EK LANDING PAGE
  • 93.115.10.203 Port 80, 443 – sievavower.com – POST INFECTION TRAFFIC
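To make the two indicator lists above usable in a detection workflow, here is an added example (not code from the original post) that matches DNS, HTTP and TLS log records against the domains, IPs, request lines and certificate organizationalUnitName values listed on this page, then ranks each client by the furthest stage of the infection chain it reached (redirect, landing page, post-infection). The tab-separated log format, the client IPs and the sample records are constructed for the example; the page does not state which host presented which certificate, so the TLS sample line pairs them only for illustration.

```python
"""Match constructed DNS/HTTP/TLS log records against the Rig EK and
Neutrino EK GootKit indicators listed on this page, and rank each client
by the furthest infection-chain stage observed for it.

Added example, not code from the original post. Indicator values are
copied from the page; the log format and sample records are constructed.
"""

# value -> (campaign, role), transcribed from the page's two IOC lists
DOMAIN_IOCS = {
    "relaxtube.tk": ("Rig EK", "redirect"),
    "waferako.cf": ("Rig EK", "redirect"),
    "ds.pacificbeachcar.com": ("Rig EK", "landing page"),
    "googlesecurityhtml.com": ("Rig EK", "post-infection"),
    "abusenetsdd.com": ("Rig EK", "post-infection"),
    "dowloadupdate.com": ("Rig EK", "post-infection"),
    "dendroidssdsdfera.com": ("Rig EK", "post-infection"),
    "dendsadsddfroidsdfsdera.com": ("Rig EK", "post-infection"),
    "wwqwqwdendroidsdfera.com": ("Rig EK", "post-infection"),
    "realstatistics.pro": ("Neutrino EK", "redirect gate"),
    "hizhr.ouovxl.xyz": ("Neutrino EK", "landing page"),
    "sievavower.com": ("Neutrino EK", "post-infection"),
}
IP_IOCS = {
    "193.36.35.39": ("Rig EK", "redirect"),
    "46.30.46.128": ("Rig EK", "landing page"),
    "77.42.157.2": ("Rig EK", "post-infection"),
    "91.219.29.65": ("Rig EK", "post-infection"),
    "93.170.253.84": ("Rig EK", "post-infection"),
    "198.105.254.228": ("Rig EK", "post-infection"),
    "5.199.130.155": ("Neutrino EK", "redirect gate"),
    "151.80.7.122": ("Neutrino EK", "landing page"),
    "93.115.10.203": ("Neutrino EK", "post-infection"),
}
# (host, path) pairs for the request lines the page records; a path such as
# /linkx.php is too generic to match on its own, so the host is required
REQUEST_IOCS = {
    ("relaxtube.tk", "/engine/classes/js/jquery.js"): ("Rig EK", "redirect"),
    ("waferako.cf", "/linkx.php"): ("Rig EK", "redirect"),
    ("realstatistics.pro", "/js/analytics.php"): ("Neutrino EK", "redirect gate"),
}
# organizationalUnitName values from the page's certificate captions (lower-cased)
CERT_OU_IOCS = {
    "domain inc": ("Rig EK", "TLS certificate"),
    "my company ltd": ("Neutrino EK", "TLS certificate"),
}
# infection-chain stage per role, used to rank a client's deepest observation
STAGE = {"redirect": 1, "redirect gate": 1, "landing page": 2,
         "post-infection": 3, "TLS certificate": 3}
VERDICT = {1: "redirected only", 2: "landing page reached",
           3: "post-infection traffic observed"}


def parse_record(line):
    """Constructed format: kind, client IP, server IP, host, detail (tab-separated).
    detail is the query type for dns, 'METHOD /path?query' for http and the
    certificate subject ('CN=..,OU=..') for tls."""
    kind, src, dst, host, detail = line.rstrip("\n").split("\t", 4)
    return {"kind": kind, "src": src, "dst": dst, "host": host.lower(), "detail": detail}


def match_record(rec):
    """Return every (campaign, role, evidence) triple the record matches."""
    hits = []
    if rec["host"] in DOMAIN_IOCS:
        hits.append(DOMAIN_IOCS[rec["host"]] + ("host " + rec["host"],))
    if rec["dst"] in IP_IOCS:
        hits.append(IP_IOCS[rec["dst"]] + ("server " + rec["dst"],))
    if rec["kind"] == "http":
        _method, _, target = rec["detail"].partition(" ")
        path = target.split("?", 1)[0]          # compare the path without its query string
        if (rec["host"], path) in REQUEST_IOCS:
            hits.append(REQUEST_IOCS[(rec["host"], path)] + ("request " + rec["detail"],))
    elif rec["kind"] == "tls":
        for rdn in rec["detail"].split(","):    # walk the subject's attribute=value pairs
            attr, _, value = rdn.partition("=")
            if attr.strip().upper() == "OU" and value.strip().lower() in CERT_OU_IOCS:
                hits.append(CERT_OU_IOCS[value.strip().lower()] + ("certificate OU=" + value.strip(),))
    return hits


def scan(lines):
    """Records with at least one indicator match, keeping their 1-based line number."""
    results = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = match_record(rec)
        if hits:
            results.append({"line": number, "src": rec["src"], "hits": hits})
    return results


def classify_clients(results):
    """Map each client IP to the furthest chain stage seen for it."""
    deepest = {}
    for result in results:
        for _campaign, role, _evidence in result["hits"]:
            deepest[result["src"]] = max(deepest.get(result["src"], 0), STAGE[role])
    return {src: VERDICT[stage] for src, stage in deepest.items()}


# Constructed sample records: two clients that touch the chains above, one benign
SAMPLE_LOG = ["\t".join(fields) for fields in [
    ("dns", "10.0.0.25", "10.0.0.1", "relaxtube.tk", "A"),
    ("http", "10.0.0.25", "193.36.35.39", "relaxtube.tk", "GET /engine/classes/js/jquery.js"),
    ("http", "10.0.0.25", "193.36.35.39", "waferako.cf", "GET /linkx.php"),
    ("http", "10.0.0.25", "46.30.46.128", "ds.pacificbeachcar.com", "GET /"),
    ("http", "10.0.0.25", "77.42.157.2", "googlesecurityhtml.com", "POST /"),
    ("tls", "10.0.0.25", "91.219.29.65", "abusenetsdd.com", "CN=placeholder,OU=domain inc"),
    ("http", "10.0.0.31", "5.199.130.155", "realstatistics.pro", "GET /js/analytics.php?id=123"),
    ("http", "10.0.0.31", "151.80.7.122", "hizhr.ouovxl.xyz", "GET /"),
    ("http", "10.0.0.42", "93.184.216.34", "example.com", "GET /index.html"),
]]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for result in found:
        for campaign, role, evidence in result["hits"]:
            print(f"line {result['line']:>2} {result['src']:<10} {campaign:<12} {role:<16} {evidence}")
    for src, verdict in classify_clients(found).items():
        print(f"{src}: {verdict}")
```

The stage ranking is the part worth keeping when adapting this to real logs: a client that only touched the redirect or gate domain needs a different response from one that reached the landing page, and post-infection callbacks (or the matching certificate OU on port 443) are the records that justify treating the host as compromised rather than merely exposed.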

 

DETAILS OF INFECTION CHAIN FOR RIG EK:

Shown above: Malvertising site and redirect gate using the same IP address for their domain names

Shown above: DNS traffic associated with the malvertising GootKit infection

Shown above: Using the Wireshark filter “ssl.handshake.certificates” shows the SSL certificate associated with the malvertising GootKit infection (a different certificate from the one seen in the Neutrino EK traffic) – organizationalUnitName=domain inc

Shown above: Post-infection traffic associated with the malvertising GootKit infection

DETAILS OF INFECTION CHAIN FOR NEUTRINO EK:

Shown above: Compromised site and redirect gate to the Neutrino EK landing page, which delivered GootKit

Shown above: DNS traffic associated with the realstatistics.pro GootKit infection

Shown above: Using the Wireshark filter “ssl.handshake.certificates” shows the SSL certificate associated with the realstatistics.pro GootKit infection (a different certificate from the one seen in the Rig EK traffic) – organizationalUnitName=My Company Ltd

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: