Rig Exploit Kit from 185.158.152.195 delivers Zbot banking malware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered Zbot banking malware.
  • Upon examining the Rig EK metadata, I found that it was encrypted using DoSWF. According to its website http://www.doswf.org/, DoSWF "has been designed specifically for Adobe Flash SWF Files to keep your Actionscript shielded from would-be hackers! DoSWF guards your important Actionscript code from decompilers and reverse engineering techniques."
  • Thanks to @CyberScimitar for his assistance and providing additional indicators of compromise (IOC).

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-08-15-Rig-EK2-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 185.158.152.195 – hgf.houstonworkshop.com – Rig EK LANDING PAGE
  • 115.28.36.224 – www.doswf.com – FLASH ENCRYPTION
  • 95.163.118.88 – specanomirasa.site (DNS QUERY) – POST INFECTION TRAFFIC
  • 95.163.118.88 – vetrogjkzoqe.site POST /forum/visitcounter.php – POST INFECTION TRAFFIC
  • 95.163.118.88 – vetrogjkzoqe.site GET /forum/js/d.dat – POST INFECTION TRAFFIC
  • 95.163.118.88 – vetrogjkzoqe.site GET /forum/js/e.dat – POST INFECTION TRAFFIC
  • 95.163.118.88 – vetrogjkzoqe.site GET /forum/js/f.dat – POST INFECTION TRAFFIC
  • 95.163.118.88 – vetrogjkzoqe.site GET /forum/js/out.dat – POST INFECTION TRAFFIC
  • 95.163.118.88 – vetrogjkzoqe.site GET /forum/js/g.dat – POST INFECTION TRAFFIC
  • 95.163.118.88 – vetrogjkzoqe.site GET /forum/js/h.dat – POST INFECTION TRAFFIC
  • 95.163.118.88 – vetrogjkzoqe.site POST /forum/visitcounter.php – POST INFECTION TRAFFIC

INDICATORS OF COMPROMISE (IOC) PROVIDED BY @CyberScimitar:

C2s from 651B.tmp
hxxp://specanomirasa[.]site/forum/visitcounter.php
hxxp://vetrogjkzoqe[.]site/forum/visitcounter.php

C2s from lqrwcdijop.exe
hxxp://baprikvssil[.]info/forum/visitcounter.php
hxxp://terbilkutavs[.]info/forum/visitcounter.php

5.39.222.185:10090

DNS to domains
hxxp://gerivpnosawq[.]info
hxxp://veryscotiansbel[.]site
hxxp://rebisaretox[.]info
hxxp://vetrogjkzoqe[.]site
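Detection logic for the traffic shape in the two lists above (the post-infection requests and @CyberScimitar's C2 list), as an added example that is not part of the original post: it tags proxy-log requests by host and URI shape and reports internal hosts that touched the Rig EK landing page and then checked in to a Zbot C2. The log format, the internal source addresses and the landing-page URI are constructed for the example; the `uri-pattern-only` tag goes beyond the page by flagging the `/forum/visitcounter.php` and `/forum/js/*.dat` shapes on hosts not in the list, which is a lower-confidence hit that needs analyst review.

```python
import re
from collections import defaultdict

# Hosts taken from the indicator lists on this page.
RIG_LANDING_HOST = "hgf.houstonworkshop.com"
ZBOT_C2_DOMAINS = {"specanomirasa.site", "vetrogjkzoqe.site",
                   "baprikvssil.info", "terbilkutavs.info"}
C2_CHECKIN_RE = re.compile(r"^/forum/visitcounter\.php$")
MODULE_GET_RE = re.compile(r"^/forum/js/[A-Za-z0-9_-]+\.dat$")
# Constructed log format for this example: "<ts> <src-ip> <method> <host> <uri>".
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

def classify(method, host, uri):
    """Detection tag for one request, or None when nothing matched."""
    if host == RIG_LANDING_HOST:
        return "rig-ek-landing"
    known = host in ZBOT_C2_DOMAINS  # known URI shape on an unlisted host = low confidence
    if method == "POST" and C2_CHECKIN_RE.match(uri):
        return "zbot-c2-checkin" if known else "uri-pattern-only"
    if method == "GET" and MODULE_GET_RE.match(uri):
        return "zbot-module-download" if known else "uri-pattern-only"
    return "zbot-domain-other" if known else None

def scan(lines):
    """Group tagged requests by internal source address, in log order."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _, src, method, host, uri = m.groups()
        tag = classify(method, host, uri)
        if tag:
            hits[src].append((tag, host + uri))
    return dict(hits)

def full_chain_hosts(hits):
    """Sources that hit the EK landing page and also checked in to a C2."""
    return sorted(src for src, ev in hits.items()
                  if {"rig-ek-landing", "zbot-c2-checkin"} <= {t for t, _ in ev})

# Constructed sample; the landing URI is a placeholder (the page does not give it).
SAMPLE_LOG = """\
2016-08-15T10:01:02 10.0.0.5 GET hgf.houstonworkshop.com /placeholder-landing-uri
2016-08-15T10:02:10 10.0.0.5 POST vetrogjkzoqe.site /forum/visitcounter.php
2016-08-15T10:02:12 10.0.0.5 GET vetrogjkzoqe.site /forum/js/d.dat
2016-08-15T10:02:13 10.0.0.5 GET vetrogjkzoqe.site /forum/js/out.dat
2016-08-15T10:05:00 10.0.0.9 GET www.example.com /forum/js/app.dat
2016-08-15T10:06:00 10.0.0.9 GET www.example.com /index.html
"""
```

Run `scan(SAMPLE_LOG.splitlines())` to get the tagged events per source address, and pass the result to `full_chain_hosts` to list the hosts that completed the landing-page-then-check-in sequence.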


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig EK exploit and the Zbot infection


Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig EK landing page to start the infection chain. The page source can be viewed by right-clicking the web page and selecting "View source".


Shown above: Post-infection DNS queries associated with the Zbot infection


Shown above: After extracting the Rig Flash exploit and saving it as a .swf file, it was decompiled with Flare (http://www.nowrap.de/flare.html) and its metadata examined in a text editor. The metadata shows that the Rig EK Flash file was encrypted with DoSWF.


Shown above: Post-infection Windows directory listing and the associated malicious files


MALICIOUS PAYLOAD ASSOCIATED WITH THE RIG EXPLOIT: