Rig Exploit Kit via EITEST delivers CrypMic and Tinba Banking Malware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered CrypMic Ransomware and what appears to be Tinba banking malware via the EITEST campaign.
  • The EITEST campaign has continued to use the Rig EK since switching from the Neutrino EK on August 15th, 2016.
  • EITEST has returned to distributing CrypMic ransomware, now via the Rig EK rather than Neutrino.
  • The ransom payment site address used by this EITEST CrypMic campaign has changed.
  • The Tinba banking malware traffic was detected by the Emerging Threats ruleset.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-08-19-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.13 – cukese.xyz – EITEST GATE
  • 131.72.139.30 – v9ywo.titutoneheckwas.top – RIG EK LANDING PAGE
  • 217.28.218.220 – yyvyppiidpbc.online POST /tyghnbv/ – TINBA POST-INFECTION TRAFFIC
  • 115.28.36.224 – www.doswf.com GET /copyright – FLASH ENCRYPTION (DoSWF) CHECK-IN
  • 85.14.243.9 – Port 443 – C2 CHECK-IN – POST-INFECTION TRAFFIC
  • 109.230.199.18 – NUMEROUS .ZIP POST-INFECTION DOWNLOADS
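As an added example (not part of the original Broad Analysis post), the script below does the first pass an analyst would do on a capture like the one provided: it walks a classic pcap, pulls the request line and Host header out of each HTTP request, and tags the requests that hit the hostnames or IPs listed above, in the order the infection chain produced them. It uses only the Python standard library, so it runs without scapy or tshark. The pcap bytes it runs on are constructed inline for demonstration and are not taken from the zipped capture; apart from the Tinba POST /tyghnbv/, the request paths are placeholders.

```python
"""Tag HTTP requests in a pcap that hit the Rig EK / EITEST / Tinba indicators listed
on this page. Standard library only: pcap header, Ethernet, IPv4 and TCP are parsed by
hand. The capture at the bottom is CONSTRUCTED for this example, not the real pcap."""
import struct

# Indicators copied from the list above. The 443 C2 check-in is not included: it is
# not plaintext HTTP, so this request parser would never see it.
INDICATORS = {
    "cukese.xyz": "EITEST gate",
    "v9ywo.titutoneheckwas.top": "Rig EK landing page",
    "yyvyppiidpbc.online": "Tinba post-infection POST",
    "www.doswf.com": "DoSWF Flash check-in",
    "109.230.199.18": ".zip post-infection downloads",  # IP only, matched on destination
}
PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic as seen from a big-endian writer

def iter_frames(data):
    """Yield each captured frame's bytes from a classic (not pcapng) pcap blob."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def parse_http_request(frame):
    """Return (dst_ip, dst_port, method, uri, host) if the frame carries an HTTP request."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None  # too short for Ethernet+IPv4+TCP, or not IPv4
    ip = frame[14:]
    if ip[9] != 6:
        return None  # not TCP
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[(ip[0] & 0x0F) * 4:]
    dst_port = struct.unpack_from(">H", tcp, 2)[0]
    payload = tcp[(tcp[12] >> 4) * 4:]
    if payload[:4] not in (b"GET ", b"POST"):
        return None  # bare ACKs, TLS records, responses, etc.
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    request_line = head[0].split(b" ")
    if len(request_line) < 2:
        return None
    host = ""
    for header in head[1:]:
        if header.lower().startswith(b"host:"):
            host = header.split(b":", 1)[1].strip().decode("ascii", "replace")
    method, uri = (part.decode("ascii", "replace") for part in request_line[:2])
    return dst_ip, dst_port, method, uri, host

def match_indicators(pcap_bytes):
    """Return [(label, method, host, uri, dst_ip)] for requests to a listed host or IP."""
    hits = []
    for frame in iter_frames(pcap_bytes):
        req = parse_http_request(frame)
        if req is None:
            continue
        dst_ip, _port, method, uri, host = req
        label = INDICATORS.get(host) or INDICATORS.get(dst_ip)  # hostname first, then IP
        if label:
            hits.append((label, method, host, uri, dst_ip))
    return hits

# --- constructed sample capture (not the zipped pcap from the post) ---------------
def build_frame(src_ip, dst_ip, dst_port, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which is fine offline."""
    tcp = struct.pack(">HHIIBBHHH", 49152, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1471600000 + i, 0, len(frame), len(frame)) + frame
    return out

# Paths other than the Tinba POST /tyghnbv/ are placeholders, not the real URLs.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.50", "85.93.0.13", 80,
                b"GET /placeholder HTTP/1.1\r\nHost: cukese.xyz\r\n\r\n"),
    build_frame("192.168.1.50", "131.72.139.30", 80,
                b"GET /placeholder HTTP/1.1\r\nHost: v9ywo.titutoneheckwas.top\r\n\r\n"),
    build_frame("192.168.1.50", "217.28.218.220", 80,
                b"POST /tyghnbv/ HTTP/1.1\r\nHost: yyvyppiidpbc.online\r\nContent-Length: 0\r\n\r\n"),
    build_frame("192.168.1.50", "109.230.199.18", 80,
                b"GET /placeholder.zip HTTP/1.1\r\nHost: 109.230.199.18\r\n\r\n"),
    build_frame("192.168.1.50", "93.184.216.34", 80,
                b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # benign, must not match
])
```

To run it against the real capture, unzip the pcap and call `match_indicators(open("2016-08-19-Rig-EK.pcap", "rb").read())`. Two caveats a practitioner should keep in mind: the parser looks at single TCP segments and does not reassemble streams, so a request whose headers span segments will be missed (tshark or a full-stack parser handles that), and the 85.14.243.9 check-in on port 443 is TLS, so it has to be picked out by destination IP and port, not by request parsing.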

ASSOCIATED DOMAINS FOR RANSOM PAYMENT (Tor2web gateways to the same .onion address):

http://3h7vwmdail76zfzk.onion.to
http://3h7vwmdail76zfzk.onion.city


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Rig exploit, CrypMic ransomware and Tinba infection.


Shown above: Injected script found on compromised site redirecting to the EITEST redirect gate


Shown above: Snort alerts generated by the Emerging Threats Ruleset


Shown above: CrypMic ransom notes and associated payment sites


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
(Included in zip file)