Rig Exploit Kit via EITEST delivers Smokebot and Dreambot

NOTES:

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-08-25-Rig-EK-Smokebot-pcap.zip

DOMAINS AND IP ADDRESSES ASSOCIATED WITH ORIGINAL INFECTION:

  • 85.93.0.13 – cutil.xyz – EITEST GATE
  • 178.32.92.114 – nxiymnj8ap.top – Rig EK LANDING PAGE


IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of the malicious payload, which failed to execute.

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the EITEST gate to start the infection chain. The web page source can be viewed by right-clicking the page and selecting “View source”.

Shown above: Script found on the EITEST gate redirecting to the Rig exploit landing page.

Shown above: Partial contents of the malicious payload delivered by the Rig EK, which failed to execute. The payload was found in the C:\Users\%UserName%\AppData\Local\Temp directory, named 315E.tmp.

DOMAINS AND IP ADDRESSES ASSOCIATED WITH @CyberScimitar ANALYSIS:

  • 204.79.197.203 – www.msn.com GET / – Smokebot Connection Check
  • 23.72.208.160 – www.microsoft.com GET / – Smokebot Connection Check
  • 23.72.192.132 – www.adobe.com POST / – Smokebot Connection Check
  • 104.238.131.117 – loremipsumdolorsitamet.pw POST / – Smokebot C&C
  • 23.72.204.132 – java.com POST / – Smokebot Connection Check
  • 185.141.25.64 – GET /banner/1200.exe – Dreambot Download
  • 216.99.193.149 – korats.com GET /Sunkats/images/tr_w.so – Dreambot Post Infection Traffic
  • 37.48.122.26 – curlmyip.net – Dreambot IP Address Check
  • 5.39.55.14 – updates.merqurio.it GET /iphone/Pdr94.so – Dreambot Post Infection Download
  • 62.149.128.160 – particolardesign.it GET /wp-includes/ID3/ts/904855tos.so – Dreambot Post Infection Traffic
  • 62.149.140.195 – www.particolardesign.it GET /wp-includes/ID3/ts/904855tos.so – Dreambot Post Infection Traffic
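As an added example (not code from the original post or from @CyberScimitar's analysis), the script below matches proxy-log lines against the indicators in the two lists above and labels each hit with its stage in the chain, flagging a Smokebot C&C POST only when it follows the connectivity checks from the same client. The log layout, the client IP and the timestamps are assumptions; the sample log is constructed, not captured traffic.

```python
# Added example, not code from the original post: tag proxy-log requests with their stage in the chain.
import re
from collections import defaultdict
IOCS = [  # (host, method or None, exact path or None, stage label), taken from the lists above
    ("cutil.xyz", None, None, "EITEST gate"),
    ("nxiymnj8ap.top", None, None, "Rig EK landing page"),
    ("loremipsumdolorsitamet.pw", "POST", "/", "Smokebot C&C"),
    ("185.141.25.64", "GET", "/banner/1200.exe", "Dreambot download"),
    ("curlmyip.net", None, None, "Dreambot IP address check"),
    ("particolardesign.it", "GET", "/wp-includes/ID3/ts/904855tos.so", "Dreambot post-infection traffic"),
]
# Legitimate sites Smokebot hits for its connectivity check before it beacons to the C&C.
CONN_CHECKS = {"www.msn.com", "www.microsoft.com", "www.adobe.com", "java.com"}
# Assumed log layout (not from the page): "<timestamp> <client-ip> <METHOD> <url>", one request per line.
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) https?://([^/\s]+)(\S*)")

def parse(line):
    m = LOG_RE.match(line)               # returns None for lines that do not fit the layout
    if m:
        _, src, method, host, path = m.groups()
        return {"src": src, "method": method, "host": host.lower(), "path": path or "/"}

def match_ioc(ev):
    for host, method, path, label in IOCS:   # stage label of the first matching indicator
        if ev["host"] == host and method in (None, ev["method"]) and path in (None, ev["path"]):
            return label
    return None

def scan(lines):
    """Map each client IP to the ordered stages seen. A Smokebot C&C POST preceded by two or
    more connectivity checks from the same client is flagged; the checks alone are normal."""
    hits, checks = defaultdict(list), defaultdict(int)
    for ev in filter(None, map(parse, lines)):
        if ev["host"] in CONN_CHECKS and ev["path"] == "/":
            checks[ev["src"]] += 1
            continue
        label = match_ioc(ev)
        if label == "Smokebot C&C" and checks[ev["src"]] >= 2:
            label += " (after connectivity checks)"
        if label:
            hits[ev["src"]].append(label)
    return dict(hits)
# Constructed sample log (timestamps and client IP are made up) walking the chain end to end.
SAMPLE_LOG = """2016-08-25T10:00:01Z 10.0.0.5 GET http://cutil.xyz/
2016-08-25T10:00:02Z 10.0.0.5 GET http://nxiymnj8ap.top/
2016-08-25T10:05:10Z 10.0.0.5 GET http://www.msn.com/
2016-08-25T10:05:11Z 10.0.0.5 GET http://www.microsoft.com/
2016-08-25T10:05:12Z 10.0.0.5 POST http://loremipsumdolorsitamet.pw/
2016-08-25T10:05:20Z 10.0.0.5 GET http://185.141.25.64/banner/1200.exe""".splitlines()
```

Running `scan(SAMPLE_LOG)` reports the four chain stages for 10.0.0.5 in order; the two connectivity checks are consumed silently and only surface as the qualifier on the C&C hit.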

IMAGES AND DETAILS OF POST INFECTION CHAIN:

Shown above: Network traffic associated with the Smokebot and Dreambot infection.

Shown above: Network traffic associated with the Dreambot infection.

Shown above: Smokebot C&C redirecting to the Dreambot download file 1200.exe.

Shown above: Smokebot post-infection download associated with Dreambot.

Shown above: Partial contents of the file download associated with Dreambot (Tor client).

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:


FINAL NOTES:

  • The above information is provided as Indicators of Compromise (IOCs). Hope this helps.
  • Again, thanks to @CyberScimitar for his post-infection analysis.