EiTest campaign drops flash gate for obfuscated script sending GootKit banking malware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered GootKit banking malware via the EITEST campaign.
  • The EITEST campaign has dropped the use of its signature flash redirect gate for the obfuscated script redirect only.
  • History on the EiTest campaign and its use of the flash redirect gate from a MalwareBytes post – Exposing the Flash ‘EITest’ malware campaign

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-10-03-Rig-EK-pcaps.zip

Shown above: EiTest campaign flash redirect gate used on September 26th 2016 prior to being dropped

Shown above: Partial packet contents of EiTest campaign flash redirect gate used on September 26th 2016 prior to being dropped

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • dxf-world.de – COMPROMISED SITE
  • 185.117.73.94 – b6l2op.dxzvkr.top – RIG EK LANDING PAGE
  • 116.127.248.229 – beargrizzler.win – Port 443 and 80 GOOTKIT POST INFECT TRAFFIC
  • 120.114.184.49 – beargrizzler.win – GOOTKIT POST INFECTION TRAFFIC
  • 116.127.248.229 – bearbigger.top – Port 443 and 80 GOOTKIT POST INFECT TRAFFIC
  • 120.114.184.49 – bearbigger.top – GOOTKIT POST INFECTION TRAFFIC
  • badbigbearr.com – NO DNS RECORD

  • bluristorante.com – COMPROMISED SITE
  • 185.117.73.94 – b6l2op.dxzvkr.top – RIG EK LANDING PAGE
  • 79.110.251.102 – bigikurik.com – Port 443 and 80 GOOTKIT POST INFECT TRAFFIC
  • 199.180.115.105 – bigikurik.com – NO NETWORK COMMUNICATION
  • tibilanruk.com – NO RECORD
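To turn the indicator list above into a per-host check, here is an added example (hypothetical analysis code, not from this post or broadanalysis.com) that correlates constructed DNS, HTTP and connection events against those domains and IPs and reports which stages of the EiTest -> Rig EK -> GootKit chain each host went through. The event tuple format and the 10.0.0.x victim addresses are assumptions.

```python
"""Reconstruct the EiTest -> Rig EK -> GootKit chain per host from
constructed events, using the indicators listed in this post."""
from collections import defaultdict

# Domain -> role, copied from the post's indicator list.
INDICATORS = {
    "dxf-world.de": "COMPROMISED SITE",
    "bluristorante.com": "COMPROMISED SITE",
    "b6l2op.dxzvkr.top": "RIG EK LANDING PAGE",
    "beargrizzler.win": "GOOTKIT C2",
    "bearbigger.top": "GOOTKIT C2",
    "bigikurik.com": "GOOTKIT C2",
}
# Post-infection IPs from the post; used when no DNS answer was seen.
C2_IPS = {"116.127.248.229", "120.114.184.49", "79.110.251.102"}
# Stage order of a complete infection.
STAGES = ["COMPROMISED SITE", "RIG EK LANDING PAGE",
          "GOOTKIT C2 DNS", "GOOTKIT C2 TRAFFIC"]

# Constructed sample events (NOT taken from the pcap):
# (timestamp, source host, kind, hostname, ip, destination port)
EVENTS = [
    (1, "10.0.0.5", "http", "dxf-world.de", "", 80),
    (2, "10.0.0.5", "http", "b6l2op.dxzvkr.top", "185.117.73.94", 80),
    (3, "10.0.0.5", "dns", "beargrizzler.win", "116.127.248.229", 0),
    (4, "10.0.0.5", "conn", "", "116.127.248.229", 443),
    (5, "10.0.0.9", "http", "bluristorante.com", "", 80),
    (6, "10.0.0.9", "conn", "", "116.127.248.229", 443),  # no DNS seen
]

def classify(event, resolved):
    """Map one event to an infection stage, or None if unrelated."""
    _ts, src, kind, name, ip, port = event
    if kind == "http":
        return INDICATORS.get(name)
    if kind == "dns" and name in INDICATORS:
        role = INDICATORS[name]
        if role != "GOOTKIT C2":
            return role
        if ip:  # remember which C2 name this host resolved to this IP
            resolved[(src, ip)] = name
        return "GOOTKIT C2 DNS"
    if kind == "conn" and port in (80, 443):
        if (src, ip) in resolved or ip in C2_IPS:
            return "GOOTKIT C2 TRAFFIC"
    return None

def reconstruct_chain(events):
    """Return {host: [stages in order of first sighting]}."""
    seen, resolved = defaultdict(list), {}
    for event in sorted(events):
        stage = classify(event, resolved)
        if stage and stage not in seen[event[1]]:
            seen[event[1]].append(stage)
    return dict(seen)

def full_chain_hosts(events):
    """Hosts that show every stage, in the expected order."""
    return sorted(h for h, s in reconstruct_chain(events).items() if s == STAGES)
```

A host that reaches a C2 IP without a preceding DNS answer (10.0.0.9 above) is still flagged, but shows up as a partial chain rather than a complete one.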

DETAILS OF INFECTION CHAIN FOR RIG EK:

Shown above: Network traffic associated with the Rig exploit and GootKit infection

Shown above: Network traffic associated with the Rig exploit and GootKit infection

Shown above: Obfuscated injected script found on index page of compromised site associated with the EiTest campaign which redirects visitors to the Rig EK landing page – Web page source code can be found by right clicking on web page and selecting “View source”

Shown above: DNS traffic associated with the GootKit infection

Shown above: More DNS traffic associated with the GootKit infection

Shown above: SSL certificate organizationalUnitName=StartCom Ltd. associated with GootKit post infection

MALICIOUS PAYLOAD ASSOCIATED WITH THE RIG EXPLOIT:

[UPDATE] – MORE INDICATORS OF COMPROMISE (IOC):
