Rig Exploit Kit via EITEST delivers SmokeBot DreamBot banking malware



NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered SmokeBot and DreamBot banking malware via the EITEST campaign.
  • Reference: Proofpoint – Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality.
  • Replaying the pcap file with Snort using the Emerging Threats open ruleset generated alerts on about 98 TOR SSL IP addresses. I added the Snort Alert log file containing these IP addresses to the zip file.

I have added a zipped pcap file for your analysis. The password is the one usually used by malware researchers. If you do not know it, please email me at info@broadanalysis.com.

PCAP file of the infection traffic:
2016-10-04-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • alimentonlocal.fr – COMPROMISED SITE
  • 185.117.73.215 – hyt8.yi0k0299n.top – RIG EK LANDING PAGE
  • 23.63.188.67 – www.microsoft.com – GET / – Smokebot Connection Check
  • 23.63.188.67 – www.microsoft.com – GET /en-ca/ – Smokebot Connection Check
  • 104.238.131.117 – loremipsumdolorsitamet.pw – POST / – Smokebot C&C
  • 185.141.25.64 – GET /banner/1200.exe – Dreambot Download
  • 50.62.111.1 – advanceroyaltysolutions.com – GET /GoogleEarth/KlOpAnAuI49M.iso – Dreambot Post Infection Traffic
  • 37.48.122.26 – curlmyip.net – Dreambot IP Address Check
  • 162.220.246.43 – GET /footer-bg.jpg – Dreambot Post Infection Traffic
  • 94.76.75.232 – exafull.at – Dreambot Post Infection Traffic
  • 188.212.158.206 – jss-cdn.at – Dreambot Post Infection Traffic
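
The chain in the list above, turned into a per-client sweep over web proxy logs so that a lone connection check to www.microsoft.com is not mistaken for an infection. This is an added example, not part of the original post; the log format, client addresses and sample lines are constructed for illustration, while the hosts and paths come from the indicator list.

```python
import re
from collections import defaultdict
# Chain stages from the indicator list above: (host, URI prefix, label). The
# download is matched on the bare IP because the list gives no hostname for it.
STAGES = [
    ("hyt8.yi0k0299n.top",        "/",                "Rig EK landing page"),
    ("www.microsoft.com",         "/",                "SmokeBot connection check"),
    ("loremipsumdolorsitamet.pw", "/",                "SmokeBot C&C POST"),
    ("185.141.25.64",             "/banner/1200.exe", "DreamBot download"),
    ("curlmyip.net",              "/",                "DreamBot IP address check"),
]
# A GET to www.microsoft.com is ordinary browsing, so only these stages alert.
ALERT_STAGES = {"SmokeBot C&C POST", "DreamBot download"}
# Hypothetical proxy log format: "<epoch> <client_ip> <method> <host> <path>".
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\S+)$")
# Constructed sample (not from the pcap): 10.0.0.7 walks the chain, 10.0.0.5
# only visits microsoft.com, and the last line is deliberately malformed.
SAMPLE_LOG = """\
1475577600 10.0.0.5 GET www.microsoft.com /en-ca/
1475577612 10.0.0.7 GET hyt8.yi0k0299n.top /
1475577620 10.0.0.7 GET www.microsoft.com /
1475577621 10.0.0.7 POST loremipsumdolorsitamet.pw /
1475577630 10.0.0.7 GET 185.141.25.64 /banner/1200.exe
1475577640 10.0.0.7 GET curlmyip.net /
not a log line
"""

def classify(method, host, path):
    """Return the chain stage for one request, or None if it matches none."""
    for stage_host, prefix, label in STAGES:
        if host == stage_host and path.startswith(prefix):
            if label == "SmokeBot C&C POST" and method != "POST":
                continue  # the C&C indicator on the page is a POST, not a GET
            return label
    return None

def reconstruct_chains(log_text):
    """Per client, the distinct chain stages seen, in timestamp order."""
    events = sorted((int(m[1]), m[2], m[3], m[4], m[5])  # malformed lines drop out
                    for m in map(LOG_RE.match, log_text.splitlines()) if m)
    chains = defaultdict(list)
    for _, client, method, host, path in events:
        label = classify(method, host, path)
        if label and label not in chains[client]:
            chains[client].append(label)
    return dict(chains)

def infected_clients(log_text):  # clients that reached a stage in ALERT_STAGES
    return sorted(c for c, seen in reconstruct_chains(log_text).items()
                  if ALERT_STAGES & set(seen))
```

The client that only touched www.microsoft.com is reported with a single "connection check" stage and never alerted, which is the false positive a host-only IOC match would produce.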

DNS TRAFFIC ASSOCIATED WITH INFECTION:


IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of SmokeBot and DreamBot

Shown above: Obfuscated script injected into the index page of the compromised site, associated with the EITEST campaign, which redirects visitors to the Rig EK landing page. The page source can be viewed by right-clicking the web page and selecting “View source”

Shown above: SmokeBot C&C redirecting to the DreamBot download file 1200.exe

Shown above: SmokeBot post-infection download associated with DreamBot

Shown above: Partial contents of the downloaded file associated with DreamBot – Tor client

Shown above: Post-infection traffic associated with DreamBot

Shown above: DNS network traffic associated with the SmokeBot/DreamBot infection

Shown above: Registry key associated with the Tor client and DreamBot

Shown above: Some Snort alerts generated by the Emerging Threats open ruleset

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: