Rig Exploit Kit via EITEST delivers Hancitor aka Chanitor loader

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered the Hancitor aka Chanitor loader via the EITEST campaign.
  • Hancitor aka Chanitor is a loader commonly used to download other malware such as pony and vawtrak.
  • Thanks to @CyberScimitar for finding and sharing the compromised site, along with further analyzing the malicious payload.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-10-05-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.terminustees.com – COMPROMISED SITE
  • 185.117.72.142 – g8l4a.yanvnep.top – RIG EK LANDING PAGE
  • 54.197.251.22 – api.ipify.org – IP ADDRESS CHECK
  • 198.105.254.228 – morowtyateld.ru POST /ls6/gate.php – NO COMMUNICATION
  • 91.217.90.134 – gotevengsorol.ru POST /ls6/gate.php – HANCITOR C&C
  • 92.243.94.176 – donhenmuchit.com – DNS QUERY – NO COMMUNICATION
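As an added example (not the post's own code or tooling), the script below matches the indicators listed above against proxy and DNS log lines. The log format and the sample lines are constructed for the demonstration; the indicators and their roles are transcribed from the list. One assumption of this example goes beyond the post: because both C&C hosts receive POSTs to /ls6/gate.php, a POST to that path on a host that is not on the list is surfaced as a lower-confidence hit.

```python
"""Indicator matching for the Rig EK / Hancitor traffic described in this post.

Added example: the log format and the sample lines are constructed; the
indicators and roles come from the post's list.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Indicators and roles transcribed from the post's list.
INDICATORS = {
    "www.terminustees.com": "COMPROMISED SITE",
    "185.117.72.142": "RIG EK LANDING PAGE",
    "g8l4a.yanvnep.top": "RIG EK LANDING PAGE",
    "54.197.251.22": "IP ADDRESS CHECK",
    "api.ipify.org": "IP ADDRESS CHECK",
    "198.105.254.228": "POST /ls6/gate.php - NO COMMUNICATION",
    "morowtyateld.ru": "POST /ls6/gate.php - NO COMMUNICATION",
    "91.217.90.134": "HANCITOR C&C",
    "gotevengsorol.ru": "HANCITOR C&C",
    "92.243.94.176": "DNS QUERY - NO COMMUNICATION",
    "donhenmuchit.com": "DNS QUERY - NO COMMUNICATION",
}

# Both C&C hosts in the post receive POSTs to this path. Treating the path on
# its own as a weaker indicator is an assumption of this example, not a claim
# of the post; it lets check-ins to hosts not yet on the list be reviewed.
C2_URI = "/ls6/gate.php"
C2_METHOD = "POST"

# Constructed log format: "<timestamp> <client_ip> DNS <qname>" or
# "<timestamp> <client_ip> HTTP <host> <method> <uri>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>DNS|HTTP) (?P<host>\S+)"
    r"(?: (?P<method>[A-Z]+) (?P<uri>\S+))?$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str          # client that made the request
    indicator: str    # host/IP or URI that matched
    role: str         # role of the indicator as labelled in the post
    confidence: str   # "high" for a listed host/IP, "medium" for a path-only match


def normalise_host(host: str) -> str:
    """Lower-case and drop a trailing dot so DNS qnames compare with the list."""
    return host.lower().rstrip(".")


def match_line(line: str) -> Optional[Hit]:
    """Return a Hit if the log line touches a listed indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignored, never counted as a hit
    host = normalise_host(m.group("host"))
    if host in INDICATORS:
        return Hit(m.group("ts"), m.group("src"), host, INDICATORS[host], "high")
    # Path-only rule: query string stripped before comparing with the C&C path.
    if (m.group("kind") == "HTTP" and m.group("method") == C2_METHOD
            and m.group("uri").split("?")[0] == C2_URI):
        return Hit(m.group("ts"), m.group("src"), C2_URI,
                   "HANCITOR CHECK-IN PATH (host not in list)", "medium")
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run match_line over every log line and collect the hits."""
    return [h for h in (match_line(l) for l in lines) if h is not None]


def hancitor_clients(hits: Iterable[Hit]) -> Set[str]:
    """Clients that resolved or contacted a Hancitor C&C, i.e. likely infected."""
    return {h.src for h in hits
            if h.role == "HANCITOR C&C" or h.confidence == "medium"}


# Constructed sample lines in the format above (not taken from the post's pcap).
SAMPLE_LOG = [
    "2016-10-05T14:01:02 10.0.0.5 DNS www.terminustees.com.",
    "2016-10-05T14:01:03 10.0.0.5 HTTP www.terminustees.com GET /",
    "2016-10-05T14:01:05 10.0.0.5 DNS g8l4a.yanvnep.top",
    "2016-10-05T14:01:06 10.0.0.5 HTTP 185.117.72.142 GET /",
    "2016-10-05T14:01:20 10.0.0.5 HTTP api.ipify.org GET /",
    "2016-10-05T14:01:22 10.0.0.5 DNS morowtyateld.ru",
    "2016-10-05T14:01:25 10.0.0.5 HTTP gotevengsorol.ru POST /ls6/gate.php",
    "2016-10-05T14:01:30 10.0.0.5 DNS donhenmuchit.com",
    "2016-10-05T14:02:00 10.0.0.7 HTTP www.example.com GET /index.html",
    "2016-10-05T14:02:10 10.0.0.9 HTTP other-host.test POST /ls6/gate.php?id=1",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.ts} {hit.src} -> {hit.indicator} [{hit.role}] ({hit.confidence})")
    print("likely infected:", sorted(hancitor_clients(hits)))
```

Run against the sample lines, the scan reports nine hits: the full chain from the compromised site through the landing page, IP check and C&C on 10.0.0.5, plus the medium-confidence path-only hit from 10.0.0.9; the unrelated GET and the unparseable line produce nothing. Only hosts with a "HANCITOR C&C" role, or the path-only rule, mark a client as likely infected, so a DNS query for a "NO COMMUNICATION" domain is recorded but does not by itself flag the client.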


IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of the Hancitor loader


Shown above: Obfuscated injected script found on the index page of the compromised site, associated with the EiTest campaign, which redirects visitors to the Rig EK landing page


Shown above: DNS network traffic associated with the Hancitor loader infection


Shown above: Hancitor loader network communication with the command and control (C&C) host


Shown above: Hancitor disguises itself as Malwarebytes Anti-Malware in Windows start-up


Shown above: File details for Hancitor loader


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: