Rig Exploit Kit via EITEST delivers Hancitor aka Chanitor loader
- Today I captured traffic from the Rig Exploit Kit (EK) which delivered the Hancitor aka Chanitor loader via the EITEST campaign.
- Hancitor aka Chanitor is a loader commonly used to download other malware such as pony and vawtrak.
- Thanks to @CyberScimitar for finding and sharing compromised site, along with further analyzing malicious payload.
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- www.terminustees.com – COMPROMISED SITE
- 220.127.116.11 – g8l4a.yanvnep.top – RIG EK LANDING PAGE
- 18.104.22.168 – api.ipify.org – IP ADDRESS CHECK
- 22.214.171.124 – morowtyateld.ru POST /ls6/gate.php – NO COMMUNICATION
- 126.96.36.199 – gotevengsorol.ru POST /ls6/gate.php – HANCITOR C&C
- 188.8.131.52 – donhenmuchit.com – DNS QUERY – NO COMMUNICATION
IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: