Rig Exploit Kit via EITest delivers Ursnif variant

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered a variant of Ursnif via the EITest campaign. (Quick post for Indicators of Compromise.)
  • Ursnif is classified as data stealing malware.
  • The Ursnif variant closely resembles the banking malware Gozi ISFB.
  • I have provided a link to a Gozi ISFB publication – Gozi ISFB When A Bug Really Is A Feature – should you want to research further.
  • Thanks to @CyberScimitar for finding and sharing the compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-10-11-Rig-EK-2-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • jacosmarine.com – COMPROMISED SITE
  • 185.106.120.229 – a8y1w.c75apif.top – RIG EK LANDING PAGE
  • 17.251.224.146 – opensource.apple.com GET /source/Security/Security-29/SecureTransport/LICENSE.txt?txt – POSSIBLY USED FOR DOMAIN GENERATION ALGORITHM (DGA)
  • 91.215.52.106 – thenotwithsoldsuequiv.ru GET /key/x64.bin – POST INFECT TRAFFIC
  • 37.48.122.26 – curlmyip.net – IP ADDRESS CHECK
  • 46.35.239.253 – andfeinclinternal.ru GET /images/ – POST INFECT TRAFFIC
  • 198.105.254.228 – anyconsequentialterms.ru GET /images/ – POST INFECT TRAFFIC
  • 198.105.254.228 – unilicensewhen.ru GET /images/ – POST INFECT TRAFFIC
  • 198.105.254.228 – apersonengcommeylimit.ru GET /images/ – POST INFECT TRAFFIC
  • 198.105.254.228 – uninotclausesyshalltafor.ru GET /images/ – POST INFECT TRAFFIC
  • 46.35.239.253 – andfeinclinternal.ru POST /images/ – POST INFECT TRAFFIC
  • 198.105.254.228 – anyconsequentialterms.ru POST /images/ – POST INFECT TRAFFIC
  • 198.105.254.228 – unilicensewhen.ru POST /images/ – POST INFECT TRAFFIC
  • 198.105.254.228 – apersonengcommeylimit.ru POST /images/ – POST INFECT TRAFFIC
  • 198.105.254.228 – uninotclausesyshalltafor.ru POST /images/ – POST INFECT TRAFFIC
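
One way to test the DGA hypothesis in the list above from the defender's side, as an added example that is not part of the original post: score each observed domain by how much of its registrable label can be covered by words, or leading fragments of words, taken from a candidate seed text. The seed excerpt below is constructed, the benign hosts from the list are kept in as controls, and the assumption that the DGA joins word prefixes is drawn only from the shape of the observed names; this is an analyst's heuristic, not Ursnif's own algorithm.

```python
import re

# Constructed licence-like excerpt standing in for the text a sample might fetch (the post
# notes a GET for a LICENSE.txt, possibly used by the DGA). Assumption from the shape of the
# observed names: the DGA joins words or leading word fragments. Heuristic, not Ursnif's code.
SEED_TEXT = """
Any consequential terms of this license shall not apply. The software is sold
with no warranty, and the internal limit of liability for any clause shall be
equivalent to the fees paid, including a person or engagement of commercial
units when suing under the terms.
"""
MIN_FRAG = 3  # shortest fragment accepted; 1-2 letter pieces would match anything
OBSERVED = [
    "jacosmarine.com", "a8y1w.c75apif.top", "opensource.apple.com", "curlmyip.net",
    "thenotwithsoldsuequiv.ru", "andfeinclinternal.ru", "anyconsequentialterms.ru",
    "unilicensewhen.ru", "apersonengcommeylimit.ru", "uninotclausesyshalltafor.ru",
]

def build_vocab(text):
    """Every prefix of length >= MIN_FRAG of every word in the seed text."""
    vocab = set()
    for word in re.findall(r"[a-z]+", text.lower()):
        vocab.update(word[:n] for n in range(MIN_FRAG, len(word) + 1))
    return vocab

def best_cover(label, vocab):
    """Return (covered_chars, fragments) for the most of label that non-overlapping
    vocabulary fragments cover; best[i] describes label[:i], whose last character
    is either skipped or ends a fragment label[j:i] present in the vocabulary."""
    best = [(0, [])]
    for i in range(1, len(label) + 1):
        cov, frags = best[i - 1]
        for j in range(0, i - MIN_FRAG + 1):
            piece = label[j:i]
            if piece in vocab and best[j][0] + len(piece) > cov:
                cov, frags = best[j][0] + len(piece), best[j][1] + [piece]
        best.append((cov, frags))
    return best[-1]

def flag_word_dga(domains, vocab, min_cover=0.8, min_frags=3):
    """Map each flagged domain to (coverage, fragments) of its registrable label."""
    flagged = {}
    for domain in domains:
        parts = domain.lower().rstrip(".").split(".")
        label = parts[-2] if len(parts) > 1 else parts[0]
        cov, frags = best_cover(label, vocab)
        # min_frags keeps ordinary one-word names (e.g. "apple" vs seed "apply") out
        if cov / len(label) >= min_cover and len(frags) >= min_frags:
            flagged[domain] = (round(cov / len(label), 2), frags)
    return flagged
```

With this seed all six .ru names are flagged while the controls are not: the label "apple" is 80% covered by the seed word "apply" but as a single fragment, which is why the check also demands at least three fragments.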


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig EK infection and the delivery of the Ursnif variant


Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig EK landing page to start the infection chain – the page source can be viewed by right-clicking on the web page and selecting “View source”


Shown above: Snort alerts generated by the Emerging Threats Open ruleset


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: