Rig Exploit Kit via EiTest delivers malicious payloads

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered malicious payloads via the EITEST campaign.
  • The post infection traffic appears similar to Buhtrap banking malware.
  • Thanks to @mesa_matt for sharing reference information.
  • Thanks to @CyberScimitar for finding and sharing information on compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-10-19-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.le-hameau-du-kashmir.com – COMPROMISED SITE
  • 185.141.26.14 – rn58cb.f298wh.top – RIG EK LANDING PAGE
  • 87.98.130.234 – dns.dot-bit.org – DNS QUERY – NO TRAFFIC
  • 50.116.23.211 – DNS QUERY OVER TCP FOR cash-money-analitica.bit
  • 188.138.71.117 – POST /r/z.php – cash-money-analitica.bit – CnC TRAFFIC


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of malicious payloads


Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig EK landing page to start the infection chain


Shown above: Post-infection DNS traffic.

NOTE: The malicious payload communicates with an external DNS server over TCP instead of the usual UDP.
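Hunting for this pattern in DNS logs, as an added example that is not part of the original post: the records below are constructed Zeek-style dns.log lines that reuse the addresses and domains listed above; the internal resolver 10.0.0.53 and the benign TCP fallback query for large-txt.example.com are assumptions.

```python
"""Flag DNS-over-TCP to an external resolver and queries for the .bit TLD in Zeek-style dns.log lines."""
from dataclasses import dataclass

# Constructed sample log, tab-separated in the order of Zeek dns.log fields
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, query.
# 10.0.0.53 is an assumed internal resolver; line 4 is an assumed benign
# TCP fallback (truncated UDP answer); line 5 mirrors the post-infection query.
SAMPLE_DNS_LOG = """\
1476900000.1\t192.168.1.20\t51000\t10.0.0.53\t53\tudp\twww.le-hameau-du-kashmir.com
1476900001.2\t192.168.1.20\t51001\t10.0.0.53\t53\tudp\trn58cb.f298wh.top
1476900002.3\t192.168.1.20\t51002\t10.0.0.53\t53\tudp\tdns.dot-bit.org
1476900003.4\t192.168.1.20\t51003\t10.0.0.53\t53\ttcp\tlarge-txt.example.com
1476900004.5\t192.168.1.20\t51004\t50.116.23.211\t53\ttcp\tcash-money-analitica.bit
"""

APPROVED_RESOLVERS = {"10.0.0.53"}   # assumption: the organisation's own resolvers
NON_DELEGATED_TLDS = {"bit"}         # .bit is not delegated in the public DNS root


@dataclass
class Alert:
    src: str
    resolver: str
    proto: str
    query: str
    reasons: tuple


def parse_dns_log(text):
    """Parse the seven fields used here; skip blank and comment lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, _sport, dst, dport, proto, query = line.split("\t")
        rows.append({"src": src, "dst": dst, "dport": int(dport),
                     "proto": proto.lower(), "query": query})
    return rows


def find_dns_anomalies(rows, approved=APPROVED_RESOLVERS):
    """Return one Alert per row that talks to a non-approved resolver or asks for a .bit name.
    TCP to an approved resolver is left alone: that is normal truncation fallback."""
    alerts = []
    for r in rows:
        reasons = []
        if r["dst"] not in approved:
            reasons.append("external resolver")
            if r["proto"] == "tcp" and r["dport"] == 53:
                reasons.append("dns over tcp to external resolver")
        if r["query"].rsplit(".", 1)[-1].lower() in NON_DELEGATED_TLDS:
            reasons.append("non-delegated tld")
        if reasons:
            alerts.append(Alert(r["src"], r["dst"], r["proto"], r["query"], tuple(reasons)))
    return alerts
```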


Shown above: Post-infection traffic to IP address 188.138.71.117 associated with cash-money-analitica.bit


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: