Rig Exploit Kit via EITEST delivers malicious payload and TeamViewer Remote Control

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered a malicious payload via the EITEST campaign.
  • The malicious payload went on to download more malicious files and the TeamViewer remote control software.
  • Thanks to @CyberScimitar for sharing information on the compromised site and analyzing the payloads.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2016-10-22-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.h2md.net – COMPROMISED SITE
  • 192.95.15.211 – gl9q.s57ae8vl3.top – RIG EK LANDING PAGE
  • 108.61.74.45 – evoci.xyz POST /a210/gate.php – POST INFECT TRAFFIC
  • 91.218.228.52 – tk-avitek.ru GET /tseny-na-pilomaterialy-prays/zazc.exe – SECOND PAYLOAD
  • 108.61.74.45 – evoci.xyz GET /direct/fg_24e90bba.mod – POST INFECT TRAFFIC
  • 198.105.254.228 – dreamscomtrue.site POST /forum/contact.php – POST INFECT TRAFFIC
  • 198.105.254.228 – verawqamscomtrue.com POST /forum/contact.php – POST INFECT TRAFFIC
  • 95.163.127.190 – ddreamonline.site POST /forum/contact.php – POST INFECT TRAFFIC
  • 95.163.127.190 – ddreamonline.site GET /forum/ajax/d.dat – POST INFECT TRAFFIC
  • 95.163.127.190 – ddreamonline.site GET /forum/ajax/e.dat – POST INFECT TRAFFIC
  • 95.163.127.190 – ddreamonline.site GET /forum/ajax/f.dat – POST INFECT TRAFFIC
  • 95.163.127.190 – ddreamonline.site GET /forum/ajax/out.dat – POST INFECT TRAFFIC
  • 95.163.127.190 – ddreamonline.site GET /forum/ajax/w.dat – POST INFECT TRAFFIC
  • 95.163.127.190 – ddreamonline.site GET /forum/ajax/g.dat – POST INFECT TRAFFIC
  • 95.163.127.190 – ddreamonline.site GET /forum/ajax/h.dat – POST INFECT TRAFFIC
  • 37.252.248.78 – TCP Port 5938 – ping3.dyngate.com – TEAMVIEWER COMMUNICATION
  • 178.77.120.100 – TCP Port 5938 – master.dyngate.com – TEAMVIEWER COMMUNICATION
  • 169.54.137.81 – TCP Port 5938 – TEAMVIEWER COMMUNICATION
  • 173.192.194.94 – TCP Port 5938 – TEAMVIEWER COMMUNICATION

DNS QUERIES ASSOCIATED WITH INFECTION:

  • europe.pool.ntp[.]org – NO Network Communication
  • master2.dyngate.com – NO Network Communication
  • 198.105.254.228 – qwerymuss.info
  • 198.105.254.228 – dreamscoccmtrue.info
  • yvold.xyz – NO Network Communication
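The two indicator lists above are most useful when they can be run against a host's own logs. The script below is an added example (not part of the original post) that matches the post's domains, IP addresses, URL paths and the TeamViewer port 5938 against connection-log lines. The pipe-separated log format, the sample log lines and the internal host addresses (10.0.0.x) are constructed for illustration; the indicator values themselves are copied from the lists above. The "PORT 5938 TO UNLISTED PEER" label is a hypothetical name for port-5938 traffic to an address the post does not list.

```python
"""Triage connection-log lines against the indicators listed in the post.

Added example, not the post's own tooling.  Log format and sample lines are
constructed: ts|proto|src|dst|dport|detail, where detail is the queried name
for dns lines, "METHOD host path" for http lines, and empty for tcp lines.
"""
from collections import defaultdict

# Indicator values copied from the post's "associated domains" and "DNS queries" lists.
EK_HOSTS = {"gl9q.s57ae8vl3.top": "RIG EK LANDING PAGE"}
POST_INFECT_HOSTS = {
    "evoci.xyz", "dreamscomtrue.site", "verawqamscomtrue.com", "ddreamonline.site",
    "qwerymuss.info", "dreamscoccmtrue.info", "yvold.xyz",
}
SECOND_PAYLOAD_HOSTS = {"tk-avitek.ru"}
INFRA_IPS = {
    "192.95.15.211": "RIG EK LANDING PAGE",
    "108.61.74.45": "POST INFECT TRAFFIC",
    "91.218.228.52": "SECOND PAYLOAD",
    "198.105.254.228": "POST INFECT TRAFFIC",
    "95.163.127.190": "POST INFECT TRAFFIC",
}
TEAMVIEWER_IPS = {"37.252.248.78", "178.77.120.100", "169.54.137.81", "173.192.194.94"}
TEAMVIEWER_PORT = 5938
PATH_LABELS = {  # URL path prefixes seen in the post's HTTP requests
    "/a210/gate.php": "POST INFECT TRAFFIC",
    "/direct/fg_": "POST INFECT TRAFFIC",
    "/forum/contact.php": "POST INFECT TRAFFIC",
    "/forum/ajax/": "POST INFECT TRAFFIC",
    "/tseny-na-pilomaterialy-prays/zazc.exe": "SECOND PAYLOAD",
}
INFECTION_LABELS = {"RIG EK LANDING PAGE", "POST INFECT TRAFFIC", "SECOND PAYLOAD"}
TEAMVIEWER_LABEL = "TEAMVIEWER COMMUNICATION"
UNLISTED_5938 = "PORT 5938 TO UNLISTED PEER"  # hypothetical label, not from the post


def host_label(name):
    """Label a DNS name or HTTP Host header, or None if it matches nothing."""
    name = name.lower().rstrip(".")
    if name in EK_HOSTS:
        return EK_HOSTS[name]
    if name in POST_INFECT_HOSTS:
        return "POST INFECT TRAFFIC"
    if name in SECOND_PAYLOAD_HOSTS:
        return "SECOND PAYLOAD"
    if name.endswith(".dyngate.com"):  # TeamViewer infrastructure named in the post
        return TEAMVIEWER_LABEL
    return None


def classify(line):
    """Return the set of indicator labels that one log line matches."""
    ts, proto, src, dst, dport, detail = line.rstrip("\n").split("|", 5)
    labels = set()
    if dst in INFRA_IPS:
        labels.add(INFRA_IPS[dst])
    if proto == "dns":
        lbl = host_label(detail)
        if lbl:
            labels.add(lbl)
    elif proto == "http":
        method, host, path = detail.split(" ", 2)
        lbl = host_label(host)
        if lbl:
            labels.add(lbl)
        for prefix, plbl in PATH_LABELS.items():
            if path.startswith(prefix):
                labels.add(plbl)
    elif proto == "tcp" and dport == str(TEAMVIEWER_PORT):
        labels.add(TEAMVIEWER_LABEL if dst in TEAMVIEWER_IPS else UNLISTED_5938)
    return labels


def correlate(lines):
    """Map each internal source host to the union of labels seen for it."""
    per_host = defaultdict(set)
    for line in lines:
        if line.strip():
            per_host[line.split("|", 5)[2]] |= classify(line)
    return dict(per_host)


def hosts_for_remote_access_review(lines):
    """Hosts showing both infection-chain indicators and TeamViewer-style traffic.

    TeamViewer alone is legitimate software; the overlap with exploit-kit or
    post-infection traffic is what reproduces the pattern in the post.
    """
    return {
        host for host, labels in correlate(lines).items()
        if labels & INFECTION_LABELS and labels & {TEAMVIEWER_LABEL, UNLISTED_5938}
    }


# Constructed sample log: 10.0.0.5 follows the post's chain, 10.0.0.7 only uses TeamViewer.
SAMPLE_LOG = """\
2016-10-22 14:01:02|dns|10.0.0.5|10.0.0.2|53|gl9q.s57ae8vl3.top
2016-10-22 14:01:03|http|10.0.0.5|192.95.15.211|80|GET gl9q.s57ae8vl3.top /
2016-10-22 14:02:10|http|10.0.0.5|108.61.74.45|80|POST evoci.xyz /a210/gate.php
2016-10-22 14:02:40|http|10.0.0.5|91.218.228.52|80|GET tk-avitek.ru /tseny-na-pilomaterialy-prays/zazc.exe
2016-10-22 14:03:00|http|10.0.0.5|95.163.127.190|80|GET ddreamonline.site /forum/ajax/d.dat
2016-10-22 14:04:00|dns|10.0.0.5|10.0.0.2|53|ping3.dyngate.com
2016-10-22 14:04:01|tcp|10.0.0.5|37.252.248.78|5938|
2016-10-22 14:05:00|http|10.0.0.7|203.0.113.10|80|GET www.example.com /index.html
2016-10-22 14:05:30|tcp|10.0.0.7|178.77.120.100|5938|
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for host, labels in sorted(correlate(SAMPLE_LINES).items()):
        print(host, sorted(labels))
    print("review:", sorted(hosts_for_remote_access_review(SAMPLE_LINES)))
```

Run as-is it prints the labels per host and names only 10.0.0.5 for review; 10.0.0.7 talks to a listed TeamViewer address but shows none of the exploit-kit or post-infection indicators, which is the distinction an analyst needs before treating remote-control traffic as part of an infection.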

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of the malicious payloads

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig EK landing page to start the infection chain

Shown above: Post-infection traffic associated with the malicious payloads

Shown above: DNS traffic associated with the malicious payloads

Shown above: Second malicious file download and TeamViewer communication over TCP port 5938

Shown above: Some of the Snort alerts generated by the Emerging Threats Open ruleset

Shown above: TeamViewer file found on the infected host and its details

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: