Rig Exploit Kit via EITEST delivers Ramnit malware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered Ramnit malware via the EITEST campaign.
  • Ramnit was observed using a Domain Generation Algorithm (DGA) in its DNS queries.
  • Ramnit also scanned numerous internal private IP addresses looking for Post Office Protocol version 3 (POP3) port 110. POP3 is a standard mail protocol used to receive emails from a remote server.
  • Thanks to @CyberScimitar for sharing information on the compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-10-24-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • littleinspiration.com – COMPROMISED SITE
  • 176.223.111.143 – qwh9w.blgkyih.top – RIG EK LANDING PAGE
  • 23.64.181.91 – fpdownload.macromedia.com GET /get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe – POST INFECT TRAFFIC
  • 23.64.181.91 – fpdownload.macromedia.com GET /get/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe – POST INFECT TRAFFIC
  • 95.215.108.159 Port 443 – certificationforinfinitylifeexp.com – RAMNIT CnC

DNS QUERIES ASSOCIATED WITH INFECTION:



IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of Ramnit malware


Shown above: Injected script found on index page of compromised site which redirects visitor to the Rig EK landing page to start infection chain


Shown above: Ramnit makes numerous HTTP GET requests to fpdownload.macromedia.com


Shown above: Post infection traffic associated with Ramnit and the use of Domain Generation Algorithm (DGA)


Shown above: Some of the post infection port scans for POP3 port 110
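As an added example that is not part of this post, the Python below sketches the two post-infection behaviours the last two captions describe: a DGA heuristic (second-level label entropy and vowel ratio) run over DNS query records, and a count of distinct internal hosts each source touched on POP3 port 110 run over connection records. The sample records and the thresholds are my own constructed assumptions, not values taken from the capture.

```python
import math
from collections import defaultdict
from ipaddress import ip_address

# Constructed DNS query records (client, queried name): three DGA-style names of
# the kind Ramnit generates, plus two ordinary lookups. Not from the capture.
SAMPLE_DNS = [
    ("10.0.0.5", "qkzrtfplmnvwb.com"),
    ("10.0.0.5", "hxbtsdlmpqrwvz.com"),
    ("10.0.0.5", "wjfkgplrmtsdvb.com"),
    ("10.0.0.5", "www.google.com"),
    ("10.0.0.5", "fpdownload.macromedia.com"),
]
# Constructed connection records (src, dst, dport) modelling the POP3 sweep:
# one host walks 25 private addresses on 110/tcp, another makes a single lookup.
SAMPLE_CONNS = [("10.0.0.5", f"10.0.0.{i}", 110) for i in range(20, 45)]
SAMPLE_CONNS += [("10.0.0.5", "95.215.108.159", 443), ("10.0.0.7", "10.0.0.1", 110)]

def sld(fqdn):
    """Second-level label, e.g. 'qkzrtfplmnvwb' for 'qkzrtfplmnvwb.com'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def is_dga_like(fqdn, min_len=8, min_entropy=3.0, max_vowel_ratio=0.35):
    """Illustrative thresholds: long, high-entropy, vowel-poor labels look random.
    Tune against your own resolver logs; short or dictionary-based DGAs evade this."""
    label = sld(fqdn)
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= min_len and entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)

def find_dga_queries(records):
    """Return the (client, name) pairs whose name trips the DGA heuristic."""
    return [(c, n) for c, n in records if is_dga_like(n)]

def find_pop3_sweeps(conns, min_hosts=10):
    """Map each source to the private hosts it contacted on 110/tcp and return
    the sources that reached at least min_hosts distinct internal targets."""
    targets = defaultdict(set)
    for src, dst, dport in conns:
        if dport == 110 and ip_address(dst).is_private:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    print(find_dga_queries(SAMPLE_DNS))   # the three random-looking names
    print(find_pop3_sweeps(SAMPLE_CONNS))  # {'10.0.0.5': 25}
```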


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: