Rig Exploit Kit via EiTest delivers Quant loader, Ursnif malware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered the Quant Loader via the EITEST campaign.
  • The Quant Loader is described as a Trojan downloader.
  • The follow-up traffic is similar to a post I did on the DreamBot loader. You can read the post [HERE]
  • Thanks to @CyberScimitar for sharing information on the compromised site and further analysis of the traffic.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2016-10-25-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • scadradio.org – COMPROMISED SITE
  • 176.223.111.82 – po1289k.kremalopsi.gq – RIG EK LANDING PAGE
  • 104.238.131.117 – loremipsumdolorsitamet.pw – Quant Loader POST
  • 82.165.174.205 – institut-angeetbeaute.fr GET /img/381m6bv285.exe – Payload Download
  • 46.30.215.31 – gingapura.de GET /micha/fsa/zj47dn49.iso – TOR Client Download
  • 208.67.222.222 – resolver1.opendns.com – POST INFECT TRAFFIC
  • 37.48.122.26 – curlmyip.net GET / HTTP/1.1 – IP Check
  • 173.199.65.38 – myip.opendns.com – POST INFECT TRAFFIC
  • 198.105.254.228 – voligon.cn POST /krp3cmg/images/ – Ursnif Variant CnC
  • 198.105.244.228 – voligon.cn POST /krp3cmg/images/ – Ursnif Variant CnC
  • 198.105.254.228 – hipohook.cn – Ursnif Variant CnC


IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of the Quant Loader and Ursnif variant


Shown above: Obfuscated injected script found on the index page of the compromised site associated with the EiTest campaign, which redirects visitors to the Rig EK landing page – the web page source code can be viewed by right-clicking on the web page and selecting “View source”


Shown above: Hybrid-Analysis.com analysis of original payload shows Quant Loader attempting to create a firewall rule


Shown above: Download instructions from loremipsumdolorsitamet.pw, compressed with gzip. Extracting the HTML file shows the download URL for the payload 381m6bv285.exe.
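To reproduce that extraction step from a capture, here is an added example (not code from the original post) that splits a raw HTTP response, undoes the gzip Content-Encoding, pulls every URL out of the HTML and labels the host against the indicator list above. The response body is constructed; only the payload host and path come from the post.

```python
import gzip
import re
from urllib.parse import urlparse

# Indicators taken from the post's "ASSOCIATED DOMAINS AND IP ADDRESSES" list.
KNOWN_PAYLOAD_HOSTS = {
    "institut-angeetbeaute.fr": "Payload Download",
    "gingapura.de": "TOR Client Download",
    "voligon.cn": "Ursnif Variant CnC",
    "hipohook.cn": "Ursnif Variant CnC",
}

URL_RE = re.compile(rb'https?://[^\s"\'<>]+', re.IGNORECASE)

def split_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body

def decode_body(headers, body: bytes) -> bytes:
    """Undo gzip Content-Encoding; any other encoding is returned unchanged."""
    if headers.get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body

def extract_download_urls(raw_response: bytes):
    """Return the URLs found in the decompressed body of a loader check-in response."""
    _, headers, body = split_http_response(raw_response)
    html = decode_body(headers, body)
    return [u.decode("latin-1") for u in URL_RE.findall(html)]

def classify(urls):
    """Map each URL to the role of its host from the indicator list, or 'unknown'."""
    return {u: KNOWN_PAYLOAD_HOSTS.get(urlparse(u).hostname, "unknown") for u in urls}

# Constructed sample response: the HTML is made up; host and path are from the post.
SAMPLE_HTML = b'<html><body><a href="http://institut-angeetbeaute.fr/img/381m6bv285.exe">x</a></body></html>'
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(SAMPLE_HTML))

if __name__ == "__main__":
    for url, role in classify(extract_download_urls(SAMPLE_RESPONSE)).items():
        print(f"{role}: {url}")
```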


Shown above: Partial packet contents of the image file (.iso) believed to be the TOR client


Shown above: DNS traffic associated with Quant Loader and malicious payload


Shown above: Registry key associated with the TOR client


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: