Websites compromised by Eitest and Rig EK deliver GootKit, Chthonic and more

NOTES:

  • Below are websites found to be compromised by the EiTest campaign which redirect visitors to the Rig Exploit Kit (EK) landing pages delivering malicious payloads.
  • Thanks to Baber for sharing information on compromised websites.

I have added zipped pcap files for your analysis. The password for each zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-10-25-Rig-EK-2-pcap.zip
2016-10-25-Rig-EK-3-pcap.zip
2016-10-25-Rig-EK-4-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES for dutchcreekresort.com:

  • dutchcreekresort.com – COMPROMISED SITE
  • 185.141.25.207 – za95uur.ag0clk.top – COMPROMISED SITE
  • 79.110.251.102 Ports 80, 443 – ianusshale.net – GOOTKIT POST INFECT TRAFFIC
  • 79.110.251.102 – mannyshrag.com – GOOTKIT POST INFECT TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN for dutchcreekresort.com:

Shown above: Network traffic associated with the Rig exploit and the delivery of GootKit banking malware


Shown above: Obfuscated injected script found on the index page of the compromised site, associated with the EiTest campaign, which redirects visitors to the Rig EK landing page – the web page source code can be viewed by right-clicking on the web page and selecting “View source”


ASSOCIATED DOMAINS AND IP ADDRESSES for activaclinics.com:

  • activaclinics.com – COMPROMISED SITE
  • 185.141.25.234 – h01wi.d7riwiu.top – RIG EK LANDING PAGE
  • 195.123.209.74 – miligratonylaonella.com POST /www/ – CHTHONIC CnC

IMAGES AND DETAILS OF INFECTION CHAIN for activaclinics.com:

Shown above: Network traffic associated with the Rig exploit and the delivery of CHTHONIC malware


Shown above: Obfuscated injected script found on the index page of the compromised site, associated with the EiTest campaign, which redirects visitors to the Rig EK landing page – the web page source code can be viewed by right-clicking on the web page and selecting “View source”


ASSOCIATED DOMAINS AND IP ADDRESSES for emploiadomicile.info:

  • emploiadomicile.info – COMPROMISED SITE
  • 185.141.25.234 – h01wi.d7riwiu.top – RIG EK LANDING PAGE
  • 213.252.244.121 Port 443 – kasdima.top – POST INFECT TRAFFIC
    [ Let's Encrypt free SSL certificate ]

IMAGES AND DETAILS OF INFECTION CHAIN for emploiadomicile.info:

Shown above: Network traffic associated with the Rig exploit and the delivery of the malicious payload


Shown above: Obfuscated injected script found on the index page of the compromised site, associated with the EiTest campaign, which redirects visitors to the Rig EK landing page – the web page source code can be viewed by right-clicking on the web page and selecting “View source”


Shown above: Post-infection network traffic to kasdima.top is encrypted using a Let's Encrypt free SSL certificate


MALICIOUS PAYLOAD ASSOCIATED WITH dutchcreekresort.com:

  • 2016-10-25-Rig-EK.swf
    SHA256:
    49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd
  • 2016-10-25-BCBC.tmp – [Original Payload]
    SHA256:
    2ab8768a94a4983f4c5a19fc486c85386305e51d6f86854cc50db89f98701d5d
  • 2016-10-25-ntpreke.dll – [GootKit]
    SHA256:
    31f8dbc34d8c34982ff6248a60786175cd010bbb80f18eb6cfd8ff83d2c3a0e5

MALICIOUS PAYLOAD ASSOCIATED WITH activaclinics.com:

  • 2016-10-25-Rig-EK.swf
    SHA256:
    49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd
  • 2016-10-25-MSBuildm.exe – [CHTHONIC]
    SHA256:
    6ca263b7d150b820c5f13458d1ceaaf0360ac401779379bcec77a99f2bf8e5ce

MALICIOUS PAYLOAD ASSOCIATED WITH emploiadomicile.info:

  • 2016-10-25-Rig-EK.swf
    SHA256:
    49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd
  • 2016-10-25-.exe – [Malicious Payload]
    SHA256:
    6993b911a6310ff7097105922de714d7a070c13633e79c36701d3cccf4086719
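As an added example (not part of this post or its pcaps), the Python script below turns the domains and IP addresses listed above into a small indicator set and walks a proxy log to reconstruct, per client, the stages of the chain described here: compromised site, then Rig EK landing page, then post-infection traffic. The log format, the sample lines, and the 10.0.0.x / 203.0.113.x / 198.51.100.x addresses are constructed for the example. It also treats za95uur.ag0clk.top / 185.141.25.207 as the Rig EK landing page reached from dutchcreekresort.com; that is an assumption made here, since the list above labels that pair COMPROMISED SITE.

```python
import re
from collections import defaultdict

# Indicators copied from the post above: host name or IP -> (stage, family).
# family is None where the post names no malware family for that indicator.
INDICATORS = {
    # EiTest-injected sites: the origin of the redirect
    "dutchcreekresort.com": ("COMPROMISED SITE", None),
    "activaclinics.com": ("COMPROMISED SITE", None),
    "emploiadomicile.info": ("COMPROMISED SITE", None),
    # Rig EK landing pages. ASSUMPTION: the post lists 185.141.25.207 /
    # za95uur.ag0clk.top as "COMPROMISED SITE"; it is treated here as the
    # landing page reached after dutchcreekresort.com.
    "za95uur.ag0clk.top": ("RIG EK LANDING PAGE", None),
    "185.141.25.207": ("RIG EK LANDING PAGE", None),
    "h01wi.d7riwiu.top": ("RIG EK LANDING PAGE", None),
    "185.141.25.234": ("RIG EK LANDING PAGE", None),
    # post-infection / CnC traffic
    "ianusshale.net": ("POST INFECTION", "GootKit"),
    "mannyshrag.com": ("POST INFECTION", "GootKit"),
    "79.110.251.102": ("POST INFECTION", "GootKit"),
    "miligratonylaonella.com": ("POST INFECTION", "Chthonic"),
    "195.123.209.74": ("POST INFECTION", "Chthonic"),
    "kasdima.top": ("POST INFECTION", None),
    "213.252.244.121": ("POST INFECTION", None),
}

# Constructed proxy-log format (not the post's pcap), one event per line:
#   <timestamp> <client ip> <dest ip>:<port> <method> <host> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>[^\s:]+)\s+(?P<path>\S+)$"
)

# Constructed sample lines; client and benign destination IPs are documentation ranges.
SAMPLE_LOG = """
2016-10-25T14:02:11Z 10.0.0.5 203.0.113.10:80 GET dutchcreekresort.com /
2016-10-25T14:02:12Z 10.0.0.5 185.141.25.207:80 GET za95uur.ag0clk.top /
2016-10-25T14:02:19Z 10.0.0.5 79.110.251.102:80 POST ianusshale.net /
2016-10-25T14:02:20Z 10.0.0.5 79.110.251.102:443 CONNECT mannyshrag.com -
2016-10-25T14:05:40Z 10.0.0.7 203.0.113.20:80 GET www.activaclinics.com /
2016-10-25T14:05:41Z 10.0.0.7 185.141.25.234:80 GET h01wi.d7riwiu.top /
2016-10-25T14:06:02Z 10.0.0.8 203.0.113.20:80 GET activaclinics.com /
2016-10-25T14:06:03Z 10.0.0.8 185.141.25.234:80 GET h01wi.d7riwiu.top /
2016-10-25T14:06:15Z 10.0.0.8 195.123.209.74:80 POST miligratonylaonella.com /www/
2016-10-25T14:09:02Z 10.0.0.9 203.0.113.30:80 GET emploiadomicile.info /
2016-10-25T14:09:03Z 10.0.0.9 185.141.25.234:80 GET h01wi.d7riwiu.top /
2016-10-25T14:09:30Z 10.0.0.9 213.252.244.121:443 CONNECT kasdima.top -
2016-10-25T14:10:00Z 10.0.0.11 198.51.100.5:443 CONNECT example.org -
""".strip().splitlines()


def match_indicator(host, dst_ip):
    """Return (indicator, stage, family) when the host, a parent domain of the
    host, or the destination IP is on the indicator list; otherwise None."""
    host = host.lower().rstrip(".")
    if host in INDICATORS:
        return (host,) + INDICATORS[host]
    labels = host.split(".")
    # parent-domain match so www.activaclinics.com still hits activaclinics.com
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in INDICATORS:
            return (parent,) + INDICATORS[parent]
    if dst_ip in INDICATORS:
        return (dst_ip,) + INDICATORS[dst_ip]
    return None


def scan_log(lines):
    """Parse log lines and return one hit dict per line that touches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        found = match_indicator(m["host"], m["dst"])
        if found is None:
            continue
        indicator, stage, family = found
        hits.append({
            "ts": m["ts"], "client": m["client"], "host": m["host"],
            "dst": m["dst"], "port": int(m["port"]), "method": m["method"],
            "indicator": indicator, "stage": stage, "family": family,
        })
    return hits


def reconstruct_chains(hits):
    """Per client, the time-ordered sequence of distinct stages seen."""
    chains = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        stages = chains[h["client"]]
        if not stages or stages[-1] != h["stage"]:
            stages.append(h["stage"])
    return dict(chains)


def assess(hits):
    """Per client: (verdict, sorted list of malware families named in its hits)."""
    by_client = defaultdict(list)
    for h in hits:
        by_client[h["client"]].append(h)
    verdicts = {}
    for client, client_hits in by_client.items():
        stages = {h["stage"] for h in client_hits}
        families = sorted({h["family"] for h in client_hits if h["family"]})
        if "POST INFECTION" in stages:
            verdict = "INFECTED"          # callback/CnC seen: treat host as compromised
        elif "RIG EK LANDING PAGE" in stages:
            verdict = "EXPOSED"           # reached the EK; check host for payload execution
        else:
            verdict = "VISITED COMPROMISED SITE"  # redirect may have been blocked
        verdicts[client] = (verdict, families)
    return verdicts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, chain in reconstruct_chains(found).items():
        print(client, " -> ".join(chain), assess(found)[client])
```

Lines where only the destination IP matches are still reported, which matters for the kasdima.top traffic on port 443 where the name is only visible as a CONNECT target (or SNI) and the payload itself is encrypted; a client that reaches a landing page but never shows post-infection traffic is reported as exposed rather than infected, so the host can be checked for the dropped payload before it is cleared.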