Compromised site redirects to Rig Exploit Kit delivering Kronos and Nymaim

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered Kronos banking malware on run 1 and Nymaim, which is known as an information stealer, on run 2. Both were delivered by an injected script found on the compromised site associated with the EITest campaign.
  • I started seeing Kronos traffic on October 26th 2016. Prior to that, I last saw Kronos on June 3rd 2016, when it was delivered by the Angler exploit kit (see 2016-06-03 Angler Exploit Kit sends Kronos).
  • I last saw Nymaim traffic on April 19th 2016, when it was delivered via a malicious Word document (see Malicious Word Doc Downloads Nymaim and Info Stealer).
  • Thanks to @CyberScimitar for sharing information on the compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-10-31-Rig-EK-Kronos-pcap.zip
2016-10-31-Rig-EK-Nymaim-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES for KRONOS INFECTION:

  • www.trackingsharks.com – COMPROMISED SITE
  • 176.223.111.52 – mwsc.uhona67fa.top – RIG EK LANDING PAGE
  • 46.249.57.167 – 2mynameins3344.net POST /ZRNlFwIb/connect.php – KRONOS POST INFECTION TRAFFIC

Note:
On a previous run, johane3234.net (POST /ZRNlFwIb/connect.php) also resolved to IP address 46.249.57.167.

IMAGES AND DETAILS OF INFECTION CHAIN for KRONOS INFECTION:

Shown above: Network traffic associated with the Rig exploit kit and the delivery of Kronos banking malware

Shown above: Injected script found on the index page of the compromised site associated with the EITest campaign, which redirects visitors to the Rig EK landing page – the web page source code can be viewed by right-clicking on the web page and selecting "View source"

Shown above: Post infection traffic associated with Kronos banking malware

ASSOCIATED DOMAINS AND IP ADDRESSES for NYMAIM INFECTION:

  • trackingsharks.com – COMPROMISED SITE
  • 176.223.111.52 – ygzt2u.otun7oh.top – RIG EK LANDING PAGE
  • 176.53.118.240 – quilaine.com – NYMAIM POST INFECTION TRAFFIC
  • 111.118.188.250 – nylon.com – NYMAIM POST INFECTION TRAFFIC
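To make the two indicator lists above actionable for a network defender, here is an added example (my own, not code from this post) that reconstructs the compromised-site to Rig EK landing page to post-infection check-in chain from per-client HTTP request records, such as those exported from the pcap. The request records and client addresses are constructed, and the rule that Rig EK landing pages sit on .top domains reached from the compromised site is an assumption drawn from the two landing hostnames on this page.

```python
from collections import namedtuple
from urllib.parse import urlparse

# One HTTP request pulled from the capture (fields as Wireshark's HTTP view shows them)
HttpRequest = namedtuple("HttpRequest", "ts client method host path referer", defaults=[""])

# Roles observed in this post's capture. The ".top" rule for Rig EK landing
# domains is an assumption for this example, not something the post states.
COMPROMISED = {"www.trackingsharks.com", "trackingsharks.com"}
LANDING_TLDS = {"top"}
C2_PATHS = {"/ZRNlFwIb/connect.php"}

def classify(req):
    """Tag a request as 'compromised', 'landing', 'c2' or None."""
    if req.host in COMPROMISED:
        return "compromised"
    ref_host = urlparse(req.referer).hostname if req.referer else None
    if req.host.rsplit(".", 1)[-1] in LANDING_TLDS and ref_host in COMPROMISED:
        return "landing"          # reached via the injected script on the site
    if req.method == "POST" and req.path in C2_PATHS:
        return "c2"               # Kronos check-in seen in the capture
    return None

def infection_chains(requests):
    """Per client, hosts of a compromised -> landing -> c2 chain in time order;
    clients whose events never complete the chain are left out."""
    per_client = {}
    for r in sorted(requests, key=lambda r: r.ts):
        tag = classify(r)
        if tag:
            per_client.setdefault(r.client, []).append((tag, r.host))
    chains = {}
    for client, events in per_client.items():
        want, hosts = ("compromised", "landing", "c2"), []
        for tag, host in events:
            if len(hosts) < 3 and tag == want[len(hosts)]:
                hosts.append(host)
        if len(hosts) == 3:
            chains[client] = hosts
    return chains

# Constructed sample mirroring the Kronos run (client IPs are made up);
# 10.0.0.7 is a control that hits a .top host without coming from the site.
SAMPLE = [
    HttpRequest(1.0, "192.168.122.100", "GET", "www.trackingsharks.com", "/"),
    HttpRequest(2.5, "192.168.122.100", "GET", "mwsc.uhona67fa.top", "/?q=1",
                "http://www.trackingsharks.com/"),
    HttpRequest(9.0, "192.168.122.100", "POST", "2mynameins3344.net", "/ZRNlFwIb/connect.php"),
    HttpRequest(3.0, "10.0.0.7", "GET", "example.top", "/"),
]
```

Running `infection_chains(SAMPLE)` reports only the client that walked the full chain; the control client is ignored because a .top request without the compromised site as referer is not tagged.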

IMAGES AND DETAILS OF INFECTION CHAIN for NYMAIM INFECTION:

Shown above: Network traffic associated with the Rig exploit kit and the delivery of Nymaim malware

Shown above: Injected script found on the index page of the compromised site associated with the EITest campaign, which redirects visitors to the Rig EK landing page – the web page source code can be viewed by right-clicking on the web page and selecting "View source"

Shown above: Digital signature on the original payload's executable file

MALICIOUS PAYLOAD ASSOCIATED WITH KRONOS INFECTION:

MALICIOUS PAYLOAD ASSOCIATED WITH NYMAIM INFECTION: