Compromised site redirects to Rig Exploit Kit delivering KRONOS malware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered Kronos banking malware. The malware was delivered by an injected script found on the compromised site associated with the EITest campaign.
  • Kronos is known for “Common credential-stealing techniques such as form grabbing and HTML injection compatible with the major browsers (Internet Explorer, Firefox and Chrome)”, as reported by securityintelligence.com in its blog post The Father of Zeus: Kronos Malware Discovered.
  • Thanks to Baber for sharing information on the compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is “infected” (all lowercase).

PCAP file of the infection traffic:
2016-10-31-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • computerrepairservice.net – COMPROMISED SITE
  • 176.223.111.95 – v1l3.twegfc5i.top – RIG EK LANDING PAGE
  • 148.163.90.98 – m3ynameins3344.net – POST /ZRNlFwIb/connect.php – KRONOS POST INFECTION TRAFFIC
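The indicators above are the kind of thing a defender loads into a proxy-log sweep to find other hosts that walked the same chain (compromised site, then the Rig EK landing page, then the Kronos check-in). The script below is an added example, not part of the original post or its pcap: it matches constructed log lines against the post's own domains, IPs and the `connect.php` POST path, and reports which clients show all three stages. The log format (`timestamp client method host path dest_ip`), the client IPs and the non-C2 request paths and destination IPs are assumptions made up for the example.

```python
"""Sweep proxy-style log lines for the Rig EK / Kronos indicators listed in the post.

Added example, not part of the original post. The log format is an assumption:
one request per line, six space-separated fields:
    <timestamp> <client_ip> <method> <host> <path> <dest_ip>
The indicator values come from the post's IoC list; everything else is constructed.
"""
from collections import defaultdict

# Indicators copied from the post's "ASSOCIATED DOMAINS AND IP ADDRESSES" list.
INDICATORS = {
    "computerrepairservice.net": "compromised site (EITest injected script)",
    "v1l3.twegfc5i.top": "Rig EK landing page",
    "176.223.111.95": "Rig EK landing page",
    "m3ynameins3344.net": "Kronos post-infection traffic",
    "148.163.90.98": "Kronos post-infection traffic",
}
# The Kronos check-in seen in the pcap: a POST to this path on the C2 host.
KRONOS_C2_PATH = "/ZRNlFwIb/connect.php"

# Stage numbers used to decide whether one client shows the whole chain.
STAGE = {
    "compromised site (EITest injected script)": 1,
    "Rig EK landing page": 2,
    "Kronos post-infection traffic": 3,
}


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, host, path, dest = parts
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": host.lower(), "path": path, "dest": dest}


def classify(rec):
    """Return the indicator label for a request, or None if nothing matches."""
    label = INDICATORS.get(rec["host"]) or INDICATORS.get(rec["dest"])
    if label is None:
        return None
    # A POST to the Kronos check-in path is the strongest signal; name it explicitly.
    if (label == "Kronos post-infection traffic" and rec["method"] == "POST"
            and rec["path"] == KRONOS_C2_PATH):
        return "Kronos C2 check-in (POST connect.php)"
    return label


def scan(lines):
    """Return (hits, chains).

    hits:   list of (timestamp, client, label) for every matching request
    chains: dict client -> set of stage numbers observed (1..3)
    """
    hits = []
    chains = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        hits.append((rec["ts"], rec["client"], label))
        base = "Kronos post-infection traffic" if label.startswith("Kronos") else label
        chains[rec["client"]].add(STAGE[base])
    return hits, dict(chains)


def full_chain_clients(chains):
    """Clients that touched the compromised site, the EK landing page and the C2."""
    return sorted(c for c, stages in chains.items() if stages == {1, 2, 3})


# Constructed sample log: client IPs, the benign request, the landing-page query
# string and the non-C2 destination IPs are made up for this example.
SAMPLE_LOG = """\
2016-10-31T14:02:11Z 10.0.0.7 GET computerrepairservice.net / 203.0.113.10
2016-10-31T14:02:13Z 10.0.0.7 GET v1l3.twegfc5i.top /?q=landing 176.223.111.95
2016-10-31T14:02:31Z 10.0.0.7 POST m3ynameins3344.net /ZRNlFwIb/connect.php 148.163.90.98
2016-10-31T14:03:00Z 10.0.0.9 GET www.example.com /index.html 93.184.216.34
2016-10-31T14:03:05Z 10.0.0.9 GET computerrepairservice.net / 203.0.113.10
not a valid log line
""".splitlines()

if __name__ == "__main__":
    hits, chains = scan(SAMPLE_LOG)
    for ts, client, label in hits:
        print(f"{ts} {client} -> {label}")
    print("clients with the full infection chain:", full_chain_clients(chains))
```

In the sample, 10.0.0.7 hits all three stages and is reported as a full chain, while 10.0.0.9 only visited the compromised site and is left as a single hit worth a look but not a confirmed infection; matching on the destination IP as well as the host name catches requests where the proxy logged only one of the two.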

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of Kronos banking malware


Shown above: Injected script found on the index page of the compromised site associated with the EITest campaign, which redirects visitors to the Rig EK landing page – the web page source code can be viewed by right-clicking on the web page and selecting “View source”


Shown above: Partial content of packet 103 shows Rig EK exploiting Flash


Shown above: Partial contents of packet 681 show Rig EK delivering the malicious payload


Shown above: Post-infection traffic associated with Kronos malware


MALICIOUS PAYLOAD ASSOCIATED WITH KRONOS INFECTION: