Rig-E Exploit Kit delivers Loader and Tor client

NOTES:

  • Today I captured traffic from the Rig-E Exploit Kit (EK), which delivered a loader and the Tor client via the EITest campaign.
  • Traffic patterns are similar to past Quant-Loader and DreamBot infections.
  • Presently there are 3 versions of the Rig Exploit Kit. For more details on the versions, see malware-traffic-analysis.net.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-12-05-Rig-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:

  • titanicthemes.com – COMPROMISED SITE
  • 185.162.8.79 – mrmisrh.qx33wu.xyz – RIG-E LANDING PAGE
  • 81.4.108.169 – vitaetortorvitaesuscipit.us – LOADER DOWNLOAD LINK
  • 217.160.34.53 – hotel-orsoni.com GET /templates/alt/oimy6bc2h16.exe – MALICIOUS DOWNLOAD
  • 62.149.128.72 – artkar.it GET /style/uenUsn.zip – REDIRECT TO TOR DOWNLOAD
  • 62.149.140.138 – www.artkar.it GET /style/uenUsn.zip – TOR CLIENT DOWNLOAD
  • 193.23.244.244 – SSL – POST INFECTION TRAFFIC
  • 37.48.122.26 – curlmyip.net – IP ADDRESS CHECK
  • 62.210.82.44 – FTP – POST INFECTION TRAFFIC
  • 162.220.246.43 – GET /footer-bg.jpg – POST INFECTION TRAFFIC
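As an added example (not part of the original post), the indicators listed above turned into a small Python triage script: it walks a constructed proxy log with an assumed "<time> <client> <method> <host> <uri> <status>" layout, tags each request with the stage of the chain it matches, and flags a client only when both the landing page and a payload or Tor download are seen from it.

```python
import re
from collections import defaultdict

# Indicators copied from the post's IoC list as (stage, host, uri); uri None = any path.
INDICATORS = [
    ("compromised_site", "titanicthemes.com", None),
    ("rig_e_landing", "mrmisrh.qx33wu.xyz", None),
    ("loader_link", "vitaetortorvitaesuscipit.us", None),
    ("payload_download", "hotel-orsoni.com", "/templates/alt/oimy6bc2h16.exe"),
    ("tor_redirect", "artkar.it", "/style/uenUsn.zip"),
    ("tor_download", "www.artkar.it", "/style/uenUsn.zip"),
    ("ip_check", "curlmyip.net", None),
    ("post_infection_get", "162.220.246.43", "/footer-bg.jpg"),
]
# Assumed proxy-log layout (constructed): "<time> <client> <method> <host> <uri> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def classify(host, uri):
    """Return the chain stage a request matches, or None."""
    for stage, ioc_host, ioc_uri in INDICATORS:
        if host.lower() == ioc_host and ioc_uri in (None, uri):
            return stage
    return None

def find_chains(lines):
    """Map each client to the ordered (time, stage) hits it produced; bad lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, _method, host, uri, _status = m.groups()
            stage = classify(host, uri)
            if stage:
                hits[src].append((ts, stage))
    return dict(hits)

def verdict(stages):
    """Landing page plus a payload or Tor download from one client = full chain seen."""
    seen = set(stages)
    if "rig_e_landing" in seen and seen & {"payload_download", "tor_download"}:
        return "infection chain observed"
    return "indicator hit only" if seen else "clean"

# Constructed sample lines modelled on the chain in the post (not taken from the pcap).
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 GET titanicthemes.com / 200",
    "10:00:03 10.0.0.5 GET mrmisrh.qx33wu.xyz / 200",
    "10:00:09 10.0.0.5 GET hotel-orsoni.com /templates/alt/oimy6bc2h16.exe 200",
    "10:00:15 10.0.0.5 GET artkar.it /style/uenUsn.zip 301",
    "10:00:16 10.0.0.5 GET www.artkar.it /style/uenUsn.zip 200",
    "10:01:00 10.0.0.7 GET curlmyip.net / 200",
]
```

A single hit on curlmyip.net is only worth a look, since legitimate software also checks its public IP; the verdict escalates only when the landing page and a download appear for the same client.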
IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:

Shown above: Network traffic associated with the Rig-E exploit and the delivery of a loader and the Tor client
Shown above: Injected script found on the index page of the compromised site, associated with the EITest campaign, which redirects visitors to the Rig-E EK landing page
Shown above: Link used by the loader to download the malicious payload
Shown above: Partial content of downloaded malicious payload
Shown above: 301 redirect to the Tor client download link
Shown above: Partial content of the Tor client download
Shown above: Post-infection SSL traffic over port 443
Shown above: Post-infection FTP traffic over port 21
Shown above: Additional post-infection traffic from this infection (not included in the pcap)
Shown above: Malicious file added to Windows start-up
Shown above: Registry entry associated with the Tor client
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: