Rig-E Exploit Kit delivers Chthonic and GootKit malware

NOTES:

  • Today I captured traffic from the Rig-E Exploit Kit (EK), which delivered Chthonic on the first run and GootKit on the second run via the EITest campaign.
  • Presently there are 3 versions of the Rig Exploit Kit. For more details on the versions, see malware-traffic-analysis.net.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2016-12-06-Rig-EK-1-pcap.zip
2016-12-06-Rig-EK-2-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES from run 1:

  • www.woodwardfab.com – COMPROMISED SITE
  • 185.162.8.114 – fiogy.hls96yt.xyz – RIG-E EK LANDING PAGE
  • 195.123.210.75 – scenabit.bit POST / – POST-INFECTION TRAFFIC
  • 31.3.135.232 – DNS OVER TCP PORT 53
  • 193.183.98.154 – DNS OVER TCP PORT 53


IMAGES AND DETAILS OF INFECTION CHAIN from run 1:

Shown above: Network traffic associated with the Rig-E exploit and the delivery of Chthonic banking malware


Shown above: Injected script found on the index page of the compromised site, associated with the EITest campaign, which redirects visitors to the Rig-E EK landing page – the page source can be viewed by right-clicking the web page and selecting "View source"


Shown above: DNS traffic over TCP port 53 associated with Chthonic banking malware
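A defender's check for the two run 1 behaviours described above, as an added example that is not part of the original post: flag DNS carried over TCP port 53 to servers that are not the organisation's own resolvers, and HTTP POSTs to hosts under the .bit TLD (the Namecoin TLD, which ordinary DNS does not resolve, hence the malware's need for its own resolvers). The log lines are constructed Zeek-style conn.log/http.log records modelled on this post's indicators; the field order and the approved-resolver set are assumptions.

```python
# Added example, not from the original post. Detects two behaviours seen in
# run 1: DNS over TCP/53 to non-approved resolvers, and POSTs to .bit hosts.

# Assumption: the only resolver clients are expected to talk to.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed Zeek-style conn.log lines (assumed field order):
# ts uid src sport dst dport proto service
CONN_LOG = """\
1481000001 C1 10.0.0.15 49200 10.0.0.53 53 udp dns
1481000002 C2 10.0.0.15 49211 31.3.135.232 53 tcp dns
1481000003 C3 10.0.0.15 49212 193.183.98.154 53 tcp dns
1481000004 C4 10.0.0.15 49213 185.162.8.114 80 tcp http
"""

# Constructed Zeek-style http.log lines (assumed field order):
# ts uid src dst method host uri
HTTP_LOG = """\
1481000004 C4 10.0.0.15 185.162.8.114 GET fiogy.hls96yt.xyz /
1481000005 C5 10.0.0.15 195.123.210.75 POST scenabit.bit /
"""


def dns_over_tcp_alerts(conn_log: str) -> list[tuple[str, str]]:
    """Return (uid, reason) for DNS on TCP/53 to a server outside the approved set."""
    alerts = []
    for line in conn_log.splitlines():
        _ts, uid, _src, _sport, dst, dport, proto, service = line.split()
        if service == "dns" and proto == "tcp" and dport == "53" \
                and dst not in APPROVED_RESOLVERS:
            alerts.append((uid, f"DNS over TCP to non-approved resolver {dst}"))
    return alerts


def bit_tld_post_alerts(http_log: str) -> list[tuple[str, str]]:
    """Return (uid, reason) for HTTP POSTs whose Host header ends in .bit."""
    alerts = []
    for line in http_log.splitlines():
        _ts, uid, _src, _dst, method, host, _uri = line.split()
        if method == "POST" and host.lower().endswith(".bit"):
            alerts.append((uid, f"POST to Namecoin .bit host {host}"))
    return alerts


if __name__ == "__main__":
    for uid, reason in dns_over_tcp_alerts(CONN_LOG) + bit_tld_post_alerts(HTTP_LOG):
        print(uid, reason)
```

Against the constructed logs this reports C2 and C3 (the two DNS-over-TCP servers listed above) and C5 (the POST to scenabit.bit), and stays silent on the normal UDP lookup to the approved resolver.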


MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E EXPLOIT run 1:


ASSOCIATED DOMAINS AND IP ADDRESSES from run 2:

  • www.woodwardfab.com – COMPROMISED SITE
  • 185.162.8.114 – l1gk.wgls8ofrd.xyz – RIG-E EK LANDING PAGE
  • 5.39.48.106 ports 80 and 443 – vnoskokos.win – GOOTKIT POST-INFECTION TRAFFIC


IMAGES AND DETAILS OF INFECTION CHAIN from run 2:

Shown above: Network traffic associated with the Rig-E exploit and the delivery of GootKit malware


Shown above: Injected script found on the index page of the compromised site, associated with the EITest campaign, which redirects visitors to the Rig-E EK landing page – the page source can be viewed by right-clicking the web page and selecting "View source"


Shown above: DNS traffic associated with GootKit infection


Shown above: When GootKit is delivered as an EXE file, it creates a Scheduled Task to remain persistent


MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E EXPLOIT run 2: