Rig-E Exploit Kit delivers SmokeBot loader and TOR client

NOTES:

  • Today I captured traffic from the Rig-E Exploit Kit (EK) which delivered the SmokeBot loader and the TOR client via the EITEST campaign.
  • The pcap file shows an additional layer in the landing page. For reasons unknown, the exploit delivered two identical payloads.
  • Presently there are 3 versions of the Rig Exploit Kit. For more details on the versions, see malware-traffic-analysis.net.
  • The Flash exploit metadata has changed from 709×124 px to 710×120 px.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-12-07-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.dataproec.com – COMPROMISED SITE
  • 81.95.7.26 – .crpq1.xyz – RIG-E EK LANDING PAGE
  • 13.107.21.200 – www.bing.com – POST INFECT TRAFFIC
  • 23.209.176.126 – www.adobe.com – POST INFECT TRAFFIC
  • 220.132.37.89 – www.etron.com.tw – POST INFECT TRAFFIC
  • 218.210.127.131 – www.realtek.com – POST INFECT TRAFFIC
  • 146.0.77.16 – coifn333.info POST / – SECONDARY PAYLOAD DOWNLOAD
  • 93.171.217.53 – GET /tor/t32.dll – TOR CLIENT DOWNLOAD
  • 37.48.122.26 – curlmyip.net – IP ADDRESS CHECK
  • 192.42.118.104 – spamhaus.org – POST INFECT TRAFFIC
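As an added example (not part of the original post), the script below takes the indicator list above and runs it over a few constructed proxy log lines to show how a defender would use it. The page's own role labels drive the ranking: the landing page, secondary payload and TOR client hosts identify the chain on their own, while the well-known sites listed under POST INFECT TRAFFIC and the IP ADDRESS CHECK service also show up in clean traffic and are only treated as corroboration. The log format and every log line are assumptions constructed for the example; the indicators themselves are transcribed from the list above.

```python
"""Match proxy log lines against the indicators in this post and rank
the result per client. Added example; the log lines are constructed."""
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "domain ip path role")

# Transcribed from the post's indicator list. A leading dot on a domain
# means "that domain or any subdomain" (the landing page used a subdomain).
INDICATORS = [
    Indicator("www.dataproec.com", None, None, "COMPROMISED SITE"),
    Indicator(".crpq1.xyz", "81.95.7.26", None, "RIG-E EK LANDING PAGE"),
    Indicator("www.bing.com", "13.107.21.200", None, "POST INFECT TRAFFIC"),
    Indicator("www.adobe.com", "23.209.176.126", None, "POST INFECT TRAFFIC"),
    Indicator("www.etron.com.tw", "220.132.37.89", None, "POST INFECT TRAFFIC"),
    Indicator("www.realtek.com", "218.210.127.131", None, "POST INFECT TRAFFIC"),
    Indicator("coifn333.info", "146.0.77.16", None, "SECONDARY PAYLOAD DOWNLOAD"),
    Indicator(None, "93.171.217.53", "/tor/t32.dll", "TOR CLIENT DOWNLOAD"),
    Indicator("curlmyip.net", "37.48.122.26", None, "IP ADDRESS CHECK"),
    Indicator("spamhaus.org", "192.42.118.104", None, "POST INFECT TRAFFIC"),
]

# Roles that point at the exploit chain itself. The remaining roles are
# legitimate services an infected host also talks to; on their own they
# are only corroboration.
HIGH_CONFIDENCE = {"RIG-E EK LANDING PAGE", "SECONDARY PAYLOAD DOWNLOAD",
                   "TOR CLIENT DOWNLOAD"}

# Constructed proxy log (assumed format): date time client method url dst_ip status.
# The dst_ip for the compromised site is a documentation address, not from the post.
SAMPLE_LOG = """\
2016-12-07 14:00:01 10.0.0.5 GET http://www.dataproec.com/ 203.0.113.10 200
2016-12-07 14:00:03 10.0.0.5 GET http://abc.crpq1.xyz/ 81.95.7.26 200
2016-12-07 14:00:09 10.0.0.5 POST http://coifn333.info/ 146.0.77.16 200
2016-12-07 14:00:12 10.0.0.5 GET http://93.171.217.53/tor/t32.dll 93.171.217.53 200
2016-12-07 14:00:15 10.0.0.5 GET http://curlmyip.net/ 37.48.122.26 200
2016-12-07 14:00:20 10.0.0.7 GET http://www.bing.com/ 13.107.21.200 200
2016-12-07 14:00:25 10.0.0.9 GET http://www.example.com/ 198.51.100.4 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) (\S+) (\S+) (\d+)$")
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")


def _host_matches(host, pattern):
    """Exact match, or suffix match when the pattern starts with a dot."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def scan(log_text):
    """Return one hit per matching log line: client, host, dst_ip, role, line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, dst_ip, _status = m.groups()
        um = URL_RE.match(url)
        if not um:
            continue
        host, path = um.group(1), um.group(2) or "/"
        for ind in INDICATORS:
            by_host = ind.domain is not None and _host_matches(host, ind.domain)
            by_ip = ind.ip is not None and dst_ip == ind.ip
            by_path = ind.path is None or path == ind.path
            if (by_host or by_ip) and by_path:
                hits.append({"client": client, "host": host, "dst_ip": dst_ip,
                             "role": ind.role, "line": line})
                break
    return hits


def verdict_per_client(hits):
    """'infected' if a client has any high-confidence hit, otherwise 'suspicious'."""
    out = {}
    for h in hits:
        level = "infected" if h["role"] in HIGH_CONFIDENCE else "suspicious"
        if out.get(h["client"]) != "infected":
            out[h["client"]] = level
    return out


if __name__ == "__main__":
    for client, level in verdict_per_client(scan(SAMPLE_LOG)).items():
        print(client, level)
```

With the sample log, 10.0.0.5 is reported as infected (landing page, payload and TOR client hits) while 10.0.0.7, which only contacted www.bing.com, stays at suspicious; the example.com line produces no hit. The TOR client indicator has no domain in the post, so it matches on destination IP plus the exact path given there.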


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig-E exploit and the delivery of the SmokeBot loader and more.


Shown above: Injected script found on the index page of the compromised site, associated with the EiTest campaign, which redirects visitors to the Rig-E EK landing page. The web page source code can be viewed by right-clicking on the page and selecting "View source".


Shown above: After extracting the Rig Flash exploit and saving it as a .swf file, it was decompiled using Flare (http://www.nowrap.de/flare.html) and the Flash metadata examined with a text editor.
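The stage size noted above (709×124 px changing to 710×120 px) lives in the SWF header, so it can be read straight from a carved .swf without decompiling. The following parser is an added example, not the post's own tooling or Flare's output: it reads the signature, version, declared length and the stage RECT (stored in twips, 20 per pixel), inflating CWS files first. The sample SWF bytes are constructed by the builder in the block and are not the Rig-E exploit file.

```python
"""Minimal SWF header parser for triaging carved Flash files by stage size.
Added example; the sample SWF bytes are constructed, not the real exploit."""
import struct
import zlib

TWIPS_PER_PX = 20  # the SWF stage RECT is stored in twips (1/20 px)


def _read_rect(body):
    """Decode the RECT record at the start of the (uncompressed) body.

    Layout: 5-bit Nbits, then Xmin, Xmax, Ymin, Ymax as Nbits-wide signed
    twip values, padded to a byte boundary. Returns the four values and
    the number of bytes the record occupied."""
    nbits = body[0] >> 3
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    bits = "".join(f"{b:08b}" for b in body[:nbytes])
    pos, fields = 5, []
    for _ in range(4):
        raw = int(bits[pos:pos + nbits], 2)
        if raw >= 1 << (nbits - 1):  # sign-extend SB[nbits]
            raw -= 1 << nbits
        fields.append(raw)
        pos += nbits
    xmin, xmax, ymin, ymax = fields
    return xmin, xmax, ymin, ymax, nbytes


def parse_swf_header(data):
    """Return signature, version, declared length, stage size in px, fps, frames."""
    sig = data[:3]
    if sig not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF file: bad signature %r" % sig)
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF (ZWS) not handled here")
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    xmin, xmax, ymin, ymax, rect_len = _read_rect(body)
    # FrameRate is 8.8 fixed point, little-endian: fraction byte then integer byte
    frame_rate = body[rect_len + 1] + body[rect_len] / 256
    frame_count = struct.unpack("<H", body[rect_len + 2:rect_len + 4])[0]
    return {
        "signature": sig.decode(),
        "version": version,
        "declared_length": declared_len,
        "width_px": (xmax - xmin) / TWIPS_PER_PX,
        "height_px": (ymax - ymin) / TWIPS_PER_PX,
        "frame_rate": frame_rate,
        "frame_count": frame_count,
    }


def build_sample_swf(width_px, height_px, compress=False):
    """Constructed test input: a header-only SWF with the given stage size,
    24 fps, one frame and a single End tag. No real Flash content."""
    xmax, ymax = width_px * TWIPS_PER_PX, height_px * TWIPS_PER_PX
    nbits = max(xmax, ymax).bit_length() + 1  # +1 for the sign bit
    bitstr = f"{nbits:05b}" + "".join(f"{v:0{nbits}b}" for v in (0, xmax, 0, ymax))
    bitstr += "0" * (-len(bitstr) % 8)
    rect = int(bitstr, 2).to_bytes(len(bitstr) // 8, "big")
    body = rect + b"\x00\x18" + struct.pack("<H", 1) + b"\x00\x00"
    sig = b"CWS" if compress else b"FWS"
    header = sig + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


def stage_size_matches(data, expected):
    """True when the file's stage size equals the (width, height) pair in px."""
    hdr = parse_swf_header(data)
    return (hdr["width_px"], hdr["height_px"]) == expected


if __name__ == "__main__":
    sample = build_sample_swf(710, 120, compress=True)
    print(parse_swf_header(sample))
```

Running the block on a real carved sample is a matter of passing `open(path, "rb").read()` to `parse_swf_header`; comparing the result against the two sizes mentioned in the notes gives a quick way to tell which generation of the Rig Flash exploit a file belongs to before any decompilation.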


Shown above: DNS traffic associated with the infection, used together with the TOR traffic to generate dynamic domain names.


Shown above: Some network traffic associated with the TOR client (not included in the pcap).


MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E EXPLOIT: