Compromised Sites: Rig-E and Rig-V Exploit Kits Deliver Cerber, Chthonic and GootKit

NOTES:

  • Today’s compromised sites redirect to the Rig-E and Rig-V exploit kits, which deliver Cerber ransomware and the Chthonic and GootKit banking trojans.
  • There are presently three versions of the Rig exploit kit; two of them, Rig-E and Rig-V, appear in today’s traffic. For more details on the versions see malware-traffic-analysis.net.

I have added zipped pcap files for your analysis. The password for each zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-12-09-Rig-EK-GootKit-pcap.zip
2016-12-09-Rig-EK-Chthonic-pcap.zip
2016-12-09-Rig-EK-cerber-pcap.zip


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig-E exploit and the delivery of GootKit

Shown above: Network traffic associated with the Rig-E exploit and the delivery of Chthonic

Shown above: Network traffic associated with the Rig-V exploit and the delivery of Cerber ransomware

ASSOCIATED DOMAINS AND IP ADDRESSES [GOOTKIT]:

  • www.sessantallora.com – COMPROMISED SITE
  • 185.106.120.180 – sxczf.iiopwposols.top – RIG-E EK LANDING PAGE
  • 86.106.131.133 – trend4u2k.com – GOOTKIT POST INFECT TRAFFIC


ASSOCIATED DOMAINS AND IP ADDRESSES [CHTHONIC]:

  • www.sessantallora.com – COMPROMISED SITE
  • 185.106.120.180 – sxczf.iiopwposols.top – RIG-E EK LANDING PAGE
  • 31.3.135.232 – DNS OVER TCP PORT 53 (resolution of the .bit C2 name; .bit is the Namecoin TLD and is not served by ordinary DNS resolvers)
  • 185.14.30.160 – scenabit.bit – CHTHONIC POST INFECT TRAFFIC
  • 144.76.133.38 – DNS OVER TCP PORT 53 (resolution of the .bit C2 name)
  • 107.181.187.174 – scenabit.bit – CHTHONIC POST INFECT TRAFFIC


ASSOCIATED DOMAINS AND IP ADDRESSES [CERBER]:

  • cynergyergonomics.com – COMPROMISED SITE
  • 109.234.35.39 – top.marbleheadestates.com – RIG-V EK LANDING PAGE
  • 185.69.153.226 – ffoqr3ug7m726zou.omc09c.top – CERBER POST INFECT TRAFFIC
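The three indicator lists above can be turned directly into detection logic. The following script is an added example (not code from the original post): it loads the domains and IPs listed above for the GootKit, Chthonic and Cerber infections, parses simplified Zeek-style connection records, and flags anything that matches. Beyond the static indicators it also applies two behavioural checks suggested by the Chthonic traffic: DNS over TCP port 53 to a host that is not one of the network's own resolvers, and any query or Host header ending in the Namecoin .bit TLD. The log records, the trusted-resolver set and the RFC 5737 addresses used for the compromised sites are constructed for illustration; they are not taken from the pcaps on this page.

```python
"""Match the indicators listed on this page against constructed log records.

Added example, not part of the original post. Each record is simplified to:
timestamp, source IP, destination IP, destination port, transport protocol and
the HTTP Host / DNS query name ("-" when there is none).
"""
from typing import Dict, List, Optional, Tuple

# Indicators copied from the lists above, keyed by the role stated there.
IOC_DOMAINS: Dict[str, str] = {
    "www.sessantallora.com": "compromised site",
    "sxczf.iiopwposols.top": "Rig-E EK landing page",
    "trend4u2k.com": "GootKit post-infection traffic",
    "scenabit.bit": "Chthonic post-infection traffic",
    "cynergyergonomics.com": "compromised site",
    "top.marbleheadestates.com": "Rig-V EK landing page",
    "ffoqr3ug7m726zou.omc09c.top": "Cerber post-infection traffic",
}
IOC_IPS: Dict[str, str] = {
    "185.106.120.180": "Rig-E EK landing page",
    "86.106.131.133": "GootKit post-infection traffic",
    "31.3.135.232": "DNS over TCP 53 (Chthonic .bit resolution)",
    "185.14.30.160": "Chthonic post-infection traffic",
    "144.76.133.38": "DNS over TCP 53 (Chthonic .bit resolution)",
    "107.181.187.174": "Chthonic post-infection traffic",
    "109.234.35.39": "Rig-V EK landing page",
    "185.69.153.226": "Cerber post-infection traffic",
}

# Assumption: the resolvers this network is expected to talk to on port 53.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# Constructed sample records, not real log data. The compromised sites and the
# benign destination use RFC 5737 documentation addresses.
SAMPLE_ROWS = [
    ("1481270400.000", "192.168.1.50", "203.0.113.10", "80", "tcp", "www.sessantallora.com"),
    ("1481270401.200", "192.168.1.50", "185.106.120.180", "80", "tcp", "sxczf.iiopwposols.top"),
    ("1481270405.900", "192.168.1.50", "86.106.131.133", "80", "tcp", "trend4u2k.com"),
    ("1481270410.300", "192.168.1.50", "31.3.135.232", "53", "tcp", "-"),
    ("1481270410.800", "192.168.1.50", "185.14.30.160", "443", "tcp", "scenabit.bit"),
    ("1481270420.000", "192.168.1.50", "192.168.1.1", "53", "udp", "-"),
    ("1481270421.000", "192.168.1.50", "198.51.100.7", "443", "tcp", "www.example.org"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse tab-separated records; skip blank lines and '#' comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, host = line.split("\t")
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto.lower(), "host": host})
    return records


def match_domain(host: str) -> Optional[str]:
    """Exact or subdomain match against IOC_DOMAINS; returns 'domain (role)' or None."""
    if host == "-":
        return None
    h = host.lower().rstrip(".")
    for dom, role in IOC_DOMAINS.items():
        if h == dom or h.endswith("." + dom):
            return f"{dom} ({role})"
    return None


def classify(rec: Dict[str, object]) -> List[str]:
    """Return every reason a record is suspicious (empty list if none)."""
    reasons: List[str] = []
    host = str(rec["host"])
    dst = str(rec["dst"])
    hit = match_domain(host)
    if hit:
        reasons.append("host " + hit)
    if dst in IOC_IPS:
        reasons.append(f"dst {dst} ({IOC_IPS[dst]})")
    # Behavioural checks, independent of the static lists. The Chthonic traffic
    # above shows .bit (Namecoin) names being resolved over TCP 53 to servers
    # that are not the network's resolvers.
    if rec["dport"] == 53 and rec["proto"] == "tcp" and dst not in TRUSTED_RESOLVERS:
        reasons.append(f"DNS over TCP 53 to non-resolver {dst}")
    if host != "-" and host.lower().rstrip(".").endswith(".bit"):
        reasons.append(f".bit (Namecoin) name {host}")
    return reasons


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) pairs for every suspicious record in the log."""
    hits: List[Tuple[str, str]] = []
    for rec in parse_log(text):
        for reason in classify(rec):
            hits.append((str(rec["ts"]), reason))
    return hits


if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

Matching on subdomains matters here because exploit-kit landing pages rotate the left-most label (the `sxczf.` in `sxczf.iiopwposols.top`) far more often than the registered domain. The two behavioural checks will fire on records that the indicator lists alone would miss once the C2 IPs change; tune `TRUSTED_RESOLVERS` to your own environment before using them.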


MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E [GOOTKIT]:


MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E [CHTHONIC]:


MALICIOUS PAYLOAD ASSOCIATED WITH RIG-V [CERBER]: