Rig-E Exploit Kit delivers GootKit banking malware from 191.101.31.119

NOTES:

  • Today I captured traffic from the Rig-E Exploit Kit (EK), which delivered GootKit banking malware via the EITest campaign.
  • The pcap file shows an additional layer in the landing page. For reasons unknown, the exploit delivered two identical payloads.
  • Presently there are three versions of the Rig Exploit Kit. For more details on the versions, see malware-traffic-analysis.net.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-12-31-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • cedar.igrooveweb.com – COMPROMISED SITE
  • 191.101.31.119 – salsx.sedtinterrighthe.top – Rig-E LANDING PAGE
  • 31.220.55.102 – nintedrer.com – RESOLVED DNS QUERY
  • 54.218.53.194 – nintedrer.com – RESOLVED DNS QUERY
  • 198.105.254.228 – karachark.com – RESOLVED DNS QUERY
  • kurtillon.com – DNS QUERY
  • chebersto.com – DNS QUERY
  • markrelso.com – DNS QUERY
  • reregaton.com – DNS QUERY
  • jejefolso.com – DNS QUERY
  • kalambint.com – DNS QUERY
  • chelkibot.com – DNS QUERY
  • kerukiron.com – DNS QUERY
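A quick way to check a capture against the indicator list above is to pull every DNS question and HTTP Host header out of the pcap and compare them to the listed domains. The script below is an added example written for this post, not the author's tooling; it reads classic libpcap files with only the standard library, and because the original pcap is not embedded here it builds a small constructed pcap (hypothetical client 192.168.1.50, made-up timestamps, the landing-page path is a placeholder) so it runs offline. Point `extract_lookups` at the bytes of 2016-12-31-Rig-EK-pcap.zip's pcap to run it on the real capture.

```python
"""Match DNS queries and HTTP Host headers in a pcap against an IOC list.
Added example for this post; the sample pcap below is constructed in code."""
import struct
from typing import Iterator, List, Set, Tuple

# Domains from the post's indicator list (compromised site deliberately excluded).
IOC_DOMAINS: Set[str] = {
    "salsx.sedtinterrighthe.top", "nintedrer.com", "karachark.com",
    "kurtillon.com", "chebersto.com", "markrelso.com", "reregaton.com",
    "jejefolso.com", "kalambint.com", "chelkibot.com", "kerukiron.com",
}

def iter_packets(pcap: bytes) -> Iterator[bytes]:
    """Yield raw Ethernet frames from a little-endian classic libpcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file (pcapng not handled)")
    off = 24                                  # global header is 24 bytes
    while off + 16 <= len(pcap):              # each record header is 16 bytes
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        yield pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len

def parse_dns_name(payload: bytes, off: int) -> str:
    """Decode an uncompressed QNAME (question section only; no pointers)."""
    labels = []
    while payload[off] != 0:
        n = payload[off]
        labels.append(payload[off + 1: off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

def extract_lookups(pcap: bytes) -> List[Tuple[str, str, str]]:
    """Return (proto, src_ip, name) for every DNS query and HTTP Host header."""
    out = []
    for frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        l4 = frame[14 + ihl:]
        if proto == 17 and len(l4) >= 20 and struct.unpack_from("!H", l4, 2)[0] == 53:
            dns = l4[8:]                                    # UDP header is 8 bytes
            if struct.unpack_from("!H", dns, 4)[0]:         # QDCOUNT > 0
                out.append(("dns", src, parse_dns_name(dns, 12)))
        elif proto == 6 and len(l4) >= 20:
            http = l4[(l4[12] >> 4) * 4:]                   # skip TCP header
            if http[:4] in (b"GET ", b"POST"):
                for line in http.split(b"\r\n"):
                    if line.lower().startswith(b"host:"):
                        out.append(("http", src, line[5:].strip().decode("ascii")))
    return out

def match_iocs(lookups: List[Tuple[str, str, str]], iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Keep only lookups whose name is on the indicator list."""
    return [hit for hit in lookups if hit[2].lower() in iocs]

# --- constructed sample capture (not the author's pcap) ----------------------
def _frame(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def _dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHH", 50000, 53, 8 + len(dns), 0) + dns

def _http_get(host: str, path: str) -> bytes:
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n\r\n".encode()
    return struct.pack("!HHIIBBHHH", 50001, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + req

def build_sample_pcap() -> bytes:
    """Hypothetical chain: compromised site -> landing page -> post-infection DNS."""
    frames = [
        _frame("192.168.1.50", "192.168.1.1", 17, _dns_query("cedar.igrooveweb.com")),
        _frame("192.168.1.50", "192.168.1.1", 17, _dns_query("salsx.sedtinterrighthe.top")),
        _frame("192.168.1.50", "191.101.31.119", 6, _http_get("salsx.sedtinterrighthe.top", "/")),
        _frame("192.168.1.50", "192.168.1.1", 17, _dns_query("nintedrer.com")),
        _frame("192.168.1.50", "192.168.1.1", 17, _dns_query("example.com")),  # benign noise
    ]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1483142400 + i, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":
    for proto, src, name in match_iocs(extract_lookups(build_sample_pcap()), IOC_DOMAINS):
        print(f"{proto:4} {src} -> {name}")
```

The parser deliberately stops at the first DNS question and ignores pointer-compressed names, which is enough for query packets; responses (and the IP-to-domain mapping in the list above) would need the answer section decoded as well. On a real capture, a Host header hit for the landing-page domain from a client that also queried the compromised site is the sequence to look for when confirming the redirect chain.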


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: HTTP traffic associated with the Rig-E exploit and the delivery of GootKit banking malware


Shown above: DNS traffic associated with the Rig-E exploit and the delivery of GootKit banking malware


Shown above: Injected script found on the index page of the compromised site, associated with the EITest campaign, which redirects visitors to the Rig-E EK landing page


MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E EXPLOIT: