Rig Exploit Kit via EITEST delivers GootKit Banking Malware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered GootKit banking malware via the EITEST campaign.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is “infected” (all lowercase).

PCAP file of the infection traffic:
2017-03-13-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • cedar.igrooveweb.com – COMPROMISED SITE
  • 5.200.52.240 – dfg.twitttwoo.co.uk – RIG EK LANDING PAGE
  • 89.42.212.124 – duplanty.top – GOOTKIT Check-in


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit kit and the delivery of GootKit banking malware


Shown above: Injected script found on the index page of the compromised site associated with the EITest campaign, which redirects visitors to the Rig EK landing page. The web page source code can be viewed by right-clicking on the page and selecting “View source”.


Shown above: DNS traffic associated with the GootKit banking malware


Shown above: GootKit communicating with its command-and-control server over SSL on TCP port 443


Shown above: Windows registry entry associated with the GootKit infection
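The captures described above (DNS answers, HTTP requests to the landing page, and an SSL check-in on port 443 that shows only a destination IP) can be correlated into the infection chain; this is an added Python example, not part of the original post. Only the indicators come from the page; the record layout, the field names and the sample records are constructed.

```python
# Added example: reconstruct the Rig EK -> GootKit chain from summarised connection
# records. Record layout and sample values are constructed; indicators are the page's.
from dataclasses import dataclass
IOC_STAGES = {  # indicator -> role in the infection chain
    "cedar.igrooveweb.com": "COMPROMISED SITE",
    "dfg.twitttwoo.co.uk": "RIG EK LANDING PAGE", "5.200.52.240": "RIG EK LANDING PAGE",
    "duplanty.top": "GOOTKIT CHECK-IN", "89.42.212.124": "GOOTKIT CHECK-IN",
}
CHAIN_ORDER = ["COMPROMISED SITE", "RIG EK LANDING PAGE", "GOOTKIT CHECK-IN"]

@dataclass
class Record:
    ts: float      # seconds into the capture
    kind: str      # "dns", "http" or "tls"
    dst_ip: str
    detail: str    # dns: "qname=answer_ip"; http: Host header; tls: SNI or ""

def resolve_name(rec: Record, dns_cache: dict) -> str:
    """Hostname a record talks to; a TLS session without SNI (how the GootKit
    check-in on 443 shows up) is tied back to the earlier DNS answer."""
    if rec.kind == "http" or (rec.kind == "tls" and rec.detail):
        return rec.detail
    return dns_cache.get(rec.dst_ip, "")

def reconstruct_chain(records: list) -> list:
    """Walk records in time order; return the first (stage, indicator) hit per stage."""
    dns_cache, hits = {}, []   # dns_cache: answer IP -> queried name
    for rec in sorted(records, key=lambda r: r.ts):
        if rec.kind == "dns":
            qname, _, answer = rec.detail.partition("=")
            if answer:
                dns_cache[answer] = qname
            continue
        name = resolve_name(rec, dns_cache)
        indicator = name if name in IOC_STAGES else rec.dst_ip
        stage = IOC_STAGES.get(indicator)
        if stage and stage not in [s for s, _ in hits]:
            hits.append((stage, indicator))
    return hits

def chain_complete(hits: list) -> bool:
    """True when all three stages were seen, in the expected order."""
    return [s for s, _ in hits] == CHAIN_ORDER
# Constructed records (not from the page's pcap); other hosts use RFC 5737 test IPs.
SAMPLE = [
    Record(0.0, "http", "203.0.113.10", "cedar.igrooveweb.com"),
    Record(0.4, "dns", "198.51.100.53", "dfg.twitttwoo.co.uk=5.200.52.240"),
    Record(0.6, "http", "5.200.52.240", "dfg.twitttwoo.co.uk"),
    Record(5.0, "dns", "198.51.100.53", "duplanty.top=89.42.212.124"),
    Record(5.3, "tls", "89.42.212.124", ""),   # no SNI: name recovered from dns_cache
]
```

Running `reconstruct_chain(SAMPLE)` yields the three stages in order, with the SSL session attributed to duplanty.top through the cached DNS answer rather than to the bare IP.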


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: