Rig Exploit Kit via malvertising delivers Ramnit banking malware

NOTES

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered Ramnit banking malware via a malvertising campaign.
  • Malvertising is the name the security industry gives to criminally-controlled adverts which intentionally infect people and businesses. These can be any ad on any site – often ones which you use as part of your everyday Internet usage. [Defined by Malwarebytes]

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2017-03-25-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 188.225.37.141 – all.kodaikanal.org – RIG EK LANDING PAGE
  • 95.215.108.213 Port 443 – mudsaoojbjijj999.com – POST INFECTION TRAFFIC
  • 217.160.0.220 – bargainner.com GET /wp-content/themes/twentyfifteen/Bobbi.exe – DOWNLOAD OF ADDITIONAL MALWARE
  • 208.74.205.76 – support.mozilla.org – POST INFECTION TRAFFIC
  • 31.41.44.84 Port 443 – zabugrom.bit POST / – POST INFECTION TRAFFIC

UPDATED POST INFECTION TRAFFIC:

31.41.44.84 zabugrom.bit


UPDATED POST INFECTION TRAFFIC [04-04-2017]

31.41.44.85 – zabugor.bit
5.9.49.12 Port 53 – DNS used to resolve zabugor.bit
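Detection logic for the infection chain listed above, as an added example (not part of the original post or its pcap): it runs over constructed DNS and HTTP records and flags the Rig EK landing page host, lookups of .bit (Namecoin) domains such as the Ramnit C2 names, DNS sent to a resolver outside the site's own (the updated traffic shows 5.9.49.12 being used for zabugor.bit), and an executable fetched from a WordPress theme directory as with Bobbi.exe. The approved-resolver address and the sample records are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from this post.
RIG_EK_HOSTS = {"all.kodaikanal.org"}
RAMNIT_C2_HOSTS = {"mudsaoojbjijj999.com", "zabugrom.bit", "zabugor.bit"}
# Assumption: the organisation's own DNS servers; anything else is suspicious.
APPROVED_RESOLVERS = {"10.0.0.53"}
EXE_IN_WP_THEME = re.compile(r"^/wp-content/themes/.+\.exe$", re.IGNORECASE)

def check_dns(src, resolver, query):
    """Return alert strings for one DNS query record."""
    alerts = []
    q = query.lower().rstrip(".")
    if q.endswith(".bit"):
        # .bit is a Namecoin TLD: it cannot resolve via public DNS, so a client
        # querying it is already talking to attacker-chosen infrastructure.
        alerts.append(f"{src}: query for Namecoin .bit domain {q} (Ramnit C2 pattern)")
    if resolver not in APPROVED_RESOLVERS:
        alerts.append(f"{src}: DNS sent to unapproved resolver {resolver}")
    if q in RAMNIT_C2_HOSTS:
        alerts.append(f"{src}: lookup of known Ramnit host {q}")
    return alerts

def check_http(src, url):
    """Return alert strings for one HTTP request URL."""
    alerts = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in RIG_EK_HOSTS:
        alerts.append(f"{src}: request to Rig EK landing page {host}")
    if host in RAMNIT_C2_HOSTS:
        alerts.append(f"{src}: request to Ramnit C2 host {host}")
    if EXE_IN_WP_THEME.match(parts.path):
        alerts.append(f"{src}: executable served from WordPress theme path {url}")
    return alerts

def scan(events):
    """events: ("dns", src, resolver, query) or ("http", src, url) tuples."""
    alerts = []
    for ev in events:
        if ev[0] == "dns":
            alerts.extend(check_dns(*ev[1:]))
        elif ev[0] == "http":
            alerts.extend(check_http(*ev[1:]))
    return alerts

# Constructed sample records, not extracted from the post's pcap.
SAMPLE_EVENTS = [
    ("dns", "10.0.0.5", "10.0.0.53", "support.mozilla.org"),
    ("http", "10.0.0.5", "http://all.kodaikanal.org/"),
    ("http", "10.0.0.5", "http://bargainner.com/wp-content/themes/twentyfifteen/Bobbi.exe"),
    ("dns", "10.0.0.5", "5.9.49.12", "zabugor.bit"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```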


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of Ramnit banking malware


Shown above: DNS traffic associated with Ramnit banking malware


Shown above: Downloading of additional malware


Shown above: Post-infection traffic associated with Ramnit banking malware


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: