Rig Exploit Kit via Rough Ted campaign delivers Chthonic banking malware

NOTES:

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-09-02-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 144.76.174.172 – vip-red.ru GET /hil – Rough Ted Gate
  • 188.225.85.172 – Rig EK landing page
  • 23.94.5.133 – Port 53 – DNS query for pationare.bit
  • 51.255.48.78 – Port 53 – DNS query for pationare.bit
  • 47.89.246.216 – pationare.bit POST / – Chthonic C2

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of Chthonic banking malware

Shown above: Script redirecting to the Rig EK landing page

Shown above: Post-infection traffic associated with Chthonic banking malware

Shown above: Communication with the malware campaign's DNS server over TCP port 53
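
The following is an added example (not part of the original post) that turns the indicator list above and the TCP/53 observation in the last screenshot into a small detection pass. The IP and domain indicators are the ones listed in this post; the log line format, the sample log lines and the APPROVED_RESOLVERS placeholder are constructed for the example. Besides plain indicator matching, it flags any DNS traffic to a resolver that is not on the approved list, which is what catches the malware resolving pationare.bit through its own DNS servers over TCP port 53 even when those server addresses are not yet known.

```python
"""Indicator matching for the 2017-09-02 Rig EK / Chthonic traffic.

Added example, not part of the original post. The IP and domain indicators
come from the post; the log format, the sample log lines and
APPROVED_RESOLVERS are constructed / assumed for this example.
"""
from dataclasses import dataclass, field

# Indicators taken from the post's "associated domains and IP addresses" list.
IOC_IPS = {
    "144.76.174.172": "RoughTed gate (vip-red.ru)",
    "188.225.85.172": "Rig EK landing page",
    "23.94.5.133": "DNS server used for the pationare.bit lookup",
    "51.255.48.78": "DNS server used for the pationare.bit lookup",
    "47.89.246.216": "Chthonic C2 (pationare.bit)",
}
IOC_DOMAINS = {"vip-red.ru", "pationare.bit"}

# Assumption: the resolvers internal hosts are allowed to use (placeholder address).
APPROVED_RESOLVERS = {"10.0.0.53"}


@dataclass
class Alert:
    line_no: int
    src: str
    dst: str
    reasons: list = field(default_factory=list)


def domain_matches(name, iocs):
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def parse_line(line):
    """Constructed format: '<ts> <src> <dst> <dport> <proto> <kind>:<detail>'.
    kind is dns (detail = query name) or http (detail = 'METHOD path host')."""
    ts, src, dst, dport, proto, rest = line.split(maxsplit=5)
    kind, _, detail = rest.partition(":")
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto,
            "kind": kind, "detail": detail}


def check_record(rec):
    """Return the list of reasons this record is suspicious (empty if clean)."""
    reasons = []
    if rec["dst"] in IOC_IPS:
        reasons.append(f"dst {rec['dst']} is a known indicator: {IOC_IPS[rec['dst']]}")
    if rec["kind"] == "dns":
        if domain_matches(rec["detail"], IOC_DOMAINS):
            reasons.append(f"DNS query for indicator domain {rec['detail']}")
    elif rec["kind"] == "http":
        parts = rec["detail"].split()
        host = parts[2] if len(parts) == 3 else ""
        if domain_matches(host, IOC_DOMAINS):
            reasons.append(f"HTTP {parts[0]} to indicator domain {host}")
    # Behavioural check independent of the indicator list: the pcap shows the
    # malware resolving its C2 through its own DNS servers over TCP port 53
    # instead of the local resolver, so any port-53 traffic to a resolver that
    # is not approved is worth a look.
    if rec["dport"] == 53 and rec["dst"] not in APPROVED_RESOLVERS:
        reasons.append(f"DNS to unapproved resolver {rec['dst']} over {rec['proto']}/53")
    return reasons


def scan(log_text):
    """Run every rule over each log line; return one Alert per flagged line."""
    alerts = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        rec = parse_line(line)
        reasons = check_record(rec)
        if reasons:
            alerts.append(Alert(n, rec["src"], rec["dst"], reasons))
    return alerts


# Constructed sample log mirroring the infection chain described in the post.
SAMPLE_LOG = """\
1504310001 192.168.1.50 10.0.0.53 53 udp dns:www.example.com
1504310002 192.168.1.50 144.76.174.172 80 tcp http:GET /hil vip-red.ru
1504310003 192.168.1.50 188.225.85.172 80 tcp http:GET / 188.225.85.172
1504310010 192.168.1.50 23.94.5.133 53 tcp dns:pationare.bit
1504310011 192.168.1.50 51.255.48.78 53 tcp dns:pationare.bit
1504310012 192.168.1.50 47.89.246.216 80 tcp http:POST / pationare.bit
1504310020 192.168.1.50 203.0.113.10 443 tcp tls:www.example.com
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.src} -> {a.dst}")
        for r in a.reasons:
            print("   ", r)
```

Running the script flags lines 2 through 6 of the constructed log; the two lookups of pationare.bit are caught three times over (destination IP indicator, domain indicator, and unapproved resolver), while the clean lookup through the approved resolver on line 1 and the unrelated TLS session on line 7 produce nothing. The resolver rule is the one worth keeping after the specific indicators age out.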

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: