Rig Exploit Kit via Rough Ted campaign delivers Chthonic banking malware
- Today I captured traffic from the Rig Exploit Kit (EK) which delivered Chthonic via the Rough Ted gate.
- Malwarebytes blog article on Rough Ted
- zerophagemalware.com analysis of Rough Ted
- malware-traffic-analysis.net pcap on Rough Ted
I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 22.214.171.124 – vip-red.ru GET /hil – Rough Ted Gate
- 126.96.36.199 – Rig EK landing page
- 188.8.131.52 – Port 53 – DNS query for pationare.bit
- 184.108.40.206 – Port 53 – DNS query for pationare.bit
- 220.127.116.11 – pationare.bit POST / – Chthonic C2
IMAGES AND DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: