Rig Exploit Kit via Rulan campaign delivers Chthonic banking malware

NOTES:

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-09-15-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • rus-red.ru – GET /hil – Rulan Gate
  • 188.225.83.5 – Rig EK landing page
  • 144.76.133.38 – Port 53 – DNS query for ponedobla.bit
  • 23.94.5.133 – Port 53 – DNS query for ponedobla.bit
  • 47.74.144.54 – ponedobla.bit – POST /net/ – Chthonic C2
  • 47.74.144.54 – ponedobla.bit – POST /us/ – Chthonic C2
  • 87.98.175.85 – Port 53 – DNS query for ponedobla.bit
  • 93.170.96.235 – Port 53 – DNS query for ponedobla.bit
  • 52.174.55.168 – Port 53 – DNS query for ponedobla.bit
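The indicators above translate directly into detection logic. The following script is an added example (not part of the original write-up) that matches network log lines against the page's domains, IP addresses, URI paths and the two traffic characteristics worth alerting on regardless of the specific IoCs: a DNS query for the Namecoin .bit TLD, which public resolvers do not serve, and DNS sent to a resolver other than the organisation's own. The log format (timestamp, src, dst, dst port, protocol, detail) is a constructed, simplified one, and the approved-resolver address 10.0.0.53 is an assumption; map your own Zeek, Suricata or proxy fields onto it.

```python
import re

# Indicators copied from this page's "ASSOCIATED DOMAINS AND IP ADDRESSES" list.
IOC_IPS = {
    "188.225.83.5": "Rig EK landing page",
    "47.74.144.54": "Chthonic C2 (ponedobla.bit)",
    "144.76.133.38": "DNS server answering for ponedobla.bit",
    "23.94.5.133": "DNS server answering for ponedobla.bit",
    "87.98.175.85": "DNS server answering for ponedobla.bit",
    "93.170.96.235": "DNS server answering for ponedobla.bit",
    "52.174.55.168": "DNS server answering for ponedobla.bit",
}
IOC_DOMAINS = {"rus-red.ru": "Rulan gate", "ponedobla.bit": "Chthonic C2"}
CHTHONIC_C2_PATHS = {"/net/", "/us/"}

# Assumption (constructed for this example): the site's only sanctioned DNS resolver.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed log format: ts src dst dst_port proto detail
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<proto>\S+)\s+(?P<detail>.*)$"
)


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def domain_matches(name, ioc):
    """True if name equals the IoC domain or is a subdomain of it."""
    name = name.lower().rstrip(".")
    return name == ioc or name.endswith("." + ioc)


def classify(rec):
    """Return a list of human-readable reasons this record is suspicious (empty if none)."""
    reasons = []
    if rec["dst"] in IOC_IPS:
        reasons.append(f"destination is known IoC IP ({IOC_IPS[rec['dst']]})")
    detail = rec["detail"].split()
    if detail and detail[0] == "DNS":
        # Detail looks like: DNS query <type> <qname>
        qname = detail[-1]
        for ioc, desc in IOC_DOMAINS.items():
            if domain_matches(qname, ioc):
                reasons.append(f"DNS query for IoC domain {ioc} ({desc})")
        if qname.lower().rstrip(".").endswith(".bit"):
            reasons.append("DNS query for Namecoin .bit TLD (not served by public DNS)")
        if rec["port"] == 53 and rec["dst"] not in APPROVED_RESOLVERS:
            reasons.append(f"DNS over {rec['proto']}/53 to non-approved resolver {rec['dst']}")
    elif detail and detail[0] == "HTTP" and len(detail) >= 4:
        # Detail looks like: HTTP <method> <host> <path>
        method, host, path = detail[1], detail[2], detail[3]
        for ioc, desc in IOC_DOMAINS.items():
            if domain_matches(host, ioc):
                reasons.append(f"HTTP {method} to IoC domain {ioc} ({desc})")
        if domain_matches(host, "ponedobla.bit") and method == "POST" and path in CHTHONIC_C2_PATHS:
            reasons.append(f"POST to Chthonic C2 path {path}")
    return reasons


def scan(lines):
    """Return [(line, reasons)] for every parsable line that triggered at least one reason."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


# Constructed sample traffic mirroring the infection chain described on this page.
SAMPLE_LOG = [
    "2017-09-15T14:01:40Z 10.0.0.15 10.0.0.53 53 udp DNS query A www.example.com",
    "2017-09-15T14:01:50Z 10.0.0.15 203.0.113.7 80 tcp HTTP GET rus-red.ru /hil",
    "2017-09-15T14:02:15Z 10.0.0.15 188.225.83.5 80 tcp HTTP GET 188.225.83.5 /",
    "2017-09-15T14:02:30Z 10.0.0.15 144.76.133.38 53 tcp DNS query A ponedobla.bit",
    "2017-09-15T14:02:31Z 10.0.0.15 47.74.144.54 80 tcp HTTP POST ponedobla.bit /net/",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The benign first line produces no hit; the ponedobla.bit lookup fires four times (IoC IP, IoC domain, .bit TLD, non-approved resolver over TCP), which is the point: the last two rules would still catch a fresh campaign that reused the same tradecraft with new infrastructure.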


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit kit and the delivery of Chthonic banking malware


Shown above: Script associated with the Rulan campaign redirecting to the Rig EK landing page


Shown above: Communication with the malware campaign's DNS server over TCP port 53


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: