Rig Exploit Kit via Rulan campaign delivers PandaBanker

NOTES:

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-09-30-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • redigroup.ru – GET /hil – Rulan Gate
  • 188.225.82.250– Rig EK landing page
  • gordinka.xyz – Unresolved DNS query
  • kostinka.xyz – Unresolved DNS query
  • makabob.xyz – Unresolved DNS query
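
A small indicator matcher, added here as an example (it is not code from the original post): it takes the domains, IP address and gate path listed above, runs them over a few constructed log lines in an assumed simplified tab-separated format, and reports which source hosts show the complete chain (gate redirect, landing-page connection, post-infection DNS). The log format, function names and sample lines are my own assumptions.

```python
"""Indicator matcher for the Rig EK / Rulan / PandaBanker chain listed above.

Added example, not code from the original post. The indicators are the ones
the post lists; the log lines are constructed samples, and the simplified
tab-separated format (kind, source IP, host-or-destination, path-or-rcode)
is an assumption made for this example.
"""
from dataclasses import dataclass

# Indicators taken from the post's ASSOCIATED DOMAINS AND IP ADDRESSES list.
RULAN_GATE_DOMAIN = "redigroup.ru"
RULAN_GATE_PATH = "/hil"
RIG_LANDING_IP = "188.225.82.250"
POST_INFECTION_DOMAINS = ("gordinka.xyz", "kostinka.xyz", "makabob.xyz")

# Constructed sample log (assumed format), mixing benign and matching lines.
SAMPLE_LOG = """\
# kind\tsrc\thost-or-dst\tpath-or-rcode
http\t10.0.0.5\twww.example.com\t/index.html
http\t10.0.0.5\tredigroup.ru\t/hil
conn\t10.0.0.5\t188.225.82.250\t80
http\t10.0.0.5\tnotredigroup.ru\t/hil
dns\t10.0.0.5\tgordinka.xyz\tNXDOMAIN
dns\t10.0.0.5\tkostinka.xyz\tNXDOMAIN
dns\t10.0.0.5\tupdates.example.net\tNOERROR
dns\t10.0.0.7\tmakabob.xyz\tNXDOMAIN
"""


@dataclass
class Hit:
    line_no: int
    src: str
    stage: str       # rulan-gate, rig-landing or post-infection-dns
    indicator: str


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or a subdomain of it; never a bare substring."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_log(lines):
    """Return one Hit per log line that touches an indicator from the post."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        kind, src, target, extra = fields[:4]
        if kind == "http":
            # Rulan gate: GET /hil on redigroup.ru (any query string is ignored).
            if host_matches(target, RULAN_GATE_DOMAIN) and extra.split("?", 1)[0] == RULAN_GATE_PATH:
                hits.append(Hit(n, src, "rulan-gate", f"{target}{extra}"))
        elif kind == "conn" and target == RIG_LANDING_IP:
            hits.append(Hit(n, src, "rig-landing", target))
        elif kind == "dns":
            for domain in POST_INFECTION_DOMAINS:
                if host_matches(target, domain):
                    # The post saw these as unresolved queries; keep the rcode so
                    # a resolved answer later stands out as a change in behaviour.
                    hits.append(Hit(n, src, "post-infection-dns", f"{target} ({extra})"))
                    break
    return hits


def hosts_with_full_chain(hits):
    """Source IPs showing every stage: gate redirect, landing page, post-infection DNS."""
    required = {"rulan-gate", "rig-landing", "post-infection-dns"}
    seen = {}
    for h in hits:
        seen.setdefault(h.src, set()).add(h.stage)
    return sorted(src for src, stages in seen.items() if required <= stages)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.src} {h.stage} {h.indicator}")
    print("full chain on:", hosts_with_full_chain(found))
```

The domain check matches the indicator or a subdomain of it rather than a substring, so a look-alike such as notredigroup.ru in the sample is not reported; correlating the three stages per source host separates a machine that completed the chain from one that only tripped a single indicator.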


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of PandaBanker malware


Shown above: Script associated with Rulan campaign redirecting to the Rig EK landing page


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

Follow on Twitter @broadanalysis