Rig Exploit Kit via Rulan campaign delivers Pony downloader and LokiBot
- Today I captured traffic from the Rig Exploit Kit (EK) which delivered Pony downloader and LokiBot via the Rulan gate.
- Thanks to @thlnk3r for sharing Rulan redirect on twitter. Someone I follow daily on twitter.
I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- redi-club.ru – Rulan redirect to Rig Exploit Kit
- 126.96.36.199 – Rig EK landing page
- 188.8.131.52 – colimna.me – POST /pony/order.php – Pony C2
- 184.108.40.206 – GET /build11.exe – LokiBot download
- 220.127.116.11 – colimna.me – POST /lok/fre.php – LokiBot C2
IMAGES AND DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
- 2017-10-01-Rig-EK.swf – Rig Flash Exploit
- bilonebilo543.exe – Pony Downloader
- build11.exe – LokiBot
Follow on Twitter @broadanalysis