Rig Exploit Kit via Rulan campaign delivers Pony downloader and LokiBot

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered the Pony downloader and LokiBot via the Rulan gate.
  • Thanks to @thlnk3r, whom I follow daily on Twitter, for sharing the Rulan redirect.

I have added a zipped pcap file for your analysis. The password for the zip archive is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-10-1-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • redi-club.ru – Rulan redirect to Rig Exploit Kit
  • 188.225.84.73 – Rig EK landing page
  • 185.141.24.64 – colimna.me – POST /pony/order.php – Pony C2
  • 185.106.122.248 – GET /build11.exe – LokiBot download
  • 185.141.24.64 – colimna.me – POST /lok/fre.php – LokiBot C2
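As an added example (not code from the original post, and not derived from the pcap itself), here is a small Python matcher that tags HTTP request records against the indicators listed above and reports which client got past the landing page. The six-column, tab-separated log format and the sample records are constructed for this example; the redirect's IP address and the landing-page URI are placeholders because the page does not give them. The URI patterns are matched before the host/IP indicators because a gate path such as /lok/fre.php names the exact stage and tends to outlive any one hosting IP.

```python
"""Tag HTTP request records against the IOCs from this Rig EK / Rulan capture.

Added example: the indicators come from the page's IOC list; the log format
and the sample records are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional
import re

# Host / IP indicators from the page, mapped to the stage they belong to.
IOC_HOSTS = {
    "redi-club.ru":    "Rulan redirect",
    "188.225.84.73":   "Rig EK landing page",
    "colimna.me":      "Pony/LokiBot C2 host",
    "185.141.24.64":   "Pony/LokiBot C2 host",
    "185.106.122.248": "LokiBot download host",
}

# URI indicators from the page, in the order the infection chain runs.
# Gate paths like these tend to be reused across hosting changes, so they
# are worth alerting on in their own right, not only by IP.
IOC_URIS = [
    ("POST", re.compile(r"^/pony/order\.php$"), "Pony C2 check-in"),
    ("GET",  re.compile(r"^/build11\.exe$"),    "LokiBot download"),
    ("POST", re.compile(r"^/lok/fre\.php$"),    "LokiBot C2 check-in"),
]

POST_EXPLOIT_STAGES = {label for _, _, label in IOC_URIS}


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    method: str
    host: str
    uri: str
    label: str


def parse_record(line: str) -> Optional[List[str]]:
    """Split a tab-separated record: ts, src, dst, method, host, uri.

    The six-column layout is assumed for this example; anything that does
    not fit is ignored rather than guessed at.
    """
    fields = line.rstrip("\n").split("\t")
    return fields if len(fields) == 6 else None


def classify(line: str) -> Optional[Hit]:
    """Return the matching stage for one record, or None if it is not an IOC hit."""
    rec = parse_record(line)
    if rec is None:
        return None
    ts, src, dst, method, host, uri = rec
    host = host.lower()
    # A URI match names the exact stage, so it wins over the host match.
    for m, pat, label in IOC_URIS:
        if method.upper() == m and pat.search(uri):
            return Hit(ts, src, dst, method, host, uri, label)
    # Otherwise match on the Host header or the destination IP, so a hit
    # survives either the domain or the IP being swapped out.
    for key in (host, dst):
        if key in IOC_HOSTS:
            return Hit(ts, src, dst, method, host, uri, IOC_HOSTS[key])
    return None


def scan(lines) -> List[Hit]:
    """All IOC hits in log order."""
    return [h for h in map(classify, lines) if h is not None]


def infected_clients(lines) -> List[str]:
    """Clients that got past the landing page: C2 check-in or payload download."""
    return sorted({h.src for h in scan(lines) if h.label in POST_EXPLOIT_STAGES})


# Constructed sample records. 10.0.0.0/8 clients and 203.0.113.0/24 servers are
# placeholders; the redirect's IP and the landing page URI are not given on
# the page, so those fields are placeholders too.
SAMPLE_LOG = [
    "2017-10-01T14:02:11\t10.0.0.23\t203.0.113.5\tGET\texample.com\t/index.html",
    "2017-10-01T14:02:12\t10.0.0.23\t203.0.113.9\tGET\tredi-club.ru\t/",
    "2017-10-01T14:02:13\t10.0.0.23\t188.225.84.73\tGET\t188.225.84.73\t/",
    "2017-10-01T14:02:19\t10.0.0.23\t185.141.24.64\tPOST\tcolimna.me\t/pony/order.php",
    "2017-10-01T14:02:20\t10.0.0.23\t185.106.122.248\tGET\t185.106.122.248\t/build11.exe",
    "2017-10-01T14:02:24\t10.0.0.23\t185.141.24.64\tPOST\tcolimna.me\t/lok/fre.php",
    "2017-10-01T14:03:01\t10.0.0.50\t203.0.113.5\tGET\texample.com\t/news",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.host}{hit.uri}  [{hit.label}]")
    print("infected clients:", infected_clients(SAMPLE_LOG))
```

Run against the sample records it tags the five stages of the chain in order and reports 10.0.0.23 as the only client that reached a C2 or download stage; a client that only touched the redirect or landing page would be flagged but not listed as infected.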


IMAGES AND DETAILS OF INFECTION CHAIN:

(Image not reproduced) Network traffic associated with the Rig exploit and the delivery of Pony downloader and LokiBot


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

Follow on Twitter @broadanalysis