Rig Exploit Kit via Malvertising redirects

Thanks to @James_inthe_box for analyzing the payload and identifying it as Recslurp, something I have never seen before.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-10-09-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 194.67.194.142 – e-btc.us – GET /mLkBTT – Redirect to Rig EK
  • 176.57.217.77 – Rig EK landing page
  • 194.67.194.142 – aircoin.ltd – GET /mLkBTT – Redirect to Rig EK
  • 176.57.214.101 – Redirect to Rig EK
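As an added example (not part of the original post or the pcap it links), the indicators listed above can be turned into a small matcher that runs over web-proxy log lines. The log format, client addresses and the non-indicator lines in the sample are constructed for illustration; the redirect and landing indicators are the ones from the list. The chain check reports only clients that reached the landing-page IP shortly after a redirect hit, which is a stronger signal than a redirect request on its own.

```python
"""Match web-proxy log lines against the Rig EK indicators listed above.

Example code added for this post. The log format used below (timestamp,
client IP, server IP, Host header, method, URI) is constructed for
illustration and is not the format of the pcap the post provides.
"""
from datetime import datetime, timedelta

# Indicators taken from the post's "associated domains and IP addresses" list.
REDIRECT_IPS = {"194.67.194.142", "176.57.214.101"}
REDIRECT_HOSTS = {"e-btc.us", "aircoin.ltd"}
REDIRECT_URIS = {"/mLkBTT"}
LANDING_IPS = {"176.57.217.77"}

# Constructed sample traffic: client 10.0.0.5 follows the malvertising redirect
# through to the landing page; client 10.0.0.9 only touches the redirector.
SAMPLE_LOG = """\
2017-10-09T14:02:11 10.0.0.5 104.16.0.1 adnetwork.example GET /banner.js
2017-10-09T14:02:12 10.0.0.5 194.67.194.142 e-btc.us GET /mLkBTT
2017-10-09T14:02:13 10.0.0.5 176.57.217.77 176.57.217.77 GET /?oq=abc
2017-10-09T14:05:40 10.0.0.9 93.184.216.34 example.com GET /index.html
2017-10-09T14:06:02 10.0.0.9 194.67.194.142 aircoin.ltd GET /mLkBTT
"""


def parse_line(line):
    """Split one constructed log line into a dict; returns None on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, host, method, uri = parts
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "host": host.lower(), "method": method, "uri": uri}


def classify(rec):
    """Return the indicator category a record matches, or None if it matches nothing."""
    if rec["dst"] in LANDING_IPS:
        return "rig-landing"
    if (rec["dst"] in REDIRECT_IPS or rec["host"] in REDIRECT_HOSTS
            or rec["uri"] in REDIRECT_URIS):
        return "rig-redirect"
    return None


def find_hits(log_text):
    """Return every record that matches an indicator, tagged with its category."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec)
        if category:
            rec["category"] = category
            hits.append(rec)
    return hits


def find_chains(hits, window=timedelta(seconds=30)):
    """Return the set of client IPs that hit the landing page within `window`
    of a redirect hit. A redirect request alone may have been blocked or broken;
    redirect followed by landing page is the stronger signal the kit was served."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["src"], []).append(h)
    chained = set()
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["category"] != "rig-redirect":
                continue
            for later in recs[i + 1:]:
                if (later["category"] == "rig-landing"
                        and later["ts"] - r["ts"] <= window):
                    chained.add(client)
    return chained


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['src']} -> {h['host']}{h['uri']} [{h['category']}]")
    print("clients with full redirect->landing chain:", sorted(find_chains(hits)))
```

Running the block prints the three indicator hits and reports 10.0.0.5 as the only client with the full redirect-to-landing chain; 10.0.0.9 is surfaced as a redirect hit only, which is the case worth a second look rather than an automatic incident.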


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Malvertising network traffic associated with the Rig exploit


Shown above: Malvertising network traffic associated with the Rig exploit


Shown above: Redirect page to Rig Exploit Kit


Shown above: Post infection DNS traffic associated with payload


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: