Rig Exploit Kit via malvertising delivers Chthonic banking malware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2017-10-20-Rig-EK-Chthonic-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 50.75.90.195 – GET /wp/wnymedical_new/wp-includes/Requests/Utility/pr.php – Redirect to Rig EK landing page
  • 217.107.219.149 – Rig EK landing page
  • 93.170.96.235 – Port 53 – DNS query for letit2.bit
  • 31.3.135.232 – Port 53 – DNS query for letit2.bit
  • 35.189.99.49 – letit2.bit – POST /q/ – Chthonic C2
  • 35.189.99.49 – letit2.bit – POST /q/www/ – Chthonic C2
  • 23.94.5.133 – Port 53 – DNS query for letit2.bit
  • 51.255.48.78 – Port 53 – DNS query for letit2.bit
  • 130.255.73.90 – Port 53 – DNS query for letit2.bit
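The indicator list above describes a chain that is easy to spot in ordinary DNS and HTTP logs once you know what to look for: a client resolving a Namecoin ".bit" name (which the public DNS root cannot answer, so the query had to go to a resolver the malware chose), DNS carried over TCP port 53 to servers that are not the site's own resolvers, and then POSTs to /q/ and /q/www/ on that host. The script below is an added example written for this page, not code from Broad Analysis: it runs those checks over constructed Zeek-style log lines and assembles the hits into a per-host timeline. The indicators are taken from the list above; the column layout, the sample log lines and the approved-resolver address 192.0.2.53 are assumptions made for the example.

```python
"""Log triage for the Rig EK -> Chthonic chain described on this page.

Added example, not material from the original post.  The indicators come from
the page's IoC list; the log lines, the approved-resolver address and the
tab-separated field layout (Zeek-like) are constructed for the example."""

from dataclasses import dataclass

# Assumption: the site's only sanctioned recursive resolver (RFC 5737 test address).
APPROVED_RESOLVERS = {"192.0.2.53"}

# Indicators copied from the page: redirector, Rig EK landing page, Chthonic C2.
KNOWN_BAD_HOSTS = {"50.75.90.195", "217.107.219.149", "35.189.99.49", "letit2.bit"}
REDIRECTOR_URI = "/wp/wnymedical_new/wp-includes/Requests/Utility/pr.php"
C2_PATHS = {"/q/", "/q/www/"}

# .bit is the Namecoin alt-root TLD; the public DNS root cannot answer it, so a
# lookup for it implies the client was pointed at a non-standard resolver.
ALT_ROOT_TLDS = (".bit",)

# Constructed dns.log rows: ts, src, resolver, resolver_port, proto, query
DNS_LOG = """\
1508500000.1\t10.0.0.5\t192.0.2.53\t53\tudp\twww.example.com
1508500001.2\t10.0.0.5\t93.170.96.235\t53\ttcp\tletit2.bit
1508500002.3\t10.0.0.5\t31.3.135.232\t53\ttcp\tletit2.bit
"""

# Constructed http.log rows: ts, src, dst, method, host, uri
HTTP_LOG = """\
1508499990.0\t10.0.0.5\t50.75.90.195\tGET\t50.75.90.195\t/wp/wnymedical_new/wp-includes/Requests/Utility/pr.php
1508499995.0\t10.0.0.5\t217.107.219.149\tGET\t217.107.219.149\t/
1508500010.0\t10.0.0.5\t35.189.99.49\tPOST\tletit2.bit\t/q/
1508500020.0\t10.0.0.5\t35.189.99.49\tPOST\tletit2.bit\t/q/www/
1508500030.0\t10.0.0.5\t93.184.216.34\tGET\twww.example.com\t/index.html
"""


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    reasons: tuple


def _rows(log_text, ncols):
    """Yield tab-separated rows, skipping blank and malformed lines."""
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) == ncols:
            yield fields


def check_dns(log_text):
    """Flag alt-root lookups and DNS sent anywhere but the approved resolvers."""
    alerts = []
    for ts, src, resolver, port, proto, query in _rows(log_text, 6):
        reasons = []
        q = query.lower().rstrip(".")
        if q.endswith(ALT_ROOT_TLDS):
            reasons.append(f"alt-root lookup {q}")
        if resolver not in APPROVED_RESOLVERS:
            reasons.append(f"DNS to unapproved resolver {resolver} over {proto}/{port}")
        if reasons:
            alerts.append(Alert(float(ts), src, tuple(reasons)))
    return alerts


def check_http(log_text):
    """Flag contact with the listed hosts, the redirector URI and the C2 POST pattern."""
    alerts = []
    for ts, src, dst, method, host, uri in _rows(log_text, 6):
        reasons = []
        h = host.lower()
        if dst in KNOWN_BAD_HOSTS or h in KNOWN_BAD_HOSTS:
            reasons.append(f"{method} to listed host {h} ({dst}) {uri}")
        if uri == REDIRECTOR_URI:
            reasons.append("request for the Rig EK redirector script")
        if method == "POST" and uri in C2_PATHS and h.endswith(ALT_ROOT_TLDS):
            reasons.append(f"C2-style POST {uri} to alt-root host {h}")
        if reasons:
            alerts.append(Alert(float(ts), src, tuple(reasons)))
    return alerts


def build_timeline(dns_alerts, http_alerts):
    """Group alerts by internal source and order them in time, so the chain
    (redirector -> landing page -> .bit lookups -> C2 POSTs) reads top to bottom."""
    timeline = {}
    for a in sorted(dns_alerts + http_alerts, key=lambda a: a.ts):
        timeline.setdefault(a.src, []).append(a)
    return timeline


if __name__ == "__main__":
    for src, alerts in build_timeline(check_dns(DNS_LOG), check_http(HTTP_LOG)).items():
        print(f"host {src}:")
        for a in alerts:
            print(f"  {a.ts:.1f}  " + "; ".join(a.reasons))
```

The two DNS checks are deliberately independent of the specific indicators: a ".bit" lookup or DNS leaving the network for an unapproved resolver is worth an alert on its own, whereas the host and URI matches age out as the campaign's infrastructure changes.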


IMAGES AND DETAILS OF INFECTION CHAIN:

[Image not preserved] Network traffic associated with the Rig exploit kit and the delivery of Chthonic banking malware


[Image not preserved] Communication with the malware campaign's DNS servers over TCP port 53


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

Follow on Twitter @broadanalysis