Rig Exploit Kit delivers Chthonic banking malware

I have added a zipped pcap file for your analysis. The password for the zip archive is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-10-27-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • new-businesseurope.com – GET /wp-content/themes/online-marketer/library/images/a.php – Redirect to Rig EK
  • 188.225.10.219 – Rig EK landing page
  • 23.94.5.133 – TCP Port 53 – DNS query for letit2.bit
  • 51.255.48.78 – TCP Port 53 – DNS query for letit2.bit
  • 151.80.147.153 – TCP Port 53 – DNS query for letit2.bit
  • 46.183.119.7 – letit2.bit – POST /q/ – Chthonic C2
  • 46.183.119.7 – letit2.bit – POST /q/www/ – Chthonic C2
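As an added example (not part of the original post), the script below turns the indicator list above into a small matcher and runs it over a few constructed connection-log lines. The log format is an assumption (one line per connection: timestamp, source IP, destination IP, protocol/port, HTTP host, method, path; DNS queries are recorded with method DNS and the queried name in the path field), the sample lines are constructed, and 203.0.113.10 is a placeholder for the redirector's address, which the post does not give. Besides the exact domain, IP and URI matches, it flags any DNS query for a .bit name sent over TCP port 53: .bit is a Namecoin namespace that ordinary DNS resolvers do not serve, so such queries going to external resolvers are a signal on their own, independent of the three resolver IPs listed.

```python
"""IoC matcher for the 2017-10-27 Rig EK / Chthonic traffic (added example)."""
import re
from typing import Dict, List, Tuple

# Indicators copied from the post's list above.
IOC_HOSTS: Dict[str, str] = {
    "new-businesseurope.com": "redirector to Rig EK",
    "letit2.bit": "Chthonic C2 domain",
}
IOC_IPS: Dict[str, str] = {
    "188.225.10.219": "Rig EK landing page",
    "23.94.5.133": "DNS over TCP/53 for letit2.bit",
    "51.255.48.78": "DNS over TCP/53 for letit2.bit",
    "151.80.147.153": "DNS over TCP/53 for letit2.bit",
    "46.183.119.7": "Chthonic C2 (letit2.bit)",
}
IOC_PATHS: Dict[Tuple[str, str], str] = {
    ("new-businesseurope.com",
     "/wp-content/themes/online-marketer/library/images/a.php"): "Rig EK redirect (a.php)",
    ("letit2.bit", "/q/"): "Chthonic C2 POST",
    ("letit2.bit", "/q/www/"): "Chthonic C2 POST",
}

# Assumed (constructed) log format, not any real tool's output:
#   timestamp src_ip dst_ip proto/port host method path
# DNS queries use host "-", method "DNS" and the queried name as path.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\w+)/(?P<port>\d+)"
    r"\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)$"
)

# Constructed sample log; 203.0.113.10 is a placeholder address.
SAMPLE_LOG = """\
2017-10-27T14:02:11 10.0.0.5 93.184.216.34 tcp/80 example.com GET /index.html
2017-10-27T14:02:19 10.0.0.5 203.0.113.10 tcp/80 new-businesseurope.com GET /wp-content/themes/online-marketer/library/images/a.php
2017-10-27T14:02:20 10.0.0.5 188.225.10.219 tcp/80 188.225.10.219 GET /
2017-10-27T14:03:05 10.0.0.5 23.94.5.133 tcp/53 - DNS letit2.bit
2017-10-27T14:03:06 10.0.0.5 46.183.119.7 tcp/80 letit2.bit POST /q/
2017-10-27T14:03:40 10.0.0.5 46.183.119.7 tcp/80 letit2.bit POST /q/www/
2017-10-27T14:04:00 10.0.0.5 93.184.216.34 tcp/80 example.com GET /about
"""


def match_line(line: str) -> List[str]:
    """Return the indicator descriptions that one log line matches (empty if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    rec = m.groupdict()
    hits: List[str] = []
    if rec["dst"] in IOC_IPS:
        hits.append(f"dst {rec['dst']}: {IOC_IPS[rec['dst']]}")
    if rec["host"] in IOC_HOSTS:
        hits.append(f"host {rec['host']}: {IOC_HOSTS[rec['host']]}")
    key = (rec["host"], rec["path"])
    if key in IOC_PATHS:
        hits.append(f"{rec['method']} {rec['path']}: {IOC_PATHS[key]}")
    # Behavioural check independent of the IP list: a .bit (Namecoin) name
    # queried over TCP/53. Ordinary DNS does not serve .bit, so this points at
    # a non-standard resolver path even if the resolver IP is not listed above.
    if (rec["method"] == "DNS" and rec["path"].endswith(".bit")
            and rec["proto"] == "tcp" and rec["port"] == "53"):
        hits.append(f"DNS {rec['path']} over TCP/53 to {rec['dst']}: Namecoin .bit lookup")
    return hits


def scan(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan a log blob; return (line_number, timestamp, hits) for matching lines only."""
    results: List[Tuple[int, str, List[str]]] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        hits = match_line(line)
        if hits:
            results.append((n, line.split()[0], hits))
    return results


if __name__ == "__main__":
    for n, ts, hits in scan(SAMPLE_LOG):
        print(f"line {n} {ts}:")
        for h in hits:
            print(f"    {h}")
```

Run as-is to see the five matching lines; to use it on real data, replace SAMPLE_LOG with lines in the same field order (or adapt LOG_RE to the export format of your proxy or DNS logs) and keep the IoC tables as the only place indicators are defined.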


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of Chthonic banking malware


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: