Rig EK drops Smoke Loader leading to XMR Miner

Summary:

Yesterday I caught Rig EK dropping a variant of Smoke Loader which is different from today's. Today's sample is more consistent with what you would expect from Smoke Loader, with its connectivity checks to popular domains like Microsoft and its attempts to hide processes. Yesterday's sample did not do any of this, so the campaign is likely run by different threat actors.

This time only an XMR miner was dropped, which did begin to connect to the mining server on port 4444. No other payloads were witnessed. It's worth keeping an eye on the IP of the domain that redirected to Rig EK, as I'm sure it will be hosting different payloads later.

 

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads:

(in password protected zip)

Info:

Smoke Loader: https://www.virustotal.com/#/file/faebfbfb3939abae9d566c332105bfdaa97529fe6a9fa769b3046069b0617caa/detection

XMR Miner: https://www.virustotal.com/#/file/2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120/details

Details of infection chain:

[Image: XMRRig.png, diagram of the infection chain]

Full Details:

The infection chain actually came from malvertising. The webpage contained a 1px iframe which led to Rig EK.

[Screenshot: compromised site]
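The 1px iframe is the whole malvertising hand-off: a frame too small to see that loads the Rig EK landing page. As an added example (not code from the original post), the script below parses a page and flags iframes that are sized or styled to be invisible, using only the standard library. The HTML and the `example.invalid` URLs are constructed sample input, not the real compromised site, and the thresholds (width or height of 0 or 1 pixel, `display:none`, `visibility:hidden`, or an off-screen negative offset) are my own heuristics.

```python
"""Flag iframes that are too small or styled to be invisible (added example,
not the post's own code). Sample HTML below is constructed."""
import re
from html.parser import HTMLParser

# Constructed sample page: one 1x1 iframe, one normal embed, one pushed
# off-screen via CSS, one hidden with display:none. URLs are placeholders.
SAMPLE_HTML = """<html><body>
<p>Welcome to the blog</p>
<iframe src="http://example.invalid/ad?x=1" width="1" height="1" frameborder="0"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://example.invalid/landing" style="position:absolute;left:-9999px;width:1px;height:1px"></iframe>
<iframe src="http://example.invalid/hidden" style="display:none"></iframe>
</body></html>"""

_STYLE_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_STYLE_DIM = re.compile(r"(width|height)\s*:\s*(\d+)\s*(px)?", re.I)
_STYLE_OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}\s*px", re.I)


def _is_tiny(value):
    """True when a width/height attribute value is 0 or 1 (pixels)."""
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collects (src, reasons) for every iframe that looks hidden."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        reasons = []
        # HTML width/height attributes of 0 or 1 (the classic "1px iframe")
        if _is_tiny(a.get("width", "")) or _is_tiny(a.get("height", "")):
            reasons.append("tiny-dimensions")
        style = a.get("style") or ""
        if _STYLE_HIDDEN.search(style):
            reasons.append("css-hidden")
        # width:1px / height:0px expressed in inline CSS instead of attributes
        if any(int(n) <= 1 for _, n, _ in _STYLE_DIM.findall(style)):
            reasons.append("tiny-css-dimensions")
        if _STYLE_OFFSCREEN.search(style):
            reasons.append("offscreen")
        if reasons:
            self.hits.append((a.get("src") or "", reasons))


def find_hidden_iframes(html):
    """Return a list of (src, [reasons]) for iframes that look hidden."""
    p = _IframeCollector()
    p.feed(html)
    p.close()
    return p.hits


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"{src}  <- {', '.join(reasons)}")
```

Run it over a saved copy of a suspect page; a hit whose `src` points at a domain the page has no business loading is the kind of redirector worth pivoting on, as the post suggests for the IP behind this one.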
The payload was Smoke Loader, which performed several connectivity checks to Microsoft domains before contacting the C2. Below you can see the first connection to the Smoke Loader C2. The interesting thing about this version of Smoke Loader is that it will attempt to hide Process Monitor, preventing it from being maximised, though you can still use Task Manager.
[Screenshot: SmokeLoader1, first connection to the Smoke Loader C2]
The second connection downloads the miner. You can see in the PCAP the reference to xmrig.com.
[Screenshot: rigminer, miner download with reference to xmrig.com]
The miner then communicates with the address below over port 4444.
[Screenshot: miner comms on port 4444]
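Port 4444 on its own is a weak indicator (it is also Metasploit's default listener port, and mining pools listen on many ports), so the thing to key on is the traffic itself. XMRig talks the Stratum JSON-RPC protocol: newline-delimited JSON objects whose first message is a `login` call carrying the wallet, a password and an `agent` string. As an added example (not from the original post), the script below classifies captured TCP payloads by that content rather than by port. The flow records, the wallet, the pool addresses (RFC 5737 documentation ranges) and the `XMRig/2.4.2` agent string are all constructed; `keepalived` and the `mining.*` names are the Stratum methods I expect to see from XMRig and from BTC-style miners respectively.

```python
"""Classify TCP payloads as Stratum mining traffic by content, not port
(added example, not the post's own code). All sample data is constructed."""
import json

# Constructed flow records standing in for what you would pull out of the PCAP.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dport": 4444,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                b'{"login":"4AAAAplaceholderwallet","pass":"x","agent":"XMRig/2.4.2"}}\n'},
    {"dst": "203.0.113.10", "dport": 4444,
     "payload": b'{"id":2,"jsonrpc":"2.0","method":"submit","params":'
                b'{"id":"1","job_id":"7","nonce":"deadbeef","result":"00"}}\n'},
    # Same port, but binary junk: port alone must not trigger an alert.
    {"dst": "198.51.100.7", "dport": 4444, "payload": b"\x00" * 16},
    # TLS ClientHello on 443 (not UTF-8, not JSON).
    {"dst": "192.0.2.5", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

# Stratum method names: XMRig (Monero) style and the older BTC-style ones.
STRATUM_METHODS = {
    "login", "submit", "keepalived", "getjob",
    "mining.subscribe", "mining.authorize", "mining.submit",
}


def classify_payload(payload: bytes):
    """Return (verdict, detail). verdict is 'xmr-miner', 'stratum' or 'not-stratum'."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return ("not-stratum", "non-utf8 payload")
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        method = msg.get("method")
        if method not in STRATUM_METHODS:
            continue
        params = msg.get("params")
        agent = params.get("agent", "") if isinstance(params, dict) else ""
        detail = f"method={method}" + (f" agent={agent}" if agent else "")
        # The agent string names the miner; XMRig is what this post observed.
        if "XMRig" in agent:
            return ("xmr-miner", detail)
        return ("stratum", detail)
    return ("not-stratum", "no stratum json-rpc line")


def triage_flows(flows):
    """Return (dst, dport, verdict, detail) for every flow carrying Stratum."""
    out = []
    for f in flows:
        verdict, detail = classify_payload(f["payload"])
        if verdict != "not-stratum":
            out.append((f["dst"], f["dport"], verdict, detail))
    return out


if __name__ == "__main__":
    for dst, dport, verdict, detail in triage_flows(SAMPLE_FLOWS):
        print(f"{dst}:{dport}  {verdict}  ({detail})")
```

Because the classification is on the JSON-RPC content, it still fires when the pool listens on 3333, 5555 or 443, and stays quiet for unrelated traffic that happens to use 4444. Pools reached over TLS will of course need the session decrypted first, or a fallback to destination-based indicators like the one the post gives.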
I did not see any other payloads from Smoke Loader, so I will end it there.

Article Link: https://zerophagemalware.com/2017/10/14/rig-ek-drops-smoke-loaders-leading-to-xmr-miner/