Summary:
It's been an interesting few weeks and I haven't been able to update, but the other researchers appear to have found a few interesting things. I thought I would blog in case anyone wanted a pcap to look at.
I actually found this through my normal malvertising route. After pondering and assistance, the payload was determined to be Smoke Loader leading to a Miner and AZORult stealer. It's an interesting sample! Thanks to @James_inthe_box for looking into it deeper.
Background Information:
- A few articles on Rig exploit kit and its evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
Downloads (in password-protected zip):
- 13-October-2017-Rig-Miner-PCAP -> Pcap of traffic
- 13-October-2017-Rig-Miner-CSV -> CSV of traffic for IOCs
- 13-October-2017-Rig-Miner -> Smoke Loader – 60489385b91478d36e4d027e70d662a861f305cc5d4bdce20f312ac1c7c2f126
Details of infection chain:
Full Details:
| SHA-256 | 2919a13b964c8b006f144e3c8cc6563740d3d242f44822c8c44dc0db38137ccb |
|---|---|
| File name | Asus Gaming.exe |
| File size | 270.5 KB |
Article Link: https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/