Summary:
Today I found Rig EK via a 302 redirect. It dropped what appears to be an infostealer trojan as masquerades as a Java updater. A dat file is created which appears to increase over time and there is a lot of traffic over port 5888 indicative of command and control traffic or exfiltration of data.
UPDATE * confirmed to be Imminent RAT – https://twitter.com/James_inthe_box/status/892912148497575936
I’ve included in this post a bit about the current Rig EK params and the RC4 key which seems to change between samples.
It’s interesting to see other types of malware from Rig other than the 3 common ones I kept finding (bunitu, chthonic, dreambot).
Background Information:
- A few articles on Rig exploit kit and it’s evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
Downloads
(in password protected zip)
- 02-August-2017-Rig-> Pcap
- 02-August-Rig-Trojan-CSV-> CSV of traffic for IOC’s (resolved IP’s as proxy was used)
- 02-August-Trojan-> Trojan (8d4a776e6814cf7247711c825e6bf83b1f2768f1dee8c0d896b86b68743ebeab)
Details of infection chain:
(click to enlarge!)
Full Details:
The flow was found via malvertising from what I think is a TDS. A 302 eventually redirects to Rig EK.
Rig has changed it’s RC4 key making it a little more annoying to grab the payload. Here you can see it is “wexykukusw“.
In addition here are the current params as of today:
The payload was fairly large and I was not able to identify it so I’ve just called it “trojan” as it appears to pretend to be a Java Updater.
SHA256: | 8d4a776e6814cf7247711c825e6bf83b1f2768f1dee8c0d896b86b68743ebeab |
File name: | e14tbkpm.exe |
Detection ratio: | 17 / 64 |
The malware drops another file and runs it though it appears to be legitimate software.
SHA256: | 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b |
File name: | Juscheckr.exe |
Detection ratio: | 0 / 64 |
The malware did create some unusual folders. One is a copy of itself renamed to “javaupdater.exe“. The other is a folder called “Imminent” which contains a text file that appears to be growing inside as time goes on.
The malware made requests as follows:
DNS requests
TCP connections
Article Link: https://zerophagemalware.com/2017/08/03/rig-ek-via-malvertising-drops-a-trojaninfostealer/