Rig EK via Malvertising drops Smoke Loader


This is a quick blog about a Rig EK detection I found on Friday. I had tweeted it out as I could not figure out the payload but I also did not have time to blog it. The community all chipped in and discovered it was a new version of Smoke Loader.

Background Information:


(in password protected zip)

Details of infection chain:

(click to enlarge!)


Rig EK via malvertising drops Smoke Loader

Full Details:

As you may know, Rig EK is now using the Flash exploit 2018-4878. You can view my previous post to see a few more details about this. Essentially they appear to have just replaced the old flash file with the new one without any major changes.

 Rig EK drops GandCrab Ransomware Via CVE-2018-4878
During this run I had the same setup. A series of 302 redirects led to Rig EK. This malvertising chain was not as complex as my previous blog but the payload was a surprise.
SHA256: 77f9f74f074dcb5fe5c5dfb7127f6d4932f08963e9d6cb6051f802583a317a65
File name: b6.exe
Detection ratio: 19 / 65
Analysis date: 2018-04-13 20:48:12 UTC ( 2 days, 10 hours ago )
Initially I had noted some familiar observations on my endpoint. Namely that the payload immediately closed all Sysinternal tools I had opened and would not let me open them again. I have only seen this behaviour with Smoke Loader.
I also observed that the program periodically stopped and started. I did not catch any C2’s other than a DNS request or other payloads dropped on my lab. Unsure of what this was, I used Any Run to see if I could tease out any more IOC’s. You can view the run here:
In order to identify it I decided to ask the Twitter community what they thought about it. A lot of people chipped in and the consensus is that it was a new version of Smoke Loader.
The above run, I did browse to one of the C2’s in the sandbox which auto redirected me to a search engine. The malicious activity was before I opened Chrome.

Essentially a number of Twitter users replied to this tweet with some very interesting information about the payload.


Please follow the Twitter thread or the hashtag #smokeloader and follow all of these great people.


Click to view slideshow.



Article Link: https://zerophagemalware.com/2018/04/16/rig-ek-via-malvertising-drops-smoke-loader/