Today I found a strange instance of Rig EK. I was presented with the landing page directly without it being silently loaded via an iframe, etc. No Flash exploit was used against me either. An old-style Rig EK URL from another Rig EK domain downloaded a payload. It is possible the download was split.
The payload was Smoke Loader, which is a loader that downloads additional malware known as plugins. It has been dropped by Rig EK before, though last month it was seen being dropped by Sundown EK. Now that Sundown EK is dead it looks like it is shifting back to Rig EK.
Hope you enjoy this seemingly unusual instance of Rig EK. Smoke Loader is a very interesting malware so I will be looking into it in more detail.
I also had a recommendation to split the pcaps and artifacts so I have done that.
- A few articles on Rig exploit kit and its evolution:
- In depth look at Smoke Loader:
Downloads (in password protected zip)
- 290317-RigSmoke – Pcap of Rig and Smoke Loader traffic. Note I was using a proxy so IP addresses won’t necessarily match the rest of this article.
- 290317-SmokeLoader -> Smoke Loader (hosted on FileDropper because of WordPress issues, long story...)
- Payload was faummt45.exe -> VirusTotal (SHA256: fbe635771408899275746442a499c7cc36f602fa8028863b9b20b66e48568199)
Details of infection chain:
- Two 302 redirects to Rig EK
- This Rig EK did not use a Flash exploit against me.
- The Rig EK flow also included one old URL-style Rig EK request, which was very peculiar. I was also presented with the landing page directly without it being silently loaded via an iframe, etc.
- The Payload was Smoke Loader.
- Smoke Loader added itself to startup and prevented itself from being manually terminated. It also minimised Process Explorer whenever it was loaded up.
- Smoke Loader copied itself into a hidden folder in Roaming. This file has the same hash as the payload downloaded. When the system is rebooted the show hidden files option is reverted to default.
- Smoke Loader downloaded one additional “plugin” and I’m sure it would have fetched more over time.
- There was an executable added to startup called “Macromedia” but I was unable to copy this file as it was “in use” and I could not terminate Smoke Loader.
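A defender-side triage check for the host artifacts listed above, added here as an example and not part of the original write-up. It assumes the Run-key value name "Macromedia" and the payload SHA256 from this post; the paths checked and the output format are this script's own choices, not something the post documents.

```powershell
# Added triage example (not from the original post): look for the Smoke Loader
# persistence artifacts described above on a Windows host.
# Assumptions: the Run value name "Macromedia" and the payload hash come from the
# post; the locations searched are this script's own choice.

$KnownPayloadSha256 = 'fbe635771408899275746442a499c7cc36f602fa8028863b9b20b66e48568199'
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Autostart entries: list every Run value and flag the one named "Macromedia".
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $flag = if ($p.Name -eq 'Macromedia') { '!! SUSPECT' } else { '' }
        "{0,-10} {1} = {2}" -f $flag, "$key\$($p.Name)", $p.Value
    }
}

# 2. Hidden folders under %APPDATA% (Roaming) that contain executables; hash each
#    executable and compare it with the known payload hash (the post notes the
#    copied file has the same hash as the downloaded payload).
$hiddenDirs = Get-ChildItem -Path $env:APPDATA -Directory -Force |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }
foreach ($dir in $hiddenDirs) {
    Get-ChildItem -Path $dir.FullName -Filter '*.exe' -File -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $match = if ($hash -eq $KnownPayloadSha256) { 'MATCHES KNOWN PAYLOAD' } else { 'unknown binary' }
            "hidden-dir exe: $($_.FullName) sha256=$hash ($match)"
        }
}

# 3. Explorer's "show hidden files" setting (Hidden = 1 means show, 2 means hide).
#    The post notes it was back at the default after a reboot, so record it.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name Hidden -ErrorAction SilentlyContinue
"Explorer Hidden setting: $($adv.Hidden)"
```

Run it from an elevated PowerShell session on the suspect host; the HKLM Run key and other users' Roaming folders are not readable otherwise.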
- VirusTotal detection ratio: 16 / 61
- VirusTotal detection ratio: 20 / 61