Rig EK delivers August Stealer

/ zerophage

 Summary:

On 2 March a site was tweeted by @St3f4nMZ to myself and two others which claimed to show different Sundown patterns. This actually turned out to be Nebula EK.

By the time I had noticed and gotten around to checking Nebula was gone and Rig EK  seemed to have taken its place.

The payload this time looked very strange. It looked like an information stealer but did not trigger any ET signatures and I could not find similar patterns anywhere in the wild. I ended up tweeting @Antelox who said it was August Stealer. It seemed to be a very unusual payload and was very interesting to watch.

At the time having no idea what I didn’t really know what to look for. By the time it had been identified (today) I had already wiped the machine so could not investigate further. None the less this is an interesting find and I hope you enjoy it. Files and PCAP’s are below.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on August Stealer:

https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene

Downloads

Notable Details:

  • 188.215.92.103 – hurtmehard.net – Compromised site 
  • 92.53.97.222 – 1rew.neighbourhoodreunion.com – Rig EK
  • 91.226.10.138 – POST blog.ru/blog/gate – August Stealer CnC
  • Payload was qvzyux09.exe -> VirusTotal

Details of infection chain:

(click to enlarge!)

040317-RigAugust

August stealer posts encrypted data to C2.

Full Details:

  • Compromised site has iframe redirecting to Rig EK.
  • Site seemed to have two iframes which caused double landing page, etc.
  • 1rew.neighbourhoodreunion.com -> Landing Page -> Flash  -> Payload
  • There was no Pre-Landing page.
  • Dropped payload “qvzyux09.exe” which is different to the usual “rad” themed ones.
  • SHA256: de519cd2ac49e2d608f4785fb2434fbd0075e39ecfd482edab5b60524376cd12
    File name: qvzyux09.exe
    Detection ratio: 29 / 59
  • With the help of @Antelox this was identified as “August stealer”
  • I used an article from Proofpoint to confirm that it was or at least this is a variant of August.
  • This is a picture from Proofpoint of C2 traffic:
  • stealer-9
  • Note the user agent, cookie and data after the “q=” is very similar to my POST traffic.

2 thoughts on “Rig EK delivers August Stealer

  1. Pingback: Terror EK delivers ZeuSVM/K.I.N.S. | Zerophage Malware

  2. Pingback: Finding a Good Man: Part 2 – MALWARE BREAKDOWN

Leave a comment