Rig EK delivers Smoke Loader

Summary:

Today I found a strange instance of Rig EK. I was presented with the landing page directly without it being silently loaded via an iframe, etc. There was no Flash exploits used against me as well. An old style Rig EK URL from another Rig EK domain downloaded a payload. It was possible the download was split.

The payload was Smoke Loader which is a loader that downloads additional malware known as plugins. It has been dropped before by Rig EK though last month it was seen to be dropped by Sundown EK. Now that Sundown EK is dead it looks like it is shifting back to Rig EK.

Hope you enjoy this seemingly unusual instance of Rig EK. Smoke Loader is a very interesting malware so I will be looking into it in more detail.

I also had a recommendation to split the pcaps and artifacts so I have done that.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • In depth look at Smoke Loader:

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

Downloads (in password protected zip)

  • 290317-RigSmoke – Pcap of Rig and Smoke Loader traffic. Note I was using a proxy so IP addresses won’t nessesarily match the rest of this article.
  • 290317-SmokeLoader-> Smoke Loader (hosted on FileDropper because WordPress issues, long story..)

Notable Details:

  • 173.208.245.114 – sextosex.club – Gate 1
  • 23.238.19.56 – freecouponcodes.ga – Gate 2
  • 92.53.124.144 – name.bellofpeace.org – Rig EK
  • 46.173.214.185 – city.urbanpicker.com – Rig EK (old pattern)
  • 104.96.50.180 – adobe.com – Smoke Loader Connectivity
  • 112.78.9.34 – mailsrv.xsayeszhaifa.bit – Smoke Loader CnC
  • 60.26.136.1 – mailserv.nutsystem323z.bit – Smoke Loader CnC
  • 83.96.168.183 – nutsystem3.bit – Smoke Loader CnC
  • Payload was faummt45.exe-> VirusTotal (fbe635771408899275746442a499c7cc36f602fa8028863b9b20b66e48568199)

Details of infection chain:

(click to enlarge!)

RigEKSmokeLoader.png

A strange Rig EK drops Smoke Loader. Note the Rig EK flow contains an old Rig Pattern and the landing page URL seems to be directly accessed. Smoke Loader downloads additional malware known as plugins.

Full Details:

  • Two 302 redirects to Rig EK
  • This Rig EK did not use a Flash exploit against me.
  • The Rig EK flow also included one old URL style Rig EK which was very peculiar. I was also presented with the landing page directly without it being silently loaded via and iframe, etc.
  • LandingDirect
  • The Payload was Smoke Loader.
  • Smoke Loader added itself to startup and prevented itself from being manually terminated. It also minimised Process Explorer when ever it was loaded up.
  • Smoke Loader copied itself into a hidden folder in Roaming. This file has the same hash as the payload downloaded. When the system is rebooted the show hidden files option is reverted to default.
  • Smoke Loader downloaded one additional “plugin” and I’m sure it would have fetched more over time.
  • There was an executable added to startup called “Macromedia” but I was unable to copy this file as it was “in use” and I could not terminate Smoke Loader.

This slideshow requires JavaScript.

SHA256: fbe635771408899275746442a499c7cc36f602fa8028863b9b20b66e48568199
File name: faummt45.exe
Detection ratio: 16 / 61
SHA256: a11be3646626bf210b355f8dc2d4236ec6651da595ab8a7b364ae2f28ad01996
File name: 3BE1.tmp.exe
Detection ratio: 20 / 61

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s