This is the first time i’ve detected a decimal redirect to Rig EK. The mechanism is described by Malwarebytes. The redirect led to a file called “rig.php” which is something I have not seen before. The page then displays a “loading” GIF which makes it appear as if something should be happening. Something is indeed happening – Smoke loader was dropped and I have demonstrated before what happens if you leave it running.
Apologies for an incomplete picture. I bodged it together with Paint as my current tools are not available.
- A few articles on Rig exploit kit and it’s evolution:
- Article on Decimal Redirects
(in password protected zip)
- 2017-Apr-27-Rig-Smoke-PCAP -> Pcap
- 2017-Apr-27-Smoke-Loader -> Smoke Loader (0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330)
- 2017-Apr-27-Rig-Smoke-CSV – CSV of URL’s.
Details of infection chain:
(click to enlarge!)
There is a URL request from the compromised site to “1755118211” which the browser interprets as an IP address (126.96.36.199). This then 302’s to an IP hosting a PHP file.
This leads to a file amusingly named “rig.php”. This contains an iframe to Rig EK and a GIF file which makes it appear as if the website is “loading”.
Rig then dropped Smoke Loader. The only thing that I have not seen before is Rig using a 5th level domain.