Summary:
This is the first time I’ve detected a decimal redirect to Rig EK. The mechanism is described by Malwarebytes. The redirect led to a file called “rig.php”, which is something I have not seen before. The page then displays a “loading” GIF which makes it appear as if something should be happening. Something is indeed happening – Smoke Loader was dropped, and I have demonstrated before what happens if you leave it running.
Apologies for an incomplete picture. I bodged it together with Paint as my current tools are not available.
Background Information:
- A few articles on Rig exploit kit and its evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
- Article on Decimal Redirects
https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/
Downloads
(in password protected zip)
- 2017-Apr-27-Rig-Smoke-PCAP -> Pcap
- 2017-Apr-27-Smoke-Loader -> Smoke Loader (0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330)
- 2017-Apr-27-Rig-Smoke-CSV – CSV of URLs.
Details of infection chain:
Full Details:
There is a URL request from the compromised site to “1755118211”, which the browser interprets as an IP address (104.156.250.131). This then 302-redirects to an IP hosting a PHP file.
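To show why “1755118211” resolves to 104.156.250.131, here is an added Python example (not from this post or the capture) that unpacks a bare 32-bit integer host into dotted-quad form and flags such hosts in request lines. The log lines are constructed for illustration; only the decimal value and dotted address come from the post.

```python
import socket
import struct
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample request lines (not from the PCAP); the first host is the
# decimal form seen in the post, the third is the same address written as hex.
SAMPLE_LOG = [
    "GET http://1755118211/ HTTP/1.1",
    "GET http://example.com/index.html HTTP/1.1",
    "GET http://0x689cfa83/rig.php HTTP/1.1",
    "GET http://104.156.250.131/rig.php HTTP/1.1",
]


def dword_to_ipv4(value: int) -> str:
    """Unpack a 32-bit integer (network byte order) into dotted-quad form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return socket.inet_ntoa(struct.pack("!I", value))


def ipv4_to_dword(dotted: str) -> int:
    """Inverse of dword_to_ipv4: dotted quad -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def normalize_host(host: Optional[str]) -> Optional[str]:
    """If host is a bare integer (decimal or 0x-hex) encoding of an IPv4
    address, return the dotted quad; otherwise return None. Dotted-quad and
    named hosts are deliberately left alone so only the obfuscated form hits."""
    if not host:
        return None
    try:
        if host.lower().startswith("0x"):
            value = int(host[2:], 16)
        elif host.isdigit():
            value = int(host, 10)
        else:
            return None
    except ValueError:
        return None
    if value > 0xFFFFFFFF:
        return None
    return dword_to_ipv4(value)


def find_numeric_hosts(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan 'METHOD URL ...' request lines and return (host as written, dotted
    quad) for every host that is an integer-encoded IPv4 address."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        host = urlsplit(parts[1]).hostname
        dotted = normalize_host(host)
        if dotted is not None:
            hits.append((host, dotted))
    return hits


if __name__ == "__main__":
    for written, dotted in find_numeric_hosts(SAMPLE_LOG):
        print(f"{written} -> {dotted}")
```

The same check applies to proxy or IDS URL fields: a host that is a bare integer is rarely legitimate, so it is a cheap pivot for hunting this redirect style in existing logs.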
This leads to a file amusingly named “rig.php”. This contains an iframe to Rig EK and a GIF file which makes it appear as if the website is “loading”.
Rig then dropped Smoke Loader. The only thing that I have not seen before is Rig using a 5th level domain.