Rig EK via Decimal Redirect Drops Smoke Loader.

Summary:

This is the first time I've detected a decimal redirect to Rig EK. The mechanism is described by Malwarebytes (linked below). The redirect led to a file called "rig.php", which is something I have not seen before. The page then displays a "loading" GIF, which makes it appear as if something should be happening. Something is indeed happening: Smoke Loader was dropped, and I have demonstrated before what happens if you leave it running.

Apologies for an incomplete picture. I bodged it together with Paint as my current tools are not available.


Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Decimal Redirects

https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/

Downloads

(in password-protected zip)

Details of infection chain:

Rigsmoke.png: Decimal Redirect to Rig EK which drops Smoke Loader.

Full Details:

There is a URL request from the compromised site to "1755118211", a host made up of a single decimal integer, which the browser interprets as an IP address (104.156.250.131). That host then returns a 302 redirect to an IP hosting a PHP file.
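To make such hosts visible in proxy or web logs, the following added example (not from the original post) normalizes integer-form IPv4 hosts to dotted-quad notation; it goes beyond the page by also handling the hex spelling of the same address. The log lines are constructed; only the host 1755118211 comes from the page.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy-log style entries (not from the original capture).
# Only the first host, 1755118211, is the value quoted on the page.
SAMPLE_LOG = """\
GET http://1755118211/ 302
GET http://example.test/index.html 200
GET http://0x689CFA83/ 200
GET http://104.156.250.131/rig.php 200
"""

def normalize_host(host):
    """Return (dotted_quad, form) if host is an IPv4 literal, else None.

    Browsers accept non-canonical IPv4 spellings in a URL host: a single
    decimal integer ("1755118211") or a hex integer ("0x689cfa83").
    Both are converted to the dotted-quad address so that blocklist
    lookups and log searches see one form.
    """
    if re.fullmatch(r"\d+", host):
        value, form = int(host, 10), "decimal"
    elif re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        value, form = int(host, 16), "hex"
    else:
        try:
            return str(ipaddress.IPv4Address(host)), "dotted"
        except ValueError:
            return None  # a hostname, not an IP literal
    if value > 0xFFFFFFFF:
        return None  # integer too large to be an IPv4 address
    return str(ipaddress.IPv4Address(value)), form

def find_nonstandard_ip_hosts(log_text):
    """Return (original_host, dotted_quad, form) for every request whose
    host is an IPv4 literal written in a non dotted-quad form."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        host = urlsplit(parts[1]).hostname or ""  # hostname is lowercased
        norm = normalize_host(host)
        if norm and norm[1] != "dotted":
            hits.append((host, norm[0], norm[1]))
    return hits
```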


This leads to a file amusingly named “rig.php”. This contains an iframe to Rig EK and a GIF file which makes it appear as if the website is “loading”.


Rig then dropped Smoke Loader. The only thing I have not seen before is Rig using a fifth-level domain.
