Rig EK drops failed payload. (new params)

Summary:

I’ve been away for some time, busy moving house, but it seems the EK front has been very quiet the last few weeks. I’ve been unable to find Magnitude EK and many of my malvertising chains have turned up dry. Not even hurtmehard.net had something.

So I decided to revisit an IP hosting a gate I called the ‘small’ gate, because the iframe to Rig always contained the small tag. This gate always led to the Bunitu proxy trojan. However, this time it failed.

I have seen several failures since I began hunting EKs. I saw a few with Sundown and many with Magnitude. I have always presumed it may be my lab, but this could indicate an update to Rig that the threat actors have yet to push. I did notice the new parameters several other researchers have mentioned. This lull could indicate the calm before a storm or a decline in Rig EK.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Details of infection chain:

(image: RigEKFailed)

Rig EK with new parameters with a failed payload.

Full Details:

As noted by other researchers, Rig EK is using 3 new parameters.

(image: NewParams)

This particular gate, which could be referred to as the “small” gate (since all redirections to Rig EK contained the “small” tag), used to drop Bunitu.

(image: SmallGate)

However, this time it appeared to fail. In addition, I did not see any wscript. The EK did, however, run the following command.

(image: cmdaction.PNG)

I have not dug into the landing page yet to look for any significant changes. I’m not sure why the payload failed but it could be due to my host or a Rig EK update that the threat actor has yet to apply.
