Summary:
I’ve been away for some time, busy moving house, but it seems the EK front has been very quiet the last few weeks. I’ve been unable to find Magnitude EK, and many of my malvertising chains have turned up dry. Not even hurtmehard.net had something.
So I decided to revisit an IP hosting a gate I called the ‘small’ gate, because the iframe to Rig always contained the small tag. This gate always led to the Bunitu proxy trojan. However, this time it failed.
I have seen several failures since I began hunting EKs. I saw a few with Sundown and many with Magnitude. I have always presumed it may be my lab, but this could indicate an update to Rig that the threat actors have yet to push. I did notice the new parameters several other researchers have mentioned. This lull could indicate the calm before a storm or a decline in Rig EK.
Background Information:
- A few articles on Rig exploit kit and its evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
Downloads
(in password protected zip)
- 2017-May-09-Rig-Fail -> Pcap
- 2017-May-09-RigFlash -> Rig EK Flash file (SHA-256: 5a0dbcb57a68f3ac3c00e7de1a5de577e3fe747829eccf62ba294b1db0c60b7e)
- 2017-May-09-Rig-CSV -> CSV of URLs
Details of infection chain:
Full Details:
As noted by other researchers, Rig EK is using 3 new parameters.
This particular gate, which could be referred to as the “small” gate (since all redirections to Rig EK contained the “small” tag), used to drop Bunitu.
However, this time it appeared to fail. In addition, I did not see any wscript. The EK did run the following command, however.
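One way a defender can turn the observation above into a check is to scan fetched HTML for iframes that sit inside a `<small>` element and load a host other than the embedding page. The script below is an added example written for this post, not code from the original write-up; it assumes the "small" tag means the iframe is wrapped in an HTML `<small>` element, and the sample page it scans is constructed for illustration (the hostnames are placeholders, not observed infrastructure).

```python
"""Heuristic detector for the 'small' gate pattern described in the post.

Added example, not code from the original post. It assumes the gate's
redirection is an <iframe> nested inside a <small> element whose src
points to a host other than the page that embedded it. The sample HTML
below is constructed for illustration; hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class SmallIframeFinder(HTMLParser):
    """Collect iframe src values that appear inside a <small> element."""

    def __init__(self):
        super().__init__()
        self.small_depth = 0   # how many <small> elements we are currently inside
        self.hits = []         # iframe src values found while inside <small>

    def handle_starttag(self, tag, attrs):
        if tag == "small":
            self.small_depth += 1
        elif tag == "iframe" and self.small_depth > 0:
            src = dict(attrs).get("src")
            if src:
                self.hits.append(src)

    def handle_endtag(self, tag):
        if tag == "small" and self.small_depth > 0:
            self.small_depth -= 1


def find_suspicious_iframes(html, page_url):
    """Return iframe URLs nested in <small> that point off the embedding host.

    A same-host or relative iframe is ordinary site markup; an iframe wrapped
    in <small> that loads a different host matches the gate behaviour the
    post describes and is worth a closer look in the pcap.
    """
    page_host = urlparse(page_url).netloc.lower()
    finder = SmallIframeFinder()
    finder.feed(html)
    suspicious = []
    for src in finder.hits:
        host = urlparse(src).netloc.lower()
        # relative URLs have no netloc and load from the page's own host
        if host and host != page_host:
            suspicious.append(src)
    return suspicious


# Constructed sample page: one benign same-host iframe, one hidden off-host
# iframe wrapped in <small>, and one off-host iframe that is not inside <small>.
SAMPLE_HTML = """
<html><body>
<h1>Compromised site</h1>
<iframe src="/widgets/comments.html" width="600" height="200"></iframe>
<small><iframe src="http://gate.example.test/?q=abc" width="1" height="1"
       style="visibility:hidden"></iframe></small>
<iframe src="https://cdn.example.test/player"></iframe>
</body></html>
"""

if __name__ == "__main__":
    page = "http://victim-site.example.test/index.html"   # constructed placeholder
    for url in find_suspicious_iframes(SAMPLE_HTML, page):
        print("suspicious iframe:", url)
```

Run it against saved landing pages from a capture (for example the HTML bodies exported from the pcap in the downloads) to shortlist candidate gate redirections before pivoting into the URL CSV. The same-host exclusion keeps ordinary embedded widgets out of the results; nested `<small>` elements are handled by tracking depth rather than a boolean.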
I have not dug into the landing page yet to look for any significant changes. I’m not sure why the payload failed but it could be due to my host or a Rig EK update that the threat actor has yet to apply.