Rig EK via RoughTed drops a Miner

Summary:

Following RoughTed again I came across a website that used the “http.eqiv” attribute to refresh the page which led to Rig EK. Rig EK dropped two payloads which both were the same file with different names. The Flash exploit was also present which is worth mentioning as for a few days it had stopped using Flash. The final payload appeared to be a coin miner but it did not perform any of its capabilities. The payload could be a work in progress so I will pass it to the @MalwareHunterTeam who may find it of interest.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Rough Ted:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

Downloads

(in password protected zip: (infected))

Details of infection chain:

(click to enlarge!)

RigRoughMiner

Rig EK via RoughTed malvertising leads to a suspicious coin miner application.

Full Details:

RoughTed is a malvertising operation known for it’s wide scope. See the MalwareBytes article above for a more in depth dive. In this chain I started with the RoughTed URL and within 8 seconds Rig EK had dropped a payload.

RoughTed

RoughTed led to a compromised website that used the “http.equiv” attribute to refresh the screen which presents the Rig EK landing page.

Redirecttorig

Rig EK dropped two payloads both of which were the same file as the final binary but with different names. I also observed the Flash exploit which was missing from Rig EK for the last few days.

2payloads

The payload copied itself to “Appdata/Roaming/MetaData” and created a startup entry. Multiple vendors detected the executable as “MSILPerseus” which is considered a form of adware.

SHA256: 0411b1ea2fecb65eb91d7d95b57a53e1d3032dbde666f705c619411869bf196b
File name: curl.exe
Detection ratio: 19 / 61

The binary did not seem to perform any actions. It is possible it was waiting for a user action or that the code was corrupt. I did fine 2 URL’s in the strings one of which returns your public IP:

  • 0x00.shop/xxl/bd.php
  • icanhazip.com

I also viewed the functions and saw multiple suspicious commands such as modules, file downloads, POST requests.

botfunctions

I also passed the sample to @Antelox who identified a string:

“%USERPROFILE%\Desktop\miner no tor\mayweather\obj\Debug\utcsvc.pdb”

 

 

2 thoughts on “Rig EK via RoughTed drops a Miner

  1. Pingback: Rig EK Via Rough Ted Delivers Chthonic | Zerophage Malware

  2. Pingback: Rig EK via Malvertising drops Zloader and Chthonic | Zerophage Malware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s