Three Rig EK Campaigns

Summary:

First off, apologies for the lack of updates. I have been following a few Rig EK campaigns lately but have not really seen anything new in terms of payloads. I have also not done the usual picture, only a small version (with one mistake in it). I’ve been very busy lately with a career move and juggling life in general.

There have been a few Rig EK changes which @Nao_sec has reported on, such as the RC4 key changing. I’ll dig into these myself at some point.

Nonetheless, if you are looking for Rig EK, hopefully this blog post will help you find a source. These three campaigns are good sources for Rig EK, so happy hunting!

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

  • Article on Dreambot:

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

Downloads

(in password-protected zip: (infected))

Details of infection chain:


[Image: refferers]

Full Details:

There are three campaigns currently that are easy sources of Rig EK.

Fobos campaign is its “official” name, but I call it the “Small gate” because the iframe always contains the “<small>” tag. These are often decoy websites with a casino or gaming theme. There is an iframe either to a domain on the same IP or to another IP that belongs to the threat actor. On that page there is an iframe to Rig EK. Currently it drops the Bunitu proxy trojan.

[Image: Bunitu280717]

HookAds is quite interesting in that the URLs appear to be “packed”. I had to debug the script to reveal the URL. The website requests a script called “popunder.php”, which leads to a URL that usually has a pattern like “domain/banners/string”. Both of these domains serve JavaScript which has to be decoded to see the target URL. I almost always get Dreambot from this campaign.

[Image: Hookads1.PNG]

[Image: Hookads2.PNG]

Finally there is the “Rulan” campaign, which I have seen use two different redirect mechanisms: an HTTP Refresh, which reloads the page to the URL specified, and a JavaScript redirect. There are tons of these domains on a single IP (144.76.174.172). This always seems to drop Chthonic.

[Image: Rulan.PNG]
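
The three campaigns above each leave a fairly mechanical fingerprint: an iframe wrapped in a <small> tag (Fobos), a popunder.php script and a “/banners/string” URL (HookAds), and an HTTP Refresh to a different host or a known IP (Rulan). The script below is an added example, not code from the original post, that checks captured page responses for those three fingerprints. The sample observations, hostnames and IPs other than 144.76.174.172 are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample observations, one per campaign described above.
# All hostnames/paths and every IP except 144.76.174.172 are placeholders.
SAMPLES = [
    {   # Fobos / "Small gate": iframe wrapped in a <small> tag
        "url": "http://casino-decoy.example/",
        "src_ip": "203.0.113.10",
        "headers": {},
        "body": '<html><body><small><iframe src="http://gate.example/index.php" '
                'width="1" height="1"></iframe></small></body></html>',
    },
    {   # HookAds: page pulls popunder.php, which leads to /banners/<string>
        "url": "http://ads.example/popunder.php",
        "src_ip": "203.0.113.20",
        "headers": {},
        "body": "<script>var u='http://redir.example/banners/abc123';</script>",
    },
    {   # Rulan: HTTP Refresh header served from the actor's IP
        "url": "http://rulan-decoy.example/",
        "src_ip": "144.76.174.172",
        "headers": {"Refresh": "0; url=http://next-hop.example/"},
        "body": "<html><body>loading</body></html>",
    },
    {   # Benign page: nothing to flag
        "url": "http://news.example/",
        "src_ip": "198.51.100.5",
        "headers": {},
        "body": "<html><body><p>Hello</p></body></html>",
    },
]

RULAN_IPS = {"144.76.174.172"}                       # from the post
HOOKADS_RE = re.compile(r"/popunder\.php|/banners/[A-Za-z0-9]+")
REFRESH_URL_RE = re.compile(r"url\s*=\s*(\S+)", re.I)


class IframeInSmall(HTMLParser):
    """Collects iframe src values that appear inside an open <small> tag."""
    def __init__(self):
        super().__init__()
        self.small_depth = 0
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "small":
            self.small_depth += 1
        elif tag == "iframe" and self.small_depth > 0:
            src = dict(attrs).get("src")
            if src:
                self.hits.append(src)

    def handle_endtag(self, tag):
        if tag == "small" and self.small_depth > 0:
            self.small_depth -= 1


def classify(obs):
    """Return a list of (campaign, evidence) tuples for one observation."""
    findings = []
    parser = IframeInSmall()
    parser.feed(obs["body"])
    for src in parser.hits:
        findings.append(("Fobos", f"iframe inside <small> -> {src}"))
    for m in HOOKADS_RE.finditer(obs["url"] + " " + obs["body"]):
        findings.append(("HookAds", m.group(0)))
    refresh = obs["headers"].get("Refresh")
    if refresh:
        m = REFRESH_URL_RE.search(refresh)
        target = m.group(1) if m else refresh
        # A Refresh that sends the browser to another host is the Rulan pattern
        if urlparse(target).netloc and urlparse(target).netloc != urlparse(obs["url"]).netloc:
            findings.append(("Rulan", f"Refresh header to other host: {target}"))
    if obs["src_ip"] in RULAN_IPS:
        findings.append(("Rulan", f"known campaign IP {obs['src_ip']}"))
    return findings


def scan(observations=SAMPLES):
    """Map each observed URL to the campaign fingerprints found in it."""
    return {o["url"]: classify(o) for o in observations}


if __name__ == "__main__":
    for url, found in scan().items():
        print(url, found or "clean")
```

The Fobos check is structural (iframe nested in <small>) rather than string based, so obfuscated attribute spacing or extra wrapper tags do not break it; the HookAds check is deliberately loose and is meant as a triage hint, not a blocking rule.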

 

Rig EK via Malvertising drops Panda Banker

Summary:

Today I found Panda Banker via a series of 302 redirects to Rig EK. The payload did not run on my lab, so I sought the aid of @Antelox, who identified it as Panda. I then put the sample into a sandbox where it did run, so I managed to pull a few IOCs.

It has been a while since I’ve seen Panda Banker. I’ll have to pore over the data and figure out why it evaded my lab but ran in a sandbox.


Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Panda Banker:

https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/

Downloads

(in password-protected zip)

Details of infection chain:


Full Details:

Found via a malvertising chain of multiple 302 redirects, Rig EK drops Panda Banker. The sample did not run on my lab: it created three files, then terminated. It must have checked for something, disliked what it found, and terminated. The sample was confirmed to be Panda by @Antelox.

SHA256: 9cdb53cc0294be1cb0699879499d17c6d450fbb5e03a6979cb7ad14cfb67c51a
File name: 16-July-2017-Rig-Malware.bin
Detection ratio: 19 / 63
Avira (no cloud) TR/AD.PandaBanker.fyxdz

Although it did not run on my lab, I did manage to put it into a sandbox which ran it, so I have some IOCs for traffic.

The PCAP is located here: https://www.virustotal.com/en/file/7ebd871771bfaa3eb6d3f4ffd638d709a251fd4fa487dfe0c2a9f58a7374e21c/analysis/

On my lab it created the three files below but then terminated. On the sandbox it copied itself to the path below and did the usual trojan behaviour (process injection, etc.).

[Image: Panda5]

Below are the HTTP POST requests over port 443 which were observed to smillaopds.top.

[Images: Panda3, Panda2, Panda1]
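
Because the sandbox could show the POST bodies, I am assuming these requests were plain HTTP carried over port 443 rather than TLS; that alone is a useful detection hook, since a legitimate client speaking to 443 starts with a TLS ClientHello. The snippet below is an added example, not part of the original post or the sandbox output: it classifies the first bytes of each client payload and lists flows to 443 that carry cleartext HTTP. The flow records and IPs are constructed; only the smillaopds.top host comes from the traffic above.

```python
# Constructed flow records: (dst_ip, dst_port, first bytes of client payload).
# smillaopds.top is the host from the sandbox traffic above; the IPs are placeholders.
FLOWS = [
    ("203.0.113.50", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),   # TLS ClientHello
    ("203.0.113.51", 443, b"POST /xyz HTTP/1.1\r\nHost: smillaopds.top\r\nContent-Length: 64\r\n\r\n"),
    ("203.0.113.52", 80,  b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    ("203.0.113.53", 443, b"\x00\x00\x00\x00\x00"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_payload(data: bytes) -> str:
    """Classify the first bytes a client sent: 'tls', 'http' or 'unknown'."""
    # A TLS record starts with content type 0x16 (handshake) and version major 0x03
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def http_host(data: bytes):
    """Extract the Host header from a plaintext HTTP request, if present."""
    for line in data.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def find_plaintext_on_443(flows=FLOWS):
    """Return (dst_ip, host) for flows to port 443 that carry cleartext HTTP."""
    hits = []
    for dst_ip, port, data in flows:
        if port == 443 and classify_payload(data) == "http":
            hits.append((dst_ip, http_host(data)))
    return hits


if __name__ == "__main__":
    for dst_ip, host in find_plaintext_on_443():
        print(f"cleartext HTTP to {dst_ip}:443, Host: {host}")
```

On a real sensor the same check is usually expressed as a protocol-mismatch rule (HTTP parsed on a port expected to be TLS); the point of the example is that the banker's C2 stands out by transport, before any signature on the URL or payload is needed.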

There was a lot more data, but I’ll end with the quick summary that the sandbox gave:

[Image: Panda4]


Rig EK delivers Kronos Banker

Summary:

I took a break for a while, though I was still finding the usual Chthonic, Bunitu and Dreambot Rig EK flows from the usual HookAds, Rulan and Fobos campaigns. If you are interested in those, let me know; I still have the PCAPs.

Someone also messaged me about changing the way I capture packets. I have not done this yet but will look into it.

Anyway, today I found Kronos via malvertising which led to a website that contained 3 iframes that redirected to Rig EK. In this flow I was using IE 11 and the latest version of Flash.

I would be interested to know any domains that Kronos targets, to see if I can spot any injections occurring.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Kronos:

https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/

Downloads

(in password-protected zip)

Details of infection chain:


Full Details:


Found initially through malvertising, the dummy website has 3 iframes on it that redirect to Rig EK.

[Image: tripleFrame]

The payload was Kronos Banker. The first EXE was dropped by Rig. It then created the second EXE and eventually injected itself into svchost:

SHA256: b024266f710c6c7a1517d4623e048b8c564dabf9ac294ba6317762fa6c830142
File name: vqb1zpvr.exe
Detection ratio: 19 / 65

SHA256: ffc1cfe4cfa36477ead629bd1a2c6ffb266502c3261b85de431137da411320a8
File name: domain.exe
Detection ratio: 8 / 62

I saw three domains associated with Kronos in total. POST requests were made to “/kronos/connect.php”:

kgkjvkjgvkgvkhg.xyz
khgkjhkjghkjgh.xyz
kljhlkjhkljh.xyz

[Image: kronosCnC]
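
To make the Kronos indicators above directly usable, here is an added example (my own code, not from the original post) that matches a stream of normalised events against them: HTTP events are checked for the three C2 domains and for a POST to “/kronos/connect.php” on any host, and file events are hashed and compared with the two SHA256 values. The event stream is constructed; the file contents are placeholders and will not hash to the real samples.

```python
import hashlib

# Indicators taken from the write-up above.
KRONOS_DOMAINS = {"kgkjvkjgvkgvkhg.xyz", "khgkjhkjghkjgh.xyz", "kljhlkjhkljh.xyz"}
KRONOS_URI = "/kronos/connect.php"
KRONOS_SHA256 = {
    "b024266f710c6c7a1517d4623e048b8c564dabf9ac294ba6317762fa6c830142": "vqb1zpvr.exe",
    "ffc1cfe4cfa36477ead629bd1a2c6ffb266502c3261b85de431137da411320a8": "domain.exe",
}

# Constructed event stream: HTTP events carry host/path, file events carry bytes.
# Hostnames other than the C2 domains, the file path and the file bytes are placeholders.
EVENTS = [
    {"type": "http", "method": "POST", "host": "khgkjhkjghkjgh.xyz", "path": "/kronos/connect.php"},
    {"type": "http", "method": "GET", "host": "www.example", "path": "/index.html"},
    {"type": "http", "method": "POST", "host": "other.example", "path": "/kronos/connect.php"},
    {"type": "file", "path": r"C:\Users\lab\AppData\Roaming\domain.exe", "data": b"MZ placeholder"},
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a file's bytes, the same form as the IoCs above."""
    return hashlib.sha256(data).hexdigest()


def match_event(ev):
    """Return the list of reasons this event matches the Kronos IoCs (empty if none)."""
    reasons = []
    if ev["type"] == "http":
        if ev["host"] in KRONOS_DOMAINS:
            reasons.append(f"known C2 domain {ev['host']}")
        # The URI alone is worth flagging: new C2 domains reuse the same check-in path
        if ev["path"] == KRONOS_URI and ev["method"] == "POST":
            reasons.append(f"C2 URI pattern POST {KRONOS_URI}")
    elif ev["type"] == "file":
        digest = sha256_hex(ev["data"])
        if digest in KRONOS_SHA256:
            reasons.append(f"known sample hash ({KRONOS_SHA256[digest]})")
    return reasons


def scan_events(events=EVENTS):
    """Return (event index, reasons) for every event that matched at least one IoC."""
    out = []
    for i, ev in enumerate(events):
        reasons = match_event(ev)
        if reasons:
            out.append((i, reasons))
    return out


if __name__ == "__main__":
    for i, reasons in scan_events():
        print(i, EVENTS[i], reasons)
```

The URI check fires on the third event even though its host is not in the list, which is the behaviour you want here: the domains are throwaway, the check-in path is what the bot keeps reusing.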

Viewing the functions of “domain.exe” shows what appears to be form grabbing and HTML injection.

[Image: functions]

Magnitude EK drops Cerber (Scriptlet changed to “.bmp”)

Summary:

It’s been a fairly standard week for Rig EK. I’ve not spotted anything new or interesting, so I decided not to blog about it this week. I did however discover a change in Magnitude EK. It’s a small one, but the scriptlet now has the extension “.bmp” instead of “.ico”.

I also ran this flow with the latest IE 11 and Flash Player and still got Cerber Ransomware (still calling itself CRBR). If you’ve ever fiddled with security settings you’ll probably scream that scriptlets are disabled by default, which is true. I did play with the security settings to try to see what payload the scriptlet drops. Alas, they still failed as usual and Cerber appeared from its normal vector.

Background Information:

  • Article from RSA, although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK drops “CBRB” (Cerber Ransomware)

Magnitude EK via malvertising delivers Cerber Ransomware

Downloads (in password-protected zip)

Details of infection chain:


[Image: MagnitudeBMP]

Full Details:

Just to note, for this flow I ran IE 11 downloaded straight from the MS website and the latest Flash was installed. This was to demonstrate the need to patch your operating system, as clearly these updates were not enough to stop Magnitude (albeit I did lower IE security settings).

[Image: FlashPlayerIEVersion]


Most notable about this flow is the change in the naming of the scriptlet used by Magnitude EK.

The scriptlet is called in the landing page. I have deobfuscated most of it and you can see the call to the “.bmp” scriptlet. Previously it was “.ico”.

[Image: ScripletCall]

This is the scriptlet mostly deobfuscated with some variables renamed. Here you can see an executable is dropped and run with cmd. These executables always fail and are 0 KB. I’m not sure why this is the case.

[Image: ScriptletDecode]
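
The rename from “.ico” to “.bmp” only fools checks that trust the file name or the Content-Type. The added example below (my own code, not from the post or from Magnitude) sniffs the first bytes of each response instead: a real BMP starts with “BM”, a real ICO with 00 00 01 00, and a scriptlet is an XML document whose root is <scriptlet> (or <component>). A response that claims to be an image by name or Content-Type but sniffs as a scriptlet is flagged. The responses, hostnames and paths are constructed; only the “.bmp”/“.ico” naming comes from the post.

```python
import re

# Constructed HTTP responses: (request URL, response Content-Type, first bytes of body).
# The hostnames and paths are placeholders; only the ".bmp"/".ico" naming is from the post.
RESPONSES = [
    ("http://landing.example/img/logo.bmp", "image/bmp",
     b"BM\x36\x00\x0c\x00\x00\x00\x00\x00\x36\x00\x00\x00"),
    ("http://magnitude-placeholder.example/x/y.bmp", "image/bmp",
     b'<?XML version="1.0"?>\r\n<scriptlet>\r\n<registration progid="x"/>\r\n<script language="JScript">'),
    ("http://magnitude-placeholder.example/x/z.ico", "image/x-icon",
     b'<?XML version="1.0"?><scriptlet><script>'),
    ("http://site.example/favicon.ico", "image/x-icon",
     b"\x00\x00\x01\x00\x01\x00\x10\x10"),
]

IMAGE_EXTS = (".bmp", ".ico", ".png", ".jpg", ".gif")
# Windows scriptlet / script component files: XML prolog then <scriptlet> or <component>
SCRIPTLET_RE = re.compile(rb"^\s*<\?xml[^>]*>\s*<(scriptlet|component)\b", re.I)


def sniff(body: bytes) -> str:
    """Identify the real content from leading bytes, ignoring name and Content-Type."""
    if body.startswith(b"BM"):
        return "bmp"
    if body.startswith(b"\x00\x00\x01\x00"):
        return "ico"
    if SCRIPTLET_RE.match(body):
        return "scriptlet"
    return "unknown"


def looks_like_image_url(url: str) -> bool:
    """True if the URL path (query string stripped) ends in an image extension."""
    path = url.split("?", 1)[0].lower()
    return path.endswith(IMAGE_EXTS)


def find_masquerading_scriptlets(responses=RESPONSES):
    """Return URLs whose name or Content-Type claims an image but whose body is a scriptlet."""
    hits = []
    for url, ctype, body in responses:
        claims_image = looks_like_image_url(url) or ctype.startswith("image/")
        if claims_image and sniff(body) == "scriptlet":
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in find_masquerading_scriptlets():
        print("scriptlet disguised as image:", url)
```

Sniffing on content rather than name means the next extension swap (whatever replaces “.bmp”) is caught without a rule change, which is the practical lesson from this week’s Magnitude tweak.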

If you enlarge this picture you will see a condensed version of all the processes that were run on the endpoint.

[Image: MagProcesses]

The payload is Cerber Ransomware. This version calls itself “CBRB”.

[Image: cerberpic]

This version of Cerber is at least a week old (the UDP patterns are identical, but the sample is fresh from the 3rd); however, it still does a good job of evading a lot of AV vendors.

SHA256: 46e29c56d426a4c16548b74f77b2fdd75005ddac1333039567d16212cdc585e4
File name: a.exe
Detection ratio: 14 / 61