Rig EK via Malvertising drops Panda Banker

Summary:

Today I found Panda Banker via a series of 302 redirects to Rig EK. The payload did not run on my lab so I sought the aid of @Antelox who identified it as Panda. I then put the sample into a sandbox where it did run so I managed to pull a few IOC’s.

It has been a while since I’ve seen Panda Banker  I’ll have to pour over the data and figure out why it evaded my lab but ran in a sandbox..

 

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Panda Banker

https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

Full Details:

Found via a malvertising chain of multiple 302 redirects, Rig EK drops Panda Banker. The sample did not run on my lab. It created three files then terminated. It must have checked for something and disliked it then terminated. The sample was confirmed to be Panda by @Antelox.

SHA256: 9cdb53cc0294be1cb0699879499d17c6d450fbb5e03a6979cb7ad14cfb67c51a
File name: 16-July-2017-Rig-Malware.bin
Detection ratio: 19 / 63
Avira (no cloud) TR/AD.PandaBanker.fyxdz

Although it did not run, I did managed to put it into a sandbox which managed to run it so I have some IOC’s for traffic.

The PCAP is located here: https://www.virustotal.com/en/file/7ebd871771bfaa3eb6d3f4ffd638d709a251fd4fa487dfe0c2a9f58a7374e21c/analysis/

On my lab it created the three files below but then terminated. On the sandbox it copied itself to the path below and did the usual trojan behaviour (process injection, etc.)

Panda5

Below is port 443 HTTP POST requests which were observed to smillaopds.top.

Panda3Panda2Panda1

There was a lot more data but I’ll end with a quick summary that the sandbox gave:

Panda4

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s