Summary:

First off apologies for the lack of update. I have been following a few Rig EK campaigns lately but have not really seen anything new in terms of payloads. I have also not done the usual picture, rather a small version (with one mistake in..) I’ve been very busy lately with moving career and juggling life in general.

There has been a few Rig EK changes which @Nao_sec has reported on. Things like the RC4 key changing. I’ll dig into these myself at some point.

None the less if you are looking for Rig EK hopefully this blog post may help you find a source. These three campaigns are good sources for Rig EK so happy hunting!

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

• Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

• Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

• Article on Dreambot:

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

Downloads

(in password protected zip: (infected))

• 28-July-2017-Rig-Multi-PCAP -> Pcap of traffic
• 28-July-2017-Rig-Multi-CSV-> CSV of the traffic for IOC’s
• 28-July-2017-Rig-BunituChthonicDreambot -> Dreambot, Chthonic and Bunitu

Details of infection chain:

(click to enlarge!)

Full Details:

There are three campaigns currently that are easy sources of Rig EK.

Fobos Campaign by “official” name but I call it the “Small gate” on account that the iframe always contains the “<small>” tag. These are often decoy websites with a casino or gaming theme. There is iframe either to a domain on the same IP or another IP that belongs to the threat actor. On that page there is an iframe to Rig EK. Currently it drops Bunitu proxy trojan.

HookAds is quite interesting in that the URL’s appear to be “packed”. I had to debug the script to reveal the URL. The website requests script called “popunder.php” which leads to a URL that usually has a pattern like “domain/banners/string“. Both of these domains contain a JavaScript which has to be decoded to see the target URL. I almost always get Dreambot from this campaign.

Finally there is the “Rulan” campaign which I have seen use two different redirect mechanisms. There is a HTTP Refresh which reloads the page to the URL specified and a JavaScript redirect. There are tonnes of these domains from a single IP (144.76.174.172). This always seems to drop Chthonic.