Three Rig EK Campaigns

Summary:

First off, apologies for the lack of updates. I have been following a few Rig EK campaigns lately but have not really seen anything new in terms of payloads. I have also not done the usual picture, rather a small version (with one mistake in it). I've been very busy lately with moving career and juggling life in general.

There have been a few Rig EK changes which @Nao_sec has reported on, such as the RC4 key changing. I'll dig into these myself at some point.

Nonetheless, if you are looking for Rig EK, hopefully this blog post may help you find a source. These three campaigns are good sources for Rig EK, so happy hunting!

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

  • Article on Dreambot:

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

Downloads

(in a password-protected zip; password: infected)

Details of infection chain:

[Image: infection chain diagram (refferers)]

Full Details:

There are three campaigns currently that are easy sources of Rig EK.

Fobos Campaign by "official" name, but I call it the "Small gate" on account that the iframe always contains the "<small>" tag. These are often decoy websites with a casino or gaming theme. There is an iframe either to a domain on the same IP or to another IP that belongs to the threat actor. On that page there is an iframe to Rig EK. Currently it drops the Bunitu proxy trojan.

[Screenshot: Bunitu280717]

HookAds is quite interesting in that the URLs appear to be "packed". I had to debug the script to reveal the URL. The website requests a script called "popunder.php" which leads to a URL that usually has a pattern like "domain/banners/string". Both of these domains contain JavaScript which has to be decoded to see the target URL. I almost always get Dreambot from this campaign.

[Screenshot: Hookads1.PNG]

[Screenshot: Hookads2.PNG]

Finally, there is the "Rulan" campaign, which I have seen use two different redirect mechanisms: an HTTP Refresh, which reloads the page to the URL specified, and a JavaScript redirect. There are tonnes of these domains on a single IP (144.76.174.172). This always seems to drop Chthonic.

[Screenshot: Rulan.PNG]

 
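As an added example (my own code, not something from the original post or from any of the campaign pages), the script below pulls redirect targets out of a captured response using the three mechanisms described above: the "small gate" iframe from the Fobos paragraph (assumed here to mean an iframe wrapped in a <small> tag), and the HTTP Refresh and JavaScript location redirect from the Rulan paragraph. It does not attempt the HookAds JavaScript unpacking, which needs a debugger as the post says. All the sample HTML, headers and hostnames in it are constructed placeholders, not real campaign infrastructure.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample traffic (made up for this example, not real captures).
SMALL_GATE_HTML = """
<html><body><h1>Best casino bonuses</h1>
<small><iframe src="http://gate.example/land.php" width="1" height="1"></iframe></small>
</body></html>
"""
REFRESH_HEADERS = {"Refresh": "0; url=http://next.example/index.html"}
META_REFRESH_HTML = """
<html><head><meta http-equiv="refresh" content="2;URL=http://meta.example/go"></head>
<body>loading</body></html>
"""
JS_REDIRECT_HTML = """
<html><body><script>
setTimeout(function(){ window.location.href = "http://js.example/landing"; }, 500);
</script></body></html>
"""

# "<n>; url=<target>" as used by both the Refresh header and <meta http-equiv=refresh>
_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# window.location = "..."; location.href = "..."; location.replace("..."); location.assign("...")
_JS_LOC_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]|"""
    r"""location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]\s*\)""",
    re.I,
)


def _parse_refresh(value: str):
    m = _REFRESH_RE.match(value)
    return m.group(1) if m else None


class _GateParser(HTMLParser):
    """Collect iframes (noting whether they sit inside <small>) and meta refreshes."""

    def __init__(self):
        super().__init__()
        self.small_depth = 0
        self.iframes: List[Dict[str, object]] = []
        self.meta_refresh: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "small":
            self.small_depth += 1
        elif tag == "iframe" and a.get("src"):
            self.iframes.append({"src": a["src"], "in_small": self.small_depth > 0})
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            url = _parse_refresh(a.get("content") or "")
            if url:
                self.meta_refresh.append(url)

    def handle_endtag(self, tag):
        if tag == "small" and self.small_depth:
            self.small_depth -= 1


def extract_redirects(headers: Dict[str, str], body: str) -> List[Dict[str, object]]:
    """Return every redirect target in one HTTP response, tagged by mechanism."""
    found: List[Dict[str, object]] = []
    # 1. HTTP Refresh header (the server-side form of the Rulan-style reload)
    for name, value in headers.items():
        if name.lower() == "refresh":
            url = _parse_refresh(value)
            if url:
                found.append({"mechanism": "http-refresh", "url": url})
    # 2. <meta http-equiv=refresh> and <iframe>, flagging the "small gate" shape
    parser = _GateParser()
    parser.feed(body)
    for url in parser.meta_refresh:
        found.append({"mechanism": "meta-refresh", "url": url})
    for f in parser.iframes:
        kind = "small-gate-iframe" if f["in_small"] else "iframe"
        found.append({"mechanism": kind, "url": f["src"]})
    # 3. JavaScript location assignment, scanned over the raw body so it also
    #    catches scripts that an HTML parser would treat as opaque text
    for m in _JS_LOC_RE.finditer(body):
        found.append({"mechanism": "js-location", "url": m.group(1) or m.group(2)})
    return found


if __name__ == "__main__":
    for label, hdrs, html in (("fobos", {}, SMALL_GATE_HTML),
                              ("rulan-refresh", REFRESH_HEADERS, META_REFRESH_HTML),
                              ("rulan-js", {}, JS_REDIRECT_HTML)):
        for hit in extract_redirects(hdrs, html):
            print(f"{label}: {hit['mechanism']} -> {hit['url']}")
```

The iframe check is deliberately loose (any iframe is reported, the <small> wrapper only changes the label) because the gate domain and the Rig EK landing page are both reached by iframe and you want the whole hop chain, not just the first hop. Feed it the response body from each hop of a pcap and you get the next URL to pivot on.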
