I was hunting for Rig over the weekend in the Asian region (proxy used) and found 4 different payloads. I merged these into one PCAP and began investigating the payloads, and with the help of several Twitter members (mentioned down below) I got an ID on most of them. I have resolved the IPs in the CSV and the main picture, but in the PCAP you will see my proxy IPs.
In all, I found the usual Bunitu; however, the “small” tag was not present in the gate. I found Smoke Loader, which did not run; Andromeda, which did run; and an unknown malware which I suspect is a cryptocurrency miner.
A good haul, enjoy!
- A few articles on Rig exploit kit and its evolution:
- Article on Bunitu Trojan:
- In-depth look at Smoke Loader:
- Article on Andromeda Bot:
(in password-protected zip)
- 06-August-2017-Rig-PCAP-> Pcap (merged and proxy used)
- 06-August-2017-Rig-CSV-> CSV of traffic for IOCs (resolved IPs as proxy was used)
- 06-August-2017-Bunitu-SL-Andro-Miner-> Unfortunately I have to use FileDropper as WordPress doesn’t like my password-protected zips sometimes…
- Bunitu – 02978385cbeffaae26f0fbca7d84a232c147533dfa813327f77e08f91f3c1185
- Smoke Loader – ed9fa89fbd7b2693c07c755cf1bcb1aaea1c96eb2e8bbf0721cce733bcdb2fbe
- Andromeda – 0133522011020f0d2a3c204c218b0855a4c3fe470b86d27633572309e5aa3bce
- Miner – 87497a8b09f1e602258c6c8e53c342209e2cbc6c5d69b0ab7a6db927a94092f1
Details of infection chain:
Detection ratio: 46 / 64
This was the usual Bunitu which allows your host to become a proxy server. A DLL is dropped which runs on startup. I didn’t include this DLL but it’s what you would be looking for if you suspect a host has been compromised. Every time someone connects there is a DNS request (126.96.36.199):
Next up is Smoke Loader. Now, I had some issues here with my Wireshark, as it did not seem to capture the traffic except for the download. To make things worse, my lab would not run the malware and neither would HA (ran but not properly).
I know, though, that this was from a TDS, probably Keitaro, as I have been seeing this more and more lately and have seen it in the past.
Detection ratio: 27 / 64
Next we have Andromeda, again through Keitaro TDS, which led to a decoy website and then a 302 to Rig EK. I sought the aid of @Antelox to identify this one.
The payload was a 25kb file and appeared to be old, as the hash was seen 8 months ago. The malware injects itself into MSIEXEC and then performs several POST requests which are likely patches or modules. It remained persistent through reboots.
Detection ratio: 49 / 64
The payload copied itself into a “directx” folder in Microsoft roaming and added itself to startup. The command it ran did not appear to do anything; however, when I browsed to the IP in the command, the server returned with a message saying “mining server online”.
There was no CNC or traffic observed on this port. It would need some dynamic analysis, I think, so I have passed it on to the @malwrhunterteam as I have heard they are interested in miners.
Detection ratio: 17 / 64
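A triage check for the miner persistence described above, as an added example that is not part of the original post: it scans exported autorun entries for programs launched from a “directx” folder under the roaming Microsoft directory. The exact folder path (`%APPDATA%\Microsoft\directx`), the function names and the sample entries are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: "Microsoft roaming" in the post means %APPDATA%\Microsoft, so the
# folder to look for is <profile>\AppData\Roaming\Microsoft\directx.
SUSPECT_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\directx\\", re.IGNORECASE)
IMAGE_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", re.IGNORECASE)


def image_path(command, appdata):
    """Return the normalised executable path from an autorun command line."""
    cmd = re.sub(r"%appdata%", lambda _: appdata, command.strip(), flags=re.IGNORECASE)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end != -1 else cmd[1:]
    else:
        # Unquoted paths may contain spaces: cut at the first executable extension.
        m = IMAGE_RE.match(cmd)
        path = m.group(1) if m else cmd.split(" ", 1)[0]
    # normpath collapses ".." segments and unifies slash direction.
    return ntpath.normpath(path)


def flag_autoruns(entries, appdata):
    """Return (location, name, path) for entries launched from the suspect folder."""
    hits = []
    for location, name, command in entries:
        path = image_path(command, appdata)
        if SUSPECT_DIR.search(path):
            hits.append((location, name, path))
    return hits


# Constructed sample data: (location, entry name, command line). Not from the PCAP or CSV.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE = [
    (RUN_KEY, "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "DirectX Host",
     r"%APPDATA%\Microsoft\directx\dxhost.exe --constructed-arg"),
    ("Startup folder", "dx.lnk",
     r"C:\Users\bob smith\AppData\Roaming\Microsoft\Windows\..\DirectX\update.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for hit in flag_autoruns(SAMPLE, APPDATA):
        print(hit)
```

Feed it the Run-key and Startup-folder entries exported from a suspect host; a hit is a lead for further analysis, since only the launched image path is checked, not its arguments.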
That’s it for this post!