Rig EK via malvertising drops Imminent RAT

Summary:

Today I found Rig EK via a 302 redirect. It dropped what appears to be an infostealer trojan as masquerades as a Java updater. A dat file is created which appears to increase over time and there is a lot of traffic over port 5888 indicative of command and control traffic or exfiltration of data.

UPDATE * confirmed to be Imminent RAT – https://twitter.com/James_inthe_box/status/892912148497575936

I’ve included in this post a bit about the current Rig EK params and the RC4 key which seems to change between samples.

It’s interesting to see other types of malware from Rig other than the 3 common ones I kept finding (bunitu, chthonic, dreambot).

Background Information:

A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

02-August-2017-Rig-> Pcap
02-August-Rig-Trojan-CSV-> CSV of traffic for IOC’s (resolved IP’s as proxy was used)
02-August-Trojan-> Trojan (8d4a776e6814cf7247711c825e6bf83b1f2768f1dee8c0d896b86b68743ebeab)

Details of infection chain:

(click to enlarge!)

Rig EK via a malvertising 302 redirect drops what appears to be a fake Java updater

Full Details:

The flow was found via malvertising from what I think is a TDS. A 302 eventually redirects to Rig EK.

Rig has changed it’s RC4 key making it a little more annoying to grab the payload. Here you can see it is “wexykukusw“.

In addition here are the current params as of today:

The payload was fairly large and I was not able to identify it so I’ve just called it “trojan” as it appears to pretend to be a Java Updater.

SHA256:	8d4a776e6814cf7247711c825e6bf83b1f2768f1dee8c0d896b86b68743ebeab
File name:	e14tbkpm.exe
Detection ratio:	17 / 64

The malware drops another file and runs it though it appears to be legitimate software.

SHA256:	51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
File name:	Juscheckr.exe
Detection ratio:	0 / 64

The malware did create some unusual folders. One is a copy of itself renamed to “javaupdater.exe“. The other is a folder called “Imminent” which contains a text file that appears to be growing inside as time goes on.

The malware made requests as follows:

DNS requests

niggershateim.mooo.com (94.140.120.149)

www[.]iptrackeronline.com (45.55.57.244)

TCP connections

94.140.120.149:5888

45.55.57.244:80

45.55.57.244:443

It appears to communicate to 94.140.120.149 over port 5888 likely sending the contents of the file above. Therefore it appears to have some kind of infostealing capability.

Zerophage Malware

Presenting exploit kits and malware in a fresh way.

Rig EK via malvertising drops Imminent RAT

Summary:

Background Information:

Downloads

Details of infection chain:

Full Details:

DNS requests

TCP connections

Leave a comment Cancel reply

Summary:

Background Information:

Downloads

Details of infection chain:

Full Details:

DNS requests

TCP connections

Share this:

Related

Leave a comment Cancel reply