Today I found Rig EK via a 302 redirect. It dropped what appears to be an infostealer trojan as masquerades as a Java updater. A dat file is created which appears to increase over time and there is a lot of traffic over port 5888 indicative of command and control traffic or exfiltration of data.
UPDATE * confirmed to be Imminent RAT – https://twitter.com/James_inthe_box/status/892912148497575936
I’ve included in this post a bit about the current Rig EK params and the RC4 key which seems to change between samples.
It’s interesting to see other types of malware from Rig other than the 3 common ones I kept finding (bunitu, chthonic, dreambot).
- A few articles on Rig exploit kit and it’s evolution:
(in password protected zip)
- 02-August-2017-Rig-> Pcap
- 02-August-Rig-Trojan-CSV-> CSV of traffic for IOC’s (resolved IP’s as proxy was used)
- 02-August-Trojan-> Trojan (8d4a776e6814cf7247711c825e6bf83b1f2768f1dee8c0d896b86b68743ebeab)
Details of infection chain:
(click to enlarge!)
The flow was found via malvertising from what I think is a TDS. A 302 eventually redirects to Rig EK.
Rig has changed it’s RC4 key making it a little more annoying to grab the payload. Here you can see it is “wexykukusw“.
In addition here are the current params as of today:
The payload was fairly large and I was not able to identify it so I’ve just called it “trojan” as it appears to pretend to be a Java Updater.
|Detection ratio:||17 / 64|
The malware drops another file and runs it though it appears to be legitimate software.
|Detection ratio:||0 / 64|
The malware did create some unusual folders. One is a copy of itself renamed to “javaupdater.exe“. The other is a folder called “Imminent” which contains a text file that appears to be growing inside as time goes on.
The malware made requests as follows: