Rig EK via malvertising drops Imminent RAT

Summary:

Today I found Rig EK via a 302 redirect. It dropped what appears to be an infostealer trojan as masquerades as a Java updater. A dat file is created which appears to increase over time and there is a lot of traffic over port 5888 indicative of command and control traffic or exfiltration of data.

UPDATE * confirmed to be Imminent RAT – https://twitter.com/James_inthe_box/status/892912148497575936

I’ve included in this post a bit about the current Rig EK params and the RC4 key which seems to change between samples.

It’s interesting to see other types of malware from Rig other than the 3 common ones I kept finding (bunitu, chthonic, dreambot).

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

Full Details:

The flow was found via malvertising from what I think is a TDS. A 302 eventually redirects to Rig EK.

Rig has changed it’s RC4 key making it a little more annoying to grab the payload. Here you can see it is “wexykukusw“.

Godmode

In addition here are the current params as of today:

Params

The payload was fairly large and I was not able to identify it so I’ve just called it “trojan” as it appears to pretend to be a Java Updater.

SHA256: 8d4a776e6814cf7247711c825e6bf83b1f2768f1dee8c0d896b86b68743ebeab
File name: e14tbkpm.exe
Detection ratio: 17 / 64

The malware drops another file and runs it though it appears to be legitimate software.

SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
File name: Juscheckr.exe
Detection ratio: 0 / 64

The malware did create some unusual folders. One is a copy of itself renamed to “javaupdater.exe“. The other is a folder called “Imminent” which contains a text file that appears to be growing inside as time goes on.

Growing

The malware made requests as follows:

 DNS requests
 TCP connections
It appears to communicate to 94.140.120.149 over port 5888 likely sending the contents of the file above. Therefore it appears to have some kind of infostealing capability.
5888

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s