Rig EK via Rulan drops an Infostealer

Summary:

Back again with the Rulan campaign. Recently it has changed it’s usual payload and we have seen Quant Loader, Coin Miner and KINS.

This time it is back and dropped a payload which I have struggled to ID. It has all the characteristics of an infostealer (gathering data then sending to C2). I’ve been unable to decipher what data it is ending and why. The C2 domains also did not trigger any ET/Snort rules.

It’s interesting for sure and I’d be interested to know more about it so keep an eye on Twitter.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Unfortunately  having a few issues with WordPress so the payload is on tinyupload for now. Let me know if it goes down.

Details of infection chain:

(click to enlarge!)

RigInfo.png

Full Details:

Rulan has been providing various payloads over the past week or so. A coin miner and even KINS was spotted earlier this week by @nao_sec. It is still using a JS redirector and a HTTP refresh to redirect the victim to Rig EK.
rulan
Rig itself continues to change up it’s parameters this time using “opas“, “hopas” and “shops“.
params
The RC4 key is now “marydcetoz“. You can use this to decrypt the payload from the pcap.
newkey2
newkey1
The payload appeared to be an infostealer by nature. I was unable to identify it though sought the aid of @James_inthe_box who digged further but could not identify it.
SHA-256 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb
File name eb11bac9e73f7f6fed3506e28a13dacbfa3fbdc0
File size 288 KB

 

The payload copied itself into a folder called “ZSysRaw” and the binary was named “sysraw.exe“. It then began to collect information and store it in a folder called “data“.

 

malwarex

The malware began with a POST request ending with “load.php“. It looks like Base64 but I could not decode it into anything meaningful.

load

Next it began to POST data from the text files it created. Again I could not decode this data. Each text file it created it then sent to the C2 with each file reaching a size of around 3kb~.

steal

The payload did not trigger any signatures (ET/Snort) though it’s behaviour is indicative of an information stealer. Keep checking Twitter, it’s likely some more info will come!

zerophageicon2

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s