Summary:

Back again with the Rulan campaign. Recently it has changed it’s usual payload and we have seen Quant Loader, Coin Miner and KINS.

This time it is back and dropped a payload which I have struggled to ID. It has all the characteristics of an infostealer (gathering data then sending to C2). I’ve been unable to decipher what data it is ending and why. The C2 domains also did not trigger any ET/Snort rules.

It’s interesting for sure and I’d be interested to know more about it so keep an eye on Twitter.

Background Information:

• A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

• 21-September-2018-Rig-Infostealer-PCAP-> Pcap of traffic
• 21-September-2017-Rig-Infostealer-CSV-> CSV of traffic for IOC’s
• 21-September-2017-Infostealer-> Infostealer – 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb

Unfortunately  having a few issues with WordPress so the payload is on tinyupload for now. Let me know if it goes down.

Details of infection chain:

(click to enlarge!)

Full Details:

The malware began with a POST request ending with “load.php“. It looks like Base64 but I could not decode it into anything meaningful.

Next it began to POST data from the text files it created. Again I could not decode this data. Each text file it created it then sent to the C2 with each file reaching a size of around 3kb~.

The payload did not trigger any signatures (ET/Snort) though it’s behaviour is indicative of an information stealer. Keep checking Twitter, it’s likely some more info will come!