Back again with the Rulan campaign. Recently it has changed it’s usual payload and we have seen Quant Loader, Coin Miner and KINS.
This time it is back and dropped a payload which I have struggled to ID. It has all the characteristics of an infostealer (gathering data then sending to C2). I’ve been unable to decipher what data it is ending and why. The C2 domains also did not trigger any ET/Snort rules.
It’s interesting for sure and I’d be interested to know more about it so keep an eye on Twitter.
- A few articles on Rig exploit kit and it’s evolution:
(in password protected zip)
- 21-September-2018-Rig-Infostealer-PCAP-> Pcap of traffic
- 21-September-2017-Rig-Infostealer-CSV-> CSV of traffic for IOC’s
- 21-September-2017-Infostealer-> Infostealer – 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb
Unfortunately having a few issues with WordPress so the payload is on tinyupload for now. Let me know if it goes down.
Details of infection chain:
(click to enlarge!)
|File size||288 KB|
The payload copied itself into a folder called “ZSysRaw” and the binary was named “sysraw.exe“. It then began to collect information and store it in a folder called “data“.
The malware began with a POST request ending with “load.php“. It looks like Base64 but I could not decode it into anything meaningful.
Next it began to POST data from the text files it created. Again I could not decode this data. Each text file it created it then sent to the C2 with each file reaching a size of around 3kb~.
The payload did not trigger any signatures (ET/Snort) though it’s behaviour is indicative of an information stealer. Keep checking Twitter, it’s likely some more info will come!