Rig EK drops Smoke loader leading to XMR Miner.


Yesterday I caught Rig EK dropping a variant of Smoke Loader which is different to todays one. Today’s sample is more consistent with what you would expect from Smoke Loader with its connectivity checks to popular domains like Microsoft and its attempts to hide processes. Yesterdays sample did not do any of this so campaign is likely ran by different threat actors.

This time only an XMR miner was dropped which did begin to connect to the mining server on port 4444. No other payloads were witnessed.  It’s worth keeping an eye on the IP of the domain that redirected to Rig EK as I’m sure it will be hosting different payloads later.


Background Information:

  • A few articles on Rig exploit kit and it’s evolution:



(in password protected zip)


Smoke Loader- https://www.virustotal.com/#/file/faebfbfb3939abae9d566c332105bfdaa97529fe6a9fa769b3046069b0617caa/detection

XMR Miner – https://www.virustotal.com/#/file/2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120/details

Details of infection chain:

(click to enlarge!)


Full Details:

The infection chain actually came from malvertising. The webpage contained a 1px iframe which leads to Rig EK.

 compromised site
The payload was Smoke Loader which performed several connectivity checks to Microsoft domains before contacting the C2. Below you can see the first connection to Smoke Loader C2. The interesting thing about this version of Smoke Loader is it will attempt to hide Process Monitor preventing it from being maximised though you can still use task manager.
The second connection downloads the miner. You can see in the PCAP the reference to xmrig.com.
The miner then communicates to the address below over port 4444.
I did not see any other payloads from Smoke Loader so i will end it there.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s