Rig EK drops Ursnif/ISFB variant

Summary:

Today Rig EK dropped what looked like an information stealer. Based on the URL structure and the location in which it copied itself and maintains persistence, I believe this to be an Ursnif/ISFB variant.

I browsed to a website and watched it copy my browsing traffic into a folder and then periodically POST it to a C2 server bundled into a .bin file. The replies also contained an unusual header which indicated I was “infected”.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)


Details of infection chain:

[Image: infection chain overview (UIrsnifRifg.png)]

Full Details:

The infection chain originated from malvertising. A 302 redirect sends the user to Rig EK landing page

[Screenshot: 302 redirect to the Rig EK landing page]
The payload was what I believe to be an Ursnif/Gozi variant. The path in which it copies itself as well as the structure of the C2 URL is consistent with what I have seen from Dreambot and other Ursnif samples.
[Screenshot: payload copying itself to its persistence location]
The replies from the C2 server contained a strange HTTP header called X-Zinkhole. The value was “Infected”, which I most certainly was.
[Screenshot: X-Zinkhole response header]
The most notable action of this malware was that it logged my web browsing and periodically sent the data to a C2. The files were stored in a folder as shown below.
[Screenshot: folder holding the logged browsing data]
I tested this by browsing to a website and entering some details, specifically “HelloUrsnifHowAreYou?”
[Screenshot: webinjects]
Upon viewing one of the files I saw the same string included.
[Screenshot: datastore file containing the test string]
Moments later the folder was cleared and a POST request was made to the C2 which seemed to bundle all files into a .bin file with 4 characters.
[Screenshot: POST of the .bin bundle to the C2]
This was quite an interesting analysis. I also put the sample into Hybrid Analysis, which had totally different C2s. (https://www.hybrid-analysis.com/sample/c7bdd2ce90b35f5796531290ebac12557a68e237924b980e69e8b3265e261445?environmentId=100)
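The two network indicators above (POSTs of a 4-character .bin bundle, and replies carrying X-Zinkhole) are easy to hunt for in proxy logs. The script below is an added example, not part of the original post; it assumes a constructed log line format and uses c2.example as a placeholder host.

```python
import re

# Constructed proxy-log format (assumption, not a real product format):
#   METHOD URL STATUS [resp_hdrs=Name: value|Name: value]
LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: resp_hdrs=(?P<hdrs>.*))?$"
)
# A path element of exactly four alphanumerics followed by .bin, as the
# post describes for the exfiltration bundle.
BIN_UPLOAD_RE = re.compile(r"/[A-Za-z0-9]{4}\.bin(?:\?|$)")
MARKER_HEADER = "x-zinkhole"


def check_line(line):
    """Return {'url', 'reasons'} if the entry matches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m["method"] == "POST" and BIN_UPLOAD_RE.search(m["url"]):
        reasons.append("POST of 4-character .bin bundle")
    # Response headers are '|'-separated in the constructed format.
    for hdr in (m["hdrs"] or "").split("|"):
        name, _, value = hdr.partition(":")
        if name.strip().lower() == MARKER_HEADER:
            reasons.append(f"X-Zinkhole header in reply ({value.strip()})")
    return {"url": m["url"], "reasons": reasons} if reasons else None


def scan(lines):
    """Run check_line over every entry and keep the hits, in log order."""
    return [hit for hit in map(check_line, lines) if hit]


# Constructed sample entries; c2.example is a placeholder, not a real C2.
SAMPLE_LOG = [
    "GET http://example.com/index.html 200 resp_hdrs=Content-Type: text/html",
    "POST http://c2.example/abcd.bin 200 "
    "resp_hdrs=Content-Type: text/html|X-Zinkhole: Infected",
    "POST http://example.com/report.bin 200",
    "GET http://c2.example/s/9f3k.bin 404 resp_hdrs=X-Zinkhole: Infected",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["url"], "->", "; ".join(hit["reasons"]))
```

The header check fires on any request whose reply carries X-Zinkhole, so a C2 that changes its upload path still shows up as long as it keeps the marker header.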
That’s all for now, enjoy!
