Today Rig EK dropped what looked like an information stealer. Based on the URL structure and the location in which it was copied and maintains persistence, I believe this to be a Ursnif/ISFB variant.
I browsed to a website and watched it copy my browsing traffic into a folder and then periodically POST it to a C2 server bundled into a .bin file. The replies also contained an unusual header which indicated I was “infected”.
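The behaviour described above (traffic staged locally, then POSTed to the C2 as a .bin bundle on a fixed interval) is the kind of pattern a proxy log can surface. The following is an added example, not code from the original post: a small detector that flags a client sending regularly spaced .bin POSTs to one host. The log format, the host names and the timings are constructed for illustration.

```python
"""Flag periodic .bin POSTs from one client to one host in a constructed proxy log sample."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp client method url status bytes_out
SAMPLE_LOG = """\
2017-10-17T10:00:05 10.0.0.5 GET http://example-news.invalid/index.html 200 0
2017-10-17T10:01:00 10.0.0.5 POST http://c2.invalid/images/a7f3.bin 200 4096
2017-10-17T10:02:10 10.0.0.5 GET http://example-news.invalid/style.css 200 0
2017-10-17T10:06:00 10.0.0.5 POST http://c2.invalid/images/c91e.bin 200 5120
2017-10-17T10:11:00 10.0.0.5 POST http://c2.invalid/images/0b2d.bin 200 4608
2017-10-17T10:16:01 10.0.0.5 POST http://c2.invalid/images/77aa.bin 200 4992
2017-10-17T10:30:00 10.0.0.5 POST http://upload.invalid/form 200 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
HOST_RE = re.compile(r"^https?://([^/]+)")


def parse_log(text):
    """Yield (timestamp, client, method, url, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, _status, nbytes = m.groups()
        yield datetime.fromisoformat(ts), client, method, url, int(nbytes)


def find_bin_beacons(text, min_posts=3, max_jitter=0.2):
    """Return {(client, host): [gap_seconds, ...]} for hosts receiving regular .bin POSTs.

    "Regular" means at least min_posts POSTs whose inter-arrival times have a
    population standard deviation no larger than max_jitter * mean gap.
    """
    posts = defaultdict(list)
    for ts, client, method, url, _ in parse_log(text):
        if method == "POST" and url.lower().endswith(".bin"):
            host = HOST_RE.match(url).group(1)
            posts[(client, host)].append(ts)
    hits = {}
    for key, times in posts.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            hits[key] = gaps
    return hits
```

Tune min_posts and max_jitter to the environment; a single upload of a .bin file is not suspicious on its own, the regular cadence to one host is what this check keys on.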
- A few articles on Rig exploit kit and its evolution:
(in password-protected zip)
- 17-October-2017-Rig-Ursnif-PCAP -> PCAP of traffic (note: this pcap is a bit bare)
- 17-October-2017-Rig-Ursnif-CSV -> CSV of traffic for IOCs
- 17-October-2017-Ursnif -> Ursnif variant –
Details of infection chain:
The infection chain originated from malvertising. A 302 redirect sends the user to the Rig EK landing page