Rig EK drops Ursnif/ISFB variant


Today Rig EK dropped what looked like an information stealer. Based on the URL structure, the location to which it copied itself and the way it maintains persistence, I believe this to be an Ursnif/ISFB variant.

I browsed to a website and watched the malware copy my browsing traffic into a folder and then periodically POST it to a C2 server, bundled into a .bin file. The replies also contained an unusual header which indicated I was “infected”.

Background Information:

  • A few articles on Rig exploit kit and its evolution:



(in password-protected zip)


Details of infection chain:



Full Details:

The infection chain originated from malvertising. A 302 redirect sends the user to the Rig EK landing page.

The payload was what I believe to be an Ursnif/Gozi variant. The path to which it copies itself, as well as the structure of the C2 URL, is consistent with what I have seen from Dreambot and other Ursnif samples.
The replies from the C2 server contained a strange HTTP header called X-Zinkhole. The value was “Infected”, which I most certainly was.
The most notable action of this malware was that it logged my web browsing and periodically sent the data to a C2. The files were stored in a folder as shown below.
I tested this by browsing to a website and entering some details, specifically “HelloUrsnifHowAreYou?”
Upon viewing one of the files I saw the same string included.
Moments later the folder was cleared and a POST request was made to the C2, which seemed to bundle all the files into a .bin file with a four-character name.
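The two network observables above (a C2 reply carrying an X-Zinkhole header, and a POST of a four-character .bin bundle) are simple enough to triage from HTTP logs. The following is an added example, not code from the original post: it runs a small triage over constructed HTTP transaction records. The hostnames, paths and the surrounding header values are placeholders I made up for illustration; only the X-Zinkhole header and the four-character .bin pattern come from the observations above.

```python
"""Triage HTTP transactions for the Ursnif/ISFB network behaviour described above.

Added example, not code from the original post. SAMPLE_TXS below is constructed
sample data, not captured traffic; hosts and paths are placeholders.
"""
import re
from dataclasses import dataclass, field

@dataclass
class HttpTx:
    """One HTTP request/response pair as a log pipeline might emit it."""
    method: str
    host: str
    path: str
    response_headers: dict = field(default_factory=dict)

# Post observation: exfil bundles were POSTed as a .bin file with a 4-character name.
BIN_POST_RE = re.compile(r"/[A-Za-z0-9]{4}\.bin$")

def triage(tx: HttpTx) -> list:
    """Return the list of reasons this transaction looks like the observed C2 traffic."""
    reasons = []
    # Header names are case-insensitive (RFC 7230), so normalise before matching.
    headers = {name.lower(): value for name, value in tx.response_headers.items()}
    if "x-zinkhole" in headers:
        reasons.append(f"C2 reply header X-Zinkhole: {headers['x-zinkhole']}")
    if tx.method.upper() == "POST" and BIN_POST_RE.search(tx.path):
        reasons.append("POST of four-character .bin bundle (browsing-log exfil)")
    return reasons

def find_suspicious(txs) -> list:
    """Return (host+path, reasons) for every transaction that triggers at least one reason."""
    hits = []
    for tx in txs:
        reasons = triage(tx)
        if reasons:
            hits.append((tx.host + tx.path, reasons))
    return hits

# Constructed sample transactions (hypothetical hosts/paths, not from the post).
SAMPLE_TXS = [
    HttpTx("GET", "www.example.com", "/index.html",
           {"Server": "nginx", "Content-Type": "text/html"}),
    HttpTx("POST", "c2.example.invalid", "/images/abcd.bin",
           {"Server": "nginx", "X-Zinkhole": "Infected"}),
    HttpTx("GET", "c2.example.invalid", "/images/efgh.bin",
           {"Content-Type": "application/octet-stream"}),
    HttpTx("POST", "upload.example.com", "/upload/report-2017.bin",
           {"Server": "Apache"}),
]

if __name__ == "__main__":
    for url, reasons in find_suspicious(SAMPLE_TXS):
        print(url)
        for reason in reasons:
            print("  -", reason)
```

The header check is the stronger of the two signals: a bare POST of a short .bin name will also match legitimate traffic, so treat that rule as a lead to pivot on (look for the repeated, periodic POSTs to the same host) rather than as an alert on its own.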
This was quite an interesting analysis. I also put the sample into Hybrid Analysis, which showed totally different C2s. (https://www.hybrid-analysis.com/sample/c7bdd2ce90b35f5796531290ebac12557a68e237924b980e69e8b3265e261445?environmentId=100)
That’s all for now, enjoy!


