RIG EK via Ngay drops Smokeloader -> XMR Miner


Through malvertising I came across an “Ngay” website which used an iframe to redirect to Rig EK. The payload was Smoke Loader, which then dropped an XMR miner.

I’ve been using the App.Any.Run sandbox a lot lately. Although I found the Rig EK redirection using traditional methods and the payloads did work in my lab, I put the payload into Any.Run anyway as it portrays the IOCs very well.

I’ve also been playing with pastebin posts, so check that out, though it is mainly focused on maldoc malware. https://pastebin.com/u/Zerophage

Background Information:


(in password-protected zip)

Details of infection chain:



Full Details:

The chain begins with malvertising that leads to a fake Kaleidoscope domain. The domain, “ngay23ne.cf”, contains an iframe which leads to Rig EK. This campaign is known simply as “ngay” and, as far as I know, was last seen near the end of January 2018.
Rig EK is its usual self and is still using the Flash exploit CVE-2018-4878. Otherwise it appears unchanged.
The payload was Smoke Loader, which immediately loaded an XMR miner.
Below we can see the traffic. You can see the Smoke Loader POST request, which is followed by an EXE download. The downloaded payload then calls out and begins mining on port 4444.
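The sequence described above (loader POST, EXE download, outbound connection to port 4444) is a useful thing to hunt for across proxy and flow logs, not just in one pcap. The script below is an added example, not code from the original post: it correlates per-host events into that chain. The log layout, host names, IPs and timestamps are constructed for illustration, and the use of an `MZ` response-body prefix to recognise the EXE download is an assumption about what the proxy captured (a `Content-Type: application/x-msdownload` check would do the same job where bodies are not logged).

```python
"""Correlate proxy/flow records into the Smoke Loader -> XMR miner chain:
POST check-in, then an EXE download, then a plain TCP flow to a mining port.
Added example; sample data below is constructed, not taken from the write-up."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    src: str                  # internal host
    dst: str                  # remote host or IP
    dport: int
    method: str = ""          # HTTP method; "" for a non-HTTP TCP flow
    body_magic: bytes = b""   # first bytes of the HTTP response body, if logged


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events (hosts, IPs and times are made up).
SAMPLE_EVENTS = [
    # 10.0.0.23: loader check-in, EXE delivered, then mining on 4444
    Event(T("2018-02-19T10:01:05"), "10.0.0.23", "c2.example", 80, "POST", b"\x00\x00"),
    Event(T("2018-02-19T10:01:09"), "10.0.0.23", "c2.example", 80, "GET", b"MZ\x90\x00"),
    Event(T("2018-02-19T10:02:30"), "10.0.0.23", "pool.example", 4444),
    # 10.0.0.40: ordinary browsing, a POST with no EXE afterwards
    Event(T("2018-02-19T10:05:00"), "10.0.0.40", "www.example", 443, "POST", b"{}"),
    Event(T("2018-02-19T10:05:02"), "10.0.0.40", "www.example", 443, "GET", b"<htm"),
    # 10.0.0.51: legitimate EXE download (updater) with no POST before it and no 4444 traffic
    Event(T("2018-02-19T10:07:00"), "10.0.0.51", "dl.example", 443, "GET", b"MZ\x90\x00"),
]

# 4444 is the port seen in this write-up; treating it as a mining port is the only
# knowledge this example needs. Extend the set for your own environment.
MINER_PORTS = {4444}
WINDOW = timedelta(minutes=15)   # assumption: the whole chain completes quickly


def find_chains(events, window=WINDOW, miner_ports=MINER_PORTS):
    """Return one dict per host whose events contain, in order and within `window`:
    an HTTP POST, an HTTP response starting with 'MZ', and a non-HTTP flow to a mining port."""
    by_src = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_src.setdefault(e.src, []).append(e)

    chains = []
    for src, evs in by_src.items():
        for i, post in enumerate(evs):
            if post.method != "POST":
                continue
            later = [x for x in evs[i + 1:] if x.ts - post.ts <= window]
            exe = next((x for x in later if x.method and x.body_magic.startswith(b"MZ")), None)
            if exe is None:
                continue
            miner = next((x for x in later
                          if x.ts > exe.ts and not x.method and x.dport in miner_ports), None)
            if miner is None:
                continue
            chains.append({
                "src": src,
                "c2": post.dst,
                "exe_from": exe.dst,
                "pool": miner.dst,
                "pool_port": miner.dport,
                "first_seen": post.ts.isoformat(),
            })
            break   # one hit per host is enough for triage
    return chains


if __name__ == "__main__":
    for c in find_chains(SAMPLE_EVENTS):
        print(f"{c['src']}: POST to {c['c2']}, EXE from {c['exe_from']}, "
              f"mining to {c['pool']}:{c['pool_port']} (from {c['first_seen']})")
```

Only the host that shows all three stages is reported: a POST on its own, or an EXE download without the check-in and the follow-on mining connection, does not fire, which keeps the ordinary-browsing and software-update hosts out of the result.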



And here are the file modifications. You can see persistence via the Startup folder. The miner is copied into Roaming as “hammerlock.exe”.


Below we can see the XMR miner communication:



