Through malvertising I came across an “Ngay” website which used an iframe to redirect to Rig EK. The payload was Smoke Loader, which then dropped an XMR miner.
I’ve been using the App.Any.Run sandbox a lot lately. Although I found the Rig EK redirection using traditional methods and the payloads did work in my lab, I put the payload into Any.Run anyway as it portrays the IOCs very well.
I’ve also been playing with Pastebin posts, so check that out, though it is mainly focused on maldoc malware. https://pastebin.com/u/Zerophage
- An article regarding the integration of Flash exploit CVE-2018-4878
- CVE-2018-4878 information: https://nvd.nist.gov/vuln/detail/CVE-2018-4878
(in password-protected zip)
- 22-May-2018-Rig-Smoke-PCAP -> PCAP of the traffic
- 22-May-2018-Rig-Smoke-CSV -> IOCs in CSV
- Pastebin – https://pastebin.com/NMLpGFSk
- 22-May-2018-Smoke-XMR -> Smoke Loader and XMR miner
Smoke Loader – “b37.exe”
sha256 – 393a6fc616adbefad87e8946be9e4cce127749fde58b892e26c7c24b703efae1
sha1 – 89ded1a96fb527828affcec59df70313ea45419e
md5 – 673817bbb2672a7c4cfc1118aae648c0
- Any.Run analysis of the payload -> https://app.any.run/tasks/b7e731ff-bb63-4c35-9d05-9563b0cf3bbc
Details of infection chain:
The chain begins with malvertising, which leads to a fake Kaleidoscope domain. The domain, “ngay23ne.cf”, contains an iframe which leads to Rig EK. This campaign is known simply as “ngay” and, as far as I know, was last seen near the end of January 2018.
Rig EK is its usual self and is still using Flash exploit CVE-2018-4878. Otherwise it appears unchanged.
The payload was Smoke Loader, which immediately loaded an XMR miner.
Below we can see the traffic. Note the Smoke Loader POST request, which is followed by an EXE download. The downloaded EXE then calls out and begins mining on port 4444.
And here are the file modifications. You can see persistence in the Startup folder; the miner is copied into Roaming as “hammerlock.exe”.
Below we can see the XMR miner communication:
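The two traffic behaviours called out above (a POST followed by an EXE download, and the miner's Stratum JSON-RPC login on port 4444) can be checked programmatically once the TCP streams are pulled out of the PCAP. The script below is an added example written for this post; it is not the author's code and is not taken from the PCAP. The flows it inspects are constructed inline (the wallet string and hostnames are placeholders), and the `Flow` container and port-4444 assumption are mine; in practice you would fill the flows from reassembled streams exported by tshark or a similar tool.

```python
"""Triage reassembled TCP flows for two behaviours: an HTTP POST answered with a
PE file, and an XMR-style Stratum (JSON-RPC) miner login. Added example; the
flows below are constructed for illustration, not taken from the post's PCAP."""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed flow record: what a stream-follow export from tshark would give you.
@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_data: bytes   # bytes sent by the infected host
    server_data: bytes   # bytes sent back by the remote side

# JSON-RPC methods used by XMR pool miners (login/submit) and classic Stratum.
STRATUM_METHODS = {"login", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}


def stratum_login(client_data: bytes) -> Optional[dict]:
    """Return method/login/agent if the client payload contains a Stratum message.

    Each Stratum message is one newline-terminated JSON object, so the payload
    is split on newlines and every line that parses as JSON is examined."""
    for line in client_data.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        method = msg.get("method")
        if method not in STRATUM_METHODS:
            continue
        params = msg.get("params")
        if isinstance(params, dict):          # xmrig-style login object
            return {"method": method, "login": params.get("login"),
                    "agent": params.get("agent")}
        if isinstance(params, list):          # classic Stratum positional params
            return {"method": method, "login": params[0] if params else None,
                    "agent": None}
    return None


def exe_download(server_data: bytes) -> bool:
    """True if an HTTP response body starts with the PE 'MZ' signature."""
    head, sep, body = server_data.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return False
    return body[:2] == b"MZ"


def triage(flows: List[Flow]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (finding, remote endpoint, extra) for every suspicious flow."""
    findings = []
    for f in flows:
        if f.client_data.startswith(b"POST ") and exe_download(f.server_data):
            findings.append(("exe_after_post", f.dst, None))
        login = stratum_login(f.client_data)
        if login:
            findings.append(("stratum_login", f"{f.dst}:{f.dport}", login["login"]))
    return findings


# Constructed sample flows (placeholders, not the post's real IOCs).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 80,
         b"POST /gate.php HTTP/1.1\r\nHost: loader.example\r\n"
         b"Content-Length: 4\r\n\r\nabcd",
         b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
         b"MZ\x90\x00\x03\x00\x00\x00"),
    Flow("10.0.0.5", "198.51.100.20", 4444,
         b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":'
         b'"4ExampleWalletConstructedForThisDemo","pass":"x","agent":"XMRig/2.6.0"}}\n',
         b'{"id":1,"jsonrpc":"2.0","result":{"id":"1","status":"OK"}}\n'),
    Flow("10.0.0.5", "198.51.100.30", 80,          # benign control flow
         b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

The port is deliberately not part of the Stratum check: pools answer on many ports, and 4444 here is just the one this sample used, so the JSON-RPC `login` message is the stronger indicator. The check is blind to Stratum over TLS, where only the destination and the JA3/SNI would remain.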