RIG EK via Ngay drops Smokeloader -> XMR Miner

Summary:

Through malvertising I came across an “Ngay” website which used an iframe to redirect to Rig EK. The payload was Smoke Loader, which then dropped an XMR miner.

I’ve been using the App.Any.Run sandbox a lot lately. Although I found the Rig EK redirection using traditional methods and the payloads did work in my lab, I put the payload into Any.Run anyway as it portrays the IOCs very well.

I’ve also been playing with Pastebin posts, so check those out, though they are mainly focused on maldoc malware: https://pastebin.com/u/Zerophage

Background Information:

Downloads

(in password protected zip)

Details of infection chain:

[Infection chain diagram: Ngay.png]

Full Details:

The chain begins with malvertising which leads to a fake Kaleidoscope domain. The domain named “ngay23ne.cf” contains an iframe which leads to Rig EK. This campaign is known simply as “ngay” and was last seen as far as I know near the end of Jan 2018.
Rig EK is its usual self and is still using the Flash exploit CVE-2018-4878. Otherwise it appears to be unchanged.
The payload was Smoke Loader which immediately loaded an XMR miner.
Below we can see the traffic. You can see the Smoke Loader POST request, which is followed by an EXE download. This payload then calls out and begins mining on port 4444.

And here are the file modifications. You can see persistence in Startup; the miner is copied into Roaming as “hammerlock.exe”.
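As an added example (not the author's code or any tool from the post), here is a small triage script for the two behaviours described above: a POST followed shortly by an EXE download and an outbound connection on the miner port 4444 in network logs, and an EXE dropped in Roaming or a Startup entry in file events. The log format, the hosts and the C2/pool placeholders are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not captured traffic). Format: time host proto verb target content-type
SAMPLE_LOG = """\
2018-02-01T10:00:01 10.0.0.5 http POST http://C2-PLACEHOLDER/ text/html
2018-02-01T10:00:04 10.0.0.5 http GET http://C2-PLACEHOLDER/1.exe application/x-msdownload
2018-02-01T10:00:20 10.0.0.5 tcp CONNECT POOL-PLACEHOLDER:4444 -
2018-02-01T10:05:00 10.0.0.7 http GET http://example.com/index.html text/html
2018-02-01T10:05:03 10.0.0.7 http GET http://example.com/setup.exe application/x-msdownload
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
MINER_PORTS = {4444}  # stratum port seen in this post; extend with local observations
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def parse(log):
    """Group events per client host as (timestamp, proto, verb, target, ctype)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proto, verb, target, ctype = m.groups()
            events[host].append((datetime.fromisoformat(ts), proto, verb, target, ctype))
    return events

def chain_stages(evts, window=60):
    """Stages of the chain seen for one host: a POST followed within `window`
    seconds by an EXE download (loader check-in), then a connection to a miner port."""
    stages, post_ts = [], None
    for ts, proto, verb, target, ctype in sorted(evts):
        if proto == "http" and verb == "POST":
            post_ts = ts
        elif proto == "http" and ctype in EXE_TYPES and post_ts and (ts - post_ts).total_seconds() <= window:
            stages.append("post_then_exe")
        elif proto == "tcp" and int(target.rsplit(":", 1)[1]) in MINER_PORTS:
            stages.append("miner_port")
    return stages

def triage(log):
    """Hosts that show at least one stage, with the stages in order."""
    return {h: s for h, e in parse(log).items() if (s := chain_stages(e))}

def file_event_flags(path):
    """File-system behaviours from the post: EXE dropped in Roaming, or a Startup entry."""
    checks = (("exe_in_roaming", ROAMING_EXE), ("startup_persistence", STARTUP_DIR))
    return [name for name, rx in checks if rx.search(path)]
```

The plain EXE download by host 10.0.0.7 without a preceding POST is deliberately not flagged, which keeps ordinary software installs out of the result.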


Below we can see the XMR miner communication:

