I was hunting for Rig over the weekend in the Asian region (proxy used) and found 4 different payloads. I merged these into one PCAP and began investigating the payloads and with the help of several Twitter members (mentioned down below) I got an ID on most of them. I have resolved the IP’s in the CSV and the main picture but in the PCAP you will see my proxy IP’s.
In all I found the usual Bunitu however the “small” tag was not present in the gate. I found Smoke Loader which did not run, Andromeda which did run and an unknown malware which I suspect is a cryptocurrency miner.
A good haul, enjoy!
- A few articles on Rig exploit kit and it’s evolution:
- Article on Bunitu Trojan:
- In depth look at Smoke Loader:
- Article on Andromeda Bot:
(in password protected zip)
- 06-August-2017-Rig-PCAP-> Pcap (merged and proxy used)
- 06-August-2017-Rig-CSV-> CSV of traffic for IOC’s (resolved IP’s as proxy was used)
- 06-August-2017-Bunitu-SL-Andro-Miner-> Unfortunately I have to use FileDropper as WordPress doesn’t like my password protected zips sometimes…
- Bunitu – 02978385cbeffaae26f0fbca7d84a232c147533dfa813327f77e08f91f3c1185
- Smoke Loader – ed9fa89fbd7b2693c07c755cf1bcb1aaea1c96eb2e8bbf0721cce733bcdb2fbe
- Andromeda – 0133522011020f0d2a3c204c218b0855a4c3fe470b86d27633572309e5aa3bce
- Miner – 87497a8b09f1e602258c6c8e53c342209e2cbc6c5d69b0ab7a6db927a94092f1
Details of infection chain:
(click to enlarge!)
This PCAP contains four Rig EK flows each one dropping a different payload.
The payload is encrypted with RC4 but it is easy to decrypt as long as you know the key which can be found by viewing an unobfuscated version of the landing page. Here we can see it is “wexykukusw“:
The current Rig EK landing params are:
Let’s start at the top with Bunitu Proxy trojan. Mostly the same, using decoy casino themed websites and an iframe to another domain hosted on the same IP address. Notable this campaign AKA as Fobos had always had the <small> HTTP tag but in this sample it is not present.
Below is the sample I put into VT:
||46 / 64
This was the usual Bunitu which allows your host to become a proxy server. A DLL is dropped which runs on startup. I didn’t include this DLL but it’s what you would be looking for if you suspect a host has been compromised. Every time someone connects there is a DNS request (184.108.40.206):
Next up is Smoke Loader. Now I had some issues here with my Wireshark as it did not seem to capture the traffic except for the download. To make things worse my lab would not run the malware and neither would HA (ran but not properly).
I know though that this was from a TDS probably Keitaro as I have been seeing this more and more lately and have seen it in the past.
I took to Twitter to ask what the sample was and got a reply from
At the time the sample only had 5 detections but now there are a few more.
||27 / 64
Next we have Andromeda again through Keitaro TDS which led to a decoy website and then a 302 to Rig EK. I sought the aid of to identify this one.
The payload was a 25kb file and appeared to be old as the hash was seen 8 months ago. The malware injects itself into MSIEXEC and then performed several POST requests which are likely patches or modules. It remained persistent through reboots.
||49 / 64
The payload copied itself in a “directx” folder in Microsoft roaming and added itself to startup. The command it ran did not appear to do anything however when I browsed to the IP in the command the server returned with a message saying “mining server online”.
There was no CNC or traffic observed on this port. It would need some dynamic analysis I think so I have passed it onto the as I have heard they are interested in miners.
||17 / 64
That’s it for this post!