Neutrino EK and Rig EK send GootKit – A Brief Comparison

NOTES:

• On July 3rd, 2016 I captured traffic from two different campaigns sending GootKit via the Neutrino Exploit Kit (EK) and the Rig Exploit Kit (EK).
• The Rig EK was using Malvertising as its avenue of delivery, while the Neutrino EK was using the realstatistics.pro redirect gate.
• Traffic for the Rig EK was provided from a tweet by @malekal_morte.
• Changes to the realstatistics gate were noted by malware-traffic-analysis.net on July 1st, 2016
• For a more detailed analysis of GootKit traffic see my June 29th, 2016 post Neutrino Exploit Kit 78.46.167.130 sends Gootkit

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-03-GootKit-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES FOR RIG EK:

• 193.36.35.39 – relaxtube.tk – GET /engine/classes/js/jquery.js – Rig EK REDIRECT
• 193.36.35.39 – waferako.cf – GET /linkx.php – Rig EK REDIRECT
• 46.30.46.128 – ds.pacificbeachcar.com – Rig EK LANDING PAGE
• 77.42.157.2 Port 80- googlesecurityhtml.com – POST INFECTION TRAFFIC
• 91.219.29.65 Port 80, 443 – abusenetsdd.com – POST INFECTION TRAFFIC
• 93.170.253.84 – dowloadupdate.com – POST INFECTION TRAFFIC
• 198.105.254.228 Port 80  – dendroidssdsdfera.com – POST INFECTION TRAFFIC
• 198.105.254.228 Port 80 – dendsadsddfroidsdfsdera.com – POST INFECTION TRAFFIC
• 198.105.254.228 Port 80 – wwqwqwdendroidsdfera.com – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS AND IP ADDRESSES FOR NEUTRINO EK:

• 5.199.130.155 – realstatistics.pro GET /js/analytics.php?id=123 – Redirect GATE
• 151.80.7.122 – hizhr.ouovxl.xyz – Neutrino EK LANDING PAGE
• 93.115.10.203 Port 80, 443 – sievavower.com – POST INFECTION TRAFFIC

DETAILS OF INFECTION CHAIN FOR RIG EK:

Shown above: Malvertising site and redirect gate using same IP address for domain names

Shown above: DNS traffic associated with Malvertising GootKit infection

Shown above: Using Wireshark filter “ssl.handshake.certificates” shows SSL certificate associated with the malvertising GootKit infection. (Using different Certificates) – organizationalUnitName=domain inc

Shown above: Post infection traffic associated with Malvertising GootKit

DETAILS OF INFECTION CHAIN FOR NEUTRINO EK:

Shown above: Compromised site and redirect gate to Neutrino EK landing which delivered GootKit

Shown above: DNS traffic associated with realstatistics.pro GootKit infection

Shown above: Using Wireshark filter “ssl.handshake.certificates” shows SSL certificate associated with the realstatistics.pro GootKit infection. (Using different Certificates) – organizationalUnitName=My Company Ltd

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

• 2016-07-03-Rig-EK.swf
  Virus Total Link
• 2016-07-03-pwrgrcpb.dll
  C:\Windows\SysWOW64\
  Virus Total Link

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:

• 2016-07-03-Neutrino.swf
  Virus Total Link
• 2016-07-03-rad74571.tmp.exe
  C:\Users\%UserName%\AppData\Local\Temp\
  Virus Total Link
• 2016-07-03-qocxyv.dll
  C:\Windows\SysWOW64\
  Virus Total Link