Neutrino EK and Rig EK send GootKit – A Brief Comparison
NOTES:
- On July 3rd, 2016 I captured traffic from two different campaigns sending GootKit via the Neutrino Exploit Kit (EK) and the Rig Exploit Kit (EK).
- The Rig EK was using Malvertising as its avenue of delivery, while the Neutrino EK was using the realstatistics.pro redirect gate.
- Traffic for the Rig EK was provided from a tweet by @malekal_morte.
- Changes to the realstatistics gate were noted by malware-traffic-analysis.net on July 1st, 2016.
- For a more detailed analysis of GootKit traffic see my June 29th, 2016 post Neutrino Exploit Kit 78.46.167.130 sends Gootkit
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-07-03-GootKit-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES FOR RIG EK:
- 193.36.35.39 – relaxtube.tk – GET /engine/classes/js/jquery.js – Rig EK REDIRECT
- 193.36.35.39 – waferako.cf – GET /linkx.php – Rig EK REDIRECT
- 46.30.46.128 – ds.pacificbeachcar.com – Rig EK LANDING PAGE
- 77.42.157.2 Port 80 – googlesecurityhtml.com – POST INFECTION TRAFFIC
- 91.219.29.65 Port 80, 443 – abusenetsdd.com – POST INFECTION TRAFFIC
- 93.170.253.84 – dowloadupdate.com – POST INFECTION TRAFFIC
- 198.105.254.228 Port 80 – dendroidssdsdfera.com – POST INFECTION TRAFFIC
- 198.105.254.228 Port 80 – dendsadsddfroidsdfsdera.com – POST INFECTION TRAFFIC
- 198.105.254.228 Port 80 – wwqwqwdendroidsdfera.com – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS AND IP ADDRESSES FOR NEUTRINO EK:
- 5.199.130.155 – realstatistics.pro – GET /js/analytics.php?id=123 – REDIRECT GATE
- 151.80.7.122 – hizhr.ouovxl.xyz – Neutrino EK LANDING PAGE
- 93.115.10.203 Port 80, 443 – sievavower.com – POST INFECTION TRAFFIC
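The two indicator lists above are the kind of thing a defender wants to run against DNS or proxy logs to see which stage of either chain (redirect/gate, landing page, post-infection callback) a client reached. The following is an added example, not code from the original post: it carries the domains and IPs transcribed from both lists and scans a handful of constructed proxy-style log lines (the log format and the client addresses 10.0.0.5 and 10.0.0.7 are assumptions for the demo, not captured traffic). Host names match on the listed domain or any subdomain of it, and a line whose host is unknown still matches on destination IP, since the post-infection servers here were reached on port 80 and 443 by address as well as by name.

```python
"""Scan proxy-style log lines for the Rig EK and Neutrino EK indicators above.

Added example, not part of the original post. The indicator values are the
domains and IPs transcribed from the post; the log lines in SAMPLE_LOG are
constructed for this demo and are not captured traffic.
"""
import re

# (campaign, role) per indicator, transcribed from the two lists in the post.
INDICATORS = {
    "relaxtube.tk": ("Rig EK", "redirect"),
    "waferako.cf": ("Rig EK", "redirect"),
    "ds.pacificbeachcar.com": ("Rig EK", "landing page"),
    "googlesecurityhtml.com": ("Rig EK", "post-infection"),
    "abusenetsdd.com": ("Rig EK", "post-infection"),
    "dowloadupdate.com": ("Rig EK", "post-infection"),
    "dendroidssdsdfera.com": ("Rig EK", "post-infection"),
    "dendsadsddfroidsdfsdera.com": ("Rig EK", "post-infection"),
    "wwqwqwdendroidsdfera.com": ("Rig EK", "post-infection"),
    "realstatistics.pro": ("Neutrino EK", "redirect gate"),
    "hizhr.ouovxl.xyz": ("Neutrino EK", "landing page"),
    "sievavower.com": ("Neutrino EK", "post-infection"),
    "193.36.35.39": ("Rig EK", "redirect"),
    "46.30.46.128": ("Rig EK", "landing page"),
    "77.42.157.2": ("Rig EK", "post-infection"),
    "91.219.29.65": ("Rig EK", "post-infection"),
    "93.170.253.84": ("Rig EK", "post-infection"),
    "198.105.254.228": ("Rig EK", "post-infection"),
    "5.199.130.155": ("Neutrino EK", "redirect gate"),
    "151.80.7.122": ("Neutrino EK", "landing page"),
    "93.115.10.203": ("Neutrino EK", "post-infection"),
}

# Constructed log format (an assumption): "date time src_ip dst_ip host method path".
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<host>\S+) (?P<method>\S+) (?P<path>\S+)$"
)

# Constructed sample log: one Rig chain from 10.0.0.5, one Neutrino chain
# from 10.0.0.7, a benign request, and an IP-only callback with no host.
SAMPLE_LOG = [
    "2016-07-03 12:00:01 10.0.0.5 193.36.35.39 relaxtube.tk GET /engine/classes/js/jquery.js",
    "2016-07-03 12:00:02 10.0.0.5 46.30.46.128 ds.pacificbeachcar.com GET /",
    "2016-07-03 12:00:05 10.0.0.5 93.170.253.84 dowloadupdate.com POST /",
    "2016-07-03 12:01:00 10.0.0.7 5.199.130.155 realstatistics.pro GET /js/analytics.php?id=123",
    "2016-07-03 12:01:02 10.0.0.7 151.80.7.122 hizhr.ouovxl.xyz GET /",
    "2016-07-03 12:01:03 10.0.0.7 93.184.216.34 example.com GET /index.html",
    "2016-07-03 12:01:09 10.0.0.7 93.115.10.203 - POST /",
]


def match_host(host):
    """Return the matching indicator for host or any of its parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None


def scan(lines):
    """Return one hit dict per log line touching a listed domain or IP."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                           # skip malformed lines
        indicator = match_host(m["host"])
        if indicator is None and m["dst"] in INDICATORS:
            indicator = m["dst"]               # fall back to destination IP
        if indicator is None:
            continue
        campaign, role = INDICATORS[indicator]
        hits.append({"line": number, "campaign": campaign, "role": role,
                     "indicator": indicator, "src": m["src"],
                     "request": f'{m["method"]} {m["path"]}'})
    return hits


def chains(hits):
    """Group the roles hit by each (campaign, client) in the order seen."""
    out = {}
    for h in hits:
        out.setdefault((h["campaign"], h["src"]), []).append(h["role"])
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'line {h["line"]}: {h["campaign"]} {h["role"]} via {h["indicator"]} ({h["request"]})')
    for (campaign, client), roles in chains(found).items():
        print(f"{client}: {campaign} stages seen -> {' > '.join(roles)}")
```

Running it prints the six hits and then, per client, the stages reached: the Rig client shows redirect, landing page and post-infection, and the Neutrino client shows redirect gate, landing page and post-infection, the last one matched on IP alone because the proxy recorded no host. Benign traffic to example.com produces nothing.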
DETAILS OF INFECTION CHAIN FOR RIG EK:
Shown above: Malvertising site and redirect gate using same IP address for domain names
Shown above: DNS traffic associated with Malvertising GootKit infection
Shown above: The Wireshark filter “ssl.handshake.certificates” shows the SSL certificate associated with the malvertising GootKit infection. The two infections use different certificates; this one has organizationalUnitName=domain inc.
Shown above: Post infection traffic associated with Malvertising GootKit
DETAILS OF INFECTION CHAIN FOR NEUTRINO EK:
Shown above: Compromised site and redirect gate to Neutrino EK landing which delivered GootKit
Shown above: DNS traffic associated with realstatistics.pro GootKit infection
Shown above: The Wireshark filter “ssl.handshake.certificates” shows the SSL certificate associated with the realstatistics.pro GootKit infection. The two infections use different certificates; this one has organizationalUnitName=My Company Ltd.
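The certificate observations for both chains come down to one field, the subject's organizationalUnitName, which carried the generic strings "domain inc" and "My Company Ltd". Those are the sort of default values that are worth flagging in TLS telemetry. The following is an added example, not code from the original post or from Wireshark: a dependency-free parser for a DER-encoded X.509 subject Name that pulls out the attributes and flags a subject whose OU is one of the two placeholder strings seen here. The sample subjects are constructed with a small DER encoder in the same block (the commonName values are made up for the demo and are not the certificates from the pcap).

```python
"""Extract organizationalUnitName from a DER-encoded X.509 subject.

Added example, not part of the original post. The OU strings checked for
("domain inc", "My Company Ltd") are the two the post reports seeing with
the Wireshark filter ssl.handshake.certificates; the subjects below are
constructed with the tiny encoder here, not taken from the pcap.
"""

# X.500 attribute OIDs (DER content bytes) mapped to their names.
OID_NAMES = {
    b"\x55\x04\x03": "commonName",
    b"\x55\x04\x06": "countryName",
    b"\x55\x04\x0a": "organizationName",
    b"\x55\x04\x0b": "organizationalUnitName",
}

# Generic / default OUs observed across the two infections in the post.
PLACEHOLDER_OUS = {"domain inc", "my company ltd"}


def der_tlv(tag, body):
    """Encode one DER tag-length-value (used only to build sample input)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_subject(attrs):
    """Build a DER Name: SEQUENCE of SET of SEQUENCE { OID, UTF8String }."""
    rdns = b""
    for oid, value in attrs:
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, value.encode()))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_subject(der):
    """Return {attribute_name: [values]} from a DER-encoded Name."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    result = {}
    pos = 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)   # each RDN is a SET
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        ipos = 0
        while ipos < len(rdn):
            _, atv, ipos = read_tlv(rdn, ipos)    # AttributeTypeAndValue
            _, oid, p = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, p)        # PrintableString/UTF8String/IA5String
            name = OID_NAMES.get(oid, "oid:" + oid.hex())
            result.setdefault(name, []).append(value.decode("utf-8", "replace"))
    return result


def has_placeholder_ou(subject):
    """True if any OU in the parsed subject is one of the generic strings."""
    return any(ou.strip().lower() in PLACEHOLDER_OUS
               for ou in subject.get("organizationalUnitName", []))


# Constructed sample subjects mirroring the OUs the post reports (not real certs).
RIG_SUBJECT = build_subject([
    (b"\x55\x04\x03", "rig-sample.invalid"),
    (b"\x55\x04\x0b", "domain inc"),
])
NEUTRINO_SUBJECT = build_subject([
    (b"\x55\x04\x03", "neutrino-sample.invalid"),
    (b"\x55\x04\x0a", "My Company Ltd"),
    (b"\x55\x04\x0b", "My Company Ltd"),
])
BENIGN_SUBJECT = build_subject([
    (b"\x55\x04\x03", "www.example.com"),
    (b"\x55\x04\x0a", "Example Corp"),
])

if __name__ == "__main__":
    for label, der in [("rig", RIG_SUBJECT), ("neutrino", NEUTRINO_SUBJECT),
                       ("benign", BENIGN_SUBJECT)]:
        subj = parse_subject(der)
        print(label, subj, "FLAG" if has_placeholder_ou(subj) else "ok")
```

In practice the subject bytes would come from the Certificate message in the TLS handshake (the same data the Wireshark filter isolates), and the OU check is only a weak signal on its own: it is most useful combined with the domain and IP indicators from the lists above.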
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
- 2016-07-03-Rig-EK.swf – Virus Total Link
- 2016-07-03-pwrgrcpb.dll – C:\Windows\SysWOW64\ – Virus Total Link
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:
- 2016-07-03-Neutrino.swf – Virus Total Link
- 2016-07-03-rad74571.tmp.exe – C:\Users\%UserName%\AppData\Local\Temp\ – Virus Total Link
- 2016-07-03-qocxyv.dll – C:\Windows\SysWOW64\ – Virus Total Link