Rig Exploit Kit via EITEST delivers GootKit Banking Malware

August 15, 2016 Analysis

NOTES:

Today I captured traffic from the Rig Exploit Kit (EK) which delivered GootKit banking malware via the EITEST campaign.
It appears the EITEST campaign has switched from the Neutrino EK to the Rig EK.
I last saw GootKit on July 5th, 2016 when it was delivered via the Neutrino Exploit Kit and the Rig Exploit Kit [HERE].
Thanks to Brad at Malware-Traffic-Analysis.net for helping me identify the exploit kit.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-08-15-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

85.93.0.12 – rydogu.top – EITEST GATE
185.158.152.118 – free.giftofhair.org – RIG EK LANDING PAGE
5.157.38.50 – Port 80/443 mootwould.com – POST INFECTION TRAFFIC
5.157.38.50 – Port 80/443 gh0styns.com – POST INFECTION TRAFFIC
5.157.38.50 – Port 80/443 myfurer.org – POST INFECTION TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and GootKit infection

Shown above: Injected script found on index page of compromised site which redirects visitor to the EITEST gate to start infection chain – Web page source code can be found by right clicking on web page and selecting “View source”