Rig Exploit Kit via EITEST delivers Smokebot and Dreambot
- On August 25th, 2016 I captured traffic from the Rig Exploit Kit (EK) via the EITEST campaign which delivered a malicious file [Payload] which failed to execute.
- I uploaded the payload to Hybrid-Analysis.com which returned minimal results.
- @CyberScimitar ran an analysis on the payload. His findings are provided below.
- The downloadable zip file contains the 3 pcap files associated with the infection chain.
- Reference: Proofpoint – Nightmare on Tor Street: New Ursnif Variant Dreambot Adds Tor Functionality
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES ORIGINAL INFECTION:
- 18.104.22.168 – cutil.xyz – EITEST GATE
- 22.214.171.124 – nxiymnj8ap.top – Rig EK LANDING PAGE
IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:
Shown above: Injected script found on index page of compromised site which redirects visitor to the EITEST gate to start infection chain – Web page source code can be found by right clicking on web page and selecting “View source”
DOMAINS AND IP ADDRESSES ASSOCIATED WITH @CyberScimitar ANALYSIS:
- 126.96.36.199 – www.msn.com GET / – Smokebot Connection Check
- 188.8.131.52 – www.microsoft.com GET / – Smokebot Connection Check
- 184.108.40.206 – www.adobe.com POST / – Smokebot Connection Check
- 220.127.116.11 – loremipsumdolorsitamet.pw POST / – Smokebot C&C
- 18.104.22.168 – java.com POST / – Smokebot Connection Check
- 22.214.171.124 – GET /banner/1200.exe – Dreambot Download
- 126.96.36.199 – korats.com GET /Sunkats/images/tr_w.so – Dreambot Post Infection Traffic
- 188.8.131.52 – curlmyip.net – Dreambot IP Address Check
- 184.108.40.206 – updates.merqurio.it GET /iphone/Pdr94.so – Dreambot Post Infection Download
- 220.127.116.11 – particolardesign.it GET /wp-includes/ID3/ts/904855tos.so – Dreambot Post Infection Traffic
- 18.104.22.168 – www.particolardesign.it GET /wp-includes/ID3/ts/904855tos.so – Dreambot Post Infection Traffic
IMAGES AND DETAILS OF POST INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
- The above information is to provide Indicators of Compromise (IOC). Hope this helps.
- Again thanks to @CyberScimitar for his post infection analysis.