Rig Exploit Kit via EITest delivers Hancitor aka Chanitor loader
NOTES:
- Today I captured traffic from the Rig Exploit Kit (EK), which delivered the Hancitor aka Chanitor loader via the EITest campaign.
- Hancitor aka Chanitor is a loader commonly used to download other malware such as Pony and Vawtrak.
- Thanks to @CyberScimitar for finding and sharing the compromised site, along with further analyzing the malicious payload.
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-10-05-Rig-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- www.terminustees.com – COMPROMISED SITE
- 185.117.72.142 – g8l4a.yanvnep.top – RIG EK LANDING PAGE
- 54.197.251.22 – api.ipify.org – IP ADDRESS CHECK
- 198.105.254.228 – morowtyateld.ru POST /ls6/gate.php – NO COMMUNICATION
- 91.217.90.134 – gotevengsorol.ru POST /ls6/gate.php – HANCITOR C&C
- 92.243.94.176 – donhenmuchit.com – DNS QUERY – NO COMMUNICATION
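The indicators above are only useful if they get turned into a check. The following is an added example, not part of the original post or of the pcap: it matches the hosts, IPs and the Hancitor check-in URI (POST /ls6/gate.php) listed above against constructed proxy-style log lines. The log format, the client and compromised-site IPs, and the landing-page URI are assumptions chosen for the example; the page does not show the real Rig landing URI, and api.ipify.org is kept as informational only because legitimate software also uses it.

```python
"""Added example (not from the original post): match the IOCs listed above
against constructed HTTP proxy log lines.

Assumed log format (simplified, one request per line):
    <ts> <client_ip> <method> <host> <uri> <dst_ip>
"""
import re

# Hosts and IPs from the post's ASSOCIATED DOMAINS AND IP ADDRESSES list.
IOC_HOSTS = {
    "www.terminustees.com": "EITest compromised site",
    "g8l4a.yanvnep.top": "Rig EK landing page",
    "morowtyateld.ru": "Hancitor gate (no communication seen in capture)",
    "gotevengsorol.ru": "Hancitor C&C",
    "donhenmuchit.com": "Hancitor DNS query only",
}
IOC_IPS = {
    "185.117.72.142": "Rig EK landing page",
    "198.105.254.228": "morowtyateld.ru",
    "91.217.90.134": "gotevengsorol.ru",
    "92.243.94.176": "donhenmuchit.com",
}
# api.ipify.org is a legitimate service; benign software uses it too, so it is
# context for an analyst, never a conviction on its own.
INFO_HOSTS = {"api.ipify.org": "external IP address check"}
# Hancitor check-in URI observed in the capture.
GATE_URI = re.compile(r"^/ls6/gate\.php$")

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return a hit dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, uri, dst = m.groups()
    host = host.lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append(f"host {host}: {IOC_HOSTS[host]}")
    if dst in IOC_IPS:
        reasons.append(f"dst {dst}: {IOC_IPS[dst]}")
    if method == "POST" and GATE_URI.match(uri):
        reasons.append("Hancitor gate URI pattern")
    if reasons:
        return {"ts": ts, "client": client, "severity": "high", "reasons": reasons}
    if host in INFO_HOSTS:
        return {"ts": ts, "client": client, "severity": "info",
                "reasons": [INFO_HOSTS[host]]}
    return None


def scan(lines):
    """Classify every line; keep only the ones that matched something."""
    return [h for h in (classify(l) for l in lines) if h]


def summarize(hits):
    """Count high-severity hits per client; a client with several is a likely infection chain."""
    counts = {}
    for h in hits:
        if h["severity"] == "high":
            counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


# Constructed sample lines (not from the pcap). 10.0.0.25 walks the chain
# described in the post; 10.0.0.40 is benign noise. 203.0.113.10 is a
# placeholder for the compromised site's address, which the post does not list,
# and "/landing" stands in for the real Rig landing URI, which is not shown.
SAMPLE_LOG = """\
2016-10-05T14:02:11Z 10.0.0.25 GET www.terminustees.com / 203.0.113.10
2016-10-05T14:02:13Z 10.0.0.25 GET g8l4a.yanvnep.top /landing 185.117.72.142
2016-10-05T14:02:20Z 10.0.0.25 GET api.ipify.org / 54.197.251.22
2016-10-05T14:02:21Z 10.0.0.25 POST gotevengsorol.ru /ls6/gate.php 91.217.90.134
2016-10-05T14:03:00Z 10.0.0.40 GET www.example.com /index.html 203.0.113.20
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], h["severity"], "; ".join(h["reasons"]))
    print("high-severity hits per client:", summarize(found))
```

The gate URI check deliberately matches on the path alone rather than on the two .ru hostnames, since Hancitor operators rotate domains far more often than the gate path; in a real deployment the domain and IP lists should be loaded from a feed rather than hard-coded.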
IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:
Image: Network traffic associated with the Rig exploit and the delivery of the Hancitor loader
Image: Obfuscated injected script found on the index page of the compromised site associated with the EITest campaign, which redirects visitors to the Rig EK landing page
Image: DNS network traffic associated with the Hancitor loader infection
Image: Hancitor loader network communication with the command and control (C&C) host
Image: Hancitor disguises itself as Malwarebytes Anti-Malware in Windows start-up
Image: File details for the Hancitor loader
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
- 2016-10-05-Rig-EK.swf
Virus Total Link
- 2016-10-05-WinHost32.exe
Virus Total Link