Rig Exploit Kit via EITEST delivers Hancitor aka Chanitor loader

NOTES:

• Today I captured traffic from the Rig Exploit Kit (EK) which delivered the Hancitor aka Chanitor loader via the EITEST campaign.
• Hancitor aka Chanitor is a loader commonly used to download other malware such as pony and vawtrak.
• Thanks to @CyberScimitar for finding and sharing compromised site, along with further analyzing malicious payload.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-10-05-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

• www.terminustees.com – COMPROMISED SITE
• 185.117.72.142 – g8l4a.yanvnep.top – RIG EK LANDING PAGE
• 54.197.251.22 – api.ipify.org – IP ADDRESS CHECK
• 198.105.254.228 – morowtyateld.ru POST /ls6/gate.php – NO COMMUNICATION
• 91.217.90.134 – gotevengsorol.ru POST /ls6/gate.php – HANCITOR C&C
• 92.243.94.176 – donhenmuchit.com – DNS QUERY – NO COMMUNICATION

IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:

Shown above: Network traffic  associated with the Rig exploit and the delivery of Hancitor loader

Shown above: Obfuscated injected script found on index page of compromised site associated with the EiTest campaign which redirects visitors to the Rig EK landing page

Shown above: DNS network traffic associated with the Hancitor loader infection

Shown above: Hancitor loader network communication with the command and control (C&C) host

Shown above: Hancitor disguises itself as Malwarebytes Anti-Malware in Windows start-up

Shown above: File details for Hancitor loader

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

• 2016-10-05-Rig-EK.swf
  Virus Total Link
• 2016-10-05-WinHost32.exe
  Virus Total Link