Rig Exploit Kit via EITEST delivers malicious payload and TeamViewer Remote Control
NOTES:
- Today I captured traffic from the Rig Exploit Kit (EK) which delivered a malicious payload via the EITEST campaign.
- The malicious payload went on to download more malicious files and TeamViewer remote control software.
- Thanks to @CyberScimitar for sharing information on the compromised site and analyzing the payloads.
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
2016-10-22-Rig-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- www.h2md.net – COMPROMISED SITE
- 192.95.15.211 – gl9q.s57ae8vl3.top – RIG EK LANDING PAGE
- 108.61.74.45 – evoci.xyz POST /a210/gate.php – POST INFECT TRAFFIC
- 91.218.228.52 – tk-avitek.ru GET /tseny-na-pilomaterialy-prays/zazc.exe – SECOND PAYLOAD
- 108.61.74.45 – evoci.xyz GET /direct/fg_24e90bba.mod – POST INFECT TRAFFIC
- 198.105.254.228 – dreamscomtrue.site POST /forum/contact.php – POST INFECT TRAFFIC
- 198.105.254.228 – verawqamscomtrue.com POST /forum/contact.php – POST INFECT TRAFFIC
- 95.163.127.190 – ddreamonline.site POST /forum/contact.php – POST INFECT TRAFFIC
- 95.163.127.190 – ddreamonline.site GET /forum/ajax/d.dat – POST INFECT TRAFFIC
- 95.163.127.190 – ddreamonline.site GET /forum/ajax/e.dat – POST INFECT TRAFFIC
- 95.163.127.190 – ddreamonline.site GET /forum/ajax/f.dat – POST INFECT TRAFFIC
- 95.163.127.190 – ddreamonline.site GET /forum/ajax/out.dat – POST INFECT TRAFFIC
- 95.163.127.190 – ddreamonline.site GET /forum/ajax/w.dat – POST INFECT TRAFFIC
- 95.163.127.190 – ddreamonline.site GET /forum/ajax/g.dat – POST INFECT TRAFFIC
- 95.163.127.190 – ddreamonline.site GET /forum/ajax/h.dat – POST INFECT TRAFFIC
- 37.252.248.78 – TCP Port 5938 – ping3.dyngate.com – TEAMVIEWER COMMUNICATION
- 178.77.120.100 – TCP Port 5938 – master.dyngate.com – TEAMVIEWER COMMUNICATION
- 169.54.137.81 – TCP Port 5938 – TEAMVIEWER COMMUNICATION
- 173.192.194.94 – TCP Port 5938 – TEAMVIEWER COMMUNICATION
DNS QUERIES ASSOCIATED WITH INFECTION:
- europe.pool.ntp[.]org – NO Network Communication
- master2.dyngate.com – NO Network Communication
- 198.105.254.228 – qwerymuss.info
- 198.105.254.228 – dreamscoccmtrue.info
- yvold.xyz – NO Network Communication
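To turn the two lists above into something that can be run over proxy, DNS and connection logs, here is an added example matcher (my code, not part of the original post). It copies the hosts, IPs and post-infection URIs from the lists, treats a visit to the compromised site and a bare URI match as "suspicious" rather than "malicious" (the C2 hosts rotate, and a visit to www.h2md.net only means the injected redirect may have fired), and reports TeamViewer traffic (TCP 5938, dyngate.com) as "verify", because TeamViewer is legitimate software and the page only shows it being dropped by the payload on this host. The log format, timestamps, internal addresses and the non-IOC hosts in the sample are constructed for the example; the IP for www.h2md.net is invented since the page does not give one.

```python
"""Match log lines against the IOCs listed on this page (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators copied from the IOC lists on this page.
MALICIOUS_HOSTS = {
    "gl9q.s57ae8vl3.top": "Rig EK landing page",
    "evoci.xyz": "post-infection traffic",
    "tk-avitek.ru": "second payload download",
    "dreamscomtrue.site": "post-infection traffic",
    "verawqamscomtrue.com": "post-infection traffic",
    "ddreamonline.site": "post-infection traffic",
    "qwerymuss.info": "DNS query seen during infection",
    "dreamscoccmtrue.info": "DNS query seen during infection",
    "yvold.xyz": "DNS query seen during infection",
}
MALICIOUS_IPS = {
    "192.95.15.211": "Rig EK landing page",
    "108.61.74.45": "post-infection traffic",
    "91.218.228.52": "second payload download",
    "198.105.254.228": "post-infection traffic",
    "95.163.127.190": "post-infection traffic",
}
# A visit to the compromised site only means the injected redirect may have fired.
COMPROMISED_SITES = {"www.h2md.net"}
# Post-infection URIs from the list; hosts rotate, so a path alone is weaker evidence.
MALICIOUS_URI_RE = re.compile(
    r"^(/a210/gate\.php|/direct/fg_24e90bba\.mod|/forum/contact\.php"
    r"|/forum/ajax/[a-z]+\.dat|/tseny-na-pilomaterialy-prays/zazc\.exe)$"
)
# TeamViewer is legitimate software: 5938 / dyngate.com is "verify", not "malicious".
TEAMVIEWER_PORT = 5938
DYNGATE_RE = re.compile(r"(^|\.)dyngate\.com$")


@dataclass
class Record:
    ts: str
    src: str
    dst: str
    dport: int
    kind: str   # http, dns or conn
    host: str   # HTTP Host header, DNS query name, or "-"
    uri: str    # HTTP request path, or "-"


def parse(line: str) -> Record:
    # Constructed, hypothetical log format (not from the pcap):
    # ts src_ip dst_ip dst_port kind host uri
    parts = line.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    ts, src, dst, dport, kind, host, uri = parts
    return Record(ts, src, dst, int(dport), kind, host, uri)


def classify(r: Record) -> Optional[Tuple[str, str]]:
    """Return (verdict, reason) or None. Verdicts: malicious, suspicious, verify."""
    if r.host in MALICIOUS_HOSTS:
        return "malicious", f"{r.host}: {MALICIOUS_HOSTS[r.host]}"
    if r.dst in MALICIOUS_IPS:
        return "malicious", f"{r.dst}: {MALICIOUS_IPS[r.dst]}"
    if r.kind == "http" and MALICIOUS_URI_RE.match(r.uri):
        return "suspicious", f"{r.uri} on {r.host} matches a post-infection URI"
    if r.host in COMPROMISED_SITES:
        return "suspicious", f"visit to compromised site {r.host}; look for a Rig EK landing page next"
    if r.dport == TEAMVIEWER_PORT or DYNGATE_RE.search(r.host):
        return "verify", f"TeamViewer traffic from {r.src}; confirm the install is authorised"
    return None


def scan(lines) -> List[Tuple[int, str, str]]:
    """Run classify() over log lines; returns (line_no, verdict, reason) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict = classify(parse(line))
        if verdict:
            hits.append((n, verdict[0], verdict[1]))
    return hits


# Constructed sample log; timestamps, internal hosts and non-IOC hosts are invented.
SAMPLE_LOG = """\
2016-10-22T09:58:01 10.0.0.5 203.0.113.10 80 http www.h2md.net /
2016-10-22T09:58:02 10.0.0.5 192.95.15.211 80 http gl9q.s57ae8vl3.top /
2016-10-22T09:58:20 10.0.0.5 108.61.74.45 80 http evoci.xyz /a210/gate.php
2016-10-22T09:58:25 10.0.0.5 91.218.228.52 80 http tk-avitek.ru /tseny-na-pilomaterialy-prays/zazc.exe
2016-10-22T09:59:00 10.0.0.5 10.0.0.53 53 dns yvold.xyz -
2016-10-22T09:59:10 10.0.0.5 198.51.100.7 80 http unknown-host.example /forum/ajax/d.dat
2016-10-22T10:00:00 10.0.0.5 37.252.248.78 5938 conn ping3.dyngate.com -
2016-10-22T10:00:05 10.0.0.5 93.184.216.34 443 http www.example.com /
"""

if __name__ == "__main__":
    for n, verdict, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {verdict}: {reason}")
```

Hosts are checked before destination IPs so a DNS query for a listed name is caught even though its destination is the resolver; the URI check only runs on HTTP records, so a DNS line with "-" in the path never matches.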
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Network traffic associated with the Rig exploit and the delivery of the malicious payloads
Shown above: Injected script found on index page of compromised site which redirects visitor to the Rig EK landing page to start infection chain
Shown above: Post infection traffic associated with malicious payloads
Shown above: DNS traffic associated with malicious payloads
Shown above: Second malicious file download and TeamViewer communication over port 5938
Shown above: Some of the Snort alerts generated by the Emerging Threats Open ruleset
Shown above: TeamViewer file found on the infected host and its details
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
- 2016-10-22-Rig-EK.swf – Virus Total Link
- 2016-10-22-B53F.tmp – Virus Total Link
- 2016-10-22-zazc.exe – Virus Total Link
- 2016-10-22-msiexec.exe – Virus Total Link