Compromised site redirects to Rig Exploit Kit delivering KRONOS malware
- Today I captured traffic from the Rig Exploit Kit (EK) delivering Kronos banking malware. The redirect to the EK came from an injected script on a compromised site associated with the EITest campaign.
- Kronos is known for “common credential-stealing techniques such as form grabbing and HTML injection compatible with the major browsers (Internet Explorer, Firefox and Chrome)”, as reported by securityintelligence.com in its blog post “The Father of Zeus: Kronos Malware Discovered”.
- Thanks to Baber for sharing information on the compromised site.
I have added a zipped pcap file for your analysis. The password for the zip is “infected” (all lowercase).
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- computerrepairservice.net – COMPROMISED SITE
- 126.96.36.199 – v1l3.twegfc5i.top – RIG EK LANDING PAGE
- 188.8.131.52 – m3ynameins3344.net POST /ZRNlFwIb/connect.php – KRONOS POST INFECTION TRAFFIC
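As an added example (not part of the original post and not taken from the pcap), the Python script below turns the indicators above into a detection pass over web proxy log lines: it flags any request to the listed hosts or to the Kronos connect.php path, and then reports which clients walked the whole chain (compromised site, then Rig EK landing page, then Kronos check-in) in order. The log format and the log lines are constructed for the example, and the query string on the landing-page URL is a placeholder, not a real Rig EK parameter.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators copied from the post's "ASSOCIATED DOMAINS AND IP ADDRESSES" list,
# keyed by host (domain or IP) and mapped to the stage of the infection chain.
HOST_IOCS = {
    "computerrepairservice.net": "COMPROMISED SITE",
    "v1l3.twegfc5i.top": "RIG EK LANDING PAGE",
    "126.96.36.199": "RIG EK LANDING PAGE",
    "m3ynameins3344.net": "KRONOS POST INFECTION TRAFFIC",
    "188.8.131.52": "KRONOS POST INFECTION TRAFFIC",
}
# The Kronos check-in seen in the capture was a POST to this path.
KRONOS_C2_PATH = "/ZRNlFwIb/connect.php"

# Order of the stages as the post describes the chain.
STAGE_ORDER = ["COMPROMISED SITE", "RIG EK LANDING PAGE", "KRONOS POST INFECTION TRAFFIC"]

# Constructed proxy log (not from the pcap): "<timestamp> <client> <method> <url> <status>".
# The "?id=CONSTRUCTED" query string is a placeholder, not a real landing-page parameter.
SAMPLE_LOG = """\
2017-03-10T14:02:01 10.0.0.5 GET http://computerrepairservice.net/ 200
2017-03-10T14:02:03 10.0.0.5 GET http://v1l3.twegfc5i.top/index.php?id=CONSTRUCTED 200
2017-03-10T14:02:09 10.0.0.5 POST http://m3ynameins3344.net/ZRNlFwIb/connect.php 200
2017-03-10T14:03:10 10.0.0.7 GET http://example.com/index.html 200
2017-03-10T14:03:12 10.0.0.7 GET http://computerrepairservice.net/ 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""  # hostname is lower-cased and has any :port removed
    rec["path"] = parts.path
    return rec


def classify(rec):
    """Map a parsed request to an infection-chain stage, or None if it matches no indicator."""
    stage = HOST_IOCS.get(rec["host"])
    # The C2 path is a useful indicator on its own in case the host is rotated.
    if stage is None and rec["method"] == "POST" and rec["path"] == KRONOS_C2_PATH:
        stage = "KRONOS POST INFECTION TRAFFIC"
    return stage


def scan_log(text):
    """Return every request that hits an indicator, in log order; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage is not None:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "host": rec["host"], "url": rec["url"], "stage": stage})
    return hits


def client_stages(hits):
    """Per client, the distinct stages in the order they were first seen."""
    seen = defaultdict(list)
    for h in hits:
        if h["stage"] not in seen[h["client"]]:
            seen[h["client"]].append(h["stage"])
    return dict(seen)


def clients_with_full_chain(hits):
    """Clients that reached all three stages in the post's order: the likely infected hosts."""
    return sorted(c for c, stages in client_stages(hits).items() if stages == STAGE_ORDER)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["client"]} {h["host"]} -> {h["stage"]}')
    print("full chain observed for:", clients_with_full_chain(hits))
```

A single hit on the compromised site only tells you a client visited a legitimate-looking page, so the per-client ordering is what separates "browsed a hacked site" from "reached the EK and checked in", and it is the clients in the last group that warrant pulling the host for analysis.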
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: the injected script found on the index page of the compromised site, associated with the EITest campaign, which redirects visitors to the Rig EK landing page. The page source can be viewed by right-clicking the web page and selecting “View source”.
MALICIOUS PAYLOAD ASSOCIATED WITH KRONOS INFECTION: