Rig Exploit Kit via Rulan campaign delivers PandaBanker

NOTES:

• Today I captured traffic from the Rig Exploit Kit (EK) which delivered PandaBanker via the Rulan gate.
• Some information about the Rulan campaign by Malwarebytes
• Rulan Campaign delivers miner from malwarebreakdown.com

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2017-09-30-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

• redigroup.ru – GET /hil – Rulan Gate
• 188.225.82.250– Rig EK landing page
• gordinka.xyz – Unresolved DNS query
• kostinka.xyz – Unresolved DNS query
• makabob.xyz – Unresolved DNS query

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of PandaBanker malware

Shown above:  Script associated with Rulan campaign redirecting to the Rig EK landing page

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

• 2017-09-30-Rig-EK.swf – Rig Flash Exploit
  VirusTotal Link
• bilonebilo36.exe – PandaBanker
  VirusTotal Link

Follow on Twitter @broadanalysis