Rig Exploit Kit via Rulan campaign delivers PandaBanker
NOTES:
- Today I captured traffic from the Rig Exploit Kit (EK) which delivered PandaBanker via the Rulan gate.
- Some information about the Rulan campaign by Malwarebytes
- Rulan Campaign delivers miner from malwarebreakdown.com
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
2017-09-30-Rig-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- redigroup.ru – GET /hil – Rulan Gate
- 188.225.82.250 – Rig EK landing page
- gordinka.xyz – Unresolved DNS query
- kostinka.xyz – Unresolved DNS query
- makabob.xyz – Unresolved DNS query
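The indicators above describe a three-stage sequence: a GET /hil to the Rulan gate, a request to the Rig EK landing page IP, and then DNS lookups for three .xyz names that never resolved. The following is an added detection example (not part of the original post, and not a tool from broadanalysis) that reads simplified HTTP and DNS log records, matches them against exactly the indicators listed above, and reports which source hosts show the full gate-to-landing sequence. The log format and the sample lines are constructed for the example; the landing page URI is a placeholder since the post does not reproduce it.

```python
"""Match the Rulan/Rig indicators from this post against HTTP and DNS log lines."""
from collections import defaultdict

# Indicators copied from the post above.
RULAN_GATE = ("redigroup.ru", "/hil")                            # Rulan gate: GET /hil
RIG_LANDING_IP = "188.225.82.250"                                # Rig EK landing page
UNRESOLVED_DNS = {"gordinka.xyz", "kostinka.xyz", "makabob.xyz"}  # unresolved post-infection queries

# Constructed sample log (assumed whitespace-separated format, not a real Zeek/Suricata layout):
#   http <src_ip> <host_or_ip> <method> <uri>
#   dns  <src_ip> <query_name> <rcode>
# The landing page URI below is a placeholder; the post does not include the real one.
SAMPLE_LOG = """\
http 10.0.0.5 www.example.com GET /index.html
http 10.0.0.5 redigroup.ru GET /hil
http 10.0.0.5 188.225.82.250 GET /placeholder-landing-uri
dns 10.0.0.5 gordinka.xyz NXDOMAIN
dns 10.0.0.5 www.example.com NOERROR
dns 10.0.0.5 makabob.xyz NXDOMAIN
dns 10.0.0.7 kostinka.xyz NXDOMAIN
"""


def parse_line(line):
    """Parse one record into a dict, or return None for blank/malformed lines."""
    fields = line.split()
    if not fields:
        return None
    kind = fields[0]
    if kind == "http" and len(fields) == 5:
        return {"kind": "http", "src": fields[1], "host": fields[2].lower(),
                "method": fields[3], "uri": fields[4]}
    if kind == "dns" and len(fields) == 4:
        return {"kind": "dns", "src": fields[1],
                "query": fields[2].lower().rstrip("."), "rcode": fields[3]}
    return None  # unknown record type: skip rather than crash


def classify(rec):
    """Return the infection-chain stage a record matches, or None if it is benign."""
    if rec["kind"] == "http":
        if rec["host"] == RULAN_GATE[0] and rec["uri"].startswith(RULAN_GATE[1]):
            return "rulan_gate"
        if rec["host"] == RIG_LANDING_IP:
            return "rig_landing"
    elif rec["kind"] == "dns":
        if rec["query"] in UNRESOLVED_DNS:
            return "post_infection_dns"
    return None


def scan(log_text):
    """Group indicator hits by source IP and flag hosts showing gate -> landing in order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage:
            hits[rec["src"]].append(stage)

    report = {}
    for src, stages in hits.items():
        full_chain = ("rulan_gate" in stages and "rig_landing" in stages
                      and stages.index("rulan_gate") < stages.index("rig_landing"))
        report[src] = {"stages": stages, "full_chain": full_chain}
    return report


if __name__ == "__main__":
    for src, info in scan(SAMPLE_LOG).items():
        print(src, info)
```

A host that only shows the post-infection DNS lookups (10.0.0.7 in the sample) is still reported, but without the full_chain flag, so an analyst can tell a confirmed redirect-and-exploit sequence apart from a lone indicator hit that needs a pcap review.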
IMAGES AND DETAILS OF INFECTION CHAIN:
Image (not reproduced here): Network traffic associated with the Rig exploit and the delivery of PandaBanker malware
Image (not reproduced here): Script associated with the Rulan campaign redirecting to the Rig EK landing page
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
- 2017-09-30-Rig-EK.swf – Rig Flash Exploit (VirusTotal link)
- bilonebilo36.exe – PandaBanker (VirusTotal link)
Follow on Twitter @broadanalysis