2014-05-07 - RIG EXPLOIT PACK FROM 108.162.199.251 - FAVOROS19.INFO

ASSOCIATED FILES:

UPDATE (2014-05-14)

NOTES:

EmergingThreats has some new signatures on Goon/Infinity EK dated 05 May 2014 that are triggering on RIG Exploit Pack traffic:

PATTERNS:

I hit the exploit page again to collect the other exploits. Note the swf and swfIE below, which correspond to two different Flash files:

xap for a Silverlight exploit:

xml then jar for a Java exploit:

mp3 when the encrypted EXE payload is sent:

The landing page also appears to carry an MSIE exploit; I'm assuming CVE-2013-2551 based on the traffic.


CHAIN OF EVENTS

Compromised website and redirect (all times UTC):

HTTP GET requests to RIG Exploit Pack domain at 108.162.199.251 - favoros19.info:

Asprox-style callback for more malware:

Post-infection callback for W32/Asprox.ClickFraudBot POST CnC events and Trojan-Spy.Win32.Zbot.hmcm Checkin:

Clickfraud traffic begins:


PRELIMINARY MALWARE ANALYSIS


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Malicious script at the beginning and end of page from compromised website:


Redirect:


RIG Exploit Pack landing page/MSIE CVE-2013-2551 exploit:


MSIE CVE-2013-2551 exploit delivers EXE payload:


Asprox-style callback for more malware:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
