2014-07-26 - RIG EK FROM 194.58.101.51 - WELCOME.SHIRAZTSHIRTS.COM

ASSOCIATED FILES:

NOTES:

I searched for the same MD5 hash (16CF037B8C8CAAD6759AFC8C309DE0F9) on scumware.org and found the following sites, which I assume were also compromised:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

RIG EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-07-26-Rig-EK-flash-exploit.swf
File size:  4.3 KB ( 4453 bytes )
MD5 hash:  3d7e96bd371bfbac440864dc651a0ddf
Detection ratio:  0 / 53
First submission:  2014-07-25 19:39:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/48272657d2347f7dfca47f8c99822264c1ac7df44a37fbd3b555e40bed99d3dd/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-07-26-Rig-EK-silverlight-exploit.xap
File size:  47.5 KB ( 48688 bytes )
MD5 hash:  1699d8065bb7e9ae66491d6e52cc6981
Detection ratio:  16 / 53
First submission:  2014-07-23 10:46:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d6928f1c8680059cddb757a3d219717f0ed5ca42ae0cd9f8bbfeaf3602cee5c5/analysis/

MALWARE PAYLOAD:

File name:  2014-07-26-Rig-EK-malware-payload.exe
File size:  219.5 KB ( 224768 bytes )
MD5 hash:  2d0a723ca1bed6a4684b1d2e1e935dac
Detection ratio:  2 / 53
First submission:  2014-07-27 01:36:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c9b547f5691d9601e019446858001bee1e0cc4413ab51250f6de3a7fa4a2eb3d/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

SCREENSHOTS FROM THE TRAFFIC

Malicious Flash file from the compromised website. This was reported on scumware.org as Troj/SWFExp-DN.

You can quickly extract the decompressed version of these files using 7-Zip.

7-Zip will also show the components of the decompressed Flash file. Checking the components, I found one that looked interesting.

It has some hex-obfuscated data, which decodes to the next step of the infection chain: a script that generates the redirect URL.
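To make that decoding step reproducible, here is an added Python example (not code from the original post): it unpacks a zlib-compressed "CWS" SWF the way 7-Zip does, decodes runs of \xNN or %NN escapes found in the body, and reports any URL they hide. The sample SWF and its placeholder domain are constructed for the example; the real component, domain and hashes are the ones documented above.

```python
import re
import struct
import zlib

# Constructed sample: a minimal "CWS" (zlib-compressed) SWF whose body carries a
# hex-escaped string, mimicking the obfuscated component described in the post.
# The embedded domain is a placeholder, not the one seen in the traffic.
_OBFUSCATED_BODY = (
    b"var u = '"
    + "".join("\\x%02x" % b for b in b"http://redirector.example.invalid/go?id=1").encode()
    + b"'; window.location = u;"
)

def build_cws(body: bytes, version: int = 10) -> bytes:
    """Wrap a body in a CWS header: magic, version, total uncompressed length, zlib body."""
    return b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)

def decompress_swf(data: bytes) -> bytes:
    """Return the uncompressed SWF body (what 7-Zip shows when it opens a CWS file)."""
    magic = data[:3]
    if magic == b"FWS":
        return data[8:]
    if magic == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS SWF header (LZMA 'ZWS' not handled here)")

# Runs of four or more \xNN or %NN escapes: the obfuscation style seen in the component.
HEX_RUN = re.compile(rb"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){4,}")

def decode_hex_runs(blob: bytes) -> list:
    """Decode each escape run into a readable string (bytes outside the runs are ignored)."""
    out = []
    for m in HEX_RUN.finditer(blob):
        hexpairs = re.findall(rb"[0-9a-fA-F]{2}", m.group(0))
        out.append(bytes(int(h, 16) for h in hexpairs).decode("latin-1"))
    return out

URL = re.compile(r"https?://[\w.\-]+(?:/[^\s'\"<>]*)?")

def extract_redirect_urls(swf: bytes) -> list:
    """Decompress, decode the obfuscated runs and return any URLs they hide."""
    body = decompress_swf(swf)
    return [u for s in decode_hex_runs(body) for u in URL.findall(s)]

if __name__ == "__main__":
    print(extract_redirect_urls(build_cws(_OBFUSCATED_BODY)))
```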

Here's the redirect pointing to the Rig EK domain. Note the section highlighted near the bottom of the JavaScript, which shows part of the domain name and URL for today's Rig EK.

Rig EK landing page:

Rig EK sends a Flash exploit, possibly CVE-2014-0515, based on the size of the file.

Rig EK sends a CVE-2013-0074 Silverlight exploit:

The same malware payload is delivered twice:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
