2014-09-01 - RIG EK FROM 5.231.72.115 - NUAYSUQ.PLANEIMPRESSIONS.COM

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

RIG EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-01-Rig-EK-flash-exploit.swf
File size:  4.1 KB ( 4183 bytes )
MD5 hash:  06a1c5d7ad582027c211202c48af595d
Detection ratio:  3 / 55
First submission:  2014-08-14 00:55:39 UTC ( 2 weeks, 4 days prior to this blog entry )
VirusTotal link:  https://www.virustotal.com/en/file/1266294f6887c61c9d47463c2fe524eb1b0da1af5c1970df62424da6b88d9e2a/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-09-01-Rig-EK-silverlight-exploit.xap
File size:  18.8 KB ( 19264 bytes )
MD5 hash:  e6c0869d3a7922cb2064a5b2493f5331
Detection ratio:  2 / 55
First submission:  2014-08-29 13:26:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cc0a4889c9d5ffe3a396d021329bd88d11d5159c3b42988eadc1309c9059778d/analysis/

MALWARE PAYLOAD

File name:  2014-09-01-Rig-EK-malware-payload.exe
File size:  132.4 KB ( 135608 bytes )
MD5 hash:  e2c0a7b48262c7682ac84b2af3d96cc1
Detection ratio:  1 / 55
First submission:  2014-09-01 23:58:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/856e486f338cbd8daed51932698f9cdc9c60f4558d22d963f56da7240490e465/analysis/

This malware was digitally signed.

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including the preprocessor rules):

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe after closing HTML tag on page from compromised website:

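As an added, defender-side illustration of the injection pattern noted in that capture (example code written for this page, not tooling from the site or the analyst): a Python check that flags iframe tags appearing after the closing `</html>` tag, where a well-formed page should contain nothing. The sample document and the redirect URL inside it are constructed placeholders, not values from the traffic.

```python
import re

# Constructed sample (not the compromised page from the capture): a benign
# document followed by a hidden iframe injected after the closing </html> tag.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head><title>Legit site</title></head>
<body><p>Hello, visitor.</p></body>
</html>
<iframe src="http://redirect.example.invalid/path" width="1" height="1" style="visibility:hidden"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def trailing_markup(html: str) -> str:
    """Return whatever follows the last </html> tag (empty if nothing, or no tag)."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()


def find_post_html_iframes(html: str) -> list:
    """Return the src values of iframes located after </html>.

    Browsers still render markup placed after the closing tag, which is why
    injected redirects are often appended there; any iframe in that tail is
    a strong indicator of compromise worth alerting on.
    """
    tail = trailing_markup(html)
    found = []
    for tag in IFRAME_RE.findall(tail):
        m = SRC_RE.search(tag)
        found.append(m.group(1) if m else "")
    return found


if __name__ == "__main__":
    for src in find_post_html_iframes(SAMPLE_HTML):
        print("iframe after </html> pointing to", src)
```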
Redirect pointing to Rig EK:

Rig EK delivers landing page with CVE-2013-2551 MSIE exploit:

Rig EK delivers encrypted malware payload after successful CVE-2013-2551 MSIE exploit:

Rig EK delivers flash exploit:

Rig EK delivers Silverlight exploit:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.