2017-01-27 - MORE AFRAIDGATE RIG-V
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-27-Afraidgate-Rig-V-infections-2-pcaps.zip 1.6 MB (1,625,435 bytes)
- 2017-01-27-Afraidgate-Rig-V-artifacts-and-associated-malware.zip 1.2 MB (1,173,622 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use.
- I currently call it "Rig-V" out of habit. You can probably just call it Rig EK now.
- Before 2017, I used to see Empire Pack (Rig-E) which is a variant of Rig EK with older-style URLs as described by Kafeine here.
- I've only seen Rig-V (Rig 4.0) when looking at Rig EK-based campaigns so far in 2017.
BACKGROUND ON THE AFRAIDGATE CAMPAIGN:
- My last in-depth write-up on the Afraidgate campaign from July 2016: link
OTHER NOTES:
- Like yesterday, the Rig-V payload from Afraidgate (Godzilla loader) was sent twice, and it downloaded different follow-up malware each time.
- One of the follow-up malware items was Locky.
- The other I still don't have a lot of information about, so I'm still calling it "unknown" for now.
- Moritz Kroll examined that unknown malware from yesterday and called it "cirhashbot" based on comments made in this VirusTotal entry.
- Paul Burgate thinks this is a "Snatch Trojan" (or "Snatch Loader") as noted in a Twitter thread here, but I can't find any real info for that malware name.
- During one of my infection attempts, I got Madness DDoS botnet malware instead of the usual Godzilla loader for the Rig-V payload from Afraidgate.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: First time I checked piatti.com, the infection chain only got as far as the Godzilla loader.
Shown above: The second time I checked, the infection chain gave me Madness DDoS botnet malware instead.
Shown above: The third time I tried for an Afraidgate infection, I got the same type of infection chain as yesterday.
COMPROMISED WEBSITES:
- piatti.com - Compromised site (Thanks to @killamjr for the info!)
- [information removed] - Another compromised website for the third infection on 2017-01-27
AFRAIDGATE REDIRECT URLS:
- 146.185.151[.]179 port 80 - lorddayle.berita[.]co[.]uk - GET /js/dle_js.js
- 146.185.151[.]179 port 80 - lorddayle.berita[.]co[.]uk - GET /clientscript/yui/connection/connection-min.js
- 139.59.160[.]143 port 80 - microname.ssaewp[.]com[.]au - GET /scripts/star-rating.js
RIG-V DOMAINS:
- 194.87.234[.]129 port 80 - koko.anlayamiyorum[.]org - Rig-V, 2017-01-26 1st run
- 194.87.238[.]222 port 80 - fufu.efsani[.]com - Rig-V, 2017-01-26 2nd run
- 92.53.97[.]168 port 80 - help.2043kutahya[.]com - Second Rig-V domain on 2017-01-26 during the 2nd run
- 194.87.238[.]222 port 80 - cong.dogamin[.]com - Rig-V from 2017-01-27
POST-INFECTION TRAFFIC:
- 5.188.223[.]104 port 80 - spotsbill[.]com - Callback traffic caused by Godzilla Loader
- 185.162.10[.]108 port 80 - grentromz[.]com - POST /blog.php - [Callback traffic caused by unknown malware]
- 194.31.59[.]5 port 80 - 194.31.59[.]5 - POST /checkupdate - [Locky callback traffic]
- 195.161.62[.]33 port 80 - 195.161.62[.]33 - Callback URLs caused by Madness DDoS botnet malware
FILE HASHES
RIG-V FLASH EXPLOITS:
- SHA256 hash: c51983e60892d0c011339e123f9058c390f8f4bc162e00fa1879db4a76734029 (19,230 bytes)
File description: Rig-V Flash exploit seen on 2017-01-26
- SHA256 hash: b3669ec83fb4bba5257da8c68b32dc15d1a08e9e8c22c7483698f29de2839b5f (16,261 bytes)
File description: Rig-V Flash exploit seen on 2017-01-27
RIG-V PAYLOADS FROM THE AFRAIDGATE CAMPAIGN:
- SHA256 hash: 316440f68fe6ebb902da363604b316fcbb12e555c6b0af9cb36f669a7aeaeb78 (57,344 bytes)
File description: Godzilla Loader sent by Rig-V from Afraidgate campaign on 2017-01-26
- SHA256 hash: 795b4949fbf4799e0d22365e403c3f443f033112f63f36055f8542293caa2d41 (39,936 bytes)
File description: Madness DDoS botnet malware sent by Rig-V from Afraidgate campaign on 2017-01-26
- SHA256 hash: 3a1dd7352ce770a4994f6d9b4c5163d47410733a27596d69c0d03b96b1170ffc (164,864 bytes)
File description: Godzilla Loader sent by Rig-V from Afraidgate campaign on 2017-01-27
FOLLOW-UP MALWARE:
- SHA256 hash: 16e80038fee80d15baeb2783d63a33dae2545a1b58c668070fb32b48f0f3fbf3 (264,704 bytes)
File description: Locky ransomware
- SHA256 hash: 9f9bbdf3d06e18db9256ddf6f150bebd6c5cc11dd118c0fbdd573427d22ee042 (212,992 bytes)
File description: Unknown malware (cirhashbot or Snatch loader or whatever it may be)
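The indicators above are defanged with "[.]" so they can be published safely; to use them for detection you refang them and sweep proxy logs and file hashes. The following script is an added example, not part of this post or its pcaps: it takes the redirect, Rig-V, and callback hosts plus the SHA256 hashes listed on this page, refangs them, and checks constructed proxy log lines and hash values against them. The log format (timestamp, client IP, method, URL on one line) and the sample lines themselves are assumptions for illustration; adjust LOG_RE to your own proxy's format.

```python
import re
from urllib.parse import urlsplit

# Network indicators copied from the lists above (defanged with "[.]").
DEFANGED_IOCS = {
    "lorddayle.berita[.]co[.]uk": "Afraidgate redirect",
    "microname.ssaewp[.]com[.]au": "Afraidgate redirect",
    "koko.anlayamiyorum[.]org": "Rig-V landing domain",
    "fufu.efsani[.]com": "Rig-V landing domain",
    "help.2043kutahya[.]com": "Rig-V landing domain",
    "cong.dogamin[.]com": "Rig-V landing domain",
    "spotsbill[.]com": "Godzilla Loader callback",
    "grentromz[.]com": "unknown malware callback",
    "194.31.59[.]5": "Locky callback",
    "195.161.62[.]33": "Madness DDoS botnet callback",
}

# SHA256 hashes copied from the file hash lists above.
KNOWN_HASHES = {
    "c51983e60892d0c011339e123f9058c390f8f4bc162e00fa1879db4a76734029": "Rig-V Flash exploit (2017-01-26)",
    "b3669ec83fb4bba5257da8c68b32dc15d1a08e9e8c22c7483698f29de2839b5f": "Rig-V Flash exploit (2017-01-27)",
    "316440f68fe6ebb902da363604b316fcbb12e555c6b0af9cb36f669a7aeaeb78": "Godzilla Loader (2017-01-26)",
    "795b4949fbf4799e0d22365e403c3f443f033112f63f36055f8542293caa2d41": "Madness DDoS botnet malware (2017-01-26)",
    "3a1dd7352ce770a4994f6d9b4c5163d47410733a27596d69c0d03b96b1170ffc": "Godzilla Loader (2017-01-27)",
    "16e80038fee80d15baeb2783d63a33dae2545a1b58c668070fb32b48f0f3fbf3": "Locky ransomware",
    "9f9bbdf3d06e18db9256ddf6f150bebd6c5cc11dd118c0fbdd573427d22ee042": "unknown malware (cirhashbot / Snatch loader?)",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a usable one ("a.b")."""
    return indicator.replace("[.]", ".").lower()


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Assumed one-line proxy log format: <timestamp> <client ip> <method> <url>.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def lookup_host(host: str):
    """Return the IOC label for a host (exact match or a subdomain of a
    listed domain), or None if the host is not on the list."""
    host = host.lower().rstrip(".")
    if host in IOCS:
        return IOCS[host]
    for ioc, label in IOCS.items():
        if host.endswith("." + ioc):
            return label
    return None


def scan_proxy_log(lines):
    """Return (client, host, label) for each log line whose URL host hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = urlsplit(m.group("url")).hostname
        if not host:
            continue
        label = lookup_host(host)
        if label:
            hits.append((m.group("client"), host, label))
    return hits


def check_hashes(hashes):
    """Map each SHA256 string (any case) to its label from the page, or None."""
    return {h: KNOWN_HASHES.get(h.lower()) for h in hashes}


# Constructed sample log lines, not taken from the pcaps; the Rig-V landing
# line uses "/" because the real landing URL path is not shown on this page.
SAMPLE_LOG = """\
1485507601.123 10.0.0.15 GET http://lorddayle.berita.co.uk/js/dle_js.js
1485507602.456 10.0.0.15 GET http://cong.dogamin.com/
1485507610.789 10.0.0.15 POST http://194.31.59.5/checkupdate
1485507611.000 10.0.0.22 GET http://www.example.com/index.html
"""

if __name__ == "__main__":
    for client, host, label in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: {label}")
    for h, label in check_hashes(["16E80038FEE80D15BAEB2783D63A33DAE2545A1B58C668070FB32B48F0F3FBF3"]).items():
        print(f"{h[:12]}...: {label}")
```

Subdomain matching is deliberate: a host like www.spotsbill.com should still flag, while the three Rig-V gate requests from the sample log are flagged in the order they appear so the redirect chain (Afraidgate redirect, Rig-V landing, Locky callback) is visible from a single client.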