2014-05-07 - RIG EXPLOIT PACK FROM 108.162.199.251 - FAVOROS19.INFO

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-05-07-Rig-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-07-Rig-EK-malware.zip

UPDATE (2014-05-14)

• I originally thought this was Goon/Infinity EK, but this was identified as RIG Exploit Pack by Kahu Security: http://www.kahusecurity.com/2014/rig-exploit-pack/
• It's very interesting, because it looks like RIG stole a lot of things from Goon/Infinity EK.
• I've updated some of my notes below.

NOTES:

EmergingThreats has some new signatures on Goon/Infinity EK dated 05 May 2014 that are triggering on RIG Exploit Pack traffic:

• ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 - 2018440
• ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 - 2018441

PATTERNS:

I hit the exploit page again to get the different exploits...  Note the swf and swfIE below for two different Flash files:

• GET /proxy.php?req=swf&num=1450&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|NWQxYjQ2ZGQxNzFlNmQxMmNlZDcxZTI4N2I2M2JlMjY
• GET /proxy.php?req=swfIE&num=1365&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|NWQxYjQ2ZGQxNzFlNmQxMmNlZDcxZTI4N2I2M2JlMjY

xap for a Silverlight exploit:

• GET /proxy.php?req=xap&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|NWQxYjQ2ZGQxNzFlNmQxMmNlZDcxZTI4N2I2M2JlMjY

xml then jar for a Java exploit:

• GET /proxy.php?req=xml&num=2829&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|ZmZlNmE4ZmM5ZTJiZDVhNjRkMzI0Y2ZkYzhhZjlhZjM
• GET /proxy.php?req=jar&num=7164&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4%7CZmZlNmE4ZmM5ZTJiZDVhNjRkMzI0Y2ZkYzhhZjlhZjM

mp3 when the encrypted EXE payload is sent:

• GET /proxy.php?req=mp3&num=66&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4%7CMTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE

The landing page also appears to have an MSIE exploit--I'm assuming CVE-2013-2551 based on the traffic.

 

CHAIN OF EVENTS

Compromised website and redirect (all times UTC):

• 04:09:31 - 103.29.216.130 - www.jvgroup.com.au - GET /testimonials/
• 04:09:42 - 103.31.186.31 - adv-inc-net.com - GET /trackingcode/tracker.html
• 04:09:42 - 103.31.186.31 - adv-inc-net.com - GET /trackingcode/counter.php

HTTP GET requests to RIG Exploit Pack domain at 108.162.199.251 - favoros19.info:

• 04:09:42 - GET /proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE
• 04:09:42 - GET /proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE
• 04:09:42 - GET /proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE
• 04:09:48 - GET /proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE
• 04:09:48 - GET /proxy.php?req=mp3&num=66&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4%7CMTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE
• 04:09:54 - GET /proxy.php?req=mp3&num=37&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4%7CMTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE
• 04:10:00 - GET /proxy.php?req=mp3&num=57&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4%7CMTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE
• 04:10:06 - GET /proxy.php?req=mp3&num=81&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4%7CMTNkMjQxODg5NjZjNjYwNjI3MjlhM2I5NzBkNGE4ZjE

Asprox-style callback for more malware:

• 04:10:02 - 46.237.71.11 - manufact-is.com - GET /componentsjumla-q1/jquery/   [Repeats]
• 04:09:55 - 46.160.112.212 - head-pcs.com - GET /b/shoe/1928   [Repeats]
• 04:10:50 - 46.237.71.11 - manufact-is.com - GET /jshoppresto-d2/soft32.dll

Post-infection callback for W32/Asprox.ClickFraudBot POST CnC events and Trojan-Spy.Win32.Zbot.hmcm Checkin:

• 04:11:17 - 46.98.158.160 - molinaderrec.com - GET /b/eve/a0e7a0e4c280b78aaf7ec6fd
• 04:12:12 - 62.16.38.131 - molinaderrec.com - POST /b/opt/3ACC6DEAE44C9D2F862B8A41
• 04:12:13 - 62.16.38.131 - molinaderrec.com - GET /b/letr/7D76278E4C0344012E64536F
• 04:12:14 - 62.16.38.131 - molinaderrec.com - POST /b/opt/4F3F27C669A8A5480BCFB226
• 04:12:31 - 62.16.38.131 - molinaderrec.com - POST /b/req/0B87F5A8C3E5E730A182F05E
• 04:12:51 - 62.16.38.131 - molinaderrec.com - POST /b/req/8C1289B1DB772C6AB9103B04

Clickfraud traffic begins:

• 04:12:53 - 192.162.19.34 - available-search.com - GET /
• 04:12:53 - 192.162.19.34 - perimeter-search.com - GET /
• 04:12:53 - 192.162.19.34 - available-search.com - GET /
• 04:12:53 - 192.162.19.34 - provide-search.com - GET /
• 04:12:53 - 192.162.19.34 - travels-search.com - GET /
• 04:12:53 - 192.162.19.34 - helped-search.com - GET /
• 04:12:53 - 192.162.19.34 - country-search.com - GET /
• 04:12:53 - 192.162.19.34 - recommendation-search.com - GET /
• 04:12:53 - 192.162.19.34 - companies-search.com - GET /
• 04:12:53 - 192.162.19.34 - convoy-search.com - GET /
• 04:12:53 - 192.162.19.34 - submission-search.com - GET /
• 04:12:53 - 192.162.19.34 - diseases-search.com - GET /
• 04:12:53 - 192.162.19.34 - convoy-search.com - GET /
• 04:12:53 - 192.162.19.34 - submission-search.com - GET /

 

PRELIMINARY MALWARE ANALYSIS

• 2014-05-07-Rig-EK-silverlight-exploit.xap - 13.5 KB ( 13864 bytes ) - MD5: bb07beb887f8a6d06114809ef326d9f6 - VirusTotal link
• 2014-05-07-Rig-EK-java-exploit.jar - 12.0 KB ( 12330 bytes ) - MD5: d7b74a2867b6112b58a2bba45ca2fa97 - VirusTotal link
• 2014-05-07-Rig-EK-flash-file-swf.swf - 6.0 KB ( 6141 bytes ) - MD5: 4233c65ebaa35256aca49ddaeae2d1bc - VirusTotal link
• 2014-05-07-Rig-EK-flash-file-swfIE.swf - 5.8 KB ( 5950 bytes ) - MD5: 0a2d45a93ff7db1b1a54420b457066dc - VirusTotal link
• 2014-05-07-Rig-EK-malware-payload.exe - 128.0 KB ( 131076 bytes ) - MD5: 27a3cf93eca7cdae2c2213a6d56a84fa - VirusTotal link
• UpdateFlashPlayer_02754d09.exe - 183.9 KB ( 188264 bytes ) - MD5: 0b124adc061b628ce6d64ddd69a13823 - VirusTotal link

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding
• ET WEB_CLIENT Hex Obfuscation of document.write % Encoding
• ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding
• ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
• ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding
• ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014
• ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014
• ET CURRENT_EVENTS GoonEK encrypted binary (3)
• ET POLICY PE EXE or DLL Windows file download
• ET INFO EXE - Served Attached HTTP
• ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
• GPL SHELLCODE x86 NOOP
• ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon
• ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement
• ET TROJAN Trojan-Spy.Win32.Zbot.hmcm Checkin
• ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious script at the beginning and end of page from compromised website:

 

Redirect:

 

RIG Exploit Pack landing page/MSIE CVE-2013-2551 exploit:

 

MSIE CVE-2013-2551exploit delivers EXE payload:

 

Asprox-style callback for more malware:

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-05-07-Rig-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-07-Rig-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.