2014-05-10 - RIG EXPLOIT PACK FROM 141.101.116.87 - BUIADNAIUAYF.ML

ASSOCIATED FILES:

• ZIP of the PCAPs:  2014-05-10-Rig-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-10-Rig-EK-malware.zip

UPDATE (2014-05-14)

• I originally thought this was Goon/Infinity EK, but this was identified as RIG Exploit Pack by Kahu Security: http://www.kahusecurity.com/2014/rig-exploit-pack/
• It's very interesting, because it looks like RIG stole a lot of things from Goon/Infinity EK.
• I've updated some of my notes below.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 202.71.103.215 - tourtravelogue.com - Compromised website
• 82.118.17.38 - 82.118.17.38 - Redirect
• 141.101.116.87 - buiadnaiuayf.ml - RIG Exploit Pack

COMPROMISED WEBSITE AND REDIRECT:

• 01:43:10 - tourtravelogue.com - GET /
• 01:43:12 - 82.118.17.38 - GET /?2

RIG EXPLOIT PACK - HTTP GET REQUESTS TO BUIADNAIUAYF.ML:

• 01:43:14 - proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MGUxY2YzY2IwNWU5ZDUyMGExOGM0M2U2NGQ0YzJiOTg
• 01:43:18 - proxy.php?req=mp3&num=2&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4%7CMGUxY2YzY2IwNWU5ZDUyMGExOGM0M2U2NGQ0YzJiOTg
• 01:43:19 - proxy.php?req=swf&num=4403&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MGUxY2YzY2IwNWU5ZDUyMGExOGM0M2U2NGQ0YzJiOTg
• 01:43:19 - proxy.php?req=xap&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MGUxY2YzY2IwNWU5ZDUyMGExOGM0M2U2NGQ0YzJiOTg
• 01:43:23 - proxy.php?req=mp3&num=46054663&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4%7CMGUxY2YzY2IwNWU5ZDUyMGExOGM0M2U2NGQ0
  YzJiOTg&dop=013

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-10-Rig-EK-flash-exploit.swf
File size:  6.0 KB ( 6195 bytes )
MD5 hash:  809966c79e4944e9d7c69f3161b475ff
Detection ratio:  1 / 51
First submission:  2014-05-09 08:34:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e7eceb0f38446eb74918be3f49bc678d8653cdf4d6f3b5ef5de23f60a53e2811/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-05-10-Rig-EK-silverlight-exploit.xap
File size:  14.0 KB ( 14292 bytes )
MD5 hash:  a44a1e43652edcf93c0ec6805ff438c7
Detection ratio:  3 / 52
First submission:  2014-05-07 22:52:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9dae48b5ccb3651b79d53f3cf1f0cf206a473221434200566af26b65f9b80dd9/analysis/

 

MALWARE PAYLOAD

File name:  2014-05-10-Rig-EK-malware-payload.exe
File size:  317.5 KB ( 325169 bytes )
MD5 hash:  0a925532cdf1e19d085f17ca6168be3d
Detection ratio:  2 / 52
First submission:  2014-05-10 02:08:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c4a612ec3108e567b90c6b6cf1cddc02fc54558cb0938b2d3649753542414e32/analysis/
Malwr link:  https://malwr.com/analysis/MTRmMjljMzVkNDQ0NDFjYjk0ZmQwNjE5ZmNhODIxODE/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-05-10 01:42:39 UTC - 62.219.91.8:80 - 172.16.223.131:49901 - ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious
• 2014-05-10 01:42:39 UTC - 62.219.91.8:80 - 172.16.223.131:49901 - ET CURRENT_EVENTS Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012
• 2014-05-10 01:42:40 UTC - 62.219.91.8:80 - 172.16.223.131:49901 - ET CURRENT_EVENTS Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012
• 2014-05-10 01:43:15 UTC - 141.101.116.87:80 - 172.16.223.131:49925 - ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014
• 2014-05-10 01:43:17 UTC - 172.16.223.131:49925 - 141.101.116.87:80 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014
• 2014-05-10 01:43:19 UTC - 172.16.223.131:49925 - 141.101.116.87:80 - ET POLICY Outdated Windows Flash Version IE
• 2014-05-10 01:43:28 UTC - 141.101.116.87:80 - 172.16.223.131:49925 - ET CURRENT_EVENTS GoonEK encrypted binary (3)

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in web page from compromised website:

 

Redirect:

 

First request to RIG Exploit Pack landing page - buiadnaiuayf.ml
GET /proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MGUxY2YzY2IwNWU5ZDUyMGExOGM0M2U2NGQ0YzJiOTg

I've highlighted the part I've seen used with the CVE-2013-2551 MSIE exploit.

 

HTTP GET request for the Flash exploit:

 

HTTP GET request for the malware payload, right after the Flash exploit:

 

HTTP GET request for the Silverlight exploit after the malware was sent:

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAPs:  2014-05-10-Rig-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-10-Rig-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.