2014-09-09 - RIG EK FROM 178.132.204.97 - SDFI.APARTMENTPERCH.COM

ASSOCIATED FILES:

• ZIP of the pcap(s):  2014-09-09-Rig-EK-traffic.pcap.zip
• ZIP of the malware:  2014-09-09-Rig-EK-malware.zip

 

NOTES:

• Kafeine noted Windigo group moving from FlashPack to Rig EK in July: http://malware.dontneedcoffee.com/2014/07/bye-bye-flash-ek-and-windigo-group.html
• This is the first time I've seen a Cushion redirect go to Rig EK, so I guess they've finally made the move.
• Time will tell if this is permanent.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 184.164.128.181 - www.htmlforums.com - Compromised website
• 41.77.116.82 - 0vr2is8t27hdaa7had8cfgf.karchivelia.com - First Cushion redirect domain
• 41.77.116.82 - 0vr2is8t27hdaa7had8cfgf508253fd0a975646b42bb49a281923ee0.karchivelia.com - Second Cushion redirect domain
• 178.132.204.97 - sdfi.apartmentperch.com - Rig EK

 

COMPROMISED WEBSITE AND CUSHION REDIRECT:

• 22:50:32 UTC - 172.16.165.132:49182 - 184.164.128.181:80 - www.htmlforums.com - GET /
• 22:50:32 UTC - 172.16.165.132:49183 - 41.77.116.82:80 - 0vr2is8t27hdaa7had8cfgf.karchivelia.com - GET /index.php?r=bWV1c2xkPW1hY21zaWtreCZ0aW1lPTE
  0MDkwOTIyMzIzMDk4NTk5NzI5JnNyYz04MiZzdXJsPXd3dy5odG1sZm9ydW1zLmNvbSZzcG9ydD04MCZrZXk9NjNFRDBCQkEmc3VyaT0v
• 22:50:33 UTC - 172.16.165.132:49184 - 41.77.116.82:80 - 0vr2is8t27hdaa7had8cfgf508253fd0a975646b42bb49a281923ee0.karchivelia.com - GET /index2.php

 

RIG EK:

• 22:50:35 UTC - 172.16.165.132:49186 - 178.132.204.97:80 - sdfi.apartmentperch.com - GET /?PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NGNjMTZiYzgzNWY5Nzc2YTY0MTA4ZGU3ZjdmZTNmMDY
• 22:50:39 UTC - 172.16.165.132:49186 - 178.132.204.97:80 - sdfi.apartmentperch.com - GET /index.php?req=swf&num=5933&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NGNjMTZiYzgzNWY5Nzc2YTY0MTA4ZGU3ZjdmZTNmMDY
• 22:50:42 UTC - 172.16.165.132:49187 - 178.132.204.97:80 - sdfi.apartmentperch.com - GET /index.php?req=xap&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NGNjMTZiYzgzNWY5Nzc2YTY0MTA4ZGU3ZjdmZTNmMDY
• 22:50:47 UTC - 172.16.165.132:49187 - 178.132.204.97:80 - sdfi.apartmentperch.com - GET /index.php?req=mp3&num=59185228&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CNGNjMTZiYzgzNWY5Nzc2YTY0MTA4ZGU3ZjdmZTNmMDY&dop=0190
• 22:51:29 UTC - 172.16.165.132:49188 - 178.132.204.97:80 - sdfi.apartmentperch.com - GET /index.php?req=xml&num=2900&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NGNjMTZiYzgzNWY5Nzc2YTY0MTA4ZGU3ZjdmZTNmMDY

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-09-Rig-EK-flash-exploit.swf
File size:  4.2 KB ( 4276 bytes )
MD5 hash:  cd369e91ff61a2c1c493a686dd17f777
Detection ratio:  1 / 55
First submission:  2014-09-07 05:06:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5fa303a20aa2c368c2134599f518dc0d57276e386069d086aa97d3b2a210ab83/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-09-09-Rig-EK-silverlight-exploit.xap
File size:  19.9 KB ( 20370 bytes )
MD5 hash:  e7c9442472ae16bc950408146ad2db7c
Detection ratio:  2 / 55
First submission: 
VirusTotal link:  https://www.virustotal.com/en/file/1f87dac217f5570b24c4d8b3ec7b5cc31b09449b133660864d9517595149a0f3/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-09-Rig-EK-malware-payload.exe
File size:  102.3 KB ( 104758 bytes )
MD5 hash:  250819688dc109a79a4de24eeabbb3de
Detection ratio:  2 / 55
First submission:  2014-09-09 23:32:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/689fb4c908b29aa44859bfc8eef9f6b345ac5601d1046b4f26a5bfb5ff343ecd/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 2014-09-09 22:50:32 UTC - 172.16.165.132:49183 - 41.77.116.82:80 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
• 2014-09-09 22:50:33 UTC - 172.16.165.132:62428 - 172.16.165.2:53 - MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (sid:30881)
• 2014-09-09 22:50:33 UTC - 172.16.165.132:62428 - 172.16.165.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound) (sid:2018276)
• 2014-09-09 22:50:33 UTC - 172.16.165.132:62428 - 172.16.165.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (sid:2018275)
• 2014-09-09 22:50:35 UTC - 172.16.165.132:49186 - 178.132.204.97:80 - ET CURRENT_EVENTS RIG EK Landing URI Struct (sid:2019072)
• 2014-09-09 22:50:35 UTC - 178.132.204.97:80 - 172.16.165.132:49186 - ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File (sid:2018783)
• 2014-09-09 22:50:39 UTC - 172.16.165.132:49186 - 178.132.204.97:80 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (sid:2018441)
• 2014-09-09 22:50:48 UTC - 178.132.204.97:80 - 172.16.165.132:49187 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including the preprocessor alerts):

• 2014-09-09 22:50:32 UTC - 184.164.128.181:80 - 172.16.165.132:49182 - [1:26528:3] INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt
• 2014-09-09 22:50:33 UTC - 172.16.165.132:62428 - 172.16.165.2:53 - [1:30272:1] MALWARE-OTHER Unix.Trojan.Onimiki redirected client DNS request
• 2014-09-09 22:50:39 UTC - 172.16.165.132:49186 - 178.132.204.97:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure
• 2014-09-09 22:50:42 UTC - 172.16.165.132:49187 - 178.132.204.97:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure
• 2014-09-09 22:50:42 UTC - 178.132.204.97:80 - 172.16.165.132:49187 - [1:28612:2] EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (x2)
• 2014-09-09 22:50:47 UTC - 172.16.165.132:49187 - 178.132.204.97:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure
• 2014-09-09 22:50:48 UTC - 178.132.204.97:80 - 172.16.165.132:49187 - [1:30934:2] EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download
• 2014-09-09 22:51:29 UTC - 172.16.165.132:49188 - 178.132.204.97:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap(s):  2014-09-09-Rig-EK-traffic.pcap.zip
• ZIP of the malware:  2014-09-09-Rig-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.