2014-10-05 - RIG EK FROM 37.200.69.87 - CONTACT.COLLEGEMOTORSLTD.COM
ASSOCIATED FILES:
- ZIP of the pcap: 2014-10-05-Rig-EK-traffic.pcap.zip
- ZIP of the malware: 2014-10-05-Rig-EK-malware.zip
NOTES:
- This is Operation Windigo, which Kafeine saw serving Rig EK back in July: http://malware.dontneedcoffee.com/2014/07/bye-bye-flash-ek-and-windigo-group.html
- For more information about Operation Windigo, ESET published a report available here.
MY BLOG ENTRIES ON THE WINDIGO GROUP SERVING RIG EK:
- 2014-09-09 - Rig EK from 178.132.204.97 - sdfi.apartmentperch.com
- 2014-09-23 - Rig EK from 178.132.203.26 - mdif.boroughventuremenswear.com
- 2014-10-05 - Rig EK from 37.200.69.87 - contact.collegemotorsltd.com
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 107.158.13.2 - protorrent.net - Compromised website
- 37.140.192.248 - qqcr0yuvnzaw2178w7nw1xf.ankara-tr.net - Redirect
- 37.140.192.248 - qqcr0yuvnzaw2178w7nw1xf5200540ba7eb943446ba750a4c8caf95d.ankara-tr.net - Redirect
- 37.200.69.87 - contact.collegemotorsltd.com - Rig EK
COMPROMISED WEBSITE AND REDIRECT:
- 2014-10-05 00:31:27 UTC - 172.16.165.133:49180 - 107.158.13.2:80 - protorrent.net - GET /
- 2014-10-05 00:31:28 UTC - 172.16.165.133:49181 - 37.140.192.248:80 - qqcr0yuvnzaw2178w7nw1xf.ankara-tr.net - GET /index.php?q=ZGdxbnJ6a2o9cWJqeSZ0aW1lPTE0MTAwNDIzNTQ0MDc3NDM4MzMyJnNyYz0yMDAmc3VybD1wcm90b3JyZW50Lm5ldCZzcG9ydD04MCZrZXk9QzgwMUU4RUYmc3VyaT0v
- 2014-10-05 00:31:29 UTC - 172.16.165.133:49182 - 37.140.192.248:80 - qqcr0yuvnzaw2178w7nw1xf5200540ba7eb943446ba750a4c8caf95d.ankara-tr.net - GET /index2.php
RIG EK:
- 2014-10-05 00:31:30 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
- 2014-10-05 00:31:35 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /index.php?req=mp3&num=37&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
- 2014-10-05 00:31:37 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /index.php?req=swf&num=8413&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
- 2014-10-05 00:31:37 UTC - 172.16.165.133:49184 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /index.php?req=xap&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
- 2014-10-05 00:31:44 UTC - 172.16.165.133:49184 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /index.php?req=mp3&num=12465&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2014-10-05-Rig-EK-flashe-exploit.swf
File size: 4.1 KB ( 4238 bytes )
MD5 hash: 1ca3694873a7975dc4a286e11799a004
Detection ratio: 8 / 55
First submission: 2014-10-02 07:51:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/3f0c210787ecd044c48792635998e4574a4c5abed1b150c02c62083b757b02f9/analysis/
SILVERLIGHT EXPLOIT:
File name: 2014-10-05-Rig-EK-silverlight-exploit.xap
File size: 36.5 KB ( 37375 bytes )
MD5 hash: ab716b15872a59d913a7e98d57629705
Detection ratio: 2 / 55
First submission: 2014-10-05 00:46:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/46c2ff09e2be2d7af005679e364a92ca6d437aa40a24ccefd688a05dd79c4898/analysis/
MALWARE PAYLOAD:
File name: 2014-10-05-Rig-EK-malware-payload.exe
File size: 109.6 KB ( 112270 bytes )
MD5 hash: 8bb314e3b027f08891db469edb61e584
Detection ratio: 3 / 55
First submission: 2014-10-05 00:42:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/54850b1dff3148f999959d59c34e2d1be488a3d60be493261249e09ef22fde89/analysis/
Malwr link: https://malwr.com/analysis/MjM1NWJiZWY3OGM4NDdiNDk5YjU1YTM4ZWM2YTQ0ZDk/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 2014-10-05 00:31:28 UTC - 172.16.165.133:49181 - 37.140.192.248:80 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
- 2014-10-05 00:31:28 UTC - 172.16.165.133:62086 - 172.16.165.2:53 - MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (sid:30881)
- 2014-10-05 00:31:28 UTC - 172.16.165.133:62086 - 172.16.165.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (sid:2018275)
- 2014-10-05 00:31:28 UTC - 172.16.165.133:62086 - 172.16.165.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound) (sid:2018276)
- 2014-10-05 00:31:30 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - ET CURRENT_EVENTS RIG EK Landing URI Struct (sid:2019072)
- 2014-10-05 00:31:30 UTC - 37.200.69.87:80 - 172.16.165.133:49183 - ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File (sid:2018783)
- 2014-10-05 00:31:30 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (sid:2018441)
- 2014-10-05 00:31:30 UTC - 37.200.69.87:80 - 172.16.165.133:49183 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):
- 2014-10-05 00:31:27 UTC - 107.158.13.2:80 - 172.16.165.133:49180 - [1:26528:3] INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt
- 2014-10-05 00:31:28 UTC - 172.16.165.133:62086 - 172.16.165.2:53 - [1:30272:1] MALWARE-OTHER Unix.Trojan.Onimiki redirected client DNS request
- 2014-10-05 00:31:35 UTC - 172.16.165.133:various - 37.200.69.87:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (x4)
- 2014-10-05 00:31:36 UTC - 37.200.69.87:80 - 172.16.165.133:various - [1:30934:2] EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (x2)
- 2014-10-05 00:31:38 UTC - 37.200.69.87:80 - 172.16.165.133:49184 - [1:28612:2] EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (x2)
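The request chain under CHAIN OF EVENTS and the alert list under SNORT EVENTS are the two things an analyst has to line up by hand in Sguil. The script below is an added example (not code from this writeup or from any of the tools named here) that parses both listings in the line format used above, labels each request with the role the ASSOCIATED DOMAINS list assigns to its host plus the Rig EK URI shape (PHPSSESID token pair, req=swf/xap/mp3), base64-decodes the cushion redirect's q= parameter (which turns out to carry the referring compromised site, protorrent.net), and ties each Snort alert back to the request(s) on the same server and client port. The request and alert lines embedded in it are copied from this page; CLIENT, ROLE_BY_HOST, the function names, and the reading of req=mp3 as the encrypted payload download (inferred from the "encrypted binary" alerts, not stated by the page) are this example's own assumptions.

```python
"""Added example, not part of the original writeup: parse the request chain
and the Snort events listed on this page, decode the cushion redirect's
'q' parameter, and tie each alert back to the HTTP request(s) it fired on."""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

CLIENT = "172.16.165.133"  # assumption: the infected host in the pcap

# Roles taken from the writeup's "Associated domains" list.
ROLE_BY_HOST = {
    "protorrent.net": "compromised website",
    "qqcr0yuvnzaw2178w7nw1xf.ankara-tr.net": "cushion redirect",
    "qqcr0yuvnzaw2178w7nw1xf5200540ba7eb943446ba750a4c8caf95d.ankara-tr.net": "cushion redirect",
    "contact.collegemotorsltd.com": "Rig EK",
}

# Request lines copied from the "Chain of events" section (wrapped lines rejoined).
REQUEST_LOG = """\
2014-10-05 00:31:27 UTC - 172.16.165.133:49180 - 107.158.13.2:80 - protorrent.net - GET /
2014-10-05 00:31:28 UTC - 172.16.165.133:49181 - 37.140.192.248:80 - qqcr0yuvnzaw2178w7nw1xf.ankara-tr.net - GET /index.php?q=ZGdxbnJ6a2o9cWJqeSZ0aW1lPTE0MTAwNDIzNTQ0MDc3NDM4MzMyJnNyYz0yMDAmc3VybD1wcm90b3JyZW50Lm5ldCZzcG9ydD04MCZrZXk9QzgwMUU4RUYmc3VyaT0v
2014-10-05 00:31:29 UTC - 172.16.165.133:49182 - 37.140.192.248:80 - qqcr0yuvnzaw2178w7nw1xf5200540ba7eb943446ba750a4c8caf95d.ankara-tr.net - GET /index2.php
2014-10-05 00:31:30 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
2014-10-05 00:31:35 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /index.php?req=mp3&num=37&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
2014-10-05 00:31:37 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /index.php?req=swf&num=8413&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
2014-10-05 00:31:37 UTC - 172.16.165.133:49184 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /index.php?req=xap&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
2014-10-05 00:31:44 UTC - 172.16.165.133:49184 - 37.200.69.87:80 - contact.collegemotorsltd.com - GET /index.php?req=mp3&num=12465&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDAwNjA4MDU0Mjc4NWY5MDgyZDkwYjc3NmVmMDQ4ODM
"""

# A subset of the alert lines copied from the "Snort events" section.
ALERT_LOG = """\
2014-10-05 00:31:28 UTC - 172.16.165.133:49181 - 37.140.192.248:80 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
2014-10-05 00:31:28 UTC - 172.16.165.133:62086 - 172.16.165.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (sid:2018275)
2014-10-05 00:31:30 UTC - 172.16.165.133:49183 - 37.200.69.87:80 - ET CURRENT_EVENTS RIG EK Landing URI Struct (sid:2019072)
2014-10-05 00:31:35 UTC - 172.16.165.133:various - 37.200.69.87:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (x4)
"""

# Both listings share the shape "<ts> UTC - ip:port - ip:port - <rest>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UTC - (?P<a>[\d.]+):(?P<ap>\w+) - (?P<b>[\d.]+):(?P<bp>\w+) - (?P<rest>.+)$"
)


def parse_requests(text):
    """One dict per request line: timestamp, client port, server IP, host, method, URI."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        host, request = m["rest"].split(" - ", 1)
        method, uri = request.split(" ", 1)
        out.append({"ts": m["ts"], "cport": m["ap"], "server": m["b"],
                    "host": host, "method": method, "uri": uri})
    return out


def parse_alerts(text):
    """One dict per alert; direction is normalised to (client port, server IP)."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m["a"] == CLIENT:
            cport, server = m["ap"], m["b"]
        else:
            cport, server = m["bp"], m["a"]
        out.append({"ts": m["ts"], "cport": cport, "server": server, "msg": m["rest"]})
    return out


def classify(req):
    """Label a request from the host role plus, for Rig EK, the URI structure."""
    role = ROLE_BY_HOST.get(req["host"], "unknown")
    if role != "Rig EK":
        return role
    params = dict(parse_qsl(urlsplit(req["uri"]).query))
    # Rig EK's PHPSSESID value is two alphanumeric tokens joined by "|" (sent raw or as %7C).
    if not re.fullmatch(r"[A-Za-z0-9]+\|[A-Za-z0-9]+", params.get("PHPSSESID", "")):
        return "Rig EK host, unrecognised URI"
    # req=swf / req=xap match the Flash and Silverlight exploit files in the writeup;
    # req=mp3 is read here as the encrypted payload download (inference from the alerts).
    kind = {"swf": "Flash exploit", "xap": "Silverlight exploit", "mp3": "encrypted payload"}
    return "Rig EK " + kind.get(params.get("req"), "landing page")


def decode_cushion_param(uri):
    """The cushion redirect's q= value is base64 of a query string naming the referrer."""
    q = dict(parse_qsl(urlsplit(uri).query))["q"]
    raw = base64.b64decode(q + "=" * (-len(q) % 4)).decode("ascii")
    return dict(parse_qsl(raw))


def correlate(requests, alerts):
    """Map each alert message to the URIs of requests on the same server and client port."""
    result = {}
    for al in alerts:
        result[al["msg"]] = [r["uri"] for r in requests
                             if r["server"] == al["server"]
                             and al["cport"] in ("various", r["cport"])]
    return result


if __name__ == "__main__":
    reqs = parse_requests(REQUEST_LOG)
    for r in reqs:
        print(r["ts"], r["host"], "->", classify(r))
    print(decode_cushion_param(reqs[1]["uri"]))
    for msg, uris in correlate(reqs, parse_alerts(ALERT_LOG)).items():
        print(msg, "->", len(uris), "request(s)")
```

Run stand-alone it prints the labelled chain, the decoded redirect parameters (surl=protorrent.net, sport=80, suri=/, plus a time value and a key), and how many requests each alert covers; the DNS alerts map to no HTTP request because they fire on the Onimiki lookup rather than on a web flow, and the Sourcefire "x4" event with port "various" is matched on server IP alone.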
SCREENSHOTS FROM THE TRAFFIC
- Compromised website redirects when reached through a Google search
- Cushion redirect
- Redirect points to Rig EK
- Rig EK sends Silverlight exploit
- Rig EK sends malware payload
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-10-05-Rig-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-10-05-Rig-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.