2015-02-06 - RIG EK FROM 46.182.30.163 PUSHING KRONOS
ASSOCIATED FILES:
- ZIP of the traffic (pcap 1 of 2): 2015-02-05-Rig-EK-traffic.pcap.zip
- ZIP of the traffic (pcap 2 of 2): 2015-02-06-Rig-EK-traffic.pcap.zip
- ZIP of the malware: 2015-02-06-Rig-EK-malware.zip
NOTES:
- The malware payload appears to be Kronos, billed by one source as "the father of Zeus".
- More info on Kronos is at: http://threatpost.com/new-kronos-banking-malware-advertised-on-russian-forums/107210
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 46.182.30.163 - cast.autolistprofits.net - Rig EK from 2015-02-05
- 46.182.30.163 - booster.daily-mood-booster.com - Rig EK from 2015-02-06
- 92.87.96.9 - bitcoind.su - Post-infection traffic (Kronos checkin) over port 80
RIG EK FROM 2015-02-05:
- 2015-02-05 23:18:44 UTC - 192.168.221.134:49585 - 46.182.30.163:80 - cast.autolistprofits.net - GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU
- 2015-02-05 23:18:50 UTC - 192.168.221.134:49585 - 46.182.30.163:80 - cast.autolistprofits.net - GET /index.php?req=mp3&num=39&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU
- 2015-02-05 23:18:58 UTC - 192.168.221.134:49585 - 46.182.30.163:80 - cast.autolistprofits.net - GET /index.php?req=swf&num=1779&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU
- 2015-02-05 23:19:00 UTC - 192.168.221.134:49586 - 46.182.30.163:80 - cast.autolistprofits.net - GET /index.php?req=mp3&num=1155&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU&dop=1
- 2015-02-05 23:19:01 UTC - 192.168.221.134:49587 - 46.182.30.163:80 - cast.autolistprofits.net - GET /index.php?req=xap&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU
- 2015-02-05 23:19:05 UTC - 192.168.221.134:49585 - 46.182.30.163:80 - cast.autolistprofits.net - GET /index.php?req=mp3&num=90199&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU&dop=0828
- 2015-02-05 23:19:12 UTC - 192.168.221.134:49585 - 46.182.30.163:80 - cast.autolistprofits.net - GET /index.php?req=mp3&num=86327446&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU&dop=0
RIG EK FROM 2015-02-06:
- 2015-02-06 16:17:55 UTC - 192.168.138.158:49166 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU
- 2015-02-06 16:18:00 UTC - 192.168.138.158:49166 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /index.php?req=mp3&num=81&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CMzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU
- 2015-02-06 16:18:06 UTC - 192.168.138.158:49166 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /index.php?req=swf&num=754&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU
- 2015-02-06 16:18:08 UTC - 192.168.138.158:49167 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /index.php?req=mp3&num=1607&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU&dop=1
- 2015-02-06 16:18:17 UTC - 192.168.138.158:49166 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /index.php?req=mp3&num=91593&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CMzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU&dop=04
- 2015-02-06 16:18:22 UTC - 192.168.138.158:49166 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /index.php?req=xap&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU
- 2015-02-06 16:18:34 UTC - 192.168.138.158:49166 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /index.php?req=mp3&num=34763585&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CMzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU&dop=095
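Added example (written for this page, not code from the page's author or from any tool named here): a small Python parser for the Rig EK request lines above. It assumes the line layout used on this page, splits the PHPSSESID value on the pipe, base64-decodes its second half, and groups hosts by the fixed first half, which is identical across both days; the req= labels are assumptions noted in the code.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Four request lines from this page's chain of events, embedded as constructed sample input.
SAMPLE_LINES = [
    "2015-02-05 23:18:44 UTC - 192.168.221.134:49585 - 46.182.30.163:80 - cast.autolistprofits.net - GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU",
    "2015-02-05 23:18:58 UTC - 192.168.221.134:49585 - 46.182.30.163:80 - cast.autolistprofits.net - GET /index.php?req=swf&num=1779&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU",
    "2015-02-06 16:18:22 UTC - 192.168.138.158:49166 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /index.php?req=xap&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU",
    "2015-02-06 16:18:34 UTC - 192.168.138.158:49166 - 46.182.30.163:80 - booster.daily-mood-booster.com - GET /index.php?req=mp3&num=34763585&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CMzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU&dop=095",
]
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ UTC) - (?P<src>\S+) - (?P<dst>\S+) - (?P<host>\S+) - GET (?P<uri>\S+)$")
# req= -> label: swf/xap match the Flash and Silverlight exploit files listed on the page; the
# bare "/?PHPSSESID=" request is assumed to be the landing page; mp3 is left unlabelled.
KIND_BY_REQ = {None: "landing", "swf": "flash", "xap": "silverlight", "mp3": "mp3"}

def b64_to_text(token):
    """Decode the unpadded base64 second half of PHPSSESID to text."""
    return base64.b64decode(token + "=" * (-len(token) % 4)).decode("ascii")

def parse_rig_line(line):
    """One chain-of-events line -> record, or None if not in the Rig URI layout shown above."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    q = parse_qs(urlsplit(rec["uri"]).query)  # parse_qs also turns %7C back into '|'
    sess = q.get("PHPSSESID", [""])[0]
    if "|" not in sess:
        return None
    rec["token"], sess_b64 = sess.split("|", 1)
    rec["session_hex"] = b64_to_text(sess_b64)  # decodes to 32 hex chars for both pcaps
    rec["kind"] = KIND_BY_REQ.get(q.get("req", [None])[0], "unknown")
    rec["dop"] = q.get("dop", [None])[0]
    return rec

def parse_rig_lines(lines):
    return [r for r in map(parse_rig_line, lines) if r]

def hosts_by_token(records):
    """Hosts seen per fixed first-half token: here one token spans both days' domains."""
    out = defaultdict(set)
    for r in records:
        out[r["token"]].add(r["host"])
    return dict(out)

if __name__ == "__main__":
    for r in parse_rig_lines(SAMPLE_LINES):
        print(r["ts"], r["host"], r["kind"], r["session_hex"], r["dop"])
```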
POST-INFECTION TRAFFIC:
- 2015-02-06 17:29:38 UTC - 92.87.96.9 port 80 - bitcoind.su - POST /krpanel/connect.php
- 2015-02-06 17:29:38 UTC - 92.87.96.9 port 80 - bitcoind.su - POST /krpanel/connect.php?a=1
NOTE: The malware wouldn't run on a VM, and I saw nothing from the malwr.com analysis, so I had to use another malware analysis tool. No pcap on this, but here's a screenshot of the traffic:
SNORT EVENTS
Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):
- 46.182.30.163 port 80 - ET CURRENT_EVENTS RIG EK Landing URI Struct (sid:2019072)
- 46.182.30.163 port 80 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (sid:2018441)
- 46.182.30.163 port 80 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
- 92.87.96.9 port 80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
- 92.87.96.9 port 80 - ET TROJAN Kronos Checkin (sid:2020080)
- 92.87.96.9 port 80 - ET TROJAN Kronos Checkin M2 (sid:2020077)
Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:
- 46.182.30.163 port 80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (x6)
- 46.182.30.163 port 80 - [1:30934:2] EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download
- 46.182.30.163 port 80 - [1:28612:2] EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (x2)
- 92.87.96.9 port 80 - [1:25050:5] MALWARE-CNC Win.Trojan.Zeus variant outbound connection
PRELIMINARY MALWARE ANALYSIS
NOTE: The exploits and malware payload from 2015-02-05 have the same file hashes as the ones from 2015-02-06.
FLASH EXPLOIT:
File name: 2015-02-06-Rig-EK-flash-exploit.swf
File size: 19.8 KB ( 20239 bytes )
MD5 hash: 82a81b6f9ee1ec433678e3daabc8be59
Detection ratio: 4 / 56
First submission: 2015-02-05 14:11:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/79d84426dea00871efd41a1ba19547ef8fad672e12a2f5776f03c1da2f5d8c0d/analysis/
SILVERLIGHT EXPLOIT:
File name: 2015-02-06-Rig-EK-silverlight-exploit.xap
File size: 25.6 KB ( 26238 bytes )
MD5 hash: 5fa5959789a97d83f6b7625b86b434b9
Detection ratio: 6 / 56
First submission: 2015-01-14 14:37:28 UTC
VirusTotal link: https://www.virustotal.com/en/file/a35bc9d0db540fd8d33b7b1232d4e8714d79f12e8b6c0ecb2732a43e3d443409/analysis/
MALWARE PAYLOAD:
File name: 2015-02-06-Rig-EK-malware-payload.exe
File size: 288.0 KB ( 294912 bytes )
MD5 hash: 40118fcf2d286c60ee8ecd3f71aa6f52
Detection ratio: 19 / 56
First submission: 2015-02-06 17:16:34 UTC
VirusTotal link: https://www.virustotal.com/en/file/99bd37770622b05a0c3d4179c4f8615fa00f2cc1f7c663e37f92a668d1adbf3a/analysis/
Malwr link: https://malwr.com/analysis/MjAxZjhlNDQ4YWNlNDM1MzlmYTc0ZjE2MWIxMzc3ZTU/
FINAL NOTES
Once again, here are the associated files:
- ZIP of the traffic (pcap 1 of 2): 2015-02-05-Rig-EK-traffic.pcap.zip
- ZIP of the traffic (pcap 2 of 2): 2015-02-06-Rig-EK-traffic.pcap.zip
- ZIP of the malware: 2015-02-06-Rig-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.