2015-05-06 - RIG EK CHANGED HOW IT SENDS THE MALWARE PAYLOAD

ASSOCIATED FILES:

• PCAP of the traffic:  2015-05-06-Rig-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-05-06-Rig-EK-malware.zip

 

NOTES:

• Rig EK is now using Nuclear EK-style ASCII strings to XOR the malware payload.
• I originally noticed this in a Threatglass entry at:  http://threatglass.com/malicious_urls/cupidfunda-com-2015-04-15.
• Didn't think to ask around about it until now.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 162.255.119.254 port 80 - dobuntu.com - Compromised website
• 93.190.142.195 port 80 - fatburningfast.net - Redirect (gate)
• 95.128.182.108 port 80 - free.bigdathletics.net - Rig EK
• 80.242.123.144 port 80 - androjose.com   and   andromike.com - Post-infection traffic

 

COMPROMISED WEBSITE AND REDIRECT:

• 2015-05-06 19:42:09 UTC - dobuntu.com - GET /
• 2015-05-06 19:42:10 UTC - fatburningfast.net - GET /images/order.php

 

RIG EK:

• 2015-05-06 19:42:12 UTC - free.bigdathletics.net - GET /?xH6Af7ibKBvODoI=l3SKfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN
  0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWG_UeMZFtFqsfAQuJq31j9zOAUJJ4glEWCu2JTzb9IB0gbrA

• 2015-05-06 19:42:13 UTC - free.bigdathletics.net - GET /index.php?xH6Af7ibKBvODoI=l3SMfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_
  OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWG_UeMZFtFqsfAQuJq31j9zOAUJJ4glEWCu2JTzb9IB0gbogAQlryJQ-DbpgN6V0ggEkqfPZVlqx7IQnmtayh42P
  28QTJwkKM

• 2015-05-06 19:42:14 UTC - free.bigdathletics.net - GET /favicon.ico

• 2015-05-06 19:42:16 UTC - free.bigdathletics.net - GET /index.php?xH6Af7ibKBvODoI=l3SMfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_
  OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWG_UeMZFtFqsfAQuJq31j9zOAUJJ4glEWCu2JTzb9IB0gbogAQlryJQ-DbpgN6V0ggDE3KPZVlqx7IQnmtayh42
  P2ySD50nOWD&dop=0874

 

POST-INFECTION TRAFFIC:

• 2015-05-06 19:43:24 UTC - androjose.com - POST /rep159.php
• 2015-05-06 19:43:25 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:29 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:32 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:36 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:40 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:40 UTC - androjose.com - POST /rep159.php
• 2015-05-06 19:43:41 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:41 UTC - androjose.com - POST /rep159.php
• 2015-05-06 19:43:45 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:48 UTC - androjose.com - POST /rep159.php
• 2015-05-06 19:43:48 UTC - andromike.com - GET /down/spread23.exe
• 2015-05-06 19:43:49 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:50 UTC - androjose.com - POST /rep159.php
• 2015-05-06 19:43:52 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:56 UTC - andromike.com - GET /spread23.exe
• 2015-05-06 19:43:57 UTC - androjose.com - POST /rep159.php
• 2015-05-06 19:43:58 UTC - andromike.com - GET /down/spread23.exe
• 2015-05-06 19:44:00 UTC - androjose.com - POST /rep159.php
• 2015-05-06 19:44:00 UTC - androjose.com - POST /rep159.php
• 2015-05-06 19:44:29 UTC - androjose.com - POST /rep159.php

 

FINAL NOTES

Once again, here are the associated files:

• PCAP of the traffic:  2015-05-06-Rig-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-05-06-Rig-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.