2015-12-31 - FOLLOW UP TO ISC DIARY ABOUT ACTOR USING RIG EK TO DELIVER QBOT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2015-12-31-all-8-examples-of-Rig-EK-traffic.zip 2.6 MB (2,629,359 bytes)
- 2015-12-31-Rig-EK-malware-and-artifacts.zip 2.3 MB (2,309,608 bytes)
NOTES:
- This is a follow-up to an ISC diary I wrote on 2015-12-30 (link). This blog entry only provides more data.
- Today, I generated 8 infections. I noticed the Rig EK payload had a different file hash each time (same size and same malware, though).
- Each pcap has been carved, and they only contain the following:
    - The first HTTP GET request to the compromised site.
    - HTTP GET request for .js from the compromised site with malicious script.
    - Traffic to the gate domain.
    - Rig EK.
- The ZIP archive has the following for each of the 8 examples:
    - Part 1: The .js file with malicious script sent by the compromised site.
    - Part 2: Text returned from the gate for the main_color_handle variable.
    - Part 3: Rig EK landing page.
    - Part 4: Flash exploit sent by Rig EK.
    - Part 5: Rig EK malware payload (Qbot or Qakbot).
- In some cases, Rig EK sent the payload before the Flash exploit. When that happened, it means Rig EK used an IE exploit (script within the landing page) to send the malware payload.
TRAFFIC
For the 8 samples of Rig EK from this actor, the traffic breaks out as follows:
- The first line is the .js file from the compromised website with malicious script added (in one case, it's just the malicious script).
- The second line is the gate used by this actor.
- The third line shows the IP address and domain name for Rig EK used by this actor.
TRAFFIC (EXAMPLES 1 THROUGH 8):
- 2015-12-31 00:16 UTC - animal-world[.]com - GET /js/site_scripts.js
- 2015-12-31 00:16 UTC - 192.185.21[.]183 port 80 - st.naughtytimebooks[.]com - GET /nafviewforummdmzo.php
- 2015-12-31 00:16 UTC - 46.30.46[.]93 port 80 - sdf.webmonocracy[.]com - Rig EK

- 2015-12-31 06:20 UTC - cdn.mydailymoment[.]com - GET /plugins/system/t3/base/js/menu.js
- 2015-12-31 06:20 UTC - 192.185.21[.]183 port 80 - st.naughtytimebooks[.]com - GET /nyviewforumcp.php
- 2015-12-31 06:20 UTC - 46.30.46[.]93 port 80 - fds.tractorimplements[.]ca - Rig EK

- 2015-12-31 15:43 UTC - www.designlovefest[.]com - GET /wp-content/plugins/pinterest-plugin/jquery.js?ver=4.4
- 2015-12-31 15:44 UTC - 192.185.21[.]183 port 80 - st.dynamicwords[.]us - GET /qmnviewforumjhvhk.php
- 2015-12-31 15:44 UTC - 46.30.46[.]93 port 80 - tyj.evolvingthesolarfeminine[.]org - Rig EK

- 2015-12-31 17:18 UTC - www.mirrorlessrumors[.]com - GET /wp-includes/js/jquery/jquery.js?ver=bba2648195f0bfec61fe2ebe36f5757c
- 2015-12-31 17:18 UTC - 192.185.21[.]183 port 80 - st.domandvilma[.]com - GET /qvviewforumcbbnd.php
- 2015-12-31 17:18 UTC - 46.30.43[.]31 port 80 - dsf.viola-goodwin[.]com - Rig EK

- 2015-12-31 18:22 UTC - bowsandsequins[.]com - GET /wp-includes/js/jquery/jquery.js?ver=1.11.3
- 2015-12-31 18:22 UTC - 192.185.21[.]183 port 80 - st.domandvilma[.]com - GET /xlsifviewforumqnc.php
- 2015-12-31 18:22 UTC - 46.30.43[.]31 port 80 - dsf.viola-goodwin[.]info - Rig EK

- 2015-12-31 18:44 UTC - www.rantsports[.]com - GET /wp-includes/js/jquery/jquery.js
- 2015-12-31 18:44 UTC - 192.185.21[.]183 port 80 - st.naughtytimebooks[.]com - GET /wbyviewforummgm.php
- 2015-12-31 18:44 UTC - 46.30.43[.]31 port 80 - dsf.viola-goodwin[.]info - Rig EK

- 2015-12-31 19:06 UTC - riotimesonline[.]com - GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
- 2015-12-31 19:06 UTC - 192.185.21[.]183 port 80 - st.domandvilma[.]com - GET /mpviewforumsidw.php
- 2015-12-31 19:06 UTC - 46.30.43[.]31 port 80 - dff.viola-goodwin[.]net - Rig EK

- 2015-12-31 19:30 UTC - www.catholicherald[.]co[.]uk - GET /wp-includes/js/wp-emoji-release.min.js?ver=4.3.1
- 2015-12-31 19:30 UTC - 192.185.21[.]183 port 80 - st.domandvilma[.]com - GET /lvcelviewforumku.php
- 2015-12-31 19:30 UTC - 46.30.43[.]31 port 80 - dfg.viola-goodwin[.]org - Rig EK
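The eight traffic examples share a stable network pattern even though the payload hash changed on every infection: the gate is always an "st." subdomain on 192.185.21[.]183 serving a "/<letters>viewforum<letters>.php" path, and the Rig EK server is one of two IPs in 46.30.0.0/16. The script below is an added detection example, not code from this post or from malware-traffic-analysis.net; it runs that pattern over a few constructed proxy log lines (the log format, client IPs, and the Rig EK landing path are made up; the post does not list Rig EK URL paths) and correlates a gate hit followed by an EK hit from the same client into one infection-chain alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Network indicators taken from the traffic section of this post.
GATE_IP = "192.185.21.183"
RIG_EK_IPS = {"46.30.46.93", "46.30.43.31"}
# Every gate request in the post is "st.<domain>" + "/<letters>viewforum<letters>.php".
# Anchoring both ends keeps an ordinary forum URL like /forum/viewforum.php?f=3 from matching.
GATE_HOST_RE = re.compile(r"^st\.[a-z0-9.-]+$")
GATE_PATH_RE = re.compile(r"^/[a-z]+viewforum[a-z]+\.php$")

# Constructed proxy log (not from the post's pcaps):
# timestamp client method host server_ip path
SAMPLE_LOG = """\
2015-12-31T00:16:01Z 10.0.0.5 GET animal-world.com 203.0.113.10 /js/site_scripts.js
2015-12-31T00:16:03Z 10.0.0.5 GET st.naughtytimebooks.com 192.185.21.183 /nafviewforummdmzo.php
2015-12-31T00:16:05Z 10.0.0.5 GET sdf.webmonocracy.com 46.30.46.93 /PLACEHOLDER-landing-path
2015-12-31T00:17:00Z 10.0.0.9 GET www.example.com 198.51.100.7 /forum/viewforum.php?f=3
2015-12-31T06:20:02Z 10.0.0.12 GET st.naughtytimebooks.com 192.185.21.183 /nyviewforumcp.php
"""


def parse_line(line):
    """Split one constructed log line into its six fields."""
    ts, client, method, host, server_ip, path = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": host,
        "server_ip": server_ip,
        "path": path,
    }


def classify(entry):
    """Return 'rig_ek', 'gate', or None for one parsed request."""
    if entry["server_ip"] in RIG_EK_IPS:
        return "rig_ek"
    # Match the gate by IP, or by the host/path shape so a new gate domain on
    # different hosting still triggers.
    if entry["server_ip"] == GATE_IP or (
        GATE_HOST_RE.match(entry["host"]) and GATE_PATH_RE.match(entry["path"])
    ):
        return "gate"
    return None


def scan(log_text):
    """Return (client, stage, timestamp, host) for every indicator hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        stage = classify(entry)
        if stage:
            hits.append((entry["client"], stage, entry["ts"], entry["host"]))
    return hits


def infection_chains(hits, window=timedelta(minutes=5)):
    """Pair each client's gate hit with a following Rig EK hit inside the window.

    Returns (client, gate_host, ek_host) tuples; a gate hit with no EK follow-up
    is left for a lower-severity alert rather than reported as a chain.
    """
    by_client = defaultdict(list)
    for client, stage, ts, host in hits:
        by_client[client].append((ts, stage, host))
    chains = []
    for client, events in by_client.items():
        events.sort()
        for i, (ts, stage, host) in enumerate(events):
            if stage != "gate":
                continue
            for ts2, stage2, host2 in events[i + 1:]:
                if stage2 == "rig_ek" and ts2 - ts <= window:
                    chains.append((client, host, host2))
                    break
    return chains


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print("indicator hit:", hit)
    for chain in infection_chains(found):
        print("gate -> Rig EK chain:", chain)
```

Because the payload MD5 differed on all eight infections (see the notes above), the gate and EK network pattern is the more durable detection; the hash list in the malware section is still useful for confirming a sample after the fact.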
MALWARE
EXAMPLE 1 FLASH EXPLOIT - MD5 hash: 994215eb988b86516ddd8b5cdfc59e7b
EXAMPLE 1 MALWARE PAYLOAD - MD5 hash: 2fde1700967fb6da5127b27a64769b0f
EXAMPLE 2 FLASH EXPLOIT: same as example 1
EXAMPLE 2 MALWARE PAYLOAD - MD5 hash: c4523fbc6c739998d4a9974dbb4a3284
EXAMPLE 3 FLASH EXPLOIT - MD5 hash: 7826cf5a7fb8128642a487f75e428f71
EXAMPLE 3 MALWARE PAYLOAD - MD5 hash: c788f7d438731bdb6992db51b0f45e5b
EXAMPLE 4 FLASH EXPLOIT: same as example 3
EXAMPLE 4 MALWARE PAYLOAD - MD5 hash: 9743ed204f2e9dd28e3dd282265281fa
EXAMPLE 5 FLASH EXPLOIT: same as example 3
EXAMPLE 5 MALWARE PAYLOAD - MD5 hash: 5624fbc2f31d21160763db5a04482632
EXAMPLE 6 FLASH EXPLOIT: same as example 3
EXAMPLE 6 MALWARE PAYLOAD - MD5 hash: aa00bdfb7c4b174695d27166457a2e1f
EXAMPLE 7 FLASH EXPLOIT: same as example 3
EXAMPLE 7 MALWARE PAYLOAD - MD5 hash: fc7e48951130ffc53a7c618d65366797
EXAMPLE 8 FLASH EXPLOIT: same as example 3
EXAMPLE 8 MALWARE PAYLOAD - MD5 hash: 6905078969a63421fd6fca0d3cb8e3c8