2016-08-22 - EITEST RIG EK FROM 178.32.173.180 SENDS GOOTKIT

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-08-22-EITest-Rig-EK-sends-Gootkit.pcap.zip   267.0 kB (266,977 bytes)

• 2016-08-18-EITest-Rig-EK-sends-Gootkit.pcap   (344,119 bytes)

• ZIP archive of the malware:  2016-08-22-EITest-Rig-EK-sends-Gootkit-malware-and-artifacts.zip   238.7 kB (238,727 bytes)

• 2016-08-22-EITest-Rig-EK-flash-exploit-after-best-remit.com.swf   (45,962 bytes)
• 2016-08-22-EITest-Rig-EK-landing-page-after-best-remit.com.txt   (5,077 bytes)
• 2016-08-22-EITest-Rig-EK-payload-Gootkit-after-best-remit.com.exe   (105,472 bytes)
• 2016-08-22-EITest-flash-redirect-from-hybypi.xyz.swf   (5,294 bytes)
• 2016-08-22-page-from-best-remit.com-with-injected-EITest-script.txt   (72,187 bytes)
• vrtchpva.dll   (97792 bytes)

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-31 - Palo Alto Networks Unit 42 blog:  How the EITest Campaign's Path to Angler EK Evolved Over Time.
• 2016-06-08 - SANS ISC diary:  Neutrino EK and CryptXXX  (campaigns using Angler EK switch to Neutrino EK)
• 2016-08-18 - SANS ISC diary:  1 compromised site - 2 campaigns  (EITest campaign switched to Rig EK)

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in page from the compromised website.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

Shown above:  Post-infection SSL traffic over port 80 using a "MyCompany Ltd" certificate.

 

ASSOCIATED DOMAINS:

• www.best-remit.com - Compromised website
• 85.93.0.12 port 80 - hybypi.xyz - EITest gate
• 178.32.173.180 port 80 - apsoo3k2i.ahgsuy3829.top - Rig EK
• 45.59.114.112 port 80 - nerdcommunity.top - Post-infection SSL traffic over port 80
• reballancefreestyle.win - DNS queries for this domain, but no data returned.

 

FILE HASHES

FLASH FILES:

• SHA256 hash:  262ccfc5ebb5a434d0424bccf2f564028b007a43976c123f216f924a08a76c04
  File name:  2016-08-22-EITest-flash-redirect-from-hybypi.xyz.swf

• SHA256 hash:  812733f324fa1eea97db25fed942d17230c169049c18676158de881ca8c03354
  File name:  2016-08-22-EITest-Rig-EK-flash-exploit-after-best-remit.com.swf

PAYLOAD:

• SHA256 hash:  44c5a19431d1db95428286af5b3400c3fe10c58fd0b06d8a89e1734c650ce023
  File name:  2016-08-22-EITest-Rig-EK-payload-Gootkit-after-best-remit.com.exe

DROPPED DLL FILE:

• SHA256 hash:  a1b8822f1e01e1d732d04d04e5f0ceba004673035e92fe1881ff27b71d2d8912
  File name:  C:\Users\[username]\AppData\Roaming\Microsoft\Internet Explorer\vrtchpva.dll

 

IMAGES

Shown above:  Dropped DLL malware stays persistent through a scheduled task.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-08-22-EITest-Rig-EK-sends-Gootkit.pcap.zip   267.0 kB (266,977 bytes)
• ZIP archive of the malware:  2016-08-22-EITest-Rig-EK-sends-Gootkit-malware-and-artifacts.zip   238.7 kB (238,727 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.