2016-08-30 - EITEST CAMPAIGN USES RIG EK OR NEUTRINO EK

ASSOCIATED FILES:

• ZIP archive of both pcaps:  2016-08-30-EITest-Rig-EK-and-Neutrino-EK-both-pcaps.zip   634.3 kB (634,312 bytes)

• 2016-08-30-EITest-Neutrino-EK-sends-CrypMIC.pcap   (430,599 bytes)
• 2016-08-30-EITest-Rig-EK-sends-Vawtrak.pcap   (567,081 bytes)

• ZIP archive of the malware:  2016-08-30-EITest-Rig-EK-and-Neutrino-EK-malware-and-artifacts.zip   354.1 kB (354,141 bytes)

• 2016-08-30-EITest-CrypMIC-decrypt-instructions.BMP   (457,654 bytes)
• 2016-08-30-EITest-CrypMIC-decrypt-instructions.HTML   (238,187 bytes)
• 2016-08-30-EITest-CrypMIC-decrypt-instructions.TXT   (1,659 bytes)
• 2016-08-30-EITest-Neutrino-EK-flash-exploit.swf   (77,587 bytes)
• 2016-08-30-EITest-Neutrino-EK-landing-page.txt   (2,502 bytes)
• 2016-08-30-EITest-Neutrino-EK-payload-CrypMIC.dll   (73,728 bytes)
• 2016-08-30-EITest-Rig-EK-flash-exploit.swf   (46,163 bytes)
• 2016-08-30-EITest-Rig-EK-landing-page.txt   (3,679 bytes)
• 2016-08-30-EITest-Rig-EK-payload-Vawtrak.exe   (159,744 bytes)
• 2016-08-30-EITest-flash-redirect-from-ugady.xyz-both-runs.swf   (5,762 bytes)
• 2016-08-30-page-from-adaptive-business.com-with-injected-EITest-script-first.run.txt   (34,525 bytes)
• 2016-08-30-page-from-adaptive-business.com-with-injected-EITest-script-second-run.txt   (34,482 bytes)

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-31 - Palo Alto Networks Unit 42 blog:  How the EITest Campaign's Path to Angler EK Evolved Over Time.
• 2016-06-08 - SANS ISC diary:  Neutrino EK and CryptXXX  (campaigns using Angler EK switch to Neutrino EK)
• 2016-08-18 - SANS ISC diary:  1 compromised site - 2 campaigns  (EITest campaign switched to Rig EK)

• From what I've been hearing, the EITest campaign is has been switching between Rig EK and Neutrino EK.  Today's blog post shows an example of this.

 

Shown above:  Flowcharts for this infection traffic.

 

TRAFFIC FOR RIG EK INFECTION

Shown above:  Injected EITest script in page from the compromised website.

 

Shown above:  Traffic from the EITest Rig EK infection filtered in Wireshark.

 

Shown above:  Alerts on this traffic for Vawtrak in Security Onion using Suricata and the ET Pro ruleset.

 

ASSOCIATED DOMAINS:

• adaptive-business.com - Compromised site
• 194.165.16.202 port 80 - ugady.xyz - EITest redirect
• 185.106.120.86 port 80 - one.day2second.top - Rig EK
• 146.185.254.35 port 443 - ipwrurqpc.com - Post-infection traffic caused by Vawtrak
• 146.185.254.35 port 80 - 146.185.254.35 - Post-infection traffic caused by Vawtrak
• 146.185.254.35 port 443 - panline.at - Post-infection traffic caused by Vawtrak

 

TRAFFIC FOR NEUTRINO EK INFECTION

Shown above:  Injected EITest script in page from the compromised website.

 

Shown above:  Traffic from the EITest Neutrino EK infection filtered in Wireshark.

 

Shown above:  The infected Windows host after rebooting.

 

ASSOCIATED DOMAINS:

• adaptive-business.com - Compromised site
• 194.165.16.202 port 80 - ugady.xyz - EITest redirect
• 74.208.161.160 port 80 - vblcountnark.birminghampahire.co.uk -
• 95.211.225.212 port 443 - Post-infection traffic caused by CrypMIC (custom encoded & clear text, not HTTPS/SSL)

DOMAINS FROM THE CRYPMIC DECRYPT INSTRUCTIONS:

• lmhrmbouhkffosig.onion.to
• lmhrmbouhkffosig.onion.city

 

FILE HASHES

FLASH FILES:

• SHA256 hash:  2016-08-30-EITest-flash-redirect-from-ugady.xyz-both-runs.swf
  File name:  7123dd9744fe6e55796819b8890682395b2ebea72c0c2c5ab60f26594b6d5a43

• SHA256 hash:  1f655e31dc4d092c34bd3033427f1540ae3db4467b5d6380f63ded0cce62e807
  File name:  2016-08-30-EITest-Rig-EK-flash-exploit.swf

• SHA256 hash:  9b09a3fb43b0116ace010bdc357eb9d161aeb55ccc3990a32e14a1972e99a505
  File name:  2016-08-30-EITest-Neutrino-EK-flash-exploit.swf

PAYLOADS:

• SHA256 hash:  3ff72dec9147bbeca1ba901c42a10bf37f846d7fcaa465a8572f44c124f9c321
  File name:  2016-08-30-EITest-Rig-EK-payload-Vawtrak.exe

• SHA256 hash:  ffe7bb28360f857f6e192e116c3788351d159008ebf690ba2220a7fb6f125fa8
  File name:  2016-08-30-EITest-Neutrino-EK-payload-CrypMIC.dll

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of both pcaps:  2016-08-30-EITest-Rig-EK-and-Neutrino-EK-both-pcaps.zip   634.3 kB (634,312 bytes)
• ZIP archive of the malware:  2016-08-30-EITest-Rig-EK-and-Neutrino-EK-malware-and-artifacts.zip   354.1 kB (354,141 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.