2016-11-23 - RIG EK DATA DUMP
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-11-23-Rig-EK-data-dump-all-3-pcaps.zip
- ZIP archive of the malware: 2016-11-23-Rig-EK-data-dump-malware-and-artifacts.zip
BACKGROUND:
- I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
- Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload. Used by the Afraidgate & pseudoDarkleech campaigns.
- Rig-E: a variant with old URL patterns, now with RC4 encryption for the payload. Also known as Empire Pack. I often see Rig-E used by the EITest campaign.
- Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary). The EITest campaign uses Rig standard to send CryptFile2 ransomware.
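The two payload obfuscation schemes listed above (repeating-key XOR with an ASCII string for Rig standard, RC4 for Rig-V and Rig-E) are what you have to undo before the payload binary carved from the pcap becomes something you can hash and run through a sandbox. The following is an added example, not code from this post: it implements both decoders and tries each one against a blob, accepting a result only when it starts with a sane MZ/PE header. The key strings and the sample "PE" are constructed for the demo; in a real Rig infection the key comes from the landing page or exploit code and differs per campaign, so you supply it from your own analysis of the session.

```python
"""Try the Rig payload decodings (ASCII-string XOR, RC4) against a carved blob.

Added example, not part of the original post. Keys and sample data below are
constructed for the demo; real Rig keys must be pulled from the landing page.
"""
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: KSA over the key, then PRGA XORed into the data.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_ascii(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR with an ASCII key string (the Rig standard scheme)."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew.
    Checking the PE signature avoids accepting a decode that only got 'MZ'
    right by chance."""
    if len(data) < 0x44 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes, key: bytes) -> Tuple[Optional[str], Optional[bytes]]:
    """Return (scheme label, decoded bytes) for the first candidate that yields a
    PE, or (None, None) if none does. Plaintext is tried first so an
    already-clear download is not mangled."""
    candidates = (
        ("plain", blob),
        ("xor-ascii (Rig standard)", xor_ascii(key, blob)),
        ("rc4 (Rig-V / Rig-E)", rc4(key, blob)),
    )
    for label, data in candidates:
        if looks_like_pe(data):
            return label, data
    return None, None


def fake_pe() -> bytes:
    """Constructed minimal stand-in for a payload: a 0x40-byte DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature. Not a real executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x20


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                     # usage: decode.py <blob> <key>
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        label, decoded = decode_payload(blob, sys.argv[2].encode())
    else:                                      # offline demo on constructed data
        demo_key = b"k3y"                      # assumed key, not a real Rig key
        label, decoded = decode_payload(rc4(demo_key, fake_pe()), demo_key)
    print(label, None if decoded is None else len(decoded))
```

Run it with the carved payload file and the key string as arguments; with no arguments it exercises the RC4 path on the constructed sample. If every candidate fails, the usual reasons are a wrong key, a payload that was truncated in the capture, or a blob that still has the HTTP chunked-encoding framing around it.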
Shown above: Flowchart for today's infections.
TRAFFIC
Shown above: Traffic from the 1st infection filtered in Wireshark.
Shown above: Traffic from the 2nd infection filtered in Wireshark.
Shown above: Traffic from the 3rd infection filtered in Wireshark.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-11-23-Rig-EK-data-dump-all-3-pcaps.zip
- ZIP archive of the malware: 2016-11-23-Rig-EK-data-dump-malware-and-artifacts.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.