2016-11-28 - EITEST RIG-E FROM 146.0.72[.]186 SENDS CHTHONIC BANKING TROJAN

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-11-28-3rd-run-EITest-Rig-E-sends-Chthonic.pcap.zip   1.4 MB (1,404,635 bytes)

• 2016-11-28-3rd-run-EITest-Rig-E-sends-Chthonic.pcap   (1,518,508 bytes)

• 2016-11-28-3rd-run-EITest-Rig-E-and-Chthonic-files.zip   241.9 kB (241,877 bytes)

• 2016-11-28-3rd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-28-3rd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-11-28-3rd-run-EITest-Rig-E-landing-page.txt   (85,257 bytes)
• 2016-11-28-3rd-run-EITest-Rig-E-payload-rad2B8E4.tmp.exe   (323,584 bytes)
• 2016-11-28-3rd-run-page-from-cavallinomotorsport_com-with-injected-script.txt   (18,839 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns and RC4 encryption for the payload.  Used by the Afraidgate, EITest, and pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, but uses with RC4 encryption for the payload.  Also known as Empire Pack.  I often see Rig-E used by the EITest campaign.
• Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary).  The EITest campaign formerly used Rig standard to send CryptFile2 (CryptoMix) ransomware before switching to Rig-V for that purpose.

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.

BACKGROUND ON THE CHTHONIC BANKING TROJAN:

• Chthonic is a variant of the Zeus Trojan originally reported in 2014 (link).
• In July 2016, Proofpoint reported Chthonic being distributed through Paypal emails (link).
li>
• Proofpoint's ET PRO ruleset has signatures that triggered on the post-infection traffic seen below.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cavallinomotorsport[.]com - Compromised site
• 146.0.72[.]186 port 80 - yforh.a3pey0a[.]top - Rig-E
• 31.3.135[.]232 port 53 - TCP-based DNS queries from the infected host for scenabit[.]bit
• 217.12.218[.]131 port 80 - scenabit[.]bit - Chthonic post-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e
  File name:  2016-11-28-3rd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)

PAYLOAD (CHTHONIC BANKING TROJAN):

• SHA256 hash:  01fd3f6a0216c45f902cbf9d49ebe70bc7c1a13e52a0fde0ec24e4b6ce4e4ff1
  File name:  C:\Users\[Username]\AppData\Local\Temp\rad2B8E4.tmp.exe   (323,584 bytes)

 

IMAGES

Shown above:  Chthonic banking Trojan made persistent on the infected Windows host.

 

Click here to return to the main page.