2016-11-28 - EITEST RIG-E FROM 146.0.72.186 SENDS CHTHONIC BANKING TROJAN

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-11-28-3rd-run-EITest-Rig-E-sends-Chthonic.pcap.zip   1.4 MB (1,404,635 bytes)

• 2016-11-28-3rd-run-EITest-Rig-E-sends-Chthonic.pcap   (1,518,508 bytes)

• ZIP archive of the malware:  2016-11-28-3rd-run-EITest-Rig-E-sends-Chthonic-malware-and-artifacts.zip   241 kB (241,137 bytes)

• 2016-11-28-3rd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-28-3rd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-11-28-3rd-run-EITest-Rig-E-landing-page.txt   (85,257 bytes)
• 2016-11-28-3rd-run-EITest-Rig-E-payload-rad2B8E4.tmp.exe   (323,584 bytes)
• 2016-11-28-3rd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,839 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, now with with RC4 encryption for the payload.  Also known as Empire Pack.  I often see Rig-E used by the pseudoDarkleech campaign.
• Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary).  The EITest campaign formerly used Rig standard to send CryptFile2 (CryptoMix) ransomware before switching to Rig-V for that purpose.

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate.
• 2016-10-15 - Broadanalysis.com:  EITest campaign stops using obfuscation for injected script in pages from compromised websites.

BACKGROUND ON THE CHTHONIC BANKING TROJAN:

• Chthonic is a variant of the Zeus Trojan originally reported in 2014 (link).
• In July 2016, Proofpoint reported Chthonic being distributed through Paypal emails (link).
• Proofpoint's ET PRO ruleset has signatures that triggered on the post-infection traffic seen below.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cavallinomotorsport.com - Compromised site
• 146.0.72.186 port 80 - yforh.a3pey0a.top - Rig-E
• 31.3.135.232 port 53 - TCP-based DNS queries from the infected host for scenabit.bit
• 217.12.218.131 port 80 - scenabit.bit - Chthonic post-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e
  File name:  2016-11-28-3rd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)

PAYLOAD (CHTHONIC BANKING TROJAN):

• SHA256 hash:  01fd3f6a0216c45f902cbf9d49ebe70bc7c1a13e52a0fde0ec24e4b6ce4e4ff1
  File name:  C:\Users\[Username]\AppData\Local\Temp\rad2B8E4.tmp.exe   (323,584 bytes)

 

IMAGES

Shown above:  Chthonic banking Trojan made persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-11-28-3rd-run-EITest-Rig-E-sends-Chthonic.pcap.zip   1.4 MB (1,404,635 bytes)
• ZIP archive of the malware:  2016-11-28-3rd-run-EITest-Rig-E-sends-Chthonic-malware-and-artifacts.zip   241 kB (241,137 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.