2016-12-01 - EITEST RIG-E FROM 70.39.115.202 SENDS GEODO/EMOTET

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-12-01-EITest-Rig-E-sends-Geodo-Emotet.pcap.zip   549 kB (549,183 bytes)

• 2016-12-01-EITest-Rig-E-sends-Geodo-Emotet.pcap   (615,636 bytes)

• ZIP archive of the malware:  2016-12-01-EITest-Rig-E-sends-Geodo-Emotet-malware-and-artifacts.zip   115 kB (114,568 bytes)

• 2016-12-01-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-01-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-12-01-EITest-Rig-E-landing-page.txt   (85,280 bytes)
• 2016-12-01-EITest-Rig-E-payload-Geodo-Emotet-896A.tmp   (89,395 bytes)
• 2016-12-01-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,835 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• I'm currently tracking 3 versions of Rig Exploit Kit (EK) as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, now with with RC4 encryption for the payload.  Also known as Empire Pack.  I often see Rig-E used by the pseudoDarkleech campaign.
• Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary)  The EITest campaign formerly used Rig standard to send CryptFile2 (CryptoMix) ransomware before switching to Rig-V for that purpose.

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate.
• 2016-10-15 - Broadanalysis.com:  EITest campaign stops using obfuscation for injected script in pages from compromised websites.

BACKGROUND ON GEODO/EMOTET:

• Geodo originally surfaced in 2014 as a variant of the Cridex/Dridex family of banking Trojans.  It was first noted in malicious spam (malspam).
• Some have been calling it Geodo, while others have been calling it Emotet.
• For more information, see the links below.

• Threatpost:  Cridex Variant Geodo - Part Trojan, Part Email Worm.
• Trend Micro:  New Banking Malware Uses Network Sniffing for Data Theft.
• rebus snippets:  Geodo malware in 2015.
• Securelist:  The Banking Trojan Emotet: Detailed Analysis.

 

Shown above:  Tweet from @kafeine with the same post-infection traffic.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cavallinomotorsport.com - Compromised site
• 70.39.115.202 port 80 - huqk.lb590wedo.top - Rig-E
• 203.121.145.40 port 8080 - 203.121.145.40:8080 - Geodo/Emotet post-infection traffic
• 87.117.242.29 port 8080 - 87.117.242.29:8080 - Geodo/Emotet post-infection traffic
• 82.165.24.149 port 8080 - 82.165.24.149 - POST /pony/gate.php   [more post-infection callback]

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e   (40,141 bytes)
  File name:  2016-12-01-EITest-Rig-E-flash-exploit.swf

PAYLOAD (GEODO/EMOTET):

• SHA256 hash:  01fd3f6a0216c45f902cbf9d49ebe70bc7c1a13e52a0fde0ec24e4b6ce4e4ff1   (89,395 bytes)
  File name:  C:\Users\[Username]\AppData\Local\Temp\896A.tmp
File name:  C:\Users\[Username]\AppData\Roaming\BrightenEcho\BrightenEcho.exe

Shown above:  Malware retrieved from the infected host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-12-01-EITest-Rig-E-sends-Geodo-Emotet.pcap.zip   549 kB (549,183 bytes)
• ZIP archive of the malware:  2016-12-01-EITest-Rig-E-sends-Geodo-Emotet-malware-and-artifacts.zip   115 kB (114,568 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.