Malware-Traffic-Analysis.net - 2016-12-27 - EITest Rig-E from 185.156.173[.]99 sends Chthonic banking Trojan

2016-12-27 - EITEST RIG-E FROM 185.156.173[.]99 SENDS CHTHONIC BANKING TROJAN

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-12-27-EITest-Rig-E-sends-Chthonic-banking-Trojan.pcap.zip 1.5 MB (1,499,173 bytes)

2016-12-27-EITest-Rig-E-sends-Chthonic-banking-Trojan.pcap (1,629,012 bytes)

2016-12-27-EITest-Rig-E-sends-Chthonic-banking-Trojan-artifacts.zip 163.5 kB (163,515 bytes)

2016-12-27-EITest-Rig-E-artifact-OTTYUADAF.txt (11,37 bytes)

2016-12-27-EITest-Rig-E-flash-exploit.swf (13,700 bytes)

2016-12-27-EITest-Rig-E-landing-page.txt (85,395 bytes)

2016-12-27-EITest-Rig-E-page-from-cavallinomotorsport_com-with-injected-EITest-script.txt (18,119 bytes)

2016-12-27-EITest-Rig-E-payload-Chthonic-radB4856.tmp.exe (172,032 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

I'm routinely intercepting 2 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
Rig-V: a "VIP version" with new URL patterns and RC4 encryption for the payload. Used by the Afraidgate, EITest, and pseudoDarkleech campaigns.
Rig-E: a variant with old URL patterns, but uses with RC4 encryption for the payload. Also known as Empire Pack. I often see Rig-E used by the EITest campaign.

BACKGROUND ON THE EITEST CAMPAIGN:

Something I wrote on exploit kit (EK) fundamentals: link
2016-10-03 - Palo Alto Networks Unit 42 blog: EITest Campaign Evolution: From Angler EK to Neutrino and Rig.

BACKGROUND ON THE CHTHONIC BANKING TROJAN:

Chthonic is a variant of the Zeus Trojan originally reported in 2014 (link).
In July 2016, Proofpoint reported Chthonic being distributed through Paypal emails (link).
I last documented Chthonic sent by Rig-E from the EITest campaign last month on 2016-11-28.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the EITest campaign from the compromised site.

Shown above: Pcap of the infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

cavallinomotorsport[.]com - Compromised site
185.156.173[.]99 port 80 - sjxkv.gotdirolhersheck[.]top - Rig-E
45.56.117[.]118 port 53 - TCP-based DNS query for pationare[.]bit
87.98.175[.]85 port 53 - TCP-based DNS query for pationare[.]bit
144.76.133[.]38 port 53 - TCP-based DNS query for pationare[.]bit
23.88.147[.]108 port 80 - pationare[.]bit - HTTP post-infection traffic

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: ce4eacb09dc69865c718f7bda3296d535ad71661867129bdd5539014c42f2d65 (13,700 bytes)
File description: Rig-E Flash exploit seen on 2016-12-27

PAYLOAD:

SHA256 hash: e723e6cf2b594fe223ac0b8fcdff7b90d85692d2c06de9c0702c680b2ed80f85 (172,032 bytes)
File path: C:\Users\[Username]\AppData\Local\Temp\radB4856.tmp.exe
File path: C:\Users\[username]\AppData\Roaming\Microsoft Games\MicrosoftGamest.exe
File path: C:\Users\[username]\AppData\Roaming\MSBuild\WMSBuild.exe

Shown above: Chthonic banking Trojan made persistent after the infection.

Click here to return to the main page.