2017-05-30 - RIG EK SENDS KOVTER

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-05-30-Rig-EK-sends-Kovter-pcaps.zip   1.2 MB (1,158,115 bytes)

• 2017-05-30-Rig-EK-sends-Kovter-1st-run.pcap   (680,294 bytes)
• 2017-05-30-Rig-EK-sends-Kovter-2nd-run.pcap   (794,493 bytes)

• ZIP archive of the malware and artifacts:  2017-05-30-Rig-EK-sends-Kovter-malware-and-artifacts.zip   788 kB (787,734 bytes)

• 2017-05-30-Rig-EK-artifact-o32.tmp-both-runs.txt   (1,141 bytes)
• 2017-05-30-Rig-EK-flash-exploit-both-runs.swf   (14,851 bytes)
• 2017-05-30-Rig-EK-landing-page-1st-run.txt   (119,209 bytes)
• 2017-05-30-Rig-EK-landing-page-2nd-run.txt   (119,022 bytes)
• 2017-05-30-Rig-EK-payload-Kovter-1st-run.exe   (384,070 bytes)
• 2017-05-30-Rig-EK-payload-Kovter-2nd-run.exe   (388,213 bytes)

NOTES:

• The initial URL in these pcaps is the final HTTP GET request in a probable malvertising chain of events leading to Rig EK.
• The same type of Kovter malware payload sent by this Rig EK was also seen from EITest Rig EK earlier today.

 

TRAFFIC

Shown above:  Redirect to Rig EK.

 

Shown above:  Traffic from the 1st run filtered in Wireshark.

 

Shown above:  Traffic from the 2nd run filtered in Wireshark.

 

REDIRECT AND RIG EK:

• 193.70.73.251 port 80 - we.redeemmeall.ns02.us - GET /?sourceid=10847&sourcename=red   [final URL of a malvertising chain]
• 5.200.52.203 port 80 - add.acceleratinghealthcaretransformation.com - Rig EK (1st run)
• 5.200.52.203 port 80 - set.accumen.info - Rig EK (2nd run)
• 81.177.141.40 port 80 - add.akselegance.com - Rig EK (impromptu 3rd run)

KOVTER POST-INFECTION TRAFFIC - 1ST RUN:

• 54.92.45.205 port 80 - 54.92.45.205 - POST /
• 96.31.44.6 port 80 - 96.31.44.6 - POST /
• 133.30.228.17 port 80 - 133.30.228.17 - POST /
• 96.31.44.6 port 443 - HTTPS/SSL/TLS traffic
• Various IP addresses on TCP ports 443 and 8080 - Attempted TCP connections

KOVTER POST-INFECTION TRAFFIC - 2ND RUN:

• 40.133.197.69 port 80 - 40.133.197.69 - POST /
• 151.237.118.172 port 80 - 151.237.118.172 - POST /
• 167.160.176.181 port 80 - 167.160.176.181 - POST /
• 175.147.137.193 port 80 - 175.147.137.193 - POST /
• 2.16.122.69 port 443 - HTTPS/SSL/TLS traffic
• 118.123.100.38 port 443 - HTTPS/SSL/TLS traffic
• 192.40.57.23 port 443 - HTTPS/SSL/TLS traffic
• 202.120.202.245 port 443 - HTTPS/SSL/TLS traffic
• 76.8.251.242 port 2025 - HTTPS/SSL/TLS traffic
• 202.120.202.245 port 4343 - HTTPS/SSL/TLS traffic
• Various IP addresses on TCP ports 443 and 8080 - Attempted TCP connections

 

FILE HASHES

RIG EK FLASH EXPLOIT:

• SHA256 hash:  8f43aec2986d0705134b6b4af7e745ade1dd48897b95dc7e3844520fa8f9cd18
• File size:  14,851 bytes
• File description:  Rig EK Flash exploit seen on Tuesday 2017-05-30

MALWARE PAYLOAD (KOVTER) - 1ST RUN:

• SHA256 hash:  d58e284f53366f2545816878942dafc3a0a14a1ab5d7abaeaf028d3ac80acfd8
• File size:  384,070 bytes
• File location:  C:\Users\[username]\AppData\Local\Temp\[random numbers and letters].exe

MALWARE PAYLOAD (KOVTER) - 2ND RUN:

• SHA256 hash:  57e90c503ffd9f990d892063b626527898952a0e7a95d4656e8439f63f7caf72
• File size:  388,213 bytes
• File location:  C:\Users\[username]\AppData\Local\Temp\[random numbers and letters].exe

 

OTHER IMAGES

Shown above:  A 3rd run proved I only needed the domain name, not the full URL to get Rig EK.

 

Shown above:  Metadata for both Kovter payloads.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-05-30-Rig-EK-sends-Kovter-pcaps.zip   1.2 MB (1,158,115 bytes)
• ZIP archive of the malware and artifacts:  2017-05-30-Rig-EK-sends-Kovter-malware-and-artifacts.zip   788 kB (787,734 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.