2018-03-05 - COINS LTD CAMPAIGN USES RIG EK TO PUSH URSNIF

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-03-05-CoinsLTD-campaign-Rig-EK-and-post-infection-traffic.pcap.zip   11.1 MB (11,066,469 bytes)
• Zip archive of the associated malware and artifacts:  2018-03-05-CoinsLTD-campaign-Rig-EK-malware-and-artifacts.zip   375 kB (374,563 bytes)

NOTES:

• Description of Coins LTD campaign:  https://blog.malwarebytes.com/threat-analysis/2018/02/new-rig-malvertising-campaign-uses-cryptocurrency-theme-decoy/
• Twitter thread for today's hit on this campaign:  https://twitter.com/MrHazum/status/970580777460256769

Shown above:  Fiddler screenshot from a tweet by @jeromesegura.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• lesmobilees.science
• votrecolissimo.com
• hxxp://www.horse-technology.com/files/sofia.bmp
• hxxp://www.playmuseek.com/wp-admin/maint/user.rar
• hxxp://lnx.eridanoweb.com/gestioni/footer.png
• hxxp://fioritononi.it - GET /modules/secure.doc
• hxxp://voloweb.net/assistenze/img/wp-64.png
• hxxp://cmxsrl.it/wp-64.zip
• hxxp://onliva.at/jvassets/rk/docs.rar
• hxxp://213.159.214.114/drob/list.exe

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark (image 1 of 2).

 

Shown above:  Infection traffic filtered in Wireshark (image 2 of 2).

 

INFECTION CHAIN LEADING TO RIG EK:

• 212.237.13.137 port 80 - lesmobilees.science - GET /en-us   [Coins LTD pre-gate]
• 172.245.183.121 port 80 - votrecolissimo.com - GET /rrr/api/test   [Coins LTD gate]
• 188.225.38.224 port 80 - 188.225.38.224 - Rig EK

POST-INFETION TRAFFIC AFTER RUNNING THE VBS FILE:

• 62.149.128.154 port 80 - horse-technology.com - GET /files/sofia.bmp
• 62.149.140.206 port 80 - www.horse-technology.com - GET /files/sofia.bmp
• 62.149.128.154 port 80 - playmuseek.com - GET /wp-admin/maint/user.rar
• 62.149.142.121 port 80 - www.playmuseek.com - GET /wp-admin/maint/user.rar
• 62.149.140.73 port 80 - lnx.eridanoweb.com - GET /gestioni/footer.png
• 62.149.140.128 port 80 - fioritononi.it - GET /modules/secure.doc
• 95.110.206.14 port 80 - voloweb.net - GET /assistenze/img/wp-64.png
• 151.1.182.5 port 80 - cmxsrl.it - GET /wp-64.zip
• 47.91.223.24 port 80 - onliva.at - GET /jvassets/rk/docs.rar

• various IP addresses over various TCP ports - Tor traffic
• 213.159.214.114 port 80 - 213.159.214.114 - GET /drob/list.exe   [same binary as Rig EK payload]

 

FILE HASHES

MALWARE ASSOCIATED WITH THIS INFECTION:

• SHA256 hash:  e5b7cbe2ad65fc39adfe92a30a3b03342313cf8a64817d8aaf9fd5848406c8e1
  File size:  16,408 bytes
  File description:  Rig EK flash exploit seen on Monday 2018-03-05

• SHA256 hash:  4aefa798a43ea6b2f19bcc4eb94d737ebd4112f935a00625174284eb12f1c4d5
  File size:  390,656 bytes
  File description:  Coins LTD payload from Rig EK - Ursnif

 

IMAGES

Shown above:  Injected script in page from pre-gate domain leading to the gate URL.

 

Shown above:  Script returned from gate URL leads to Rig EK landing page.

 

Shown above:  Ursnif persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-03-05-CoinsLTD-campaign-Rig-EK-and-post-infection-traffic.pcap.zip   11.1 MB (11,066,469 bytes)
• Zip archive of the associated malware and artifacts:  2018-03-05-CoinsLTD-campaign-Rig-EK-malware-and-artifacts.zip   375 kB (374,563 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.