NOTES:
Today's compromised sites redirect to the Rig-E and Rig-V exploit kits, which deliver Cerber ransomware and the Chthonic and GootKit banking malware.
Presently there are 3 versions of the Rig Exploit Kit. For more details on the versions, see malware-traffic-analysis.net.
ASSOCIATED DOMAINS AND IP ADDRESSES [GOOTKIT]:
www.sessantallora.com - COMPROMISED SITE
185.106.120.180 sxczf.iiopwposols.top - RIG-E EK LANDING PAGE
86.106.131.133 trend4u2k.com - GOOTKIT POST INFECT TRAFFIC

ASSOCIATED DOMAINS AND IP ADDRESSES [CHTHONIC]:
www.sessantallora.com - COMPROMISED SITE
185.106.120.180 sxczf.iiopwposols.top - RIG-E EK LANDING PAGE
31.3.135.232 - DNS OVER TCP PORT 53
185.14.30.160 scenabit.bit - CHTHONIC POST INFECT TRAFFIC
144.76.133.38 - DNS OVER TCP PORT 53
107.181.187.174 scenabit.bit - CHTHONIC POST INFECT TRAFFIC

ASSOCIATED DOMAINS AND IP ADDRESSES [CERBER]:
cynergyergonomics.com - COMPROMISED SITE
109.234.35.39 top.marbleheadestates.com - RIG-V EK LANDING PAGE
185.69.153.226 ffoqr3ug7m726zou.omc09c.top - CERBER POST INFECT TRAFFIC

MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E [GOOTKIT]:
2016-12-09-Rig-EK.swf - Virus Total Link
2016-12-09-fms.exe - Virus Total Link

MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E [CHTHONIC]:
2016-12-09-Rig-EK.swf - Virus Total Link
2016-12-09-rad1BAD5.tmp.exe - Virus Total Link

MALICIOUS PAYLOAD ASSOCIATED WITH RIG-V [CERBER]:
2016-12-09-Rig-EK.swf - Virus Total Link
2016-12-09-rad33067.tmp.exe - Virus Total Link
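As an added example that is not part of the original post: a small Python script that holds the domains and IP addresses listed above as indicators and checks them against connection-log lines. The log format, the sample log lines and the resolver allow-list are constructed here and are not from the page. Beyond plain indicator matching it also flags the two behaviours visible in the Chthonic traffic above, DNS carried over TCP port 53 to hosts that are not the organisation's own resolvers and queries for a .bit (Namecoin) name, since those survive a change of the specific addresses.

```python
"""Match the indicators listed in this post against sample connection logs.

Added example; not code from the original post. The indicators are the ones
listed above. The log format, the sample log lines and the resolver allow-list
are constructed for this example and do not come from the page.
"""
import re

# Indicators as listed in the post: (indicator, campaign, role).
INDICATORS = [
    ("www.sessantallora.com", "GootKit/Chthonic", "compromised site"),
    ("185.106.120.180", "GootKit/Chthonic", "Rig-E EK landing page"),
    ("sxczf.iiopwposols.top", "GootKit/Chthonic", "Rig-E EK landing page"),
    ("86.106.131.133", "GootKit", "post-infection traffic"),
    ("trend4u2k.com", "GootKit", "post-infection traffic"),
    ("31.3.135.232", "Chthonic", "DNS over TCP port 53"),
    ("144.76.133.38", "Chthonic", "DNS over TCP port 53"),
    ("185.14.30.160", "Chthonic", "post-infection traffic"),
    ("107.181.187.174", "Chthonic", "post-infection traffic"),
    ("scenabit.bit", "Chthonic", "post-infection traffic"),
    ("cynergyergonomics.com", "Cerber", "compromised site"),
    ("109.234.35.39", "Cerber", "Rig-V EK landing page"),
    ("top.marbleheadestates.com", "Cerber", "Rig-V EK landing page"),
    ("185.69.153.226", "Cerber", "post-infection traffic"),
    ("ffoqr3ug7m726zou.omc09c.top", "Cerber", "post-infection traffic"),
]

# Constructed placeholder: the resolvers that endpoints are expected to use.
ALLOWED_RESOLVERS = {"10.0.0.53"}

# Constructed key=value log format: timestamp, src, dst, dport, proto, optional host.
LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)(?: host=(?P<host>\S+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def host_matches(host, indicator):
    """Exact or subdomain match against a domain indicator."""
    return host == indicator or host.endswith("." + indicator)


def analyze(event):
    """Return the list of findings for one parsed event (empty when clean)."""
    findings = []
    host = (event.get("host") or "").lower().rstrip(".")
    for indicator, campaign, role in INDICATORS:
        if event["dst"] == indicator or (host and host_matches(host, indicator)):
            findings.append(f"ioc:{campaign}:{role}:{indicator}")
    # In the Chthonic capture the .bit name is resolved via DNS over TCP to
    # external hosts instead of the local resolver; flag both traits on their own.
    if event["dport"] == 53 and event["dst"] not in ALLOWED_RESOLVERS:
        via = "tcp" if event["proto"].lower() == "tcp" else "udp"
        findings.append(f"dns-to-external-resolver:{via}")
    if host.endswith(".bit"):
        findings.append("namecoin-tld-query")
    return findings


def scan(lines):
    """Parse and analyze log lines; return (timestamp, findings) for hits only."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        findings = analyze(event)
        if findings:
            hits.append((event["ts"], findings))
    return hits


# Constructed sample log lines (not taken from the capture).
SAMPLE_LOG = [
    "2016-12-09 14:01:58 src=10.0.0.5 dst=10.0.0.53 dport=53 proto=udp host=www.example.com",
    "2016-12-09 14:02:03 src=10.0.0.5 dst=185.106.120.180 dport=80 proto=tcp host=sxczf.iiopwposols.top",
    "2016-12-09 14:02:11 src=10.0.0.5 dst=31.3.135.232 dport=53 proto=tcp host=scenabit.bit",
    "2016-12-09 14:02:40 src=10.0.0.5 dst=185.69.153.226 dport=6892 proto=udp",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for ts, findings in scan(SAMPLE_LOG):
        print(ts, ", ".join(findings))
```

Exact-IP and exact-domain matches are the weakest part of the check, since an exploit kit rotates both within days; the resolver and .bit checks are the ones worth keeping in a sensor after these particular indicators have aged out.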
I have added zipped pcap files for your analysis. The password for each zipped pcap is "infected", all lowercase.
PCAP files of the infection traffic:
2016-12-09-Rig-EK-GootKit-pcap.zip
2016-12-09-Rig-EK-Chthonic-pcap.zip
2016-12-09-Rig-EK-cerber-pcap.zip

IMAGES AND DETAILS OF INFECTION CHAIN:
[Image] Network traffic associated with the Rig-E exploit and the delivery of GootKit
[Image] Network traffic associated with the Rig-E exploit and the delivery of Chthonic
[Image] Network traffic associated with the Rig-V exploit and the delivery of Cerber ransomware