Jun 17, 2016 by Analysis in Bot
NOTES: In a May 30th, 2016 post I detailed how Rig Exploit Kit (EK) was using a redirect gate to send a bot. You can use that blog post to decipher the obfuscation process which Rig EK uses to reach its landing page. This post describes the post-infection traffic associated with Qbot. With the recent change in the Rig EK redirect gate URL, it appears Qbot is still active. I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-06-16-Rig-EK-pcap.zip

REFERENCES:
https://threatpost.com/qbot-malware-morphs-quickly-to-evade-detection/117377/
https://resources.baesystems.com/pages/view.php?ref=39115&k=46713a20f9

ASSOCIATED DOMAINS AND IP ADDRESSES:
67.215.187.94 a.topgunnphoto.com/zpfarviewforumolirc.php - Rig Redirect GATE
46.30.47.116 ku.askornaandmatthew.com - Rig EK LANDING PAGE
70.31.34.200 TCP Port 2222 - POST INFECTION TRAFFIC
193.111.140.236 TCP Port 65200 - POST INFECTION TRAFFIC
91.199.120.147 FTP Port 21 FAIL - POST INFECTION TRAFFIC
50.87.114.63 FTP Port 21 - POST INFECTION TRAFFIC

IMAGES and DETAILS:
Shown above: Injected script found on compromised site containing obfuscated URL redirecting to Rig EK gate
Shown above: Rig EK redirect gate a.topgunnphoto.com
Shown above: Obfuscated code found in Rig EK redirect gate .php file using variable main_color_handle
Shown above: Rig EK landing page
Shown above: Qbot first post infection traffic communication using TCP port 2222
Shown above: Qbot second post infection traffic to various speedtest.comcast.net domains
Shown above: Qbot third post infection traffic communication using TCP 65200
Shown above: Qbot fourth post infection traffic communication using FTP (login failed)
Shown above: Qbot fifth post infection traffic communication using FTP (successful connection and transfer of data)
Shown above: Qbot sixth post infection traffic communication to ip-score.com to obtain infected host IP address and country local language
Shown above: More Qbot post infection traffic to legitimate web sites
Shown above: More post infection traffic associated with Qbot infection

MALICIOUS PAYLOAD SENT BY RIG EK:
2016-06-16-Rig-EK.swf (Virus Total Link)
2016-06-16-xueatwn.exe - Qbot (Virus Total Link)
2016-06-16-xueatw.dll - Qbot (Virus Total Link)

DIRECTORY STRUCTURE:
C:\Users\%UserName%\AppData\Roaming\Microsoft\Xueatwnu
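The indicators listed above are most useful when they are matched against your own connection and proxy logs. The following is an added example, not code from this post or from the pcap, that loads the post's IP, port and domain indicators and checks them against a handful of constructed log lines. The log format is a simplified, tab-separated Zeek-style conn record (timestamp, source IP, source port, destination IP, destination port, protocol) assumed for illustration; the sample lines are constructed, and the host names speedtest.comcast.net and ip-score.com are included only to show that the legitimate sites the infected host also contacted are deliberately not treated as indicators.

```python
"""Match the Rig EK / Qbot indicators from this post against connection logs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network indicators copied from the post's ASSOCIATED DOMAINS AND IP ADDRESSES
# list: (IP, TCP port or None for any port, label).
NETWORK_IOCS: List[Tuple[str, Optional[int], str]] = [
    ("67.215.187.94", None, "Rig EK redirect gate (a.topgunnphoto.com)"),
    ("46.30.47.116", None, "Rig EK landing page (ku.askornaandmatthew.com)"),
    ("70.31.34.200", 2222, "Qbot post-infection C2 (TCP 2222)"),
    ("193.111.140.236", 65200, "Qbot post-infection C2 (TCP 65200)"),
    ("91.199.120.147", 21, "Qbot post-infection FTP (login failed)"),
    ("50.87.114.63", 21, "Qbot post-infection FTP (data transfer)"),
]
DOMAIN_IOCS = {
    "a.topgunnphoto.com": "Rig EK redirect gate",
    "ku.askornaandmatthew.com": "Rig EK landing page",
}
# Dropped directory from the post; %UserName% is the post's own placeholder.
HOST_IOC_PATH = r"C:\Users\%UserName%\AppData\Roaming\Microsoft\Xueatwnu"


@dataclass
class Hit:
    line_no: int
    indicator: str
    label: str


def parse_conn_line(line: str):
    """Parse one simplified conn record (assumed format, see lead-in)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    try:
        return fields[1], int(fields[2]), fields[3], int(fields[4]), fields[5]
    except ValueError:
        return None


def match_conn_log(lines: List[str]) -> List[Hit]:
    """Flag any TCP connection to a listed IP; note when the port differs from the post."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_conn_line(line)
        if rec is None or rec[4].lower() != "tcp":
            continue
        _, _, resp_h, resp_p, _ = rec
        for ip, port, label in NETWORK_IOCS:
            if resp_h != ip:
                continue
            note = "" if port is None or port == resp_p else f" on unexpected port {resp_p}"
            hits.append(Hit(n, f"{ip}:{resp_p}", label + note))
    return hits


def match_http_hosts(hosts: List[str]) -> List[Hit]:
    """Match Host header values against the domain indicators (exact or subdomain)."""
    hits: List[Hit] = []
    for n, host in enumerate(hosts, 1):
        h = host.strip().lower().rstrip(".")
        for dom, label in DOMAIN_IOCS.items():
            if h == dom or h.endswith("." + dom):
                hits.append(Hit(n, h, label))
    return hits


# Constructed sample records: one benign DNS lookup, one C2 IP seen on a port
# other than the one in the post, and three clean matches.
SAMPLE_CONN_LOG = [
    "1466100000.101\t192.168.1.10\t49152\t46.30.47.116\t80\ttcp",
    "1466100012.204\t192.168.1.10\t49160\t70.31.34.200\t2222\ttcp",
    "1466100013.002\t192.168.1.10\t51000\t8.8.8.8\t53\tudp",
    "1466100040.550\t192.168.1.10\t49170\t50.87.114.63\t21\ttcp",
    "1466100055.700\t192.168.1.10\t49180\t193.111.140.236\t443\ttcp",
]
SAMPLE_HOSTS = [
    "a.topgunnphoto.com",
    "speedtest.comcast.net",
    "ku.askornaandmatthew.com",
    "ip-score.com",
]

if __name__ == "__main__":
    for hit in match_conn_log(SAMPLE_CONN_LOG) + match_http_hosts(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.label}")
```

The IP indicators fire on any TCP port because the same C2 host may be reached on a different port in another capture; the port from the post is kept as an annotation so an analyst can see at a glance whether the hit matches the traffic documented here.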
Tagged with: Albany NY , Botnet , Malware analysis , Malware Research