
Rig Exploit Kit sends Qbot Bot Configuration Traffic


Jun 17, 2016 by Analysis in Bot

NOTES: In a May 30th, 2016 post I detailed how Rig Exploit Kit (EK) was using a redirect gate to deliver Qbot. You can use that blog post to decipher the obfuscation Rig EK uses on the path to its landing page. This post describes the post-infection traffic associated with Qbot. Despite the recent change in the Rig EK redirect gate URL, it appears Qbot is still active.

I have added a zipped pcap file for your analysis. The password is the one usually used by malware researchers. If you do not know it, please email me.

info@broadanalysis.com

PCAP file of the infection traffic:

2016-06-16-Rig-EK-pcap.zip

REFERENCES:

https://threatpost.com/qbot-malware-morphs-quickly-to-evade-detection/117377/
https://resources.baesystems.com/pages/view.php?ref=39115&k=46713a20f9

ASSOCIATED DOMAINS AND IP ADDRESSES:

67.215.187.94 - a.topgunnphoto.com/zpfarviewforumolirc.php - Rig EK redirect gate
46.30.47.116 - ku.askornaandmatthew.com - Rig EK landing page
70.31.34.200 - TCP port 2222 - post-infection traffic
193.111.140.236 - TCP port 65200 - post-infection traffic
91.199.120.147 - FTP port 21 (login failed) - post-infection traffic
50.87.114.63 - FTP port 21 - post-infection traffic

IMAGES AND DETAILS:
[Image] Shown above: Injected script found on the compromised site containing an obfuscated URL redirecting to the Rig EK gate
[Image] Shown above: Rig EK redirect gate a.topgunnphoto.com
[Image] Shown above: Obfuscated code found in the Rig EK redirect gate .php file, using the variable main_color_handle
[Image] Shown above: Rig EK landing page
[Image] Shown above: Qbot first post-infection traffic, communication over TCP port 2222
[Image] Shown above: Qbot second post-infection traffic, to various speedtest.comcast.net domains
[Image] Shown above: Qbot third post-infection traffic, communication over TCP port 65200
[Image] Shown above: Qbot fourth post-infection traffic, FTP login failed
[Image] Shown above: Qbot fifth post-infection traffic, successful FTP connection and transfer of data
[Image] Shown above: Qbot sixth post-infection traffic, to ip-score.com to obtain the infected host's IP address and country/locale
[Image] Shown above: More Qbot post-infection traffic to legitimate web sites
[Image] Shown above: More post-infection traffic associated with the Qbot infection

MALICIOUS PAYLOAD SENT BY RIG EK:
2016-06-16-Rig-EK.swf (Virus Total link)
2016-06-16-xueatwn.exe - Qbot (Virus Total link)
2016-06-16-xueatw.dll - Qbot (Virus Total link)

DIRECTORY STRUCTURE:

C:\Users\%UserName%\AppData\Roaming\Microsoft\Xueatwnu
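The indicators above are more useful once they are turned into something you can run over flow records from your own network. The following is an added example, not code from the original post or the pcap: it loads the IPs, ports and domains listed on this page, scans constructed Zeek conn.log-style lines (tab-separated: timestamp, source IP, source port, destination IP, destination port, protocol, server name), and separates campaign-specific hits (the gate, landing page, TCP 2222, TCP 65200 and the two FTP servers) from the legitimate services the infected host also contacts (speedtest.comcast.net and ip-score.com), which are only meaningful in combination with a strong hit from the same host. The sample log lines, the internal 192.168.x.x hosts and the 203.0.113.x destination addresses are constructed for the example; the function and variable names are my own.

```python
"""Scan flow records for the Rig EK / Qbot indicators listed in this post.

Added example, not from the original post. Indicator values come from the
post's IOC list; all log lines below are CONSTRUCTED sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Campaign-specific indicators from the post: ip -> (expected port or None, role).
IOC_IPS = {
    "67.215.187.94": (None, "Rig EK redirect gate"),
    "46.30.47.116": (None, "Rig EK landing page"),
    "70.31.34.200": (2222, "Qbot post-infection traffic (TCP 2222)"),
    "193.111.140.236": (65200, "Qbot post-infection traffic (TCP 65200)"),
    "91.199.120.147": (21, "Qbot FTP (login failed)"),
    "50.87.114.63": (21, "Qbot FTP (data transferred)"),
}
IOC_DOMAINS = {
    "a.topgunnphoto.com": "Rig EK redirect gate",
    "ku.askornaandmatthew.com": "Rig EK landing page",
}
# Legitimate services Qbot contacts after infection; weak evidence alone,
# strong only when the same source host also has a campaign-specific hit.
CONTEXT_DOMAINS = {
    "speedtest.comcast.net": "speedtest probe",
    "ip-score.com": "external IP / country lookup",
}

# Constructed sample flows (hosts 192.168.1.50 / .77 and 203.0.113.x are made up).
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tserver_name
1466100000.1\t192.168.1.50\t49152\t67.215.187.94\t80\ttcp\ta.topgunnphoto.com
1466100001.2\t192.168.1.50\t49153\t46.30.47.116\t80\ttcp\tku.askornaandmatthew.com
1466100030.5\t192.168.1.50\t49160\t70.31.34.200\t2222\ttcp\t-
1466100040.0\t192.168.1.50\t49161\t203.0.113.10\t443\ttcp\tboston.speedtest.comcast.net
1466100045.0\t192.168.1.50\t49162\t193.111.140.236\t65200\ttcp\t-
1466100050.0\t192.168.1.50\t49163\t91.199.120.147\t21\ttcp\t-
1466100055.0\t192.168.1.50\t49164\t50.87.114.63\t21\ttcp\t-
1466100060.0\t192.168.1.50\t49165\t203.0.113.20\t80\ttcp\tip-score.com
1466100070.0\t192.168.1.77\t50000\t203.0.113.20\t80\ttcp\tip-score.com
1466100080.0\t192.168.1.77\t50001\t203.0.113.30\t443\ttcp\twww.example.com
"""


@dataclass
class Hit:
    src_ip: str
    dst: str       # "ip:port" or the matched server name
    reason: str
    strong: bool   # True for campaign-specific indicators


def _domain_matches(host: str, indicator: str) -> bool:
    """Exact or subdomain match, so boston.speedtest.comcast.net hits speedtest.comcast.net."""
    return host == indicator or host.endswith("." + indicator)


def parse_flow(line: str) -> Optional[dict]:
    """Parse one tab-separated flow line; comments, blanks and malformed lines give None."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7 or not fields[4].isdigit():
        return None
    ts, src, sport, dst, dport, proto, sni = fields
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto, "sni": sni}


def classify(flow: dict) -> Optional[Hit]:
    """Return a Hit if the flow touches a listed indicator, else None."""
    src, dst, dport, sni = flow["src"], flow["dst"], flow["dport"], flow["sni"]
    if dst in IOC_IPS:
        port, role = IOC_IPS[dst]
        # A known C2 IP on an unexpected port is still a hit; note the mismatch.
        note = "" if port in (None, dport) else f" (expected port {port})"
        return Hit(src, f"{dst}:{dport}", role + note, strong=True)
    if sni != "-":
        for name, role in IOC_DOMAINS.items():
            if _domain_matches(sni, name):
                return Hit(src, sni, role, strong=True)
        for name, role in CONTEXT_DOMAINS.items():
            if _domain_matches(sni, name):
                return Hit(src, sni, role, strong=False)
    return None


def scan(log_text: str) -> List[Hit]:
    """Run classify() over every parseable line of a conn.log-style text."""
    hits = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is not None:
            hit = classify(flow)
            if hit is not None:
                hits.append(hit)
    return hits


def triage(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per source host: counts of strong and context hits."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"strong": 0, "context": 0})
    for h in scan(log_text):
        summary[h.src_ip]["strong" if h.strong else "context"] += 1
    return dict(summary)


def infected_hosts(log_text: str) -> List[str]:
    """Hosts with at least one strong hit; a host that only ran a speed test is not reported."""
    return sorted(ip for ip, c in triage(log_text).items() if c["strong"] > 0)


if __name__ == "__main__":
    for hit in scan(SAMPLE_CONN_LOG):
        print(("STRONG " if hit.strong else "context") + f" {hit.src_ip} -> {hit.dst}: {hit.reason}")
    print("infected:", infected_hosts(SAMPLE_CONN_LOG))
```

Running it against the sample reports 192.168.1.50 only: it has six campaign-specific hits plus the speedtest and ip-score lookups, while 192.168.1.77 only contacted ip-score.com and is left alone. The port check matters because the post shows Qbot using non-standard ports (2222 and 65200) on plain IPs with no hostname, so a destination-IP match is the only signal for those flows; a mismatch between the observed and expected port is recorded rather than discarded.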
