NOTES:
Today I captured traffic from the Rig Exploit Kit (EK) which delivered an unknown malicious payload via the EITEST campaign.
EITEST campaign continues to use the Rig EK since switching from the Neutrino EK on August 15th 2016.
EITEST campaign has again changed its gate to IP address 194.165.16.202
DETAILS OF INFECTION CHAIN FOR RIG EK:
![Rig Exploit Kit via EITEST delivers malicious payload]()
Shown above: Network traffic associated with the initial Rig exploit and post infection
![Rig Exploit Kit via EITEST delivers malicious payload]()
Shown above: Injected script found on index page of compromised site which redirects visitor to the EITEST gate to start infection chain. Web page source code can be found by right clicking on web page and selecting “View source”.
![Rig Exploit Kit via EITEST delivers malicious payload]()
Shown above: Script found on EITEST gate redirecting to Rig EK landing page
![Rig Exploit Kit via EITEST delivers malicious payload]()
Shown above: Partial contents of malicious payload being delivered in obfuscated/encrypted form
![Rig Exploit Kit via EITEST delivers malicious payload]()
Shown above: Post infection communication associated with infection
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic: 2016-08-31-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:
194.165.16.202 usymi.xyz EITEST GATE
185.117.72.55 ucllxmt62.top RIG EK LANDING PAGE
46.183.216.182 utoftor.com POST /210/gate.php POST INFECTION TRAFFIC
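As an added example (not part of the original post or its pcap), the script below shows how a defender can turn the indicators listed above into a simple chain detector over HTTP proxy logs: it matches each request against the EITEST gate, the Rig EK landing page and the post-infection check-in, groups hits per client, and reports which clients went through the whole gate > landing page > POST /210/gate.php sequence. The log format, the client addresses and the compromised-site host name are constructed for the demonstration; only the three IP/domain pairs and the gate.php URI come from the post.

```python
"""Flag Rig EK / EITEST infection-chain indicators in HTTP proxy logs.

Added example, not from the original post. The indicators are the ones the
post lists; the log lines, their format and the compromised-site host are
constructed for the demonstration (assumptions, not captured traffic).
"""
import re
from collections import defaultdict

# Indicators taken from the post's "associated domains and IP addresses".
INDICATORS = {
    "194.165.16.202": ("usymi.xyz", "EITEST gate"),
    "185.117.72.55": ("ucllxmt62.top", "Rig EK landing page"),
    "46.183.216.182": ("utoftor.com", "post-infection traffic"),
}
# Post-infection check-in seen in the post: POST /210/gate.php
C2_URI = "/210/gate.php"

# Stage order that constitutes a complete infection chain.
CHAIN = ["EITEST gate", "Rig EK landing page", "post-infection traffic"]

# Constructed log format: "<ts> <client> <method> <host> <dst_ip> <uri>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<uri>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the chain stage this record matches, or None."""
    hit = INDICATORS.get(rec["dst_ip"])
    if hit is None:
        # Fall back to the host name in case the IP behind it has rotated.
        for host, stage in INDICATORS.values():
            if rec["host"] == host:
                hit = (host, stage)
                break
    if hit is None:
        return None
    host, stage = hit
    if stage == "post-infection traffic" and not (
        rec["method"] == "POST" and rec["uri"] == C2_URI
    ):
        # Contact with the C2 host without the known check-in pattern:
        # still worth triage, but reported separately.
        return "post-infection host contact"
    return stage


def analyze(lines):
    """Group matched stages per client in log order; return {client: [stages]}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        stage = classify(rec)
        if stage:
            hits[rec["client"]].append(stage)
    return dict(hits)


def full_chain(stages):
    """True if gate, landing page and C2 check-in all appear, in that order."""
    idx = 0
    for s in stages:
        if s == CHAIN[idx]:
            idx += 1
            if idx == len(CHAIN):
                return True
    return False


# Constructed sample log: one full chain (10.0.0.5), one landing-page-only
# hit (10.0.0.9) and one unrelated request (10.0.0.7).
SAMPLE_LOG = """\
2016-08-31T14:02:11 10.0.0.5 GET compromised-site.invalid 203.0.113.10 /
2016-08-31T14:02:12 10.0.0.5 GET usymi.xyz 194.165.16.202 /
2016-08-31T14:02:13 10.0.0.5 GET ucllxmt62.top 185.117.72.55 /
2016-08-31T14:02:20 10.0.0.5 POST utoftor.com 46.183.216.182 /210/gate.php
2016-08-31T14:03:01 10.0.0.9 GET ucllxmt62.top 185.117.72.55 /
2016-08-31T14:05:00 10.0.0.7 GET www.example.invalid 203.0.113.20 /news
"""

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for client, stages in results.items():
        verdict = "FULL CHAIN" if full_chain(stages) else "partial"
        print(f"{client}: {verdict} -> {' > '.join(stages)}")
```

The host-name fallback matters because EK campaigns rotate gate and landing IPs frequently (the post itself notes the gate address changed again), so matching on either the IP or the domain keeps the rule useful for a little longer; a partial hit on the landing page alone is still worth triage, since the payload may have been blocked before the check-in.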
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
2016-08-31-Rig-EK.swf Virus Total Link
2016-08-31-F40A.tmp [Original Payload] Virus Total Link
2016-08-31-HelpButton.dll Virus Total Link