
Rig Exploit Kit via EITEST delivers malicious payload

NOTES: Today I captured traffic from the Rig Exploit Kit (EK), which delivered an unknown malicious payload via the EITEST campaign. The EITEST campaign continues to use the Rig EK since switching from the Neutrino EK on August 15th 2016. The EITEST campaign has again changed its gate, this time to IP address 194.165.16.202.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.

info@broadanalysis.com

PCAP file of the infection traffic:

2016-08-31-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

194.165.16.202 usymi.xyz - EITEST GATE
185.117.72.55 ucllxmt62.top - RIG EK LANDING PAGE
46.183.216.182 utoftor.com POST /210/gate.php - POST INFECTION TRAFFIC

DETAILS OF INFECTION CHAIN FOR RIG EK:

Shown above: Network traffic associated with the initial Rig exploit and post infection.

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the EITEST gate to start the infection chain. Web page source code can be found by right clicking on the web page and selecting "View source".

Shown above: Script found on the EITEST gate redirecting to the Rig EK landing page.

Shown above: Partial contents of the malicious payload being delivered in obfuscated/encrypted form.

Shown above: Post infection communication associated with the infection.
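The chain described above (compromised site, EITEST gate, Rig EK landing page, then a POST to gate.php on the payload's command-and-control host) can be reconstructed from ordinary proxy logs using only the indicators listed in this post. The following script is an added example and is not part of the original post: it takes a few constructed log lines (the compromised-site and unrelated hosts are placeholders I made up; the gate, landing page and post-infection indicators are the ones listed above), tags each request with the stage it matches, and reports per client whether the full three-stage chain was observed in order. The log format and the stage names are assumptions.

```python
import re
from collections import defaultdict

# Indicators from the post: EITEST gate, Rig EK landing page, post-infection traffic.
# The stage labels are assumptions for this example; the IPs, domains and URI are the post's.
INDICATORS = {
    "194.165.16.202": "EITEST gate",
    "usymi.xyz": "EITEST gate",
    "185.117.72.55": "Rig EK landing page",
    "ucllxmt62.top": "Rig EK landing page",
    "46.183.216.182": "post-infection C2",
    "utoftor.com": "post-infection C2",
}
C2_URI = "/210/gate.php"
STAGE_ORDER = ["EITEST gate", "Rig EK landing page", "post-infection C2"]

# Constructed proxy log lines (assumed format): timestamp client_ip method host dst_ip uri
# The compromised-site and unrelated hosts/IPs are placeholders, not from the post.
SAMPLE_LOG = """\
2016-08-31T10:00:01 10.0.0.5 GET compromised-site.example 203.0.113.10 /index.html
2016-08-31T10:00:02 10.0.0.5 GET usymi.xyz 194.165.16.202 /
2016-08-31T10:00:03 10.0.0.5 GET ucllxmt62.top 185.117.72.55 /?q=landing
2016-08-31T10:00:09 10.0.0.5 POST utoftor.com 46.183.216.182 /210/gate.php
2016-08-31T10:01:00 10.0.0.7 GET unrelated.example 198.51.100.4 /
2016-08-31T10:02:00 10.0.0.9 GET utoftor.com 46.183.216.182 /favicon.ico
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return (client_ip, stage, timestamp) if the line matches an indicator, else None.

    Host and destination IP are both checked, so a DNS-less direct-to-IP request still matches.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, dst, uri = m.groups()
    stage = INDICATORS.get(host) or INDICATORS.get(dst)
    if stage is None:
        return None
    # A POST to /210/gate.php on the C2 host is the post-infection beacon the post describes;
    # any other request to that host is still worth flagging, but as a weaker, host-only hit.
    if stage == "post-infection C2" and not (method == "POST" and uri == C2_URI):
        stage = "post-infection C2 (host only)"
    return client, stage, ts


def find_infection_chains(log_text):
    """Group indicator hits per client and report which chain stages were seen, in time order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            client, stage, ts = r
            hits[client].append((ts, stage))
    result = {}
    for client, events in hits.items():
        events.sort()  # ISO timestamps sort lexically
        stages = [s for _, s in events]
        # Full chain: every stage present, and in gate -> landing -> C2 order.
        positions = [stages.index(s) for s in STAGE_ORDER if s in stages]
        full_chain = len(positions) == len(STAGE_ORDER) and positions == sorted(positions)
        result[client] = {"stages": stages, "full_chain": full_chain}
    return result


if __name__ == "__main__":
    for client, info in find_infection_chains(SAMPLE_LOG).items():
        flag = "FULL CHAIN" if info["full_chain"] else "partial"
        print(f"{client}: {flag} -> {' > '.join(info['stages'])}")
```

Matching on the destination IP as well as the host name matters here because the post notes the gate moved to a new IP; a rule keyed only on the old domain or only on the old IP would miss one or the other when the campaign rotates infrastructure.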

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

2016-08-31-Rig-EK.swf - Virus Total Link
2016-08-31-F40A.tmp [Original Payload] - Virus Total Link
2016-08-31-HelpButton.dll - Virus Total Link
