For the First Time Ever, EITest Gate Leads to Rig EK

IOCs: – – EITest IP/Domain – – Rig EK

EITest Gate Flash Redirect: 2e562c81b88c1a2061c6aa591c25f90c
EITest Gate Landing Page: 859a8994f27d2f9ded7d3aab783d4680
Rig EK Landing Page: 50ad7f7a888954b8a79469f8662864a2
Rig EK Flash Exploit: c6014a32cc06f862ea44db720dfcf553


I believe today is the first time that anyone has ever seen the EITest gate leading to a Rig Exploit Kit. Below is the EITest script found on the compromised site:

The URL shown above points to a EITest Flash file.

Below you can see the GET request for that URL and the response containing a malicious Flash file:

That Flash file has a detection ratio of 2/55 on VirusTotal (currently as of 8/15/16).

The EITest Flash file is used a redirection mechanism and is responsible for making a GET request to the EITest gate. Below is the HTML on the EITest gate which shows JavaScript containing the URL for the Rig Exploit Kit landing page:

Note: The GET request for the EITest gate has been trying to obfuscate HTML files by appending them with .jpeg, .png, etc. I scanned the EITest gate HTML file however it is currently FUD (Fully Undetectable) on VirusTotal.

Below is the GET request caused by the JavaScript found on the EITest gate. Looking at the response from the server shows the Rig Exploit Kit landing page is being gzip compressed:

However, pulling the file via Wireshark shows the following HTML containing encoded script:

As you can see a large portion of the script is base64 encoded. Scanning that Rig Exploit Kit landing page on VirusTotal returns a detection ratio of 4/54 (as of 8/15/16).

Decoding just the base64 found on the Rig EK landing page returns the following code:

We can see the decoded data is making calls for various files, as well as what appears to be more encoded data. Additionally you can see some conditional [endif] and [if !IE] statements being used.

Here we see the GET requests for the URLs shown in the decoded data:

Oddly enough there is a second GET request for the same Flash exploit but with a slightly different URI:

Followed by the payload:

Here is a clear view of the objects found in the HTTP traffic:

As well as some alerts from the from ET:

I didn’t notice any post-infection callback traffic.

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: