220.127.116.11 – epanofap.top – EITest IP/Domain
18.104.22.168 – free.giftofhair.org – Rig EK
I believe today is the first time that anyone has ever seen the EITest gate leading to a Rig Exploit Kit. Below is the EITest script found on the compromised site:
The URL shown above points to a EITest Flash file.
Below you can see the GET request for that URL and the response containing a malicious Flash file:
That Flash file has a detection ratio of 2/55 on VirusTotal (currently as of 8/15/16).
Note: The GET request for the EITest gate has been trying to obfuscate HTML files by appending them with .jpeg, .png, etc. I scanned the EITest gate HTML file however it is currently FUD (Fully Undetectable) on VirusTotal.
However, pulling the file via Wireshark shows the following HTML containing encoded script:
As you can see a large portion of the script is base64 encoded. Scanning that Rig Exploit Kit landing page on VirusTotal returns a detection ratio of 4/54 (as of 8/15/16).
Decoding just the base64 found on the Rig EK landing page returns the following code:
We can see the decoded data is making calls for various files, as well as what appears to be more encoded data. Additionally you can see some conditional [endif] and [if !IE] statements being used.
Here we see the GET requests for the URLs shown in the decoded data:
Oddly enough there is a second GET request for the same Flash exploit but with a slightly different URI:
Followed by the payload:
Here is a clear view of the objects found in the HTTP traffic:
As well as some alerts from the from ET:
I didn’t notice any post-infection callback traffic.