EITest Gate at Leads to Rig EK at and Drops Vawtrak

IOCs:

  • cam-machine.com – Compromised Website
  • focecu.xyz – EITest Gate
  • eeuo5tu8.top – Rig EK
  • GET /module/d1967c99c0c7f9b468f2e08e59e41ffe
  • GET /module/311ac29c5a8f6b4e7a247db98207fd6e
  • GET /module/96df1c84c7fb13e880e399f9627e0db0
  • GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d
  • GET /module/a104f2955999a2f1a1c881e8930b82f6

Post-Infection DNS Queries resolving to

  • zmluvsfe.com
  • machinabat.pw
  • baltolux.bid
  • twoggis.bid

Post-Infection DNS Queries resolving to

  • chanpie.pw
  • zoomir.bid
  • buhnuti.bid
  • wermoo.pw

DNS standard query responses from

  • h7m7uzgeh7i.net
  • p1lx78.net
  • kpkjko8qipc2q1.org
  • diiakqm2.com
  • gvfvmy.org
  • 01ekupp-y1z.com
  • g10m-k-8d1.net
  • 1d2wrau20duvlzf.org
  • 1dl3r.org
  • lhce.net
  • 0d0s-.org
  • lpg52d0wkpo.org
  • p5gle4w.org
  • 0dsmkgvx.com

Post-Infection HTTPS/TLS/SSL Traffic:

  • SSL Certificate – (id-at-commonName=vuinuzhz.com)

SHA256: 7fef33a9a695f5f5053a72b00776edb961e3f6d38a9b16f1dbddbe212ebf1dc5
File name: EITest SWF Redirect from focecu.xyz at

SHA256: 8db81976d70853c39f9402b3a90f737211de66baaa407ec203409ae3ab81a7ee
File name: EITest Gate from focecu.xyz at

SHA256: 5ad0d0cd38d400126206d3e60cbb4bb0e6a9c31aa7406891b4d64b35073bfdb2
File name: RigEK Landing Page from eeuo5tu8.top at

SHA256: 1878e064d0606514a656204776e51fcaa4746666f859fda05f96656fdcf2886a
File name: RigEK SWF Exploit from eeuo5tu8.top at

SHA256: 24676a47c4690edd89bdc311351fd9b7f9de60322f84707654e85407d2168dd4
File name: RigEK Payload from eeuo5tu8.top at
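The indicators above are most useful once they are turned into something that can be run over exported logs. The script below is an added example, not tooling from this write-up: it loads the domains, hashes, certificate common name and /module/ request pattern listed above and walks a small log, reporting each hit with the stage of the chain it belongs to (domain matches cover subdomains too). The log format and the sample lines are constructed for the example, and 203.0.113.5 is a documentation address standing in for the IP the post omits.

```python
import re

# Indicators copied from the write-up above; the sample log lines further down
# are constructed for this example and are not from the author's PCAP.
IOC_DOMAINS = {
    "cam-machine.com": "compromised website",
    "focecu.xyz": "EITest gate",
    "eeuo5tu8.top": "Rig EK",
}
for _d in ("zmluvsfe.com", "machinabat.pw", "baltolux.bid", "twoggis.bid",
           "chanpie.pw", "zoomir.bid", "buhnuti.bid", "wermoo.pw"):
    IOC_DOMAINS[_d] = "post-infection DNS query"
for _d in ("h7m7uzgeh7i.net", "p1lx78.net", "kpkjko8qipc2q1.org", "diiakqm2.com",
           "gvfvmy.org", "01ekupp-y1z.com", "g10m-k-8d1.net", "1d2wrau20duvlzf.org",
           "1dl3r.org", "lhce.net", "0d0s-.org", "lpg52d0wkpo.org", "p5gle4w.org",
           "0dsmkgvx.com"):
    IOC_DOMAINS[_d] = "post-infection DNS response"

# The write-up spells the certificate common name two ways, so both are kept.
IOC_CERT_CN = {"vuinuzhz.com", "vulnuzhz.com"}

IOC_SHA256 = {
    "7fef33a9a695f5f5053a72b00776edb961e3f6d38a9b16f1dbddbe212ebf1dc5": "EITest SWF redirect",
    "8db81976d70853c39f9402b3a90f737211de66baaa407ec203409ae3ab81a7ee": "EITest gate",
    "5ad0d0cd38d400126206d3e60cbb4bb0e6a9c31aa7406891b4d64b35073bfdb2": "Rig EK landing page",
    "1878e064d0606514a656204776e51fcaa4746666f859fda05f96656fdcf2886a": "Rig EK SWF exploit",
    "24676a47c4690edd89bdc311351fd9b7f9de60322f84707654e85407d2168dd4": "Rig EK payload",
}

# Post-infection GETs went straight to an IP for /module/<32 hex chars>.
MODULE_URI = re.compile(r"^/module/[0-9a-f]{32}$")

# Constructed log format: "<timestamp> <kind> key=value ...".
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")


def domain_stage(name):
    """Return the stage label for an IOC domain or any subdomain of it, else None."""
    name = name.lower().rstrip(".")
    for dom, stage in IOC_DOMAINS.items():
        if name == dom or name.endswith("." + dom):
            return stage
    return None


def scan_log(text):
    """Walk the log once and return (line_no, stage, indicator) for every IOC hit."""
    hits = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m:
            continue
        kind = m.group("kind")
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        if kind == "dns":
            stage = domain_stage(fields.get("query", ""))
            if stage:
                hits.append((n, stage, fields["query"]))
        elif kind == "http":
            stage = domain_stage(fields.get("host", ""))
            if stage:
                hits.append((n, stage, fields["host"]))
            if MODULE_URI.match(fields.get("uri", "")):
                hits.append((n, "post-infection module download", fields["uri"]))
        elif kind == "tls":
            if fields.get("cn", "").lower() in IOC_CERT_CN:
                hits.append((n, "post-infection TLS certificate", fields["cn"]))
        elif kind == "file":
            label = IOC_SHA256.get(fields.get("sha256", "").lower())
            if label:
                hits.append((n, "known sample: " + label, fields["sha256"]))
    return hits


# Constructed sample; 203.0.113.5 is a documentation address standing in for
# the IP the write-up omits, not an indicator from the post.
SAMPLE_LOG = """\
2017-01-10T14:02:09Z http host=cam-machine.com uri=/
2017-01-10T14:02:10Z dns query=focecu.xyz
2017-01-10T14:02:11Z http host=focecu.xyz uri=/
2017-01-10T14:02:13Z dns query=eeuo5tu8.top
2017-01-10T14:02:14Z http host=eeuo5tu8.top uri=/
2017-01-10T14:02:20Z file sha256=24676a47c4690edd89bdc311351fd9b7f9de60322f84707654e85407d2168dd4
2017-01-10T14:02:31Z http host=203.0.113.5 uri=/module/d1967c99c0c7f9b468f2e08e59e41ffe
2017-01-10T14:02:40Z dns query=zmluvsfe.com
2017-01-10T14:02:41Z tls cn=vuinuzhz.com
2017-01-10T14:03:00Z dns query=www.example.com
2017-01-10T14:03:01Z http host=www.example.com uri=/module/notahash
"""

if __name__ == "__main__":
    for line_no, stage, indicator in scan_log(SAMPLE_LOG):
        print(f"line {line_no:2d}  {stage:32s}  {indicator}")
```

The two non-matching lines at the end are there on purpose: a /module/ path that is not 32 hex characters and a host that merely ends in an indicator string without being a subdomain of it should both stay quiet.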

Infection Chain:

The infection chain starts with the compromised website being injected with the EITest script, located within some tags:

The URL for the EITest SWF is found within the injected script. Below is the GET request for the SWF file:

The EITest SWF redirects the host to the EITest gate where you can see the URL for the Rig EK landing page within the tag:


The response for the landing page (shown above) is compressed, so I'll extract the file:
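Extracting the body from a captured response can be done programmatically rather than by hand in the packet viewer. The script below is an added example and not the author's tooling: it splits a raw HTTP/1.x response into status line, headers and body, reassembles a chunked body, and undoes a gzip or deflate Content-Encoding (accepting raw deflate as well, since servers are sloppy about it). The response it works on is constructed and compressed inside the script; it is a stand-in, not the real Rig EK landing page.

```python
import gzip
import zlib


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased; the body is returned exactly as sent,
    still chunked and/or compressed.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body; raises on a truncated capture."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)  # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the data and its trailing CRLF
    return bytes(out)


def decompress(body, encoding):
    """Undo a Content-Encoding; accept raw deflate too, as some servers send it."""
    enc = encoding.strip().lower()
    if enc in ("", "identity"):
        return body
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate, no zlib header
    raise ValueError("unsupported Content-Encoding: " + enc)


def extract_body(raw):
    """Return the decoded entity body of a raw HTTP response."""
    _, headers, body = parse_http_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return decompress(body, headers.get("content-encoding", ""))


# Constructed stand-in for the landing page; it is not the real Rig EK page.
SAMPLE_HTML = b"<html><body><script>var s='constructed sample';</script></body></html>"


def build_sample_response(html=SAMPLE_HTML):
    """Gzip and chunk the sample as a server would, so extract_body() has work to do."""
    gz = gzip.compress(html)
    mid = len(gz) // 2
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (gz[:mid], gz[mid:]))
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"\r\n" + chunks + b"0\r\n\r\n")


if __name__ == "__main__":
    print(extract_body(build_sample_response()).decode())
```

With a real capture, feed the bytes of the reassembled TCP stream (for example what Wireshark's "Follow TCP Stream" exports for the server side) to extract_body(); dechunk() deliberately raises on a truncated stream rather than returning a partial page that might be mistaken for the whole landing page.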

As always, a large portion of it is encoded. The decoded portion is shown below:

After the host is redirected to the Rig EK landing page, we can see two GET requests for the exact same Flash exploit, and the payload:

The payload is 156 KB in size. Here are some files created in %APPDATA%:

Looking through the PCAP I can see some additional GET requests directly to an IP for more data:

Following the GET requests for the data in /module/, I found post-infection HTTPS/TLS/SSL traffic to which was resolving to zmluvsfe.com. Looking at the certificate information shows "commonName=vulnuzhz.com":

As well as these DNS standard query responses from

