31.184.192.188 – kinepolis.top – EITest Gate
185.117.73.207 – culxw0.b28zu4.top – Rig Exploit Kit
108.61.99.79 – GET Requests via direct IP with the following URI pattern – “/module/[32 alphanumeric characters]”
Post Infection DNS Queries:
95.46.98.89 – ctwruhwdk.com
95.46.98.89 – apgtsdeh.com
81.177.13.242 – lkfiravihg.com
Hashes:
SHA256: 74690c93ce0fef0c40c842fba6e3963c15a4d3c02e230000c0eb8da83deb22d8
File name: EITest Flash File.swf
SHA256: 013c1c061383c27273398da975230a752487ae914bcc03892df905b859800a19
File name: EITest Gate.html
SHA256: 928bed89136d6060a084cc0e26f5148e44852aa48f9f6d0ef72c53050a0f3c84
File name: RigEK Landing Page.html
SHA256: 851d2e5d2286bb944351c3615f10335109c2200a5c4674993dbcadefe1bc47a9
File name: RigEK Flash Exploit.swf
SHA256: 25eb79b7c38b44e08d53f765805c875b5e49042076c6d5182c6ade74df56a9f8
File name: DekJanv.exe (AKA F4A0.tmp)
SHA256: 7971c8a2a725bc543ed59146054942baac21db662cd379777f3edac02fb8f418
File name: RagqEwzo
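As an added example (not part of the original post), the indicators above turned into a simple log matcher. The log lines and their five-field format are constructed for the example; the hosts, IPs, post-infection domains and the /module/ URI pattern are the ones listed above. The pattern check is applied to any request that goes straight to a bare IP, not only to 108.61.99.79, so it still fires if the payload server changes.

```javascript
// Added example, not code from the original post: match web-proxy log lines
// against the IOCs listed above. The log format (ts client method host uri)
// and the sample lines are CONSTRUCTED for this example.

const GATE_HOSTS = new Set(['kinepolis.top', 'culxw0.b28zu4.top']);
const IOC_IPS = new Set(['31.184.192.188', '185.117.73.207', '108.61.99.79']);
const POST_INFECTION_DOMAINS = new Set(['ctwruhwdk.com', 'apgtsdeh.com', 'lkfiravihg.com']);

// Payload request pattern from the IOC list: GET straight to an IP with the
// URI /module/<exactly 32 alphanumerics>. Anchored so other paths do not match.
const MODULE_URI = /^\/module\/[A-Za-z0-9]{32}$/;
const BARE_IPV4 = /^(\d{1,3}\.){3}\d{1,3}$/;

// Returns a reason string for a suspicious line, or null if nothing matched.
function classify(line) {
  const [, , method, host, uri] = line.trim().split(/\s+/);
  if (!host || !uri) return null;                      // malformed line, skip
  const h = host.toLowerCase();
  if (GATE_HOSTS.has(h)) return 'EITest/Rig gate host';
  if (IOC_IPS.has(h)) return 'known campaign IP';
  if (POST_INFECTION_DOMAINS.has(h)) return 'post-infection domain';
  if (method === 'GET' && BARE_IPV4.test(h) && MODULE_URI.test(uri)) {
    return 'RigEK payload URI pattern on direct-IP request';
  }
  return null;
}

// Scan a whole log and return the hits with their reason.
function scan(lines) {
  const hits = [];
  for (const line of lines) {
    const reason = classify(line);
    if (reason) hits.push({ line, reason });
  }
  return hits;
}

// Constructed sample log; 10.0.0.5 is the victim workstation. Line 5 uses an
// IP that is not in the IOC list to show the pattern match on its own.
const SAMPLE_LOG = [
  '2017-03-01T10:00:01Z 10.0.0.5 GET compromised-site.example /index.html',
  '2017-03-01T10:00:02Z 10.0.0.5 GET kinepolis.top /index.php',
  '2017-03-01T10:00:03Z 10.0.0.5 GET culxw0.b28zu4.top /?id=1',
  '2017-03-01T10:00:04Z 10.0.0.5 GET 108.61.99.79 /module/AbCdEf0123456789AbCdEf0123456789',
  '2017-03-01T10:00:05Z 10.0.0.5 GET 203.0.113.7 /module/AbCdEf0123456789AbCdEf0123456789',
  '2017-03-01T10:00:06Z 10.0.0.5 GET 203.0.113.7 /module/short',
  '2017-03-01T10:00:07Z 10.0.0.5 GET ctwruhwdk.com /',
];

for (const hit of scan(SAMPLE_LOG)) console.log(hit.reason, '<-', hit.line);
```

The post-infection domains appear in the capture as DNS queries; the matcher treats any HTTP contact with them as a hit as well, since a proxy log will show the host rather than the lookup.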
GET Requests:
Infection Chain:
The infection chain starts with a compromised website. In this case the compromised website was injected with the EITest script. It is worth noting that the EITest script has gone through some changes over the last couple of weeks; for example, it is now obfuscated and encoded. In the most recent example below we can see that the EITest script is hex encoded, with the encoding further obfuscated:
Using the replace() method to replace all hyphens with percent signs removes the obfuscation and leaves the hex encoded data in percent-encoded form. That data is then decoded with the decodeURIComponent() function and written to the page with document.write(). All of this was most likely added to the EITest script to evade detection. Here is what the EITest script looks like fully deobfuscated and decoded:
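To make the decode step concrete, here is an added example (not the EITest script itself and not code from the original post) that reproduces the hyphen/hex layer on a constructed stand-in script, reverses it the way the injected code does, and captures what document.write() would have emitted without executing it. The stand-in script body and its example.invalid URL are constructed; the real gate domain is not reproduced here.

```javascript
// Added example, not the real EITest script: reproduce the hyphen/hex
// encoding layer described above and reverse it offline. SAMPLE_DECODED is a
// CONSTRUCTED stand-in for the decoded script; example.invalid is not the gate.

const SAMPLE_DECODED = '<script>var s=document.createElement("script");' +
  's.src="http://example.invalid/index.php";document.head.appendChild(s);</script>';

// Encoding as the text describes it: every byte becomes "-" plus two hex digits,
// so the blob looks like "-3c-73-63-72..." rather than a percent-encoded string.
function eitestEncode(str) {
  return Array.from(Buffer.from(str, 'utf8'),
    b => '-' + b.toString(16).padStart(2, '0')).join('');
}

// Reverse it: swap every hyphen for "%" (the /g flag matters; replace() with a
// plain string argument would only touch the first hyphen), then percent-decode.
function eitestDecode(blob) {
  return decodeURIComponent(blob.replace(/-/g, '%'));
}

// Analysis helper: run the decode stage with document.write() stubbed, so the
// second-stage HTML is captured instead of being inserted into a page.
function captureDocumentWrite(blob) {
  const written = [];
  const document = { write: s => written.push(s) }; // stub shadows the browser global
  document.write(eitestDecode(blob));
  return written.join('');
}

// Pull any http(s) URLs out of the captured stage so the gate can be blocklisted.
function extractUrls(html) {
  return html.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

const encoded = eitestEncode(SAMPLE_DECODED);
console.log('encoded:', encoded.slice(0, 40) + '...');
console.log('decoded:', captureDocumentWrite(encoded));
console.log('urls:', extractUrls(captureDocumentWrite(encoded)));
```

Running the decode through a stub rather than a browser is the point: the captured stage can be grepped for the gate URL and hashed without ever fetching the Flash redirect.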
Once the EITest script has been deobfuscated and decoded, it generates a GET request. This GET request returns what I refer to as the EITest SWF Redirect. That Flash file is hosted at the domain shown in the script above. Another recent change is the lack of a URI for the EITest Flash file and the change in the URI pattern for the gate (/index.php).
Below is the return HTTP traffic containing the EITest Flash file:
The EITest Flash file is used to redirect the host to the EITest gate. Below is the HTML file returned by the EITest gate:
In the source code above we can see a snippet of JavaScript containing the URL for the Rig Exploit Kit landing page. The href property is used to point to the EK landing page.
The HTTP response carrying the landing page is gzip compressed. Extracting the body and saving it as a .html or .txt file will allow you to see the code:
The landing page contains some checks as well as the location of the Flash exploit. Here we see the host making a GET request for the Flash exploit:
Finally we see the payload being requested and delivered to the host:
The payload was dropped in %TEMP%:
The same file, this time with an .exe extension, was dropped into a newly created folder called “GapeMfijr” under the name “DekJanv.exe”. Its file description claims it is something called “HD Video Converter Factory Pro”. There is also a rather large (20 MB) file called “RagqEwzo”:
Checking the Registry shows a value being used for persistence. It can be found under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: