EITest Leads to Rig EK at 176.223.111.33 and 176.223.111.77, Malicious SSL Certificate Detected

IOCs:

Traffic (first run):

traffic

Hashes:

SHA256: 9990eb77f0d3722150115982fbdf0a11b00b73710d9b5d40d68a82d66204437a
File name: RigEK Landing Page.html

SHA256: 3aeb32dea7f8c34f1b3758f4d9c40ad09b65756cd0638835e43f52b936144e57
File name: RigEK Flash Exploit.swf

SHA256: ed16f7cf3d1e58ae48a9b84054b4ce44508c161a4b5d5fc419dc90d9ca67dab5
File name: D8F2.tmp and E66B.tmp

Hybrid-Analysis.com:

I ran the file through hybrid-analysis.com and it generated the following report. In that report we can see it flagging the SSL traffic for the following:

  • ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)
    • alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 0a|"; content:"|0e|MyCompany Ltd."; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:bad-unknown; sid:2015560; rev:7;)
  • Recent SSL Blacklist entry for ZeuS C&C:

sslbl-abuse-ch

And here is a sample of the TCP stream from the traffic showing the "MyCompany Ltd." organization name in the certificate served to the malware, which is the string the signature above keys on:

tcp-stream
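To make clear what the ET signature actually inspects, here is an added example (my own code, not from the original post and not from Emerging Threats or abuse.ch). It builds a constructed TLS Certificate handshake record whose stand-in certificate carries a single X.501 Name with O=<org>, then applies the rule's four content checks in order: a TLS handshake record header (16 03), a Certificate message type (0b) within seven bytes of it, the organizationName OID 2.5.4.10 (55 04 0a), and, after skipping one byte (the ASN.1 string-type tag, distance:1), the length byte 0e followed by the 14-byte string "MyCompany Ltd." inside a 15-byte window. Two assumptions: the certificate body is a stand-in that only contains the Name (a real tbsCertificate has many more fields, but the rule never looks at them), and the within/distance arithmetic follows my reading of Suricata, where distance moves the search start and within bounds the window from that start. Note also that the abuse.ch SSLBL itself is keyed on SHA1 certificate fingerprints, whereas this ET rule keys on the organization string, so it fires on any certificate that carries exactly that O= value.

```python
# Added example: reproduce the byte-level checks of ET sid 2015560 over a
# constructed TLS Certificate record. Not the original post's code.

OID_ORGANIZATION_NAME = b"\x55\x04\x0a"   # DER encoding of OID 2.5.4.10 (O=)
SIG_ORG = b"MyCompany Ltd."               # 14 bytes, hence the 0e length byte in the rule


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV: short-form length below 128, long form up to 65535."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + body


def name_with_org(org: bytes, string_tag: int = 0x13) -> bytes:
    """X.501 Name holding a single RDN: O=<org>.
    string_tag 0x13 is PrintableString, 0x0c is UTF8String; both occur in real certs."""
    atv = der_tlv(0x30, der_tlv(0x06, OID_ORGANIZATION_NAME) + der_tlv(string_tag, org))
    return der_tlv(0x30, der_tlv(0x31, atv))          # SEQUENCE { SET { AttributeTypeAndValue } }


def tls_certificate_record(subject_name: bytes) -> bytes:
    """Constructed TLS 1.2 record carrying a Certificate handshake message with one
    stand-in certificate (assumption: the cert is just a SEQUENCE wrapping the Name).
    Layout: 16 03 03 <len16> | 0b <len24> | <certs_len24> | <cert_len24> <DER>."""
    cert = der_tlv(0x30, subject_name)
    certificate_list = len(cert).to_bytes(3, "big") + cert
    body = len(certificate_list).to_bytes(3, "big") + certificate_list
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def sid_2015560_matches(payload: bytes) -> bool:
    """Apply the rule's content checks in order against server-to-client payload.
    Assumed Suricata semantics: distance:N starts the next search N bytes after the
    previous match ends; within:M limits that search window to M bytes."""
    i = payload.find(b"\x16\x03")                          # content:"|16 03|"
    if i < 0:
        return False
    prev_end = i + 2
    j = payload.find(b"\x0b", prev_end, prev_end + 7)      # content:"|0b|"; within:7
    if j < 0:
        return False
    prev_end = j + 1
    k = payload.find(OID_ORGANIZATION_NAME, prev_end)      # content:"|55 04 0a|"
    if k < 0:
        return False
    prev_end = k + 3
    needle = bytes([len(SIG_ORG)]) + SIG_ORG               # content:"|0e|MyCompany Ltd."
    start = prev_end + 1                                   # distance:1 skips the string-type tag
    return payload.find(needle, start, start + 15) >= 0    # within:15


if __name__ == "__main__":
    hit = tls_certificate_record(name_with_org(SIG_ORG))
    miss = tls_certificate_record(name_with_org(b"Example Corp"))
    print("O=MyCompany Ltd. :", sid_2015560_matches(hit))   # True
    print("O=Example Corp   :", sid_2015560_matches(miss))  # False
```

The exact-length match matters: the rule's needle is the length byte 0e plus the 14 characters, so a certificate with O=MyCompany Ltd (no trailing period) or with any extra character does not fire, while either PrintableString or UTF8String encoding of the exact value does, because distance:1 skips the tag byte without inspecting it.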

Infection Chain:

The infection chain begins at the compromised website. Once the compromised page loads in the browser, the injected script from the EITest campaign redirects the browser to a Rig EK server. Below is an image of the injected script on the compromised site:

compromised-site-2

The URL within the script points to the Rig EK landing page. Below is an image of the GET request for the obfuscated Rig EK landing page followed by the GET request for the Flash exploit:

get-requests

Lastly we see the request for the payload, which is then dropped in %TEMP%:

payloadtemp

The reason you see both D8F2.tmp and E66B.tmp is that I ran this infection chain two times to see what else it would drop. Both files are identical, as scanning them via VirusTotal returned the same hash value.

Once the files ran, I could see DNS queries to domains resolving back to 222.206.156.2 and 208.73.206.17. Both of those IPs are owned by China's Education And Research Network.

VirusTotal shows the following domains resolving to 222.206.156.2 and 208.73.206.17:

Notice that all these domains were created recently. That is usually a bad sign. Scanning those domains on VirusTotal shows they are being detected by Sophos as malicious.

For now I would recommend blocking the Rig EK IPs (176.223.111.33 and 176.223.111.77) as well as 222.206.156.2 and 208.73.206.17 at your perimeter firewall(s).
