EITest Leads to Rig EK 185.141.26.72, 185.141.25.207 and 185.141.25.234

IOCs:

• 46.252.207.1 – amberhsu.com – Compromised site
• 185.141.25.207 – za95uur.ag0clk.top – Rig EK run #1 (blocked by ESET)
• 185.141.25.234 – h01wi.d7riwiu.top – Rig EK run #2
• 185.141.26.72 – gyu1f1.eowjl2.top – Rig EK run #3
• 222.206.156.2, 208.73.206.179, 23.108.245.93 – post infection DNS queries shown below.
  • Domains resolving to the above IPs include:
    • nitrrotetris.com
    • monsterkillyep444.net
    • blintyris.net
    • lamerpamer.org
    • monertee39.com
    • rbnvekrer.org
    • lornointwonbt.org
    • rnwnbortobw.net
    • tinetrinmmm.org
    • flibnltnro.org
    • rbntornweob.net
    • glsrnrtonrb.com
    • ubnwotnobwrtno.org
    • lebnrltnbs.org

Traffic (run 3 and 2 in that order):

Hashes:

SHA256: 9bf7ca8dd136b02d7243f4bc367bb498d11f5aa12b540520d37ef8dc5ffc6b6f
File name: RigEK Landing Page Run 2.html

SHA256: 49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd
File name: RigEK Flash Exploit Run 2.swf

SHA256: df74546463c6a9f5a122eb56e2ee47ff9dbbdc1078d09b301c4a73cb3c0d0493
File name: E35.tmp.exe
Hybrid-Analysis Report

SHA256: 0e13ae03dd7765d49b3295351c2acb64f5c0f3e65a0cb295b5f186f9ef63184a
File name: RigEK Landing Page Run 3.html

SHA256: aa640ad259990129c2b6cc4e9a1bbe9a38bb60e6ccd8694e9f155ef0e0cbc347
File name: RigEK Flash Exploit Run 3.swf

SHA256: 17a6bdd76e895dc0f24dc117a7d0e623d139ee4dd21478f9b0e7ef8a6789fd02
File name: EB1F.tmp.exe
Hybrid-Analysis Report

Infection Chain:

The infection chain begins at the compromised website. Once the compromised webpage loads in the browser a malicious script known as EITest redirects the host to a Rig EK server. Below are images of the injected script on the compromised site over the course of a week (run 1, run 2, run 3):

The URL within the script points to the Rig EK landing page. Once on the landing page the host is sent a Flash exploit followed by the payload.

Below we can see E35.tmp from run 2 and EB1F.tmp from run 3 dropped in %Temp%:

As soon as the files are executed you can see DNS queries for the domains listed in the IOC section and shown in the Traffic section.

Both 222.206.156.2 and 208.73.206.17 are owned by China’s Education And Research Network. 23.108.245.93 is owned by Nobis Technology Group, LLC.

VirusTotal shows the following domains resolving to 222.206.156.2, 208.73.206.17 and 23.108.245.93:

• nitrrotetris.com (created on 2016-10-16)
• monsterkillyep444.net (created on 2016-10-16)
• blintyris.net (created on 2016-10-16)
• lamerpamer.org (created on 2016-10-16)
• monertee39.com (created on 2016-10-16)
• rbnvekrer.org (created on 2016-10-26)
• lornointwonbt.org (created on 2016-10-27)
• rnwnbortobw.net (created on 2016-10-27)
• tinetrinmmm.org (created on 2016-10-26)
• flibnltnro.org (created on 2016-10-27)
• rbntornweob.net (created on 2016-10-27)
• glsrnrtonrb.com (created on 2016-10-27)
• ubnwotnobwrtno.org (created on 2016-10-27)
• lebnrltnbs.org (created on 2016-10-27)

Notice that all these domains were created recently. That is usually a bad sign. Scanning those domains on VirusTotal shows they are being detected by Sophos as malicious. This could be because they are newly registered domains.

Below are some examples of the TCP stream showing “MyCompany Ltd” used by the malware:

These sometimes trigger alerts for blacklist malicious SSL certificates (ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected). This looks like it could be Gootkit but I can’t be certain.

Brad over at http://www.malware-traffic-analysis.net had similar post-infection traffic from a EITest to Rig EK infection on 10/31/16. Click HERE to read about that infection.

For now I would recommend blocking the Rig EK IPs as well as 222.206.156.2, 208.73.206.17 and 23.108.245.93 at your perimeter firewall(s).

• Category: Exploit Kit
• Tag: EITest, Gootkit, IOCs, ZeuS

Published by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware. View all posts by malwarebreakdown