- 184.108.40.206 – amberhsu.com – Compromised site
- 220.127.116.11 – za95uur.ag0clk.top – Rig EK run #1 (blocked by ESET)
- 18.104.22.168 – h01wi.d7riwiu.top – Rig EK run #2
- 22.214.171.124 – gyu1f1.eowjl2.top – Rig EK run #3
- 126.96.36.199, 188.8.131.52, 184.108.40.206 – post infection DNS queries shown below.
Traffic (run 3 and 2 in that order):
File name: RigEK Landing Page Run 2.html
File name: RigEK Flash Exploit Run 2.swf
File name: E35.tmp.exe
File name: RigEK Landing Page Run 3.html
File name: RigEK Flash Exploit Run 3.swf
File name: EB1F.tmp.exe
The infection chain begins at the compromised website. Once the compromised webpage loads in the browser a malicious script known as EITest redirects the host to a Rig EK server. Below are images of the injected script on the compromised site over the course of a week (run 1, run 2, run 3):
The URL within the script points to the Rig EK landing page. Once on the landing page the host is sent a Flash exploit followed by the payload.
Below we can see E35.tmp from run 2 and EB1F.tmp from run 3 dropped in %Temp%:
As soon as the files are executed you can see DNS queries for the domains listed in the IOC section and shown in the Traffic section.
VirusTotal shows the following domains resolving to 220.127.116.11, 18.104.22.168 and 22.214.171.124:
- nitrrotetris.com (created on 2016-10-16)
- monsterkillyep444.net (created on 2016-10-16)
- blintyris.net (created on 2016-10-16)
- lamerpamer.org (created on 2016-10-16)
- monertee39.com (created on 2016-10-16)
- rbnvekrer.org (created on 2016-10-26)
- lornointwonbt.org (created on 2016-10-27)
- rnwnbortobw.net (created on 2016-10-27)
- tinetrinmmm.org (created on 2016-10-26)
- flibnltnro.org (created on 2016-10-27)
- rbntornweob.net (created on 2016-10-27)
- glsrnrtonrb.com (created on 2016-10-27)
- ubnwotnobwrtno.org (created on 2016-10-27)
- lebnrltnbs.org (created on 2016-10-27)
Notice that all these domains were created recently. That is usually a bad sign. Scanning those domains on VirusTotal shows they are being detected by Sophos as malicious. This could be because they are newly registered domains.
Below are some examples of the TCP stream showing “MyCompany Ltd” used by the malware:
These sometimes trigger alerts for blacklist malicious SSL certificates (ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected). This looks like it could be Gootkit but I can’t be certain.
For now I would recommend blocking the Rig EK IPs as well as 126.96.36.199, 188.8.131.52 and 184.108.40.206 at your perimeter firewall(s).