Advertisement Domain Led to BossTDS, Which Redirected Host to RIG-v Exploit Kit at


  • – – RIG-v EK
  • – – Post-infection traffic via TCP port 5044
  • DNS query for, response from authoritative NS:



SHA256: 7334e5f058f0ae9a0bbe073da49bb155255855705907ea84fa40098994ba3c27
File name: Flash Exploit RIG-v.swf

SHA256: 51ce2615b3b0784f55d03d1ba3f77d13aaca40931c72df750b0e298edaf6e3c4
File name: ETTYUADAF

SHA256: 01028a0702188f86b8c743cb3af891073df63310e4f3013ae7aeba0aee01e40e
File name: rad94DC8.tmp.exe, drivupdater.exe
Hybrid-Analysis Submission

Infection Chain:
I have reason to believe the infection chain began with a redirect from clicking on an advert. The redirect leads to a domain selling a skincare product. For lack of a better term, I am calling it an advertisement page. It looks like a normal webpage, only it isn’t being indexed, so you won’t find it via Google search. The advertisement page contained an iframe pointing to a server running BossTDS. Below is an image of the iframe:


The iframe points to a location accessed via port 18001. BossTDS runs on this port by default; however, it can be configured to run on port 80 as well. The response from the server is a 200 OK. The response header contains the word “Cowboy.” BossTDS is bundled with Erlang, and “Cowboy” is a small, fast and modern HTTP server for Erlang/OTP.


The server’s response is determined by the IP geolocation. For example, certain geolocations will cause the server to return a 302 Found while others will return 200 OK. In this example we see the server return a 200 OK with a window.location.href redirect.


The response from the next GET request is 302 Found with the new redirect location being a RIG-v Exploit Kit “pre-landing” page, which we’ve become accustomed to seeing since December 4th, 2016.

The next steps follow the typical RIG-v EK infection chain. For example, if the User-Agent is IE then the host is passed to the landing page where it will likely be sent a Flash exploit followed by the payload.

We see ETTYUADAF (JS.Downloader) dropped in %Temp% followed by the payload, rad94DC8.tmp.exe:


The executable is also located in AppData\Roaming and C:\, both in the folder “Driver.”


It also creates persistence (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run):


Post-infection traffic is found in the DNS traffic, as we see continuous queries for, which resolves to. There is also communication to via TCP port 5044.

Also, the input sample is signed with a certificate issued to, OU=LOG Department, O=Logar Inc, L=New York City, ST=New York, C=US. Doing a quick Google search for “” returns similar malware samples that have been uploaded today (01/08/17):

Post-infection traffic from those samples includes the following DNS queries and TCP communications:

  • Connections to via TCP port 888 and DNS queries for
  • Connections to via TCP port 1555 and DNS queries for

The post-infection traffic looks similar to njRAT or the H-worm variant. Notice the use of subdomains from abused dynamic DNS domains. Here is a good article from OpenDNS discussing the use of abused dynamic DNS domains.
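As an added example (not code from the original post), here is a small Python detector that looks for the two post-infection patterns described above in Zeek-style connection and DNS logs: outbound TCP to the unusual ports seen in these samples (5044, 888, 1555) and repeated queries for subdomains of abused dynamic-DNS zones. The log lines, the host addresses and the list of dynamic-DNS zones are constructed assumptions for the example.

```python
import collections
from typing import Dict, List, Tuple

# Ports observed in the post-infection traffic described in the post.
SUSPICIOUS_PORTS = {5044, 888, 1555}
# Assumed dynamic-DNS zones (constructed for the example; extend from a
# reference such as the OpenDNS write-up mentioned in the post).
DYNDNS_ZONES = ("no-ip.org", "no-ip.biz", "ddns.net", "zapto.org", "duckdns.org")
REPEAT_THRESHOLD = 3  # "continuous queries": same name seen at least this often

# Constructed sample logs (tab separated). conn: ts, src, dst, dport, proto.
CONN_LOG = """\
1483920000.1\t10.0.0.5\t203.0.113.10\t5044\ttcp
1483920001.2\t10.0.0.5\t203.0.113.10\t5044\ttcp
1483920002.3\t10.0.0.5\t198.51.100.7\t443\ttcp
1483920003.4\t10.0.0.6\t192.0.2.44\t888\ttcp
"""
# dns: ts, src, query name.
DNS_LOG = """\
1483920000.0\t10.0.0.5\tbeacon.example.ddns.net
1483920010.0\t10.0.0.5\tbeacon.example.ddns.net
1483920020.0\t10.0.0.5\tbeacon.example.ddns.net
1483920021.0\t10.0.0.5\twww.example.com
1483920022.0\t10.0.0.6\tupdate.zapto.org
"""

def flag_connections(conn_log: str) -> List[Tuple[str, str, int]]:
    """Return distinct (src, dst, port) triples for TCP flows to suspicious ports."""
    hits = set()
    for line in conn_log.splitlines():
        _ts, src, dst, port, proto = line.split("\t")
        if proto == "tcp" and int(port) in SUSPICIOUS_PORTS:
            hits.add((src, dst, int(port)))
    return sorted(hits)

def flag_dyndns_queries(dns_log: str, threshold: int = REPEAT_THRESHOLD) -> Dict[Tuple[str, str], int]:
    """Count (src, qname) pairs under dynamic-DNS zones; keep those at or above threshold."""
    counts: collections.Counter = collections.Counter()
    for line in dns_log.splitlines():
        _ts, src, qname = line.split("\t")
        q = qname.lower().rstrip(".")
        if any(q == zone or q.endswith("." + zone) for zone in DYNDNS_ZONES):
            counts[(src, q)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

def correlate(conn_log: str, dns_log: str) -> List[str]:
    """Hosts showing both behaviours are the strongest candidates for triage."""
    conn_hosts = {src for src, _dst, _port in flag_connections(conn_log)}
    dns_hosts = {src for src, _q in flag_dyndns_queries(dns_log)}
    return sorted(conn_hosts & dns_hosts)

if __name__ == "__main__":
    print(flag_connections(CONN_LOG))
    print(flag_dyndns_queries(DNS_LOG))
    print(correlate(CONN_LOG, DNS_LOG))
```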

I recommend blocking the RIG-v EK IP at your perimeter firewall(s).

  1. […] 2017-01-09 – unspecified campaign Rig EK sends NanoCore RAT and other malware […]


