Campaign Leads to RIG EK and Fake Flash Player Update Site. RIG Drops URLZone and Fake Flash Player Update Drops a Miner.

On 08/02/17 I used the domain www2[.]davidhelpling[.]org to redirect my host to a RIG EK landing page located at

Redirect to RIG EK

RIG ended up dropping URLZone, which is a banking Trojan first discovered in 2009. More recently URLZone has been seen targeting Japan via malspam campaigns. You can read more about URLZone at the link below, as well as view the VirusTotal and Hybrid-Analysis report from that infection:

The VirusTotal and Hybrid-Analysis reports.

On August 3rd, I used the same campaign for another infection; however, instead of being redirected to RIG, I was redirected to a domain hosting those all-too-familiar Flash Player “update” scams. Below is the redirection chain:

TCP stream edited

scr.php returned a script that redirected to the fake Flash Player update page.

scr dot php

Users will install these fake Flash Player updates, especially when they are served from a video streaming site, because they tend to believe the update is required to view the video(s).

Below is an image of the landing page:

fake flash player update edited

Nothing special here, just your typical fake Flash Player update page. Once the page loads, the user is given the option of installing “flashplayer_install_win.exe”. I thought this would be another case of adware, but after doing some basic dynamic analysis I could tell this was a miner. This was later confirmed by @Antelox (thanks!), who identified it as XMRig CoinMiner.

Following the execution of flashplayer_install_win.exe we can see some HEAD requests for /062/system.exe and /062/1.bat located at (

HEAD requests

Looking at the process tree below we also see the download of a file called Security.exe.


The /062/ directory is still open:

Index of 062

The 1.bat file (, while obfuscated, ended up only being a couple lines of code that set the number of processors and file attributes:


Cleaned & commented by my buddy IRDivision (thanks!)

We see instructions for connections to via TCP port 45560:

Contacted host

We also see a Gmail address in 1.bat.

The hidden files were in fact found in C:\ProgramData\System32:

ProgramData System32

During further examination of the server hosting the XMRig CoinMiner I located some interesting statistics:

Stats edited

It shows the IPs, OS, browser, browser version, language, user-agent, and clicks from the users visiting the site. Other columns show the breakdown of the countries by count and click, as well as the breakdown of the platform by count and click.

Below are some quick graphs and a map that I made using the statistics:

Platform and clicks; browser count; activity by country

Internet Explorer was the clear winner of the battle of the browsers. There was also a lot of activity from Windows 7 and Windows XP users; however, Windows 7 had 59 clicks while Windows XP had only 5. Lastly, while most visitors were from Spain, the United States brings home the gold medal in clicks. Overall, the pattern shows a pretty low click rate.

I wouldn’t be surprised if we started seeing more diversity of payloads from these kinds of scam pages. Furthermore, with Flash set to die off in 2020, we will likely see shifts to fake updates focusing on Java, etc.

Network Traffic
  • – RIG EK
  • –
  • via TCP port 45560

SHA256: 653c7267c92601548f3b44f304294e77284be75d7f03ed6e7a6821ca8dd156ff
File name: flashplayer_install_win.exe
Hybrid-Analysis Report

SHA256: 0ebadbfdd853d5e6977e58712b8d5912d960eec008322285dc7f3eaa86c0c166
File name: system.exe
Hybrid-Analysis Report

SHA256: 91131690a5e611a4002ff093640fb0a822ceec455b78a03431f4e82bbd3b2934
File name: Security.exe
Hybrid-Analysis Report

SHA256: 93cc8f39754cc60e4c936d07b013d3734540a7e5e50d78b62308634a2d4435af
File name: 1.bat


Password is “infected”
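As an added example (not part of the original post), here is a small Python triage script that turns the indicators above into detection logic: it flags the HEAD requests for /062/system.exe and /062/1.bat, any other fetch from the /062/ directory, outbound connections to TCP port 45560, and file hashes matching the SHA256 values listed. The log lines, the 203.0.113.10 server address and the log format are constructed for the example; the real hosts are not reproduced here.

```python
import hashlib
import re

# Indicators taken from the post: URL paths, the miner's TCP port, and SHA256 values.
SUSPECT_PATHS = {"/062/system.exe", "/062/1.bat"}
MINER_C2_PORT = 45560
KNOWN_HASHES = {
    "653c7267c92601548f3b44f304294e77284be75d7f03ed6e7a6821ca8dd156ff": "flashplayer_install_win.exe",
    "0ebadbfdd853d5e6977e58712b8d5912d960eec008322285dc7f3eaa86c0c166": "system.exe",
    "91131690a5e611a4002ff093640fb0a822ceec455b78a03431f4e82bbd3b2934": "Security.exe",
    "93cc8f39754cc60e4c936d07b013d3734540a7e5e50d78b62308634a2d4435af": "1.bat",
}

# Constructed sample logs. Proxy lines: "client method host path status".
# Firewall lines: "FW client -> dst:port TCP action". 203.0.113.10 is a placeholder.
SAMPLE_LOGS = """\
10.0.0.5 HEAD 203.0.113.10 /062/system.exe 200
10.0.0.5 HEAD 203.0.113.10 /062/1.bat 200
10.0.0.5 GET 203.0.113.10 /062/1.bat 200
10.0.0.7 GET www.example.com /index.html 200
FW 10.0.0.5 -> 203.0.113.10:45560 TCP ALLOW
FW 10.0.0.7 -> 198.51.100.20:443 TCP ALLOW
"""

HTTP_RE = re.compile(r"^(\S+) (HEAD|GET|POST) (\S+) (\S+) (\d{3})$")
FW_RE = re.compile(r"^FW (\S+) -> (\S+):(\d+) TCP")


def find_indicators(log_text):
    """Return (client, indicator, detail) tuples for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            client, method, _host, path, _status = m.groups()
            if method == "HEAD" and path in SUSPECT_PATHS:
                hits.append((client, "head-request", path))   # the stager's HEAD probes
            elif path.startswith("/062/"):
                hits.append((client, "062-directory", path))  # any other pull from /062/
            continue
        m = FW_RE.match(line)
        if m and int(m.group(3)) == MINER_C2_PORT:
            hits.append((m.group(1), "miner-port", m.group(2)))  # TCP/45560 connection
    return hits


def check_file_hash(data):
    """Return the listed file name if data's SHA256 matches an indicator, else None."""
    return KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for client, kind, detail in find_indicators(SAMPLE_LOGS):
        print(f"{client}\t{kind}\t{detail}")
```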

Until next time!



