EITest Gate at 85.93.0.110 Leads to Rig EK at 178.32.92.122 and Drops Vawtrak

IOCs:

88.208.252.222 – cam-machine.com – Compromised Website
85.93.0.110 – focecu.xyz – EITest Gate
178.32.92.122 – eeuo5tu8.top – Rig EK
108.61.99.79 – Direct-to-IP GET requests for /module/ data (post-infection):

  • GET /module/d1967c99c0c7f9b468f2e08e59e41ffe
  • GET /module/311ac29c5a8f6b4e7a247db98207fd6e
  • GET /module/96df1c84c7fb13e880e399f9627e0db0
  • GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d
  • GET /module/a104f2955999a2f1a1c881e8930b82f6

Post-Infection DNS Queries resolving to 91.235.129.178:

  • zmluvsfe.com
  • machinabat.pw
  • baltolux.bid
  • twoggis.bid

Post-Infection DNS Queries resolving to 185.4.67.154:

  • chanpie.pw
  • zoomir.bid
  • buhnuti.bid
  • wermoo.pw

DNS standard query responses from 72.20.57.156:

  • h7m7uzgeh7i.net
  • p1lx78.net
  • kpkjko8qipc2q1.org
  • diiakqm2.com
  • gvfvmy.org
  • 01ekupp-y1z.com
  • g10m-k-8d1.net
  • 1d2wrau20duvlzf.org
  • 1dl3r.org
  • lhce.net
  • 0d0s-.org
  • lpg52d0wkpo.org
  • p5gle4w.org
  • 0dsmkgvx.com

Post-Infection HTTPS/TLS/SSL Traffic:
91.235.129.178 – SSL Certificate – (id-at-commonName=vuinuzhz.com)

Hashes:
SHA256: 7fef33a9a695f5f5053a72b00776edb961e3f6d38a9b16f1dbddbe212ebf1dc5
File name: EITest SWF Redirect from focecu.xyz at 85.93.0.110.swf

SHA256: 8db81976d70853c39f9402b3a90f737211de66baaa407ec203409ae3ab81a7ee
File name: EITest Gate from focecu.xyz at 85.93.0.110.html

SHA256: 5ad0d0cd38d400126206d3e60cbb4bb0e6a9c31aa7406891b4d64b35073bfdb2
File name: RigEK Landing Page from eeuo5tu8.top at 178.32.92.122.html

SHA256: 1878e064d0606514a656204776e51fcaa4746666f859fda05f96656fdcf2886a
File name: RigEK SWF Exploit from eeuo5tu8.top at 178.32.92.122.swf

SHA256: 24676a47c4690edd89bdc311351fd9b7f9de60322f84707654e85407d2168dd4
File name: RigEK Payload from eeuo5tu8.top at 178.32.92.122

Infection Chain:

The infection chain starts with the compromised website being injected with the EITest script, located within some tags:

The URL for the EITest SWF is found within the injected script. Below is the GET request for the SWF file:

The EITest SWF redirects the host to the EITest gate, where you can see the URL for the Rig EK landing page within the tag:

The response for the landing page (shown above) is being compressed so I’ll extract the file:

As always, a large portion of it is being encoded. The decoded portion is shown below:

After the host is redirected to the Rig EK landing page, we can see two GET requests for the exact same Flash exploit, followed by the payload:

The payload is 156 KB in size. Here are some files created in %APPDATA%:

Looking through the PCAP I can see some additional GET requests directly to an IP for more data:

Following the GET for the data in /module/ I found post-infection HTTPS/TLS/SSL Traffic to 91.235.129.178, which was resolving to zmluvsfe.com. Looking at the certificate information shows “commonName=vulnuzhz.com”:

There were also these DNS standard query responses from 72.20.57.156:
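To make the IOCs above and the infection chain usable for detection, here is an added example (my own code, not part of the original post) that loads the IP, domain and certificate indicators from the post and runs them over connection logs. It also carries a behavioural rule for the post-infection downloads: a GET for /module/ followed by 32 hex characters sent straight to an IP address, which fires even for an IP that is not on the list. The tab-separated, Zeek-like record layout (dns / http / ssl lines) and every sample log line are constructed for the demo; the URIs on the gate and landing-page requests are placeholders, since the post does not show them.

```python
import re
from typing import Dict, List, NamedTuple

# Indicators copied from the post's IOC section.
IOC_IPS: Dict[str, str] = {
    "88.208.252.222": "compromised website (cam-machine.com)",
    "85.93.0.110": "EITest gate (focecu.xyz)",
    "178.32.92.122": "Rig EK (eeuo5tu8.top)",
    "108.61.99.79": "post-infection /module/ download host",
    "91.235.129.178": "post-infection C2",
    "185.4.67.154": "post-infection C2",
}
IOC_DOMAINS: Dict[str, str] = {
    "cam-machine.com": "compromised website",
    "focecu.xyz": "EITest gate",
    "eeuo5tu8.top": "Rig EK",
    **{d: "post-infection C2 (91.235.129.178)" for d in
       ("zmluvsfe.com", "machinabat.pw", "baltolux.bid", "twoggis.bid")},
    **{d: "post-infection C2 (185.4.67.154)" for d in
       ("chanpie.pw", "zoomir.bid", "buhnuti.bid", "wermoo.pw")},
}
IOC_CERT_CNS: Dict[str, str] = {"vuinuzhz.com": "post-infection TLS certificate CN"}

# Behavioural rule: the post-infection downloads were GET /module/<32 hex>
# sent directly to an IP (Host header is a bare IPv4 address, not a name).
MODULE_URI = re.compile(r"^/module/[0-9a-f]{32}$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CERT_CN = re.compile(r"(?:^|,)\s*CN=([^,]+)")


class Hit(NamedTuple):
    line_no: int    # log line that matched
    record: str     # dns / http / ssl
    indicator: str  # the value that matched
    label: str      # what the post says it is


def match_dns(n: int, query: str, answers: List[str]) -> List[Hit]:
    hits = [Hit(n, "dns", query, IOC_DOMAINS[query])] if query in IOC_DOMAINS else []
    hits += [Hit(n, "dns", a, "resolves to " + IOC_IPS[a]) for a in answers if a in IOC_IPS]
    return hits


def match_http(n: int, dst_ip: str, host: str, uri: str) -> List[Hit]:
    hits = []
    if dst_ip in IOC_IPS:
        hits.append(Hit(n, "http", dst_ip, IOC_IPS[dst_ip]))
    if host in IOC_DOMAINS:
        hits.append(Hit(n, "http", host, IOC_DOMAINS[host]))
    if MODULE_URI.match(uri) and IPV4.match(host):
        hits.append(Hit(n, "http", uri, "direct-to-IP /module/ download pattern"))
    return hits


def match_ssl(n: int, dst_ip: str, subject: str) -> List[Hit]:
    hits = []
    if dst_ip in IOC_IPS:
        hits.append(Hit(n, "ssl", dst_ip, IOC_IPS[dst_ip]))
    m = CERT_CN.search(subject)
    if m and m.group(1).strip() in IOC_CERT_CNS:
        cn = m.group(1).strip()
        hits.append(Hit(n, "ssl", cn, IOC_CERT_CNS[cn]))
    return hits


def scan(lines: List[str]) -> List[Hit]:
    """Dispatch each record to the matcher for its type; skip comments/blank lines."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if f[0] == "dns" and len(f) == 5:        # dns  ts src query answers
            hits += match_dns(n, f[3], [a for a in f[4].split(",") if a])
        elif f[0] == "http" and len(f) == 6:     # http ts src dst_ip host uri
            hits += match_http(n, f[3], f[4], f[5])
        elif f[0] == "ssl" and len(f) == 5:      # ssl  ts src dst_ip cert_subject
            hits += match_ssl(n, f[3], f[4])
    return hits


# Constructed sample log (assumed layout; not taken from the post's PCAP).
SAMPLE_LOG = [
    "# record\tts\tsrc\t...",
    "dns\t1\t10.0.0.5\tcam-machine.com\t88.208.252.222",
    "http\t2\t10.0.0.5\t88.208.252.222\tcam-machine.com\t/",
    "dns\t3\t10.0.0.5\tfocecu.xyz\t85.93.0.110",
    "http\t4\t10.0.0.5\t85.93.0.110\tfocecu.xyz\t/",
    "http\t5\t10.0.0.5\t178.32.92.122\teeuo5tu8.top\t/",
    "http\t6\t10.0.0.5\t108.61.99.79\t108.61.99.79\t/module/d1967c99c0c7f9b468f2e08e59e41ffe",
    "dns\t7\t10.0.0.5\tzmluvsfe.com\t91.235.129.178",
    "ssl\t8\t10.0.0.5\t91.235.129.178\tCN=vuinuzhz.com",
    "dns\t9\t10.0.0.5\texample.org\t93.184.216.34",     # benign, no hit
    "http\t10\t10.0.0.5\t93.184.216.34\texample.org\t/index.html",
    "http\t11\t10.0.0.5\t203.0.113.9\t203.0.113.9\t/module/0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no:2} {h.record:4} {h.indicator:45} {h.label}")
```

Exact-match hits reconstruct the chain in log order (compromised site, gate, Rig EK, /module/ host, then the C2 resolution and certificate), while the last sample line shows the behavioural rule catching a /module/ download to an IP the list does not know about, which is the kind of match worth reviewing when the listed infrastructure has already rotated.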
