- 126.96.36.199 – orfab.com – Compromised Site
- 188.8.131.52 – piperandscoot.top – EITest Gate
- 184.108.40.206 – jxlyv.xajee73.top – Rig EK
- 220.127.116.11/bt/logout.php – post infection callback traffic
File name: EITest Flash Redirect.swf
File name: EITest Gate.html
File name: RigEK Landing Page.html
File name: RigEK Flash Exploit.swf
As you can probably tell from the image of the traffic above I let the host sit a long time. I was hoping to grab more IOCs and get more clues as to the identity of the malware.
Unfortunately, I haven’t yet been able to ID this post-infection traffic. The IP has no reputation history on VirusTotal and searching for the URI or the IP via Google didn’t return any useful results. One thing I want to point out is that these POST requests were occurring in ten minute intervals.
Additional research showed that 18.104.22.168 belongs to AS 203049 CLOUDPRO in Russia. The Whois lookup information shows the netname being FIRSTBYTE-RU-MSK, which is a Russian hosting provider. I also happened to see the host making several DNS requests for PTR records. The reverse DNS request were for 22.214.171.124.in-addr.arpa. The response for these reverse DNS requests were the following:
You can see from the UDP traffic above that the responses show three FirstByte DNS servers. On to the infection chain…
The infection chain for this started out with browsing to the compromised website. Below is an image showing the obfuscated and encoded EITest script in the website’s source code:
The script is being obfuscated and hex encoded. Using the replace() method to replace all underscores with percent signs removes the obfuscation and returns the hex encoded data. The hex encoded data is then decoded via the decodeURIComponent() function and then written to the document with the document.write() function. Here is the script fully deobfuscated and decoded:
The purpose of the EITest script is to give the host instructions to download the EITest Flash file. The location for the Flash file is shown in the URL in the script. Here is the GET request for that Flash file:
The EITest Flash file is used as a redirection mechanism as it contains the URL for the EITest Gate. Shown below is the GET request (redirection) for the EITest gate:
The EITest gate is the second stage redirection mechanism for this infection chain. For example, you can see that there is a “.href = ‘http:[Rig EK]'” containing the URL for the Rig EK landing page.
Here is the GET request for the landing page, as well as the GET requests for the Rig EK Flash Exploit and the payload:
The infection from the Rig EK server caused a .tmp file to be dropped in %TEMP% and an executable named 1miy35koc5c3.exe.
That executable has a file description of “Windows Audit Service Update”. This payload seemed to be very similar to my last EITest infection written about HERE.
Here are some registry keys created by the malware:
Notice that the file path shows “C:\ProgramData\Windows Audit Service Update\1miy35koc5c3.exe” however the malware has now hidden C:\ProgramData\ from me even though I have enabled show all hidden files:
More to come later…