EITest Leads to Rig EK at 185.117.73.96 Which Sends H1N1

IOCs:

  • 159.203.83.164 – theglades-newlaunch.com – Compromised Site
  • 185.117.73.96 – dqxwriw.rfasy90.top – Rig EK
  • 185.93.185.3 – POST and GET requests via direct IP – H1N1 traffic
    • POST 185.93.185.3/h/gate.php
    • GET 185.93.185.3/zp/1bc.php?[truncated]

Traffic:

iocs

Hashes:

  1. SHA256: f0a89d5750ba6da934ac7cd680aad81b8b53c1647605ee325186d7e1009de79c
    File name: RigEK Landing Page.html
  2. SHA256: cff2e04045c905426c4e1974f591ce45011b21ac82f8880ab8ede85175427db6
    File name: RigEK Flash Exploit.swf
  3. SHA256: 540148c35dd8fb861e5472f68224f899dd7bea4c9216ed6fdcda430c5632b3b5
    File name: svcxdcl32.exe
  4. SHA256: e9b48129a44804a0e2140e6f1a66621816e95e5786f41d2f0afe8403b63f4a6b
    File name: svcxdcl32.dat

Infection Chain:

Recently EITest has stopped using the Flash redirector and gate. It has now been redirecting hosts directly to the EK server. Below is an image of the EITest script on the compromised website:

eitest

The script redirected the host the Rig EK server where the host was sent a Flash exploit and then a payload.

Doing multiple runs on the compromised website I saw .tmp files dropped in %TEMP% (which self deleted themselves) as well as two files dropped in %LOCAL%:

local

Post-infection traffic seems to be associated with H1N1. I recommend blocking the IPs listed in the IOCs section.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: