IOCs:
- 159.203.83.164 – theglades-newlaunch.com – Compromised Site
- 185.117.73.96 – dqxwriw.rfasy90.top – Rig EK
- 185.93.185.3 – POST and GET requests via direct IP – H1N1 traffic
- POST 185.93.185.3/h/gate.php
- GET 185.93.185.3/zp/1bc.php?[truncated]
Traffic:
Hashes:
- SHA256: f0a89d5750ba6da934ac7cd680aad81b8b53c1647605ee325186d7e1009de79c
- RigEK Landing Page.html – SHA256: cff2e04045c905426c4e1974f591ce45011b21ac82f8880ab8ede85175427db6
- RigEK Flash Exploit.swf – SHA256: 540148c35dd8fb861e5472f68224f899dd7bea4c9216ed6fdcda430c5632b3b5
- svcxdcl32.exe – SHA256: e9b48129a44804a0e2140e6f1a66621816e95e5786f41d2f0afe8403b63f4a6b
- svcxdcl32.dat
Infection Chain:
Recently, EITest stopped using the Flash redirector and gate; it now redirects hosts directly to the EK server. Below is an image of the EITest script on the compromised website:
The script redirected the host to the Rig EK server, where the host was sent a Flash exploit and then a payload.
Doing multiple runs on the compromised website, I saw .tmp files dropped in %TEMP% (which deleted themselves) as well as two files dropped in %LOCAL%:
Post-infection traffic seems to be associated with H1N1. I recommend blocking the IPs listed in the IOCs section.
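As an added example (not part of the original write-up), the following script turns the IOCs above and the H1N1 request shapes (POST to /h/gate.php, GET to /zp/1bc.php, both to a bare IP) into a small proxy-log check, so the block recommendation can be backed by detection of hosts that already beaconed. The log layout and all client/other-host addresses are constructed for the example.

```python
import re
from ipaddress import ip_address

# Indicators copied from the IOC section above.
IOC_IPS = {"159.203.83.164", "185.117.73.96", "185.93.185.3"}
IOC_DOMAINS = {"theglades-newlaunch.com", "dqxwriw.rfasy90.top"}
# Post-infection request shapes from the IOC section: (method, path regex).
H1N1_PATTERNS = [("POST", re.compile(r"^/h/gate\.php$")),
                 ("GET", re.compile(r"^/zp/1bc\.php(\?.*)?$"))]

def is_bare_ip(host):
    """True when the HTTP Host value is a literal IP rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def classify(line):
    """Return the reasons a proxy log line is flagged (empty list if clean).
    Assumed (constructed) layout: client method host path status."""
    parts = line.split()
    if len(parts) != 5:
        return []
    _client, method, host, path, _status = parts
    reasons = []
    if host in IOC_IPS:
        reasons.append("ioc-ip")
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain")
    # Behavioural match: gate/beacon paths on a bare-IP host (catches the family on a new IP).
    if is_bare_ip(host) and any(m == method and p.match(path) for m, p in H1N1_PATTERNS):
        reasons.append("h1n1-pattern")
    return reasons

def scan(log_text):
    """Return {line: reasons} for every flagged line in a proxy log."""
    return {ln: classify(ln) for ln in log_text.splitlines() if classify(ln)}

# Constructed sample proxy log (not from the original capture); 192.0.2.0/24
# and 198.51.100.0/24 are documentation ranges standing in for other hosts.
SAMPLE_LOG = """\
10.0.0.5 GET theglades-newlaunch.com /index.html 200
10.0.0.5 POST 185.93.185.3 /h/gate.php 200
10.0.0.5 GET 185.93.185.3 /zp/1bc.php?x=1 200
10.0.0.7 GET 192.0.2.10 /favicon.ico 404
10.0.0.7 POST 198.51.100.9 /h/gate.php 200
10.0.0.7 GET www.example.com /h/gate.php 200
"""
```

Running `scan(SAMPLE_LOG)` flags four of the six lines; the fifth line shows the behavioural rule firing on an IP that is not in the IOC list, which is the case a pure blocklist misses.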