EITest Leads to Rig EK at 192.99.197.128

IOCs:

  • 160.153.75.199 – stampscraparttour.com – Compromised website
  • 192.99.197.128 – qca7.rsecx.top – Rig EK
  • 194.58.108.203 – GET /drb3.php?a=n [truncated]
  • 185.49.68.167 – srugbah.com GET /d8/u1.php?a=n [truncated]
  • 192.168.175.135 and 104.24.28.9 – whoer.net – IP check

There were also GET requests to cl.com, craigslist.org, google.com, yahoomail.com, mail.aol.com, and lolvn.gameinfo.garenanow.com. Furthermore, many of the requests being made use port 2346, which appears to be some sort of game connection port. I also found connections to a service called redstorm_join. The connections to this gaming service might help to explain the GET requests to lolvn.gameinfo.garenanow.com. Following these requests are duplicate HTTP requests. Below is an example of the traffic:

[Image: traffic-1]

Looking at the traffic shown above, you can see two identical GET requests, one using port 2346 and one using the standard HTTP port (80).

Below is some more traffic showing GET requests for sfbay.craigslist.org and dallas.craigslist.org. The URIs for both SF Bay (San Francisco) and Dallas show a search query for “kia+optima&excats=&userid=&search_distance=&postal=&min_price=&max_price=&auto_make_model=&min_auto_year=&max_auto_year=&min_auto_miles=&max_auto_miles=”. See the traffic below for an example:

[Image: traffic-2]

My IP was set to San Francisco during this infection so the requests to sfbay.craigslist.org likely aren’t coincidental.

Here is some more traffic that I found in Wireshark after I let the host sit for a couple of hours:

[Image: traffic-3]

The User-Agent information found in some of the traffic:

  • Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)(Firefox 3.6.3)
  • Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36(Chrome 54.0.2840.59)
  • Mozilla/5.0 (X11; FreeBSD i386; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1 (SeaMonkey 2.33.1)
  • Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.21 (KHTML, like Gecko) konqueror/4.14.2 Safari/537.21 (Safari)
  • yewj_http_async – (Associated with the domain garenanow.com)

Hashes:

SHA256: dee797e4201fec7507209784216389491edfc64243de671be710429b2be8ba71
File name: RigEK Landing Page.html

SHA256: 00351c20222f82a931cbedc33bc142ed6549b998282baf775f2810545ce8e322
File name: RigEK Flash Exploit.swf

SHA256: f61f27b104b86c7c142525b043c69ff3346231cef4816f06627be52e526d65e4
File name: 56BD.tmp

SHA256: 51edef6374e1c84f997195977c8823510d2062e76ace86128cb889d468be7e13
File name: Linker.dll
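To turn the IOCs above (IP addresses, hostnames, the odd yewj_http_async User-Agent, the duplicated port 2346/port 80 GET requests, and the file hashes) into something a defender can run over their own logs, here is an added Python triage script. It is example code written for this page, not the author's tooling. The pipe-separated record format and the sample records are constructed for the example (the Rig EK landing URI and the craigslist path are not reproduced from the capture, and the 203.0.113.x addresses are documentation-range placeholders); a real export from Wireshark or Zeek would need its own parser.

```python
"""Triage of HTTP request records against the IOCs listed in the post.

Record format (constructed for this example, one record per line):
    ts|dst_ip|dst_port|host|request_line|user_agent
"""
import hashlib
from collections import defaultdict

# IOC IP addresses from the post.
IOC_IPS = {
    "160.153.75.199": "compromised website (stampscraparttour.com)",
    "192.99.197.128": "Rig EK (qca7.rsecx.top)",
    "194.58.108.203": "post-infection callback (GET /drb3.php?a=n)",
    "185.49.68.167": "post-infection callback (srugbah.com GET /d8/u1.php?a=n)",
}
# IOC hostnames from the post (catches traffic even if the IP changes).
IOC_HOSTS = {
    "stampscraparttour.com": "compromised website",
    "qca7.rsecx.top": "Rig EK",
    "srugbah.com": "post-infection callback",
}
# Unusual User-Agent seen on the infected host.
SUSPICIOUS_UA = {"yewj_http_async"}
# Non-standard port on which the infected host duplicated its HTTP requests.
ODD_HTTP_PORT = 2346
# SHA256 hashes of the files listed in the post.
KNOWN_BAD_SHA256 = {
    "dee797e4201fec7507209784216389491edfc64243de671be710429b2be8ba71": "RigEK Landing Page.html",
    "00351c20222f82a931cbedc33bc142ed6549b998282baf775f2810545ce8e322": "RigEK Flash Exploit.swf",
    "f61f27b104b86c7c142525b043c69ff3346231cef4816f06627be52e526d65e4": "56BD.tmp",
    "51edef6374e1c84f997195977c8823510d2062e76ace86128cb889d468be7e13": "Linker.dll",
}

# Constructed sample records (not from the original capture).
SAMPLE_LOG = """\
# ts|dst_ip|dst_port|host|request_line|user_agent
2017-01-05T14:00:01|160.153.75.199|80|stampscraparttour.com|GET / HTTP/1.1|Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
2017-01-05T14:00:04|192.99.197.128|80|qca7.rsecx.top|GET / HTTP/1.1|Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
2017-01-05T14:00:09|194.58.108.203|80|194.58.108.203|GET /drb3.php?a=n HTTP/1.1|Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
2017-01-05T14:00:10|185.49.68.167|80|srugbah.com|GET /d8/u1.php?a=n HTTP/1.1|Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
2017-01-05T14:01:00|203.0.113.10|2346|sfbay.craigslist.org|GET /search?query=kia+optima&excats=&userid= HTTP/1.1|Mozilla/5.0 (X11; FreeBSD i386; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
2017-01-05T14:01:00|203.0.113.10|80|sfbay.craigslist.org|GET /search?query=kia+optima&excats=&userid= HTTP/1.1|Mozilla/5.0 (X11; FreeBSD i386; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
2017-01-05T14:01:05|203.0.113.11|80|dallas.craigslist.org|GET /search?query=kia+optima&excats=&userid= HTTP/1.1|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.21 (KHTML, like Gecko) konqueror/4.14.2 Safari/537.21
2017-01-05T14:02:00|203.0.113.12|80|lolvn.gameinfo.garenanow.com|GET / HTTP/1.1|yewj_http_async
"""


def parse_records(text):
    """Parse the pipe-separated records; blank, comment and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue  # do not let one bad line abort the whole triage
        ts, dst_ip, port, host, request, ua = parts
        records.append((ts, dst_ip, int(port), host, request, ua))
    return records


def match_iocs(records):
    """Return (timestamp, reason) hits for records touching a known IOC or User-Agent."""
    hits = []
    for ts, dst_ip, _port, host, _request, ua in records:
        if dst_ip in IOC_IPS:
            hits.append((ts, f"IOC IP {dst_ip}: {IOC_IPS[dst_ip]}"))
        elif host in IOC_HOSTS:
            hits.append((ts, f"IOC host {host}: {IOC_HOSTS[host]}"))
        if ua in SUSPICIOUS_UA:
            hits.append((ts, f"suspicious User-Agent: {ua}"))
    return hits


def find_port_duplicates(records, odd_port=ODD_HTTP_PORT):
    """Find (host, request) pairs issued identically on both port 80 and the odd port."""
    ports_seen = defaultdict(set)
    for _ts, _ip, port, host, request, _ua in records:
        ports_seen[(host, request)].add(port)
    return sorted(key for key, ports in ports_seen.items() if {80, odd_port} <= ports)


def classify_sha256(hex_digest):
    """Map a SHA256 hex digest to the file name from the post, or None if unknown."""
    return KNOWN_BAD_SHA256.get(hex_digest.lower())


def sha256_of_bytes(data):
    """Hex SHA256 of a byte string, for checking files pulled from %TEMP%."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for ts, reason in match_iocs(recs):
        print(ts, reason)
    for host, request in find_port_duplicates(recs):
        print("duplicated on ports 80 and", ODD_HTTP_PORT, "->", host, request)
```

The port-duplicate check keys on the host header plus the full request line, so a browser revisiting the same page on port 80 alone does not trigger it; only the paired 2346/80 pattern the post describes does. Hash matching lowercases the input so digests copied from tools that print uppercase still match.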

Infection Chain:

The infection starts out with the user browsing to the compromised website. Viewing the website’s source code we can see that it has been injected with the EITest script:

[Image: compromised-site]

The host is then redirected to the URL within the script. Once on the Rig EK landing page the host is served more script, followed by a Flash exploit and then the payload. The payload (56BD.tmp) was dropped in %TEMP% along with an injector (Linker.dll) and some other files:

[Image: temp]

There was also a registry key created for a shortcut to MS-DOS Program (56BD.tmp):

[Image: registry-key-for-malware]

Restarting the host shows it attempting to open “suppliers Setup” (Whiplash.v6f) from %TEMP% but it returns an error:

[Image: error]

I recommend blocking the Rig EK IP as well as 194.58.108.203 and 185.49.68.167 at your perimeter firewall(s).

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
