- 220.127.116.11 – theconservativeclub.us – Compromised website
- 18.104.22.168 – bj4lr.xl2sz08.top – Rig EK
- 22.214.171.124 and 126.96.36.199 – post infection DNS queries (shown below) and contacted both IPs via TCP port 80.
File name: RigEK Landing Page.html
File name: RigEK Flash Exploit.swf
File name: 7822.tmp
I ran the file through hybrid-analysis.com and it generated the following report. In that report we can see it flagging the SSL traffic for the following:
- ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)
- alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:”ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)”; flow:established,from_server; content:”|16 03|”; content:”|0b|”; within:7; content:”|55 04 0a|”; content:”|0e|MyCompany Ltd.”; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:bad-unknown; sid:2015560; rev:7;)
Recent SSL Blacklist entries for “ZeuS C&C” and “Gootkit C&C” via sslbl.abuse.ch:
And here are some samples of the TCP stream showing MyCompany Ltd used by the malware:
The infection chain begins at the compromised website. Once the compromised webpage loads in the browser a malicious script known as EITest redirects the host to a Rig EK server. Below is an image of the injected script on the compromised site:
The URL within the script points to the Rig EK landing page. Below is an image of the GET request for the obfuscated Rig EK landing page followed by the GET request for the Flash exploit:
Lastly we see the request for the payload which is then dropped in %TEMP%:
Once 7822.tmp ran I could see DNS queries to domains resolving back to 188.8.131.52 and 184.108.40.206. Both of those IPs are owned by China’s Education And Research Network.
VirusTotal shows the following domains resolving to 220.127.116.11 and 18.104.22.168:
- nitrrotetris.com (created on 2016-10-16)
- monsterkillyep444.net (created on 2016-10-16)
- blintyris.net (created on 2016-10-16)
- lamerpamer.org (created on 2016-10-16)
- monertee39.com (created on 2016-10-16)
Notice that all these domains were created recently. That is usually a bad sign. Scanning those domains on VirusTotal shows they are being detected by Sophos as malicious.
For now I would recommend blocking the Rig EK IP as well as 22.214.171.124 and 126.96.36.199 at your perimeter firewall(s).