EITest Leads to Rig EK at 176.223.111.152. Malicious SSL Certificate Detected.

IOCs:

Traffic:

traffic

Hashes:

SHA256: 92594f381dec2034ef0e0f53d0c5dbe8b8f706d36460e84172e9de9a08d3dec3
File name: RigEK Landing Page.html

SHA256: 49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd
File name: RigEK Flash Exploit.swf

SHA256: 1f808ad8020b7730980646de6db5781859ee57d3867f6bed6a46a4c26625ace6
File name: 7822.tmp

Hybrid-Analysis.com:

I ran the file through hybrid-analysis.com and it generated the following report. In that report we can see it flagging the SSL traffic for the following:

  • ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)
    • alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:”ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)”; flow:established,from_server; content:”|16 03|”; content:”|0b|”; within:7; content:”|55 04 0a|”; content:”|0e|MyCompany Ltd.”; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:bad-unknown; sid:2015560; rev:7;)

Recent SSL Blacklist entries for “ZeuS C&C” and “Gootkit C&C” via sslbl.abuse.ch:

ssl-cert-gootkit

sslbl-abuse-ch

And here are some samples of the TCP stream showing MyCompany Ltd used by the malware:

tcp-stream

mycompany-ltd-1

Infection Chain:

The infection chain begins at the compromised website. Once the compromised webpage loads in the browser a malicious script known as EITest redirects the host to a Rig EK server. Below is an image of the injected script on the compromised site:

compromised-site

The URL within the script points to the Rig EK landing page. Below is an image of the GET request for the obfuscated Rig EK landing page followed by the GET request for the Flash exploit:

lp-and-flash-exp

Lastly we see the request for the payload which is then dropped in %TEMP%:

payloadtemp

Once 7822.tmp ran I could see DNS queries to domains resolving back to 222.206.156.2 and 208.73.206.17. Both of those IPs are owned by China’s Education And Research Network.

VirusTotal shows the following domains resolving to 222.206.156.2 and 208.73.206.17:

Notice that all these domains were created recently. That is usually a bad sign. Scanning those domains on VirusTotal shows they are being detected by Sophos as malicious.

For now I would recommend blocking the Rig EK IP as well as 222.206.156.2 and 208.73.206.17 at your perimeter firewall(s).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: