EITest Leads to Rig EK at 70.39.114.242

IOCs:

  • 192.185.36.129 – hwcollectorsnews.com – Compromised website
  • 70.39.114.242:
    • rm96.ppw0u8za.top – Rig EK (1st run – failed)
    • fw61yxp.wlj92st.top – Rig EK (2nd and 3rd run)
    • k81qe.m1s5xy1u1.top – Rig EK (4th run)
  • Post-infection DNS queries for VitaeTortorVitaesUsciPit.us (created on 11-3-16)
    • Query responses = server failure

Traffic (1st – 4th run, in that order):

[Images: 1st-run traffic, 2nd-run traffic, 3rd-run traffic, 4th-run traffic]

Hashes:

SHA256: 8167b2d11e4123bcb5ffb1d7d2852dd7b72aa8d5188005dd428274adaea33bde
File name: RigEK Landing page 1.html

SHA256: 1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1
File name: RigEK Flash Exploit (all runs).swf

SHA256: 024ee7bb57db6a7db943fb741f3f4f1cd82924de7c1a8f6453fc3c546fd5cda9
File name: RigEK Landing Page 2.html

SHA256: 3045bcc35f44264a9810660b3b3ede3399d26fc221ed2bf10cde8c8f1105a361
File name: EF3C.tmp

SHA256: 94100dd03c2309e0844d587e0b8d7d11b0cb00b55cf7e0faf1c2042cec5604ed
File name: RigEK Landing Page 3 and 4.html

SHA256: f36d55ea650165e4b0eab9b4a4e45d19639e0a02d6062f297ec000a37a161b98
File name: 5733.tmp

SHA256: f28f327772714f6ffa061c405bde2b0da3294d5c671791b4d09681824755b32a
File name: AD70.tmp

Infection Chain:

Today I found the compromised website hwcollectorsnews.com. Users visiting the site are redirected to a Rig EK landing page when the injected EITest script is present in the page code. Below are images of the EITest script during each run (runs 2 and 3 used the same sub-domain):

[Images: EITest script as seen in runs 1 to 4]

Once on the landing page the host made GET requests for the same Flash exploit followed by the payloads. The first run failed (sad face):

[Image: failed payload download, 1st run]

File size is 1kb:

[Image: 1st-run payload file size]

The second and third run both returned payloads; however, I'm not sure what they are and I couldn't find any signs of post-infection traffic. Below are images of EF3C.tmp (2nd run) and 5733.tmp (3rd run):

Process running (5733.tmp):

[Image: 5733.tmp running as a process]

The last run returned AD70.tmp. Below is a brief risk assessment:

[Image: sandbox risk assessment for AD70.tmp]

Among other things you can see that the sandbox found some network traffic, specifically DNS queries for vitaetortorvitaesuscipit.us. That matches the traffic that I found in Wireshark (see traffic images at the very top of the page). The full URL found in the binary was hxxp://vitaetortorvitaesuscipit[.]us/wiotqacklj/q/index.php?id=21480827&c=1&mk=319850

We can also see some processes, an application called “svchost.exe” in the user’s Roaming folder, and a registry run key:

[Images: svchost.exe process, svchost.exe in the Roaming folder, registry run key]

I am recommending blocking 70.39.114.242 at your perimeter firewall(s).
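To turn the IOCs above into a quick check against your own resolver logs, here is an added example (not part of the original post) that matches DNS query log lines against the domains listed at the top of the page, using label-based suffix matching so that look-alike names are not flagged by accident, and records the response code so the SERVFAIL responses seen for vitaetortorvitaesuscipit.us stand out. The log format and the sample lines are constructed for the example.

```python
import re

# IOC domains from the post, mapped to what they were seen doing.
IOC_DOMAINS = {
    "hwcollectorsnews.com": "compromised website",
    "rm96.ppw0u8za.top": "Rig EK (1st run)",
    "fw61yxp.wlj92st.top": "Rig EK (2nd/3rd run)",
    "k81qe.m1s5xy1u1.top": "Rig EK (4th run)",
    "vitaetortorvitaesuscipit.us": "post-infection DNS",
}

# Constructed sample log lines in a hypothetical resolver format:
# "<timestamp> client <ip> query: <name> IN <type> <rcode>" (not from the post's captures).
SAMPLE_LOG = """\
2016-11-03T14:01:02 client 10.0.0.5 query: www.hwcollectorsnews.com IN A NOERROR
2016-11-03T14:01:03 client 10.0.0.5 query: fw61yxp.wlj92st.top IN A NOERROR
2016-11-03T14:01:09 client 10.0.0.5 query: example.com IN A NOERROR
2016-11-03T14:02:40 client 10.0.0.5 query: vitaetortorvitaesuscipit.us IN A SERVFAIL
2016-11-03T14:02:41 client 10.0.0.5 query: notvitaetortorvitaesuscipit.us IN A NOERROR
"""
LINE_RE = re.compile(r"^(\S+) client (\S+) query: (\S+) IN \S+ (\S+)$")


def match_domain(name):
    """Return the IOC label if name equals, or is a subdomain of, an IOC domain.

    Matching is done on whole DNS labels, so a name that merely ends with the
    same characters (e.g. notvitaetortorvitaesuscipit.us) does not match.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return IOC_DOMAINS[candidate]
    return None


def scan_dns_log(text):
    """Return (timestamp, client, name, rcode, label) for each line hitting an IOC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, client, name, rcode = m.groups()
        label = match_domain(name)
        if label:
            # rcode is kept: the post saw SERVFAIL for the post-infection domain.
            hits.append((ts, client, name, rcode, label))
    return hits
```

Running scan_dns_log(SAMPLE_LOG) returns three hits: the compromised site, the 2nd/3rd-run Rig EK host, and the SERVFAIL lookup of the post-infection domain; the look-alike name is not reported.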
