EITest Leads to RIG EK at 188.225.36.196 And Drops Quant Loader. Downloads ZLoader/Zbot.

IOCs

• 199.116.248.108 – saywitzproperties.com – Compromised website (shout-out to thlnk3r‏ who gave me the site)
• 188.225.36.196 – fds.japanbioenergy.org – RIG Exploit Kit
• 52.90.24.205 – unisdr.top – GET /mail.index.php – Response contains download locations for additional malware at trackerhost.us
• 52.90.24.205 – trackerhost.us – GET /drop/lsmk.exe – Additional malware
• 52.90.24.205 – gerber.gdn – POST / info.php – Post-infection traffic

DNS Queries:

• corpconor-daily.pw
• sorrycorpmail.site

Tor Traffic:

• 91.219.237.244 – 7houbwgmwbc5wyg2dz.com
• 178.62.22.36 – 6f44k7fi7cun.com
• 138.201.169.12 – rfkuhvuj2m.com

Hashes:

SHA256: 940f86837bf6c6420873e89fd3b925f0549a258e920fe51eb5f5b8b4953e3567
File name: RIG EK landing page 042117.txt

SHA256: 021e5a8ac070ff34aace3b1dbef6ee383f3dbf418c56efda6f4211eb75f0a482
File name: RIG EK Flash Exploit 042117.swf

SHA256: dc0a483dac2554b8c0682f39762762f79a48383e5f2cbf71238222137089a265
File name: o32.tmp

SHA256: 2875dcec3a20dbdff5baa8ac0b5135ac094f39f146840900252203993e3f64b8
File name: izz9290g.exe
Hybrid-Analysis Report

SHA256: 38ed182b79fd68482d97d4fe1b3c6749380fd989a4a332c6d1174bae23450fe9
File name: 115919.exe
Hybrid-Analysis Report

SHA256: 08166a3d90a2437444adf9d39ba7e5bc9c8cd579f54362e56681cea74bf6d664
File name: 115657.exe
Hybrid-Analysis Report

SHA256: 37c95a909836b641c11067384ebe50ac92a057a8f9fec150e6546c68b725d75f
File name: 16930.exe
Hybrid-Analysis Report

Analyzed Processes for izz9290g.exe:

EITest script found in compromised website:

The malware payload is dropped and executed in %Temp%. It also copies itself to %AppData%:

You can also see the secondary downloads are dropped in %Temp% as well. Instructions for the secondary downloads are found in unisdr.top – GET /mail.index.php. For example:

We also see it create various folders and files in %AppData%:

Registry:

Rules Triggered by the IDS:

• ET DNS Query to a *.top domain – Likely Hostile
• ET DNS Query to a *.pw domain – Likely Hostile
• ET TROJAN Quant Loader Download Request
• ET INFO HTTP Request to a *.top domain
• ET TROJAN Generic – POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
• ET INFO Executable Retrieved With Minimal HTTP Headers – Potential Second Stage Download
• ET POLICY TLS possible TOR SSL traffic

The samples can be downloaded from the Hybrid-Analysis reports. I am also attaching the RIG EK landing page and Flash exploit. Password is “infected”.

Malicious Artifacts 042117.zip

Other References:

• http://www.broadanalysis.com/2017/04/18/rig-ek-from-92-53-104-104-delivers-quant-loader-ursnif-and-more/
• http://www.malware-traffic-analysis.net/2017/04/20/index.html

Until next time!