Watcha know about Mining!?
Today I was doing some digging (no pun intended) into numerous domains used during recent malvertising redirection chains. These domains appear to be related to a campaign dubbed “Rulan”.
Let’s start off by showing the redirection chain:
As you can see from the TCP streams there are a lot of 302 redirects leading to the RIG EK landing page, which is being hosted at 126.96.36.199. This campaign has been known to drop the banking Trojan called Chthonic but this time it appears to have dropped a Miner.
The payload is dropped in %Temp% and copied to/run from C:\Users\User\AppData\Roaming\Microsoft\DirectX:
Callback traffic is found going to 188.8.131.52 via TCP port 21025:
Here is another view:
So, we can see instructions for 184.108.40.206 via TCP port 3333 as well as the wallet address:
Status of the mining server:
I’m starting to see a little bit of a trend here with more campaigns dropping Miners. For example, on August 3rd I got XMRig CoinMiner from a fake Flash player update page. Read more about that HERE.
It would be worth an investigation if you start to see this type of traffic on your corporate networks.
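One way to triage for this kind of traffic, as an added example that is not part of the original post: it flags internal hosts whose flows combine the ports and the run location listed in this post. The flow tuple layout, the sample records, the documentation-range IPs, `sample.exe`, and the JSON `login` message shape are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict

POOL_PORTS = {3333, 5555, 7777}  # mining server ports listed in the post
CALLBACK_PORT = 21025            # callback port listed in the post
DROP_DIR = "\\appdata\\roaming\\microsoft\\directx\\"  # run location from the post

MINER = r"C:\Users\User\AppData\Roaming\Microsoft\DirectX\sample.exe"  # constructed name
# Constructed flows: (src_ip, dst_ip, dst_port, process_path, first_payload)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, r"C:\Program Files\Browser\browser.exe", b"\x16\x03\x01"),
    ("10.0.0.7", "198.51.100.20", 21025, MINER, b""),
    ("10.0.0.7", "198.51.100.30", 3333, MINER,
     b'{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}\n'),
    ("10.0.0.9", "203.0.113.40", 3333, r"C:\Tools\devserver.exe", b"GET / HTTP/1.1\r\n"),
]

def looks_like_miner_login(payload):
    """Assumed shape: newline-delimited JSON whose 'login' method carries the wallet."""
    try:
        msg = json.loads(payload.split(b"\n", 1)[0].decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False  # binary, empty, or non-JSON first line
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return False
    params = msg.get("params")
    return isinstance(params, dict) and bool(params.get("login"))

def flow_reasons(flow):
    """Return the set of indicators a single flow matches."""
    _src, _dst, port, proc, payload = flow
    reasons = set()
    if port in POOL_PORTS:
        reasons.add("pool_port")
    if port == CALLBACK_PORT:
        reasons.add("callback_port")
    if DROP_DIR in proc.lower():
        reasons.add("directx_path")
    if looks_like_miner_login(payload):
        reasons.add("miner_login")
    return reasons

def triage(flows, min_reasons=2):
    """Group indicators per source host; a port match alone is a weak signal."""
    per_host = defaultdict(set)
    for flow in flows:
        per_host[flow[0]] |= flow_reasons(flow)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_reasons}

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_FLOWS).items():
        print(host, reasons)
```

Requiring two indicators keeps the host that only talks to port 3333 out of the result; lower `min_reasons` to 1 to review those as well.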
Network Based Traffic
- 220.127.116.11 – mos-redirect.ru
- 18.104.22.168 – RIG EK IP-literal hostname
- 22.214.171.124 via TCP port 21025
- 126.96.36.199 via TCP port 3333 (low end hardware), 5555 (mid range hardware), and 7777 (high end hardware)
File name: RigEK landing page from 188.8.131.52.txt
File name: RigEK Flash exploit from 184.108.40.206.swf
File name: o32.tmp
File name: ukweehmi.exe
Until next time!