Rulan Campaign Redirects to RIG EK at 188.225.33.43 and Drops a Miner

Watcha know about Mining!?


Today I was doing some digging (no pun intended) into numerous domains used during recent malvertising redirection chains. These domains appear to be related to a campaign dubbed “Rulan”.

Let’s start off with showing the redirection chain:

[Screenshots 1-4: edited TCP streams showing the redirection chain]

As you can see from the TCP streams there are a lot of 302 redirects leading to the RIG EK landing page, which is being hosted at 188.225.33.43. This campaign has been known to drop the banking Trojan called Chthonic but this time it appears to have dropped a Miner.

The payload is dropped in %Temp% and copied to/run from C:\Users\User\AppData\Roaming\Microsoft\DirectX:

Callback traffic is found going to 188.209.52.54 via TCP port 21025:

Contacted host

Here is another view:


So, we can see the miner being instructed to connect to 185.62.189.10 via TCP port 3333, as well as the wallet address:

43TehHwrepkCXejbuxpz5jEtvaBJLh2bHXSzmBt2G2CrbdA1oGnfr4XaKuewv95dfcJkwi9deULn8ZHs3KUqpu3AMzahxAz

Status of the mining server:

Mining server status

Blackpool.cc (185.62.189.10):

I’m starting to see a little bit of a trend here with more campaigns dropping Miners. For example, on August 3rd I got XMRig CoinMiner from a fake Flash player update page. Read more about that HERE.

Needs more Zoolander memes!

It would be worth an investigation if you start to see this type of traffic on your corporate networks.

Network Based Traffic
  • 144.76.174.172 – mos-redirect.ru
  • 188.225.33.43 – RIG EK IP-literal hostname
  • 188.209.52.54 via TCP port 21025
  • 185.62.189.10 via TCP port 3333 (low end hardware), 5555 (mid range hardware), and 7777 (high end hardware)
    • Blackpool.cc
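As an added example (not from the original post), here is a small Python check that runs the network indicators listed above over constructed connection-log lines, flagging the listed IPs and hostnames, the pool/callback ports, and the IP-literal Host header seen on the RIG EK landing page. The log format, the sample lines and the generic rule that treats ports 3333/5555/7777 as miner-pool ports regardless of destination are assumptions made for this example.

```python
import ipaddress
import re

# Indicators copied from the post above.
IOC_IPS = {"144.76.174.172", "188.225.33.43", "188.209.52.54", "185.62.189.10"}
IOC_HOSTS = {"mos-redirect.ru", "blackpool.cc"}
# Pool/callback ports named in the post. Treating 3333/5555/7777 as suspicious
# for any destination is a heuristic (assumption), not something the post states.
IOC_PORTS = {3333, 5555, 7777, 21025}

# Constructed sample log (assumed format): timestamp src_ip dst_ip dst_port host
SAMPLE_LOG = """\
2017-08-07T10:00:01 10.0.0.5 144.76.174.172 80 mos-redirect.ru
2017-08-07T10:00:02 10.0.0.5 188.225.33.43 80 188.225.33.43
2017-08-07T10:00:09 10.0.0.5 185.62.189.10 3333 -
2017-08-07T10:00:10 10.0.0.5 93.184.216.34 443 example.com
2017-08-07T10:00:11 10.0.0.7 203.0.113.9 5555 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def _is_ip_literal(host):
    """True when the HTTP Host field is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return the rule names that fire for one log line (empty list if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _, _, dst, dport, host = m.groups()
    dport = int(dport)
    hits = []
    if dst in IOC_IPS:
        hits.append("ioc_ip")
    if host.lower() in IOC_HOSTS:
        hits.append("ioc_host")
    if dport in IOC_PORTS:
        hits.append("miner_port")
    # RIG EK landing page was requested with an IP-literal Host header over HTTP;
    # noisy on its own, useful in combination with the other rules.
    if host != "-" and _is_ip_literal(host) and dport in (80, 8080):
        hits.append("ip_literal_host")
    return hits


def scan(log_text):
    """Map each flagged log line to the list of rules that fired."""
    results = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            results[line] = hits
    return results
```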
Persistence
SETVAL; Path: “HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN”; Key: “DX9 C++RTL”; Value: “%APPDATA%\Microsoft\DirectX\nthost.exe”
Hashes

SHA256: b48470b9d183877fc960e3bee2e61ad9d938f0d480d290864128838fa7727145
File name: RigEK landing page from 188.225.33.43.txt

SHA256: 358605c9305679ee4070c092d070bacbb8981661445fd115596c646f8ab58a05
File name: RigEK Flash exploit from 188.225.33.43.swf

SHA256: c951cb3ccbc129d422f5cb3fa21491b208870b2f2e2650fa70739106d6755267
File name: o32.tmp

SHA256: 646d3a72332ef548fd8006f3fd798e6276472721127231a6fc207630e2528380
File name: ukweehmi.exe
Hybrid-Analysis Report

Downloads

Malicious Artifacts from 080717.zip

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

