Rig Exploit Kit “Encrypts Self” sending Zbot from 46.30.46.170

Datetime: 2016-08-23 02:52:33          Topic: JavaScript, ActionScript
by Analysis in Bot

NOTES:

IP address 46.30.46.170 is a well known Rig Exploit Kit (EK) landing page. Upon examining the metadata of the Rig EK Flash file, I found that it had been encrypted using DoSWF. According to its website (http://www.doswf.org/), "DoSWF has been designed specifically for Adobe Flash SWF files to keep your ActionScript shielded from would-be hackers! DoSWF guards your important ActionScript code from decompilers and reverse engineering techniques." Note that the DoSWF marker identifies the protector, not the exploit: a legitimately protected SWF carries the same metadata, so the marker is a pivot for analysis rather than a detection signature on its own.

This is not a new technique; however, this is the first time I have seen an exploit kit use it to avoid detection and to hinder reverse engineering.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me: info@broadanalysis.com

PCAP file of the infection traffic:

2016-06-24-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.25.95.39 – realstatistics.info GET /js/analytic.php?id=4 – Rig EK REDIRECT GATE
  • 85.25.95.39 – realstatistics.info GET //js/analytic.php?id=4&tz=-5&rs=1024×768 – Rig EK REDIRECT GATE
  • 46.30.46.170 – cv.sertomaartscenter.com – Rig EK LANDING PAGE
  • 115.28.36.224 – www.doswf.com – GET /copyright/files/c.c – Zbot POST INFECTION TRAFFIC
  • 185.127.25.247 – specialbissnes.site – POST /forum/visitcounter.php – Zbot POST INFECTION TRAFFIC
  • 95.163.127.184 – specanomirasa.site – POST /forum/visitcounter.php – Zbot POST INFECTION TRAFFIC
  • 95.163.127.184 – specanomirasa.site – GET /forum/js/d.dat – Zbot POST INFECTION TRAFFIC
  • 95.163.127.184 – specanomirasa.site – GET /forum/js/e.dat – Zbot POST INFECTION TRAFFIC
  • 95.163.127.184 – specanomirasa.site – GET /forum/js/f.dat – Zbot POST INFECTION TRAFFIC
  • 95.163.127.184 – specanomirasa.site – GET /forum/js/out.dat – Zbot POST INFECTION TRAFFIC
  • 95.163.127.184 – specanomirasa.site – GET /forum/js/g.dat – Zbot POST INFECTION TRAFFIC
  • 95.163.127.184 – specanomirasa.site – GET /forum/js/h.dat – Zbot POST INFECTION TRAFFIC


DETAILS OF INFECTION CHAIN:

Shown above: Compromised site with associated infection chain websites

Shown above: Injected script found on compromised site leading to Rig EK redirect gate one

Shown above: Script on Rig EK redirect gate one leading to the second redirect gate (the path beginning with "//")

Shown above: Script on Rig EK redirect gate two leading to the Rig EK landing page. Note that the path changes from a single slash "/" on gate one to a double slash "//" before the directory on gate two.

Shown above: Post Infection traffic associated with Zbot infection

Shown above: Post infection downloads associated with Zbot infection
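The redirect chain in the captions above and the IOC list can be turned into a proxy-log check. The following is an added example and not part of the original post: it classifies log lines by the gate, landing-page and Zbot hosts and paths listed in the IOC section and rebuilds the per-client chain. The log layout, client addresses, timestamps, referers, the landing-page path and the compromised site name `compromised.example` are all assumptions; the gate path is matched with either one or two leading slashes, since the second hop uses `//`.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Hosts and paths come from the IOC list; the landing-page path and the
# compromised site name are not given in the post and are assumed here.
LANDING_HOST = "cv.sertomaartscenter.com"
GATE_PATH = re.compile(r"^/{1,2}js/analytic\.php$")   # "/" on hop one, "//" on hop two
C2_CHECKIN = re.compile(r"^/forum/visitcounter\.php$")
C2_DAT = re.compile(r"^/forum/js/[a-z]+\.dat$")


def classify(method: str, host: str, path: str) -> Optional[str]:
    """Map one request onto a stage of the chain, or None if it is unrelated."""
    u = urlsplit("http://" + host + path)
    q = parse_qs(u.query)
    if GATE_PATH.match(u.path) and "id" in q:
        # gate two carries the timezone and screen size collected by gate one's script
        return "gate-2" if {"tz", "rs"} <= set(q) else "gate-1"
    if host == LANDING_HOST:
        return "landing"
    if method == "POST" and C2_CHECKIN.match(u.path):
        return "zbot-checkin"
    if method == "GET" and C2_DAT.match(u.path):
        return "zbot-download"
    return None


def infection_chains(log: str) -> Dict[str, List[str]]:
    """Rebuild, per client, the ordered stages seen in a 'ts client method host path referer' log."""
    chains: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, method, host, path, _referer = line.split(maxsplit=5)
        stage = classify(method, host, path)
        if stage:
            chains[client].append(stage)
    return dict(chains)


def reached_payload(stages: List[str]) -> bool:
    """True when the client got past the landing page to Zbot callback traffic."""
    return "landing" in stages and "zbot-checkin" in stages


# Constructed proxy log (clients, timestamps, referers and log layout are made up;
# the gate, landing and Zbot hosts/paths are the post's IOCs, written with an
# ASCII 'x' as the screen-size separator).
SAMPLE_LOG = """\
2016-06-24T14:02:11 10.1.1.50 GET compromised.example /index.php -
2016-06-24T14:02:12 10.1.1.50 GET realstatistics.info /js/analytic.php?id=4 http://compromised.example/index.php
2016-06-24T14:02:13 10.1.1.50 GET realstatistics.info //js/analytic.php?id=4&tz=-5&rs=1024x768 http://compromised.example/index.php
2016-06-24T14:02:14 10.1.1.50 GET cv.sertomaartscenter.com / http://realstatistics.info//js/analytic.php?id=4&tz=-5&rs=1024x768
2016-06-24T14:02:20 10.1.1.50 POST specialbissnes.site /forum/visitcounter.php -
2016-06-24T14:02:25 10.1.1.50 GET specanomirasa.site /forum/js/d.dat -
2016-06-24T14:03:00 10.1.1.77 GET realstatistics.info /js/analytic.php?id=4 http://compromised.example/
2016-06-24T14:03:01 10.1.1.77 GET realstatistics.info //js/analytic.php?id=4&tz=-5&rs=1024x768 http://compromised.example/
"""

if __name__ == "__main__":
    for client, stages in infection_chains(SAMPLE_LOG).items():
        print(client, stages, "PAYLOAD" if reached_payload(stages) else "incomplete")
```

The second client in the constructed log reaches both gates but never the landing page, which is the shape you see when the Flash exploit is blocked or the browser is not a match; only a client that also shows the `visitcounter.php` POST should be treated as infected.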

Shown above: After extracting the Rig EK Flash exploit from the pcap and saving it as a .swf file, I decompiled it with Flare (http://www.nowrap.de/flare.html) and examined the Flash metadata in a text editor. The metadata shows that the Rig EK Flash file was encrypted with DoSWF.

Shown above: www.doswf.org website and software they provide
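The metadata check described above (decompress the SWF, then look at its metadata for the protector's name) can be scripted instead of done by hand in a text editor. This is an added example, not code from the original post or from DoSWF: it inflates a CWS file, walks the SWF tag list to the Metadata tag (tag code 77), and reports whether a `DoSWF` string is present. The assumption that DoSWF names itself in the Metadata tag, and the XMP field used in the constructed fixture, are not stated in the post; a real sample would be passed in instead of the fixture built by `build_sample_swf`.

```python
import re
import struct
import zlib

# Marker this example looks for. Assumption: DoSWF leaves its name in the
# SWF Metadata tag (tag code 77), which is what the text-editor check in the post found.
DOSWF_MARKER = re.compile(rb"DoSWF", re.IGNORECASE)
METADATA_TAG = 77


def decompress_swf(data: bytes) -> bytes:
    """Return the uncompressed SWF (8-byte header + body) for FWS/CWS files."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        # Signature, version and file length stay uncompressed; the rest is zlib.
        return data[:8] + zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled by this example")
    raise ValueError("not a SWF file")


def iter_tags(swf: bytes):
    """Yield (tag_code, payload) for every tag in an uncompressed SWF."""
    pos = 8
    nbits = swf[pos] >> 3                      # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos += (5 + 4 * nbits + 7) // 8            # round the bit-packed RECT up to whole bytes
    pos += 4                                   # frame rate (u16) + frame count (u16)
    while pos + 2 <= len(swf):
        code_len = struct.unpack_from("<H", swf, pos)[0]
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:                     # long-form tag header carries a u32 length
            length = struct.unpack_from("<I", swf, pos)[0]
            pos += 4
        payload = swf[pos:pos + length]
        pos += length
        yield code, payload
        if code == 0:                          # End tag
            break


def inspect_swf(data: bytes) -> dict:
    """Report the signature, the Metadata tag text, and whether a DoSWF marker is present."""
    swf = decompress_swf(data)
    report = {"signature": data[:3].decode("ascii"), "metadata": None, "doswf_marker": False}
    for code, payload in iter_tags(swf):
        if code == METADATA_TAG:
            report["metadata"] = payload.rstrip(b"\x00").decode("utf-8", "replace")
        if DOSWF_MARKER.search(payload):       # also catches the name in other tags
            report["doswf_marker"] = True
    return report


def build_sample_swf(metadata_xml: bytes, compress: bool = True) -> bytes:
    """Constructed test fixture: a minimal SWF with one Metadata tag (not a real exploit)."""
    rect = b"\x00"                             # RECT with Nbits=0 fits in one byte
    frames = struct.pack("<HH", 12 << 8, 1)    # 12 fps (8.8 fixed point), one frame
    meta = metadata_xml + b"\x00"
    meta_tag = struct.pack("<HI", (METADATA_TAG << 6) | 0x3F, len(meta)) + meta
    end_tag = struct.pack("<H", 0)
    body = rect + frames + meta_tag + end_tag
    header = struct.pack("<I", 8 + len(body))  # total uncompressed length
    if compress:
        return b"CWS" + bytes([10]) + header + zlib.compress(body)
    return b"FWS" + bytes([10]) + header + body


if __name__ == "__main__":
    # Constructed metadata naming the protector; the XMP field is an assumption,
    # the post only says the metadata shows DoSWF.
    packed = build_sample_swf(b'<rdf:RDF><xmp:CreatorTool>DoSWF</xmp:CreatorTool></rdf:RDF>')
    print(inspect_swf(packed))
    print(inspect_swf(build_sample_swf(b"<rdf:RDF/>", compress=False)))
```

Running `inspect_swf` over a directory of carved SWFs gives a quick triage list of which ones are DoSWF-protected and therefore need the protector stripped before the ActionScript can be read; a hit on the marker alone says nothing about whether the file is an exploit.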

Shown above: Zbot windows directory structure and its associated .dat files

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT KIT:

  • 2016-06-24-Rig-EK.swf
    Virus Total Link
  • 2016-06-24-lqrwcdijop.exe [Zbot]
    C:\Users\%UserName%\AppData\Roaming\{F7217360-5500-D800-4000-4C7C7E82C4}
    Virus Total Link

Tagged with: Malware analysis , Malware Research , Zbot
