- Today I captured traffic from the Rig Exploit Kit (EK), which delivered the Quant Loader via the EITest campaign.
- The Quant Loader is described as a Trojan downloader.
- Originally I identified it as Ursnif. Thanks to @Antelox for identifying it as ZLoader.
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic: 2017-04-18-Rig-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- www.besancon-tennis-club.fr – COMPROMISED SITE
- 22.214.171.124 – new.5efinance.com – RIG EK LANDING PAGE
- 126.96.36.199 – unisdr.top GET /mail/index.php – POST INFECT TRAFFIC
- 188.8.131.52 – trackerhost.us GET /drop/lsmk.exe – POST INFECT TRAFFIC
- 184.108.40.206 – gerber.gdn POST /info.php – POST INFECT TRAFFIC
- 220.127.116.11 – www.wfvd2tjkovfhxgdv.com – TOR TRAFFIC [Ursnif]
- 18.104.22.168 – www.2nmq4tv.com – TOR TRAFFIC [Ursnif]
- 22.214.171.124 – www.5xul.com – TOR TRAFFIC [Ursnif]
- 126.96.36.199 – www.qqruxzsz.com – TOR TRAFFIC [Ursnif]
- 188.8.131.52 – www.krhluqsns74s7wawqc6p.com – TOR TRAFFIC [Ursnif]
- 184.108.40.206 – www.d5u7.com – TOR TRAFFIC [Ursnif]
- corpconor-daily.pw – POST INFECT DNS QUERY
- sorrycorpmail.site – POST INFECT DNS QUERY
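The indicator list above is most useful when it is turned into something that can be run over a proxy or DNS log to find every client that went through the chain. The following is an added example, not code from the original post: it loads the hostnames and the three post-infection request paths listed above, matches them against a constructed, deliberately simple log format (timestamp, client IP, method, host, path for HTTP; timestamp, client IP, DNS, query name for DNS), and reports per client which stages were seen. The IP addresses are left out on purpose, since exploit-kit infrastructure rotates addresses far faster than hostnames and paths. The sample log lines, the second client 10.0.0.22, and every path other than the three listed above are constructed for the example.

```python
# Added example (not from the original post): match the indicators listed
# above against log lines to reconstruct the infection chain per client.
import re
from collections import defaultdict

# Domain -> role, copied from the indicator list above.
IOC_DOMAINS = {
    "www.besancon-tennis-club.fr": "COMPROMISED SITE",
    "new.5efinance.com": "RIG EK LANDING PAGE",
    "unisdr.top": "POST INFECT TRAFFIC",
    "trackerhost.us": "POST INFECT TRAFFIC",
    "gerber.gdn": "POST INFECT TRAFFIC",
    "www.wfvd2tjkovfhxgdv.com": "TOR TRAFFIC",
    "www.2nmq4tv.com": "TOR TRAFFIC",
    "www.5xul.com": "TOR TRAFFIC",
    "www.qqruxzsz.com": "TOR TRAFFIC",
    "www.krhluqsns74s7wawqc6p.com": "TOR TRAFFIC",
    "www.d5u7.com": "TOR TRAFFIC",
    "corpconor-daily.pw": "POST INFECT DNS QUERY",
    "sorrycorpmail.site": "POST INFECT DNS QUERY",
}
# (method, host, path) triples called out above for the post-infection HTTP traffic.
IOC_REQUESTS = {
    ("GET", "unisdr.top", "/mail/index.php"),
    ("GET", "trackerhost.us", "/drop/lsmk.exe"),
    ("POST", "gerber.gdn", "/info.php"),
}

# Assumed log format (constructed for this example, not a real tool's output):
#   <timestamp> <client-ip> <GET|POST> <host> <path>   for HTTP requests
#   <timestamp> <client-ip> DNS <query-name>           for DNS queries
HTTP_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<host>\S+) (?P<path>\S+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) DNS (?P<qname>\S+)$")


def lookup_domain(host):
    """Return the role of host, or None. Matches a listed name exactly or any
    subdomain of it, so cdn.unisdr.top still hits the unisdr.top indicator."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        role = IOC_DOMAINS.get(".".join(labels[i:]))
        if role is not None:
            return role
    return None


def scan(lines):
    """Parse log lines and return one hit per line that touches a listed indicator."""
    hits = []
    for line in lines:
        m = HTTP_RE.match(line)
        if m:
            role = lookup_domain(m["host"])
            if role is None:
                continue
            # Compare the path without any query string against the known requests.
            key = (m["method"], m["host"].lower(), m["path"].split("?", 1)[0])
            detail = "known request" if key in IOC_REQUESTS else "domain only"
            hits.append({"ts": m["ts"], "src": m["src"], "indicator": m["host"],
                         "role": role, "detail": f"{m['method']} {m['path']} ({detail})"})
            continue
        m = DNS_RE.match(line)
        if m:
            role = lookup_domain(m["qname"])
            if role is not None:
                hits.append({"ts": m["ts"], "src": m["src"], "indicator": m["qname"],
                             "role": role, "detail": "DNS query"})
    return hits


def infected_hosts(hits):
    """Group hits by client and keep only clients with post-infection activity.
    A client that merely loaded the compromised site, or even the landing page,
    may have been served nothing (wrong browser, blocked exploit), so it is not flagged."""
    roles_by_src = defaultdict(set)
    for h in hits:
        roles_by_src[h["src"]].add(h["role"])
    post_infection = {"POST INFECT TRAFFIC", "POST INFECT DNS QUERY", "TOR TRAFFIC"}
    return {src: sorted(roles) for src, roles in roles_by_src.items() if roles & post_infection}


# Constructed sample log: 10.0.0.15 goes through the whole chain, 10.0.0.22 only
# reaches the compromised site. Paths other than the three listed above are made up.
SAMPLE_LOG = """\
2017-04-18T14:02:11 10.0.0.15 GET www.besancon-tennis-club.fr /
2017-04-18T14:02:12 10.0.0.15 GET new.5efinance.com /
2017-04-18T14:02:13 10.0.0.15 GET unisdr.top /mail/index.php
2017-04-18T14:02:20 10.0.0.15 GET trackerhost.us /drop/lsmk.exe
2017-04-18T14:02:25 10.0.0.15 POST gerber.gdn /info.php
2017-04-18T14:02:30 10.0.0.15 DNS corpconor-daily.pw
2017-04-18T14:02:31 10.0.0.15 DNS www.2nmq4tv.com
2017-04-18T14:03:00 10.0.0.22 GET www.besancon-tennis-club.fr /
2017-04-18T14:03:05 10.0.0.22 GET www.example.com /index.html
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['src']} {h['role']:<22} {h['indicator']} {h['detail']}")
    print("infected:", infected_hosts(found))
```

Run against the sample, the script lists all eight indicator hits but flags only 10.0.0.15 as infected; 10.0.0.22 touched the compromised site and nothing else, which is exactly the case a hunt should surface for a closer look at the proxy log rather than escalate as an infection. Matching on the request path as well as the host separates the listed post-infection requests from unrelated traffic to the same domain.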
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: injected script found on the index page of the compromised site associated with the EITest campaign, which redirects visitors to the Rig EK landing page. The page source can be viewed by right-clicking the web page and selecting "View source".
Shown above: network traffic associated with the Rig EK exploit and the delivery of Quant Loader, ZLoader and more.
Shown above: post-infection DNS queries.
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: