Rig EK from 92.53.104.104 delivers Quant loader, ZLoader and more

Datetime: 2017-04-19 06:01:53         Topic: Security Skill

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) which delivered the Quant Loader via the EITEST campaign.
  • The Quant Loader is described as a Trojan downloader.
  • Originally I identified it as Ursnif. Thanks to @Antelox for identifying it as ZLoader.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is “infected” (all lowercase).

PCAP file of the infection traffic:

2017-04-18-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.besancon-tennis-club.fr – COMPROMISED SITE
  • 92.53.104.104 – new.5efinance.com – RIG EK LANDING PAGE
  • 51.141.33.47 – unisdr.top GET /mail/index.php – POST INFECT TRAFFIC
  • 51.141.33.47 – trackerhost.us GET /drop/lsmk.exe – POST INFECT TRAFFIC
  • 51.141.33.47 – gerber.gdn POST /info.php – POST INFECT TRAFFIC
  • 78.142.142.246 – www.wfvd2tjkovfhxgdv.com – TOR TRAFFIC [Ursnif]
  • 46.165.230.5 – www.2nmq4tv.com – TOR TRAFFIC [Ursnif]
  • 5.9.110.236 – www.5xul.com – TOR TRAFFIC [Ursnif]
  • 188.165.5.14 – www.qqruxzsz.com – TOR TRAFFIC [Ursnif]
  • 176.9.38.38 – www.krhluqsns74s7wawqc6p.com – TOR TRAFFIC [Ursnif]
  • 92.222.103.233 – www.d5u7.com – TOR TRAFFIC [Ursnif]
  • corpconor-daily.pw – POST INFECT DNS QUERY
  • sorrycorpmail.site – POST INFECT DNS QUERY
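As an added example (not part of the original post), the indicator list above can be turned into a small hunting script. The script below keys the post's domains and IP addresses into lookup tables and runs them over a handful of constructed DNS and proxy log lines in an invented line format; the client addresses, timestamps and the log format are assumptions for the demonstration and do not come from the pcap. Note that a hit on the compromised site only tells you a client visited it, while a hit on the post-infection hosts is the stronger signal that the payload ran.

```python
"""Scan DNS/proxy log lines for the indicators listed in this post.

Added example. The log line format and the sample lines are constructed
for the demonstration; only the indicator values come from the post.
"""
import re

# Indicators copied from the post's "ASSOCIATED DOMAINS AND IP ADDRESSES" list.
IOC_DOMAINS = {
    "www.besancon-tennis-club.fr": "compromised site (redirector)",
    "new.5efinance.com": "Rig EK landing page",
    "unisdr.top": "post-infection traffic",
    "trackerhost.us": "post-infection traffic (payload download)",
    "gerber.gdn": "post-infection traffic (POST /info.php)",
    "corpconor-daily.pw": "post-infection DNS query",
    "sorrycorpmail.site": "post-infection DNS query",
}
IOC_IPS = {
    "92.53.104.104": "Rig EK landing page",
    "51.141.33.47": "post-infection traffic",
}

# Constructed sample lines in a hypothetical format (client IPs are private
# test addresses, 203.0.113.10 is a documentation address):
#   <date> <time> <client> DNS <qname>
#   <date> <time> <client> HTTP <method> <dst_ip> <host> <path>
SAMPLE_LOGS = [
    "2017-04-18 10:01:03 10.0.0.5 DNS www.besancon-tennis-club.fr",
    "2017-04-18 10:01:05 10.0.0.5 DNS new.5efinance.com",
    "2017-04-18 10:01:06 10.0.0.5 HTTP GET 92.53.104.104 new.5efinance.com /",
    "2017-04-18 10:01:40 10.0.0.5 HTTP GET 51.141.33.47 trackerhost.us /drop/lsmk.exe",
    "2017-04-18 10:01:41 10.0.0.5 HTTP POST 51.141.33.47 gerber.gdn /info.php",
    "2017-04-18 10:02:10 10.0.0.5 DNS corpconor-daily.pw",
    "2017-04-18 10:02:30 10.0.0.9 DNS www.example.com",
    "2017-04-18 10:02:31 10.0.0.9 HTTP GET 203.0.113.10 www.example.com /",
]

DNS_RE = re.compile(r"^(\S+ \S+) (\S+) DNS (\S+)$")
HTTP_RE = re.compile(r"^(\S+ \S+) (\S+) HTTP (\S+) (\S+) (\S+) (\S+)$")


def domain_hit(name):
    """Return (indicator, label) if name equals or is a subdomain of an IOC domain."""
    name = name.lower().rstrip(".")
    for ioc, label in IOC_DOMAINS.items():
        if name == ioc or name.endswith("." + ioc):
            return ioc, label
    return None


def match_line(line):
    """Return a hit record for one log line, or None if nothing matched."""
    m = DNS_RE.match(line)
    if m:
        ts, client, qname = m.groups()
        hit = domain_hit(qname)
        if hit:
            return {"ts": ts, "client": client, "ioc": hit[0], "label": hit[1], "via": "dns"}
        return None
    m = HTTP_RE.match(line)
    if m:
        ts, client, method, dst, host, path = m.groups()
        hit = domain_hit(host)  # Host header first: it survives IP churn
        if hit:
            return {"ts": ts, "client": client, "ioc": hit[0], "label": hit[1], "via": "http-host"}
        if dst in IOC_IPS:  # fall back to the destination address
            return {"ts": ts, "client": client, "ioc": dst, "label": IOC_IPS[dst], "via": "http-ip"}
    return None


def scan(lines):
    """Run every line through match_line and keep the hits."""
    return [h for h in map(match_line, lines) if h]


def clients_with_post_infection_activity(hits):
    """Clients that reached post-infection infrastructure, not merely the landing page."""
    return sorted({h["client"] for h in hits if h["label"].startswith("post-infection")})


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['ioc']} [{h['label']}] via {h['via']}")
    print("likely infected:", clients_with_post_infection_activity(found))
```

Matching on the HTTP Host header before the destination IP matters here because the post shows three distinct post-infection hostnames sharing 51.141.33.47; the suffix match in `domain_hit` also catches subdomains of the listed domains, which a plain set lookup would miss.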

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Injected script found on the index page of the compromised site associated with the EiTest campaign, which redirects visitors to the Rig EK landing page. The web page source code can be viewed by right-clicking on the web page and selecting “View source”.

Shown above: Network traffic associated with the Rig exploit and the delivery of Quant loader, ZLoader and more

Shown above: Post infection DNS queries

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
