Notes:

  • This was an older analysis
  • RIG EK is VM- and AV-aware, and this sample only fired an IE/Flash exploit. Final payload unknown.
Compromised Domain and Infection Chain
  • 2015-02-28 06:23:10 UTC - 184.106.55.67 - pinpointlabs.com GET /
  • 2015-02-28 06:23:15 UTC - 31.186.97.190 - capemadefieldguide.com GET /ram.html
  • 2015-02-28 06:23:15 UTC - 31.186.97.190 - capemadefieldguide.com GET /ram.phtml
  • 2015-02-28 06:23:16 UTC - 216.58.217.46 - google.com GET /?=e&rix=1425190996549
  • 2015-02-28 06:23:16 UTC - 31.186.97.190 - capemadefieldguide.org GET /ram.phtml?gonext=true&r=hxxp://pinpointlabs[.]com
RIG EK
  • 2015-02-28 06:23:17 UTC - 46.182.31.242 - fire.fairweatherleatherworks.com GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|NDkyYjVlNGE3MTc1OGI0YTUyMGVlZTc2NDVhZTRiZDM
  • 2015-02-28 06:23:24 UTC - 46.182.31.242 - fire.fairweatherleatherworks.com GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|NDkyYjVlNGE3MTc1OGI0YTUyMGVlZTc2NDVhZTRiZDM
  • 2015-02-28 06:23:24 UTC - 46.182.31.242 - fire.fairweatherleatherworks.com GET /index.php?req=mp3&num=89&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CNDkyYjVlNGE3MTc1OGI0YTUyMGVlZTc2NDVhZTRiZDM
Post-Infection Traffic
  • 2015-02-28 06:23:47 UTC - 104.18.56.63 - x1x2x3.me POST /link/order.php?id=595867
  • 2015-02-28 06:26:48 UTC - 104.18.56.63 - x1x2x3.me GET /link/image.php?id=2783541
Other observed RIG EK Exploits
  • 46.182.31.107 - dance.socalbellydancer.net/index.php?req=swf&num=7539&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|YmE1MjE2YjFhMmViZjYzYmZhMTg5NDgxMDk1YmJmYjM
  • 46.182.31.107 - dance.socalbellydancer.net/index.php?req=swf&num=7516&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|YmE1MjE2YjFhMmViZjYzYmZhMTg5NDgxMDk1YmJmYjM
  • 46.182.31.107 - dance.socalbellydancer.net/index.php?req=swf&num=6089&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|YmE1MjE2YjFhMmViZjYzYmZhMTg5NDgxMDk1YmJmYjM

Other referer:

  • 76.74.249.159 - oswaldinsurance.biz - GET /wp-admin/js/bbcode.php

Other Potentially Compromised Domains:
  • https://meanpath.com/f/PjHC1l

IDS alerts using the Emerging Threats Open Ruleset

2015-02-28 06:23:17 UTC - 192.168.1.146:49810 -> 46.182.31.242:80 - ET CURRENT EVENTS RIG EK Landing URI Struct
2015-02-28 06:23:24 UTC - 192.168.1.146:49810 -> 46.182.31.242:80 - ET CURRENT EVENTS Goon/Infinity URI Struct EK Landing May 05 2014
2015-02-28 06:23:27 UTC - 46.182.31.242:80 -> 192.168.1.146:49810 - ET CURRENT EVENTS GoonEK encrypted binary (3)
2015-02-28 06:23:47 UTC - 192.168.1.146:49812 -> 104.18.56.63:80 - ET TROJAN Win32/Neurevt Check-in 4
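As an added example (not part of the original post, and not the Emerging Threats signatures above), the following Python matcher picks the two RIG URI shapes seen in this capture out of proxy-style log lines: the landing request `/?PHPSSESID=<token>|<base64>` and the exploit request `/index.php?req=<type>&num=<n>&PHPSSESID=...`. In both sessions shown on this page the base64 tail decodes to a 32-character hex string, and the matcher requires that so ordinary PHP session values don't match. The log format and the sample lines are constructed for the example from the URIs above.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# URI shapes taken from the capture above (this matcher is an illustration,
# not the Emerging Threats rules). Both forms carry
# PHPSSESID=<alnum token>|<unpadded base64>, with "|" sometimes URL-encoded.
SESSION_RE = re.compile(
    r"[?&]PHPSSESID=([A-Za-z0-9]{20,})(?:\||%7[Cc])([A-Za-z0-9+/]{20,}=*)"
)
# Exploit/payload requests add req=<type>&num=<n> in front of the session.
REQ_RE = re.compile(r"/index\.php\?req=([a-z0-9]+)&num=(\d+)&")


@dataclass
class Hit:
    uri: str
    stage: str     # "landing" or "req:<type>" (req=swf / req=mp3 in this capture)
    decoded: str   # what the base64 tail decodes to


def decode_tail(tail: str) -> Optional[str]:
    """Decode the unpadded base64 after '|', returning None if it is not text."""
    padded = tail + "=" * (-len(tail) % 4)
    try:
        return base64.b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def classify_uri(uri: str) -> Optional[Hit]:
    m = SESSION_RE.search(uri)
    if not m:
        return None
    decoded = decode_tail(m.group(2))
    # In both sessions above the tail decodes to 32 lowercase hex characters;
    # requiring that keeps ordinary PHP session identifiers from matching.
    if decoded is None or not re.fullmatch(r"[0-9a-f]{32}", decoded):
        return None
    r = REQ_RE.search(uri)
    stage = f"req:{r.group(1)}" if r else "landing"
    return Hit(uri=uri, stage=stage, decoded=decoded)


def scan_log(lines: List[str]) -> List[Hit]:
    """Constructed log format: '<timestamp> <client_ip> <host> <method> <uri>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        hit = classify_uri(parts[4])
        if hit:
            hits.append(hit)
    return hits


# Constructed sample lines built from the URIs in this post (timestamps on the
# socalbellydancer line are made up; the post gives none for it).
SAMPLE_LOG = [
    "2015-02-28T06:23:10Z 192.168.1.146 pinpointlabs.com GET /",
    "2015-02-28T06:23:17Z 192.168.1.146 fire.fairweatherleatherworks.com GET "
    "/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|NDkyYjVlNGE3MTc1OGI0YTUyMGVlZTc2NDVhZTRiZDM",
    "2015-02-28T06:23:24Z 192.168.1.146 fire.fairweatherleatherworks.com GET "
    "/index.php?req=mp3&num=89&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CNDkyYjVlNGE3MTc1OGI0YTUyMGVlZTc2NDVhZTRiZDM",
    "2015-02-28T06:23:30Z 192.168.1.146 dance.socalbellydancer.net GET "
    "/index.php?req=swf&num=7539&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|YmE1MjE2YjFhMmViZjYzYmZhMTg5NDgxMDk1YmJmYjM",
    "2015-02-28T06:23:40Z 192.168.1.146 oswaldinsurance.biz GET /wp-admin/js/bbcode.php",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.stage:<10} tail->{h.decoded}  {h.uri[:60]}")
```

The decoded tail is the same for the landing hit and the req=mp3 hit, which is what ties the exploit request back to its landing page in a larger log; a second session on the other RIG host decodes to a different 32-hex value.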

Analysis of events on Victim Machine

The compromised domain appears to have an exploited WordPress plugin which allowed the attackers to inject an iframe pointing the user to the first redirect. Of note, the iframe isn't hidden in the usual way, but is positioned far off screen, not visible to the user.
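As an added example (not from the original post), here is a small Python scanner for the kind of injection described above: it parses page HTML with the standard-library parser and reports iframes that are hidden or pushed off-canvas. The exact style the injected iframe used is not shown here, so the 1000px threshold and the sample HTML are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

OFFSCREEN_PX = 1000  # assumed threshold: anything this far off-canvas is not meant to be seen


def _style_map(style: str) -> Dict[str, str]:
    """Parse 'a:b; c:d' inline CSS into a dict (lowercased, trimmed)."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def _px(value: str):
    """Return a pixel length as float, or None for '', '100%', 'auto', etc."""
    m = re.match(r"(-?\d+(?:\.\d+)?)\s*(px)?$", value)
    return float(m.group(1)) if m else None


def iframe_reasons(attrs: Dict[str, str]) -> List[str]:
    """Reasons an <iframe> looks deliberately hidden from the viewer."""
    reasons = []
    style = _style_map(attrs.get("style", ""))
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        reasons.append("hidden by css")
    for prop in ("left", "top"):
        v = _px(style.get(prop, ""))
        if v is not None and abs(v) >= OFFSCREEN_PX:
            reasons.append(f"positioned off-screen ({prop}:{style[prop]})")
    for dim in ("width", "height"):
        v = _px(attrs.get(dim, style.get(dim, "")))  # HTML attribute or CSS
        if v is not None and v <= 1:
            reasons.append(f"{dim} is {v:g}px")
    return reasons


class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = iframe_reasons(a)
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_suspicious_iframes(html: str) -> List[dict]:
    s = IframeScanner()
    s.feed(html)
    return s.findings


# Constructed sample: one legitimate embed, one off-screen injected frame,
# one display:none frame. The injected src mirrors the redirect in this post.
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>
<iframe src="http://capemadefieldguide.com/ram.html"
        style="position:absolute; left:-9999px; top:-9999px; width:1px; height:1px"></iframe>
<iframe src="http://example.invalid/other" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it over the rendered HTML, not just the theme files: the injection came through a plugin, so the iframe may only exist in what the server emits.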

The iframe points the browser to 31.186.97.190 capemadefieldguide.com GET /ram.html, which contains a script pointing the user to the next redirect:

The redirect delivers /ram.phtml, which contains obfuscated JavaScript. Once deobfuscated, it reveals the last step before the redirect to the RIG EK landing page, including a call to google.com with an appended query string (the GET /?=e&rix=... request in the traffic above). More on this to come.

The RIG EK landing page is hit next, and it is obfuscated as well. This is what it looks like after some general cleanup and formatting with jsbeautifier. Note: this is not the entire block of code, just a screenshot of the top of it.

Using regular expressions, jsunpack, and Python, we can convert all of the char codes to ASCII and start to get something resembling the landing page. The first stage of the code checks for virtual machines and anti-virus drivers on the target system. The second part of the page loads the various exploits. The first exploit is Flash, and the second appears to target Flash / IE specifically. Following the exploit URL there is a hefty amount of shellcode, starting with 4 NOPs (value="id=90909090...") and continuing from there.
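The char-code conversion and shellcode extraction described above, as an added Python example (not the script used for the original analysis): it rewrites `String.fromCharCode(...)` calls and `\xNN` escapes into literals, then pulls the hex string out of the `value="id=..."` parameter and counts the leading NOPs. The sample JavaScript is constructed; the hex after `id=` is placeholder bytes, not the real shellcode from the capture.

```python
import re
from typing import List

# String.fromCharCode(110,97,...) with decimal codes
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+?)\s*\)")
# "\x6e" style escapes inside string literals
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
# The value="id=9090..." blob: an even run of hex digits, at least 8 bytes
SHELLCODE_RE = re.compile(r"id=((?:[0-9a-fA-F]{2}){8,})")


def decode_charcodes(js: str) -> str:
    """Replace each String.fromCharCode(...) call with the string literal it builds."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE_RE.sub(repl, js)


def decode_hex_escapes(js: str) -> str:
    """Turn \\x6e escapes into the characters they encode."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), js)


def deobfuscate(js: str) -> str:
    """One pass of both decoders; run again if the output is itself encoded."""
    return decode_hex_escapes(decode_charcodes(js))


def extract_shellcode(js: str) -> List[bytes]:
    """Pull every id=<hex> blob out of the page and return it as raw bytes."""
    return [bytes.fromhex(m.group(1)) for m in SHELLCODE_RE.finditer(js)]


def leading_nops(sc: bytes) -> int:
    """Length of the 0x90 sled at the front of a shellcode blob."""
    n = 0
    while n < len(sc) and sc[n] == 0x90:
        n += 1
    return n


# Constructed sample in the style of the landing page; not the real code.
SAMPLE_JS = (
    'var n = String.fromCharCode(110,97,118,105,103,97,116,111,114);'  # -> "navigator"
    'var p = n["\\x70\\x6c\\x75\\x67\\x69\\x6e\\x73"];'                 # -> "plugins"
    "document.write('<param name=\"FlashVars\" "
    "value=\"id=9090909031c050682f2f7368\">');"                        # placeholder bytes
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
    for sc in extract_shellcode(SAMPLE_JS):
        print(f"{len(sc)} bytes, {leading_nops(sc)} leading NOPs: {sc.hex()}")
```

Once the blob is bytes, it can be written to a file and handed to a disassembler; the NOP count is a quick sanity check that the extraction started at the right offset.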

From the memory image of the victim machine, we can see iexplore.exe created index[1].php. The file index[1].php actually contains an MZ header... not good. WerFault.exe is spawned and injected with malware, creating a network connection to the CnC:
(Screenshots: index[1].php; WerFault.exe)

Preliminary Malware Analysis

Flash Exploit

Trojan

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.