Notes
  • Sorry for the hiatus... trying to get back into posting regularly.
  • Payload was XOR'd with the ASCII string 'nkiOaWsg', which is the same string used in this payload from RIG back in February.
  • Payload (Rovnix) was dropped and started to run but did not generate network traffic in a couple of lab environments.
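The note above gives the XOR string used on the dropped payload. As an added example (not the post's own tooling), the helper below applies that string as a repeating 8-byte key and sanity-checks the result for a PE header before an analyst trusts the decoded blob; the key being applied in repeating fashion, and the sample bytes, are assumptions/constructed for illustration.

```python
import struct
from typing import Optional

# XOR string reported in the post; applied as a repeating key (assumption).
XOR_KEY = b"nkiOaWsg"


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR each byte of data with the key, cycling the key (encode == decode)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that a decoded blob is a PE: 'MZ' DOS header and an
    e_lfanew (offset 0x3C) that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Decode an XOR'd payload; return None when the result is not a PE,
    which usually means the key or the key alignment is wrong."""
    decoded = xor_repeating(blob, key)
    return decoded if looks_like_pe(decoded) else None


# Constructed stand-in for a dropped executable: minimal DOS header with
# e_lfanew = 0x40 followed by a PE signature. Not a real malware sample.
FAKE_PE = bytes(
    b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
)
# What the same bytes would look like in the capture after XOR encoding.
ENCODED_SAMPLE = xor_repeating(FAKE_PE)


if __name__ == "__main__":
    result = decode_payload(ENCODED_SAMPLE)
    print("decoded to a PE" if result else "not a PE with this key")
```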
PCAP and Malware
Compromised Domain and Redirect

2015-08-27 15:50:12 UTC - 62.75.180.34 - www.dwdl.de - GET /
2015-08-27 15:50:12 UTC - 62.75.180.34 - www.dwdl.de - GET /core/scripts/jquery-1.7.1.min.js

RIG EK Traffic

2015-08-27 15:50:13 UTC - 46.30.46.75 - best.vacation-egypt.com - GET /?w36KfrmeLhfMAoQ=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caUReA9jV_ynuUVJppzkhaF6WAFz-MfUF9C4wITma_NBKqE
2015-08-27 15:50:21 UTC - 46.30.46.75 - best.vacation-egypt.com - GET /index.php?w36KfrmeLhfMAoQ=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caUReA9jV_ynuUVJppzkhaF6WAFz-MfUF9C4wITma_NBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2p

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

2015-08-27 15:50:14 UTC - 46.30.46.75:80 -> 192.168.64.105:49201 - ET CURRENT EVENTS RIG EK Landing March 20 2015 M2
2015-08-27 15:50:21 UTC - 46.30.46.75:80 -> 192.168.64.105:49201 - ET CURRENT EVENTS RIG EK Landing March 20 2015 M2
2015-08-27 15:50:23 UTC - 192.168.64.105:49201 -> 46.30.46.75:80 - ET CURRENT EVENTS RIG Payload URI Struct March 20

Preliminary Malware Analysis

RIG EK Payload

Modified Registry Key:


If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.