Notes
  • RIG EK delivering Kelihos Payload
  • Found via Threatglass here
  • Payload obfuscated via XOR using ASCII string: 'vwMKCwwA'
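As an added example (not part of the original post), the Python below decodes a payload that was XOR-encoded with the key noted above, 'vwMKCwwA', and shows how that key can be recovered from the blob by using the standard first bytes of an MZ header as known plaintext. It assumes the key is applied as a repeating byte pattern starting at offset 0 (the note does not spell this out); the sample blob is constructed inline, since the real payload is in the password-protected zip.

```python
# Repeating-key XOR decoder / key recovery for an EK-delivered payload.
# Added example, not from the original post. KEY is the string noted above;
# the blob used here is constructed, not the captured payload.
import struct
from typing import Optional

KEY = b"vwMKCwwA"

# First 8 bytes of a typical MZ header (e_magic, e_cblp, e_cp, e_crlc),
# used as known plaintext for key recovery.
MZ_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, cycling the key from offset 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(blob: bytes, known: bytes = MZ_PREFIX) -> bytes:
    """XOR the blob's start against known plaintext and return the shortest
    repeating pattern. Only recovers keys no longer than the known bytes."""
    stream = xor_repeat(blob[:len(known)], known)
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream

def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def decode_payload(blob: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Return the decoded bytes if they form a plausible PE file, else None."""
    out = xor_repeat(blob, key)
    return out if looks_like_pe(out) else None

def build_sample() -> bytes:
    """Constructed stand-in: minimal MZ header with e_lfanew=0x40, then 'PE\\0\\0',
    XOR-encoded with KEY the same way the captured payload was."""
    hdr = bytearray(MZ_PREFIX + b"\x00" * (0x40 - len(MZ_PREFIX)))
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    plain = bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20
    return xor_repeat(plain, KEY)

if __name__ == "__main__":
    sample = build_sample()
    print("recovered key:", recover_key(sample))           # → b'vwMKCwwA'
    print("PE after decode:", decode_payload(sample) is not None)  # → True
```

To run this against the real payload, read the downloaded file from the PCAP or the zip into `blob` and call `recover_key(blob)` before `decode_payload`.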

PCAP and Malware

PCAP here: 2015-11-11-RIG-EK-Network-Traffic.pcap
Malware and Exploits here: 2015-11-11-RIG-EK-Malware-Exploits.zip

Email jack@malwarefor.me for password

Compromised Domain

2015-11-11 04:51:47 UTC - 78.46.97.113 - mystoreshoe.com - GET /

RIG EK Traffic

2015-11-11 04:51:50 UTC - 46.30.42.129 - dream.athomeprofessionsscam.com - GET /?xXmNd7GUKhvLC4Y=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZCTRrMyjl3xzLMSdJ52kh6D7WNVxOIYUV0XtF5AmqfNBKqE
2015-11-11 04:51:51 UTC - 46.30.42.129 - dream.athomeprofessionsscam.com - GET /index.php?xXmNd7GUKhvLC4Y=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZCTRrMyjl3xzLMSdJ52kh6D7WNVxOIYUV0XtF5AmqfNBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWN_PR-jp4k3Aygig
2015-11-11 04:51:56 UTC - 46.30.42.129 - dream.athomeprofessionsscam.com - GET /index.php?xXmNd7GUKhvLC4Y=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZCTRrMyjl3xzLMSdJ52kh6D7WNVxOIYUV0XtF5AmqfNBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PZ8l9o&dop=1

Post-Infection Kelihos Traffic

2015-11-11 04:52:08 UTC - 5.58.74.104 - 5.58.74.104 - GET /mixloa7.exe
2015-11-11 04:52:48 UTC - 59.91.92.244 - 59.91.92.244 - GET /welcome.htm

IDS alerts using the Emerging Threats Pro Ruleset (INFO/POLICY disabled) on Suricata 2.0.8

2015-11-11 04:51:50 UTC - 192.168.34.10:1050 -> 46.30.42.129:80 - ET CURRENT EVENTS RIG Landing URI Struct March 20 2015
2015-11-11 04:51:52 UTC - 192.168.34.10:1052 -> 46.30.42.129:80 - ET CURRENT EVENTS RIG Payload URI Struct March 20 2015
2015-11-11 04:51:56 UTC - 192.168.34.10:1050 -> 46.30.42.129:80 - ET CURRENT EVENTS RIG Exploit URI Struct March 20 2015
2015-11-11 04:52:03 UTC - 192.168.34.10:1050 -> 46.30.42.129:80 - ET CURRENT EVENTS RIG Payload URI Struct March 20 2015
2015-11-11 04:52:09 UTC - 192.168.34.10:1064 -> 5.58.74.104:80 - ET TROJAN Possible Kelihos.F EXE Download Common Structure
2015-11-11 04:52:24 UTC - 192.168.34.10:1073 -> 46.149.62.141:80 - ET TROJAN Win32/Kelihos.F Checkin
2015-11-11 04:52:48 UTC - 192.168.34.10:1086 -> 59.91.92.244:80 - ET TROJAN Win32/Kelihos.F Checkin
2015-11-11 04:52:48 UTC - 192.168.34.10:1086 -> 59.91.92.244:80 - ET TROJAN Win32/Kelihos.F Checkin
2015-11-11 04:54:04 UTC - 5.58.74.104:80 -> 192.168.34.10:1064 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header

Preliminary Malware Analysis

Flash Exploit

RIG EK Payload - Kelihos

Secondary Malware - Kelihos


If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.