SANS ISC: Internet Storm Center

Rig Exploit Kit sends Pitou.B Trojan

Published: 2019-06-25
Last Updated: 2019-06-25 00:04:20 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

As I mentioned last week, Rig exploit kit (EK) is one of a handful of EKs still active in the wild.  Today's diary examines another recent example of an infection caused by Rig EK on Monday 2019-06-24.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  Some of the alerts generated by this infection using Security Onion with Suricata and the EmergingThreats Pro ruleset viewed in Sguil.

Malvertising campaign redirect domain

EK-based malvertising campaigns have "gate" domains that redirect to an EK.  In this case, the gate domain was makemoneyeasywith[.]me.  According to Domaintools, this domain was registered on 2019-06-19, and indicators of this domain redirecting to Rig EK were reported as early as 2019-06-21.


Shown above:  makemoneyeasywith[.]me redirecting to Rig EK landing page on 2019-06-24.

Rig EK

The Rig EK activity I saw on 2019-06-24 was similar to Rig EK traffic I documented in an ISC diary last week.  See the images below for details.


Shown above:  Rig EK landing page.


Shown above:  Rig EK sends a Flash exploit.


Shown above:  Rig EK sends a malware payload.

The malware payload

The malware payload sent by this example of Rig EK appears to be Pitou.B.  In my post-infection activity, I saw several attempts at malspam, but I didn't find DNS queries for any of the mail servers associated with this spam traffic.

Prior to the spam activity, I saw traffic over TCP port 2287 which matched a signature for ETPRO TROJAN Win32/Pitou.B, and it also fit the description for Pitou.B provided by Symantec from 2016.  I didn't let my infected Windows host run long enough to generate DNS queries for remote locations described in Symantec's Technical Description for this Trojan.  However, Any.Run's sandbox analysis of this malware shows DNS queries similar to the Symantec description that happened approximately 9 to 10 minutes after the initial infection activity.


Shown above:  Post-infection traffic over TCP port 2287.


Shown above:  Filtering for indications of SMTP traffic in the pcap.


Shown above:  Using the Export Objects function in Wireshark to see successfully sent spam.


Shown above:  An example of spam sent from my infected Windows host.


Shown above:  DNS queries seen from the Any.Run analysis of this Pitou.B sample.

Indicators of Compromise (IoCs)

The following are IP addresses and domains associated with this infection:

  • 185.254.190[.]200 port 80 - makemoneyeasywith[.]me - Gate domain that redirected to Rig EK
  • 188.225.26[.]48 port 80 - 188.225.26[.]48 - Rig EK traffic
  • 195.154.255[.]65 port 2287 - Encoded/encrypted traffic caused by the Pitou.B Trojan
  • various IP addresses over TCP port 25 - spam traffic from the infected Windows host
  • various domains in DNS queries seen from the Any.Run analysis of this Pitou.B sample
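As an added example (not part of this diary and not ISC tooling), the check below runs over constructed Zeek-style conn.log lines and flags two things the diary describes: contact with the IoC addresses listed above, and a host whose outbound TCP/2287 connection is followed by SMTP connections to many distinct servers, the spam-bot sequence seen in the post-infection traffic. The log layout, the distinct-server threshold and the time window are assumptions.

```python
from collections import defaultdict

# Constructed Zeek-style conn.log sample (tab-separated: ts, src, sport, dst, dport, proto).
# Not from the diary's pcap; SMTP destinations use RFC 5737 documentation ranges.
SAMPLE_CONN_LOG = """\
1561360000.1\t10.6.24.101\t49210\t185.254.190.200\t80\ttcp
1561360002.3\t10.6.24.101\t49215\t188.225.26.48\t80\ttcp
1561360030.0\t10.6.24.101\t49230\t195.154.255.65\t2287\ttcp
1561360095.4\t10.6.24.101\t49240\t203.0.113.10\t25\ttcp
1561360096.1\t10.6.24.101\t49241\t203.0.113.22\t25\ttcp
1561360097.8\t10.6.24.101\t49242\t198.51.100.7\t25\ttcp
1561360098.2\t10.6.24.101\t49243\t198.51.100.9\t25\ttcp
1561360099.9\t10.6.24.101\t49244\t192.0.2.33\t25\ttcp
1561360100.5\t10.6.24.55\t50001\t192.0.2.80\t25\ttcp
"""

# Network indicators taken from the diary's IoC list (defanging removed).
IOC_IPS = {"185.254.190.200", "188.225.26.48", "195.154.255.65"}
PITOU_PORT = 2287          # non-standard port the diary ties to Pitou.B traffic
SMTP_PORT = 25
SPAM_DISTINCT_DST = 5      # assumed threshold: distinct SMTP servers contacted
SPAM_WINDOW_SEC = 600      # assumed window after the first TCP/2287 connection

def parse(log_text):
    """Yield (ts, src, dst, dport, proto) tuples, skipping comments and blank lines."""
    for line in log_text.splitlines():
        if line and not line.startswith("#"):
            ts, src, _sport, dst, dport, proto = line.split("\t")
            yield float(ts), src, dst, int(dport), proto

def analyze(log_text):
    """Return {src_ip: [alert, ...]} for hosts with IoC hits or the Pitou.B spam pattern."""
    alerts = defaultdict(list)
    first_2287 = {}                 # src -> timestamp of first TCP/2287 connection
    smtp_dsts = defaultdict(set)    # src -> distinct SMTP servers contacted afterwards
    for ts, src, dst, dport, proto in sorted(parse(log_text)):
        if dst in IOC_IPS:
            alerts[src].append(f"IoC hit: {dst}:{dport}")
        if proto == "tcp" and dport == PITOU_PORT:
            first_2287.setdefault(src, ts)
        elif (proto == "tcp" and dport == SMTP_PORT and src in first_2287
              and ts - first_2287[src] <= SPAM_WINDOW_SEC):
            smtp_dsts[src].add(dst)
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SPAM_DISTINCT_DST:
            alerts[src].append(f"possible Pitou.B spam bot: TCP/{PITOU_PORT} "
                               f"then SMTP to {len(dsts)} distinct servers")
    return dict(alerts)
```

A host that only sends mail (10.6.24.55 in the sample) is not flagged, since the rule requires the TCP/2287 connection first.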

The following are files associated with this infection:

SHA256 hash: 9c569f5e6dc2dd3cf1618588f8937513669b967f52b3c19993237c4aa4ac58ea

  • File size: 9,203 bytes
  • File description: Flash exploit sent by Rig EK on 2019-06-24

SHA256 hash: 835873504fdaa37c7a6a2df33828a3dcfc95ef0a2ee7d2a078194fd23d37cf64

  • File size: 827,904 bytes
  • File description: Pitou.B malware sent by Rig EK on 2019-06-24

Final words

A pcap of the infection traffic along with the associated malware and artifacts can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net
