As I mentioned last week, Rig exploit kit (EK) is one of a handful of EKs still active in the wild. Today's diary examines another recent example of an infection caused by Rig EK on Monday 2019-06-24.
Malvertising campaign redirect domain
EK-based malvertising campaigns have "gate" domains that redirect to an EK. In this case, the gate domain was makemoneyeasywith[.]me. According to Domaintools, this domain was registered on 2019-06-19, and indicators of this domain redirecting to Rig EK were reported as early as 2019-06-21.
The Rig EK activity I saw on 2019-06-24 was similar to Rig EK traffic I documented in an ISC diary last week. See the images below for details.
The malware payload
The malware payload sent by this example of Rig EK appears to be Pitou.B. In my post-infection activity, I saw several attempts at malspam, but I didn't find DNS queries for any of the mail servers associated with this spam traffic.
Prior to the spam activity, I saw traffic over TCP port 2287 which matched a signature for ETPRO TROJAN Win32/Pitou.B, and it also fit the description for Pitou.B provided by Symantec from 2016. I didn't let my infected Windows host run long enough to generate DNS queries for remote locations described in Symantec's Technical Description for this Trojan. However, Any.Run's sandbox analysis of this malware shows DNS queries similar to the Symantec description that happened approximately 9 to 10 minutes after the initial infection activity.
Indicators of Compromise (IoCs)
The following are IP addresses and domains associated with this infection:
The following are files associated with this infection:
A pcap of the infection traffic along with the associated malware and artifacts can be found here.
Jun 25th 2019
3 weeks ago