On Wednesday 2017-05-10, @thlnk3r tweeted about Rig exploit kit (EK) activity. @DynamicAnalysis has already posted an analysis of this traffic on malwarebreakdown.com (always a good read), but I've also looked into it. Today's diary documents my investigation.
This is not one of the campaigns that use Rig EK like pseudoDarkleech or EITest (both of which I haven't seen since April 2017). This traffic has different characteristics. Cisco is calling it the Seamless Campaign due to an associated iframe attribute back when it was first discovered.
By the time I investigated this traffic, the compromised site that kicked off the chain of events was already off-line. Fortunately, I was able to generate Rig EK by going directly to the Seamless gate URL at 126.96.36.199/flow335.php.
The Seamless gate led to Rig EK, and network traffic showed indicators of a Ramnit infection after Rig EK.
Indicators of Compromise (IOCs)
The following IP addresses and domains are associated with this traffic:
The following files are associated with this traffic:
Rig EK is still an ongoing factor in our current threat landscape. Thanks to everyone on Twitter who tweets about EK activity. Without help from the community, this traffic is difficult to obtain.
As always, if you follow best security practices (keep your Windows computer up-to-date and patched, etc.), your risk of infection is minimal. Unfortunately, many people don't follow best practices. Until this situation changes, EKs will likely remain a profitable method for criminals distributing malware.
Emails, malware samples, and pcaps associated with the 2017-05-10 Rig EK traffic can be found here.
May 11th 2017
10 months ago