Threat Level: green Handler on Duty: Brad Duncan

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC StormCast for Wednesday, April 1st 2015 http://isc.sans.edu/podcastdetail.html?id=4421

Rig Exploit Kit Changes Traffic Patterns

Published: 2015-04-01
Last Updated: 2015-04-01 00:34:52 UTC
by Brad Duncan (Version: 1)
2 comment(s)

Sometime within the past month, Rig exploit kit (EK) changed URL structure.  Below is an example of Rig EK with its previous traffic patterns from February 2015:

Notice the PHPSSESID and ?req= patterns in the above example.  Below is a more recent example of Rig EK from March 31 2015:

Now, we don't see the PHPSSESID and ?req= patterns.  Let’s take a closer look at the more recent example of Rig EK.  Below is the HTTP GET request for the landing page:

The data is gzip compressed, so you have to extract the file to see what it looks like.  Below is the HTML for the first part of this Rig EK landing page:

Below is the HTTP GET request for the Flash exploit sent by the exploit kit:

Finally, the exploit kit sends the malware payload.  It’s encrypted, and the only indication this is an executable file is the Content-Type tag indicated in the image below:

A copy of the decrypted malware payload can be found at: https://malwr.com/analysis/NzIwYjgwYTcyODhiNGUwNGIxOTRjMzllNjkwMGViMzc/

The malware payload didn’t do anything on the VM, so I ran it through a malware analysis tool and got the following traffic:

Keep in mind malware payloads differ among the criminal organizations that rent these exploit kits, and the payload can also change from day-to-day.

I haven't heard too much yet about this recent change in URL patterns for Rig EK, but it's certainly happening.

---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

Keywords: Rig EK
2 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Select Star from PCAP - Treating Packet Captures as Databases
1 day ago by Rob VandenBrink (3 comments)

YARA Rules For Shellcode
2 days ago by DidierStevens (0 comments)

Malicious XML: Matryoshka Edition
3 days ago by DidierStevens (0 comments)

Friday Digest - 27 MAR 2015
4 days ago by Russ McRee (5 comments)

Pin-up on your Smartphone!
6 days ago by Daniel (8 comments)

Nmap/Google Summer of Code
1 week ago by Kevin Liston (0 comments)

F-Secure: FSC-2015-2: PATH TRAVERSAL VULNERABILITY
1 week ago by Kevin Liston (0 comments)

PHP 5.5.23 is available
1 week ago by Kevin Liston (2 comments)

View All Diaries →

Latest Discussions

TLS on a mobile app
created 2 days ago by Anonymous (0 replies)

Mobile App TLS connection
created 2 days ago by Anonymous (0 replies)

Cryptofortress and variants - Network Enumeration
created 1 week ago by Anonymous (0 replies)

Getting Into Digital Forensics
created 1 week ago by Hel10s (0 replies)

Security Requirements vs. Secure Requirements
created 1 week ago by SecArchitect (0 replies)

View All Forums →

Latest News

View All News →