2018-04-06 - I WENT AFTER RIG EK LIKE IT WAS A SNAKE ON WHACKING DAY
ASSOCIATED FILES:
- Zip archive of the infection traffic: 2018-04-06-Rig-EK-sends-Bunitu-2-pcaps.zip 579 kB (579,227 bytes)
- 2018-04-06-Rig-EK-traffic-1st-run.pcap 403 kB (403,019 bytes)
- 2018-04-06-Rig-EK-traffic-2nd-run.pcap 286 kB (285,834 bytes)
- 2018-04-06-Rig-EK-flash-exploit-both-runs.swf 16 kB (15,998 bytes)
- 2018-04-06-Rig-EK-landing-page-1st-run.txt 96 kB (95,872 bytes)
- 2018-04-06-Rig-EK-landing-page-2nd-run.txt 96 kB (95,933 bytes)
- 2018-04-06-Rig-EK-payload-1st-run.exe 279 kB (279,040 bytes)
- 2018-04-06-Rig-EK-payload-2nd-run.exe 163 kB (162,816 bytes)
- eunlock.dll 15 kB (14,848 bytes)
NOTES:
- I originally recorded this traffic on Friday 2018-04-06, but I wasn't able to review it until Monday 2018-04-09.
- No post-infection traffic is available in the pcaps. It's just Rig EK and some traffic leading up to it.
- Bunitu doesn't immediately generate its post-infection traffic, and I didn't wait long enough when I originally recorded these pcaps.
- I used an older version of Flash, so I don't think the Flash exploit I saw from Rig EK was for CVE-2018-4878.
- Ultimately, I'm just part of a security community mob going after Rig EK like it's a snake on Whacking Day.
Shown above: Quote from Homer, "Lisa, maybe if I'm part of that mob, I can help steer it in wise directions. Now, where's my giant foam cowboy hat and airhorn?"
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:
- thingiverse[.]com
- domslavx[.]info
- x.lxoxiaudio[.]com
- y.lxoxiaudio[.]com
TRAFFIC
Shown above: Infection traffic filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 78.47.1[.]201 port 80 - thingiverse[.]com - bogus site set up for this campaign
- 88.198.94[.]52 port 80 - domslavx[.]info - Gate leading to Rig EK
- 46.30.42[.]150 port 80 - 46.30.42[.]150 - Rig EK (1st run)
- 46.30.43[.]235 port 80 - 46.30.43[.]235 - Rig EK (2nd run)
TRAFFIC WHEN I LATER ANALYZED ONE OF THE PAYLOAD BINARIES (BUNITU):
- DNS query for x.lxoxiaudio[.]com, resolved to 136.54.81[.]16
- DNS query for y.lxoxiaudio[.]com, resolved to 130.142.198[.]45
- 95.169.186[.]63 port 443 - encoded traffic caused by Bunitu (not HTTPS/SSL/TLS)
- 85.17.45[.]2 port 443 - encoded traffic caused by Bunitu (not HTTPS/SSL/TLS)
- 96.44.144[.]181 port 443 - encoded traffic caused by Bunitu (not HTTPS/SSL/TLS)
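The three port 443 connections above are described as encoded traffic that is not HTTPS/SSL/TLS. One way to make that call programmatically is to check whether the first client-to-server segment carries a TLS handshake record with a ClientHello of consistent length. The Python below is an added example, not code from the original post; the payloads and flows it uses are constructed (the Bunitu destination IPs are the ones listed above, 203.0.113.10 is a documentation address standing in for a legitimate HTTPS server).

```python
"""Added example (not from the original post): tell real TLS from 'encoded traffic on
TCP/443 that is not TLS', as the Bunitu C2 connections above are described.
Checks the first client-to-server payload for a well-formed TLS ClientHello record.
All sample payloads and flows below are constructed for illustration."""
import struct

TLS_HANDSHAKE = 0x16             # record content type: handshake
CLIENT_HELLO = 0x01              # handshake message type
MAX_RECORD_LEN = 2 ** 14 + 2048  # upper bound on a TLS record body (RFC 5246, 6.2.3)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a TLS record (type 0x16, major version 3) that
    carries a ClientHello whose length is consistent with the record header."""
    if len(payload) < 9:
        return False
    content_type, major, minor, record_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return False
    if record_len == 0 or record_len > MAX_RECORD_LEN:
        return False
    handshake_type = payload[5]
    handshake_len = int.from_bytes(payload[6:9], "big")
    # the 4-byte handshake header plus its body must fit inside the record
    return handshake_type == CLIENT_HELLO and handshake_len + 4 <= record_len


def flag_non_tls_on_443(flows):
    """flows: iterable of (dst_ip, dst_port, first_client_payload).
    Returns the destination IPs that receive non-TLS data on port 443."""
    return [ip for ip, port, data in flows
            if port == 443 and not looks_like_tls_client_hello(data)]


# --- constructed samples ------------------------------------------------------
# Minimal but well-formed ClientHello body: version, 32-byte random, empty session
# id, one cipher suite (TLS_AES_128_GCM_SHA256), null compression.
_BODY = b"\x03\x03" + bytes(range(32)) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01" + struct.pack("!H", len(_BODY) + 4)
                       + b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY)
# Opaque bytes on port 443: what a custom-encoded C2 channel looks like to this check.
SAMPLE_OPAQUE = bytes([0x8A, 0x41, 0xF2, 0x07, 0xC3, 0x99, 0x10, 0x5E, 0xEE, 0x21, 0x77, 0x04])
# Plaintext HTTP sent to 443 also fails the check, so hits need a second look.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Opaque flows use the Bunitu destinations listed above; 203.0.113.10 is a
# documentation address standing in for a legitimate HTTPS server.
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, SAMPLE_CLIENT_HELLO),
    ("95.169.186.63", 443, SAMPLE_OPAQUE),
    ("85.17.45.2", 443, SAMPLE_OPAQUE),
    ("96.44.144.181", 443, SAMPLE_OPAQUE),
    ("78.47.1.201", 80, b"GET /index.html HTTP/1.1\r\n"),  # port 80 is out of scope
]

if __name__ == "__main__":
    for ip in flag_non_tls_on_443(SAMPLE_FLOWS):
        print("non-TLS traffic on 443 to", ip)
```

Feed it the first client payload of each TCP session (for example, reassembled from the pcaps). A port 443 session with no ClientHello is what a custom C2 protocol like Bunitu's looks like, but plain HTTP mistakenly sent to 443 trips the same check, so treat a hit as a triage filter rather than a verdict.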
FILE HASHES
RIG EK FLASH EXPLOIT:
- SHA256 hash: d871fa0e1ac9e03e65b71fc9f3261a320e63fd1731fae33595f79ec51d5fabc4
File size: 15,998 bytes
File description: Rig EK flash exploit seen on Friday 2018-04-06
1ST RUN RIG EK MALWARE PAYLOAD:
- SHA256 hash: 12dc4c44b0bdbe2efb8d10de14b09682589069e3f2ea0c82b21c4270455d199d
File size: 279,040 bytes
File description: Rig EK payload - Bunitu executable
2ND RUN RIG EK MALWARE PAYLOAD:
- SHA256 hash: 5a49dfdc87158cca5e0990361d57d870fde6aa6f63d16096698ba4c244bc3b54
File size: 162,816 bytes
File description: Rig EK payload - Bunitu executable
ARTIFACT AFTER RUNNING ONE OF THE ABOVE BINARIES ON A WINDOWS HOST:
- SHA256 hash: e4a1f94d58bd5ef7875991688017465441d99edc0d663bdac813bb9d03cae258
File size: 14,848 bytes
File location: C:\Users\[username]\AppData\Local\eunlock.dll
Registry data: rundll32.exe "C:\Users\[username]\AppData\Local\eunlock.dll",eunlock
Shown above: Bunitu made persistent on an infected Windows host.
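The persistence above is a Run-key value that launches rundll32.exe against a DLL dropped in the user's AppData\Local and calls a named export. The Python below is an added example, not code from the original post, of how to parse such command lines from a dump of Run-key values and flag DLLs loaded from user-writable directories. The sample entries are constructed; only the eunlock one is modelled on the registry data above, and the username is made up.

```python
"""Added example (not from the original post): triage Run-key persistence of the
form seen above, rundll32.exe "<user-writable path>\\x.dll",<export>.
Parses the command line, then flags DLLs loaded from user-writable locations.
The sample Run key below is constructed; only the eunlock entry is modelled on this post."""
import re
from pathlib import PureWindowsPath

# optional path to rundll32, then the DLL (quoted or not), a comma, and the export name/ordinal
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+)'
    r'\s*,\s*(?P<export>[^\s,]+)',
    re.IGNORECASE,
)

# directory fragments a standard user can write to (lower-case for comparison)
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\temp\\", "\\programdata\\", "\\downloads\\")


def parse_rundll32(cmd: str):
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmd)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("export")


def triage_run_key(entries: dict) -> list:
    """entries: {value_name: command_line} read from a Run key.
    Returns one dict per rundll32 entry whose DLL sits in a user-writable directory."""
    hits = []
    for name, cmd in entries.items():
        parsed = parse_rundll32(cmd)
        if parsed is None:
            continue
        dll, export = parsed
        lowered = dll.lower()
        if not any(frag in lowered for frag in USER_WRITABLE):
            continue
        reasons = ["DLL loaded from user-writable path"]
        # the sample in this post used the DLL's own base name as the export; cheap extra signal
        if export.lower() == PureWindowsPath(dll).stem.lower():
            reasons.append("export name equals DLL base name")
        hits.append({"name": name, "dll": dll, "export": export, "reasons": reasons})
    return hits


SAMPLE_RUN_KEY = {
    # modelled on the registry data in this post; the username is made up
    "eunlock": r'rundll32.exe "C:\Users\analyst\AppData\Local\eunlock.dll",eunlock',
    # constructed benign-looking entries for contrast (hypothetical vendor software)
    "VendorTray": r'C:\Windows\System32\rundll32.exe C:\Windows\System32\vendortray.dll,TrayMain',
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
}

if __name__ == "__main__":
    for hit in triage_run_key(SAMPLE_RUN_KEY):
        print(hit)
```

The path check is the part that generalizes: rundll32 itself is a legitimate Windows binary, so the signal is a DLL under a directory the user can write to, not the use of rundll32. The export-name heuristic only documents what this particular sample did.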