
RIG-v EK from 195.133.146.58 sends SSL Banking Trojan

Posted in trojan, exploitkit

Zeus SSL Banking Trojan

While reviewing this RIG-v traffic I noticed that no trojan signatures fired for the dropped payload :(

Further investigation showed the payload was making SSL connections to uspal.cf with a legitimate cert and attempting further downloads.

After reviewing with the Emerging Threats Team, we determined these connections were related to the Zeus Banking Trojan. They will be releasing a new signature for this SSL connection tonight.

Thanks Guys!



Domains:

IP Address       Host                 Role
207.58.143.233   www.spoofee.com      Compromised site
118.178.241.78   118.178.241.78       Evil 302 Redirect
195.133.146.58   free.banayok.com     RIG-v EK
154.127.59.234   uspal.cf             Zeus SSL Checkin



Traffic:

[Screenshot: Evil iFrame]

[Screenshot: Evil 302 Redirect]

[Screenshot: RIG-v EK & CnC Traffic]



Network Signatures:

[1:2017342:3] ET INFO Iframe For IP Address Site
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2823058:2] ETPRO CURRENT_EVENTS Evil 302 Redirect to RIG-v EK Oct 24 2016
[1:2022466:4] ET CURRENT_EVENTS Possible Keitaro TDS Redirect
[1:2023198:2] ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)
[1:2023199:2] ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)
[1:2820090:3] ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b642)
[1:2820091:3] ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b642)
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2811657:2] ETPRO CURRENT_EVENTS SunDown EK Flash June 23 2015 M1
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2022916:3] ET CURRENT_EVENTS RIG EK Payload Jun 26 2016
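As an added example (not part of the original post), the alert list above can be collapsed into the infection chain it records. The sample lines are taken from the post's signature list, the stage keywords are this example's own choice, and the empty cnc stage reflects the point of the post: the Zeus SSL check-in had no signature yet.

```python
import re
# Constructed sample in the "[gid:sid:rev] message" form used by the post's
# Network Signatures list, reduced to one alert per step plus one repeat.
ALERTS = """\
[1:2017342:3] ET INFO Iframe For IP Address Site
[1:2823058:2] ETPRO CURRENT_EVENTS Evil 302 Redirect to RIG-v EK Oct 24 2016
[1:2023198:2] ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2022916:3] ET CURRENT_EVENTS RIG EK Payload Jun 26 2016
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
"""

SIG_RE = re.compile(r"^\[(\d+):(\d+):(\d+)\]\s+(.+)$")

# Chain stages in order; an alert lands in the first stage whose keyword appears
# in its rule message. The keyword lists are this example's own choice.
STAGES = {
    "gate":    ("Iframe", "Redirect", "TDS"),
    "landing": ("Landing", "URI struct"),
    "exploit": ("Flash", "Exploit"),
    "payload": ("Payload",),
    "cnc":     ("CnC", "Checkin", "Zeus", "TROJAN"),
}

def parse_alert(line):
    """Parse one alert line into (sid, message), or None if it is not an alert."""
    m = SIG_RE.match(line.strip())
    return (int(m.group(2)), m.group(4)) if m else None

def classify(msg):
    """Map a rule message onto a chain stage; anything unrecognised is 'other'."""
    for stage, keywords in STAGES.items():
        if any(k in msg for k in keywords):
            return stage
    return "other"

def build_chain(text):
    """Collapse repeated alerts into {stage: sorted unique SIDs}, in chain order."""
    chain = {stage: set() for stage in [*STAGES, "other"]}
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed:
            sid, msg = parsed
            chain[classify(msg)].add(sid)
    return {stage: sorted(sids) for stage, sids in chain.items()}

def missing_stages(chain):
    """Stages with no alert at all: the coverage gaps worth a new signature."""
    return [stage for stage in STAGES if not chain[stage]]
```

Running build_chain on a real fast.log export gives the same per-stage view, and missing_stages points at the step where the dropped payload went undetected.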



Process Tree:

[Screenshot: Exploit and Trojan execution]



Attempted download:

[Screenshot: Extra Payload]



SSL Connections:

[Screenshot: Zeus SSL Connections]

[Screenshot: Zeus CnC Request]



File Hashes:

Detection ratio: 6 / 54
SHA256: 0cc84eaea2a9661c07d316aa1275ffd9227fc92e8d2507f167a9f6e534dc2644
File type: Flash

Detection ratio: 11 / 56
SHA256: ce1c00243eb04d83151f41d6286abc22762bb3a307d187c947e54e71cca2d0bf
File type: Win32 EXE

Detection ratio: 11 / 56
SHA256: bd694a665310fda0e7f4cea751385a31f57521c5540e558d58689b554a090081
File type: Win32 EXE



Associated files:

traffic.zip
