By: ThreatLabz

RIG EK Outbreak Continues

Exploit Kit

During daily data mining activities, we observe continual outbreaks of many exploit kits (EKs), RIG EK among them. Logs are monitored and analyzed to come up with new protections, which are eventually deployed in the Zscaler cloud. The dynamic nature of an EK's landing page code presents a constant challenge in providing generic detections, so we also need to look at other aspects of EKs, such as URLs, domains and IPs, to come up with generic detection guidance. In this regard, log analysis plays an important role.
 
In this blog we'll take a look at the RIG EK logs observed last week (8/28/2014 - 9/5/2014).
 
RIG EK Traffic (%)
The above chart illustrates the traffic trend of RIG EK over the past week. There was a significant spike noted on Sept. 4th. 
 
Sept 4th Domains/IP:
 
Domain                          IP
eir.alexandrajarup[.]com        194.58.101[.]24
uiue.nuiausqas[.]com            194.58.101[.]24
iow.alanmccaig[.]com            191.101.14[.]125
ods.alankellygang[.]com         191.101.14[.]125
uew.alankellygang[.]com         191.101.14[.]125
soi.alankellygang[.]com         191.101.14[.]125
eur.alankellygang[.]com         191.101.14[.]125
sod.alankellygang[.]com         191.101.14[.]125
soa.alankellygang[.]com         191.101.14[.]125
lol.alankellygang[.]com         191.101.14[.]125
 

Sept 4th EK URLs:
 
 
Sept 4th common URL pattern:
 
[.]com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg
 
RIG EK landing page content:
 
RIG EK Landing Page
Code analysis of the landing page shown above is not discussed here. For a full code analysis, please take a look at our blog post from last month, in which we presented a generic de-obfuscation technique that helps de-obfuscate EKs such as RIG and Fiesta.
 
Let's now take a look at the overall traffic distribution by IP for the last week (8/28/2014 - 9/5/2014).
 
Traffic distribution by EK IP's
Traffic was observed from 13 unique IP addresses. IP 191.101.14[.]125 was seen spreading the EK in large volumes. We also observed many of the IP addresses falling into three subnets:
 
194.58.101[.]XXX
191.101.13[.]XXX
191.101.14[.]XXX
 
We recommend blocking the aforementioned IPs. Subnet-level blocks can also be used, but we have to be a bit cautious when doing so, as legitimate sites may also be hosted in the same range.
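To show how the two indicator types in this post (the common "/?PHPSSESID=" URL pattern and the IP/subnet list) translate into log-based detection with the confidence levels the paragraph above implies, here is an added Python example. It is not ThreatLabz or Zscaler code. It assumes a simple constructed proxy log format (timestamp, client, method, URL, server IP, status), reads the post's "x.x.x.XXX" ranges as /24 networks, treats the session token as a long alphanumeric string, and uses constructed sample log lines; a direct match on a listed IP or on the URL pattern is reported as high confidence, while a hit only on one of the three ranges is reported as medium, reflecting the caveat that legitimate sites may share the range.

```python
import ipaddress
import re
from typing import Optional

# Indicators taken from this post, kept defanged and refanged at load time.
RIG_IPS_DEFANGED = [
    "178.132.203[.]113", "194.58.101[.]38", "194.58.101[.]31", "194.58.101[.]24",
    "191.101.13[.]139", "191.101.13[.]140", "5.31.72[.]115", "191.101.13[.]202",
    "191.101.13[.]201", "191.101.13[.]200", "191.101.13[.]198", "191.101.13[.]196",
    "191.101.14[.]125",
]
# The three ranges called out in the post; the /24 reading of "XXX" is an assumption.
RIG_SUBNETS_DEFANGED = ["194.58.101[.]0/24", "191.101.13[.]0/24", "191.101.14[.]0/24"]

# Generic pattern for the Sept 4th landing-page URL: "/?PHPSSESID=" followed by a long
# alphanumeric token. The parameter name is the EK's own spelling (PHPSSESID, not the
# PHP default PHPSESSID), which is useful as a distinguishing feature.
RIG_URL_RE = re.compile(r"/\?PHPSSESID=[A-Za-z0-9]{20,}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 191.101.14[.]125 back into a usable address."""
    return indicator.replace("[.]", ".")


RIG_IPS = {ipaddress.ip_address(refang(i)) for i in RIG_IPS_DEFANGED}
RIG_SUBNETS = [ipaddress.ip_network(refang(s)) for s in RIG_SUBNETS_DEFANGED]

# Constructed log format (assumption, not Zscaler's own format):
# "<date> <time> <client_ip> <method> <url> <server_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<server>\S+) (?P<status>\d+)$"
)


def classify(line: str) -> Optional[dict]:
    """Return a verdict dict for a log line that matches a RIG indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a line in the expected format; ignore
    reasons = []
    confidence = None

    # 1. Landing-page URL pattern: a direct hit regardless of hosting IP.
    if RIG_URL_RE.search(m["url"]):
        reasons.append("url matches RIG PHPSSESID landing-page pattern")
        confidence = "high"

    # 2. Server IP: exact listed IP is high confidence; range-only hit is medium,
    #    because legitimate sites may be hosted in the same range.
    try:
        server = ipaddress.ip_address(m["server"])
    except ValueError:
        server = None
    if server is not None:
        if server in RIG_IPS:
            reasons.append(f"server {server} is a listed RIG EK IP")
            confidence = "high"
        else:
            for net in RIG_SUBNETS:
                if server in net:
                    reasons.append(f"server {server} is in suspect range {net} (review before blocking)")
                    confidence = confidence or "medium"
                    break

    if not reasons:
        return None
    return {"url": m["url"], "server": m["server"], "confidence": confidence, "reasons": reasons}


def scan(lines) -> list:
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [verdict for verdict in (classify(line) for line in lines) if verdict]


# Constructed sample log lines (not real traffic). The first uses a domain, IP and
# token from this post; the second uses a made-up host inside a listed range;
# the third is benign; the fourth shows the URL pattern catching a host whose IP
# is not on the list at all.
SAMPLE_LOG = [
    "2014-09-04 09:12:31 10.1.2.3 GET http://eir.alexandrajarup.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg 194.58.101.24 200",
    "2014-09-04 09:12:40 10.1.2.3 GET http://host.example/index.html 191.101.13.50 200",
    "2014-09-04 09:13:02 10.1.2.4 GET http://www.example.org/news 203.0.113.7 200",
    "2014-09-04 09:14:15 10.1.2.5 GET http://sod.alankellygang.com/?PHPSSESID=AbCdEfGhIjKlMnOpQrStUvWxYz0123 198.51.100.9 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["confidence"].upper(), hit["server"], hit["url"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The "medium" verdicts are the ones to review by hand before turning a range into a block; the "high" verdicts on the URL pattern hold even when the kit moves to a new IP, which is why the paragraph above favours URL/domain/IP features over landing-page code for generic detection.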
 
The following world map illustrates the geographical distribution of the EK IP's which have been observed. As noted, most activity is emanating from Russia. 
 
Geographical distribution by EK IP's
 
No geo-location information was available for the IPs falling into the '191.101.XX.XX' range.
 
Below is the full list of domains and IP's seen for the previous week.
 
Domain                                      IP
tue.allthatsin[.]com                        178.132.203[.]113
qie.allthatsin[.]com                        178.132.203[.]113
dfu.aloliskincare[.]com                     194.58.101[.]38
uer.alistairnunes[.]com                     194.58.101[.]31
eir.alexandrajarup[.]com                    194.58.101[.]24
uiue.nuiausqas[.]com                        194.58.101[.]24
oweuryt.account-ltunes[.]com                191.101.13[.]139
teyruyt.a[.]commodationinsauze[.]com        191.101.13[.]139
weorioi.a[.]commodationinsauze[.]com        191.101.13[.]139
super.affogatomoments[.]com                 191.101.13[.]139
iuweryw.activity-partners[.]com             191.101.13[.]139
owiery.wikusbotha[.]com                     191.101.13[.]140
nuaysuq.planeimpressions[.]com              5.31.72[.]115
suyfdys.online-moneymakingsystem[.]com      5.31.72[.]115
iuiweyr.online-moneymakingsystem[.]com      5.31.72[.]115
oweiru.laughterisgoodmedicine[.]com         5.31.72[.]115
woiero.laughterisgoodmedicine[.]com         5.31.72[.]115
aosidoa.kensymicek[.]com                    191.101.13[.]202
sdfusug.kensymicek[.]com                    191.101.13[.]202
qwieuu.kensymicek[.]com                     191.101.13[.]202
iuasid.kensymicek[.]com                     191.101.13[.]202
odigoud.helny[.]com                         191.101.13[.]202
qoiweur.helny[.]com                         191.101.13[.]202
miiuis.helny[.]com                          191.101.13[.]202
oeriouh.francisssmith[.]com                 191.101.13[.]202
dciugi.francisssmith[.]com                  191.101.13[.]202
gdofigu.forgottenapples[.]com               191.101.13[.]201
popoqwe.dukeanddiva[.]com                   191.101.13[.]201
mbivuc.click2maps[.]com                     191.101.13[.]201
oiqwour.click2maps[.]com                    191.101.13[.]201
oiaosdu.bluffswebdesign[.]com               191.101.13[.]201
dwieru.bluffswebdesign[.]com                191.101.13[.]201
nuasiud.amiramatthews[.]com                 191.101.13[.]200
miuggid.748tmp[.]com                        191.101.13[.]200
owierowu.748tmp[.]com                       191.101.13[.]200
eoitoe.boxsteravatar[.]com                  191.101.13[.]200
miqwue.boxsteravatar[.]com                  191.101.13[.]200
wueriq.boxsteravatar[.]com                  191.101.13[.]200
naduq.00tim[.]com                           191.101.13[.]198
miasud.bigredshed.org[.]uk                  191.101.13[.]198
qiuwer.121sky[.]com                         191.101.13[.]198
digudyfg.belucent.co[.]uk                   191.101.13[.]196
woiero.beauchamplondon.co[.]uk              191.101.13[.]196
iow.alanmccaig[.]com                        191.101.14[.]125
ods.alankellygang[.]com                     191.101.14[.]125
uew.alankellygang[.]com                     191.101.14[.]125
soi.alankellygang[.]com                     191.101.14[.]125
eur.alankellygang[.]com                     191.101.14[.]125
sod.alankellygang[.]com                     191.101.14[.]125
soa.alankellygang[.]com                     191.101.14[.]125
lol.alankellygang[.]com                     191.101.14[.]125
kick.alankellygang[.]com                    191.101.14[.]125
sdifu.alanhalldriving[.]com                 191.101.14[.]125
pqqie.alanhalldriving[.]com                 191.101.14[.]125
weoriuwyt.alanhalldriving[.]com             191.101.14[.]125
oigydfg.alanhalldriving[.]com               191.101.14[.]125
oiweyr.alanhalldriving[.]com                191.101.14[.]125
fgydy.ajrobertsconsulting[.]com             191.101.14[.]125
husaus.ajrobertsconsulting[.]com            191.101.14[.]125
 
The above trend shows a continuous outbreak of RIG EK in the wild. Mining logs for such activity gives us a sense of the trends being followed by the attackers. We will keep sharing such information via blog and scrapbook posts.
 
Stay tuned! 
 
Pradeep
 