RIG EK Outbreak Continues

Authored by: ThreatLabz
Category: Exploit Kit

During our daily data mining activities, we observe continual outbreaks of many exploit kits (EKs), such as RIG EK. Logs are monitored and analyzed to come up with new protections, which are then deployed in the Zscaler cloud. The dynamic nature of an EK's landing page code presents a constant challenge in providing generic detections, so we also need to look at other aspects of the EKs, such as URLs, domains and IPs, to come up with generic detection guidance. In this regard, log analysis plays an important role.
 
In this blog we'll take a look at the RIG EK logs observed over the last week (8/28/2014 - 9/5/2014).
 
RIG EK Traffic (%)
The above chart illustrates the traffic trend of RIG EK over the past week. A significant spike was noted on Sept. 4th.
 
Sept 4th Domains/IP:
 
Domain                          IP
eir.alexandrajarup[.]com        194.58.101[.]24
uiue.nuiausqas[.]com            194.58.101[.]24
iow.alanmccaig[.]com            191.101.14[.]125
ods.alankellygang[.]com         191.101.14[.]125
uew.alankellygang[.]com         191.101.14[.]125
soi.alankellygang[.]com         191.101.14[.]125
eur.alankellygang[.]com         191.101.14[.]125
sod.alankellygang[.]com         191.101.14[.]125
soa.alankellygang[.]com         191.101.14[.]125
lol.alankellygang[.]com         191.101.14[.]125
 

Sept 4th EK URLs:
 
 
Sept 4th common URL pattern:
 
[.]com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg
 
RIG EK landing page content:
 
RIG EK Landing Page
Code analysis of the landing page shown above is not discussed here. For a full code analysis, please take a look at our blog post from last month, in which we tried to come up with a generic de-obfuscation technique that helps to de-obfuscate EKs such as RIG and Fiesta.
 
Let's now take a look at the overall traffic distribution by IP for the last week (8/28/2014 - 9/5/2014).
 
Traffic distribution by EK IPs
Traffic was observed from 13 unique IP addresses. The IP 191.101.14[.]125 was seen spreading the EK in large volumes. We also observed many of the IP addresses falling into three subnets:
 
194.58.101[.]XXX
191.101.13[.]XXX
191.101.14[.]XXX
 
We recommend blocking the aforementioned IPs. Subnet-level blocks can also be used, but we have to be a bit cautious when doing so, as legitimate sites may also be hosted in the same range.
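The following is an added example, not code from ThreatLabz or from the original post, showing how the indicators above (the Sept 4th PHPSSESID URL pattern and the domain, IP and subnet lists) can be turned into a log-scanning check that follows the blocking guidance just given: exact domain or IP matches and the landing-page URL pattern are treated as "block", while a destination that merely falls inside one of the three ranges is only flagged for "review" because legitimate sites may share the range. Only a subset of the post's indicators is embedded, the token-length bound in the PHPSSESID regex is an assumption based on the single sample in the post, the verdict policy is assumed for illustration, and the proxy log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Domain and IP indicators copied from the tables in this post (defanged with "[.]");
# only a subset is listed here to keep the example short.
RIG_DOMAINS = {
    "eir.alexandrajarup[.]com",
    "uiue.nuiausqas[.]com",
    "iow.alanmccaig[.]com",
    "ods.alankellygang[.]com",
    "tue.allthatsin[.]com",
}
RIG_IPS = {"194.58.101[.]24", "191.101.14[.]125", "178.132.203[.]113"}

# The three ranges the post says most of the activity falls into. Following the
# post's caution about shared hosting, a hit on a range alone is only flagged
# for review rather than blocked (policy choice assumed for this example).
RIG_SUBNETS = [
    ipaddress.ip_network(n)
    for n in ("194.58.101.0/24", "191.101.13.0/24", "191.101.14.0/24")
]

# Sept 4th URL shape: "/?PHPSSESID=<long alphanumeric token>". The token length
# bound is an assumption based on the single sample in the post.
PHPSSESID_TOKEN = re.compile(r"^[A-Za-z0-9]{32,64}$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b' for matching."""
    return indicator.replace("[.]", ".")


DOMAIN_SET = {refang(d) for d in RIG_DOMAINS}
IP_SET = {ipaddress.ip_address(refang(i)) for i in RIG_IPS}


def has_rig_url_pattern(url: str) -> bool:
    """True when the URL carries the PHPSSESID parameter with a RIG-style token."""
    tokens = parse_qs(urlsplit(url).query).get("PHPSSESID", [])
    return any(PHPSSESID_TOKEN.match(t) for t in tokens)


def classify(url: str, dest_ip: str):
    """Return (verdict, reasons) for one proxied request.

    'block'  -> known RIG domain, known RIG IP, or the landing-page URL pattern
    'review' -> otherwise unknown destination inside one of the three ranges
    'allow'  -> nothing matched
    """
    reasons = []
    host = (urlsplit(url).hostname or "").lower()
    ip = ipaddress.ip_address(dest_ip)
    if host in DOMAIN_SET:
        reasons.append("known RIG domain")
    if ip in IP_SET:
        reasons.append("known RIG IP")
    if has_rig_url_pattern(url):
        reasons.append("PHPSSESID landing-page URL pattern")
    if reasons:
        return "block", reasons
    if any(ip in net for net in RIG_SUBNETS):
        return "review", ["destination inside RIG-associated range"]
    return "allow", []


def scan_log(lines):
    """Parse 'timestamp client_ip dest_ip url' lines; return non-allow verdicts."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        _ts, _client, dest_ip, url = line.split()
        verdict, reasons = classify(url, dest_ip)
        if verdict != "allow":
            hits.append((verdict, url, reasons))
    return hits


# Constructed sample proxy log lines (not taken from the post).
SAMPLE_LOG = """
2014-09-04T10:01:02Z 10.0.0.5 194.58.101.24 http://eir.alexandrajarup.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg
2014-09-04T10:01:09Z 10.0.0.7 191.101.14.125 http://kick.alankellygang.com/?PHPSSESID=aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcd
2014-09-04T10:02:00Z 10.0.0.9 191.101.13.77 http://example-shared-host.net/index.html
2014-09-04T10:02:30Z 10.0.0.9 93.184.216.34 http://example.com/?PHPSESSID=abc123
"""

if __name__ == "__main__":
    for verdict, url, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(verdict, url, "; ".join(reasons))
```

Note that the last sample line uses the correctly spelled PHPSESSID parameter that ordinary PHP sites emit; the check deliberately keys on the misspelled PHPSSESID name seen in the RIG URL so that legitimate PHP sessions are not flagged.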
 
The following world map illustrates the geographical distribution of the EK IPs that have been observed. As noted, most activity is emanating from Russia.
 
Geographical distribution by EK IPs
 
No geo-location information was available for the IPs falling into the 191.101.XX.XX range.
 
Below is the full list of domains and IPs seen for the previous week.
 
Domain                                      IP
tue.allthatsin[.]com                        178.132.203[.]113
qie.allthatsin[.]com                        178.132.203[.]113
dfu.aloliskincare[.]com                     194.58.101[.]38
uer.alistairnunes[.]com                     194.58.101[.]31
eir.alexandrajarup[.]com                    194.58.101[.]24
oweuryt.account-ltunes[.]com                191.101.13[.]139
teyruyt.a[.]commodationinsauze[.]com        191.101.13[.]139
weorioi.a[.]commodationinsauze[.]com        191.101.13[.]139
owiery.wikusbotha[.]com                     191.101.13[.]140
nuaysuq.planeimpressions[.]com              5.31.72[.]115
suyfdys.online-moneymakingsystem[.]com      5.31.72[.]115
iuiweyr.online-moneymakingsystem[.]com      5.31.72[.]115
oweiru.laughterisgoodmedicine[.]com         5.31.72[.]115
woiero.laughterisgoodmedicine[.]com         5.31.72[.]115
aosidoa.kensymicek[.]com                    191.101.13[.]202
sdfusug.kensymicek[.]com                    191.101.13[.]202
qwieuu.kensymicek[.]com                     191.101.13[.]202
iuasid.kensymicek[.]com                     191.101.13[.]202
odigoud.helny[.]com                         191.101.13[.]202
qoiweur.helny[.]com                         191.101.13[.]202
miiuis.helny[.]com                          191.101.13[.]202
oeriouh.francisssmith[.]com                 191.101.13[.]202
dciugi.francisssmith[.]com                  191.101.13[.]202
gdofigu.forgottenapples[.]com               191.101.13[.]201
miqwue.boxsteravatar[.]com                  191.101.13[.]200
popoqwe.dukeanddiva[.]com                   191.101.13[.]201
mbivuc.click2maps[.]com                     191.101.13[.]201
oiqwour.click2maps[.]com                    191.101.13[.]201
oiaosdu.bluffswebdesign[.]com               191.101.13[.]201
dwieru.bluffswebdesign[.]com                191.101.13[.]201
nuasiud.amiramatthews[.]com                 191.101.13[.]200
miuggid.748tmp[.]com                        191.101.13[.]200
owierowu.748tmp[.]com                       191.101.13[.]200
eoitoe.boxsteravatar[.]com                  191.101.13[.]200
wueriq.boxsteravatar[.]com                  191.101.13[.]200
naduq.00tim[.]com                           191.101.13[.]198
miasud.bigredshed.org[.]uk                  191.101.13[.]198
qiuwer.121sky[.]com                         191.101.13[.]198
digudyfg.belucent.co[.]uk                   191.101.13[.]196
woiero.beauchamplondon.co[.]uk              191.101.13[.]196
uiue.nuiausqas[.]com                        194.58.101[.]24
iow.alanmccaig[.]com                        191.101.14[.]125
ods.alankellygang[.]com                     191.101.14[.]125
uew.alankellygang[.]com                     191.101.14[.]125
soi.alankellygang[.]com                     191.101.14[.]125
eur.alankellygang[.]com                     191.101.14[.]125
sod.alankellygang[.]com                     191.101.14[.]125
soa.alankellygang[.]com                     191.101.14[.]125
lol.alankellygang[.]com                     191.101.14[.]125
kick.alankellygang[.]com                    191.101.14[.]125
sdifu.alanhalldriving[.]com                 191.101.14[.]125
pqqie.alanhalldriving[.]com                 191.101.14[.]125
weoriuwyt.alanhalldriving[.]com             191.101.14[.]125
oigydfg.alanhalldriving[.]com               191.101.14[.]125
oiweyr.alanhalldriving[.]com                191.101.14[.]125
fgydy.ajrobertsconsulting[.]com             191.101.14[.]125
husaus.ajrobertsconsulting[.]com            191.101.14[.]125
super.affogatomoments[.]com                 191.101.13[.]139
iuweryw.activity-partners[.]com             191.101.13[.]139
 
The above trend shows a continuous outbreak of RIG EK in the wild. Data mining logs for such activity gives us a sense of the trends being followed by the attackers. We will keep sharing such information via blog and scrapbook posts.
 
Stay tuned! 
 
Pradeep