RIG EK Outbreak Continues

September 08, 2014 - 4 Lesezeit: Min

Inhalt

Article
Weitere Blogs

During daily data mining activities, we observe continual outbreaks of many exploit kits (EK) such as RIG EK. Logs are monitored and analyzed to come up with new protections, which are eventually deployed in the Zscaler cloud. The dynamic nature of EK’s landing page code, presents a constant challenge in providing generic detections. We need to take a look at various aspects of EK’s such as URLs/Domains/IP’s to come up with a generic detection guidance. In this regard, log analysis plays an important role.

In this blog we'll take a look logs from last week (8/28/2014 - 9/5/2014), observed for RIG EK.

RIG EK Traffic (%)

The above chart illustrates the traffic trend of RIG EK over the past week. There was a significant spike noted on Sept. 4th.

Sept 4th Domains/IP:

Domains	IP
eir.alexandrajarup[.]com	194.58.101[.]24
eir.alexandrajarup[.]com	194.58.101[.]24
uiue.nuiausqas[.]com	194.58.101[.]24
iow.alanmccaig[.]com	191.101.14[.]125
ods.alankellygang[.]com	191.101.14[.]125
uew.alankellygang[.]com	191.101.14[.]125
soi.alankellygang[.]com	191.101.14[.]125
eur.alankellygang[.]com	191.101.14[.]125
sod.alankellygang[.]com	191.101.14[.]125
soa.alankellygang[.]com	191.101.14[.]125
lol.alankellygang[.]com	191.101.14[.]125

Sept 4th EK URLs:

Sept 4th common URL pattern:

[.]com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg

RIG EK landing page content:

RIG EK Landing Page

Code analysis of the landing page shown above is not discussed here. For a full code analysis, please take a look at our blog post from last month. In that blog, we tried to come up with a generic de-obfuscation technique that helps to de-obfuscate the EKs such as RIG and Fiesta.

Let's now take look at the overall traffic distribution by IP for the last week (8/28/2014 - 9/5/2014).

Traffic distribution by EK IP's

Traffic was observed from 13 unique IP addresses. IP '191.101.14[.]125', was seen to be spreading the EK's in large volumes. We also observed many IP addresses falling into three subnets.

194.58.101[.]XXX

191.101.13[.]XXX

191.101.14[.]XXX

We recommend blocking the aforementioned IP's. Subnet level blocks can also be used but we have to be bit cautious when doing so as legitimate sites may also be hosted in the same range.

The following world map illustrates the geographical distribution of the EK IP's which have been observed. As noted, most activity is emanating from Russia.

Geo-graphical distribution by EK IP's

No geo-location information was available for IP's falling into '191.101.XX.XX' subnet.

Below is the full list of domains and IP's seen for the previous week.

Domains	IP
tue.allthatsin[.]com	178.132.203[.]113
qie.allthatsin[.]com	178.132.203[.]113
dfu.aloliskincare[.]com	194.58.101[.]38
uer.alistairnunes[.]com	194.58.101[.]31
eir.alexandrajarup[.]com	194.58.101[.]24
oweuryt.account-ltunes[.]com	191.101.13[.]139
teyruyt.a[.]commodationinsauze[.]com	191.101.13[.]139
weorioi.a[.]commodationinsauze[.]com	191.101.13[.]139
owiery.wikusbotha[.]com	191.101.13[.]140
nuaysuq.planeimpressions[.]com	5.31.72[.]115
suyfdys.online-moneymakingsystem[.]com	5.31.72[.]115
iuiweyr.online-moneymakingsystem[.]com	5.31.72[.]115
oweiru.laughterisgoodmedicine[.]com	5.31.72[.]115
woiero.laughterisgoodmedicine[.]com	5.31.72[.]115
aosidoa.kensymicek[.]com	191.101.13[.]202
sdfusug.kensymicek[.]com	191.101.13[.]202
qwieuu.kensymicek[.]com	191.101.13[.]202
iuasid.kensymicek[.]com	191.101.13[.]202
odigoud.helny[.]com	191.101.13[.]202
qoiweur.helny[.]com	191.101.13[.]202
miiuis.helny[.]com	191.101.13[.]202
oeriouh.francisssmith[.]com	191.101.13[.]202
dciugi.francisssmith[.]com	191.101.13[.]202
gdofigu.forgottenapples[.]com	191.101.13[.]201
miqwue.boxsteravatar[.]com	191.101.13[.]200
popoqwe.dukeanddiva[.]com	191.101.13[.]201
mbivuc.click2maps[.]com	191.101.13[.]201
oiqwour.click2maps[.]com	191.101.13[.]201
mbivuc.click2maps[.]com	191.101.13[.]201
oiqwour.click2maps[.]com	191.101.13[.]201
oiaosdu.bluffswebdesign[.]com	191.101.13[.]201
dwieru.bluffswebdesign[.]com	191.101.13[.]201
nuasiud.amiramatthews[.]com	191.101.13[.]200
miuggid.748tmp[.]com	191.101.13[.]200
owierowu.748tmp[.]com	191.101.13[.]200
eoitoe.boxsteravatar[.]com	191.101.13[.]200
miqwue.boxsteravatar[.]com	191.101.13[.]200
wueriq.boxsteravatar[.]com	191.101.13[.]200
naduq.00tim[.]com	191.101.13[.]198
miasud.bigredshed.org[.]uk	191.101.13[.]198
qiuwer.121sky[.]com	191.101.13[.]198
digudyfg.belucent.co[.]uk	191.101.13[.]196
woiero.beauchamplondon.co[.]uk	191.101.13[.]196
eir.alexandrajarup[.]com	194.58.101[.]24
uiue.nuiausqas[.]com	194.58.101[.]24
iow.alanmccaig[.]com	191.101.14[.]125
ods.alankellygang[.]com	191.101.14[.]125
uew.alankellygang[.]com	191.101.14[.]125
soi.alankellygang[.]com	191.101.14[.]125
eur.alankellygang[.]com	191.101.14[.]125
sod.alankellygang[.]com	191.101.14[.]125
soa.alankellygang[.]com	191.101.14[.]125
lol.alankellygang[.]com	191.101.14[.]125
kick.alankellygang[.]com	191.101.14[.]125
sdifu.alanhalldriving[.]com	191.101.14[.]125
pqqie.alanhalldriving[.]com	191.101.14[.]125
weoriuwyt.alanhalldriving[.]com	191.101.14[.]125
oigydfg.alanhalldriving[.]com	191.101.14[.]125
oiweyr.alanhalldriving[.]com	191.101.14[.]125
fgydy.ajrobertsconsulting[.]com	191.101.14[.]125
husaus.ajrobertsconsulting[.]com	191.101.14[.]125
super.affogatomoments[.]com	191.101.13[.]139
iuweryw.activity-partners[.]com	191.101.13[.]139
weorioi.a[.]commodationinsauze[.]com	191.101.13[.]139
owiery.wikusbotha[.]com	191.101.13[.]140
oiqwour.click2maps[.]com	191.101.13[.]201
oiaosdu.bluffswebdesign[.]com	191.101.13[.]201
dwieru.bluffswebdesign[.]com	191.101.13[.]201
owierowu.748tmp[.]com	191.101.13[.]200
eoitoe.boxsteravatar[.]com	191.101.13[.]200
miqwue.boxsteravatar[.]com	191.101.13[.]200
qiuwer.121sky[.]com	191.101.13[.]198

The above trend shows a continuous outbreak of RIG EK in the wild. Data mining logs for such activity provides us with a sense of the trends being followed by the attackers. We will keep on sharing such information via blogs/scrapbook posts.

Stay tuned!

Pradeep