Rig EK via Rulan drops an Infostealer
Published: 2017-09-21 · Archived: 2026-04-02 11:34:38 UTC
Summary:
Back again with the Rulan campaign. Recently it has changed it’s usual payload and we have seen Quant Loader,
Coin Miner and KINS.
This time it is back and dropped a payload which I have struggled to ID. It has all the characteristics of an
infostealer (gathering data then sending to C2). I’ve been unable to decipher what data it is ending and why. The
C2 domains also did not trigger any ET/Snort rules.
It’s interesting for sure and I’d be interested to know more about it so keep an eye on Twitter.
Background Information:
A few articles on Rig exploit kit and it’s evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
Downloads
(in password protected zip)
21-September-2018-Rig-Infostealer-PCAP-> Pcap of traffic
21-September-2017-Rig-Infostealer-CSV-> CSV of traffic for IOC’s
21-September-2017-Infostealer-> Infostealer –
3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb
Unfortunately  having a few issues with WordPress so the payload is on tinyupload for now. Let me know if it
goes down.
Details of infection chain:
(click to enlarge!)
https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/
Page 1 of 5

Full Details:
Rulan has been providing various payloads over the past week or so. A coin miner and even KINS was spotted
earlier this week by @nao_sec. It is still using a JS redirector and a HTTP refresh to redirect the victim to Rig EK.
https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/
Page 2 of 5

Rig itself continues to change up it’s parameters this time using “opas“, “hopas” and “shops“.
The RC4 key is now “marydcetoz“. You can use this to decrypt the payload from the pcap.
The payload appeared to be an infostealer by nature. I was unable to identify it though sought the aid
of @James_inthe_box who digged further but could not identify it.
SHA-256 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb
https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/
Page 3 of 5

File name eb11bac9e73f7f6fed3506e28a13dacbfa3fbdc0
File size 288 KB
The payload copied itself into a folder called “ZSysRaw” and the binary was named “sysraw.exe“. It then began to
collect information and store it in a folder called “data“.
The malware began with a POST request ending with “load.php“. It looks like Base64 but I could not decode it
into anything meaningful.
https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/
Page 4 of 5

Next it began to POST data from the text files it created. Again I could not decode this data. Each text file it
created it then sent to the C2 with each file reaching a size of around 3kb~.
The payload did not trigger any signatures (ET/Snort) though it’s behaviour is indicative of an information stealer.
Keep checking Twitter, it’s likely some more info will come!
Source: https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/
https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/
Page 5 of 5