# Rig EK via Rulan drops an Infostealer **[zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/](https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/)** zerophage September 21, 2017 ## Summary: Back again with the Rulan campaign. Recently it has changed it’s usual payload and we have seen Quant Loader, Coin Miner and KINS. This time it is back and dropped a payload which I have struggled to ID. It has all the characteristics of an infostealer (gathering data then sending to C2). I’ve been unable to decipher what data it is ending and why. The C2 domains also did not trigger any ET/Snort rules. It’s interesting for sure and I’d be interested to know more about it so keep an eye on Twitter. ## Background Information: A few articles on Rig exploit kit and it’s evolution: [https://www.uperesia.com/analyzing-rig-exploit-kit](https://www.uperesia.com/analyzing-rig-exploit-kit) [http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html](http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html) [http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html](http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html) ## Downloads (in password protected zip) [21-September-2018-Rig-Infostealer-PCAP-> Pcap of traffic](https://zerophagemalware.files.wordpress.com/2017/09/21-september-2018-rig-infostealer-pcap.zip) [21-September-2017-Rig-Infostealer-CSV-> CSV of traffic for IOC’s](https://zerophagemalware.files.wordpress.com/2017/09/21-september-2017-rig-infostealer-csv.zip) [21-September-2017-Infostealer-> Infostealer –](http://s000.tinyupload.com/index.php?file_id=01836829626557774852) 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb Unfortunately having a few issues with WordPress so the payload is on tinyupload for now. Let me know if it goes down. ## Details of infection chain: (click to enlarge!) ----- ## Full Details: Rulan has been providing various payloads over the past week or so. A coin miner and even [KINS was spotted earlier this week by @nao_sec. It is still using a JS redirector and a HTTP](https://twitter.com/nao_sec) refresh to redirect the victim to Rig EK. ----- Rig itself continues to change up it’s parameters this time using “opas“, “hopas” and “shops“. The RC4 key is now “marydcetoz“. You can use this to decrypt the payload from the pcap. The payload appeared to be an infostealer by nature. I was unable to identify it though sought the aid of [@James_inthe_box who digged further but could not identify it.](https://twitter.com/James_inthe_box) **SHA-256** 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb ----- **File** **name** [eb11bac9e73f7f6fed3506e28a13dacbfa3fbdc0](https://www.virustotal.com/#/file/3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb/detection) **File size** 288 KB The payload copied itself into a folder called “ZSysRaw” and the binary was named “sysraw.exe“. It then began to collect information and store it in a folder called “data“. The malware began with a POST request ending with “load.php“. It looks like Base64 but I could not decode it into anything meaningful. ----- Next it began to POST data from the text files it created. Again I could not decode this data. Each text file it created it then sent to the C2 with each file reaching a size of around 3kb~. ----- The payload did not trigger any signatures (ET/Snort) though it s behaviour is indicative of an information stealer. Keep checking Twitter, it’s likely some more info will come! -----