# SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center

**isc.sans.edu/diary/rss/25068**

## Rig Exploit Kit sends Pitou.B Trojan

**Published:** 2019-06-25
**Last Updated:** 2019-06-25 00:04:20 UTC
**by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan)

**_Introduction_**

[As I mentioned last week](https://isc.sans.edu/diary/An+infection+from+Rig+exploit+kit/25040), Rig exploit kit (EK) is one of a handful of EKs still active in the wild. Today's diary examines another recent example of an infection caused by Rig EK, this one from Monday 2019-06-24.

_Shown above: Traffic from the infection filtered in Wireshark._

_Shown above: Some of the alerts generated by this infection using [Security Onion](https://securityonion.net/) with [Suricata](https://suricata-ids.org/) and the [EmergingThreats Pro ruleset](https://www.proofpoint.com/us/threat-insight/et-pro-ruleset), viewed in Sguil._

**_Malvertising campaign redirect domain_**

EK-based malvertising campaigns use "gate" domains that redirect to an EK. In this case, the gate domain was makemoneyeasywith[.]me. According to DomainTools, this domain was registered on 2019-06-19, and indicators of this domain redirecting to Rig EK were reported as early as 2019-06-21.

_Shown above: makemoneyeasywith[.]me redirecting to the Rig EK landing page on 2019-06-24._

**_Rig EK_**

The Rig EK activity I saw on 2019-06-24 was similar to the Rig EK traffic I documented in an ISC diary last week. See the images below for details.
_Shown above: Rig EK landing page._

_Shown above: Rig EK sends a Flash exploit._

_Shown above: Rig EK sends a malware payload._

**_The malware payload_**

The malware payload sent by this example of Rig EK appears to be [Pitou.B](https://www.symantec.com/security-center/writeup/2016-011823-3733-99). In my post-infection activity, I saw several attempts at malspam, but I didn't find DNS queries for any of the mail servers associated with this spam traffic. Prior to the spam activity, I saw traffic over TCP port 2287 which matched a signature for ETPRO TROJAN Win32/Pitou.B, and it also fit the 2016 Symantec description of Pitou.B. I didn't let my infected Windows host run long enough to generate DNS queries for the remote locations described in Symantec's Technical Description for this Trojan. However, [Any.Run's sandbox analysis of this malware](https://app.any.run/tasks/85509ead-0530-441c-a14c-c0601f6887d1) shows DNS queries similar to the Symantec description, which happened approximately 9 to 10 minutes after the initial infection activity.
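The post-infection behaviour described above (encoded traffic to TCP port 2287, followed by outbound SMTP to mail servers that were never resolved through DNS on the network) and the IoC list later in this diary can both be turned into a quick log check. The following Python is an added example, not part of this ISC diary or of Brad Duncan's analysis. The Zeek-style connection and DNS records it scans are constructed for illustration (the public SMTP targets and the internal addresses are arbitrary); only the three indicator IPs, the gate domain and port 2287 come from the diary. The "blind SMTP" heuristic (a host making outbound TCP/25 connections to several public addresses that no observed DNS answer pointed at) is a generalization of the diary's observation about missing mail-server lookups, not a Pitou-specific signature, and its threshold of three destinations is an assumption.

```python
"""Added example, not from the ISC diary: scan Zeek-style connection and DNS
records for the post-infection pattern this diary describes.  The log lines
are constructed for illustration; only the indicator IPs, the gate domain and
TCP port 2287 are taken from the diary."""
from collections import defaultdict
import ipaddress

# Indicators from the diary, with the de-fanged "[.]" restored to ".".
IOC_IPS = {
    "185.254.190.200": "makemoneyeasywith.me gate, redirects to Rig EK",
    "188.225.26.48": "Rig EK landing page and payload",
    "195.154.255.65": "Pitou.B encoded/encrypted traffic",
}
IOC_DOMAINS = {"makemoneyeasywith.me"}
PITOU_C2_PORT = 2287

# Constructed conn log, one flow per line: ts src dst dport proto.
# 10.6.24.101 plays the infected host; 10.6.24.102 is a clean host that
# only uses the internal relay.  The public SMTP targets are arbitrary.
CONN_LOG = """\
1561392000.10 10.6.24.101 185.254.190.200 80 tcp
1561392001.20 10.6.24.101 188.225.26.48 80 tcp
1561392003.50 10.6.24.101 188.225.26.48 80 tcp
1561392010.00 10.6.24.101 195.154.255.65 2287 tcp
1561392040.00 10.6.24.101 23.45.67.89 25 tcp
1561392040.50 10.6.24.101 66.96.147.102 25 tcp
1561392041.00 10.6.24.101 74.125.140.27 25 tcp
1561392041.20 10.6.24.101 103.21.244.9 25 tcp
1561392050.00 10.6.24.102 10.6.24.1 25 tcp
1561392055.00 10.6.24.102 151.101.1.69 443 tcp
"""

# Constructed DNS log: ts client query answer.  Note there is no lookup
# for any of the public hosts the infected machine spams over TCP/25.
DNS_LOG = """\
1561391999.90 10.6.24.101 makemoneyeasywith.me 185.254.190.200
1561392049.00 10.6.24.102 mail.corp.example 10.6.24.1
"""


def parse_conn(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def parse_dns(text):
    """Parse DNS records into (client, query, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, query, answer = line.split()
        records.append((client, query.lower().rstrip("."), answer))
    return records


def ioc_hits(flows, dns):
    """Return (kind, src, indicator, note) for each match on the diary's IoCs."""
    hits = []
    for f in flows:
        if f["dst"] in IOC_IPS:
            hits.append(("ip", f["src"], f["dst"], IOC_IPS[f["dst"]]))
        # Flag the port on its own as well, so a changed C2 address still
        # surfaces for triage (TCP 2287 is uncommon on a workstation).
        if f["proto"] == "tcp" and f["dport"] == PITOU_C2_PORT:
            hits.append(("port", f["src"], "%s:%d" % (f["dst"], f["dport"]),
                         "TCP 2287, port used by Pitou.B in this diary"))
    for client, query, answer in dns:
        if query in IOC_DOMAINS:
            hits.append(("domain", client, query, "resolved to " + answer))
    return hits


def blind_smtp_senders(flows, dns, min_destinations=3):
    """Hosts with outbound TCP/25 to several public addresses that no observed
    DNS answer ever pointed at.  A spambot with hard-coded targets or its own
    resolver looks like this; a workstation using the internal relay does not.
    Private destinations are ignored.  The threshold is an assumption."""
    resolved = {answer for _client, _query, answer in dns}
    by_host = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != 25:
            continue
        if ipaddress.ip_address(f["dst"]).is_private or f["dst"] in resolved:
            continue
        by_host[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in by_host.items()
            if len(dsts) >= min_destinations}


if __name__ == "__main__":
    flows, dns = parse_conn(CONN_LOG), parse_dns(DNS_LOG)
    for hit in ioc_hits(flows, dns):
        print("IOC  %-6s %s -> %s (%s)" % hit)
    for host, targets in blind_smtp_senders(flows, dns).items():
        print("SPAM? %s sent to %d unresolved public MTAs: %s"
              % (host, len(targets), ", ".join(targets)))
```

On the constructed data the clean host is not reported, because its only port-25 connection goes to a private relay whose name it resolved first; the infected host is reported for four unresolved public destinations, which is the same picture the diary's Wireshark SMTP filter showed. Matching the destination address against DNS answers only works when the sensor sees the client's DNS traffic, so a host that uses DNS over HTTPS or a resolver outside the monitored segment will also look "blind" and needs a second check before it is treated as a spambot.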
_Shown above: Post-infection traffic over TCP port 2287._

_Shown above: Filtering for indications of SMTP traffic in the pcap._

_Shown above: Using the Export Objects function in Wireshark to see successfully sent spam._

_Shown above: An example of spam sent from my infected Windows host._

_[Shown above: DNS queries seen from the Any.Run analysis of this Pitou.B sample.](https://app.any.run/tasks/85509ead-0530-441c-a14c-c0601f6887d1)_

**_Indicators of Compromise (IoCs)_**

The following are IP addresses and domains associated with this infection:

- 185.254.190[.]200 port 80 - makemoneyeasywith[.]me - Gate domain that redirected to Rig EK
- 188.225.26[.]48 port 80 - 188.225.26[.]48 - Rig EK traffic
- 195.154.255[.]65 port 2287 - Encoded/encrypted traffic caused by the Pitou.B Trojan
- various IP addresses over TCP port 25 - spam traffic from the infected Windows host
- [various domains in DNS queries seen from the Any.Run analysis of this Pitou.B sample](https://app.any.run/tasks/85509ead-0530-441c-a14c-c0601f6887d1)

The following are files associated with this infection:

- [SHA256 hash: 9c569f5e6dc2dd3cf1618588f8937513669b967f52b3c19993237c4aa4ac58ea](https://www.virustotal.com/gui/file/9c569f5e6dc2dd3cf1618588f8937513669b967f52b3c19993237c4aa4ac58ea/detection)
  - File size: 9,203 bytes
  - File description: Flash exploit sent by Rig EK on 2019-06-24
- [SHA256 hash: 835873504fdaa37c7a6a2df33828a3dcfc95ef0a2ee7d2a078194fd23d37cf64](https://app.any.run/tasks/85509ead-0530-441c-a14c-c0601f6887d1)
  - File size: 827,904 bytes
  - File description: Pitou.B malware sent by Rig EK on 2019-06-24

**_Final words_**

A pcap of the infection traffic along with the associated malware and artifacts can be found [here](https://www.malware-traffic-analysis.net/2019/06/24/index.html).

--Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: [exploit kit](https://isc.sans.edu/tag.html?tag=exploit%20kit) [Pitou](https://isc.sans.edu/tag.html?tag=Pitou)
[Rig](https://isc.sans.edu/tag.html?tag=Rig) [Trojan](https://isc.sans.edu/tag.html?tag=Trojan)