{
	"id": "dba8e79b-23bb-4bb2-bcef-a4ee8e00340d",
	"created_at": "2026-04-06T01:29:18.81085Z",
	"updated_at": "2026-04-10T03:21:25.072302Z",
	"deleted_at": null,
	"sha1_hash": "d8a9de56e237f4bd10ba44d11136d0edf35b88e5",
	"title": "Rig EK via Malvertising drops a Smoke Loader leading to a Miner and AZORult.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 804920,
	"plain_text": "Rig EK via Malvertising drops a Smoke Loader leading to a Miner and AZORult.\r\nPublished: 2017-10-13 · Archived: 2026-04-06 00:41:27 UTC\r\nSummary:\r\nBeen an interesting few weeks and I haven’t been able to update, but the other researchers appear to have found a few interesting things. I thought I would blog if anyone wanted a pcap to look at.\r\nI actually found this through my normal malvertising route. After pondering and assistance the payload was determined to be Smoke Loader leading to a Miner and AZORult stealer. It’s an interesting sample! Thanks to @James_inthe_box for looking into it deeper.\r\nBackground Information:\r\nA few articles on Rig exploit kit and its evolution:\r\nhttps://www.uperesia.com/analyzing-rig-exploit-kit\r\nhttp://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html\r\nhttp://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html\r\nDownloads\r\n(in password protected zip)\r\n13-October-2017-Rig-Miner-PCAP -\u003e Pcap of traffic\r\n13-October-2017-Rig-Miner-CSV -\u003e CSV of traffic for IOCs\r\n13-October-2017-Rig-Miner -\u003e Smoke Loader – 60489385b91478d36e4d027e70d662a861f305cc5d4bdce20f312ac1c7c2f126\r\nDetails of infection chain:\r\nhttps://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/\r\nPage 1 of 5\n\nFull Details:\r\nThis campaign was spotted a few days back (clicky) by @BroadAnalysis. I however found this through my usual malvertising campaign. It was only after that I realised that the IP of the domain is the same as the previous post that was reported. The payload however is different and, much like the Rulan campaign, it is likely the payloads will change often, so it’s worth keeping an eye on this.\r\nThe chain involves a series of 302 redirects:\r\nThe final redirect takes the client to Rig EK:\r\nThe payload was actually very interesting. I noticed a process injection which is Smoke Loader. I then saw the two binaries, one of which was a miner and the other is AZORult stealer. I did upload the sample to Hybrid Analysis; here are the results:\r\nNow on my lab I did not see the mining C2 which connected to 213.32.29.150:14444. However it did change the same registry key from the sandbox analysis. Below are two examples of POST requests from the first binary believed to be Smoke Loader:\r\nThe second binary is “Asus Gaming” that produced the zbot-like POST requests to C2. This is actually AZORult:\r\nSHA-256 2919a13b964c8b006f144e3c8cc6563740d3d242f44822c8c44dc0db38137ccb\r\nFile name Asus Gaming.exe\r\nFile size 270.5 KB\r\nThere’s a lot going on here! Enjoy.\r\nSource: https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/"
	],
	"report_names": [
		"rig-ek-via-malvertising-drops-a-miner"
	],
	"threat_actors": [],
	"ts_created_at": 1775438958,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8a9de56e237f4bd10ba44d11136d0edf35b88e5.pdf",
		"text": "https://archive.orkl.eu/d8a9de56e237f4bd10ba44d11136d0edf35b88e5.txt",
		"img": "https://archive.orkl.eu/d8a9de56e237f4bd10ba44d11136d0edf35b88e5.jpg"
	}
}