FirstAlthough I introduced RigEK's behavior several times so far, I will introduce about various changes. Please refer to those who do not know the previous RigEK.
Step 0The beginning of this incident was @BroadAnalysis tweet.
EITest was again observed.#RigEK via #EiTest from 220.127.116.11 delivers #Mole #Ransomware - #pcap file Avail. - https://t.co/5bVuYYS23A pic.twitter.com/NOuTaCdKo2— Broad Analysis (@BroadAnalysis) 2017年5月24日
Rig Exploit Kit via EiTest campaign from 18.104.22.168 delivers Mole ransomware
I have not observed EITest since April 28. It has been observed again, please see the blog of @Broad Analysis for specific traffic.
What I will introduce this time is about the change in RigEK's behavior. I have been continuously observing Decimal IP and Seamless but they have been unable to observe from several days ago. It seems that RigEK was changing while I could not observe them.
Step 1The beginning is nostalgic EITest's code.
Let's follow the process.
Step 2This html is fired from the iframe of line 12. When the iframe is loaded, the onload event fires and start() is called. start() is as follows.
Call getBrowser() and check the user's fingerprint. Let's see getBrowser().
RigEK uses the information obtained in this way to check whether the user is the target environment. If the user does not misrepresent browser information and the browser is IE, a form tag is created and redirected to the next stage by HTTP POST method.
FinallyIn this way, RigEK has changed to use POST request.This process is not uncommon, but it shows that RigEK is still evolving.I will continue to track RigEK in the future.
P.S.Regarding the change of RigEK this time, my mal-getter is already supported :)