Refreshing EK Hunting Technique (Enrichment) via TTP
Posted: January 2nd, 2017 | Author: xanda | Filed under: IT Related | Tags: EK, Exploit Kit, RIG | 1 Comment »Happy new year!
It has been a while since the last update.
Today I’ve saw an update in malware-traffic-analysis on RIG EK. Nothing new, but i asked myself if my old hunting technique is still relevant today, since i left EK hunting ‘industry’ 1 year++ ago. So i wrote a simple script to perform a quick check:
xanda:tmp xanda$ ./loop.sh 109.234.36.0 109.234.36.133 109.234.36.210 DONE!
I’ve found 2 IPs; 109.234.36.133 (currently serving RIG, mentioned in malware-traffic-analysis blog) and 109.234.36.210. 109.234.36.210 is not yet serving anything malicious, but my prediction, it will be serving RIG EK in/within the next 7 days.
Some tips on this fingerprinting technique:
- Based on the initial IP found, look for the IP range assigned to the same ASN, in this case 109.234.36.0/24
- Identify the HTTP header response from the known bad IP, and use it to fingerprint the rest.
- Based from my experience, 1 batch of EK server setup will have similar (or almost similar) HTTP header response, and some EK will use 1 subnet for 1 batch (but not necessarily)
- EK server will always (mostly) be dedicated. If you found historical pDNS record on that IP, verify (with dig/nslookup) for the current IP resolved by the domain(s). For example; 109.234.36.210 has 3 historical pDNS record, but at the moment, 1 of the domain has expired, and another 2 domains are now pointing to different IP(s).
- This method will only works if the “scanned” hosts are alive at that particular moment
Hope it helps. Happy hunting
hi adnan. wanted to thank you for your BM dictionary add-on for firefox. selamat berpuasa to you and your family.