Refreshing EK Hunting Technique (Enrichment) via TTP
Posted: January 2nd, 2017 | Author: xanda | Filed under: IT Related | Tags: EK, Exploit Kit, RIG
Happy new year!
It has been a while since the last update.
Today I saw an update on malware-traffic-analysis about RIG EK. Nothing new, but I asked myself whether my old hunting technique is still relevant today, since I left the EK hunting 'industry' more than a year ago. So I wrote a simple script to perform a quick check:
xanda:tmp xanda$ ./loop.sh 109.234.36.0
109.234.36.133
109.234.36.210
DONE!
I found 2 IPs: 109.234.36.133 (currently serving RIG, mentioned in the malware-traffic-analysis blog) and 109.234.36.210. 109.234.36.210 is not yet serving anything malicious, but my prediction is that it will be serving RIG EK within the next 7 days.
Some tips on this fingerprinting technique:
- Based on the initial IP found, look up the IP range assigned to the same ASN; in this case 109.234.36.0/24.
- Identify the HTTP response headers of the known bad IP, and use them to fingerprint the rest of the range.
- Based on my experience, one batch of EK servers will have the same (or almost the same) HTTP response headers, and some EKs will use one subnet for one batch (but not necessarily).
- EK servers will almost always be dedicated. If you find historical pDNS records for that IP, verify (with dig/nslookup) which IP the domain(s) currently resolve to. For example, 109.234.36.210 has 3 historical pDNS records, but at the moment one of the domains has expired, and the other two domains now point to different IP(s).
- This method only works if the "scanned" hosts are alive at that particular moment.
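The header-comparison step of the tips above, as an added Python example (it is not the author's loop.sh). Fetching the response heads from each host in the range is left to whatever tool you already use; this block only parses the raw response heads, drops per-request headers, and scores each host against the known bad one. The sample responses, the TEST-NET addresses, the 0.8/0.2 weighting and the 0.6 threshold are all constructed for the example.

```python
"""Added example: fingerprint a known EK host's HTTP response headers and score its neighbours."""

# Headers whose values change per request or per host and would only add noise.
VOLATILE = {"date", "content-length", "etag", "last-modified", "set-cookie", "expires"}

def fingerprint(raw):
    """Ordered (name, value) pairs from a response head; header order is part of the signature."""
    lines = raw.strip().splitlines()
    pairs = [("status", lines[0].strip())]
    for line in lines[1:]:
        if ":" not in line:
            continue  # blank line or body text, not a header
        name, value = line.split(":", 1)
        if name.strip().lower() not in VOLATILE:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def similarity(a, b):
    """Jaccard over (name, value) pairs plus an order bonus; the 0.8/0.2 weights are an assumption."""
    sa, sb = set(a), set(b)
    value_score = len(sa & sb) / len(sa | sb) if sa | sb else 1.0
    order_score = 1.0 if [n for n, _ in a] == [n for n, _ in b] else 0.0
    return round(0.8 * value_score + 0.2 * order_score, 3)

def find_lookalikes(reference_raw, candidates, threshold=0.6):
    """(ip, score) for candidates resembling the reference, best first; threshold is an assumption."""
    ref = fingerprint(reference_raw)
    hits = [(ip, similarity(ref, fingerprint(raw))) for ip, raw in candidates.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

# Constructed sample responses on TEST-NET addresses (not real EK hosts).
KNOWN_BAD = """HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 02 Jan 2017 10:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
"""
CANDIDATES = {
    # same stack, only volatile headers differ -> strong match
    "192.0.2.10": KNOWN_BAD.replace("10:00:00", "10:05:31").replace("Length: 0", "Length: 12"),
    # unrelated Apache host in the same /24 -> weak match, ignored
    "192.0.2.20": "HTTP/1.1 200 OK\nServer: Apache/2.4.18 (Ubuntu)\nContent-Type: text/html\n",
    # same stack but nothing served yet (404) -> partial match, worth watching
    "192.0.2.30": KNOWN_BAD.replace("200 OK", "404 Not Found"),
}

if __name__ == "__main__":
    for ip, score in find_lookalikes(KNOWN_BAD, CANDIDATES):
        print(ip, score)
```

The 404 host is the interesting one: same stack and header order as the known bad IP but nothing served yet, which is exactly the "not yet malicious" neighbour the post describes.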
Hope it helps. Happy hunting!