This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RIG Decimal IP Campaign

KevinStear1
Employee
Employee
‎2017-05-11 05:30 PM

In a world where the Internet makes sense to casual users “IP addresses (IPv4) follow the dot-decimal notation, which is four numbers, each ranging from 0 to 255, separated by dots. But then, to make things a little more complicated, we have exceptions, such as the non-dotted IP literals, in decimal (http://2130706433/) or octal form (http://017700000001/).”[1]

 

Most current browsers automatically convert non-dotted IP literals to 'normal' dot-decimal format, but can most snort instances? This is likely an issue for some traditional IP-based detection measures, which is probably why current RIG-related activity rightfully dubbed the Decimal-IP campaign has adopted just such a technique.  During April and May, RSA FirstWatch noted the presence of decimal-IP redirectors in use with the RIG Exploit Kit (EK).

  

 rig-decimal-ip-a.png

 

The Decimal-IP campaign is currently believed to be one of two active campaigns leveraging RIG, and has been recently observed delivering smokeloader, and you can find sample <here>. (Seamless is the other active RIG campaign, which was delivering Ramnit ransomware in April.)  Here's a good write-up by zerophage.

 

Brad Duncan (thanks for the images) also has a good technical walkthrough of the Decimal IP campaign delivering smokeloader via a fake adobe flash player install.  Below are a couple of related screenshots of traffic from the fake adobe site and then the file <open> dialogue for the smokeloader payload.

 

 Screen Shot 2017-05-11 at 2.13.20 PM.png

  Screen Shot 2017-05-09 at 7.58.31 PM.png

 

In addition to the smokeloader payload, during a recent changeover in the campaign’s operations, FirstWatch observed Decimal-IP redirects to seemingly Litecoin-related sites for ‘segwit.php’. This is interesting… especially given the recent events surrounding Segregated Witness or SegWit and its potential to bring transaction malleability and block scaling on Litecoin and Bitcoin. This is an area of ongoing research.

 

 rig-decimal-ip-b.png

 

With regard to detection of decimal-IP usage, the NetWitness ‘HTTP_lua’ parser has been updated to tag “http host header is an integer” in the analysis.service field. This content is currently available in RSA Live.

 

 decimal-ip-content2.png

  

With specific regard to detection of ‘RIG Decimal IP Campaign’ activity, a new ESA rule is also available in RSA Live.

 

 decimal-ip-esa2.jpg

 decimal-ip-esa1.jpg

 

Special thanks to @nao_sec (twitter) for continued efforts that provide referrers for our ongoing research against RIG exploit kit.

 

FirstWatch_banner.png

 

[1] https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/

© 2022 RSA Security LLC or its affiliates. All rights reserved.