Kevin Stear

RIG Decimal IP Campaign

Blog Post created by Kevin Stear Employee on May 11, 2017

In a world where the Internet makes sense to casual users “IP addresses (IPv4) follow the dot-decimal notation, which is four numbers, each ranging from 0 to 255, separated by dots. But then, to make things a little more complicated, we have exceptions, such as the non-dotted IP literals, in decimal (http://2130706433/) or octal form (http://017700000001/).”[1]

 

Most current browsers automatically convert non-dotted IP literals to 'normal' dot-decimal format, but can most snort instances? This is likely an issue for some traditional IP-based detection measures, which is probably why current RIG-related activity rightfully dubbed the Decimal-IP campaign has adopted just such a technique.  During April and May, RSA FirstWatch noted the presence of decimal-IP redirectors in use with the RIG Exploit Kit (EK).

  

 

 

The Decimal-IP campaign is currently believed to be one of two active campaigns leveraging RIG, and has been recently observed delivering smokeloader, and you can find sample <here>. (Seamless is the other active RIG campaign, which was delivering Ramnit ransomware in April.)  Here's a good write-up by zerophage.

 

Brad Duncan (thanks for the images) also has a good technical walkthrough of the Decimal IP campaign delivering smokeloader via a fake adobe flash player install.  Below are a couple of related screenshots of traffic from the fake adobe site and then the file <open> dialogue for the smokeloader payload.

 

 

  

 

In addition to the smokeloader payload, during a recent changeover in the campaign’s operations, FirstWatch observed Decimal-IP redirects to seemingly Litecoin-related sites for ‘segwit.php’. This is interesting… especially given the recent events surrounding Segregated Witness or SegWit and its potential to bring transaction malleability and block scaling on Litecoin and Bitcoin. This is an area of ongoing research.

 

 

 

With regard to detection of decimal-IP usage, the NetWitness ‘HTTP_lua’ parser has been updated to tag “http host header is an integer” in the analysis.service field. This content is currently available in RSA Live.

 

 

  

With specific regard to detection of ‘RIG Decimal IP Campaign’ activity, a new ESA rule is also available in RSA Live.

 

 

 

 

Special thanks to @nao_sec (twitter) for continued efforts that provide referrers for our ongoing research against RIG exploit kit.

 

 

[1] https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/

Outcomes