Exploit Kit Infection Chain Analysis: Tracing RIG/SunDown EK to C2
Case 03
Evidence Provided
- One pcap file
Third case for the Cyberops course. A really interesting case type: we practised using Security Onion, Kibana and Suricata in a simulated incident-style investigation. We were given one pcap file.
After installing and configuring Security Onion, we loaded the pcap onto the platform. Navigating through the Alerts view, we noticed several high-severity Suricata alerts pointing to known exploit kits: RIG EK and SunDown EK.
We followed the timestamps and identified the initial HTTP GET request (in Wireshark) to a suspicious domain. From there, hidden iframes and JavaScript silently redirected the victim to another site hosting the exploit kits. The exploit kit probed the victim's browser and outdated Flash plugin, eventually delivering a malicious .exe payload. Shortly after the payload delivery, we observed DNS traffic for a .su domain (a top-level domain historically associated with malicious infrastructure), followed by outbound encrypted communication to a C2 (Command and Control) server.
By combining Security Onion alerts, Kibana dashboards and additional PCAP analysis in Wireshark, we were able to piece together the entire infection flow from initial contact → exploit execution → malware download → C2 beaconing. The final step was verifying file hashes through VirusTotal to confirm the presence of actual malware (SmokeLoader/Sharik-type behavior).
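To make the correlation step concrete, here is an added Python example (not from the original case report) that does by script what the Security Onion, Kibana and Wireshark steps above did by hand: it parses a handful of constructed Suricata EVE JSON records, labels each one with its stage in the infection chain, pulls out DNS lookups to the .su TLD and high-severity alerts, and computes the SHA-256 of a carved payload as the value to search on VirusTotal. All log lines, IPs, domains, signature names and the payload bytes are constructed placeholders, not indicators from the case.

```python
"""Added example: build an infection timeline from Suricata EVE JSON records.
Everything below (log lines, IPs, domains, signatures, payload bytes) is
constructed for illustration and is not evidence from the real case."""
import hashlib
import json
from datetime import datetime

# Constructed EVE JSON records, one JSON object per line, in the shape
# Suricata writes to eve.json (timestamp, event_type, http/dns/alert objects).
EVE_LINES = """
{"timestamp":"2017-03-01T10:00:01.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"compromised.example","url":"/index.html","http_method":"GET"}}
{"timestamp":"2017-03-01T10:00:02.500000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.20","http":{"hostname":"landing.example","url":"/?q=abc","http_method":"GET"}}
{"timestamp":"2017-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.20","dest_ip":"10.0.0.5","alert":{"signature":"ET CURRENT_EVENTS RIG EK Landing (placeholder)","severity":1}}
{"timestamp":"2017-03-01T10:00:04.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.20","http":{"hostname":"landing.example","url":"/payload.exe","http_method":"GET"}}
{"timestamp":"2017-03-01T10:00:05.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"beacon.example.su","rrtype":"A"}}
{"timestamp":"2017-03-01T10:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.30","alert":{"signature":"ET TROJAN Possible C2 Beacon (placeholder)","severity":1}}
"""

# Constructed stand-in for a file carved out of the pcap; not a real binary.
CARVED_PAYLOAD = b"MZ\x90\x00placeholder-not-a-real-binary"


def parse_eve(text):
    """Parse EVE JSON lines and return the records sorted by timestamp."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        # Suricata timestamps look like 2017-03-01T10:00:01.000000+0000
        rec["_ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def classify(rec):
    """Heuristic stage label for one record (alert, landing, payload, DNS, ...)."""
    kind = rec["event_type"]
    if kind == "alert":
        return "exploit kit alert" if " EK " in rec["alert"]["signature"] else "IDS alert"
    if kind == "http":
        url = rec["http"].get("url", "")
        return "payload download" if url.lower().endswith(".exe") else "HTTP request"
    if kind == "dns":
        name = rec["dns"].get("rrname", "")
        return "DNS lookup (.su TLD)" if name.lower().endswith(".su") else "DNS lookup"
    return kind


def describe(rec):
    """Short human-readable detail for the timeline row."""
    kind = rec["event_type"]
    if kind == "alert":
        return rec["alert"]["signature"]
    if kind == "http":
        return rec["http"].get("hostname", "") + rec["http"].get("url", "")
    if kind == "dns":
        return rec["dns"].get("rrname", "")
    return ""


def build_timeline(text):
    """Return [(timestamp, stage, detail), ...] in chronological order."""
    return [(r["timestamp"], classify(r), describe(r)) for r in parse_eve(text)]


def suspicious_tld_lookups(text, tlds=(".su",)):
    """Distinct queried names ending in one of the watched TLDs."""
    names = set()
    for r in parse_eve(text):
        if r["event_type"] == "dns":
            name = r["dns"].get("rrname", "").lower()
            if name.endswith(tuple(tlds)):
                names.add(name)
    return sorted(names)


def high_severity_signatures(text, max_severity=1):
    """Signatures of alerts at or above the given severity (1 is highest)."""
    return [r["alert"]["signature"] for r in parse_eve(text)
            if r["event_type"] == "alert" and r["alert"]["severity"] <= max_severity]


def file_hash_for_lookup(data):
    """SHA-256 of a carved payload: the value to search for on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for ts, stage, detail in build_timeline(EVE_LINES):
        print(f"{ts}  {stage:22s} {detail}")
    print("suspicious TLD lookups:", suspicious_tld_lookups(EVE_LINES))
    print("high-severity alerts:", high_severity_signatures(EVE_LINES))
    print("payload sha256:", file_hash_for_lookup(CARVED_PAYLOAD))
```

On a real Security Onion box the same functions can be pointed at the contents of eve.json for the time window around the first exploit-kit alert; the stage labels are deliberately simple heuristics and are meant as a starting point for the manual Wireshark follow-up, not a replacement for it.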
Overall, this case was a great exercise in correlating IDS alerts with traffic patterns, understanding exploit-kit behavior, and building a coherent attack timeline from scratch.
You can view the report of our findings below. Thanks, JJ, for the great teamwork as usual.
