EITest Gate at 85.93.0.13 Leads to Rig EK at 109.234.38.67 Which Drops Cerber Ransomware

IOCs:

85.93.0.13 – kavafo.xyz – EITest Gate
109.234.38.67 – qw.thesleepdoctormattress.com – Rig EK
162.250.144.215 – ip-api.com – GET /json – IP Check
115.28.36.224 – www.doswf.com – Associated with Rig EK Flash Exploit
91.223.89.201 – Decryptor Site – Associated Files
148.251.6.214 – btc.blockr.io – Associated with BitCoin Information
31.184.234.0/24 and 31.184.235.0/24 via UDP port 6892

Hashes:
SHA256: 262ccfc5ebb5a434d0424bccf2f564028b007a43976c123f216f924a08a76c04
File name: kavafo.xyz EITest SWF Redirect

SHA256: 23a53c15e3c8b7b26d82647c7cb6fc07299f0376df858862e04a2d55e1b2be30
File name: EITest Gate HTML.txt

SHA256: 1844fb643daaeaf2a97ac8e395f12a7875555f2de31bf3cb45e3cb015ea84059
File name: Rig EK Landing Page at 109.234.38.67.txt

SHA256: 14a58210b8d2f22d70d3f2502b7afde9becabb8ddf9ca63a292831a475965c08
File name: RigEK Flash Exploit 109.234.38.67

SHA256: 3920a70300ebb4518af3e4435b9fc93a16fd6560f8e3b2f8b5f1869aea4c355e
File name: RigEK Cerber Payload from 109.234.38.67

SHA256: 271a471d07acfc5c6097f592d62f12aa49bb4e9d5606a2a69bf9287bf29342dc
File name: Blowfish.dll

Another day, another infection chain to document. Since the demise of Angler, the EK scene has been a little slow. Neutrino EK quickly took the spotlight as the most active EK on the market after Angler; however, within the last couple of weeks I’ve been noticing a lot of Rig EK activity.

On 8/15/16 numerous EK researchers found that the EITest gate was leading to Rig EK. That was the first time anyone had seen EITest lead to Rig EK. People had been hypothesizing that the threat actors were doing a test run. If that was the case, the test run appears to have been successful, as there has been a steady increase in EITest-to-Rig EK traffic since then.

The infection chain starts with the compromised website being injected with the EITest script, located within some tags:

The tag plays a Flash file at the URL within the tag. Here is the GET request for the SWF and the response from the server:

That SWF file ends up redirecting the host to a .jpeg… LOL yeah right. The SWF redirects to the EITest gate where you can see more malicious script:

The “Additional Information” tab on the VirusTotal report also shows the malicious script redirecting to the landing page:

The script redirects the host to the Rig EK landing page:

The response from the server shows that the data is gzip compressed, but here is what the file looks like:

The landing page contains some tags and a large chunk of base64 encoded data. Decoding the base64 returns the following:

Looking at the decoded data you can see conditional comments, [if !IE] and [endif], as well as URLs pointing to additional EK resources.

The second URL shown in the decoded data is for the Rig EK SWF exploit. The Rig EK SWF exploit is then followed by a Cerber ransomware payload:

Following the execution of the payload, we can see IP checks via multiple GET requests to ip-api.com/json:

The check returns the AS, city, country, country code, ISP, latitude, longitude, organization, WAN IP address, region, region name, status of the connection, timezone, and zip code.

I then found post-infection UDP traffic via port 6892 to subnets 31.184.234.0/24 and 31.184.235.0/24:
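The IP check followed shortly by UDP/6892 traffic to those two /24s is a usable post-infection signature. The following is an added example (not from the original post) that correlates the two over a few constructed log lines in an assumed "timestamp src proto dst:port host path" format; the indicators are the ones listed at the top of this post.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the IOC list above.
CERBER_UDP_NETS = [ipaddress.ip_network("31.184.234.0/24"),
                   ipaddress.ip_network("31.184.235.0/24")]
CERBER_UDP_PORT = 6892
IP_CHECK_HOST = "ip-api.com"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample log lines (not from the original capture):
# "timestamp src proto dst:port host path", with "-" for non-HTTP fields.
SAMPLE_LOG = """\
2016-08-20T10:00:01 10.0.0.5 TCP 162.250.144.215:80 ip-api.com /json
2016-08-20T10:00:03 10.0.0.5 UDP 31.184.234.17:6892 - -
2016-08-20T10:00:04 10.0.0.5 UDP 31.184.235.200:6892 - -
2016-08-20T10:05:00 10.0.0.9 TCP 162.250.144.215:80 ip-api.com /json
2016-08-20T11:30:00 10.0.0.9 UDP 31.184.234.3:6892 - -
2016-08-20T10:07:00 10.0.0.7 UDP 31.184.234.3:53 - -
"""

def parse(line):
    ts, src, proto, dst, host, path = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "proto": proto,
            "dst": ipaddress.ip_address(dst_ip), "port": int(dst_port),
            "host": host, "path": path}

def is_ip_check(ev):
    return ev["proto"] == "TCP" and ev["host"] == IP_CHECK_HOST and ev["path"].startswith("/json")

def is_cerber_udp(ev):
    return (ev["proto"] == "UDP" and ev["port"] == CERBER_UDP_PORT
            and any(ev["dst"] in net for net in CERBER_UDP_NETS))

def find_infected_hosts(log_text):
    """Return internal hosts that hit ip-api.com/json and, within WINDOW,
    sent UDP/6892 to the Cerber subnets (the post-infection pattern above)."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    checks = defaultdict(list)  # src -> timestamps of IP checks seen so far
    hits = set()
    for ev in events:
        if is_ip_check(ev):
            checks[ev["src"]].append(ev["ts"])
        elif is_cerber_udp(ev):
            if any(timedelta(0) <= ev["ts"] - t <= WINDOW for t in checks[ev["src"]]):
                hits.add(ev["src"])
    return hits

if __name__ == "__main__":
    print(find_infected_hosts(SAMPLE_LOG))  # {'10.0.0.5'}
```

10.0.0.9 is not flagged because its UDP traffic falls outside the window, and 10.0.0.7 is not flagged because the destination port is not 6892; the UDP match on its own is still worth alerting on at lower confidence.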

After the IP check and UDP traffic there were multiple connections to www.doswf.com, which actually resolves to www.doswf.org. DoSWF is a program designed to encrypt and obfuscate ActionScript code. This makes sense because the Flash exploit sent by Rig EK is encrypted with DoSWF. We then find traffic to the Cerber decryptor site and to btc.blockr.io, with responses that contain BitCoin payment information:

Here we can see some files dropped in %APPDATA%:

Here is the VT report for Blowfish.dll.

You can also see that the encrypted files have obfuscated names and the extension .cerber2 appended.

The user would then see their Desktop background change to a Bitmap image showing the Cerber ransom note (a copy is found in %APPDATA%), as well as copies of the ransom note in .HTML and .txt, and their browser would load the Cerber Decryptor site. There is also a VBScript file, “# DECRYPT MY FILES #.vbs,” which uses the Microsoft Speech API text-to-speech to play an audio message saying that the files on the system have been encrypted.

malwarebreakdown
