126.96.36.199 – kavafo.xyz – EITest Gate
188.8.131.52 – qw.thesleepdoctormattress.com – Rig EK
184.108.40.206 – ip-api.com – GET /json – IP Check
220.127.116.11 – http://www.doswf.com – Associated with Rig EK Flash Exploit
18.104.22.168 – Decryptor Site – Associated Files
22.214.171.124 – btc.blockr.io – Associated with BitCoin Information
126.96.36.199/24 and 188.8.131.52/24 via UDP port 6892
File name: kavafo.xyz EITest SWF Redirect
File name: EITest Gate HTML.txt
File name: Rig EK Landing Page at 184.108.40.206.txt
File name: RigEK Flash Exploit 220.127.116.11
File name: RigEK Cerber Payload from 18.104.22.168
File name: Blowfish.dll
Another day, another infection chain to document. Since the demise of Angler the EK scene has been a little slow. Neutrino EK quickly took the spotlight as the most active EK on the market after Angler; however, within the last couple of weeks I’ve been noticing a lot of Rig EK activity.
On 8/15/16 numerous EK researchers found that EITest gate was leading to Rig EK. That was the first time anyone has seen EITest lead to Rig EK. People had been hypothesizing the threat actors were doing a test run. If that was the case then it would seem like the test run was successful as there has been a steady increase in the amount of EITest to RigEK since then.
The infection chain starts with the compromised website being injected with the EITest script, located within some tags:
The tag plays a Flash file at the URL within the tag. Here is the GET request for the SWF and the response from the server:
That SWF file ends up redirecting the host to a .jpeg… LOL yeah right. The SWF redirects to the EITest gate where you can see more malicious script:
The “Additional Information” tab on the VirusTotal report also shows the malicious script redirecting to the landing page:
The script redirects the host to the Rig EK landing page:
The response from the server shows that the data is being gzip compressed but here is what the file looks like:
The landing page contains some tags and a large chunk of base64 encoded data. Decoding the base64 returns the following:
Looking at the decoded data you can see some conditional statements: [if !IE] and [endif], as well as URLs pointing to additional EK resources.
The 2nd URL shown in the decoded data is for the Rig EK SWF exploit. The Rig EK SWF exploit is then followed by a Cerber ransomware payload:
Following the execution of the payload we can see IP checks via multiple GET requests to ip-api.com/json:
The check returns the AS, city, country, country code, ISP, latitude, longitude, organization, WAN IP address, region, region name, status of the connection, timezone, and zip code.
I then found post-infection UDP traffic via port 6892 to subnets 22.214.171.124/24 and 126.96.36.199/24:
After the IP check and UDP traffic there were multiple connections to http://www.doswf.com, which really resolves to http://www.doswf.org. DoSWF is program designed to encrypt and obfuscate ActionScript code. This makes sense because the Flash exploit sent by Rig EK is encrypted with DoSWF. We then find traffic to the Cerber decryptor site and to btc.blockr.io with responses that contain BitCoin payment information:
Here we can see some files dropped in %APPDATA%:
Here is the VT report for Blowfish.dll.
You can also see that the encrypted files are obfuscated and appended with the extension .cerber2.
The user would then see their Desktop background change to a Bitmap image showing the Cerber ransom note (copy found in %APPDATA%), as well as copies of the ransom notes in .HTML and .txt, and their browser would load the Cerber Decryptor site. There is also a VBScript file that plays “# DECRYPT MY FILES #.vbs,” which plays an audio message via Microsoft Speech API text-to-speech that the files in the system have been encrypted.