- 18.104.22.168 – equatorappliances.com – Compromised Website
- 22.214.171.124 – conmensurativa.cyclemanagementassociates.net – Rig EK
- 126.96.36.199 – CryptMIC post-infection traffic via TCP port 443 (sent in clear text)
- SHA256: 86b24c3990b106c74f7f475ebaced01cb69f9b9f6de069d8df8209edba72a40f
File name: RigEK Landing Page.html
- SHA256: cc1002a14db7ccf59b7320b49a5dfc0995a6ad6895bfaab4de1a296756020fe6
File name: RigEK Flash Exploit.swf
- SHA256: bd98b94ec01df8a3391af1203f662225a4734c154ee58a739cd4af5328ff0823
File name: IIj6sFosp
- SHA256: 044dbd83e6fb41cf831cc83126d9b6e859f69ebd5c26f01d8c26c377bd892d65
File name: rad0DEDB.tmp.exe
The infection chain starts off with a compromised website being injected with the pseudoDarkleech script:
That iframe contains the URL for the Rig Exploit Kit landing page. Once the page loads in the browser the iframe generates a GET requests for the landing page. Here is the GET for the landing page:
After being redirected to the landing page the host made a GET request for a Flash file, in this case a Flash exploit:
And finally we see the payload being sent:
The first run at the Exploit Kit returned a file called “IIj6sFosp”. Here is a look at the file:
That file deleted itself and downloaded a .dll called “rad80A00.tmp.dll”. Recently, all these .dll files have been 126 bytes in size and follow the naming convention of rad[5 alphanumeric].tmp.dll.
My second attempt returned “rad0DEDB.tmp.exe”. For some reason the .dll’s being dropped by Rig Exploit Kit are failing to compromise the system while the executables are successful.
Here is a picture of both files being dropped in %TEMP%:
Once the system was infected the ransom notes (Bitmap, HTML, and Text) were dropped on the Desktop and in folders containing encrypted files:
While looking for post-infection traffic I found communication to 188.8.131.52 via TCP port 443. This traffic wasn’t encrypted as the ransom note can be seen in clear text:
My recommendation is to block the Rig Exploit Kit IP address and the callback IP at your perimeter firewall(s).