Rig EK at 74.208.99.252 Drops CryptMIC Ransomware


IOCs:

  • 50.63.246.29 – equatorappliances.com – Compromised Website
  • 74.208.99.252 – conmensurativa.cyclemanagementassociates.net – Rig EK
  • 65.49.8.96 – CryptMIC post-infection traffic via TCP port 443 (sent in clear text)

[Screenshot: traffic capture of the infection chain]

Hashes:

  1. SHA256: 86b24c3990b106c74f7f475ebaced01cb69f9b9f6de069d8df8209edba72a40f
    File name: RigEK Landing Page.html
  2. SHA256: cc1002a14db7ccf59b7320b49a5dfc0995a6ad6895bfaab4de1a296756020fe6
    File name: RigEK Flash Exploit.swf
  3. SHA256: bd98b94ec01df8a3391af1203f662225a4734c154ee58a739cd4af5328ff0823
    File name: IIj6sFosp
  4. SHA256: 044dbd83e6fb41cf831cc83126d9b6e859f69ebd5c26f01d8c26c377bd892d65
    File name: rad0DEDB.tmp.exe

Infection Chain:

The infection chain starts with a compromised website that has been injected with the pseudoDarkleech script:

[Screenshot: injected script on the compromised site]

The injected code is an iframe whose source is the Rig Exploit Kit landing page. When the page loads in the browser, the iframe generates a GET request for the landing page:

[Screenshot: GET request for the Rig EK landing page]

After being redirected to the landing page, the host made a GET request for a Flash file, in this case the Flash exploit:

[Screenshot: GET request for the Flash exploit]

And finally we see the payload being sent:

[Screenshot: payload download]

My first run against the exploit kit returned a file called “IIj6sFosp”. Here is a look at the file:

[Screenshot: contents of IIj6sFosp (JavaScript)]

That file deleted itself and downloaded a .dll called “rad80A00.tmp.dll”. Recently, all of these .dll files have been 126 bytes in size and follow the naming convention rad[5 alphanumeric].tmp.dll. A 126-byte file is far too small to carry a ransomware payload, which fits the failed infections described below.

My second attempt returned “rad0DEDB.tmp.exe”. For some reason the .dlls being dropped by Rig Exploit Kit fail to compromise the system, while the executables succeed.

Here is a picture of both files being dropped in %TEMP%:

[Screenshot: rad80A00.tmp.dll and rad0DEDB.tmp.exe in %TEMP%]
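As an added example (not code from the original post), here is a Python triage script for the host side of this chain. It walks a %TEMP% directory, flags files matching the rad[5 alphanumeric].tmp.dll/.exe naming convention, notes .dll files that are too small to be a real payload, and compares SHA256 values against the hashes listed above. The sample directory it builds contains constructed filler, not the real samples, so the hash check only fires on the real files or on a hash you pass in yourself.

```python
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path

# SHA256 values of the two dropped payloads from the hash list above.
KNOWN_PAYLOAD_HASHES = {
    "bd98b94ec01df8a3391af1203f662225a4734c154ee58a739cd4af5328ff0823": "IIj6sFosp",
    "044dbd83e6fb41cf831cc83126d9b6e859f69ebd5c26f01d8c26c377bd892d65": "rad0DEDB.tmp.exe",
}

# Naming convention of the dropped files: rad + five alphanumerics + .tmp.dll or .tmp.exe
DROPPER_NAME = re.compile(r"^rad[0-9A-Za-z]{5}\.tmp\.(dll|exe)$", re.IGNORECASE)

# The .dll droppers in this campaign have been 126 bytes; anything under 1 KiB is far
# too small to carry a ransomware payload, so tiny DLLs get an extra reason.
TINY_DLL_LIMIT = 1024


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files in %TEMP% are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_temp_dir(temp_dir: Path, known_hashes: dict = KNOWN_PAYLOAD_HASHES) -> list:
    """Return one finding per suspicious file: name, path, size, SHA256 and the reasons it was flagged."""
    findings = []
    for path in sorted(temp_dir.iterdir()):
        if not path.is_file():
            continue
        size = path.stat().st_size
        digest = sha256_file(path)
        reasons = []
        match = DROPPER_NAME.match(path.name)
        if match:
            reasons.append("name matches rad[5 alphanumeric].tmp.dll/.exe")
            if match.group(1).lower() == "dll" and size < TINY_DLL_LIMIT:
                reasons.append(f"only {size} bytes, consistent with the 126-byte .dll droppers")
        if digest in known_hashes:
            reasons.append(f"SHA256 matches known sample {known_hashes[digest]}")
        if reasons:
            findings.append({"name": path.name, "path": str(path), "size": size,
                             "sha256": digest, "reasons": reasons})
    return findings


def build_sample_temp_dir() -> Path:
    """Create a constructed stand-in for %TEMP%; file contents are filler, not the real samples."""
    sample = Path(tempfile.mkdtemp(prefix="rigek-triage-"))
    (sample / "rad80A00.tmp.dll").write_bytes(b"X" * 126)             # tiny dll, name matches
    (sample / "rad0DEDB.tmp.exe").write_bytes(b"MZ" + b"\x00" * 4094)  # name matches, filler body
    (sample / "report.txt").write_bytes(b"benign text")               # must not be flagged
    return sample


if __name__ == "__main__":
    # Pass a directory (e.g. %TEMP%) as the first argument; with no argument the constructed sample is used.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_temp_dir()
    for finding in triage_temp_dir(target):
        print(finding["path"], finding["size"], finding["sha256"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a live host run it as `python triage.py %TEMP%`; the hash list is a plain dict, so new samples can be appended as they appear, and the name/size rules catch droppers whose hashes are not yet known.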

Once the system was infected, the ransom notes (Bitmap, HTML, and Text) were dropped on the Desktop and in every folder containing encrypted files:

[Screenshot: ransom notes on the Desktop]

While looking for post-infection traffic I found communication to 65.49.8.96 via TCP port 443. This traffic wasn’t encrypted: the ransom note can be seen in clear text:

[Screenshot: post-infection traffic to 65.49.8.96 over TCP port 443 in clear text]

My recommendation is to block the Rig Exploit Kit IP address and the callback IP at your perimeter firewall(s). Exploit kit and callback infrastructure changes often, so treat the IP blocks as a short-term measure and also alert on the naming pattern of the dropped files and on non-TLS traffic to TCP port 443, which is what gave this callback away.
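As an added example (not code from the original post), the following Python detection logic applies the network IOCs above to client-to-server flows and adds the one check that outlives an IP block: data on TCP/443 that does not begin with a TLS record header. The sample flows are constructed; the IPs, ports and domains are the post's IOCs, while the request lines, the ransom-note text and the clean TLS destination (93.184.216.34, example.com) are stand-ins.

```python
import re

# Network IOCs from the list at the top of the post.
IOC_IPS = {
    "50.63.246.29": "compromised website (equatorappliances.com)",
    "74.208.99.252": "Rig EK landing host",
    "65.49.8.96": "CryptMIC callback",
}
IOC_DOMAINS = {
    "equatorappliances.com": "compromised website",
    "conmensurativa.cyclemanagementassociates.net": "Rig EK",
}

HOST_HEADER = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def looks_like_tls(first_bytes: bytes) -> bool:
    """A TLS session opens with a record header: content type 0x16 (handshake) followed by
    a record version of 0x0300..0x0303 (SSL 3.0 through TLS 1.2; TLS 1.3 still sends 0x0301/0x0303)."""
    return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03)


def classify_flow(dst_ip: str, dst_port: int, first_bytes: bytes) -> list:
    """Return the list of alert strings for one client-to-server flow (empty list = clean)."""
    alerts = []
    if dst_ip in IOC_IPS:
        alerts.append(f"destination {dst_ip} is the {IOC_IPS[dst_ip]}")
    # The CryptMIC callback used port 443 without TLS; a real HTTPS client would send a handshake first.
    if dst_port == 443 and not looks_like_tls(first_bytes):
        alerts.append("cleartext data on TCP/443 (no TLS handshake)")
    # Plain HTTP exposes the Host header, so the EK and compromised-site domains can be matched directly.
    match = HOST_HEADER.search(first_bytes)
    if match:
        host = match.group(1).decode("ascii", "replace").strip().lower()
        if host in IOC_DOMAINS:
            alerts.append(f"HTTP Host {host} is the {IOC_DOMAINS[host]} domain")
    return alerts


def analyze(flows) -> list:
    """flows: iterable of (dst_ip, dst_port, first_bytes_from_client). Returns one alert list per flow."""
    return [classify_flow(ip, port, data) for ip, port, data in flows]


# Constructed sample flows in the order of the infection chain. Request lines and the
# ransom-note text are stand-ins; only the IPs, ports and domains come from the post.
SAMPLE_FLOWS = [
    ("50.63.246.29", 80, b"GET / HTTP/1.1\r\nHost: equatorappliances.com\r\n\r\n"),
    ("74.208.99.252", 80, b"GET / HTTP/1.1\r\nHost: conmensurativa.cyclemanagementassociates.net\r\n\r\n"),
    ("65.49.8.96", 443, b"YOUR FILES HAVE BEEN ENCRYPTED (stand-in for the cleartext ransom note)"),
    ("93.184.216.34", 443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),  # ordinary TLS ClientHello
]

if __name__ == "__main__":
    for (ip, port, _), alerts in zip(SAMPLE_FLOWS, analyze(SAMPLE_FLOWS)):
        print(f"{ip}:{port} -> {alerts or 'no alert'}")
```

To run this over real traffic, feed it the first client payload bytes of each TCP session (for example from a Zeek or tshark export); the cleartext-on-443 rule will also fire on legitimate non-TLS services on that port, so pair it with the destination in your triage rather than blocking on it alone.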
