Rig EK at 149.202.239.50 Drops CryptMIC Ransomware

IOCs:

192.185.112.45 – 101beautytricks.com – Compromised Site
149.202.239.50 – dissect.theawesomestmusic.com – Rig EK
91.121.74.154 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)

Traffic:

capture

c2

Hashes:

  1. SHA256: 101504d805174416b51f601dfb5ab626e8eea9504306a36bf5bb3ad2f8d30230
    File name: RigEK Landing Page.html
  2. SHA256: a09f4f8ab6d93995398320c9406a3502fee8d6116f0e7a8bf1b1c030dec555ff
    File name: RigEK Flash Exploit.swf
  3. SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
    File name: IIj6sFosp
  4. SHA256: aed87c57ed65adfaba258d48bbad1f9d2f9bc2f0e404b3badff246b504bae8dc
    File name: rad8035D.tmp.exe

Infection Chain:

This was another typical Rig EK to CryptMIC infection chain that started with the script being injected into the compromised website:

pseudodarkleech-script

The script then redirects the host to the landing page which then causes the host to make a GET request for the Flash exploit. Lastly, there is a GET request for the payload. Below are all three request from the host and responses from the server:

rigek-landing-pagerigek-flash-exploitrigek-payload

As usual there is a .tmp.exe dropped into %TEMP% and ransom notes dropped in various folders and on the Desktop. Again, the .exe is masquerading as NirCmd.exe which is a legitimate command-line utility for Windows.

temp

desktop

This is the second IP in the 149.202.239.0/24 subnet that had been used by Rig EK today. It might be a good idea to flag HTTP traffic to this subnet. I would block any IPs within this subnet that are resolving to EK subdomains.

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: