18.104.22.168 – 101beautytricks.com – Compromised Site
22.214.171.124 – dissect.theawesomestmusic.com – Rig EK
126.96.36.199 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)
- SHA256: 101504d805174416b51f601dfb5ab626e8eea9504306a36bf5bb3ad2f8d30230
File name: RigEK Landing Page.html
- SHA256: a09f4f8ab6d93995398320c9406a3502fee8d6116f0e7a8bf1b1c030dec555ff
File name: RigEK Flash Exploit.swf
- SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
File name: IIj6sFosp
- SHA256: aed87c57ed65adfaba258d48bbad1f9d2f9bc2f0e404b3badff246b504bae8dc
File name: rad8035D.tmp.exe
This was another typical Rig EK to CryptMIC infection chain that started with the script being injected into the compromised website:
The script then redirects the host to the landing page which then causes the host to make a GET request for the Flash exploit. Lastly, there is a GET request for the payload. Below are all three request from the host and responses from the server:
As usual there is a .tmp.exe dropped into %TEMP% and ransom notes dropped in various folders and on the Desktop. Again, the .exe is masquerading as NirCmd.exe which is a legitimate command-line utility for Windows.
This is the second IP in the 188.8.131.52/24 subnet that had been used by Rig EK today. It might be a good idea to flag HTTP traffic to this subnet. I would block any IPs within this subnet that are resolving to EK subdomains.