Rig EK at 149.202.239.54 Drops CryptMIC Ransomware

IOCs:

69.195.124.229 – friedchickenfestival.com – Compromised Site
149.202.239.54 – alveraverticaltotal.jacobeachquadplex.info – Rig EK
91.121.74.154 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)

Traffic:

[Image: traffic-get (HTTP GET requests captured during the infection)]

[Image: c2 (CryptMIC post-infection callback traffic)]

Hashes:

  1. SHA256: 02bbe8a5e930508263776e2efbe0d3bd1a4c01d42fa7ee4906cf735a91e29853
    File name: RigEK Landing Page.html
  2. SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d
    File name: RigEK Flash Exploit.swf
  3. SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
    File name: IIj6sFosp
  4. SHA256: ba664c151f312b4d249fbee2863984aea4d3725b97065095b63729fe1f3fabfd
    File name: radDA159.tmp.exe

Infection Chain:

The infection chain begins with the pseudoDarkleech script being injected into the compromised website. Below is an image of the website's source code showing the injected script:

[Image: pseudodarkleech-script (injected script in the compromised site's source)]

The URL within the <iframe> tag is used as the redirection mechanism for the Rig Exploit Kit landing page. Below are the requests and responses for the Exploit Kit landing page, Flash exploit, and payload (in that order):

[Image: rigek-landing-page-request (Rig EK landing page request)]

[Image: rigek-flash-exploit-request-response (Flash exploit request and response)]

[Image: payload (payload request and response)]

This time the server sent an executable called “radDA159.tmp.exe”. The executable's file description reads “NirCmd”, which is a legitimate Windows command line tool, and the malicious executable was even given an icon. See the images below:

[Image: temp (radDA159.tmp.exe file properties)]

[Image: exe (executable icon and “NirCmd” file description)]

There were also ransom notes (Bitmap, HTML, and Text) dropped in various folders. Oddly enough I didn’t get the usual .html and .txt ransom notes on the Desktop, only the image changed.

[Image: desktop (changed desktop background ransom note)]

I recommend that the EK IP be blocked at your perimeter firewall.
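Beyond blocking the EK IP, the clear-text callback over TCP port 443 listed in the IOCs is something a defender can flag directly. The following is an added example, not code from the original post: it checks whether a flow to port 443 starts with a TLS ClientHello and matches destinations against the IPs above. The Flow class, the sample flows, and the classify function are assumptions constructed for illustration.

```python
# Added example (not from the original post): flag TCP/443 flows whose first
# client bytes are not a TLS handshake, and match destinations against IOCs.
from dataclasses import dataclass
from typing import List

# IOC IPs exactly as listed in the post.
EK_IP = "149.202.239.54"        # Rig EK
CALLBACK_IP = "91.121.74.154"   # CryptMIC callback, TCP/443 in the clear
IOC_IPS = {EK_IP, CALLBACK_IP}


@dataclass
class Flow:
    """Minimal flow record (constructed for this example)."""
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x0X,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    if len(payload) < 6:
        return False
    return (payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def classify(flow: Flow) -> List[str]:
    """Return detection labels for one flow (empty list = nothing notable)."""
    findings = []
    if flow.dst in IOC_IPS:
        findings.append(f"ioc-match:{flow.dst}")
    if flow.dport == 443 and not looks_like_tls_client_hello(flow.first_bytes):
        findings.append("cleartext-on-443")
    return findings


# Constructed sample flows (not captured traffic from the post).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", 443,
         b"\x16\x03\x01\x00\x65\x01\x00\x00\x61\x03\x03"),      # normal TLS
    Flow("10.0.0.5", CALLBACK_IP, 443,
         b"POST / HTTP/1.1\r\nHost: 91.121.74.154\r\n"),        # clear-text callback
    Flow("10.0.0.5", EK_IP, 80, b"GET /?oq=abc HTTP/1.1\r\n"),  # EK landing page
]


def scan(flows: List[Flow]) -> List[List[str]]:
    return [classify(f) for f in flows]
```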

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
