- 18.104.22.168 – stjoeschool.org – Compromised Site
- 22.214.171.124 – vaippaandedicators.reducemycard.com – Rig EK
- 126.96.36.199 – CryptMIC C2 communications via TCP port 443 (in clear text)
- SHA256: 0e78c0dc543ae85b59d60d6a0de3986cb4cab1640cb0809a3e9ce10657a71851 – File name: RigEK Landing Page.html
- SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d – File name: RigEK SWF Exploit.swf
- SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331 – File name: IIj6sFosp
- SHA256: 0e9bedc57f97bb2c7119ad4713b03fc9b10df09202fb7a237b610aec4687b736 – File name: radDC17B.tmp.exe
The infection chain begins with a compromised site being injected with the pseudoDarkleech script. The script is basically a malicious iframe that points to the Rig Exploit Kit landing page. Below is an image of the script on the compromised site:
The next phase of the infection chain begins when the host is redirected to the Exploit Kit landing page. Once the host retrieves the landing page from the server, scripts run to determine whether the host is vulnerable to particular exploits. Below is the TCP stream showing the requests for the landing page, the Flash exploit, and the payload (in that order):
This time the Rig Exploit Kit server sent an executable instead of a .DLL. Below are the files dropped in %TEMP%. The executable followed the naming convention we are used to seeing these days, which is “rad[5 alphanumeric characters].tmp.exe” or “.dll”.
Once the system was infected the usual CryptMIC ransom notes were dropped onto the Desktop and into various folders:
I recommend blocking all the IPs and domains listed above in the IOCs section.
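To make the IOCs above and the “rad[5 alphanumeric characters].tmp” naming convention directly usable, here is a small Python checker that matches the post's IPs, domains and SHA256 hashes against proxy-log lines and a %TEMP% listing. This is an added example, not code from the original post; the proxy-log line format (`<timestamp> <client-ip> <method> <url> <status>`), the sample log lines and the sample directory listing are constructed for illustration, and only the indicator values themselves come from the post.

```python
"""Match the IOCs from this post against proxy-log lines and a %TEMP% listing.

Added example, not part of the original post. The log format and all sample
inputs below are constructed; the indicator values are the ones listed above.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Network IOCs taken from the post.
IOC_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199"}
IOC_DOMAINS = {"stjoeschool.org", "vaippaandedicators.reducemycard.com"}

# File hashes taken from the post, mapped to the file names given there.
IOC_SHA256 = {
    "0e78c0dc543ae85b59d60d6a0de3986cb4cab1640cb0809a3e9ce10657a71851": "RigEK Landing Page.html",
    "c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d": "RigEK SWF Exploit.swf",
    "e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331": "IIj6sFosp",
    "0e9bedc57f97bb2c7119ad4713b03fc9b10df09202fb7a237b610aec4687b736": "radDC17B.tmp.exe",
}

# Dropper naming convention described in the post: "rad" + 5 alphanumerics + .tmp.exe/.dll
RAD_DROPPER_RE = re.compile(r"^rad[A-Za-z0-9]{5}\.tmp\.(?:exe|dll)$", re.IGNORECASE)

# Assumed proxy-log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def is_rad_dropper_name(name: str) -> bool:
    """True if a file name follows the rad[5 chars].tmp.exe/.dll convention."""
    return RAD_DROPPER_RE.match(name) is not None


def match_proxy_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, matched_host, indicator_type) for an IOC hit, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, _status = m.groups()
    host = (urlparse(url).hostname or "").lower()
    if host in IOC_IPS:
        return (client, host, "ip")
    if host in IOC_DOMAINS:
        return (client, host, "domain")
    # Also catch subdomains of a listed domain.
    for domain in IOC_DOMAINS:
        if host.endswith("." + domain):
            return (client, host, "subdomain")
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Collect every IOC hit in a proxy log."""
    return [hit for hit in (match_proxy_line(l) for l in lines) if hit]


def scan_temp_listing(names: Iterable[str]) -> List[str]:
    """Return file names in a %TEMP% listing that match the dropper convention."""
    return [n for n in names if is_rad_dropper_name(n)]


def match_hashes(observed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Given {path: sha256}, return (path, known_file_name) for every IOC hash hit."""
    return [(p, IOC_SHA256[h.lower()]) for p, h in observed.items() if h.lower() in IOC_SHA256]


# Constructed sample inputs (not captured data).
SAMPLE_PROXY_LOG = [
    "2016-10-05T14:02:11Z 10.0.0.23 GET http://stjoeschool.org/ 200",
    "2016-10-05T14:02:12Z 10.0.0.23 GET http://vaippaandedicators.reducemycard.com/ 200",
    "2016-10-05T14:02:13Z 10.0.0.23 GET http://22.214.171.124/ 200",
    "2016-10-05T14:02:20Z 10.0.0.23 POST http://126.96.36.199:443/ 200",
    "2016-10-05T14:02:25Z 10.0.0.44 GET http://example.com/ 200",
]
SAMPLE_TEMP_LISTING = ["radDC17B.tmp.exe", "IIj6sFosp", "~DF1A2B.tmp", "rad12345.tmp.dll"]
SAMPLE_HASHES = {
    r"C:\Users\user\AppData\Local\Temp\radDC17B.tmp.exe":
        "0e9bedc57f97bb2c7119ad4713b03fc9b10df09202fb7a237b610aec4687b736",
    r"C:\Users\user\AppData\Local\Temp\~DF1A2B.tmp":
        "0" * 64,  # constructed non-matching hash
}

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    print("dropper-style names:", scan_temp_listing(SAMPLE_TEMP_LISTING))
    print("hash hits:", match_hashes(SAMPLE_HASHES))
```

The subdomain check matters because exploit-kit gates rotate hostnames under a registered domain; the name-convention check is a weak indicator on its own (legitimate installers also write rad*.tmp files), so treat it as a pivot for hash verification rather than a verdict.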