Rig EK at 74.208.147.73 Drops CryptMIC Ransomware

IOCs:

  • 181.224.139.64 – stjoeschool.org – Compromised Site
  • 74.208.147.73 – vaippaandedicators.reducemycard.com – Rig EK
  • 91.121.74.154 – CryptMIC C2 communications via TCP port 443 (in clear text)

Traffic:

[Image: traffic capture]

[Image: C2 communications]

Hashes:

  1. SHA256: 0e78c0dc543ae85b59d60d6a0de3986cb4cab1640cb0809a3e9ce10657a71851
    File name: RigEK Landing Page.html
  2. SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d
    File name: RigEK SWF Exploit.swf
  3. SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
    File name: IIj6sFosp
  4. SHA256: 0e9bedc57f97bb2c7119ad4713b03fc9b10df09202fb7a237b610aec4687b736
    File name: radDC17B.tmp.exe

Infection Chain:

The infection chain begins with a compromised site being injected with the pseudoDarkleech script. The script is basically a malicious iframe that points to the Rig Exploit Kit landing page. Below is an image of the script on the compromised site:

[Image: pseudoDarkleech script on the compromised site]

The next phase of the infection chain begins when the host is redirected to the Exploit Kit landing page. Once the host retrieves the landing page from the server, scripts are run to determine whether the host is vulnerable to particular exploits. Below is the TCP stream showing the request for the landing page, the Flash exploit, and the payload (in that order):

[Image: landing page request]

[Image: SWF exploit request]

[Image: payload request]

This time the Rig Exploit Kit server sent an executable instead of a .DLL. Below are the files dropped in %TEMP%. The executable followed the naming convention we are used to seeing these days, which is “rad[5 alphanumeric characters].tmp.exe” or “.dll”.

[Image: files dropped in %TEMP%]

Once the system was infected the usual CryptMIC ransom notes were dropped onto the Desktop and into various folders:

[Image: CryptMIC ransom notes on the Desktop]

I recommend blocking all the IPs and domains listed above in the IOCs section.
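As an added example (not code from the original post), here is a small Python scanner that applies the IOCs listed above and the rad[5 alphanumeric characters].tmp.exe/.dll naming convention to endpoint and network log lines. The pipe-delimited log format and the sample lines are constructed for this example; adapt the parsing to your own telemetry.

```python
import re
from dataclasses import dataclass

# Indicators taken from the IOC section of this post.
IOC_IPS = {"181.224.139.64", "74.208.147.73", "91.121.74.154"}
IOC_DOMAINS = {"stjoeschool.org", "vaippaandedicators.reducemycard.com"}

# Rig EK payload naming convention described in the post:
# "rad" + 5 alphanumeric characters + ".tmp.exe" or ".tmp.dll".
RAD_TMP_RE = re.compile(
    r"(?:^|[\\/])rad[0-9A-Za-z]{5}\.tmp\.(?:exe|dll)$", re.IGNORECASE
)

# Constructed sample log: "<event kind> | <host> | <value>".
SAMPLE_LOG = [
    "dns  | host1 | stjoeschool.org",
    "net  | host1 | 181.224.139.64:80",
    "dns  | host1 | vaippaandedicators.reducemycard.com",
    "net  | host1 | 74.208.147.73:80",
    r"file | host1 | C:\Users\user\AppData\Local\Temp\radDC17B.tmp.exe",
    r"file | host1 | C:\Users\user\AppData\Local\Temp\readme.txt",
    "net  | host1 | 91.121.74.154:443",
    "net  | host1 | 8.8.8.8:53",
]

@dataclass
class Hit:
    kind: str    # "ioc_domain", "ioc_ip" or "rad_tmp_drop"
    detail: str  # the matched domain, ip:port or file path

def is_rad_tmp_name(path: str) -> bool:
    """True if the file name matches the rad[5].tmp.exe / .dll convention."""
    return RAD_TMP_RE.search(path) is not None

def scan(lines):
    """Return a Hit for every log line that matches an IOC or the drop name."""
    hits = []
    for line in lines:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash
        kind, _host, value = fields
        if kind == "dns" and value.lower() in IOC_DOMAINS:
            hits.append(Hit("ioc_domain", value))
        elif kind == "net":
            ip, _, port = value.rpartition(":")
            if ip in IOC_IPS:
                hits.append(Hit("ioc_ip", f"{ip}:{port}"))
        elif kind == "file" and is_rad_tmp_name(value):
            hits.append(Hit("rad_tmp_drop", value))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the compromised site, the Rig EK host, the dropped payload, and the clear-text C2 session on port 443, while leaving the ordinary DNS lookup and text file alone.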
