pseudoDarkleech Leads to Rig EK at 137.74.61.215 and Drops CryptMIC

IOCs:

  • 206.188.193.161 – gallolocomexican.com – Compromised Website
  • 137.74.61.215 – barkatullavbwait.ernestboaten.com – Rig EK
  • 162.244.35.19 – CryptMIC C2 via TCP port 443 – Traffic sent in the clear

Traffic:

[Image: packet capture of the infection traffic]

Hashes:

SHA256: 1e20d2cb0ad52d1dbead4d7f029921d9cc6fb541e11fac6a899bf33b86577656
File name: RigEK Landing Page.html

SHA256: 25ea816e89234c1974e791b04eb83280c92296500fa9fbbdae24056d0b7a8bfe
File name: RigEK Flash Exploit.swf

SHA256: 293e77ff35ff9482c1ea58025f8ddd9b2bf09b4d08dc1202794e1ba193d7c511
File name: IIj6sFosp

SHA256: 1fbfd0132f0ca12a41fec858e065763fc5d1b7a282b24e6cb5f45be2bbe02b1b
File name: rad84159.tmp.exe

Infection Chain:

The infection chain started out with the pseudoDarkleech campaign script being injected into the compromised website. Below is an image showing the malicious iframe in the website’s source code:

[Image: pseudoDarkleech script injected into the compromised website's source]

The script being loaded causes the host to make a GET request for the Rig EK landing page. Below is the GET request for the landing page, as well as the GET requests for the Flash exploit and CryptMIC payload (in that order):

[Images: GET requests for the Rig EK landing page, the Flash exploit, and the CryptMIC payload]

Once on the landing page, we see a JavaScript file with no extension, called “IIj6sFosp”, being dropped in %TEMP%. This is the downloader for the malware binary. That file deletes itself (it was put back in %TEMP%), and then we see “rad84159.tmp.exe” being downloaded to %TEMP%:

[Image: contents of %TEMP% showing IIj6sFosp and rad84159.tmp.exe]

It is at this point that the user’s files are encrypted and ransom notes are dropped on the system. Below is a picture of the Desktop showing the various ransom notes (an .html, a bitmap, and a .txt) with the payment sites and decryption instructions:

[Image: Desktop with the CryptMIC ransom notes]

I recommend blocking the Rig EK IP and the CryptMIC C2 at your perimeter firewall(s).
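As an added example (not code from the original post), the script below turns the IOCs listed above into a simple matcher: it scans proxy/firewall-style log lines for the compromised site, the Rig EK host, and the CryptMIC C2, groups hits per internal host so the full chain stands out, and classifies file digests against the four SHA256 hashes. The log format, the internal addresses, and the benign decoy line are constructed for illustration; only the IPs, domains, and hashes come from the post.

```python
"""IOC matcher for the pseudoDarkleech -> Rig EK -> CryptMIC chain.

Added example, not the post's own tooling. IOC values (IPs, domains,
SHA256 hashes) are taken from the post; everything else is constructed.
"""
import hashlib
import re

# Network IOCs from the post, mapped to the stage they indicate.
IP_IOCS = {
    "206.188.193.161": "Compromised website (gallolocomexican.com)",
    "137.74.61.215": "Rig EK (barkatullavbwait.ernestboaten.com)",
    "162.244.35.19": "CryptMIC C2 (TCP/443, cleartext)",
}
DOMAIN_IOCS = {
    "gallolocomexican.com": "Compromised website (gallolocomexican.com)",
    "barkatullavbwait.ernestboaten.com": "Rig EK (barkatullavbwait.ernestboaten.com)",
}

# File hashes from the post, mapped to the artifact they identify.
HASH_IOCS = {
    "1e20d2cb0ad52d1dbead4d7f029921d9cc6fb541e11fac6a899bf33b86577656": "Rig EK landing page",
    "25ea816e89234c1974e791b04eb83280c92296500fa9fbbdae24056d0b7a8bfe": "Rig EK Flash exploit",
    "293e77ff35ff9482c1ea58025f8ddd9b2bf09b4d08dc1202794e1ba193d7c511": "IIj6sFosp (downloader)",
    "1fbfd0132f0ca12a41fec858e065763fc5d1b7a282b24e6cb5f45be2bbe02b1b": "rad84159.tmp.exe (CryptMIC)",
}

# Constructed sample log in a simple "timestamp src dst dst_port host" format.
# The internal addresses, timestamps and the example.com line are made up;
# the destination IPs/hosts on the first three lines are the post's IOCs.
SAMPLE_LOGS = """\
2016-10-01T12:00:01 10.0.0.5 206.188.193.161 80 gallolocomexican.com
2016-10-01T12:00:03 10.0.0.5 137.74.61.215 80 barkatullavbwait.ernestboaten.com
2016-10-01T12:00:09 10.0.0.5 162.244.35.19 443 -
2016-10-01T12:00:10 10.0.0.7 93.184.216.34 443 example.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def match_log_lines(text):
    """Return [(timestamp, src_ip, stage)] for every line hitting an IOC.

    A line matches on destination IP first, then on the Host value, so
    the C2 line (no Host header, just TCP/443) is still caught by IP.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the run
        ts, src, dst, _port, host = m.groups()
        stage = IP_IOCS.get(dst) or DOMAIN_IOCS.get(host.lower())
        if stage:
            hits.append((ts, src, stage))
    return hits


def hosts_by_stage(hits):
    """Group hits per internal host, keeping the order stages were seen.

    A host that shows all three stages has walked the whole chain and
    should be treated as infected, not merely as having browsed the site.
    """
    chain = {}
    for _ts, src, stage in hits:
        stages = chain.setdefault(src, [])
        if stage not in stages:
            stages.append(stage)
    return chain


def hash_file_bytes(data):
    """SHA256 hex digest of file contents (e.g. a file pulled from %TEMP%)."""
    return hashlib.sha256(data).hexdigest()


def classify_digest(hexdigest):
    """Return the artifact name for a known SHA256, or None if unknown."""
    return HASH_IOCS.get(hexdigest.lower())


if __name__ == "__main__":
    for src, stages in hosts_by_stage(match_log_lines(SAMPLE_LOGS)).items():
        print(f"{src}: {' -> '.join(stages)}")
    print(classify_digest("1fbfd0132f0ca12a41fec858e065763fc5d1b7a282b24e6cb5f45be2bbe02b1b"))
```

Pointing `match_log_lines` at real proxy or firewall exports only requires adjusting `LOG_RE` to the local field order; the three-stage grouping is what separates a host that merely loaded the compromised site from one that reached the exploit kit and then called back to the C2.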
