pseudoDarkleech Leads to Rig EK at 5.196.126.82 Which Delivers CryptMIC

IOCs:

  • 162.144.62.185 – tygerauto.com – Compromised Website
  • 5.196.126.167 – aufrufenderasamblea.cyclemanagementassociates.info – Rig EK
  • 91.121.74.154 – CryptMIC post-infection traffic via TCP port 443 (not encrypted)

Traffic:

[Image: traffic capture of the infection chain]

Hashes:

SHA256: b7911fe9343c681b9ed5cc34f9489d4b82d8dc2aaf1136c05ba44d9546707687
File name: RigEK Landing Page.html

SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f
File name: RigEK Flash Exploit.swf

SHA256: e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d
File name: rad68A3A.tmp.exe

Infection Chain:

Below is an image grab from the compromised website’s code:

[Image: script (injected code in the compromised website's source)]

You can clearly see a malicious iframe being injected into the source code. That iframe contains a URL pointing to the Rig EK server. After the GET request for the landing page we see an extension-less file (JavaScript) dropped in %TEMP%. This .js file is the downloader for the CryptMIC payload. Below is an example of that file, provided to me by a coworker (pseudonym “_elf”).

[Image: js-downloader (the JavaScript downloader dropped in %TEMP%)]

The file above deletes itself after the payload is downloaded. In this infection we saw a file called “rad68A3A.tmp.exe” being dropped into %TEMP%. Once it executes, the user’s files are encrypted and ransom notes (instructions for the user on decryption) are dropped in .html, .bmp, and .txt formats.
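The injected-iframe indicator described above is easy to check at scale. The following is an added example (my code, not the post's or any injector's own code): it parses a page's HTML and flags iframes that point off-site and are hidden by styling or sized 1x1. The sample page, the hidden-style patterns, and the path on the Rig EK hostname are assumptions constructed for the example; the hostname itself comes from the IOC list above.

```python
"""Flag injected iframes in a page: off-site target plus hidden or 1x1 sizing.

Added example (not the post's code). Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Styling that keeps an element out of view. Assumption: these patterns cover
# the common cases; real injections may hide elements in other ways.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "source"}


def _is_hidden(attrs):
    style = attrs.get("style") or ""
    return "hidden" in attrs or bool(HIDDEN_STYLE.search(style))


def _is_tiny(attrs):
    try:
        w = int(str(attrs.get("width", "100")).rstrip("px"))
        h = int(str(attrs.get("height", "100")).rstrip("px"))
    except ValueError:
        return False
    return w <= 1 or h <= 1


class IframeCollector(HTMLParser):
    """Record every iframe with its own attributes and whether an ancestor hides it."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._open = []  # (tag, hidden?) for currently open ancestors

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        ancestor_hidden = any(h for _, h in self._open)
        if tag == "iframe":
            self.iframes.append({
                "src": a.get("src") or "",
                "hidden": _is_hidden(a) or ancestor_hidden,
                "tiny": _is_tiny(a),
            })
        if tag not in VOID_TAGS:
            self._open.append((tag, _is_hidden(a)))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break


def scan_html(html, page_host):
    """Return iframes with any suspicious trait; 'likely_injection' needs off-site AND hidden/tiny."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for f in parser.iframes:
        host = (urlparse(f["src"]).hostname or "").lower()
        off_site = bool(host) and host != page_host.lower()
        reasons = []
        if off_site:
            reasons.append("off-site:" + host)
        if f["hidden"]:
            reasons.append("hidden")
        if f["tiny"]:
            reasons.append("tiny")
        if reasons:
            findings.append({
                "src": f["src"],
                "reasons": reasons,
                "likely_injection": off_site and (f["hidden"] or f["tiny"]),
            })
    return findings


# Constructed sample page: one local iframe, one visible third-party embed, and
# one hidden 1x1 iframe to the Rig EK hostname from the IOC list (path invented).
SAMPLE_HTML = """<html><head><title>Tyger Auto</title></head><body>
<h1>Inventory</h1>
<iframe src="/inventory/list.html" width="600" height="400"></iframe>
<iframe src="https://www.youtube.com/embed/EXAMPLE" width="560" height="315"></iframe>
<span style="display:none">
<iframe src="http://aufrufenderasamblea.cyclemanagementassociates.info/index.php?q=EXAMPLE" width="1" height="1"></iframe>
</span>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "tygerauto.com"):
        flag = "INJECTED?" if f["likely_injection"] else "review"
        print(f"{flag:9} {f['src']}  ({', '.join(f['reasons'])})")
```

A visible third-party embed (the YouTube iframe in the sample) is reported for review but not as an injection; only the combination of an off-site target with hidden or 1x1 presentation is scored as likely injected, which keeps the check usable on real sites that legitimately embed content.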

Here is the executable dropped in %TEMP%:

[Image: temp (rad68A3A.tmp.exe in %TEMP%)]

And here is an image of the Desktop post-compromise. Notice the background has been changed to the ransom note, which contains instructions for the user (payment sites circled in white):

[Image: desktop (ransom note set as wallpaper, payment sites circled in white)]

I recommend blocking the compromised website (at least until it is fixed) as well as the Rig EK IP and the CryptMIC callback IP.
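As an added example of acting on the IOC list (my code, not part of the original post), the following script matches connection records against the three IPs and two hostnames listed above, flags tcp/443 flows whose first bytes are not a TLS record (the CryptMIC callback is noted above as unencrypted), and emits iptables rules for the block recommendation. The record format, timestamps, payload bytes and the benign flows are constructed for the example; the IPs are taken from the IOC list, not the title.

```python
"""Match connection records against the post's IOCs, flag cleartext on tcp/443,
and emit block rules. Added example, not the post's code. Standard library only."""

# IOCs from the post's list.
IOC_IPS = {
    "162.144.62.185": "compromised site (tygerauto.com)",
    "5.196.126.167": "Rig EK",
    "91.121.74.154": "CryptMIC callback",
}
IOC_HOSTS = {
    "tygerauto.com": "compromised site",
    "aufrufenderasamblea.cyclemanagementassociates.info": "Rig EK",
}

# Constructed record format (not a real sensor's output):
#   <time> <src_ip> <dst_ip> <dst_port> <http_host_or_dash> <first_payload_bytes_hex_or_dash>
# The 443 payloads are invented: the first is arbitrary cleartext, the second a TLS record header.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 162.144.62.185 80 tygerauto.com 474554
12:00:02 10.0.0.5 5.196.126.167 80 aufrufenderasamblea.cyclemanagementassociates.info 474554
12:00:09 10.0.0.5 91.121.74.154 443 - 7b226964223a
12:00:10 10.0.0.5 93.184.216.34 443 - 160301
12:00:11 10.0.0.5 10.0.0.9 80 intranet.local 474554
"""


def looks_like_tls(first_bytes):
    """A TLS record starts with content type 0x16 (handshake) and major version 0x03."""
    return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04)


def check_record(rec):
    """Return the list of alerts raised by one parsed record (empty if clean)."""
    _ts, _src, dst, dport, host, first_hex = rec
    alerts = []
    if dst in IOC_IPS:
        alerts.append(f"dst {dst} is {IOC_IPS[dst]}")
    if host.lower() in IOC_HOSTS:
        alerts.append(f"host {host} is {IOC_HOSTS[host.lower()]}")
    if dport == "443" and first_hex != "-" and not looks_like_tls(bytes.fromhex(first_hex)):
        alerts.append("non-TLS payload on tcp/443")
    return alerts


def scan_log(text):
    """Return (dst_ip, alerts) for every record that matched something."""
    hits = []
    for line in text.splitlines():
        rec = line.split()
        if len(rec) != 6:
            continue  # blank or malformed line
        alerts = check_record(rec)
        if alerts:
            hits.append((rec[2], alerts))
    return hits


def block_rules(ips=None):
    """iptables rules dropping outbound traffic to the IOC IPs (host-firewall example)."""
    ips = IOC_IPS if ips is None else ips
    return [f"iptables -I OUTPUT -d {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for dst, alerts in scan_log(SAMPLE_LOG):
        print(dst, "->", "; ".join(alerts))
    print("\n".join(block_rules()))
```

The non-TLS check matters because an IP block alone ages out as soon as the callback host moves; cleartext on tcp/443 from a workstation is a behavioural indicator that survives that change, and the first three bytes of a flow are enough to test it.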

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
