- 22.214.171.124 – tygerauto.com – Compromised Website
- 126.96.36.199 – aufrufenderasamblea.cyclemanagementassociates.info – Rig EK
- 188.8.131.52 – CryptMIC post-infection traffic via TCP port 443 (not encrypted)
File name: RigEK Landing Page.html
File name: RigEK Flash Exploit.swf
File name: rad68A3A.tmp.exe
Below is an image grab from the compromised website’s code:
You can clearly see a malicious iframe being injected in the source code. That iframe contains a URL pointing to the Rig EK server. After the GET request for the landing page we see a extension-less .js file dropped in %TEMP%. This .js file is the downloader for the CryptMIC payload. Below is an example of that file, provided to me by a coworker (pseudonym “_elf”).
The file above deletes itself after the payload is downloaded. In this infection we saw a file called “rad68A3A.tmp.exe” being dropped into %TEMP%. Once executed, user’s file will be encrypted and then ransom notes (user instructions for decryption) will be dropped in .html, .bmp, and .txt formats.
Here is the executable dropped in %TEMP%:
And here is an image of the Desktop post-compromise. Notice the background is changed to the ransom note which contains instructions for the user (payment sites circled in white):
I recommending blocking the compromised website (at least until it is fixed) as well as the Rig EK IP and CryptMIC callback IP.