pseudoDarkleech Leads to Rig EK at 164.132.88.59 Which Drops CryptMIC Ransomware

IOCs:

  • 50.87.151.118 – fourcornersbc.com – Compromised Site
  • 164.132.88.59 – betonmaustanfordin.freshstyleapparel.com – Rig EK
  • 162.244.35.19 – CryptMIC post-infection traffic via TCP port 443

Traffic:

[Image: traffic capture showing the IOC hosts listed above]

Hashes:

SHA256: 38ff6f31844f6ce957c9b8fe3b42ac157e3f5b9e77ba86c83bd3165a5ffdac7f
File name: RigEK Landing Page.html

SHA256: dde4ec698a206614b0cce449493f72ae16be7867f0a9b76d40b192dd5ce003f5
File name: RigEK Flash Exploit.swf

SHA256: b4ed980b3bac17066661433f6f2ab58e370cf75f453baadd4322a3c53a9c28da
File name: rad57379.tmp.exe

Infection Chain:

The infection chain started with me browsing to the compromised website. The website's source code contains the malicious iframe associated with the pseudoDarkleech campaign. Below is an image of the script on the site:

[Image: pseudoDarkleech iframe script injected into the compromised site's source]

The URL in the iframe points to the Rig EK landing page. Here is the GET for the landing page:

[Image: GET request for the Rig EK landing page]

After the host is redirected to the Rig EK landing page, we see a GET for a Flash exploit:

[Image: GET request for the Rig EK Flash exploit]

The Flash exploit is followed by the payload:

[Image: payload download following the Flash exploit]

A 2KB extension-less .js file used as a downloader was dropped in %TEMP%. That file deleted itself, and then rad57379.tmp.exe was dropped in %TEMP% along with some other CryptMIC files. Below is an image of the Desktop and the %TEMP% folder post-infection:

[Image: Desktop and %TEMP% folder post-infection, showing the CryptMIC ransom notes]

You can see the ransom notes on the Desktop and in %TEMP%. I recommend blocking the Rig EK IP and the post-infection IP.
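The IOCs above are easy to turn into a quick triage check. The script below is an added example, not code from the post or from malwarebreakdown: it loads the three IPs, two hostnames and three SHA256 hashes listed in this post, matches them against proxy log lines (the log format and the sample lines, including timestamps, client IPs and request paths, are constructed placeholders), and collapses hits per client into a verdict that follows the chain described here (compromised site, Rig EK, then CryptMIC traffic to 162.244.35.19 over TCP/443). It also checks file hashes so a %TEMP% sweep can be compared against the listed samples.

```python
"""Triage helper for the IOCs in this post (added example; log format is constructed)."""
import hashlib
import re

# IOCs as listed in the post, tagged with the infection-chain stage each belongs to.
IOC_IPS = {
    "50.87.151.118": "compromised_site",
    "164.132.88.59": "rig_ek",
    "162.244.35.19": "post_infection",
}
IOC_HOSTS = {
    "fourcornersbc.com": "compromised_site",
    "betonmaustanfordin.freshstyleapparel.com": "rig_ek",
}
IOC_SHA256 = {
    "38ff6f31844f6ce957c9b8fe3b42ac157e3f5b9e77ba86c83bd3165a5ffdac7f": "RigEK Landing Page.html",
    "dde4ec698a206614b0cce449493f72ae16be7867f0a9b76d40b192dd5ce003f5": "RigEK Flash Exploit.swf",
    "b4ed980b3bac17066661433f6f2ab58e370cf75f453baadd4322a3c53a9c28da": "rad57379.tmp.exe",
}

# Constructed proxy-log format (hypothetical, not any vendor's):
#   <timestamp> <client_ip> <dst_ip>:<dst_port> <method> <host> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>[\d.]+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d+)$"
)


def match_log_line(line):
    """Return a hit record if the line touches an IOC IP or hostname, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    stages = set()
    if d["dst"] in IOC_IPS:
        stages.add(IOC_IPS[d["dst"]])
    if d["host"].lower() in IOC_HOSTS:
        stages.add(IOC_HOSTS[d["host"].lower()])
    if not stages:
        return None
    # The post says the CryptMIC traffic uses TCP/443; keep the port so an analyst
    # can confirm the hit matches that description.
    return {"ts": d["ts"], "client": d["client"], "dst": d["dst"],
            "port": int(d["port"]), "stages": stages}


def scan_log(lines):
    """Run match_log_line over an iterable of log lines and keep the hits."""
    return [hit for hit in (match_log_line(line) for line in lines) if hit]


def client_verdicts(hits):
    """Collapse hits per client into a verdict based on which chain stages were seen."""
    seen = {}
    for h in hits:
        seen.setdefault(h["client"], set()).update(h["stages"])
    verdicts = {}
    for client, stages in seen.items():
        if "post_infection" in stages:
            verdicts[client] = "likely infected"          # traffic to the CryptMIC IP
        elif "rig_ek" in stages:
            verdicts[client] = "reached Rig EK"           # landing page/exploit fetched
        else:
            verdicts[client] = "visited compromised site"  # iframe may not have fired
    return verdicts


def sha256_file(path):
    """SHA256 of a file on disk, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(digests):
    """Return {sha256: file name from the post} for digests matching a listed sample."""
    return {d.lower(): IOC_SHA256[d.lower()] for d in digests if d.lower() in IOC_SHA256}


# Constructed sample log lines: timestamps, client IPs and paths are placeholders.
SAMPLE_LOG = [
    "2016-01-01T00:00:01Z 10.0.0.25 50.87.151.118:80 GET fourcornersbc.com / 200",
    "2016-01-01T00:00:03Z 10.0.0.25 164.132.88.59:80 GET betonmaustanfordin.freshstyleapparel.com /?placeholder=landing 200",
    "2016-01-01T00:00:05Z 10.0.0.25 164.132.88.59:80 GET betonmaustanfordin.freshstyleapparel.com /?placeholder=flash 200",
    "2016-01-01T00:00:40Z 10.0.0.25 162.244.35.19:443 CONNECT 162.244.35.19 - 200",
    "2016-01-01T00:01:00Z 10.0.0.31 203.0.113.10:443 CONNECT example.com - 200",
    "2016-01-01T00:02:00Z 10.0.0.40 50.87.151.118:80 GET fourcornersbc.com /about 200",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(client_verdicts(found))
```

Run it as-is to see the sample verdicts, or feed `scan_log` real proxy lines after adjusting `LOG_RE` to your log format; `sha256_file` plus `match_hashes` covers the %TEMP% sweep. A "reached Rig EK" verdict without post-infection traffic is still worth a look at the host, since the payload may have run before any outbound connection was logged.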

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
