pseudoDarkleech Leads to Rig EK at 164.132.88.58 And Drops CryptMIC

IOCs:

  • 50.22.5.55 – gendisasters.com – Compromised Website
  • 164.132.88.58 – consulavissem-descorderar.navyamateurradioclub.org – Rig EK
  • 162.244.35.19 – CryptMIC post-infection traffic via TCP port 443 (not encrypted)

Traffic:

[Image: packet capture of the infection traffic]

Hashes:

SHA256: eff15c0ede4f784532fd933843a2bf4dda86c92dbed785b979af50b7c808e34e
File name: RigEK Landing Page.html

SHA256: 744744db513250c8ddeef12d4998d339beac5cabc02a1d10f304e105462d4008
File name: RigEK Flash Exploit.swf

SHA256: d9553d2651fd05d98dbb551ed32f5875b73010b0387a487e3410ca75486c5d79
File name: radF7DD3.tmp.exe

Infection Chain:

The user browses to the compromised website. Once the page loads, the host makes a GET request to the Rig EK landing page because of the pseudoDarkleech script injected into the page. Below is an image taken from the website’s source code:

[Image: pseudoDarkleech injected script in the compromised website’s page source]

Here is the GET request for the Rig EK landing page, as well as the GET requests for the Flash exploit and payload (in that order):

[Images: GET requests for the Rig EK landing page, the Flash exploit, and the payload]

As always, an extension-less file is dropped in %TEMP% that acts as a downloader. That file deletes itself, and then an executable is dropped in %TEMP%. Below is an image of the executable, the other CryptMIC files, and the Desktop (with ransom notes):

[Image: dropped executable, CryptMIC files, and the Desktop with ransom notes]

I recommend blocking the compromised website (until it is cleaned), the Rig EK IP, and the CryptMIC C2 IP.
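As an added example (not part of the original post), here is a small Python scan that runs the indicators listed above over constructed log lines in an assumed `<epoch> <client> <dest_ip>:<port> <host> <path>` format, and flags a client only when it touched all three stages in the order the infection chain describes:

```python
import re
# Indicators from the post above, keyed by the stage each one marks.
IOCS = {
    "50.22.5.55": "compromised-site",
    "gendisasters.com": "compromised-site",
    "164.132.88.58": "rig-ek",
    "consulavissem-descorderar.navyamateurradioclub.org": "rig-ek",
    "162.244.35.19": "cryptmic-c2",
}
# Stage order the post describes; all three in sequence means the payload ran.
CHAIN = ("compromised-site", "rig-ek", "cryptmic-c2")

# Constructed sample lines in an assumed log format:
#   <epoch> <client> <dest_ip>:<port> <host> <path>   (host "-" when unknown)
SAMPLE_LOG = """\
1475000000 10.0.0.12 50.22.5.55:80 gendisasters.com /index.html
1475000002 10.0.0.12 164.132.88.58:80 consulavissem-descorderar.navyamateurradioclub.org /landing
1475000009 10.0.0.12 162.244.35.19:443 - /
1475000010 10.0.0.33 50.22.5.55:80 gendisasters.com /index.html
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\S+) (\S+)$")

def stage_for(dest_ip, host):
    """Stage an indicator matches, or None; hostnames also match subdomains."""
    for ioc, stage in IOCS.items():
        if dest_ip == ioc or host == ioc or host.endswith("." + ioc):
            return stage
    return None

def scan(log):
    """Map each client to its (timestamp, stage) hits, in log order."""
    hits = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, client, dest_ip, _port, host, _path = m.groups()
        stage = stage_for(dest_ip, host)
        if stage:
            hits.setdefault(client, []).append((int(ts), stage))
    return hits

def completed_chain(hits):
    """True when the stages occur in CHAIN order (repeats and gaps allowed)."""
    want = 0
    for _ts, stage in sorted(hits):
        if want < len(CHAIN) and stage == CHAIN[want]:
            want += 1
    return want == len(CHAIN)
```

A client that only reached the compromised site (10.0.0.33 in the sample) is reported as a hit but not as a completed chain, which separates visitors worth a look from hosts that need a ransomware response.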
