Rig Exploit Kit Switches From CryptMIC to Cerber

IOCs:

  • 50.63.43.8 – thekingstreetgrille.com – Compromised site
  • 194.87.146.233 – rew.usaviatorfinancing.com – Rig EK
  • 31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via dst. port 6892
  • 45.59.114.125 and 173.254.231.11 – Cerber Decryptor payment site(s):
    • ffoqr3ug7m726zou.5ggovj.bid
    • ffoqr3ug7m726zou.1nkkem.top
    • ffoqr3ug7m726zou.d4u711.bid
    • ffoqr3ug7m726zou.y7603i.bid
    • ffoqr3ug7m726zou.onion
  • 148.251.6.214 – btc.blockr.io – Bitcoin blockchain explorer

Traffic:

[Images: iocs-1, iocs-2 (traffic captures)]

Hashes:

SHA256: bd0fd45d9424075870b108526f18db71ce7f7e5e741336c056c08c13ba40693a
File name: RigEK Landing Page.html

SHA256: cabb797012864750b80b2942ebfcfdedcb3ef6b4a510b4d28c9389a69f4d010a
File name: RigEK Flash Exploit.swf

SHA256: ecf0e7c5186591046df13e787985f8df6fd32d6d0e8d695ebaca09965b85029c
File name: IIj6sFosp

SHA256: 127a86c2e9cad0331ecc2df643d976742e32509fab634035812a236121e2e2cb
File name: rad9869F.tmp.exe

SHA256: 286069d12c8f12a00aef558d02426dfdbe3a6337b05dea53b70a3d3cfcf49ff9
File name: CDRom.dll

Infection Chain:

Starting around late September 2016, Rig EK began to switch its payload from CryptMIC ransomware to Cerber ransomware. While the payload has changed, it is still using the same attack vector and downloader.

Today’s infection began when I visited the compromised site thekingstreetgrille.com. The site never successfully loaded in my browser, which is normal. However, the string “bavtypw” was displayed. Here is a picture of what I am describing:

[Image: webpage]

Looking at the website’s source code, we can see the traditional pseudoDarkleech campaign script as well as the string “bavtypw” outside of the </span> tag. Below is an image:

[Image: compromised-site]

I’m not really sure why strings like this are being added to the injection but I thought it was worth pointing out.

The next step of the infection chain is the iframe, which causes the host to make a GET request for the Rig EK landing page. Once the host is redirected to the landing page, the system is fingerprinted and sent a Flash exploit. Here is the GET for the landing page and the Flash exploit:

[Images: rigek-lp, rigek-flash-exploit]

After the Flash exploit, an extension-less JS downloader is dropped into the user’s %TEMP% folder. That file was called “IIj6sFosp” and here is the code:

[Image: js-downloader]

This file deletes itself after it initiates the GET request for the payload. This appears to be the same script that was dropping CryptMIC. Here is the GET request for the payload:

[Image: rigek-payload]

The payload (rad9869F.tmp.exe) is then dropped in the user’s %TEMP% folder. After that, we see some additional files created in %TEMP% (tmp713a.bmp and README.hta) as well as two folders called “nsu31.tmp” and “551ef835”. Contained within “nsu31.tmp” is a “System.dll”. Contained within “551ef835” are “41a6.tmp” and “e28f.tmp”. Here are some pictures of the files and folders:

The README.hta is dropped on the Desktop and in %TEMP%. The JS downloader and payload are deleted from the user’s %TEMP% folder. I have placed them on the Desktop simply for convenience.

There was also the launcher (CDRom.dll) and some other files created in the user’s Roaming folder:

[Image: roaming]

Here is an image of an encrypted file in the Downloads folder being appended with a random 4-character extension (.ab8b):

[Image: downloads-folder]

The Desktop background is also changed to display the ransom note. Then an audible message is played to the user telling them that their files have been encrypted. The README.hta contains all the instructions for the Cerber Decryptor and payment sites.
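The host artifacts described above (README.hta on the Desktop and in %TEMP%, CDRom.dll in Roaming, System.dll inside nsu31.tmp, the rad9869F.tmp.exe payload, and user files renamed with a 4-character extension like .ab8b) are easy to sweep for on other machines. The following Python script is an added example of mine, not tooling from the post: it triages a file listing for those artifacts. The sample paths and the user name “victim” are constructed; generalising the single names on the page to patterns (nsu*.tmp, rad*.tmp.exe) is my assumption; and the 4-character-extension check is a heuristic that needs an allowlist of real extensions or it fires on ordinary documents.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed file listing shaped like the artifacts the post describes.
# The user name "victim" and the Downloads files are sample values.
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Local\Temp\rad9869F.tmp.exe",
    r"C:\Users\victim\AppData\Local\Temp\README.hta",
    r"C:\Users\victim\AppData\Local\Temp\tmp713a.bmp",
    r"C:\Users\victim\AppData\Local\Temp\nsu31.tmp\System.dll",
    r"C:\Users\victim\AppData\Local\Temp\551ef835\41a6.tmp",
    r"C:\Users\victim\AppData\Roaming\CDRom.dll",
    r"C:\Users\victim\Desktop\README.hta",
    r"C:\Users\victim\Downloads\report.docx",
    r"C:\Users\victim\Downloads\report.ab8b",
]

# Patterns generalised (assumption) from the single names on the page.
NSU_DIR_RE = re.compile(r"nsu[0-9a-f]+\.tmp")
RAD_PAYLOAD_RE = re.compile(r"rad[0-9a-f]+\.tmp\.exe")
# Heuristic for the random 4-character extension; real 4-letter
# extensions must be allow-listed or this flags normal documents.
FOUR_CHAR_EXT_RE = re.compile(r"^[0-9a-z]{4}$")
KNOWN_EXTS = {"docx", "xlsx", "pptx", "json", "html", "jpeg", "webp",
              "tiff", "java", "yaml", "toml", "mpeg", "flac", "heic"}


def triage_path(path: str) -> List[str]:
    """Return the findings for one path (an empty list means nothing noted)."""
    p = PureWindowsPath(path)
    parts = [x.lower() for x in p.parts]
    name = p.name.lower()
    # %TEMP% resolves to ...\AppData\Local\Temp on a default profile.
    in_temp = "local" in parts and "temp" in parts
    findings: List[str] = []

    if name == "readme.hta" and (in_temp or "desktop" in parts):
        findings.append("Cerber ransom note README.hta")
    if name == "cdrom.dll" and "roaming" in parts:
        findings.append("Cerber launcher CDRom.dll in Roaming")
    if name == "system.dll" and in_temp and any(NSU_DIR_RE.fullmatch(x) for x in parts):
        findings.append("System.dll inside nsu*.tmp under %TEMP%")
    if in_temp and RAD_PAYLOAD_RE.fullmatch(name):
        findings.append("rad*.tmp.exe payload in %TEMP%")

    # Encrypted-file heuristic, applied only outside the malware's own
    # staging folders so temp files do not drown the signal.
    ext = p.suffix.lstrip(".").lower()
    if (FOUR_CHAR_EXT_RE.match(ext) and ext not in KNOWN_EXTS
            and not in_temp and "roaming" not in parts):
        findings.append(f"possible encrypted file (extension .{ext})")
    return findings


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its findings; clean paths are omitted."""
    return {path: f for path in paths if (f := triage_path(path))}


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_PATHS).items():
        print(path)
        for finding in findings:
            print("   -", finding)
```

Feed it the output of a recursive directory listing of the user profile; a single hit on the ransom note or CDRom.dll is strong, while the extension heuristic on its own only says “look closer”.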

If you’re interested in seeing exactly what the README.hta contains you can look at the pictures in this post HERE.

I recommend blocking the Rig EK IP at your perimeter firewall. I would also suggest blocking the compromised website (until it is cleaned).
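Beyond a firewall rule, the same indicators can be run over existing proxy or connection logs to find hosts that already touched this chain. The following Python script is an added example of mine, not something from the post: it loads the IOC list above (the IPs, the compromised-site and Rig EK hostnames, the shared ffoqr3ug7m726zou label of the payment sites, UDP port 6892 into the two 31.184.x.0/24 ranges, and the five SHA256s) and matches them against a connection log. The log format “<ts> <src> <dst>:<dport> <proto> [host=<name>]” and the sample lines are constructed; btc.blockr.io is a public blockchain explorer, so the script reports it as context rather than as a block indicator.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators copied from the post's IOC list.
IOC_IPS = {
    "50.63.43.8": "compromised site (thekingstreetgrille.com)",
    "194.87.146.233": "Rig EK (rew.usaviatorfinancing.com)",
    "45.59.114.125": "Cerber Decryptor payment site",
    "173.254.231.11": "Cerber Decryptor payment site",
}
IOC_HOSTS = {
    "thekingstreetgrille.com": "compromised site",
    "rew.usaviatorfinancing.com": "Rig EK",
}
# Every payment-site hostname in the post shares this first label, so
# matching on it covers the .bid/.top/.onion variants listed.
CERBER_PAYMENT_LABEL = "ffoqr3ug7m726zou"
# Post-infection UDP traffic: destination port 6892 into these two /24s.
CERBER_UDP_NETS = [ipaddress.ip_network("31.184.234.0/24"),
                   ipaddress.ip_network("31.184.235.0/24")]
CERBER_UDP_PORT = 6892
# btc.blockr.io is a public blockchain explorer: context, not a block rule.
CONTEXT_IPS = {"148.251.6.214": "btc.blockr.io (public service, low confidence)"}

IOC_SHA256 = {
    "bd0fd45d9424075870b108526f18db71ce7f7e5e741336c056c08c13ba40693a": "RigEK Landing Page.html",
    "cabb797012864750b80b2942ebfcfdedcb3ef6b4a510b4d28c9389a69f4d010a": "RigEK Flash Exploit.swf",
    "ecf0e7c5186591046df13e787985f8df6fd32d6d0e8d695ebaca09965b85029c": "IIj6sFosp",
    "127a86c2e9cad0331ecc2df643d976742e32509fab634035812a236121e2e2cb": "rad9869F.tmp.exe",
    "286069d12c8f12a00aef558d02426dfdbe3a6337b05dea53b70a3d3cfcf49ff9": "CDRom.dll",
}

# Constructed log format: "<ts> <src> <dst>:<dport> <proto> [host=<name>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+):(?P<dport>\d+) (?P<proto>tcp|udp)"
    r"(?: host=(?P<host>\S+))?$")

# Constructed sample log: one infected client, plus benign and near-miss lines.
SAMPLE_LOG = """\
2016-10-03T14:01:02Z 10.0.0.5 50.63.43.8:80 tcp host=thekingstreetgrille.com
2016-10-03T14:01:05Z 10.0.0.5 194.87.146.233:80 tcp host=rew.usaviatorfinancing.com
2016-10-03T14:02:10Z 10.0.0.5 31.184.234.77:6892 udp
2016-10-03T14:02:11Z 10.0.0.5 31.184.235.13:6892 udp
2016-10-03T14:03:00Z 10.0.0.5 45.59.114.125:80 tcp host=ffoqr3ug7m726zou.5ggovj.bid
2016-10-03T14:03:30Z 10.0.0.5 148.251.6.214:443 tcp host=btc.blockr.io
2016-10-03T14:04:00Z 10.0.0.5 93.184.216.34:443 tcp host=example.com
2016-10-03T14:04:10Z 10.0.0.5 31.184.200.1:6892 udp
"""


def check_line(line: str) -> List[str]:
    """Return the indicator matches for one log line (empty if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    dst, dport, proto, host = m["dst"], int(m["dport"]), m["proto"], m["host"]
    hits: List[str] = []
    if dst in IOC_IPS:
        hits.append(f"ip {dst}: {IOC_IPS[dst]}")
    if host:
        host = host.lower().rstrip(".")
        if host in IOC_HOSTS:
            hits.append(f"host {host}: {IOC_HOSTS[host]}")
        if CERBER_PAYMENT_LABEL in host.split("."):
            hits.append(f"host {host}: Cerber payment site")
    # Port alone is weak; require both the port and one of the two ranges.
    if proto == "udp" and dport == CERBER_UDP_PORT:
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            addr = None
        if addr and any(addr in net for net in CERBER_UDP_NETS):
            hits.append(f"udp/{dport} to {dst}: Cerber post-infection traffic")
    if dst in CONTEXT_IPS:
        hits.append(f"context {dst}: {CONTEXT_IPS[dst]}")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line number, hits) for every line that matched at least one indicator."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = check_line(line)
        if hits:
            out.append((n, hits))
    return out


def check_hash(sha256: str) -> Optional[str]:
    """Sample name from the post if the SHA256 is listed, else None."""
    return IOC_SHA256.get(sha256.strip().lower())


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: " + "; ".join(hits))
```

The UDP check deliberately requires both port 6892 and a destination inside one of the two /24s, since either on its own is too common to act on; a client that shows the landing-page IP followed by that UDP traffic has most likely completed the chain and should be isolated rather than just blocked.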
