- 220.127.116.11 – thekingstreetgrille.com – Compromised site
- 18.104.22.168 – rew.usaviatorfinancing.com – Rig EK
- 22.214.171.124/24 and 126.96.36.199/24 – UDP traffic via dst. port 6892
- 188.8.131.52 and 184.108.40.206 – Cerber Decryptor payment site(s):
- 220.127.116.11 – btc.blockr.io – Bitcoin blockchain explorer
File name: RigEK Landing Page.html
File name: RigEK Flash Exploit.swf
File name: IIj6sFosp
File name: rad9869F.tmp.exe
File name: CDRom.dll
Starting around late September 2016 Rig EK began to switch its payload from CryptMIC ransomware to Cerber ransomware. While the payload has changed it is still using the same attack vector and downloader.
Today’s infection began when I visited the compromised site thekingstreetgrille.com. The site never successfully loaded in my browser, which is normal. However, the string “bavtypw” was displayed. Here is a picture of what I am describing:
Looking at the website’s source code we can see the traditional pseudoDarkleech campaign script as well as the string “bavtypw” outside of the </span> tag. Below is an image:
I’m not really sure why strings like this are being added to the injection but I thought it was worth pointing out.
The next step of the infection chain is the iframe causing the host to make a GET request for the Rig EK landing page. Once the host is redirected to the landing page the system is fingerprinted and sent a Flash exploit. Here is the GET for the landing page and the Flash exploit:
After the Flash exploit there is an extension-less JS downloader dropped into the user’s %TEMP% folder. That file was called “IIj6sFosp” and here is the code:
This file self deletes itself after it initiates the GET request for the payload. This appears to the same script that was dropping CryptMIC. Here is the GET request for the payload:
The payload (rad9869F.tmp.exe) is then dropped in the user’s %TEMP% folder. After that we see some additional files created in %TEMP% (tmp713a.bmp and README.hta) as well as two folders called “nsu31.tmp” and “551ef835”. Contained within “nsu31.tmp” is a “System.dll”. Contained within “551ef835” is “41a6.tmp” and “e28f.tmp”. Here are some pictures of the files and folders:
The README.hta is dropped on the Desktop and in %TEMP%. The JS downloader and payload are deleted from the user’s %TEMP% folder. I have placed them on the Desktop simply for convenience.
There was also the launcher (CDRom.dll) and some other files created in the user’s Roaming folder:
Here is an image of an encrypted file in the Downloads folder being appended with a random 4 character extension (.ab8b):
The Desktop is also changed to display the ransom note. Then, an audible message is played to the user telling them that their files have been encrypted. The README.hta contains all the instructions for the Cerber Decryptor and payment sites.
If you’re interested in seeing exactly what the README.hta contains you can look at the pictures in this post HERE.
I recommend blocking the Rig EK IP at your perimeter firewall. I would also suggest that the compromised website be blocked (until it is cleaned).