EITest Leads to Rig EK at 195.133.201.68 and Drops CryptFile2 Ransomware

IOCs:

  • 69.80.203.8 – criticall911.com – Compromised site
  • 195.133.201.68 – add.lovegivedo.com – Rig EK
  • 37.59.39.53 – GET /index.jpg and POST /brows/setup.php – CryptFile2 post-infection traffic

Traffic:

traffic

Hashes:

  1. SHA256: 0a6260e81a8eb7c2221da7431f0468f703fe047478de315d8023f8fe1be8ddb2
    File name: RigEK Landing Page.html
  2. SHA256: 4f3632001131f30bd7d01c4c0c195abb947b5556c34479e5f5a8bde2326dda48
    File name: RigEK Flash Exploit.swf
  3. SHA256: efdf104d92509f8f1084125b1f6235fca2c6ae8863e7c5d08c556ee91a446b1c
    File name(s): 77B6.tmp and ChromeFlashPlayer_[id].exe

Infection Chain:

The infection chain begins when the user visits the compromised website. For this incident I visited criticall911.com which had been injected with the EITest script. Here is an image of the GET request for the compromised site and the response showing the EITest script:

compromised-site-1compromised-site-response

You can see that the script contains some unicode. Removing the percent signs and decoding the unicode returns the following Rig EK landing page URL:

hxxp://add.LOVEGIVEDO.COM/?x3qJc7iUJRrOCoI=[truncated]

This script generates the iframe that redirects the host to the Rig EK landing page. As I stated in my last EITest write-up this particular campaign is no longer using a Flash redirection mechanism or gate. Instead it is redirecting the user’s directly to the landing pages.

As you can see from the traffic (image above) the host made a GET request for the landing page and was then sent the Flash exploit and CryptFile2 payload.

The CryptFile2 ransomware payload was dropped in %TEMP% via a .tmp file called “77B6.tmp” which was 74 KB in size. There was also the same file created in Roaming however this time it was an executable called “ChromeFlashPlayer_[personal ID]”:

tmp-and-exe

 

Ransom notes for CryptFile2 are “HELP_DECRYPT_YOUR_FILES” and they come as a .txt document. Also, encrypted files are appended with .scl as the extension. Files are also renamed to include some additional information, including your personal ID and the criminals email address. An example of the ransom note and encrypted files is shown below:

cryptfile2

There were also some registry keys created:

run-registry-cryptfile2run-once-registry-cryptfile2

I recommend blocking the Rig EK and CryptFile2 callback IP and your perimeter firewall(s).

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: