IOCs:
- 138.128.171.35 – northcoastmed.com – Compromised website
- 178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain
- 92.53.120.233 – red.telco.news – RIG-v EK
- 200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky
- 188.127.239.53 – Locky post-infection traffic – POST /checkupdate
Infection Chain:
The infection chain started with browsing to the compromised website. The website contained a script that caused the host to request a .js file hosted at an Afraidgate subdomain. Below is an image of the script found in the compromised website:
Here is the script contained within that .js file, which is returned to the host:
The subdomain, dropname.syncroweb[.]com, resolves to 178.62.242.179. Using PassiveTotal to check the resolution history, I can see multiple Afraidgate domains being used in recent weeks:
Whois information shows the Afraid.org name servers:
The host is then redirected to the URL contained within the iframe. In this particular case that URL is the RIG-v “pre-landing” page, which checks whether the User-Agent is IE. The host is then redirected to the landing page. My host was then sent a Flash exploit, followed by a .tmp.exe file (Godzilla loader) in %Temp%. Below is the GET request:
The file is deleted from %Temp% but remains in Program Files (x86) under the name AuDg0KHsWoZnSaz.exe:
Godzilla loader initiates a GET request for a file hosted at lingvitopr[.]com using the User-Agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)”, which is Internet Explorer 8.0.
Not sure it matters, but lingvitopr[.]com was first seen on 12/23/16 resolving to 213.163.64.53. The first time it resolved to 200.7.102.105 was on 12/30/16.
We also see it drop a .lnk shortcut in the Startup folder:
Below is the GET request to the web server. Notice the User-Agent in the request header:
Locky is dropped in %Temp%:
We then see the Locky CnC check-in traffic to 188.127.239.53 (POST /checkupdate).
The first thing the user will notice is that their desktop background is changed to a picture of the ransom note. The ransom note also pops up on the user's desktop as a .bmp image and an .htm file. This is the Osiris variant of Locky, which appends .osiris to encrypted files.
Block the offending IPs at your perimeter firewall(s).
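As an added example that is not part of the original write-up, the script below reconstructs this infection chain per client from web proxy logs using the IOCs listed above, so that a defender can tell which hosts only touched the Afraidgate redirect and which went all the way to the Locky check-in. The log line format, the client IPs and all sample lines are constructed; only the indicators and the Godzilla loader User-Agent come from the page.

```python
import re
from collections import defaultdict

# Stage indicators come from the page's IOC list in chain order; "ua_contains" is a substring
# test on the User-Agent, every other key is an exact match against the parsed log field.
STAGES = [
    ("compromised site",    {"host": "northcoastmed.com"}),
    ("Afraidgate redirect", {"host": "dropname.syncroweb.com"}),
    ("RIG-v EK",            {"host": "red.telco.news"}),
    ("Godzilla loader GET", {"host": "lingvitopr.com", "method": "GET",
                             "ua_contains": "MSIE 7.0; Windows NT 6.1; Trident/4.0"}),
    ("Locky check-in",      {"dst_ip": "188.127.239.53", "method": "POST", "path": "/checkupdate"}),
]
# Constructed proxy-log line format (an assumption, not any real product's): client method host path dst_ip "ua"
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<dst_ip>\S+) "(?P<ua>[^"]*)"$')

def match_stage(rec):
    """Name of the first stage whose criteria the parsed record satisfies, else None."""
    for name, crit in STAGES:
        exact = all(rec.get(k) == v for k, v in crit.items() if k != "ua_contains")
        if exact and crit.get("ua_contains", "") in rec["ua"]:
            return name
    return None

def reconstruct_chains(lines):
    """Map client IP -> stage names in the order each was first seen; clients with no hits are omitted."""
    chains = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        stage = match_stage(m.groupdict()) if m else None
        if stage and stage not in chains[m["client"]]:
            chains[m["client"]].append(stage)
    return dict(chains)

def full_chain_hosts(chains):
    """Clients that hit every stage in order: the strongest evidence of a completed Locky infection."""
    return sorted(c for c, seen in chains.items() if seen == [name for name, _ in STAGES])

# Constructed sample log: 10.0.0.5 completes the chain, 10.0.0.9 stops after the Afraidgate redirect.
# Paths other than /checkupdate and the IE 11 UA are invented; the loader UA is the one from the page.
IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
GODZILLA_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; "
               ".NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)")
SAMPLE_LOG = [
    f'10.0.0.5 GET northcoastmed.com / 138.128.171.35 "{IE_UA}"',
    f'10.0.0.5 GET dropname.syncroweb.com /redirect.js 178.62.242.179 "{IE_UA}"',
    f'10.0.0.5 GET red.telco.news /landing 92.53.120.233 "{IE_UA}"',
    f'10.0.0.5 GET lingvitopr.com /payload.exe 200.7.102.105 "{GODZILLA_UA}"',
    f'10.0.0.5 POST 188.127.239.53 /checkupdate 188.127.239.53 "{IE_UA}"',
    f'10.0.0.9 GET northcoastmed.com / 138.128.171.35 "{IE_UA}"',
    f'10.0.0.9 GET dropname.syncroweb.com /redirect.js 178.62.242.179 "{IE_UA}"',
]
```

Running `reconstruct_chains(SAMPLE_LOG)` reports 10.0.0.5 at all five stages and 10.0.0.9 at only the first two, so the partial-chain host is a candidate for a blocked exploit attempt rather than a confirmed infection.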