Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris)

IOCs:

  • 138.128.171.35 – northcoastmed.com – Compromised website
  • 178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain
  • 92.53.120.233 – red.telco.news – RIG-v EK
  • 200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky
  • 188.127.239.53 – Locky post-infection traffic – POST /checkupdate

Traffic:

[Image: traffic capture]

Hashes:

SHA256: 443b3bb140553acc8c861ddc2a0275936a5a26489030b424703775d2f3242ae8
File name: northcoastmed.com.html

SHA256: cebd2b86b7830c3b11414581de5068d6d152873731a4a1f3fa7270d21a7a3fb2
File name: dropname.syncroweb.com Afraidgate.js

SHA256: eb8fb3f87093c0a9e24047cee0f472373d3d78212ced708d235825b31a70df4b
File name: RIG-v Pre-Landing Page.html

SHA256: fe7d38e39a31f76196636172e67fa7940a631a0a7b63101d18abff8ac37812bf
File name: RIG-v Landing Page.html

SHA256: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335
File name: RIG-v Flash Exploit.swf

SHA256: 068c8dc52f3f1af900ba2180d1169f5c1d832fa1cbe7aa3c8c1e6fb2a09c3d44
File name: AuDg0KHsWoZnSaz.exe (RIG-v EK payload, Godzilla loader)
Hybrid-Analysis Report

SHA256: 6c46f24554cf755a8fc815f4c41590a3ba3271ce3655a47a5689a5b0c1d64254
File name: HPbbw15LQhlVnOOYCjJfDkLY2.exe (Locky)
Hybrid-Analysis Report

Infection Chain:

The infection chain started with browsing to the compromised website. The website contained a script that caused the host to make a request for a .js file hosted at an Afraidgate subdomain. Below is an image of the script found in the compromised website:

[Image: redirect-to-afraidgate script]

Here is the script contained within that .js file, which is returned to the host:

[Image: dropname.syncroweb.com .js script]

The subdomain, dropname.syncroweb[.]com, is resolving to 178.62.242.179. Using PassiveTotal to check the resolution history I can see multiple Afraidgate domains being used in recent weeks:

[Image: 178.62.242.179 Afraidgate subdomain resolution history]

Whois information shows the Afraid.org name servers:

[Image: whois record]

The host is then redirected to the URL contained within the iframe. In this particular case that URL is the RIG-v “pre-landing” page, which checks whether the User-Agent is IE. The host is then redirected to the landing page. My host was then sent a Flash exploit, followed by a .tmp.exe file (Godzilla loader) in %Temp%. Below is the GET request:

[Image: RIG-v payload GET request]

The file is deleted from %Temp% but remains in Program Files (x86) under the name AuDg0KHsWoZnSaz.exe:

[Image: downloader in Program Files (x86)]

Godzilla loader initiates a GET request for a file being hosted at lingvitopr[.]com using the User-Agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E),” which is Internet Explorer 8.0.

It may not matter, but lingvitopr[.]com was first seen on 12/23/16 resolving to 213.163.64.53. The first time it resolved to 200.7.102.105 was on 12/30/16.

We also see it drop a .lnk shortcut in the Startup folder.

Below is the GET request to the web server. Notice the User-Agent in the request header:

[Image: GET request for Locky]

Locky is dropped in %Temp%:

[Image: Locky in %Temp%]

We then see the Locky CnC checkin traffic to 188.127.239.53 (/checkupdate).

The first thing the user will notice is that their Desktop background is changed to a picture of the ransom note. The ransom note also pops up on the user's Desktop as a .bmp image and an .htm file. This is the Osiris variant of Locky, which appends .osiris to encrypted files.

Block the offending IPs at your perimeter firewall(s).
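As an added example (not part of the original post), here is a small Python detector that runs over constructed proxy-log lines and flags clients whose traffic walks the chain described above, using only the hosts, the Godzilla loader User-Agent and the /checkupdate C2 path listed in this post; the log line format, client IPs and request paths are assumptions.

```python
import re
# Indicator hosts/IPs as listed in this post's IOC section, keyed by chain stage.
STAGE_HOSTS = {
    "afraidgate": {"dropname.syncroweb.com", "178.62.242.179"},
    "rig-v": {"red.telco.news", "92.53.120.233"},
    "godzilla-loader": {"lingvitopr.com", "200.7.102.105"},
    "locky-c2": {"188.127.239.53"},
}
# User-Agent the post attributes to the Godzilla loader's GET for Locky (IE8 fingerprint).
GODZILLA_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
               ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
               "Media Center PC 6.0; .NET4.0C; .NET4.0E)")
# Hypothetical proxy-log line format: <time> <client> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) (\S+) "(.*)"$')

def classify(line):
    """Return (stage, client) for a log line that matches a chain indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _, client, method, host, path, ua = m.groups()
    for stage, hosts in STAGE_HOSTS.items():
        if host not in hosts:
            continue
        # Tie the loader and C2 stages to the exact behaviour the post describes.
        if stage == "godzilla-loader" and ua != GODZILLA_UA:
            return None
        if stage == "locky-c2" and (method, path) != ("POST", "/checkupdate"):
            return None
        return (stage, client)
    return None

def find_infected_hosts(lines):
    """Group matched stages per client; report clients that reached the loader or C2 stage."""
    stages = {}
    for line in lines:
        hit = classify(line)
        if hit:
            stage, client = hit
            seen = stages.setdefault(client, [])
            if stage not in seen:
                seen.append(stage)
    return {c: s for c, s in stages.items() if "godzilla-loader" in s or "locky-c2" in s}

# Constructed sample log (not from the post); client IPs and paths are made up.
SAMPLE_LOG = [
    '2017-01-02T10:00:01 10.0.0.5 GET northcoastmed.com / "Mozilla/5.0"',
    '2017-01-02T10:00:02 10.0.0.5 GET dropname.syncroweb.com /gate.js "Mozilla/5.0"',
    '2017-01-02T10:00:03 10.0.0.5 GET red.telco.news /?q=prelanding "Mozilla/5.0"',
    '2017-01-02T10:00:09 10.0.0.5 GET lingvitopr.com /payload.bin "' + GODZILLA_UA + '"',
    '2017-01-02T10:00:15 10.0.0.5 POST 188.127.239.53 /checkupdate "Mozilla/5.0"',
    '2017-01-02T10:01:00 10.0.0.7 GET lingvitopr.com /payload.bin "Mozilla/5.0"',
]
```

The second client only touches lingvitopr.com with a normal browser User-Agent, so it is not reported; the per-client stage list gives an analyst the order in which the chain was observed.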
