IOCs:
- 93.158.215.169 – fredomasearchdsd.top – RIG-v EK
- 186.2.163.47 – spora.biz – Spora ransomware domain
Traffic:
Hashes:
SHA256: ae7073760a86f38b29d6399a91dda6507237b420c5f4d386de3b5c1c3cf111f5
File name: Landing Page.html
SHA256: 840ce47e94db6dae302dddbfe33f9548a47541a0917def5e2e5644fc2965ba52
File name: Flash Exploit.swf
SHA256: 175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911
File name: radF0D46.tmp.exe
Hybrid-Analysis Report
Infection Chain:
I found a website with an iframe containing a URL for a RIG-v EK landing page:
The injected iframe doesn't look like EITest or pseudo-Darkleech. Anyway, as stated above, the URL is for a RIG-v landing page and not the "pre-landing" page we've been seeing lately. I'm not sure why the "pre-landing" page wasn't used this time. It could be a one-off or maybe they're changing tactics again.
Next we see the request for the landing page, followed by the Flash exploit:
Following the Flash exploit we see two requests for the same payload:
The malware payload is dropped in %Temp%:
A copy is then written to the root of the system drive (C:\):
Scanning the file identifies it as Spora ransomware. This is also obvious from the Spora ransom note (.HTML) that pops up from the user's Desktop:
Logging in presents the user with the following Spora ransomware client page:
Users must click on “CHOOSE .KEY” and select the .KEY file that has been dropped on their Desktop (circled in red below):
Once the .KEY file has been uploaded the user will click on “SYNCHRONIZE”. After that the user will see their Block Date and their Username (circled in red):
Notice how they are offering live chat support. People in chat are upset that they paid but their files aren’t being decrypted. Other modules on the page show current transactions, available payment methods and a deadline to pay (7 days). Also there is a “discount” option under Available Payments. These people really are bastards.
It is a good idea to keep backups of important documents and pictures somewhere offline (flash drive, disconnected external hard drive, etc.) in case your computer does get hit with ransomware. I would recommend not paying, but people will have to make their own decisions.
Here are some processes found while running the sample:
Spora is using common methods seen with other ransomware variants. My recommendations would be to block the RIG-v EK IP at your perimeter firewall(s) and to disable vssadmin.exe. To read more about why and how you should disable vssadmin.exe click HERE.
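As an added example (not code from the original post), here is a small script that turns the IOCs listed at the top of this post into something actionable: it matches the RIG-v EK and Spora hosts against proxy-log lines, flags a hidden iframe pointing at the EK landing page like the one found on the compromised site, looks up file hashes against the three SHA256s, and emits the perimeter block rules recommended above. The log lines, the iframe snippet, the internal client addresses and the URL paths are constructed for the example; the IPs, domains and hashes are the ones from the IOC list.

```python
"""Added example, not from the original post: match the post's IOCs
(RIG-v EK and Spora hosts, payload hashes) against constructed proxy-log
lines and a constructed iframe, and build the perimeter block list."""
import hashlib
import re

# IOCs exactly as listed in the post.
IOC_IPS = {"93.158.215.169": "RIG-v EK", "186.2.163.47": "Spora ransomware"}
IOC_DOMAINS = {"fredomasearchdsd.top": "RIG-v EK", "spora.biz": "Spora ransomware"}
IOC_SHA256 = {
    "ae7073760a86f38b29d6399a91dda6507237b420c5f4d386de3b5c1c3cf111f5": "Landing Page.html",
    "840ce47e94db6dae302dddbfe33f9548a47541a0917def5e2e5644fc2965ba52": "Flash Exploit.swf",
    "175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911": "radF0D46.tmp.exe",
}

# Constructed proxy log (ts client method url status [mime]); not real traffic.
# Internal clients and URL paths are made up for the example.
SAMPLE_LOG = """\
1484960001 10.0.0.15 GET http://compromised-site.test/index.html 200 text/html
1484960003 10.0.0.15 GET http://fredomasearchdsd.top/?q=landing 200 text/html
1484960005 10.0.0.15 GET http://fredomasearchdsd.top/?q=swf 200 application/x-shockwave-flash
1484960009 10.0.0.15 GET http://93.158.215.169/?q=payload 200 application/octet-stream
1484960030 10.0.0.15 GET http://spora.biz/ 200 text/html
1484960040 10.0.0.22 GET http://www.example.test/ 200 text/html
"""

# Constructed 1x1 hidden iframe, the kind of injection described in the post.
SAMPLE_IFRAME = ('<html><body><p>hello</p><iframe src="http://fredomasearchdsd.top/?q=landing"'
                 ' width="1" height="1" style="display:none"></iframe></body></html>')


def host_of(url):
    """Return the lowercase host part of a URL, or None if it has no scheme."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else None


def ioc_label(host):
    """Label a host if it is an IOC IP, IOC domain or a subdomain of one."""
    if host in IOC_IPS:
        return IOC_IPS[host]
    for domain, label in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def scan_log(text):
    """Return one hit dict per log line whose destination host is an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash
        ts, client, _method, url, _status = parts[:5]
        host = host_of(url)
        label = ioc_label(host) if host else None
        if label:
            hits.append({"ts": int(ts), "client": client, "host": host, "label": label})
    return hits


def flagged_iframes(html):
    """Return (src, label) for every iframe whose src host is an IOC."""
    srcs = re.findall(r"<iframe\b[^>]*\bsrc=[\"']([^\"']+)[\"']", html, re.I)
    out = []
    for src in srcs:
        host = host_of(src)
        label = ioc_label(host) if host else None
        if label:
            out.append((src, label))
    return out


def lookup_hash(data):
    """Return the IOC file name for a blob's SHA256, or None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


def block_rules():
    """iptables-style DROP rules for the IOC IPs (the perimeter block recommended above)."""
    return [f"iptables -A FORWARD -d {ip} -j DROP" for ip in sorted(IOC_IPS)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} [{hit['label']}]")
    print(flagged_iframes(SAMPLE_IFRAME))
    print("\n".join(block_rules()))
```

Matching on the host rather than the full URL is deliberate: RIG-v rotates its query strings constantly, so a URL-level match would miss the next request while the IP and domain stay stable long enough to be useful at the perimeter.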
Until next time!
[…] 2017-01-21 – unspecified campaign Rig EK sends Spora ransomware […]