EITest Leads to RIG-v EK at 194.87.145.225, Drops CryptoShield 1.1 Ransomware

IOCs:

  • 212.166.71.52 – blog.masmovil.es – Compromised website
  • 194.87.145.225 – sound.formpools.co – RIG-v EK
  • 45.76.81.110 – POST /test_site_scripts/moduls/connects/mailsupload.php – Callback

Traffic:

traffic

Hashes:

SHA256: dc837458d43126eb135816c0e3a3d8b8d0a557f89a9240b12319073e4fcc4449
File name: EITest RIG-v EK Flash Exploit.swf

SHA256: 3f517c7bf5176614ff11f3fc275849155c5bfede0b7a7748781b8aaf36fc6650
File name: QTTYUADAF

SHA256: a73c0538ad23bf6b092e6109d990802fefe549b0532bf39dc704a88198b8eebb
File name: rad871F7.tmp.exe and SmartScreen.exe
Hybrid-Analysis Report

Infection Chain:

I want to give a shout-out to @FreeBSDfan for informing me about the compromised website. I decided to check it out and located an injected EITest script in the source code:

eitest-script

The injected script contains the URL for the a RIG-v EK pre-landing page. Following the normal RIG-v infection chain we’ve seen over the last couple of months the host is then redirected to the landing page. As usual we see a Flash exploit being used and then we see the malware payload being dropped in %Temp%:

temp

Additionally, the executable is created in the ProgramData\MicroSoftWare\SmartScreen:

Running the sample through a sandbox showed the following processes:

analysed-processes

As with a lot of other Crypto ransomware variants this too is using the vvsadmin.exe Delete Shadows /All /Quiet command to delete the Shadow Volume Copies from the system. This means users wont be able to recover their encrypted files. For this reason it is highly recommended that users disable the vvsadmin.exe utility. Read more about this at BleepingComputer.com.

Some other commands that we typically see with Cryto ransomware are bcdedit.exe bcdedit /set {default} recoveryenabled No and bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures. This tells the system to disable Startup Repair and to ignore all failures during boot.

The ransomware will also generate a unique ID for the user and an encryption key. The infected machine then uploads the ID and private key to a CnC server. This information can be found in the POST requests to 45.76.81.110/test_site_scripts/moduls/connects/mailsupload.php.

Filenames are encrypted using ROT-13 (a simple letter substitution encryption scheme) and are then appended with .CRYPTOSHIELD. Victims of CryptoShield can use http://www.rot13.com/ to decode the names of their files. Unfortunately, there currently isn’t a way for users to decrypt the actual file. Here are some images of encrypted files on my machine:

As you can see this infection also drops ransom notes in each folder that contains an encrypted file.

After a successful infection the user would then be presented with two ransom notes. One is an .HTML file and the other is a .txt file. Both use the naming convention of # RESTORING FILES #:

html-cryptoshield-1-1-ransom-noteransom-note-txt-file-edited

This appears to be a new CryptoMix/CryptFile2 variant calling itself “CryptoShield 1.1.” Instructions from the ransom note indicate that the user must send an email to one of the following addresses:

  • restoring_sup@india.com
  • restoring_sup@computer4u.com
  • restoring_reserve@india.com

Looking through the registry I found the following entries to Run and RunOnce:

I would urge users to not pay the ransom; however, that is a personal choice that people will have to decide on their own. While there currently isn’t a decryption tool for this variant there could be one that is released in the future.

For more information please see this excellent write-up on BleepingComputer.com by Lawrence Abrams.

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: