EITest Leads to RIG EK at 188.225.36.251. EK Drops CryptoShield 2.0 Ransomware.

IOCs:

  • 104.28.18.48 – amaz0ns.com – Compromised website
  • 188.225.36.251 – 3tre.sicafnicaragua.com – RIG EK
  • 188.225.36.251 – 3fds.tbsistemas.com – RIG EK (second run)
  • 5.154.191.90 – GET /images/products-over.php – ET TROJAN CryptoShield Ransomware Checkin

Traffic:

Hashes:

SHA256: 9a750f27dfc05d5d41d9da4106ecb71be414538eff3eb3bc8ecca01f5a9aad9b
File name: Landing Page.html

SHA256: 5628e6cdecc617c18137ff132cda600c72baf23f824fbae5c81a8034a9ba3554
File name: RIG EK v4.0 Flash Exploit.swf

SHA256: e142f06a2e96f7a0c6eb046a79b85bc24e79e66c5c2bc12e144285c23fc89b69
File name: o32.tmp

SHA256: e2387bcd3d274f5b4d0353edff2755d39d66afedda1d47f7548391c5d4238f52
File names: l3v4k74h.exe, ma25k6ln.exe, 81yrliiy.exe, conhost.exe
Hybrid-Analysis Report

Infection Chain:

To start off I’d like thank the people posting compromised websites on Twitter and for tagging me in the post. This compromised website was brought to you by @nao sec‏.

The infection chain starts off with me visiting the compromised website, www[.]amaz0ns[.]com. The source code shows that the EITest script had been injected into the page. Below is an image of the EITest code from my second run:

eitest

The URL contained within the script has changed over the last couple of days. RIG has now changed the structure of the query string. For example, q=value1&oq=value2 and oq=value1&q=value2. Also, there wasn’t a request for the pre-filter page (firstDetect.js.html) on either of my runs from today.

Another change I noticed is that there is an injected sentence in the landing page. The sentence was actually from recent events as it has been documented by various news outlets like KTLA. Here is the snippet of the news story at the very top of the landing page:

example-of-landing-page

And here is the sentence from the news story posted on 2/25/17:

news-story

I remember when Angler use to have seemingly random text in it.

Another change is that the script used to download the payload has changed. The old name was “QTTYUADAF” and not we see “o32.tmp” being dropped in %Temp% and executed. Here is the code found in o32.tmp:

o32-tmp-code

The script causes the host to make a GET request for the malware payload. The malware payloads were using the naming convention rad[1-9A-B]{5}.tmp.exe but now it appears to be [1-9a-b]{8}.exe.

The payload is dropped and executed in %Temp%:

payload-dropped-in-temp

The payload is copied to C:\ProgramData\MicroSoftTMP\system32\ and named conhost.exe:

copied-to-programdata-microsofttmp-system32-conhost

There were also some files and folders created in %AppData% (.tmpfsp and Microsoft Help):

appdata

As with a lot of other Crypto ransomware variants this too is using the vvsadmin.exe Delete Shadows /All /Quiet command to delete the Shadow Volume Copies from the system. This means users wont be able to recover their encrypted files. It is for this reasons that user’s should take preventative actions and disable the vvsadmin.exe utility. Read more about this at BleepingComputer.com.

Some other commands found include bcdedit.exe bcdedit /set {default} recoveryenabled No and bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures. This tells the system to disable Startup Repair and to ignore all failures during boot.

The ransomware will also generate a unique ID for the user and an encryption key. The infected machine then uploads the ID and private key to a CnC server via POST requests to 5.154.191.90/images/products-over.php.

Filenames are encrypted using ROT-13 (a simple letter substitution encryption scheme) and are then appended with “.CRYPTOSHIELD.”

Victims of CryptoShield can use http://www.rot13.com/ to decode the names of their files. Unfortunately, there currently isn’t a way for users to decrypt the actual file. Here are some images of encrypted files on my machine:

encrypted

This infection drops ransom notes in each folder that contains encrypted files.

After a successful infection the user would then be presented with two ransom notes. One is an .html file and the other is a .txt file. Both use the naming convention of # RESTORING FILES #:

Instructions from the ransom note indicate that the user must send an email to one of the following addresses:

  • r_sp@india.com – SUPPORT
  • r_sp@computer4u.com – SUPPORT RESERVER FIRST
  • res_reserve@india.com – SUPPORT RESEVE SECOND

Here is an image of the Desktop after an infection:

desktop

Ransom notes dropped on Desktop

Looking through the registry I found the following entries were created in Run and RunOnce:

I would urge users NOT to pay the ransom. While there currently isn’t a decryption tool for this variant there could be one that is released in the future. You could hold on to copies of your documents in the hopes that one is released.

For more information on CryptoShield please see this excellent write-up on BleepingComputer.com by Lawrence Abrams.

Until next time!

space-invaders-keyboard

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: