The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain:
You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad domain acting as a gate:
The fake ad domain, in this case milliption.gdn, returns a pre-filter page that fingerprints the system and then instructs the host to make a POST request for the landing page. To read more about this campaign and the pre-filter page click HERE.
Moving on… We see o32.tmp dropped and executed in %TEMP%, which facilitates the GET request and execution of the payload, pmpp20mo.exe:
For persistence the malware copies itself to %APPDATA% as rocanebeda.exe:
You can also see that this is where the ransom note is stored as both a .bmp and a .jpg in %APPDATA%, along with FFAEBC00XX.tmp, which contains the phone number +79998373194 found on the ransom notes:
Checking the registry for persistence shows the following entries in both HKCU Run and RunOnce:
This locker family of ransomware doesn’t actually encrypt user files; it is, however, rather annoying because it locks the screen.
Here is an image of my Desktop after the payload was executed:
Here is a translation of the text on the ransom note:
Shout-out to @Amigo_A_ who sent me this translation!
The ransom note image is attempting to social engineer users into believing that this is a warning from the Russian Ministry of Internal Affairs (MIA). It gives the user an ID number (mine was aed68d54) and tells users to pay 4200 rubles at a payment terminal. The number it gives users is +79998373194.
Users won’t be able to do anything from this screen, so don’t even bother trying to open Task Manager, etc.
NEVER PAY A RANSOM!
Booting the infected system in either Safe Mode or Safe Mode with Networking won’t work, as the system immediately locks with the ransom note on the screen. While this is extremely annoying, there is hope! I put together a video of how to take back control of your system (see the top of this post).
Sorry for any errors in the video. I kind of rushed to get it done and I’m using a garbage keyboard. I listed out the steps below to get control of your system.
Step 1: Boot to Safe Mode with Command Prompt.
Step 2: Use these commands to add the following values to the registry (these are policy values that stop Explorer from processing the HKCU Run and RunOnce keys, so the locker is never started at logon):
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableCurrentUserRun /t REG_DWORD /d 1
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableCurrentUserRunOnce /t REG_DWORD /d 1
Additional commands if the persistence is in HKLM Run and RunOnce:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRun /t REG_DWORD /d 1
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1
Step 3 (optional): Check that the entries are there by using the following command:
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Step 4: Use this command to restart the system:
shutdown -t 0 -r -f
Step 5: Remediate the system (remove the Run/RunOnce entries and the dropped files listed below, then the policy values can be reverted).
It looks as if this kind of locker is making a slight comeback. Here is an article talking about RIG exploit kit dropping a similar locker:
- 188.8.131.52 – milliption.gdn – Fake ad domain
- 184.108.40.206 – fast.napadieselguide.com – RIG Exploit kit
- 220.127.116.11 – GET /l/wal.txt
- 18.104.22.168 – GET /l/upd.php?ccc=aed68d54
- 22.214.171.124 – GET /l//default.jpg
- %TEMP% – C:\Users\[Username]\AppData\Local\Temp\pmpp20mo.exe
- %TEMP% – C:\Users\[Username]\AppData\Local\Temp\o32.tmp
- %APPDATA% – C:\Users\[Username]\AppData\Roaming\FFAEBC00XX.tmp
- %APPDATA% – C:\Users\[Username]\AppData\Roaming\Upd2ExplerSysDrz.bmp
- %APPDATA% – C:\Users\[Username]\AppData\Roaming\Upd2ExplerSysDrz.jpg
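The network and host indicators listed above, together with the HKCU Run/RunOnce persistence described earlier, are enough to write a small triage check. The script below is an added example, not code from the original post: it matches constructed proxy-log lines against the gate domain, the RIG landing domain and the three payload URI patterns from the list (the IP addresses are deliberately not used, and the payload host name `payload-server.invalid` is a placeholder), and it parses constructed `REG QUERY` output for Run/RunOnce values that launch one of the dropped file names or any executable from `%APPDATA%`. The value name `Updater` and the victim user name are assumptions.

```python
import re
from urllib.parse import urlparse

# Network indicators from the post (hostnames and URI paths only; IPs omitted).
IOC_HOSTS = {
    "milliption.gdn": "fake ad domain acting as gate",
    "fast.napadieselguide.com": "RIG exploit kit landing page",
}
IOC_PATHS = [
    (re.compile(r"^/l/wal\.txt$"), "locker payload request (wal.txt)"),
    # The ccc parameter carried the 8-hex-char victim ID shown on the note.
    (re.compile(r"^/l/upd\.php\?ccc=[0-9a-f]{8}$"), "victim ID check-in (upd.php?ccc=<id>)"),
    (re.compile(r"^/l//default\.jpg$"), "ransom note image download"),
]
# Host indicators from the post: dropped/copied file names.
IOC_FILES = ["rocanebeda.exe", "pmpp20mo.exe", "o32.tmp",
             "FFAEBC00XX.tmp", "Upd2ExplerSysDrz.bmp", "Upd2ExplerSysDrz.jpg"]

# Constructed proxy log: "<timestamp> <client> <method> <url>" per line.
SAMPLE_PROXY_LOG = [
    "2017-03-01T10:00:01Z 10.0.0.5 GET http://decoy-site.invalid/index.html",
    "2017-03-01T10:00:02Z 10.0.0.5 GET http://milliption.gdn/",
    "2017-03-01T10:00:04Z 10.0.0.5 POST http://fast.napadieselguide.com/",
    "2017-03-01T10:00:09Z 10.0.0.5 GET http://payload-server.invalid/l/wal.txt",
    "2017-03-01T10:00:12Z 10.0.0.5 GET http://payload-server.invalid/l/upd.php?ccc=aed68d54",
    "2017-03-01T10:00:13Z 10.0.0.5 GET http://payload-server.invalid/l//default.jpg",
    # Similar-looking but legitimate-shaped request: the ID is not 8 hex chars, so no hit.
    "2017-03-01T10:05:00Z 10.0.0.7 GET http://vendor-update.invalid/l/upd.php?ccc=notahexid",
]

# Constructed REG QUERY output for HKCU Run and RunOnce (value name "Updater" is assumed).
SAMPLE_REG_QUERY = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_SZ    C:\Windows\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    C:\Users\victim\AppData\Roaming\rocanebeda.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Updater    REG_SZ    C:\Users\victim\AppData\Roaming\rocanebeda.exe
"""


def scan_proxy_log(lines):
    """Return (line_number, reason) for each log line that matches a network IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        url = urlparse(parts[3])
        host = url.hostname or ""
        path = url.path + ("?" + url.query if url.query else "")
        if host in IOC_HOSTS:
            hits.append((n, IOC_HOSTS[host]))
            continue
        for pattern, reason in IOC_PATHS:
            if pattern.match(path):
                hits.append((n, reason))
                break
    return hits


def find_run_key_persistence(reg_query_output):
    """Return (key, value_name, data, reason) for suspicious Run/RunOnce values."""
    findings = []
    key = None
    for raw in reg_query_output.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HK"):
            key = raw.strip()  # REG QUERY prints the key path unindented
            continue
        # Value lines are "<name>  <type>  <data>", separated by runs of spaces.
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) != 3:
            continue
        name, _vtype, data = parts
        lower = data.lower()
        if any(f.lower() in lower for f in IOC_FILES):
            findings.append((key, name, data, "known locker file name"))
        elif "\\appdata\\roaming\\" in lower and lower.endswith(".exe"):
            # Heuristic: autoruns launching an .exe from %APPDATA% deserve a look.
            findings.append((key, name, data, "executable launched from %APPDATA%"))
    return findings


if __name__ == "__main__":
    for n, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {n}: {reason}")
    for key, name, data, reason in find_run_key_persistence(SAMPLE_REG_QUERY):
        print(f"{key} -> {name} = {data} ({reason})")
```

Run against a real proxy export and a `REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run` / `RunOnce` dump taken from Safe Mode with Command Prompt, this gives a quick answer to whether a host touched the gate or landing domain and whether the locker is still wired into the logon sequence before the registry policy workaround is reverted.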
File name: Flash Exploit.swf
File name: o32.tmp
File name: pmpp20mo.exe and rocanebeda.exe
Artifacts are available for download. The folder contains malicious artifacts. PM me on Twitter or send an email to firstname.lastname@example.org if you need the password (it’s the same one that other researchers use):
I want to thank everyone who responded to my Twitter questions regarding this infection. Until next time!