Rig EK Drops CryptMIC Ransomware


  • – equatorappliances.com – Compromised Website
  • – conmensurativa.cyclemanagementassociates.net – Rig EK
  • – CryptMIC post-infection traffic via TCP port 443 (sent in clear text)



  1. SHA256: 86b24c3990b106c74f7f475ebaced01cb69f9b9f6de069d8df8209edba72a40f
    File name: RigEK Landing Page.html
  2. SHA256: cc1002a14db7ccf59b7320b49a5dfc0995a6ad6895bfaab4de1a296756020fe6
    File name: RigEK Flash Exploit.swf
  3. SHA256: bd98b94ec01df8a3391af1203f662225a4734c154ee58a739cd4af5328ff0823
    File name: IIj6sFosp
  4. SHA256: 044dbd83e6fb41cf831cc83126d9b6e859f69ebd5c26f01d8c26c377bd892d65
    File name: rad0DEDB.tmp.exe

Infection Chain:

The infection chain starts off with a compromised website being injected with the pseudoDarkleech script:


That iframe contains the URL for the Rig Exploit Kit landing page. Once the page loads in the browser, the iframe generates a GET request for the landing page. Here is the GET for the landing page:


After being redirected to the landing page the host made a GET request for a Flash file, in this case a Flash exploit:


And finally we see the payload being sent:


The first run at the Exploit Kit returned a file called “IIj6sFosp”. Here is a look at the file:


That file deleted itself and downloaded a .dll called “rad80A00.tmp.dll”. Recently, all these .dll files have been 126 bytes in size and follow the naming convention of rad[5 alphanumeric].tmp.dll.

My second attempt returned “rad0DEDB.tmp.exe”. For some reason the .dlls being dropped by Rig Exploit Kit are failing to compromise the system while the executables are successful.
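The dropped-file details above (the rad[5 alphanumeric].tmp.dll naming convention, the 126-byte .dll size, and the SHA256 values listed at the top of the post) can be turned into a simple triage check for a %TEMP% listing. The following is an added example, not code from this post; the file sizes other than 126 bytes and the hash for rad80A00.tmp.dll are placeholders, and the listing itself is constructed.

```python
import hashlib
import re
from pathlib import Path

# Naming convention described in the write-up: rad + five alphanumerics + .tmp.dll
# (rad0DEDB.tmp.exe is also on the page, so both extensions are matched).
RAD_TMP_PATTERN = re.compile(r"^rad[0-9A-Za-z]{5}\.tmp\.(?:dll|exe)$", re.IGNORECASE)

# Size the write-up reports for the recent .dll drops.
TINY_DLL_SIZE = 126

# SHA256 values taken from the write-up's sample list.
KNOWN_SHA256 = {
    "86b24c3990b106c74f7f475ebaced01cb69f9b9f6de069d8df8209edba72a40f": "RigEK Landing Page.html",
    "cc1002a14db7ccf59b7320b49a5dfc0995a6ad6895bfaab4de1a296756020fe6": "RigEK Flash Exploit.swf",
    "bd98b94ec01df8a3391af1203f662225a4734c154ee58a739cd4af5328ff0823": "IIj6sFosp",
    "044dbd83e6fb41cf831cc83126d9b6e859f69ebd5c26f01d8c26c377bd892d65": "rad0DEDB.tmp.exe",
}


def matches_rad_tmp_name(name: str) -> bool:
    """True if a file name follows the rad[5 alphanumeric].tmp.dll/.exe pattern."""
    return RAD_TMP_PATTERN.match(name) is not None


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA256 so large drops are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_entries(entries):
    """Map each suspicious file name to the reasons it was flagged.

    entries: iterable of (file_name, size_in_bytes, sha256_hex) tuples.
    Reasons are emitted in a fixed order so results are stable.
    """
    findings = {}
    for name, size, digest in entries:
        reasons = []
        if digest.lower() in KNOWN_SHA256:
            reasons.append("known_sha256")
        if matches_rad_tmp_name(name):
            reasons.append("rad_tmp_name")
        if name.lower().endswith(".dll") and size == TINY_DLL_SIZE:
            reasons.append("tiny_dll")
        if reasons:
            findings[name] = reasons
    return findings


def triage_directory(directory):
    """Build (name, size, sha256) entries from a real directory such as %TEMP% and triage them."""
    entries = [
        (p.name, p.stat().st_size, sha256_of_file(p))
        for p in Path(directory).iterdir()
        if p.is_file()
    ]
    return triage_entries(entries)


# Constructed %TEMP% listing for a stand-alone run. The names and the 126-byte .dll size come
# from the write-up; the hash for rad80A00.tmp.dll and all other sizes are placeholders.
SAMPLE_TEMP_LISTING = [
    ("rad80A00.tmp.dll", 126, "0" * 64),
    ("rad0DEDB.tmp.exe", 245760, "044dbd83e6fb41cf831cc83126d9b6e859f69ebd5c26f01d8c26c377bd892d65"),
    ("IIj6sFosp", 245760, "bd98b94ec01df8a3391af1203f662225a4734c154ee58a739cd4af5328ff0823"),
    ("wct1A2B.tmp", 4096, "1" * 64),
    ("notes.txt", 10, "2" * 64),
]

if __name__ == "__main__":
    for name, reasons in triage_entries(SAMPLE_TEMP_LISTING).items():
        print(f"{name}: {', '.join(reasons)}")
```

Hash matches are the narrowest check; the name pattern and the 126-byte .dll size catch fresh samples of the same campaign that have not been hashed yet, at the cost of occasional false positives from other rad*.tmp files, so treat those two reasons as triage leads rather than verdicts.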

Here is a picture of both files being dropped in %TEMP%:


Once the system was infected the ransom notes (Bitmap, HTML, and Text) were dropped on the Desktop and in folders containing encrypted files:


While looking for post-infection traffic I found communication to via TCP port 443. This traffic wasn’t encrypted as the ransom note can be seen in clear text:
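Clear-text traffic on TCP port 443 is itself a detectable anomaly: a real TLS session begins with a 5-byte record header (content type, version 3.x, length), whereas the callback described above carries readable text. The following is an added example, not code from this post, that classifies the first payload of each flow and reports 443 flows that are not TLS; the flows and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders, and the clear-text body is a made-up line rather than the actual ransom note.

```python
# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_tls_record(payload: bytes) -> bool:
    """Check the 5-byte TLS record header: type, version 3.x, non-zero 16-bit length."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return content_type in TLS_CONTENT_TYPES and major == 0x03 and minor <= 0x04 and length > 0


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b in PRINTABLE) / len(payload)


def classify_payload(payload: bytes, threshold: float = 0.9) -> str:
    """Label a first payload as 'tls', 'cleartext' (mostly printable) or 'binary'."""
    if looks_like_tls_record(payload):
        return "tls"
    if printable_ratio(payload) >= threshold:
        return "cleartext"
    return "binary"


def find_cleartext_on_443(flows, threshold: float = 0.9):
    """Return TCP/443 flows whose first payload is readable text rather than a TLS record."""
    hits = []
    for flow in flows:
        if flow["proto"] != "tcp" or flow["dport"] != 443:
            continue
        verdict = classify_payload(flow["payload"], threshold)
        if verdict == "cleartext":
            hits.append({**flow, "verdict": verdict})
    return hits


# Constructed flows: one first payload per connection, as a capture tool would hand them over.
SAMPLE_FLOWS = [
    # Genuine TLS ClientHello start (handshake record, record version 3.1)
    {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "payload": bytes.fromhex("16030100a5010000a10303")},
    # Readable text on 443: the behaviour the write-up describes (body is a placeholder)
    {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443,
     "payload": b"CONSTRUCTED SAMPLE: plain ASCII body sent to port 443\r\n"},
    # Binary, non-TLS data on 443: worth a look, but not what this rule reports
    {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.8", "dport": 443,
     "payload": bytes(range(0, 32)) * 2},
    # Ordinary HTTP on port 80 is out of scope for this rule
    {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.20", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

if __name__ == "__main__":
    for hit in find_cleartext_on_443(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} {hit['verdict']}")
```

The header check is deliberately loose (any 3.x record version, any of the four content types) so that it does not miss legitimate TLS and produce noise; the interesting alerts are the flows that fail it and still look like text, which is exactly the pattern seen in this callback.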


My recommendation is to block the Rig Exploit Kit IP address and the callback IP at your perimeter firewall(s).
