- 18.104.22.168 – friedchickenfestival.com – Compromised Site
- 22.214.171.124 – alveraverticaltotal.jacobeachquadplex.info – Rig EK
- 126.96.36.199 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)
- SHA256: 02bbe8a5e930508263776e2efbe0d3bd1a4c01d42fa7ee4906cf735a91e29853 – File name: RigEK Landing Page.html
- SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d – File name: RigEK Flash Exploit.swf
- SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331 – File name: IIj6sFosp
- SHA256: ba664c151f312b4d249fbee2863984aea4d3725b97065095b63729fe1f3fabfd – File name: radDA159.tmp.exe
The infection chain begins with the pseudoDarkleech script being injected into the compromised website. Below is an image of the website's source code showing the injected script:
The URL within the <iframe> tag is used as the redirection mechanism for the Rig Exploit Kit landing page. Below are the requests and responses for the Exploit Kit landing page, Flash exploit, and payload (in that order):
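The injected iframe is the pivot point of the whole chain, so a defender reviewing a suspect page wants a quick way to surface any iframe that points off the site. The following Python script is an added example, not code from the original post: it parses an HTML document, collects every `<iframe>` src, and flags those whose host differs from the site's own host. The sample page is constructed for the example (it reuses the compromised-site and Rig EK hostnames from the IoC list above, but the iframe path and the surrounding markup are assumptions, not the actual pseudoDarkleech injection).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def off_site_iframes(html_text, site_host):
    """Return iframe src values whose host is not the site's own host.

    Relative srcs (no host) are treated as on-site; protocol-relative
    srcs such as //evil.example/x are resolved to their host and checked.
    """
    parser = IframeCollector()
    parser.feed(html_text)
    flagged = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            flagged.append(src)
    return flagged


# Constructed sample page: a benign on-site iframe plus one pointing at the
# Rig EK host from the IoC list. The path is a placeholder, not the real one.
SAMPLE_PAGE = """<html><head><title>Fried Chicken Festival</title></head>
<body>
<iframe src="/schedule.html" width="600" height="400"></iframe>
<p>Welcome to the festival site.</p>
<iframe src="http://alveraverticaltotal.jacobeachquadplex.info/?q=constructed-placeholder"
        width="1" height="1"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src in off_site_iframes(SAMPLE_PAGE, "friedchickenfestival.com"):
        print("off-site iframe:", src)
```

Run against a saved copy of a page you are investigating by reading the file into `off_site_iframes` with the site's hostname; anything it reports is worth comparing against the EK domains in the IoC list.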
This time the server sent an executable called “radDA159.tmp.exe”. The file description of the executable is “NirCmd”, which is a legitimate Windows command line tool, so the malware is posing as it. The attackers even gave the malicious executable an icon. See the images below:
There were also ransom notes (Bitmap, HTML, and Text) dropped in various folders. Oddly enough I didn’t get the usual .html and .txt ransom notes on the Desktop, only the image changed.
I recommend that the EK IP be blocked at your perimeter firewall.
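To turn the indicators above into something a SOC can run, the Python script below is an added example (not part of the original post) that triages constructed network flows and file hashes against the IoC list: it flags any flow to one of the three IPs, flags any hash in the SHA256 list, and, because the CryptMIC callback goes over TCP 443 in the clear, it also flags any port-443 flow whose first bytes are not a TLS record header. That last check generalizes beyond this sample: plaintext on 443 is a useful signal regardless of the malware family. The flow records, the first-bytes payloads and the 203.0.113.5 address are constructed for the example.

```python
# Indicators taken from the post's IoC list.
IOC_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199"}
IOC_SHA256 = {
    "02bbe8a5e930508263776e2efbe0d3bd1a4c01d42fa7ee4906cf735a91e29853",  # landing page
    "c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d",  # Flash exploit
    "e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331",  # IIj6sFosp
    "ba664c151f312b4d249fbee2863984aea4d3725b97065095b63729fe1f3fabfd",  # radDA159.tmp.exe
}


def looks_like_tls(first_bytes):
    """True if the client's first bytes look like a TLS handshake record.

    A TLS record starts with content type 0x16 (handshake) followed by a
    0x03 major version byte; anything else on port 443 is plaintext or
    some other protocol and deserves a look.
    """
    return len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def triage_flows(flows):
    """Return (dst_ip, reasons) for each flow that trips an indicator.

    Each flow is a dict with dst_ip, dst_port and first_bytes (the first
    client-to-server bytes, as captured by a sensor). Result order follows
    input order.
    """
    findings = []
    for flow in flows:
        reasons = []
        if flow["dst_ip"] in IOC_IPS:
            reasons.append("known IoC IP")
        if flow["dst_port"] == 443 and not looks_like_tls(flow["first_bytes"]):
            reasons.append("non-TLS data on 443")
        if reasons:
            findings.append((flow["dst_ip"], reasons))
    return findings


def triage_hashes(hashes):
    """Return the subset of the given SHA256 strings that are known IoCs."""
    return sorted(h.lower() for h in hashes if h.lower() in IOC_SHA256)


# Constructed sample flows: a cleartext POST to the CryptMIC callback IP on
# 443, a normal TLS ClientHello to an unrelated host (203.0.113.5, a
# documentation address), and a plain HTTP request to the Rig EK IP.
SAMPLE_FLOWS = [
    {"dst_ip": "126.96.36.199", "dst_port": 443, "first_bytes": b"POST /callback HTTP/1.1\r\n"},
    {"dst_ip": "203.0.113.5", "dst_port": 443, "first_bytes": b"\x16\x03\x01\x00\xc8\x01\x00"},
    {"dst_ip": "22.214.171.124", "dst_port": 80, "first_bytes": b"GET /landing HTTP/1.1\r\n"},
]

# Constructed hash list: the payload hash from the post plus one unknown value.
SAMPLE_HASHES = [
    "ba664c151f312b4d249fbee2863984aea4d3725b97065095b63729fe1f3fabfd",
    "0000000000000000000000000000000000000000000000000000000000000000",
]


if __name__ == "__main__":
    for ip, reasons in triage_flows(SAMPLE_FLOWS):
        print(ip, "->", ", ".join(reasons))
    for h in triage_hashes(SAMPLE_HASHES):
        print("known bad hash:", h)
```

Feed it real flow records by mapping your sensor's fields (Zeek conn/ssl logs, NetFlow with payload sampling, or a proxy log) onto the three keys; the hash check pairs naturally with an EDR or sandbox export of observed file hashes.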