IOCs:
- 206.188.193.161 – gallolocomexican.com – Compromised Website
- 137.74.61.215 – barkatullavbwait.ernestboaten.com – Rig EK
- 162.244.35.19 – CryptMIC C2 via TCP port 443 – Traffic sent in the clear
Traffic:
Hashes:
SHA256: 1e20d2cb0ad52d1dbead4d7f029921d9cc6fb541e11fac6a899bf33b86577656
File name: RigEK Landing Page.html
SHA256: 25ea816e89234c1974e791b04eb83280c92296500fa9fbbdae24056d0b7a8bfe
File name: RigEK Flash Exploit.swf
SHA256: 293e77ff35ff9482c1ea58025f8ddd9b2bf09b4d08dc1202794e1ba193d7c511
File name: IIj6sFosp
SHA256: 1fbfd0132f0ca12a41fec858e065763fc5d1b7a282b24e6cb5f45be2bbe02b1b
File name: rad84159.tmp.exe
Infection Chain:
The infection chain started out with the pseudoDarkleech campaign script being injected into the compromised website. Below is an image showing the malicious iframe in the website’s source code:
Loading that script causes the host to make a GET request for the Rig EK landing page. Below is the GET request for the landing page, followed by the GET requests for the Flash exploit and the CryptMIC payload (in that order):
Once on the landing page, we see a JScript file with no extension, "IIj6sFosp", dropped in %TEMP%. This is the downloader for the malware binary. It deletes itself after running (the copy shown here was placed back in %TEMP%), and then "rad84159.tmp.exe" is downloaded to %TEMP%:
At this point the user's files are encrypted and ransom notes are dropped on the system. Below is a picture of the Desktop showing the ransom notes (an .html, a bitmap image and a .txt) with the payment sites and decryption instructions:
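The injected iframe on the compromised site is the first link in the chain above, so it is worth being able to find it in page source without eyeballing it. The script below is an added example, not code from the original post: it collects every iframe with the standard-library HTML parser and flags those that point off-site or are hidden or tiny, which is the shape a pseudo-Darkleech injection typically takes. The sample HTML is constructed for illustration; the Rig EK hostname comes from the IOC list above, but the URL path is a placeholder.

```python
"""Flag off-site or hidden iframes in a page's HTML source.

Added example (not from the original post). Assumptions: the injected
iframe points at a host other than the page's own and is hidden or has
zero/one-pixel dimensions. The sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes come back as None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is styled invisible or is at most 1px wide/high."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(value):
        value = value.strip().lower().rstrip("px")
        return value.isdigit() and int(value) <= 1

    return tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that are off-site or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        # Relative src (no host) resolves to the page's own host.
        host = urlparse(src).hostname or page_host
        reasons = []
        if host != page_host:
            reasons.append("off-site src %s" % host)
        if _is_hidden(frame):
            reasons.append("hidden/tiny frame")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample: one legitimate same-site widget and one injected,
# hidden, one-pixel iframe pointing at the Rig EK host from the IOC list
# (the "/landing" path is a placeholder, not the real URL).
SAMPLE_HTML = """<html><body>
<h1>Menu</h1>
<iframe src="/menu-widget.html" width="600" height="400"></iframe>
<iframe src="http://barkatullavbwait.ernestboaten.com/landing" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "gallolocomexican.com"):
        print(src, "->", ", ".join(reasons))
```

Run it against the saved source of a suspect page with that page's own hostname as the second argument; anything reported as both off-site and hidden is a strong candidate for the injection, while an off-site but visible frame (an embedded map, a video player) usually is not.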
I recommend blocking the Rig EK IP and the CryptMIC C2 IP at your perimeter firewall(s). Because the C2 traffic on TCP port 443 is sent in the clear, it can also be detected on the wire rather than only by destination IP.
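The IOC list says the CryptMIC C2 talks on TCP port 443 without TLS, which gives a detection that survives an IP change. The script below is an added example, not part of the original post: it checks each outbound flow against the three IOC IPs above and separately flags any port-443 connection whose first payload bytes are not a TLS record header (content type 0x16, version major 0x03). The flow records are constructed; the placeholder C2 payload bytes are not the real CryptMIC message, which the post does not show.

```python
"""Match flows against the post's IOCs and flag non-TLS traffic on TCP/443.

Added example (not from the original post). The flow tuples below are
constructed; the first-payload bytes for the C2 flow are a placeholder.
"""

# IP -> description, taken from the IOC list above.
IOC_IPS = {
    "206.188.193.161": "gallolocomexican.com (compromised website)",
    "137.74.61.215": "Rig EK",
    "162.244.35.19": "CryptMIC C2",
}


def looks_like_tls(first_bytes):
    """A TLS record begins with content type 0x16 (handshake) and major version 0x03."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def check_flow(dst_ip, dst_port, first_bytes):
    """Return the list of reasons this client->server flow is suspicious."""
    reasons = []
    if dst_ip in IOC_IPS:
        reasons.append("known IOC: " + IOC_IPS[dst_ip])
    # Port 443 is expected to carry TLS; anything else there is worth a look.
    if dst_port == 443 and not looks_like_tls(first_bytes):
        reasons.append("non-TLS payload on TCP/443")
    return reasons


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes)."""
    alerts = []
    for src_ip, dst_ip, dst_port, first_bytes in flows:
        reasons = check_flow(dst_ip, dst_port, first_bytes)
        if reasons:
            alerts.append((src_ip, dst_ip, dst_port, reasons))
    return alerts


# Constructed sample flows (client 10.0.0.5):
#  - a normal HTTPS ClientHello to a TEST-NET-2 address
#  - the GET for the Rig EK landing page over plain HTTP
#  - the C2 check-in on 443 with a placeholder non-TLS payload
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00"),
    ("10.0.0.5", "137.74.61.215", 80, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.5", "162.244.35.19", 443, b"\x01\x00\x00\x00"),  # placeholder
]

if __name__ == "__main__":
    for src, dst, port, reasons in scan_flows(SAMPLE_FLOWS):
        print("%s -> %s:%d  %s" % (src, dst, port, "; ".join(reasons)))
```

Feed it the first data segment of each outbound TCP flow from your capture or flow records; the IOC match gives the immediate hit, and the non-TLS-on-443 check gives an alert that will still fire if the C2 moves to a new IP. Expect some benign noise from the second check (non-TLS services deliberately run on 443), so triage it by destination rather than blocking on it automatically.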