pseudoDarkleech Leads to Rig EK, Which Delivers CryptMIC


  • – – Compromised Website
  • – – Rig EK
  • – CryptMIC post-infection traffic via TCP port 443 (not encrypted)




SHA256: b7911fe9343c681b9ed5cc34f9489d4b82d8dc2aaf1136c05ba44d9546707687
File name: RigEK Landing Page.html

SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f
File name: RigEK Flash Exploit.swf

SHA256: e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d
File name: rad68A3A.tmp.exe

Infection Chain:

Below is an image grab from the compromised website’s code:


You can clearly see a malicious iframe injected into the page source. That iframe contains a URL pointing to the Rig EK server. After the GET request for the landing page, we see a JavaScript file with no file extension dropped in %TEMP%. This .js file is the downloader for the CryptMIC payload. Below is an example of that file, provided to me by a coworker (pseudonym “_elf”).
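An injected iframe like the one above is easy to spot in a screenshot but tedious to find across a site. The following is an added example (my own code, not from the post or from _elf's sample) of a small heuristic scanner that reports iframes which are invisible, either through their own attributes or through a hidden ancestor element, and records whether they point off-site. The sample HTML, hostnames and IP addresses below are constructed (RFC 5737 documentation ranges), not indicators from this infection.

```python
"""Heuristic scan for hidden, injected iframes in a page's HTML (stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Void elements never get a closing tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


def _element_hidden(attrs):
    """True if this element's own attributes make it invisible to the user."""
    if "hidden" in attrs:
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "position:absolute" in style and ("left:-" in style or "top:-" in style):
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class IframeScanner(HTMLParser):
    """Walk the document, tracking whether any open ancestor is hidden."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self._hidden_stack = []   # one bool per open element: hidden by self or ancestor
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = bool(self._hidden_stack and self._hidden_stack[-1])
        hidden = _element_hidden(attrs) or inherited
        if tag == "iframe" and hidden:
            src = attrs.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            external = bool(host) and host != self.page_host
            self.findings.append({"src": src, "hidden": hidden, "external": external})
        if tag not in VOID:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self._hidden_stack:
            self._hidden_stack.pop()


def scan_for_hidden_iframes(html, page_host):
    """Return a list of hidden iframes found in `html`, in document order."""
    scanner = IframeScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate embed, one iframe inside an off-screen
# div, one iframe hidden by its own style. The hosts are documentation addresses.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc"></iframe>
<div style="position:absolute; top:-9999px; left:-9999px;">
<iframe src="http://198.51.100.23/?t=1" width="300" height="200"></iframe>
</div>
<iframe src="http://203.0.113.7/x.php" width="0" height="0" style="display:none"></iframe>
<br>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_for_hidden_iframes(SAMPLE_HTML, "www.example.com"):
        print(hit)
```

Visible external iframes are deliberately not reported, since video and ad embeds are common; a hidden iframe to a host the site does not own is the thing worth triaging, and the `external` flag lets you sort those first.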


The file above deletes itself after the payload is downloaded. In this infection we saw a file called “rad68A3A.tmp.exe” dropped into %TEMP%. Once executed, the user’s files are encrypted and ransom notes (decryption instructions for the user) are dropped in .html, .bmp, and .txt formats.

Here is the executable dropped in %TEMP%:


And here is an image of the Desktop post-compromise. Notice the background is changed to the ransom note which contains instructions for the user (payment sites circled in white):


I recommend blocking the compromised website (at least until it is cleaned up) as well as the Rig EK IP and the CryptMIC callback IP.
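Blocking the callback IP stops this sample, but the more durable signal is the one noted in the traffic summary: the post-infection traffic uses TCP port 443 without TLS. The following is an added example (my own code, not from the post) of a check that classifies the first client bytes of each 443 flow as a TLS ClientHello, plaintext HTTP, or something else, so that non-TLS use of 443 can be flagged regardless of the destination address. The flow records and payload bytes are constructed; the binary sample is not CryptMIC's actual protocol.

```python
"""Flag TCP/443 flows whose first client bytes are not a TLS ClientHello."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ", b"DELETE ")


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Check the TLS record header and the handshake header for consistency.

    Record: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte length.
    Handshake: type 0x01 (ClientHello), 3-byte length, then client version.
    A ClientHello normally fits in one record, so record length == handshake length + 4.
    """
    if len(payload) < 11:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x03:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if payload[5] != 0x01:
        return False
    handshake_len = int.from_bytes(payload[6:9], "big")
    if handshake_len + 4 < record_len:      # handshake shorter than its record: malformed
        return False
    return payload[9] == 0x03 and payload[10] <= 0x03   # client_version


def classify_client_bytes(payload: bytes) -> str:
    """Coarse protocol verdict for the first bytes a client sent on a flow."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "non-tls-binary"


def find_non_tls_on_443(flows):
    """Return (src, dst, verdict) for every flow to port 443 that is not TLS."""
    hits = []
    for flow in flows:
        if flow["dport"] != 443:
            continue
        verdict = classify_client_bytes(flow["payload"])
        if verdict != "tls":
            hits.append((flow["src"], flow["dst"], verdict))
    return hits


# Constructed flows (documentation addresses), each with the first client bytes:
# a well-formed ClientHello prefix, an unknown binary blob on 443, plaintext HTTP
# on 443, and ordinary HTTP on port 80 that must not be considered at all.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32},
    {"src": "10.0.0.5", "dst": "198.51.100.77", "dport": 443,
     "payload": b"\x0a\x00\x00\x00\x30\x02\x11\x9f\x7d\x00\x00\x00"},
    {"src": "10.0.0.5", "dst": "198.51.100.77", "dport": 443,
     "payload": b"POST /x HTTP/1.1\r\nHost: 198.51.100.77\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.20", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

if __name__ == "__main__":
    for hit in find_non_tls_on_443(SAMPLE_FLOWS):
        print(hit)
```

In practice the `payload` field would be the first segment of client data per flow, taken from a pcap or from a sensor that records initial bytes; the check is deliberately loose on the ClientHello so that legitimate TLS is not flagged, and strict only about what it calls TLS.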
