IOCs:
- 50.87.151.118 – fourcornersbc.com – Compromised Site
- 164.132.88.59 – betonmaustanfordin.freshstyleapparel.com – Rig EK
- 162.244.35.19 – CryptMIC post-infection traffic via TCP port 443
Traffic:
Hashes:
SHA256: 38ff6f31844f6ce957c9b8fe3b42ac157e3f5b9e77ba86c83bd3165a5ffdac7f
File name: RigEK Landing Page.html
SHA256: dde4ec698a206614b0cce449493f72ae16be7867f0a9b76d40b192dd5ce003f5
File name: RigEK Flash Exploit.swf
SHA256: b4ed980b3bac17066661433f6f2ab58e370cf75f453baadd4322a3c53a9c28da
File name: rad57379.tmp.exe
Infection Chain:
The infection chain started with me browsing to the compromised website. In the website’s source code is the malicious iframe associated with the pseudoDarkleech campaign. Below is an image of the script on the site:
The URL in the iframe points to the Rig EK landing page. Here is the GET for the landing page:
Following the host being redirected to the Rig EK landing page we see a GET for a Flash exploit:
The Flash exploit is followed by the payload:
There was a 2 KB extension-less JavaScript file used as a downloader, dropped in %TEMP%. That file deleted itself, and then we see rad57379.tmp.exe being dropped in %TEMP% along with some other CryptMIC files. Below is an image of the Desktop and the %TEMP% folder post-infection:
You can see the ransom notes on the Desktop and in %TEMP%. I recommend blocking the Rig EK IP and the post-infection IP.
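As an added example (not part of the original write-up), the script below turns the IOC list above into a small triage tool: it matches the listed IPs and hostnames against proxy/firewall log lines, reports how far along the infection chain each internal host got (compromised site only, Rig EK landing page, or CryptMIC post-infection traffic), checks a file hash against the three listed SHA256 values, and emits the block list the write-up recommends. The log line format, the internal 10.0.0.x addresses and the sample lines are constructed assumptions; the IOCs themselves are the ones listed on this page.

```python
"""Triage helper built from the write-up's IOCs (added example, not the original post's code).

Assumed log format (constructed): "<timestamp> <src_ip> <dst_ip>:<dst_port> <http_host_or_->"
"""
import re
from collections import defaultdict

# IOCs exactly as listed in the write-up, tagged with their stage in the infection chain
IOC_IPS = {
    "50.87.151.118": ("compromised_site", "fourcornersbc.com"),
    "164.132.88.59": ("rig_ek", "betonmaustanfordin.freshstyleapparel.com"),
    "162.244.35.19": ("cryptmic_c2", "CryptMIC post-infection traffic via TCP port 443"),
}
IOC_DOMAINS = {
    "fourcornersbc.com": "compromised_site",
    "betonmaustanfordin.freshstyleapparel.com": "rig_ek",
}
IOC_SHA256 = {
    "38ff6f31844f6ce957c9b8fe3b42ac157e3f5b9e77ba86c83bd3165a5ffdac7f": "RigEK Landing Page.html",
    "dde4ec698a206614b0cce449493f72ae16be7867f0a9b76d40b192dd5ce003f5": "RigEK Flash Exploit.swf",
    "b4ed980b3bac17066661433f6f2ab58e370cf75f453baadd4322a3c53a9c28da": "rad57379.tmp.exe",
}

# Later stage = further along the chain = higher priority for response
STAGE_ORDER = {"compromised_site": 1, "rig_ek": 2, "cryptmic_c2": 3}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\S*)\s*$")

# Constructed sample log lines: one host went all the way to CryptMIC traffic,
# one stopped at the Rig EK landing page, one never touched any IOC.
SAMPLE_LOGS = [
    "2016-08-01T10:00:01Z 10.0.0.12 50.87.151.118:80 fourcornersbc.com",
    "2016-08-01T10:00:03Z 10.0.0.12 164.132.88.59:80 betonmaustanfordin.freshstyleapparel.com",
    "2016-08-01T10:00:09Z 10.0.0.12 162.244.35.19:443 -",
    "2016-08-01T10:05:00Z 10.0.0.15 50.87.151.118:80 fourcornersbc.com",
    "2016-08-01T10:05:02Z 10.0.0.15 164.132.88.59:80 betonmaustanfordin.freshstyleapparel.com",
    "2016-08-01T10:07:00Z 10.0.0.20 93.184.216.34:443 example.com",
    "garbage line",
]


def classify_line(line):
    """Return a hit record if the line touches an IOC IP or hostname, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, host = m.groups()
    stages = set()
    if dst in IOC_IPS:
        stages.add(IOC_IPS[dst][0])
    if host in IOC_DOMAINS:  # catches the hostname even if the IP has rotated
        stages.add(IOC_DOMAINS[host])
    if not stages:
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "host": host,
            "stages": sorted(stages, key=STAGE_ORDER.get)}


def scan(lines):
    """Group IOC hits by internal source host."""
    hits = defaultdict(list)
    for line in lines:
        hit = classify_line(line)
        if hit:
            hits[hit["src"]].append(hit)
    return dict(hits)


def furthest_stage(lines):
    """Map each internal host to the furthest infection-chain stage it reached."""
    result = {}
    for src, host_hits in scan(lines).items():
        reached = {s for h in host_hits for s in h["stages"]}
        result[src] = max(reached, key=STAGE_ORDER.get)
    return result


def match_hash(sha256_hex):
    """Look up a SHA256 digest (any case) against the write-up's three file hashes."""
    return IOC_SHA256.get(sha256_hex.strip().lower())


def block_list():
    """The IPs the write-up recommends blocking: the Rig EK IP and the post-infection IP."""
    return sorted(ip for ip, (stage, _) in IOC_IPS.items() if stage in ("rig_ek", "cryptmic_c2"))


if __name__ == "__main__":
    for src, stage in sorted(furthest_stage(SAMPLE_LOGS).items()):
        print(f"{src}: furthest stage reached = {stage}")
    print("block:", ", ".join(block_list()))
```

A host whose furthest stage is cryptmic_c2 should be treated as encrypted until proven otherwise; a host that only reached rig_ek was served the landing page and possibly the Flash exploit, so its %TEMP% folder is worth checking for the dropped files and the rad57379.tmp.exe hash above.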