pseudoDarkleech Leads to Rig EK at And Drops CryptMIC


  • – – Compromised Website
  • – – Rig EK
  • – CryptMIC post-infection traffic via TCP port 443 (not encrypted)




SHA256: eff15c0ede4f784532fd933843a2bf4dda86c92dbed785b979af50b7c808e34e
File name: RigEK Landing Page.html

SHA256: 744744db513250c8ddeef12d4998d339beac5cabc02a1d10f304e105462d4008
File name: RigEK Flash Exploit.swf

SHA256: d9553d2651fd05d98dbb551ed32f5875b73010b0387a487e3410ca75486c5d79
File name: radF7DD3.tmp.exe

Infection Chain:

The user browses to the compromised website. Once the page loads, the injected pseudoDarkleech code causes the host to make a malicious GET request to the Rig EK landing page. Below is an image taken from the website's source code:


Here is the GET request for the Rig EK landing page, as well as the GET requests for the Flash exploit and payload (in that order):


As always, there is an extension-less file dropped in %TEMP% which acts as a downloader. That file deletes itself, and then we see an executable dropped in %TEMP%. Below is an image of the executable, the other CryptMIC files, and the Desktop (with ransom notes):


I recommend blocking the compromised website (until it is cleaned), the Rig EK IP and the CryptMIC C2 IP.
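A defender-side check for the last indicator listed above (CryptMIC post-infection traffic on TCP port 443 that is not encrypted). This is an added example, not part of the original post: the flow records and payload bytes are constructed here, and the heuristic only inspects the first client-to-server bytes for a TLS ClientHello record header, flagging port-443 flows that start with anything else.

```python
import struct
from dataclasses import dataclass

TLS_RECORD_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}


@dataclass
class Flow:
    """Constructed flow summary: first client-to-server payload bytes only."""
    src: str
    dst: str
    dport: int
    first_bytes: bytes


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record carrying a ClientHello.

    Record header: type(1) | version(2) | length(2), then handshake type(1).
    SSLv2-style hellos are not recognised and would be flagged as plaintext.
    """
    if len(payload) < 6:
        return False
    rec_type = payload[0]
    version, length = struct.unpack("!HH", payload[1:5])
    return (rec_type == TLS_RECORD_HANDSHAKE
            and version in TLS_RECORD_VERSIONS
            and length > 0
            and payload[5] == TLS_HANDSHAKE_CLIENT_HELLO)


def flag_plaintext_on_443(flows):
    """Return (src, dst, preview) for port-443 flows whose first bytes are not TLS."""
    return [(f.src, f.dst, f.first_bytes[:16])
            for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)]


# Constructed samples: a genuine-looking ClientHello, a plaintext POST to 443
# (stand-in for the unencrypted C2 traffic), and ordinary HTTP on port 80.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.5", "198.51.100.7", 443, b"POST /index.php HTTP/1.1\r\nHost: x\r\n"),
    Flow("10.0.0.5", "192.0.2.20", 80, b"GET / HTTP/1.1\r\nHost: y\r\n"),
]

if __name__ == "__main__":
    for src, dst, preview in flag_plaintext_on_443(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst} starts with {preview!r}")
```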
