IOCs:
- 131.247.120.45 – etc.usf.edu – Compromised subdomain on usf.edu
- 217.107.37.39 – red.wellnesswatchersmd.net – Rig-V EK
- 93.115.38.112 – d4sna.rithiperdien.top – Rig-E EK
- 5.39.84.236 – GET /validator_os/master_valid_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe
- 5.39.84.236 – POST /validator_os/master_valid_os/microsoft_osINFO.php – POSTs files to webserver
Traffic:
Hashes:
SHA256: 36fecf334a7be0e9c33c7a745c09e5daf775438e4018cc7de26e5d056ff9ec0f
File name: RigV UA check page.html
SHA256: ef89449250ff7e297300bd1bf1c5ca1c4de691b8d23727e481b24121985f69ad
File name: RigV Landing Page.html
SHA256: 65e938972896e4ffb6c4de3f8314e1a2acd8da5f86fee94f34d35a5d334723e6
File name: RigV Flash Exploit.swf
SHA256: 9f93a612da234591aa2645277aa0672ad53cfebe2697bdcf5e38e0920e270d35
File name: OTTYUADAF
SHA256: 820eada2932ea457bcb098f657034c8c8c727b18449a924653f323d4a0559c11
File name: Spy Security SoftWare_91bf6e5_aed68d54.exe
Hybrid-Analysis Submission
Infection Chain:
The infection chain started off with me browsing the Educational Technology Clearinghouse – University of South Florida website. Injected in the source code of the page was the EITest script shown below:
The URL contained within the script redirected the host to a Rig-V HTML document containing a script that checks the user-agent (browser) being used. It should be noted that the EITest script injected on etc.usf.edu also pointed to the Rig-E EK; however, I didn't get a successful infection from it.
Here is traffic from the failed Rig-E attempts:
Below is the GET request for the Rig-V UA check page and the response from the server:
The script above is designed to identify the browser being used. If the user-agent is IE and the visitor is not a bot, the script instructs the host to make a POST request for the landing page. For a more detailed analysis of this script please click HERE.
Further down the infection chain we see a POST request for the landing page, a GET request for a Flash exploit, and a request for the payload.
The payload is dropped in %temp% and created in ProgramData (Spy Security SoftWare_91bf6e5_aed68d54.exe):
The malware establishes persistence by creating values in the registry (Run and RunOnce keys):
We also see the malware using vssadmin.exe to delete the Shadow Volume Copies (drives A-Z), deleting backups (wbadmin delete catalog -quiet), reading system information (computer name and GUID) via the Windows Management Instrumentation Command-line (WMIC), and using bcdedit.exe in an attempt to suppress failures during boot (used to hide system changes):
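The host-side behaviour described above (Run/RunOnce persistence pointing into ProgramData, vssadmin and wbadmin deleting recovery data, WMIC reading system identifiers, bcdedit suppressing boot failures) is what an endpoint detection rule would key on. The following is an added example, not code from this post: it runs a few command-line and registry rules over constructed process-creation and registry value-set events in a reduced Sysmon-style shape. The exact command lines and the registry value name are assumptions for illustration; only the dropped executable's name comes from the page.

```python
import re

# Constructed process-creation events in a reduced Sysmon Event ID 1 shape
# (Image, CommandLine). The command lines are assumptions illustrating the
# behaviours described in the post; they were not captured from this infection.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic csproduct get uuid"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Benign administrative use of the same binary: must not alert.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

# Constructed registry value-set events (Sysmon Event ID 13 shape). The SID and
# value name are placeholders; the executable name is the one from the post.
SAMPLE_REGISTRY_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\SpySecurity",
     "Details": r"C:\ProgramData\Spy Security SoftWare_91bf6e5_aed68d54.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# (rule name, regex over the command line). Matching the verb ("delete shadows",
# "delete catalog") rather than the binary alone keeps benign admin use quiet.
COMMAND_LINE_RULES = [
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("backup_catalog_deletion", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("boot_recovery_tampering",
     r"\bbcdedit(\.exe)?\s+/set\b.*\b(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b"),
    ("wmic_system_recon", r"\bwmic(\.exe)?\s+(csproduct|computersystem)\b"),
]

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# User-writable drop locations seen in this infection (%temp% and ProgramData).
DROP_LOCATIONS = re.compile(
    r"\\(ProgramData|Users\\[^\\]+\\AppData\\Local\\Temp)\\", re.IGNORECASE)


def match_command_line(event):
    """Return the names of every rule the event's command line triggers."""
    return [name for name, pattern in COMMAND_LINE_RULES
            if re.search(pattern, event["CommandLine"], re.IGNORECASE)]


def scan_process_events(events):
    """Return (rule, command line) pairs for every alerting event."""
    return [(rule, ev["CommandLine"])
            for ev in events for rule in match_command_line(ev)]


def suspicious_autoruns(reg_events):
    """Run/RunOnce values whose data points into a user-writable drop location."""
    return [ev for ev in reg_events
            if AUTORUN_KEY.search(ev["TargetObject"])
            and DROP_LOCATIONS.search(ev["Details"])]


def recovery_inhibition_score(events):
    """Number of distinct recovery-inhibition behaviours seen on one host.
    Each command has a legitimate use on its own; several of them together
    in a short window is the ransomware signal worth paging on."""
    return len({rule for rule, _ in scan_process_events(events)})


if __name__ == "__main__":
    for rule, cmd in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{rule}] {cmd}")
    for ev in suspicious_autoruns(SAMPLE_REGISTRY_EVENTS):
        print(f"[autorun_in_drop_location] {ev['TargetObject']} -> {ev['Details']}")
    print("recovery inhibition score:", recovery_inhibition_score(SAMPLE_PROCESS_EVENTS))
```

The score is the part worth keeping: a single `vssadmin delete shadows` from a backup operator is noise, but shadow deletion plus catalog deletion plus bcdedit tampering on the same host within minutes is the pattern this sample shows.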
Continuing the investigation we can look at the callback traffic. This includes a GET request for a file located at the C2:
The response from the server is 401 Unauthorized with the string os_valid: TRUE. Following this we see two POST requests to the C2.
The first POST request contains the value for the “id_number” (personal identification ID), “key_os” (decoding the hex dump shows it contains an RSA1 key), and an empty “status” value.
The second POST request contains the same information; this time, however, we see status = DoneWorkEnd.
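The callback traffic above has a recognisable shape: a GET to ms_statistic_os_key.php answered with 401, then POSTs to microsoft_osINFO.php from the same client. The following is an added example, not code from this post: it parses a constructed proxy log in an assumed space-separated layout, tags requests against the IOCs listed at the top of the post, and correlates the GET/POST check-in sequence per client. The IPs, hostnames and C2 paths are the post's; timestamps, client addresses, the landing-page path and the non-malicious line are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the IOC list at the top of the post.
EK_IPS = {"217.107.37.39", "93.115.38.112"}           # Rig-V, Rig-E
C2_IPS = {"5.39.84.236"}
EK_HOSTS = {"red.wellnesswatchersmd.net", "d4sna.rithiperdien.top"}
COMPROMISED_HOSTS = {"etc.usf.edu"}                    # legitimate site carrying the injected script
C2_PATH = re.compile(
    r"^/validator_os/master_valid_os/(?P<script>ms_statistic_os_key\.php|microsoft_osINFO\.php)")

# Constructed proxy log, assumed layout:
#   timestamp client method dest_ip host path status
# Only the hosts, IPs and C2 paths come from the post; the rest is made up.
SAMPLE_LOG = """\
2017-03-01T10:00:01 10.0.0.5 GET 131.247.120.45 etc.usf.edu /page.html 200
2017-03-01T10:00:03 10.0.0.5 GET 217.107.37.39 red.wellnesswatchersmd.net / 200
2017-03-01T10:00:05 10.0.0.5 POST 217.107.37.39 red.wellnesswatchersmd.net / 200
2017-03-01T10:00:20 10.0.0.5 GET 5.39.84.236 5.39.84.236 /validator_os/master_valid_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe 401
2017-03-01T10:00:22 10.0.0.5 POST 5.39.84.236 5.39.84.236 /validator_os/master_valid_os/microsoft_osINFO.php 200
2017-03-01T10:30:00 10.0.0.7 GET 192.0.2.10 www.example.net / 200
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<dest>\S+) "
                  r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_log(text):
    """Parse the assumed layout into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = datetime.fromisoformat(row["ts"])
            rows.append(row)
    return rows


def classify(row):
    """Return (severity, tag) pairs for one request."""
    tags = []
    if row["dest"] in C2_IPS or C2_PATH.match(row["path"]):
        tags.append(("high", "cryptomix_c2"))
    if row["dest"] in EK_IPS or row["host"] in EK_HOSTS:
        tags.append(("high", "rig_ek"))
    if row["host"] in COMPROMISED_HOSTS:
        # The university site is a victim of injection, not the attacker:
        # useful as a hunting pivot, not a block-list entry.
        tags.append(("low", "compromised_redirector"))
    return tags


def checkin_sequences(rows, window=timedelta(minutes=5)):
    """Clients showing the two-step check-in from the post: a GET to
    ms_statistic_os_key.php answered 401, then a POST to microsoft_osINFO.php
    within `window`."""
    by_client = defaultdict(list)
    for r in rows:
        m = C2_PATH.match(r["path"])
        if m:
            by_client[r["client"]].append((r["ts"], r["method"], m.group("script"), r["status"]))
    found = set()
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (ts, method, script, status) in enumerate(reqs):
            if method == "GET" and script == "ms_statistic_os_key.php" and status == "401":
                if any(m2 == "POST" and s2 == "microsoft_osINFO.php" and ts2 - ts <= window
                       for ts2, m2, s2, _ in reqs[i + 1:]):
                    found.add(client)
    return sorted(found)


def summarize(text):
    """Tag counts across the log plus the clients that completed the check-in."""
    rows = parse_log(text)
    counts = defaultdict(int)
    for r in rows:
        for _, tag in classify(r):
            counts[tag] += 1
    return dict(counts), checkin_sequences(rows)


if __name__ == "__main__":
    counts, clients = summarize(SAMPLE_LOG)
    print("tag counts:", counts)
    print("clients with completed C2 check-in:", clients)
```

The correlation step matters because the individual URIs are easy to rotate; a 401 on a GET followed by a POST to a sibling path on the same host is the behavioural part that survives a change of IP.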
After the user’s files have been encrypted the filenames are appended with .email[supl0@post.com]id[personal identification ID] and the file extension is changed to .lesli.
Lastly we see the ransom notes (INSTRUCTION RESTORE FILE.txt) created in various folders as well as one dropped on the Desktop. As noted with previous CryptoMix infections (see the malware-traffic-analysis write-up), the bottom of the ransom note says “^_- Lesli Spying On You -_-”:
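When scoping an incident like this one, the renamed files and the ransom notes are the two artifacts that tell you how far encryption got and which victim ID the attacker assigned. The following is an added example, not code from this post: it parses the `.email[address]id[ID].lesli` naming pattern described above, walks a directory tree counting encrypted files and notes, and recovers the victim ID and the original file types. The directory layout and the victim ID are constructed placeholders; the contact address, suffix and note name are the ones from the post.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Pattern from the post: <original name>.email[<address>]id[<victim id>].lesli
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.email\[(?P<email>[^\]]+)\]id\[(?P<victim_id>[^\]]+)\]\.lesli$")
RANSOM_NOTE = "INSTRUCTION RESTORE FILE.txt"


def parse_encrypted_name(name):
    """Return original name, contact address and victim id, or None if the
    name does not follow the Lesli pattern."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def scan_tree(root):
    """Walk `root` and collect encrypted files, ransom notes, victim ids and
    a histogram of the original file extensions."""
    root = Path(root)
    result = {"encrypted": [], "notes": [], "victim_ids": set(),
              "original_suffixes": Counter()}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE:
            result["notes"].append(p)
            continue
        parsed = parse_encrypted_name(p.name)
        if parsed:
            result["encrypted"].append(p)
            result["victim_ids"].add(parsed["victim_id"])
            suffix = Path(parsed["original"]).suffix.lower() or "(none)"
            result["original_suffixes"][suffix] += 1
    return result


def build_sample_tree():
    """Constructed directory layout in a temp dir; the victim id is a placeholder."""
    root = Path(tempfile.mkdtemp(prefix="lesli_triage_"))
    (root / "Documents").mkdir()
    (root / "Desktop").mkdir()
    files = [
        "Documents/budget.xlsx.email[supl0@post.com]id[0123456789ABCDEF].lesli",
        "Documents/thesis.docx.email[supl0@post.com]id[0123456789ABCDEF].lesli",
        "Desktop/photo.jpg.email[supl0@post.com]id[0123456789ABCDEF].lesli",
        "Documents/" + RANSOM_NOTE,
        "Desktop/" + RANSOM_NOTE,
        "Documents/untouched.txt",   # a file the ransomware did not reach
    ]
    for f in files:
        (root / f).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print("encrypted files:", len(report["encrypted"]))
    print("ransom notes:", len(report["notes"]))
    print("victim ids:", sorted(report["victim_ids"]))
    print("original types:", dict(report["original_suffixes"]))
```

More than one victim ID in the same tree is worth noticing: it usually means a second infection or files copied in from another victim, which changes how you read the timeline.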
My recommendations would be to block the Rig EK IPs at your firewall(s) and to disable vssadmin.exe. To read more about why and how you should disable vssadmin.exe click HERE.
Until next time!
My PC is infected with the Lesli Spying On You ransomware. Do you have a step-by-step solution for the not-so-tech-savvy individual?
Hello Elise,
I am sorry that has happened to your computer. The best thing you can do is try to find a public decryption tool for this ransomware variant. I would look around on this thread for some advice or support https://www.bleepingcomputer.com/forums/t/611907/cryptomix-ransomware-help-and-support-topic-code-scl-extension/. However, I don’t believe there is such a tool yet. You could always save a copy of the encrypted files and wait to see if a tool is ever released.
Generally, I would advise against paying any form of ransom.