- 220.127.116.11 – etc.usf.edu – Compromised subdomain on usf.edu
- 18.104.22.168 – red.wellnesswatchersmd.net – Rig-V EK
- 22.214.171.124 – d4sna.rithiperdien.top – Rig-E EK
- 126.96.36.199 – GET /validator_os/master_valid_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe
- 188.8.131.52 – POST /validator_os/master_valid_os/microsoft_osINFO.php – POSTs files to webserver
File name: RigV UA check page.html
File name: RigV Landing Page.html
File name: RigV Flash Exploit.swf
File name: OTTYUADAF
File name: Spy Security SoftWare_91bf6e5_aed68d54.exe
The infection chain started off with me browsing the Educational Technology Clearinghouse – University of South Florida website. Injected in the source code of the page was the EITest script shown below:
The URL contained within the script redirected the host to a Rig-V html document containing a script that checks the user-agent being used (browser). It should be noted that the EITest script being injected on etc.usf.edu was also pointing to Rig-E EK, however, I didn’t get a successful infection.
Here is traffic from the failed Rig-E attempts:
Below is the GET request for the Rig-V UA check page and the response from the server:
The script above is designed to identify the browser being used. If the user-agent is IE and you’re not a bot then the script instructs the host to make a POST request for a landing page. For a more detailed analysis of this script please click HERE.
Further down the infection chain we see a POST request for the landing page, a GET request for a Flash exploit, and a request for the payload.
The payload is dropped in %temp% and created in ProgramData (Spy Security SoftWare_91bf6e5_aed68d54.exe):
The malware uses persistence by creating values in the registry (Run and RunOnce keys):
We also see the malware using vssadmin.exe to delete the Shadow Volume Copies (A-Z), backups (wbadmin delete catalog -quiet), reading system information (computer name and GUID) using Windows Management Instrumentation Commandline (WMIC), and using bcdedit.exe in an attempt suppress failures during boot (used to hide system changes):
Continuing the investigation we can look at the callback traffic. This includes a GET request for a file located at the C2:
The response from the server is 401 Unauthorized with the string os_valid: TRUE. Following this we see two POST requests to the C2.
The first POST request contains the value for the “id_number” (personal identification ID), “key_os” (decoding the hex dump shows it contains an RSA1 key), and an empty status value.
The second POST request contains the same information however this time we see the status = DoneWorkEnd.
After the user’s files have been encrypted the filenames are appended with .email[firstname.lastname@example.org]id[personal identification ID] and the file extension is changed to .lesli.
Lastly we see the ransom notes (INSTRUCTION RESTORE FILE.txt) created in various folders as well as one dropped on the Desktop. As noted with previous CryptoMix infections (see malware-traffic-analysis write up) the bottom of the ransom note says “^_- Lesli Spying On You -_-“:
My recommendations would be to block the Rig EK IPs at your firewall(s) and to disable vssadmin.exe. To read more about why and how you should disable vssadmin.exe click HERE.
Until next time!