- 22.214.171.124 – northcoastmed.com – Compromised website
- 126.96.36.199 – dropname.syncroweb.com – Afraidgate subdomain
- 188.8.131.52 – red.telco.news – RIG-v EK
- 184.108.40.206 – lingvitopr.com – Godzilla loader GET for Locky
- 220.127.116.11 – Locky post-infection traffic – POST /checkupdate
File name: northcoastmed.com.html
File name: dropname.syncroweb.com Afraidgate.js
File name: RIG-v Pre-Landing Page.html
File name: RIG-v Landing Page.html
File name: RIG-v Flash Exploit.swf
File name: AuDg0KHsWoZnSaz.exe (RIG-v EK payload Gozilla loader)
File name: HPbbw15LQhlVnOOYCjJfDkLY2.exe (Locky)
The infection chain started with browsing to the compromised website. The website contained script that caused the host to make a request for a .js file being hosted at an Afraidgate subdomain. Below is an image of the script found in the compromised website:
Here is the script contained within that .js file, which is returned to the host:
The subdomain, dropname.syncroweb[.]com, is resolving to 18.104.22.168. Using PassiveTotal to check the resolution history I can see multiple Afraidgate domains being used in recent weeks:
Whois information shows the Afraid.org name servers:
The host is then redirected to the URL contained within the iframe. In this particular case that URL would be the RIG-v “pre-landing” page that checks if the User-Agent is IE. The host is then redirected to the landing page. My host was then sent a Flash exploit, followed by an .tmp.exe file (Godzilla loader) in %Temp%. Below is the GET request:
The file is deleted from %Temp% but remains in ProgramFiles (x86), name AuDg0KHsWoZnSaz.exe:
Godzilla loader initiates a GET request for a file being hosted at lingvitopr[.]com using the User-Agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E),” which is Internet Explorer 8.0.
Not sure it matters but lingvitopr[.]com was first seen 12/23/16 resolving to 22.214.171.124. The first time it resolved to 126.96.36.199 was on 12/30/16.
We also see it drop a .lnk Shortcut in Startup:
Below is the GET request to the web server. Notice the User-Agent in the request header:
Locky is dropped in %Temp%:
We then see the Locky CnC checkin traffic to 188.8.131.52 (/checkupdate).
The first thing the user will notice is that their Desktop background is changed to a picture of the ransom note. The ransom note also pops up on the users Desktop in the form of an .bmp image and .htm file. This is the Osiris variant of Locky, which appends encrypted files with .osiris.
Block the offending IPs at your perimeter firewall(s).