IOCs:
- 104.28.31.109 – lepatek.com – Compromised website
- 92.53.120.4 – key.benslocksmithaddison.info – RIG-v EK
- 109.236.87.84 – POST /images/slideshow/info.php – ET TROJAN CryptoShield Ransomware Checkin (Emerging Threats signature; the C2 is contacted by IP, with no domain)
Traffic:
Hashes:
SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8
File name: RIG-v EK Flash Exploit.swf
SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea
File name: QTTYUADAF
SHA256: e680fae09e442833699d9e6e8363f08cca7d8bd92d7abc86027d6a14c88a5c4e
File name: rad26801.tmp.exe
Hybrid-Analysis Report
Infection Chain:
Loading the website in my browser and inspecting the TCP stream between my host and the web server showed that the EITest script had been injected into the web page (EITest is the campaign that plants a redirect script on compromised sites to funnel visitors to an exploit kit). Below is the EITest script returned by the web server:
The URL within the script redirected my host to the RIG-v EK pre-landing page. The host was then redirected to the landing page after which we see the Flash exploit followed by the malware payload.
We see cmd.exe create QTTYUADAF in %Temp% and execute it. The script causes the host to make a GET request for the malware payload. The malware payload (rad26801.tmp.exe) is dropped and executed in %Temp%:
The malware is also copied to C:\ProgramData\MicroSoft\TMP\system32 under the name conhost.exe:
As with many other crypto-ransomware variants, this one runs vssadmin.exe Delete Shadows /All /Quiet to delete the Volume Shadow Copies from the system, so users won't be able to recover earlier versions of their encrypted files from them. It is for this reason that users should take preventative action ahead of time and disable the vssadmin.exe utility (it has to be done before an infection, since the ransomware runs the command itself). Read more about this at BleepingComputer.com.
Some other commands found include bcdedit /set {default} recoveryenabled No and bcdedit /set {default} bootstatuspolicy ignoreallfailures (both seen as bcdedit.exe launches). The first disables Startup Repair and the second tells the boot loader to ignore all failures during boot, which keeps the victim out of the recovery environment where the damage might otherwise be noticed or undone.
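The three commands above are the kind of thing a detection engineer would alert on. The following is an added example, not code from the original post: a small scanner that runs a few regex rules over constructed process-creation records (Sysmon Event ID 1 style fields: image, command line, parent image) and raises severity when the parent process lives in a user-writable directory such as %Temp% or ProgramData, as rad26801.tmp.exe and conhost.exe do here. The wmic shadowcopy delete pattern is a generalization beyond this sample; the sample events and the SUSPICIOUS_PARENT_DIRS list are assumptions made for the example.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# These are illustrative, not records captured from the infection in the post.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\user\AppData\Local\Temp\rad26801.tmp.exe"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No",
     "parent": r"C:\Users\user\AppData\Local\Temp\rad26801.tmp.exe"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
     "parent": r"C:\Users\user\AppData\Local\Temp\rad26801.tmp.exe"},
    # Benign administration: listing shadows or enumerating boot entries is normal.
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Rule name -> command-line pattern. Case-insensitive because the ransomware
# uses mixed case ("Delete Shadows") and an analyst typing by hand may not.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
        re.IGNORECASE),
    "startup_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.IGNORECASE),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.IGNORECASE),
}

# Assumed list of parent locations that should never be launching recovery-tampering
# commands; matched against the lower-cased parent image path.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\")


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def parent_is_suspicious(parent_image):
    """True when the parent executable sits in a user-writable staging directory."""
    lowered = parent_image.lower()
    return any(d in lowered for d in SUSPICIOUS_PARENT_DIRS)


def scan(events):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            findings.append({
                "rule": rule,
                "cmdline": ev["cmdline"],
                "parent": ev["parent"],
                # A recovery-tampering command spawned from %Temp% is about as
                # clear a ransomware signal as process telemetry gives you.
                "severity": "high" if parent_is_suspicious(ev["parent"]) else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['cmdline']}  (parent: {f['parent']})")
```

Running it flags only the three tampering commands, all at high severity because their parent is rad26801.tmp.exe in %Temp%; the List Shadows and /enum lines pass untouched, which is the false-positive check worth keeping when you port these patterns to a real SIEM rule.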
The ransomware also generates a unique ID for the victim and an encryption key. The infected machine then uploads the ID and the private key to the C2 server via POST requests to 109.236.87.84/images/slideshow/info.php (the check-in that fires the ET TROJAN signature listed in the IOCs above).
Filenames are obfuscated with ROT-13 (a simple letter substitution in which each letter is shifted 13 places; digits and punctuation are left untouched, and applying it twice restores the original) and are then appended with .CRYPTOSHIELD. Because ROT-13 is reversible by anyone, victims of CryptoShield can use http://www.rot13.com/ to recover the original names of their files. Unfortunately, there currently isn't a way for users to decrypt the actual file contents. Here are some images of encrypted files on my machine:
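Recovering the names is easy to script for a whole directory, which helps when inventorying what was hit. This is an added example, not part of the original post or of CryptoShield itself. It assumes the entire original name, extension included, was rotated before .CRYPTOSHIELD was appended, and the sample listing is constructed for the example. It only plans the renames; it cannot and does not touch the encrypted contents.

```python
import os

SUFFIX = ".CRYPTOSHIELD"


def rot13(text):
    """Rotate A-Z and a-z by 13 positions; everything else passes through.
    ROT-13 is its own inverse, so encoding and decoding are the same step."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def original_name(encrypted_name):
    """Recover the original filename of a CryptoShield-renamed file.
    Returns None when the .CRYPTOSHIELD suffix is absent, so untouched files
    (and the ransom notes) are never mis-renamed."""
    if not encrypted_name.endswith(SUFFIX):
        return None
    return rot13(encrypted_name[: -len(SUFFIX)])


def recovery_map(names):
    """Map each encrypted filename in a listing to its original name."""
    return {n: original_name(n) for n in names if n.endswith(SUFFIX)}


def rename_plan(directory, names):
    """Return (current_path, restored_path) pairs for one directory.
    The caller decides whether to apply them; the file contents stay encrypted."""
    return [(os.path.join(directory, enc), os.path.join(directory, orig))
            for enc, orig in recovery_map(names).items()]


# Constructed directory listing (assumed for the example, not from the infected host).
SAMPLE_LISTING = [
    "Ohqtrg.kyfk.CRYPTOSHIELD",        # Budget.xlsx
    "Cubgb 2016.wct.CRYPTOSHIELD",     # Photo 2016.jpg (digits are not rotated)
    "# RESTORING FILES #.TXT",         # ransom note, left alone
    "notes.txt",                       # not encrypted, left alone
]

if __name__ == "__main__":
    for src, dst in rename_plan(r"C:\Users\user\Documents", SAMPLE_LISTING):
        print(f"{src} -> {dst}")
```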
This infection drops ransom notes in each folder that contains encrypted files.
After a successful infection the user is then presented with two ransom notes: one is an .HTML file and the other is a .txt file. Both use the naming convention # RESTORING FILES #:
Instructions from the ransom note indicate that the user must send an email to one of the following addresses:
- res_sup@india.com – SUPPORT
- res_sup@computer4u.com – SUPPORT RESERVER FIRST
- res_reserve@india.com – SUPPORT RESEVE SECOND
Looking through the registry I found the following persistence entries under the Run and RunOnce keys:
I would urge users NOT to pay the ransom. While there currently isn't a decryption tool for this variant, one could be released in the future, so hold on to copies of your encrypted documents in case that happens.
For more information please see this excellent write-up on BleepingComputer.com by Lawrence Abrams.
Until next time!