Rig Exploit Kit via pseudoDarkleech gates ddnsking and hopto delivers CrypMic ransomware

NOTES:

  • Today I captured traffic from the latest version of CrypMic ransomware. The ransomware was delivered via the pseudoDarkleech campaign with use of the Rig Exploit Kit.
  • pseudoDarkleech redirected to the Rig Exploit Kit Landing page via the ddnsking.com and hopto.org gates.
  • The injection method was an Iframe, as mentioned in a post on the SANS Internet Storm Center forum, "Change in patterns for the pseudoDarkleech campaign".
  • CrypMic continues to send its ransom notes over SSL port 443 in clear text.
  • CrypMic is now sending its payload as an .EXE executable file.
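As an added example (not part of the original post or its pcap), the following Python checks a captured client-to-server stream for the two behaviours in the notes above: a plaintext HTTP request on TCP port 443, as the CrypMic check-in does, and a Host header under one of the dynamic-DNS gate domains. The sample streams are constructed; only the gate hostname and CnC address are taken from this post.

```python
"""Added example: flag clear-text HTTP on 443 and dynamic-DNS gate hosts.

A genuine TLS session starts with a record header 0x16 0x03 (handshake,
TLS 1.x); a plaintext HTTP request starts with an ASCII method token.
"""
import re

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")
# Dynamic-DNS services used as redirect gates in this post; the host
# labels in front of them were random and are not worth matching on.
GATE_SUFFIXES = ("ddnsking.com", "hopto.org")


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the first bytes look like a TLS handshake record."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def http_host(payload: bytes):
    """Return the lower-cased Host header of a plaintext HTTP request, or None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    m = re.search(rb"\r\nHost:\s*([^\r\n]+)", payload, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else None


def classify(dst_port: int, payload: bytes) -> list:
    """Return alert tags for one client->server TCP stream (first bytes)."""
    alerts = []
    host = http_host(payload)
    if dst_port == 443 and not is_tls_client_hello(payload) and host is not None:
        alerts.append("cleartext-http-on-443")  # CrypMic-style check-in
    if host and any(host == s or host.endswith("." + s) for s in GATE_SUFFIXES):
        alerts.append("dyndns-gate-host")  # pseudoDarkleech redirect gate
    return alerts


# Constructed sample streams (not from the pcap): (dst_port, first bytes).
SAMPLES = {
    "gate": (80, b"GET /index.php HTTP/1.1\r\nHost: yonfnwusgz.ddnsking.com\r\n\r\n"),
    "checkin": (443, b"POST / HTTP/1.1\r\nHost: 91.121.74.154\r\nContent-Length: 0\r\n\r\n"),
    "tls": (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
}

if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print(name, classify(port, data))
```

Fed with the first packet of each stream from a pcap, the same logic flags the gate redirect and the clear-text check-in while leaving real TLS traffic on 443 alone.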

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-09-22-Rig-EK-pcaps.zip

DOMAINS AND IP ADDRESSES ASSOCIATED WITH DDNSKING.COM:

  • www.fixmsoutlookerror.com – COMPROMISED SITE
  • 83.217.27.178 – yonfnwusgz.ddnsking.com – REDIRECT GATE
  • 74.208.112.66 – klebsiana-ylialivarakonttorin.atlantaofficeindustrialbroker.com – RIG EK LANDING PAGE
  • 91.121.74.154 – Port 443 – Clear Text – CnC Check-In POST INFECTION TRAFFIC

DOMAINS AND IP ADDRESSES ASSOCIATED WITH HOPTO.ORG:

  • fotografie-beyer.de – COMPROMISED SITE
  • 83.217.27.178 – gxvovf.hopto.org – REDIRECT GATE
  • 74.208.112.66 – klebsiana-ylialivarakonttorin.atlantaofficeindustrialbroker.com – RIG EK LANDING PAGE
  • 91.121.74.154 – Port 443 – Clear Text – CnC Check-In POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city

IMAGES AND DETAILS OF INFECTION CHAIN ASSOCIATED WITH DDNSKING.COM:

Shown above: Network traffic associated with the Rig exploit and CrypMic ransomware infection.

Shown above: Injected script found on index page of compromised site redirecting to the ddnsking.com redirect gate.

Shown above: Script found on ddnsking.com gate redirecting to the Rig exploit kit landing page.

IMAGES AND DETAILS OF INFECTION CHAIN ASSOCIATED WITH HOPTO.ORG:

Shown above: Network traffic associated with the Rig exploit and CrypMic ransomware infection.

Shown above: Injected script found on index page of compromised site redirecting to the hopto.org redirect gate.

Shown above: Script found on hopto.org gate redirecting to the Rig exploit kit landing page.

Shown above: Compromised host desktop showing ransom notes and payment instructions associated with CrypMic ransomware.

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: