Rig Exploit Kit via the EITest injected script delivers CryptFile2 ransomware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK) delivering CryptFile2 ransomware via the EITest campaign.
  • Files on the infected host were encrypted and their file extensions were changed to @dr.com_.scl.
  • The Rig EK landing page in this chain uses domain shadowing (also called DNS shadowing): a newly created third-level domain under a legitimate registered domain, resolving to attacker infrastructure rather than the legitimate site, as explained in the sucuri.net blog post "Website Malware – Evolution of Pseudo Darkleech".
  • Thanks to @CyberScimitar for sharing information on the compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-10-27-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.visitnewyork.com – COMPROMISED SITE
  • 195.133.201.212 – new.escapegamekc.com – RIG EK LANDING PAGE
  • 5.39.84.236 – GET /index.html – CryptFile2 CnC CHECK-IN
  • 5.39.84.236 – POST /uploader_img/imgupload.php – CryptFile2 CnC CHECK-IN

ASSOCIATED EMAILS FOR RANSOM PAYMENT:

E-MAIL1: enc7@usa.com
E-MAIL2: enc7@dr.com


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig EK and the delivery of CryptFile2 ransomware


Shown above: Injected script on the index page of the compromised site, associated with the EITest campaign, which redirects visitors to the Rig EK landing page. The page source can be viewed by right-clicking on the web page and selecting "View source".


Shown above: Using the ping command you can see the domain shadowing. Pinging the registered (second-level) domain alone returns the IP address of the legitimate website; pinging the third-level domain (new.escapegamekc.com) returns a different IP address, 195.133.201.212, which hosts the Rig EK landing page.
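The same comparison the ping screenshot makes by hand, as an added example (not code from the original post): resolve each candidate hostname and its parent (registered) domain, and flag any third-level name whose address differs from the parent's, which is the footprint domain shadowing leaves. The resolver is pluggable so the check runs offline here; the constructed table below uses the landing-page indicators from this capture (new.escapegamekc.com, 195.133.201.212) but a placeholder TEST-NET address for the legitimate parent domain, since the post does not record its real IP.

```python
"""Flag third-level hostnames whose A record points somewhere other than the
parent (registered) domain, the pattern domain shadowing produces.

Added example, not from the original post. A constructed resolver stands in
for live DNS so the check runs offline; live_resolver() uses the system stub.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]


def parent_domain(fqdn: str) -> Optional[str]:
    """Strip the left-most label: new.escapegamekc.com -> escapegamekc.com.
    Returns None when there is nothing left to compare against (apex or TLD).
    Public-suffix handling (co.uk etc.) is deliberately out of scope here."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[1:])


def live_resolver(name: str) -> Optional[str]:
    """Resolve with the system resolver; None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_shadowed(hosts: List[str], resolve: Resolver = live_resolver
                  ) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (host, host_ip, parent, parent_ip) for every host that resolves
    to an address different from its parent domain's address.

    A differing address is a lead, not proof: CDN-fronted or outsourced
    subdomains (mail., cdn.) differ legitimately, so triage the hits."""
    findings = []
    for host in hosts:
        parent = parent_domain(host)
        if parent is None:
            continue
        host_ip = resolve(host)
        if host_ip is None:
            continue
        parent_ip = resolve(parent)
        if host_ip != parent_ip:
            findings.append((host, host_ip, parent, parent_ip))
    return findings


# Constructed resolution table. new.escapegamekc.com -> 195.133.201.212 is the
# landing-page indicator from the capture; the parent domain's address is a
# placeholder from the TEST-NET-3 range (203.0.113.0/24), not the real IP.
SAMPLE_DNS: Dict[str, str] = {
    "escapegamekc.com": "203.0.113.10",
    "www.escapegamekc.com": "203.0.113.10",
    "new.escapegamekc.com": "195.133.201.212",
}


def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for live_resolver()."""
    return SAMPLE_DNS.get(name.rstrip(".").lower())


if __name__ == "__main__":
    for host, ip, parent, pip in find_shadowed(list(SAMPLE_DNS), sample_resolver):
        print(f"{host} -> {ip} but {parent} -> {pip}: possible domain shadowing")
```

To run it against live DNS, call `find_shadowed(hosts)` with the default resolver; for hostnames harvested from a proxy log that is a quick first-pass triage before pivoting on the suspect IP in passive DNS.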


Shown above: Wireshark's "Follow TCP Stream" on packet 129 shows partial contents of the Rig EK sending the Flash exploit


Shown above: Wireshark's "Follow TCP Stream" on packet 245 shows partial encrypted/obfuscated contents of the Rig EK delivering the CryptFile2 ransomware payload


Shown above: CryptFile2 ransomware post-infection check-in with its command and control (CnC) host
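The check-in above consists of two requests to 5.39.84.236, a GET /index.html followed by a POST /uploader_img/imgupload.php (the indicators listed earlier). Either request on its own is noise on a busy network; the pair from one client to one server within a short window is the signal. Below is an added example (not part of the original post) that pairs them in an HTTP request log. The tab-separated log format and every record in it are constructed for the example; the paths, the CnC address and the compromised-site hostname are taken from the indicators on this page.

```python
"""Pair the two CryptFile2 check-in requests seen in the capture:
GET /index.html followed by POST /uploader_img/imgupload.php from the same
client to the same server.

Added example, not part of the original post. The log format (tab-separated
ts, src, dst, method, host, uri) and all records below are constructed.
"""
from ipaddress import ip_address
from typing import Dict, List, Tuple

CHECKIN_GET = "/index.html"
CHECKIN_POST = "/uploader_img/imgupload.php"


def parse_http_log(text: str) -> List[Dict[str, object]]:
    """Parse the constructed log format; '#' lines are comments/headers."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, method, host, uri = line.split("\t")
        records.append(dict(ts=float(ts), src=src, dst=dst,
                            method=method, host=host, uri=uri))
    return records


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP, as in this capture. Malware
    contacting CnC by IP rather than name is a useful secondary feature."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_checkins(records: List[Dict[str, object]], max_gap: float = 300.0
                  ) -> List[Tuple[str, str, float, float, bool]]:
    """Return (src, dst, ts_get, ts_post, host_is_bare_ip) for each GET
    /index.html followed within max_gap seconds by POST
    /uploader_img/imgupload.php on the same (src, dst) pair."""
    pending: Dict[Tuple[str, str], float] = {}   # (src, dst) -> ts of last GET
    hits = []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["src"], r["dst"])
        if r["method"] == "GET" and r["uri"] == CHECKIN_GET:
            pending[key] = r["ts"]
        elif r["method"] == "POST" and r["uri"] == CHECKIN_POST and key in pending:
            t_get = pending.pop(key)
            if r["ts"] - t_get <= max_gap:
                hits.append((r["src"], r["dst"], t_get, r["ts"],
                             is_bare_ip(str(r["host"]))))
    return hits


# Constructed sample log. 10.0.0.5 is the infected host; the decoy client
# 10.0.0.9 POSTs to the uploader path without the preceding GET and must not
# match. Timestamps are arbitrary epoch seconds on the capture date.
SAMPLE_LOG = """\
# ts\tsrc\tdst\tmethod\thost\turi
1477580001.0\t10.0.0.5\t198.51.100.7\tGET\twww.visitnewyork.com\t/
1477580003.0\t10.0.0.5\t198.51.100.7\tGET\twww.visitnewyork.com\t/index.html
1477580040.0\t10.0.0.5\t5.39.84.236\tGET\t5.39.84.236\t/index.html
1477580041.0\t10.0.0.5\t5.39.84.236\tPOST\t5.39.84.236\t/uploader_img/imgupload.php
1477580050.0\t10.0.0.9\t203.0.113.44\tPOST\tuploads.example\t/uploader_img/imgupload.php
"""


if __name__ == "__main__":
    for src, dst, t0, t1, bare in find_checkins(parse_http_log(SAMPLE_LOG)):
        print(f"CryptFile2 check-in: {src} -> {dst} GET@{t0:.0f} POST@{t1:.0f} "
              f"(Host is bare IP: {bare})")
```

Zeek's http.log or a proxy export can be mapped onto the same six fields; the `max_gap` window keeps an unrelated GET /index.html hours earlier from pairing with a later upload to the same server.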


Shown above: Some of the files encrypted by CryptFile2 ransomware and the file extension appended to them


Shown above: HELP_DECRYPT_YOUR_FILES.TXT ransom note and payment instructions associated with CryptFile2 ransomware


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: