Rig Exploit Kit via the EiTest injected script delivers CryptFile2 ransomware
- Today I captured traffic from the Rig Exploit Kit (EK) which delivered CryptFile2 ransomware via the EITEST campaign.
- Files on the infected host were encrypted and the file extensions were changed to @dr.com_.scl.
- The Rig exploit kit is making use of DNS Shadowing as explained in a sucuri.net blog post Website Malware – Evolution of Pseudo Darkleech.
- Thanks to @CyberScimitar for sharing information on compromised site.
I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- www.visitnewyork.com – COMPROMISED SITE
- 18.104.22.168 – new.escapegamekc.com – RIG EK LANDING PAGE
- 22.214.171.124 – GET /index.html – CryptFile2 CnC CHECK-IN
- 126.96.36.199 – POST /uploader_img/imgupload.php – CryptFile2 CnC CHECK-IN
ASSOCIATED EMAILS FOR RANSOM PAYMENT:
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Injected script found on index page of compromised site associated with the EiTest campaign which redirects visitors to the Rig EK landing page – Web page source code can be found by right clicking on web page and selecting “View source”
Shown above: Using the ping command you can see the use of DNS shadowing. If you ping the landing page without the third level domain it returns to the IP address associated with the legitimate website. If you ping the third level domain you can see it returns a different IP address, which redirects to the Rig EK landing page.
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: