Rig Exploit Kit via Afraidgate delivers Locky ransomware from 194.87.93.11

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered the Godzilla loader, which in turn downloaded Locky ransomware and additional malware, via the Afraidgate campaign. [Information on Afraidgate campaign]
  • The Locky variant used the .osiris file extension on the encrypted files.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-02-04-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • monteyplaya.com – COMPROMISED SITE
  • 138.197.222.151 – nitrindo.lasestrellas.com.ar/engine/classes/masha/masha.js – AFRAIDGATE REDIRECT
  • 194.87.93.11 – lex.modernlily.info – RIG-V LANDING PAGE
  • 5.188.223.104 – spotsbill.com – GODZILLA LOADER DOWNLOADING MALWARE
  • 185.162.10.108 – grentromz.com – POST /blog.php – POST-INFECTION TRAFFIC
  • 107.181.187.77 – POST /checkupdate – LOCKY POST-INFECTION TRAFFIC
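
To turn the indicators above into something that can be checked against proxy or Zeek-style HTTP logs, here is an added Python example (written for this page, not part of the original write-up or the pcap) that tags each request with the infection-chain stage it matches and reconstructs the chain per client IP. The log layout (tab-separated timestamp, source IP, destination IP, method, host, URI) and the sample log lines are constructed for the example; only the domains, IPs, paths and methods come from the list above.

```python
from collections import defaultdict

# Indicators copied from the list above. A stage matches a request only when
# every field listed for that stage matches (host case-insensitively, URI by
# prefix, destination IP and method exactly). The Locky beacon has no hostname
# on the page, so it is matched on IP + method + URI only.
IOCS = [
    ("compromised_site",     {"host": "monteyplaya.com"}),
    ("afraidgate_redirect",  {"dst_ip": "138.197.222.151",
                              "host": "nitrindo.lasestrellas.com.ar",
                              "uri": "/engine/classes/masha/masha.js"}),
    ("rig_landing",          {"dst_ip": "194.87.93.11",
                              "host": "lex.modernlily.info"}),
    ("godzilla_download",    {"dst_ip": "5.188.223.104",
                              "host": "spotsbill.com"}),
    ("post_infection",       {"dst_ip": "185.162.10.108",
                              "host": "grentromz.com",
                              "method": "POST", "uri": "/blog.php"}),
    ("locky_post_infection", {"dst_ip": "107.181.187.77",
                              "method": "POST", "uri": "/checkupdate"}),
]
STAGE_ORDER = [name for name, _ in IOCS]

# Hypothetical log layout assumed for this example (not a real tool's format).
FIELDS = ("ts", "src_ip", "dst_ip", "method", "host", "uri")

# Constructed sample log, not taken from the pcap: client 10.0.0.5 walks the
# whole chain, client 10.0.0.7 only browses an unrelated site. 203.0.113.10
# and 198.51.100.4 are documentation addresses standing in for unknown IPs.
SAMPLE_LOG = """\
1486200001.0\t10.0.0.5\t203.0.113.10\tGET\tmonteyplaya.com\t/
1486200002.5\t10.0.0.5\t138.197.222.151\tGET\tnitrindo.lasestrellas.com.ar\t/engine/classes/masha/masha.js
1486200004.0\t10.0.0.5\t194.87.93.11\tGET\tlex.modernlily.info\t/
1486200010.0\t10.0.0.5\t5.188.223.104\tGET\tspotsbill.com\t/
1486200020.0\t10.0.0.5\t185.162.10.108\tPOST\tgrentromz.com\t/blog.php
1486200025.0\t10.0.0.5\t107.181.187.77\tPOST\t107.181.187.77\t/checkupdate
1486200030.0\t10.0.0.7\t198.51.100.4\tGET\texample.com\t/index.html
"""


def parse_line(line):
    """Split one tab-separated log line into a dict; None for blank/malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = float(rec["ts"])
    except ValueError:          # header line or garbage timestamp
        return None
    rec["host"] = rec["host"].lower()
    rec["method"] = rec["method"].upper()
    return rec


def match_stage(rec):
    """Return the first chain stage whose IOC fields all match this request, else None."""
    for name, ioc in IOCS:
        for field, want in ioc.items():
            have = rec.get(field, "")
            if field == "uri":
                ok = have.startswith(want)
            elif field == "host":
                ok = have.lower() == want
            else:
                ok = have == want
            if not ok:
                break
        else:
            return name
    return None


def reconstruct_chains(log_text):
    """Group matched events per client IP as (ts, stage, dst_ip), ordered by time."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = match_stage(rec)
        if stage:
            chains[rec["src_ip"]].append((rec["ts"], stage, rec["dst_ip"]))
    return {ip: sorted(events) for ip, events in chains.items()}


def assess(events):
    """'full chain' needs landing page + payload download + a post-infection beacon."""
    seen = {stage for _, stage, _ in events}
    if {"rig_landing", "godzilla_download"} <= seen and \
            seen & {"post_infection", "locky_post_infection"}:
        return "full chain"
    return "partial" if seen else "clean"


if __name__ == "__main__":
    for client, events in reconstruct_chains(SAMPLE_LOG).items():
        print(client, assess(events))
        for ts, stage, dst in events:
            print(f"  {ts:.1f}  {stage:<22} {dst}")
```

A hit on the compromised site or the Afraidgate redirect alone shows exposure, not infection; a browser without the targeted plugin versions never reaches the payload. That is why assess() only reports "full chain" once the Rig landing page, the Godzilla download and at least one post-infection POST are all present from the same client, and why the post-infection entries are the indicators worth alerting on by themselves.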

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig EK, Afraidgate campaign, Godzilla loader and Locky ransomware

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to Afraidgate to start the infection chain

Shown above: Extracted JavaScript served by Afraidgate, which redirects to the Rig EK landing page

Shown above: Name servers associated with the Afraidgate domain name

Shown above: Godzilla loader downloading additional malware payload

Shown above: Ransom note and payment instructions associated with Locky ransomware, found on the desktop of the infected host

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: