2016-12-12 - EITEST RIG-V FROM 220.127.116.11 SENDS CRYPTOMIX RANSOMWARE
- ZIP archive of the pcap: 2016-12-12-EITest-Rig-V-sends-CryptoMix-ransomware.pcap.zip 194 kB (193,592 bytes)
- 2016-12-12-EITest-Rig-V-sends-CryptoMix-ransomware.pcap (265,127 bytes)
- ZIP archive of the malware: 2016-12-12-EITest-Rig-V-sends-CryptoMix-malware-and-artifacts.zip 74 kB (73,653 bytes)
- 2016-12-12-CryptoMix-decryption-instructions.txt (1,483 bytes)
- 2016-12-12-EITest-Rig-V-CryptoMix-rad9D1C1.tmp.exe (83,968 bytes)
- 2016-12-12-EITest-Rig-V-artifact-QXj6sFosp.txt (1,137 bytes)
- 2016-12-12-EITest-Rig-V-flash-exploit.swf (12,375 bytes)
- 2016-12-12-EITest-Rig-V-landing-page.txt (5,378 bytes)
- 2016-12-12-page-from-activaclinics.com-with-injected-EITest-script.txt (58,191 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
- Rig-V: a "VIP version" with new URL patterns & RC4 payload encryption. Used by the Afraidgate & pseudoDarkleech campaigns. Sometimes used by the EITest campaign.
- Rig-E: a variant with old Rig EK URL patterns & RC4 payload encryption. Also known as Empire Pack. I often see Rig-E used by the EITest campaign.
- Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary). I haven't seen this one in a while.
BACKGROUND ON THE EITEST CAMPAIGN:
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-10-03 - Palo Alto Networks Unit 42 blog: EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
- 2016-10-03 - Broadanalysis.com: EITest campaign stopped using a gate.
- 2016-10-15 - Broadanalysis.com: EITest campaing stops using obfuscation for injected script in pages from compromised websites.
BACKGROUND ON CRYPTOMIX:
- The ransomware I've been calling CryptFile2 is actually CryptoMix. Details can be found here.
- The EITest campaign currently uses Rig-V to send this CryptoMix (CryptFile2) ransomware.
- The compromised website in today's blog, activaclinics.com, was used in a previous post on 2016-10-28 to get EITest script and generate Rig EK.
- Activaclinics.com has apparently remained compromised by the EITest campaign since that time (or however long ago before it was first discovered).
- Some people might be tempted to call this "Lesli ransomware" based on LESLI IS SPYING ON YOU in the ransom note and the .lesli file extension it uses for encrypted files.
- Don't be fooled. This is actually CryptoMix/CryptFile2 ransomware.
Shown above: Flowchart for this infection traffic.
Shown above: Injected script from the EITest campaign from the compromised site.
Shown above: Pcap of the infection traffic filtered in Wireshark.
- activaclinics.com - Compromised site
- 18.104.22.168 port 80 - far.sensorispace.net - Rig-V
- 22.214.171.124 port 80 - 126.96.36.199 - CryptoMix post-infection traffic
EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS: