2016-09-14: PSEUDO-DARKLEECH CAMPAIGN SWITCHED TO RIG EK - CRYPMIC RANSOMWARE SENT AS EXE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-09-14-pseudoDarkleech-Rig-EK-all-3-pcaps.zip   612.0 kB (611,974 bytes)

• 2016-09-14-pseudoDarkleech-Rig-EK-first-example.pcap   (541,132 bytes)
• 2016-09-14-pseudoDarkleech-Rig-EK-second-example.pcap   (82,080 bytes)
• 2016-09-14-pseudoDarkleech-Rig-EK-third-example.pcap   (86,377 bytes)

• ZIP archive of the malware:  2016-09-14-pseudoDarkleech-Rig-EK-malware-and-artifacts.zip   282.9 kB (282,945 bytes)

• 2016-09-14-CrypMIC-decryptor-style.css   (20,552 bytes)
• 2016-09-14-CrypMIC-decryptor.html   (13,375 bytes)
• 2016-09-14-CrypMIC-instructions.bmp   (2,457,654 bytes)
• 2016-09-14-CrypMIC-instructions.html   (1,660 bytes)
• 2016-09-14-CrypMIC-instructions.txt   (1,662 bytes)
• 2016-09-14-page-from-party-buses-rentals.com-with-injected-script-first-example.txt   (54,667 bytes)
• 2016-09-14-page-from-party-buses-rentals.com-with-injected-script-second-example.txt   (54,649 bytes)
• 2016-09-14-page-from-party-buses-rentals.com-with-injected-script-third-example.txt   (55,154 bytes)
• 2016-09-14-pseudoDarkleech-Rig-EK-flash-exploit-first-and-second-examples.swf   (25,565 bytes)
• 2016-09-14-pseudoDarkleech-Rig-EK-flash-exploit-third-example.swf   (25,757 bytes)
• 2016-09-14-pseudoDarkleech-Rig-EK-payload-CrypMIC-from-first-example.exe   (102,400 bytes)
• 2016-09-14-pseudoDarkleech-Rig-EK-landing-page-first-example.txt   (61,979 bytes)
• 2016-09-14-pseudoDarkleech-Rig-EK-landing-page-second-example.txt   (61,898 bytes)
• 2016-09-14-pseudoDarkleech-Rig-EK-landing-page-third-example.txt   (61,851 bytes)

 

NOTES:

• Thanks to Baber for informing me about today's compromised website.
• Today is the first time I've noticed the pseudoDarkleech campaign use Rig EK.
• Today is the first time I've seen CrypMIC sent as an EXE.
• Today the malware payload made it through okay only in the first example.
• The other two examples didn't show any actual payload data.

• I tried this several times today and saw Rig EK payloads saved as either as an EXE or a DLL.
• Most of the attempts I saw by Rig EK to send a payload were unsuccessful.
• In most cases, I saw the text string =(( returned after a request for the payload.
• So far, I haven't seen Rig EK successfully send a DLL file as the malware payload.

 

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign

 

BACKGROUND ON CRYPMIC RANSOMWARE:

• 2016-07-06 - SANS ISC diary:  CryptXXX ransomware updated   [The date I first noticed this new branch of ransomware.]

• 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."

• 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps   [TrendLabs analyzes the new branch and names it.]

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign in page from the compromised site (first example).

 

Shown above:  Traffic from the first example filtered in Wireshark.   Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

 

ASSOCIATED DOMAINS:

• www.party-buses-rentals.com - Compromised site
• 69.162.103.180 port 80 - guldeling-didunculinae.manhattansignco.com - Rig EK (first example)
• 69.162.103.180 port 80 - lientymisen-skotske.manhattansignco.com - Rig EK (second example)
• 69.162.103.180 port 80 - balearicaglutathione.manhattansignco.com - Rig EK (third example)
• 65.49.8.96 port 443 - post-infection CrypMIC callback, custom encoded and clear text, not HTTPS/SSL/TLS

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• xijymvzq4zkyubfe.onion.to
• xijymvzq4zkyubfe.onion.city

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  1593993835b5a3b97d30a410897f70cbb00bd55f7ad0846120b7266ce2a0c074
  File name:  2016-09-14-pseudoDarkleech-Rig-EK-flash-exploit-first-and-second-examples.swf

• SHA256 hash:  c3d462e46deb6baa90680c505ea81f6d516534d148355cb26493629bfb84a569
  File name:  2016-09-14-pseudoDarkleech-Rig-EK-flash-exploit-third-example.swf

PAYLOAD:

• SHA256 hash:  a4176db3612cdc0788bed1dbfd40f360563ae205ef18e3b6b01fa4c8114ceaa8
  File name:  2016-09-14-pseudoDarkleech-Rig-EK-payload-CrypMIC-from-first-example.exe

 

IMAGES

Shown above:  Desktop of an infected Windows host (first example).

 

Shown above:  Desktop of an infected Windows host (first example).

 

Shown above:  Saw a lot of this today when Rig EK attempted to retrieve the malware payload.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-09-14-pseudoDarkleech-Rig-EK-all-3-pcaps.zip   612.0 kB (611,974 bytes)
• ZIP archive of the malware:  2016-09-14-pseudoDarkleech-Rig-EK-malware-and-artifacts.zip   282.9 kB (282,945 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.