2017-01-26 - AFRAIDGATE RIG-V FROM 92.53.97[.]168 SENDS GODZILLA LOADER/LOCKY/SOMETHING ELSE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-26-Afraidgate-Rig-V-sends-Locky-ransomware.pcap.zip 681 kB (681,221 bytes)
- 2017-01-26-Afraidgate-Rig-V-sends-Locky-ransomware.pcap (737,129 bytes)
- 2017-01-26-2017-01-26-Afraidgate-Rig-V-artifacts-and-associated-malware.zip 320.8 kB (320,842 bytes)
- 2017-01-26-Afraidgate-Rig-V-1st-follow-up-download-unknown-malware.exe (167,424 bytes)
- 2017-01-26-Afraidgate-Rig-V-2nd-follow-up-download-Locky-ransomware.exe (216,576 bytes)
- 2017-01-26-Afraidgate-Rig-V-flash-exploit.swf (19,230 bytes)
- 2017-01-26-Afraidgate-Rig-V-landing-page.txt (5,217 bytes)
- 2017-01-26-Afraidgate-Rig-V-payload-Godzilla-Loader.exe (119,296 bytes)
- 2017-01-26-Locky-ransomware-DesktopOSIRIS.bmp (3,578,902 bytes)
- 2017-01-26-Locky-ransomware-DesktopOSIRIS.htm (8,671 bytes)
- 2017-01-26-misterin.pkitup_com-watch.js.txt (522 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use.
- I currently call it "Rig-V" out of habit. You can probably just call it Rig EK now.
- Before 2017, I used to see Empire Pack (Rig-E) which is a variant of Rig EK with older-style URLs as described by Kafeine here.
- I've only seen Rig-V (Rig 4.0) when looking at Rig EK-based campaigns so far in 2017.
BACKGROUND ON THE AFRAIDGATE CAMPAIGN:
- Things haven't changed much since my last in-depth write-up on the Afraidgate campaign (link).
OTHER NOTES:
- The payload (Godzilla loader) was sent twice, and it downloaded different follow-up malware each time.
- I don't know what the first follow-up malware is.
- The second follow-up malware was Locky ransomware.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Afraidgate redirect URL leading to a Rig-V landing page.
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- [information removed] - Compromised website
- 146.185.151[.]179 port 80 - misterin.pkitup[.]com - GET /watch.js - Afraidgate redirect
- 92.53.97[.]168 port 80 - upd.15temmuzruhu[.]org - Rig-V
- 91.209.77[.]41 port 80 - kronobor[.]com - GET /main.php?g=0123456789&k=abcdefghijklmnopqrstuvwxy - Godzilla Loader pulling follow-up malware (x2)
- 185.162.10[.]108 port 80 - grentromz[.]com - POST /blog.php - Post-infection traffic from 1st follow-up malware
- 5.149.253[.]123 port 80 - truemoondez[.]com - POST /img.php - Post-infection traffic from 1st follow-up malware
- 194.31.59[.]5 port 80 - 194.31.59[.]5 - POST /checkupdate - Post-infection traffic from 2nd follow-up malware (Locky)
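Added example (not from the original post): a small Python correlator that matches proxy-log lines against the defanged indicators listed above and reports how far down the Afraidgate / Rig-V chain each client got, so an analyst can tell a host that only touched the redirect from one whose Locky callback means the ransomware has likely already run. The log format ("<timestamp> <client> <method> <url> <status>") and the sample lines are assumptions constructed for the example; the Rig-V server is matched on host only because the page gives no URL paths for it.

```python
import re
from collections import defaultdict

# Indicators from the list above, kept in the page's defanged form; None means
# "match any" (the page gives no URL paths for the Rig-V server itself).
INDICATORS = [
    ("misterin.pkitup[.]com", "GET", "/watch.js", "afraidgate_redirect"),
    ("upd.15temmuzruhu[.]org", None, None, "rig_v"),
    ("kronobor[.]com", "GET", "/main.php", "godzilla_followup_pull"),
    ("grentromz[.]com", "POST", "/blog.php", "followup1_c2"),
    ("truemoondez[.]com", "POST", "/img.php", "followup1_c2"),
    ("194.31.59[.]5", "POST", "/checkupdate", "locky_c2"),
]
STAGE_ORDER = [s for *_, s in INDICATORS]  # higher index = further down the chain
# Hypothetical proxy log line: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) http://([^/\s?]+)(/[^\s?]*)?")

def classify(method, host, path):
    """Stage of the infection chain a request belongs to, or None."""
    for ioc_host, ioc_method, ioc_path, stage in INDICATORS:
        if (host == ioc_host.replace("[.]", ".")  # refang before comparing
                and ioc_method in (None, method) and ioc_path in (None, path)):
            return stage
    return None

def chains(log_lines):
    """Per client, the ordered stages observed (consecutive repeats folded)."""
    seen = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, log_lines)):  # skip unparsable lines
        _, client, method, host, path = m.groups()
        stage = classify(method, host, path or "/")
        if stage and seen[client][-1:] != [stage]:
            seen[client].append(stage)
    return dict(seen)

def furthest(stages):
    """Deepest stage reached; locky_c2 means the ransomware has likely run."""
    return max(stages, key=STAGE_ORDER.index)
SAMPLE_LOG = [  # constructed, mirroring the traffic described on this page
    "2017-01-26T14:02:11 10.0.0.5 GET http://misterin.pkitup.com/watch.js 200",
    "2017-01-26T14:02:12 10.0.0.5 GET http://upd.15temmuzruhu.org/?landing 200",
    "2017-01-26T14:02:20 10.0.0.5 GET http://kronobor.com/main.php?g=0123456789&k=abcdefghijklmnopqrstuvwxy 200",
    "2017-01-26T14:02:25 10.0.0.5 POST http://grentromz.com/blog.php 200",
    "2017-01-26T14:02:26 10.0.0.5 POST http://truemoondez.com/img.php 200",
    "2017-01-26T14:03:01 10.0.0.5 GET http://kronobor.com/main.php?g=0123456789&k=abcdefghijklmnopqrstuvwxy 200",
    "2017-01-26T14:03:30 10.0.0.5 POST http://194.31.59.5/checkupdate 200",
    "2017-01-26T14:05:00 10.0.0.7 GET http://misterin.pkitup.com/watch.js 200",
    "2017-01-26T14:05:01 10.0.0.7 GET http://example.com/index.html 200",
]
```

Running `chains(SAMPLE_LOG)` shows 10.0.0.5 reaching the Godzilla Loader pull twice and ending at the Locky callback, while 10.0.0.7 only hit the Afraidgate redirect.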
FILE HASHES
RIG-V FLASH EXPLOIT:
- SHA256 hash: c51983e60892d0c011339e123f9058c390f8f4bc162e00fa1879db4a76734029 (19,230 bytes)
File description: Rig-V Flash exploit seen on 2017-01-26
RIG-V PAYLOAD (GODZILLA LOADER, SENT TWICE):
- SHA256 hash: 36b298c4056a5ba521acd16e23ff2532b0ec57516b58bf5800bd43e1a463c532 (119,296 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\rad94FD3.tmp.exe
File location: C:\Users\[username]\AppData\Local\Temp\rad1AA47.tmp.exe
File location: C:\Users\[username]\Roaming\Gjhifk3YLxhz6Zq.exe
File location: C:\Users\[username]\Roaming\ZJN1xIfnItW6lyy.exe
FIRST FOLLOW-UP MALWARE:
- SHA256 hash: ba470d653f7b85d65132d6c44c8e578134a9fe32c5280de99d62efde7022131c (167,424 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\yXEyqsM8w12Y8VMg9lipQi2Bf.exe
File description: Unknown malware
SECOND FOLLOW-UP MALWARE:
- SHA256 hash: 966f140a983aeb91935e403f31d74ef668d1e25c07efe6e01d3e17f50a3ac5d3 (216,576 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\2Gq1N5D8v2UnjJmKNUy4LupXp.exe
File description: "Osiris" variant Locky ransomware
IMAGES
Shown above: Desktop of the infected Windows host after rebooting.
Shown above: Found another callback URL from the 1st follow-up malware by using Joe Sandbox Cloud.