2017-01-30 - AFRAIDGATE RIG-V FROM 194.87.94[.]4 SENDS LOCKY RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-30-Afraidgate-Rig-V-sends-Locky-ransomware.pcap.zip 565.2 kB (565,185 bytes)
- 2017-01-30-Afraidgate-Rig-V-sends-Locky-ransomware.pcap (610,058 bytes)
- 2017-01-30-Afraidgate-Rig-V-artifacts-and-Locky-ransomware.zip 226.3 kB (226,252 bytes)
- 2017-01-30-Afraidgate-Rig-V-artifact-QTTYUADAF.txt (1,137 bytes)
- 2017-01-30-Afraidgate-Rig-V-flash-exploit.swf (16,240 bytes)
- 2017-01-30-Afraidgate-Rig-V-landing-page.txt (5,227 bytes)
- 2017-01-30-Afraidgate-Rig-V-payload-Locky-ransomware-radE7F02.tmp.exe (261,632 bytes)
- 2017-01-30-Locky-ransomware-DesktopOSIRIS.bmp (3,864,030 bytes)
- 2017-01-30-Locky-ransomware-DesktopOSIRIS.htm (8,656 bytes)
- 2017-01-30-Locky-ransomware-decryptor-style.css (3,422 bytes)
- 2017-01-30-Locky--ransomwaredecryptor.html (6,392 bytes)
- 2017-01-30-troll.mysticalprinciples_com-scripts-pastebin.min.js.txt (555 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use.
- I currently call it "Rig-V" out of habit. You can probably just call it Rig EK now.
- Before 2017, I used to see Empire Pack (Rig-E), which is a variant of Rig EK with older-style URLs as described by Kafeine here.
- I've only seen Rig-V (Rig 4.0) when looking at Rig EK-based campaigns so far in 2017.
BACKGROUND ON THE AFRAIDGATE CAMPAIGN:
- My most recent write-up on the Afraidgate campaign can be found here.
OTHER NOTES:
- Today I saw the Afraidgate campaign send Locky ransomware directly from Rig EK.
- Prior to this, I've most often seen Godzilla Loader as the payload, after which the loader grabs Locky ransomware.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised site leading to Afraidgate redirect URL.
Shown above: Afraidgate redirect URL leading to a Rig-V landing page.
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- [information removed] - Compromised website
- 139.59.160[.]143 port 80 - troll.mysticalprinciples[.]com - GET /scripts/pastebin.min.js - Afraidgate redirect
- 194.87.94[.]4 port 80 - dns.mobilmhp[.]org - Rig EK (Rig-V)
- 93.170.123[.]185 port 80 - 93.170.123[.]185 - POST /checkupdate - Locky post-infection traffic
- 194.31.59[.]5 port 80 - 194.31.59[.]5 - POST /checkupdate - Locky post-infection traffic
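The domain list above is written in defanged form ("[.]" in place of "."), and the four entries describe three stages of one chain: the Afraidgate redirect, the Rig-V landing page, and the Locky post-infection POSTs. The following is an added example, not code from the original write-up, that refangs those indicators and runs them over a handful of constructed proxy log lines so a defender can tell a host that touched every stage apart from one that only produced a stray POST. The log format (client, method, host, path, status) and the placeholder hosts and paths for the compromised site and the Rig-V landing URL are assumptions; the indicator values themselves are the ones listed on this page.

```python
"""Refang the page's defanged indicators and flag proxy log lines that match
the Afraidgate -> Rig-V -> Locky chain. Added example; log lines are constructed."""
import re
from collections import defaultdict

# Indicators copied from the page's ASSOCIATED DOMAINS list, kept defanged.
# A None method or path means "match on host alone" (the Rig-V landing URL
# pattern is not reproduced here).
INDICATORS = [
    ("troll.mysticalprinciples[.]com", "GET",  "/scripts/pastebin.min.js", "Afraidgate redirect"),
    ("dns.mobilmhp[.]org",             None,   None,                       "Rig EK (Rig-V)"),
    ("93.170.123[.]185",               "POST", "/checkupdate",             "Locky post-infection"),
    ("194.31.59[.]5",                  "POST", "/checkupdate",             "Locky post-infection"),
]

# Every stage a client must have touched to be reported as a full chain.
FULL_CHAIN = {"Afraidgate redirect", "Rig EK (Rig-V)", "Locky post-infection"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed sample log: "<client> <method> <host> <path> <status>" per line.
# The compromised site and the Rig-V landing path are placeholders, not values
# from the page (the page redacts the compromised site).
SAMPLE_LOG = """\
10.0.0.5 GET compromised-site.placeholder /index.html 200
10.0.0.5 GET troll.mysticalprinciples.com /scripts/pastebin.min.js 200
10.0.0.5 GET dns.mobilmhp.org /placeholder-landing-path 200
10.0.0.5 POST 93.170.123.185 /checkupdate 200
10.0.0.7 GET www.example.test / 200
10.0.0.7 POST 194.31.59.5 /checkupdate 200
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d+)$")


def match_indicators(log_text: str) -> list[tuple[str, str]]:
    """Return (client, stage) pairs, in log order, for every line hitting an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        for host, method, path, stage in INDICATORS:
            if m["host"] != refang(host):
                continue
            if method is not None and m["method"] != method:
                continue
            if path is not None and m["path"] != path:
                continue
            hits.append((m["client"], stage))
    return hits


def clients_by_stage(log_text: str) -> dict[str, set[str]]:
    """Group the stages seen per client, so partial and full chains can be told apart."""
    stages: dict[str, set[str]] = defaultdict(set)
    for client, stage in match_indicators(log_text):
        stages[client].add(stage)
    return stages


def full_chain_clients(log_text: str) -> list[str]:
    """Clients that touched the redirect, the Rig-V host and a Locky check-in."""
    return sorted(c for c, s in clients_by_stage(log_text).items() if FULL_CHAIN <= s)


if __name__ == "__main__":
    for client, stages in sorted(clients_by_stage(SAMPLE_LOG).items()):
        print(client, sorted(stages))
    print("full chain:", full_chain_clients(SAMPLE_LOG))
```

On the sample log, 10.0.0.5 is reported as a full chain while 10.0.0.7 only shows the Locky check-in stage; a lone POST /checkupdate to one of the listed addresses is still worth a look, but the per-stage grouping tells the analyst which hosts also pulled the redirect and the exploit kit page.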
FILE HASHES
RIG-V FLASH EXPLOIT:
- SHA256 hash: 151445c7cbbaf31c4370c7f495c9bb3b588a23088a8bd96056842f85b13aaebe (16,240 bytes)
File description: Rig-V Flash exploit seen on 2017-01-30
RIG-V PAYLOAD:
- SHA256 hash: 9d7016dccdb05939eaac3ca2452cf5ef9d22a8e3a0e8e60b555b41506f95c36e (261,632 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\radE7F02.tmp.exe
File description: "Osiris" variant Locky ransomware sent by Rig-V from the Afraidgate campaign
IMAGES
Shown above: Desktop of the infected Windows host after rebooting.
Shown above: Locky decryptor after checking the decryption instructions.