2016-09-23 - PSEUDO-DARKLEECH RIG EK FROM 74.208.147.73 SENDS CRYPMIC RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-09-23-pseudoDarkleech-Rig-EK-sends-CrypMIC-both-pcaps.zip 260.1 kB (260,112 bytes)
- 2016-09-23-pseudoDarkleech-Rig-EK-sends-CrypMIC-first-run.pcap (374,043 bytes)
- 2016-09-23-pseudoDarkleech-Rig-EK-sends-CrypMIC-second-run.pcap (200,381 bytes)
- ZIP archive of the malware: 2016-09-23-pseudoDarkleech-Rig-EK-sends-CrypMIC-malware-and-artifacts.zip 165.0 kB (165,007 bytes)
- 2016-09-23-page-from-eborabus.com-with-injected-script.txt (12,388 bytes)
- 2016-09-23-page-from-formatexample.org-with-injected-script.txt (52,848 bytes)
- 2016-09-23-pseudoDarkleech-CrypMIC-decrypt-instructions.bmp (3,276,854 bytes)
- 2016-09-23-pseudoDarkleech-CrypMIC-decrypt-instructions.html (238,156 bytes)
- 2016-09-23-pseudoDarkleech-CrypMIC-decrypt-instructions.txt (1,628 bytes)
- 2016-09-23-pseudoDarkleech-Rig-EK-flash-exploit.swf (25,513 bytes)
- 2016-09-23-pseudoDarkleech-Rig-EK-landing-page-first-run.txt (30,029 bytes)
- 2016-09-23-pseudoDarkleech-Rig-EK-landing-page-second-run.txt (30,029 bytes)
- 2016-09-23-pseudoDarkleech-Rig-EK-payload-CrypMIC.exe (51,200 bytes)
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
- 2016-09-14 - Malware-traffic-analysis.net: The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
BACKGROUND ON CRYPMIC RANSOMWARE:
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated [The date I first noticed this new branch of ransomware.]
- 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
Shown above: Flowchart for today's traffic. The first infection didn't have a gate. The second infection did.
TRAFFIC
Shown above: Injected pseudoDarkleech script in a page from the first compromised site points to Rig EK.
Shown above: Traffic from the first pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
Shown above: Injected script in a page from the second compromised site points to a gate.
Shown above: The gate URL returns pseudoDarkleech script pointing to Rig EK.
Shown above: Traffic from the second pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
FIRST RUN (WITHOUT GATE):
- www.formatexample.org - Compromised site
- 74.208.147.73 port 80 - vaippaandedicators.reducemycard.com - Rig EK
- 91.121.74.154 port 443 - post-infection CrypMIC callback, custom encoded and clear text, not HTTPS/SSL/TLS (both infections)
SECOND RUN (WITH GATE):
- www.eborabus.com - Compromised site
- 83.217.27.178 port 80 - nxyiicirm.ddnsking.com - GET /wordpress/?ARX8 - Gate/redirect
- 74.208.147.73 port 80 - vaippaandedicators.reducemycard.com - Rig EK
- 91.121.74.154 port 443 - post-infection CrypMIC callback, custom encoded and clear text, not HTTPS/SSL/TLS (both infections)
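The callback pattern noted above (tcp/443, custom encoded, not TLS) is the part of this chain that stands out in flow data. As an added example that is not part of the original post, the Python below mirrors the post's Wireshark filter at the flow level and then flags any 443 destination whose first client bytes are not a TLS ClientHello. The flow records, the IPs for the compromised site and the TLS/FTP decoys, the Rig EK request path, and the 443 payload bytes are constructed for the example; only the gate and Rig EK hosts and the callback IP come from the post.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    """One TCP connection from the infected host, reduced to what the triage needs."""
    dst_ip: str
    dst_port: int
    first_bytes: bytes  # first payload bytes the client sent after the handshake


def is_tls_client_hello(data: bytes) -> bool:
    """True if the client's first bytes are a TLS record carrying a ClientHello."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x0N, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01)


def is_http_request(data: bytes) -> bool:
    return data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")


def matches_post_filter(flow: Flow) -> bool:
    """Flow-level equivalent of the post's Wireshark filter:
    http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002).
    Every flow starts with a SYN, so the second clause keeps all non-80 connections."""
    return (flow.dst_port == 80 and is_http_request(flow.first_bytes)) or flow.dst_port != 80


def non_tls_on_443(flows):
    """Destinations contacted on tcp/443 that are not speaking TLS: the shape of
    the CrypMIC callback described in this post."""
    return [f.dst_ip for f in flows
            if matches_post_filter(f) and f.dst_port == 443
            and not is_tls_client_hello(f.first_bytes)]


# Constructed flows modelled on the second (gated) infection chain. IPs not given in
# the post are RFC 5737 placeholders, the Rig EK path is a placeholder, and the 443
# payload bytes are made up; they are not the real CrypMIC encoding.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: www.eborabus.com\r\n"),
    Flow("83.217.27.178", 80, b"GET /wordpress/?ARX8 HTTP/1.1\r\nHost: nxyiicirm.ddnsking.com\r\n"),
    Flow("74.208.147.73", 80, b"GET /index.php HTTP/1.1\r\nHost: vaippaandedicators.reducemycard.com\r\n"),
    Flow("198.51.100.7", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # ordinary TLS
    Flow("91.121.74.154", 443, b"\x5a\x17\x88\x03\x00\x41\x1c\x9f"),  # callback, not TLS
    Flow("192.0.2.9", 21, b"USER anon\r\n"),  # non-80, non-443: kept by the filter, not flagged
]
```

Running non_tls_on_443(SAMPLE_FLOWS) returns only the callback destination; the ordinary TLS connection and the FTP flow pass through the filter without being flagged.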
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- ccjlwb22w6c22p2k.onion.to
- ccjlwb22w6c22p2k.onion.city
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d
File name: 2016-09-23-pseudoDarkleech-Rig-EK-flash-exploit.swf (from both infections)
PAYLOAD:
- SHA256 hash: 0e9bedc57f97bb2c7119ad4713b03fc9b10df09202fb7a237b610aec4687b736
File name: 2016-09-23-pseudoDarkleech-Rig-EK-payload-CrypMIC.exe (from both infections)
IMAGES
Screenshot from one of the infected Windows hosts.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-09-23-pseudoDarkleech-Rig-EK-sends-CrypMIC-both-pcaps.zip 260.1 kB (260,112 bytes)
- ZIP archive of the malware: 2016-09-23-pseudoDarkleech-Rig-EK-sends-CrypMIC-malware-and-artifacts.zip 165.0 kB (165,007 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.